You can also extract the vSphere Creds by veampot.py
. Backup Machines Hashes Extraction
What if you have access to a backup image for a machine? What can you do? Or if you have access the backup server and find images for multiple machines?
There are many cases you can find such thing, like when you find a backup image on SMB shares, or you get access to a normal machine and find an old backup on it if you access the server for the backup.
If you have an entire disk backup, you can extract the hashes from the SAM file or the NTDS if it's a domain controller, and you are not limited to these two files. You can enumerate the disk and look for any useful data or cleartext passwords.
When you have a valid backup image, Veeam provides a restore mechanism by "VBK Extract" or importing the image on "Veeam Backup and Replication". You can extract the backup in multiple extensions like VMDM, VHD, or VHDX.
We have this backup image and want to extract the creds for: