Add vcenter_secrets_dump post module #16871
Conversation
@ErikWynter @npm-cesium137-io can you all test this module? I suspect there are still some bugs (hence why it's a draft) since my vCenter doesn't have any ESXs connected to control, and there are many ways to configure vCenter other than what I have. Please post (sanitized) output here; I left the docs in their old state until I can finalize everything a bit more.
@msjenkins-r7 test this please.
Nice work, love the comments :D
There seems to be some overlap in the functionality you have here with other libs; might be a good idea to have a discussion on how we want to consolidate them? Things like vm_dir for example.
I'm going to go ahead and open this up. While it isn't 100% finished, I don't have SSO set up and am hoping someone will who can test that portion; it's the last part and I just need to know what the output is from the
Are we blocked on this? I can't guarantee we'll have an SSO setup for testing, so if we're blocked on that, would it make sense to just omit it for now?
Module will work w/o it, so shouldn't be a blocker.
documentation/modules/post/linux/gather/vcenter_secrets_dump.md (review threads outdated, resolved)
Updated to address comments.
looks like this was in the previous commit, looking into it still
@h00die thanks for continuing to work on this! Unfortunately I haven't come across a vulnerable instance in quite a while, but next time I do, I'll try to run this one.
problem solved, believe ready for review again
just checking in on this, before it falls off the to do list
#16871 (comment) still looks unanswered/unresolved.
good catch, the gui was hiding that from me. merged, tested, uploaded.
Release Notes: Add post/linux/gather module to dump vCenter vmdir dcAccountPassword and platform certificates.
@npm-cesium137-io just wanted to make sure you saw this landed to framework. Sorry it took so long!
@h00die congrats! feel free to ping me if you have any questions about the db stuff or run into anything weird
print_status('Found SSO Identity Source Credential:')
print_good("#{sso_prov_type} @ #{sso_conn_str}:")
print_good("\t SSOUSER: #{sso_user}")
print_good("\t SSOPASS: #{sso_pass}")
@h00die @npm-cesium137-io I came across a vCenter today where the password contains a single \, however the module printed \\. I'll debug tomorrow at which stage we shall de-escape.
@h00die: Correction. The password I got wrongly on screen is not the above but this one: print_good("vSphere SSO DC PW: #{bind_pw}") coming from get_domain_dc_password of lib/msf/core/post/vcenter/vcenter.rb.
The string grepped from the registry is already backslash escaped, which works well for self.shell_bind_pw (and later use in a shell command), but for the screen and for store_valid_credential we shall de-escape it.
Example:
- on screen and stored as credential: vSphere SSO DC PW: Password\\123
- the actual password is: Password\123
Other special characters might in theory be escaped too, though.
funny update. My bind password has a backtick too, which is for bash a special character, so apart from escaping " via self.bind_pw = bind_pw.gsub('"') { '\\"' } we shall escape the backtick too for the shell_bind_pw variable.
Besides, I believe escaping " and backtick shall be done for shell_bind_pw only and not for bind_pw, which is printed and stored as credential.
end
# pull out the name from the url
unless output['url'].nil?
  output['name'] = output['url'].split('/').last
@h00die: it may also have the form jdbc:postgresql://localhost:5432/VCDB?sslmode=disable; in that case an additional, sort of, split('?')[0] is required.
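The two review threads above (the backslash-escaped bind password that must be de-escaped before it is printed or stored, but shell-escaped, including backtick, before it goes into a command; and the JDBC URL whose database name must survive a trailing ?sslmode=disable) are easy to get wrong in the same function. The following is an added example written for this page, not code from this PR or from lib/msf/core/post/vcenter/vcenter.rb. It keeps the three forms of the password apart and parses the URL with the standard library. All sample values are constructed; the de-escaping rule (a single backslash prefix per escaped character, as the Password\\123 example suggests) is an assumption.

```ruby
require 'uri'

# Added example (not the module's own code). Three forms of a vCenter bind password:
#   raw      - backslash-escaped string as read from the registry/config file
#   real     - what should be printed and passed to store_valid_credential
#   shell    - a double-quoted form that is safe inside a shell command line

# Undo one level of backslash escaping: "\\" -> "\", and generically "\x" -> "x".
# Assumption: the stored value escapes each special character with one backslash.
def unescape_registry_value(raw)
  raw.gsub(/\\(.)/m) { Regexp.last_match(1) }
end

# Quote a value for use inside a POSIX double-quoted shell argument. Inside "..."
# only \ " ` and $ keep special meaning, so exactly those are escaped. Escaping
# only " (as the reviewed code did) would leave ` and $ live in the command.
def shell_double_quote(value)
  '"' + value.gsub(/(["`\\$])/) { "\\#{Regexp.last_match(1)}" } + '"'
end

# Split a JDBC URL such as jdbc:postgresql://localhost:5432/VCDB?sslmode=disable
# into host, port, database name and query. The name is the last path segment;
# URI parsing drops the ?query part, so a plain split('/').last no longer sees it.
def parse_jdbc_url(url)
  return nil if url.nil?

  uri = URI.parse(url.sub(/\Ajdbc:/, ''))
  {
    host: uri.host,
    port: uri.port,
    name: uri.path.to_s.split('/').last,
    query: uri.query
  }
end

# Round-trip the quoted value through /bin/sh to prove the quoting is correct.
# Returns true if the shell hands back the original bytes, nil if no sh exists.
def shell_roundtrip?(value)
  out = IO.popen(['sh', '-c', "printf '%s' #{shell_double_quote(value)}"], &:read)
  out == value
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  raw = 'Password\\\\123'                # constructed: the two-backslash registry form
  real = unescape_registry_value(raw)   # Password\123, the real password
  puts "raw from registry : #{raw}"
  puts "print/store this  : #{real}"
  puts "use in shell as   : #{shell_double_quote(real)}"
  puts "shell round trip  : #{shell_roundtrip?('p`w"d$1\\x').inspect}"
  puts "jdbc url parsed   : #{parse_jdbc_url('jdbc:postgresql://localhost:5432/VCDB?sslmode=disable').inspect}"
end
```

The single-quoted alternative ('…' with embedded ' rewritten as '\'') is also valid and needs no per-character list, but the double-quoted form above matches the style of the existing self.shell_bind_pw escaping, so it is the easier drop-in.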
@HynekPetrak these are really good issues/things to bring up. Can you start an issue and tag me on it so they don't get lost on this already merged module? I'll either add the updates to #17214 or PR them up if that one lands before I can get to these.
Hi, I'm amazed that you were able to whip that, uhm, comprehensive pile of code I plopped here into something workable, can't wait to try it out! P.S. trying to deal with all the shell escaping for bind / DB passwords shaved years off my life, too, IKTF.
This is a rework of #16465 and expands on the work of @npm-cesium137-io, but unfortunately they seem to have gone missing (mainly due to my rework taking a long time). It moves many of the functions to a library and includes a spec so we can track changes and ensure the code is working.
This PR is part of a series of PRs. After this lands, I'll add in @ErikWynter's two modules, but want to get this pushed to master before we start expanding so we have a good base of work to go off of.
This module adds a new post module for vcenter. To test it, you'll want to root a vCenter (I've been using my log4j box for this purpose).

Verification
msfconsole
exploit/multi/http/vmware_vcenter_log4shell
use vcenter_secrets_dump
set session 1