
Add veeam_credential_dump post module

Open npm-cesium137-io opened this issue 3 years ago • 3 comments

This is another post module for credential capture, this time from Veeam Backup & Recovery and Veeam ONE Monitor. I have rolled in all the accumulated changes acquired for previous PRs so far. Should work for current versions of VBR / Veeam ONE between 9.x and 11.x.

npm-cesium137-io, Dec 21 '22 21:12

Hey @npm-cesium137-io, the team and I were wondering if you'd be able to consolidate some of the functions in the PR. There's a couple functions where vom & vbr are embedded in the function where they could be passed in as a parameter in order to eliminate some code duplication.

dump_vbr_db & dump_vom_db could be refactored to dump_db(arg)
get_vbr_version & get_vom_version could be refactored to get_version(arg)
get_vbr_path & get_vom_path could be refactored to get_path(arg)

Each of the database_config and the decrypt functions is fairly complex and I think it makes sense that they stay the way they are. Let me know if you have any questions - thanks again for the great contribution.

jheysel-r7, Jan 05 '23 21:01

@jheysel-r7 thanks, I hope to have some time this weekend to make refinements and commit some of these changes. The code has been hard to wrangle (it started as two distinct modules) and I have struggled to reduce clutter in there - these refactoring suggestions are great, and I will definitely implement them! I hope these types of post modules are useful as I intend to continue making them when I encounter useful sources of credentials in the field.

npm-cesium137-io, Jan 06 '23 16:01

@jheysel-r7 good afternoon! I just pushed a commit that should hopefully fix this up: it occurred to me that all your example B64 payloads...were exactly 256 characters. Long story short this was sqlcmd's fault, truncating column values at 256 characters by default. I've done an explicit cast to VARCHAR(4096) which should (hopefully?) be enough to cover even the most ambitious credential. This did not express in my other modules because I always ended up having to cast VARBINARY so each column was explicitly sized in all those cases. Live and learn!

I have also consolidated some additional code and tried to streamline things, let me know if this looks closer to shipshape. Last: I can't seem to let go of the BATCH_DPAPI concept even though it's a very weird corner case, because I just KNOW this pattern will come up again, so I have done some significant refactoring there to add actual batch logic vs. spray-and-pray. Right now it will break things up into 8KB chunks, and this is configurable by the new BATCH_DPAPI_MAXLEN advanced option.

npm-cesium137-io, Jan 09 '23 21:01
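An added sanity check for the truncation bug described in the comment above (example code, not part of this PR or the module): sqlcmd's default display width for variable-length columns is 256 characters, and because 256 is a multiple of 4 a Base64 value cut at that width still decodes cleanly, so nothing downstream complains. The audit below flags exported values that are invalid Base64 or sit exactly on the 256-character boundary. It assumes a two-column id,value CSV export and uses constructed sample rows.

```ruby
require 'base64'

# Default width at which sqlcmd truncates variable-length columns
# (the behaviour described in the thread; an explicit CAST to a wider
# VARCHAR, or sqlcmd's -y option, changes it).
SQLCMD_DEFAULT_WIDTH = 256

# Classify one exported Base64 value: :ok, :invalid or :suspect.
# :suspect means the value is valid Base64 but is exactly 256 chars long,
# which is what a silently truncated column looks like.
def check_b64_value(value)
  v = value.to_s.strip
  return :invalid unless v.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z}) && (v.length % 4).zero?
  Base64.strict_decode64(v) # final arbiter of validity
  v.length == SQLCMD_DEFAULT_WIDTH ? :suspect : :ok
rescue ArgumentError
  :invalid
end

# Walk an id,value CSV export and return [id, verdict] pairs.
def audit_dump(csv_text)
  csv_text.lines.map do |line|
    id, val = line.chomp.split(',', 2)
    [id, check_b64_value(val)]
  end
end

# Constructed sample export: row 2 imitates a 400-char blob cut at 256.
SAMPLE_CSV = [
  "1,#{Base64.strict_encode64('short secret')}",
  "2,#{Base64.strict_encode64('x' * 300)[0, SQLCMD_DEFAULT_WIDTH]}",
  '3,not*base64'
].join("\n")

if __FILE__ == $PROGRAM_NAME
  audit_dump(SAMPLE_CSV).each { |id, verdict| puts "row #{id}: #{verdict}" }
end
```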

Hey @npm-cesium137-io, thanks for the fix and the great module, retested and it worked like a charm 🚢

msf6 post(windows/gather/credentials/veeam_credential_dump) > rerun
[*] Reloading module...

[*] Hostname DESKTOP-8ATHH6O IPv4 172.16.199.135
[*] Veeam Backup & Replication Install Path: C:\Program Files\Veeam\Backup and Replication\Backup
[+] Compressed size: 1336
[*] Veeam Backup & Replication Build 11.0.1.1261
[*] Get Veeam SQL Parameters ...
[+] SQL Database Connection Configuration:
[+] 	Instance Name: DESKTOP-8ATHH6O\VEEAMSQL2016
[+] 	Database Name: VeeamBackup
[+] 	Database User: (Windows Integrated)
[!] The database uses Windows authentication
[!] Session identity must have access to the SQL server instance to proceed
[*] Performing export of Veeam Backup & Replication SQL database to CSV file
[*] Export VBR DB ...
[+] 6 rows exported, 6 unique IDs
[+] Encrypted Veeam Backup & Replication Database Dump: /Users/jheysel/.msf4/loot/20230201171956_default_172.16.199.135_veeam_VBR_enc_899910.txt
[*] Performing decryption of Veeam Backup & Replication SQL database
[+] 6 VBR rows loaded, 6 unique IDs
[*] Process Veeam Backup & Replication DB ...
[+] Compressed size: 1472
[+] Compressed size: 5640
[+] 6 VBR rows processed
[*] 5 rows recovered: 0 plaintext, 5 decrypted (1 blank)
[*] 5 rows written (1 blank rows withheld)
[+] 5 unique VBR ID records recovered
[+] Recovered Credential: test
[+] 	L: test
[+] 	P: test
[+] Recovered Credential: Helper appliance credentials
[+] 	L: root
[+] 	P: notpassword
[+] Recovered Credential: Tenant-side network extension appliance credentials
[+] 	L: root
[+] 	P: N0tpassword!
[+] Recovered Credential: msfuser
[+] 	L: msfuser
[+] 	P: PASSSSSSSW0RDFOREVERRRR
[+] Recovered Credential: Azure helper appliance credentials
[+] 	L: root
[+] 	P: mYPaSSw0RdiSs0StRoNgE
[+] Decrypted Veeam Backup & Replication Database Dump: /Users/jheysel/.msf4/loot/20230201172004_default_172.16.199.135_veeam_vbr_dec_596773.txt
[*] Post module execution completed

jheysel-r7, Feb 01 '23 22:02

Release Notes

Post credential capture module for Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x - 11.x

jheysel-r7, Feb 01 '23 22:02