Vcenter offline mdb extract #16571
Conversation
Add new aux module vcenter_offline_mdb_extract for extracting IdP credentials, certificates and keys from a vCenter backup file. Added module documentation.
this would do well in a library like the juniper/cisco/arista offline config things, that way we can have some specs and such
I mean.... this would have been totally useful landing that last PR.... 😆
I used the same .mdb file I used to pull the certs from for #16484?
Huh. That means you made it to get_sts_key but it raised OpenSSL::PKey::PKeyError. Guess as to cause: the buffer we're working with cut off the end of the key data? You might play with the advanced option MDB_CHUNK_SIZE, setting it to something like 8192, 16384, etc. It defaults to 4KB, so it's possible we're overshooting the data a little bit, or truncating a portion in this case. Another possibility is that the pattern I'm using to ID the block of bytes where vmwSTSTenantCredential lives (case-insensitive cn=tenantcredential-1, along with the PKCS#1 and x509v3 magic bytes) is not deterministic enough and you hit that somewhere else and are pulling some random garbage into RSA.new. If you are comfortable getting me the problem .mdb file, I can investigate!
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > show options
Module options (auxiliary/admin/vmware/vcenter_offline_mdb_extract):
Name       Current Setting       Required  Description
----       ---------------       --------  -----------
VC_IP                            no        (Optional) IPv4 address to attach to loot
VMAFD_DB                         no        Path to the vmafd afd.db file
VMDIR_MDB  /home/tmoose/data.md  no        Path to the vmdir data.mdb file
Auxiliary action:
Name  Description
----  -----------
Dump  Dump secrets from vCenter files
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > run
[*] Extracting vmwSTSTenantCredential from /home/tmoose/data.md ...
[-] Auxiliary aborted due to failure: no-target: Failure during extract of PKCS#1 RSA private key
[*] Auxiliary module execution completed
No luck
I'm happy to provide the file to you if you'd like, as this is a mostly-offline test system.
If you could throw it on Box or something, that would be awesome. I should be able to figure out what is going on pretty rapidly.
msf6 payload(linux/aarch64/meterpreter/reverse_tcp) > use auxiliary/admin/vmware/vcenter_offline_mdb_extract
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set VMDIR_MDB /home/tmoose/data.md
VMDIR_MDB => /home/tmoose/data.md
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set verbose true
verbose => true
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > run
[*] Extracting vmwSTSTenantCredential from /home/tmoose/data.md ...
[-] Auxiliary aborted due to failure: no-target: Failure during extract of PKCS#1 RSA private key
[*] Auxiliary module execution completed
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set MDB_CHUNK_SIZE 8192
MDB_CHUNK_SIZE => 8192
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > run
[*] Extracting vmwSTSTenantCredential from /home/tmoose/data.md ...
[-] Auxiliary aborted due to failure: no-target: Failure during extract of PKCS#1 RSA private key
[*] Auxiliary module execution completed
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set MDB_CHUNK_SIZE 16384
MDB_CHUNK_SIZE => 16384
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > run
[*] Extracting vmwSTSTenantCredential from /home/tmoose/data.md ...
[-] Auxiliary aborted due to failure: no-target: Failure during extract of PKCS#1 RSA private key
[*] Auxiliary module execution completed
msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) >
Could you email msfdev[at]metasploit.com and I'll send it back to you?
Sorry I was a bit slow on this, but I figure we should go back to the PR for discussions.
This was the version that I used before, but to verify:
If I remove the rescue and let the error come through OpenSSL:
Added verbose output to the RSA and x509 extraction functions for troubleshooting. Changed error handling to just print an error message instead of throwing an exception temporarily.
Interesting. Looks like Ruby's OpenSSL interface is having trouble parsing the DER/ASN1 when you run it. The only thing noteworthy (potentially) is that you're on Ruby 2.7.2 and I'm on Ruby 3.0.3, but I still have no clear picture of what is going on. I just pushed a commit that adds some verbose output to the key functions; could you please re-attempt your testing with set verbose true and email me the output? You can just post it here too, if you don't mind the private key material potentially being exposed. This should tell me at least what bytes it is trying to turn into a PKCS#1 key, and from there it may be possible to pin down the issue.
The Ruby looks old because I use rvm. When I switch into the metasploit directory, it changes to 3.0.2:
That said, the latest update seems to work, now 🎉 ?
The only change was converting the key data to Base64/PEM before passing it to OpenSSL::PKey::RSA.new() - so I guess we can say that method insists on PEM-formatted input in your case. I am going to try running on a few different distros / builds to see if I can pin down the root cause, but for now I guess we resolved this?
I apologize; I guess I never assigned myself to this, so I completely forgot about it. I assigned myself to it so I won't get too distracted again. Were you able to verify the root cause of the error? I'm thinking that we've documented the occurrence here, and seemingly found a fix to the discovered error, so I'm game to go ahead with this PR and land it if you are OK with that. We can keep an eye open and see if anyone else runs into this issue again.
Pinging @npm-cesium137-io; are we OK landing this?
@bwatters-r7 I should think it should be ready to go, so long as it functions. I was able to reproduce the issue: the Ruby 2.x OpenSSL module seems not to like DER format, 3.x appears to be fine with either. My rig is on 3.x so I didn't notice this. Looking at some of my other stuff uncovered the same bug in modules that do DER/PEM vs. just DER, so def. in the future I'll just make sure to explicitly convert to PEM just to be backwards compatible. I'm good w/ landing this. Thanks!
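The two failure modes discussed in this thread, a key buffer truncated by the chunk size and raw DER handed to a Ruby 2.x OpenSSL binding, as an added example that is not the module's own code. It checks the outer DER SEQUENCE length against the buffer before parsing, then wraps the DER in a PEM envelope the way the final fix does; the sample key is generated on the spot in place of carved data, and the function names are assumptions.

```ruby
require 'openssl'

# Return the total byte length claimed by the outer DER SEQUENCE header of a
# PKCS#1 RSAPrivateKey (tag + length octets + content), or nil if the buffer
# does not begin with a valid SEQUENCE header.
def der_sequence_total_length(bytes)
  b = bytes.b
  return nil if b.bytesize < 2 || b.getbyte(0) != 0x30
  first = b.getbyte(1)
  return 2 + first if first < 0x80          # short-form length
  n = first & 0x7f                          # long form: n length octets follow
  return nil if n.zero? || b.bytesize < 2 + n
  len = b.byteslice(2, n).bytes.inject(0) { |acc, x| (acc << 8) | x }
  2 + n + len
end

# True when the buffer ends before the DER encoding says it should, which is
# what an undersized MDB_CHUNK_SIZE would produce.
def der_truncated?(bytes)
  total = der_sequence_total_length(bytes)
  total.nil? || bytes.bytesize < total
end

# Wrap DER in a PEM envelope: strict Base64 at 64 columns between BEGIN/END
# markers. Bytes beyond the DER length (carving slop) are dropped first.
def der_to_pem(der, label = 'RSA PRIVATE KEY')
  total = der_sequence_total_length(der)
  raise ArgumentError, 'buffer is not a complete DER SEQUENCE' if total.nil? || der.bytesize < total
  body = [der.byteslice(0, total)].pack('m0').scan(/.{1,64}/).join("\n")
  "-----BEGIN #{label}-----\n#{body}\n-----END #{label}-----\n"
end

# Load the key via PEM, the route that works on both the Ruby 2.x and 3.x
# OpenSSL bindings, instead of handing raw DER to OpenSSL::PKey::RSA.new.
def load_rsa_private_key(der)
  OpenSSL::PKey::RSA.new(der_to_pem(der))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a freshly generated key stands in for carved data.
  key = OpenSSL::PKey::RSA.new(2048)
  der = key.to_der
  puts "complete DER: truncated? #{der_truncated?(der)}"
  puts "short by 16 bytes: truncated? #{der_truncated?(der.byteslice(0, der.bytesize - 16))}"
  reloaded = load_rsa_private_key(der + "\x00\x00slop".b)
  puts "round trip ok: #{reloaded.to_der == der}"
end
```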
Release Notes: This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.
Now that PR #16484 has landed (yay!) - this module might actually be useful. Not sure if this is overkill but it is designed to extract the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup) - very helpful now that vcenter_forge_saml_token is available. Right now it will only pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, but that is plenty. Very WYSIWYG.