Grabbing loot from vmdk’s

An acquaintance recently dropped me a line asking for some help with a gig she was working on. After sharing the background about the work she had performed so far, she said something which made me promptly sit up and listen… “I have access to backups… Can we do anything with vmdk’s?”. Needless to say, she had my undivided attention and I was only too happy to assist. ;)

Quick note… I haven’t seen anyone else using or discussing this technique, so if you find it helpful, or have some other great ideas on expanding this method, please let me know.

First thing’s first; are the vmdk’s encrypted?

If the vmdk’s are encrypted, the output would look similar to the following:

Our output however was as follows:

In most cases, if you are lucky enough to have access to unencrypted vmdk’s, you would simply copy the images, mount them, and start your normal forensics process to extract your loot. I will cover that scenario in a separate vmdk forensics writeup, but what if we only had access to the vmdk’s on a backup or similar server, and we were prohibited from copying or transferring the images? Enter stage left strings.


The following technique works on both data at rest, as well as live running virtual boxen. All of the following commands were run as a standard user with no escalated or root privileges, and as you will see we still gain full access to the privileged data.

db-01-nix.vmdk: *nix host examples.

When pentesting a *nix box, the holy grail is, in most cases, the contents of the shadow file. Normally this is not readable due to it containing the hashed passwords of all users on the system, including root. So, it’s only fitting that the first example for my strings technique is to grab the user hashes.

Judging by the naming convention of the vmdk file, it is safe to assume that our host could be a database server. Let’s check if the mysql default password has been set.

So how about something a little left field? What if we could read SSH RSA private keys?

med-01-win.vmdk: Windows host examples.

The same technique also works for Windows hosts. Unfortunately obtaining the hashes will need to occur via normal forensics extraction of the hives, but that’s not to say that there isn’t other information to be found.

Unfortunately I am unable to share exactly what application those md5 hardcoded hashes are from due to a very solid disclosure agreement. Needless to say however, securing medical devices is an ongoing challenge for the health industry, and still remains a very steep learning curve.

Moving on… GPP passwords anyone?

And last but not least, how about some AES keys and WPA2 PSK’s?

Moral of the story? Encrypt your vmdk’s! The potential of loot grabbing with this technique is very high, and only limited to your knowledge of operating systems, data storage, and knowing what to search for. With some simple scripting, it is very easy to use this method to quickly search for ‘common’ information like hashes, passwords, serial numbers, configuration variables and the like.

Until next time, tight lines and happy hacking.