This post is pulling from my public notes here or at https://calvin-connor.gitbook.io/hacking-notes/general/file-types/.vhd. For better formatting and usability, I would recommend using the notes instead.
What is a .vhd?
.vhd stands for virtual hard disk. A virtual hard disk (VHD) is a file format for storing the entire contents of a computer’s hard drive.
Viewing Files
7z l filename.vhd
using 7zip you can quickly look at the file structure of the virtual hard drive. This is useful to see if there are any important files or directories you should explore further. You can also replace the l option with x to extract instead of view.
Mounting
guestmount --add filename.vhd --inspector --ro /directory/to/mount/to
The guestmount tool allows you to mount the virtual hard drive and explore the new files. The –ro flag stands for read only, so you will have to copy the files elsewhere to make changes. Add the -v flag for verbose output. Mounting a virtual hard disk can take upwards of a few minutes.
Extracting Credentials
Files to look for, besides non-standard:
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\NTDS\ntds.dit // Only on Domain Controller
To extract the credentials, copy the files with:
cp SAM SYSTEM /local/directory
Use impacket to dump secrets. Exclude ntds.dit if you do not have it.
impacket-secretsdump -sam SAM -system SYSTEM -ntds NTDS.DIT local
This is not every important default file on a .vhd, just the ones I have run into on engagements. Always be on the lookout for non-standard files and directories.