Mounting Encrypted VHD Drives

Related Sites:

• Mounting Bit-Locker Encrypted Drives

• Linux - Mount

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 backup.vhd

sudo cryptsetup bitlkOpen /dev/nbd0p2 david

Provide the password 123456789! then we can list out the /dev/mapper/ directory:

ls  -la /dev/mapper/david

Make a directory to mount it into:

sudo mkdir vhd

$ sudo mount /dev/mapper/david /home/d3lvx/HTB/Academy/PasswordAttacks/vhd 

List out the mounted drive:

We now have VHD mapped out and find backup copies of SAM and SYSTEM and we can use secretsdump to dump hashes.

Unmounting the Drive

# unmount the vhd directory

$ sudo umount vhd   

# Disconnect all nbd devices
$ sudo qemu-nbd -d /dev/nbd0

# Remove the VHD directory we created
$ sudo rmdir vhd 

# Remove the module
$ sudo modprobe -r nbd

If you are still having issues unmounting, restart the device

From Linked Medium Article: Mounting Bit-locker encrypted vhd files in Linux

Below is the article from this Medium article:

BitLocker is a full volume encryption feature included with Windows with natively uses AES 128bit or 256bit keys. It stores is the keys on the TPM.

On the other hand Linux distros provide encryption based on LUKS (Linux Unified Key Setup) which doesn’t depend on TPM in any way. LUKS encrypts the full drive including the partition header and BitLocker only acts on partition level. From Cryptsetup version 2.3.0 onward BitLocker encryption format is supported.

So following packages are required on the Linux distro of your choice: -

1. qemu-img (in RHEL, Fedora)/ qemu-utils (in Debian)

2. crytpsetup with minimum version of 2.3

3. ntfs-3g-devel (in RHEL, Fedora)/ ntfs-3g-dev (in Debian) (optional) needed only in case the NTFS volume is unclean

Once we have the packages ready, we can start by inserting the nbd modules in the kernel

$ modprobe nbd

After that we can have mount the vhd or vhdx file as follows.

$ qemu-nbd -c /dev/nbd0 <PATH_TO_FILE>.vhd

If mounting multiple vhd files we need to increment the /dev/nbd0 to /dev/nbd1 and so on. After running this our vhd files is mounted under /dev/nbd0 . We need to do a $ lsblk to identify exactly which partition is the Bitlocker encrypted partition (size of partition is useful for distinguishing). In my case the partition is /dev/nbd0p2 the second partition on the disk. We need to run Cryptsetup and provide a label for mounting the Bitlocker partition

$ cryptsetup bitlkOpen /dev/nbd0p2 my_label

Now my partition is visible as /dev/mapper/my_label . It can be mounted normally now.

$ mkdir /mnt/mydrive
$ mount /dev/mapper/my_label /mnt/mydrive

If we have NTFS related problems in the drive we can run ntfsfix before mounting the drive to fix the issues

$ ntfsfix -b -d /dev/mapper/my_label

To close the BitLocker partition properly we need to first umount then use cryptsetup bitlkClose for closing the partition

$ umount /mnt/mydrive
$ cryptsetup bitlkClose my_label