Everyone knows that Veeam is a pretty cool and common tool for backing up virtual machines. Did you know that Veeam can be useful not only for creating backups, but also can be a good source of data when conducting penetration testing. In this article, I will share my best practices on using Veeam as a penetration testing tool .
So, what exactly does Veeam give us as a toolkit? You know that Veeam has a role-based access system, but usually the default settings are left intact - the administrative group includes users from the local administrator group of the host. Thus, access to the console can be obtained by obtaining a service account or a user account with administrator rights on the OS.
Veeam Roles / Users
TL; DR
You can restore individual files from backups, for example, the Active Directory database, as well as get saved credentials for connecting to hypervisors, VMs, etc. two ways. Link to scripts at the end of the page.
Veeam allows you to make backups from VMs to vSphere and Hyper-V and much more. These backups can be restored not only to the hypervisor, but also to a local disk. In addition, it has such an interesting feature as recovering individual files from a VM. Already understood where I'm going, right? Of course, you can restore the Active Directory base.
Veeam Backup List
After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, we need several files:
Veeam Single File Recovery Wizard
Having restored these files, it will not be difficult to obtain password hashes, for this there are several utilities: impacket-secretsdump, ntdsxtract
An example of how the secretsdump utility works
If it was not possible to connect to the Veeam console, but you have access to the backup files, then you can use the Veeam Backup Extract Utility to extract.
Veeam Backup Extract Utility
Veeam Credential Manager
Of course, you can't just take and get a password through the manager, but don't worry, I have two working methods for you!
I warn you in advance, the methods were tested for operability on the Veaam 9.5 version, for newer versions, you may have to work with a file.
Method one - connecting to a fake vSphere host
This method is suitable for cases in which you were able to connect to the Veeam console and you have the right to create new connections to the hypervisor. It doesn't matter if the console is running on the same host or on a different one.
The bottom line is that when Veeam connects to an ESXi host, the username and password are transmitted with a simple POST request, like this:
VSphere Authorization Request
To obtain a password in this way, you can use utilities such as OWASP ZAP or Burp Suite, provided that you have a working vSphere host, but such conditions are not always present. For convenience, a small Python script has been prepared that emulates the responses of the ESXi SOAP interface. The link to the repository is given at the end of the article.
Using this script, you can get the password for the desired account from Veeam in a few steps:
Veeampot.py script output
Method two - getting passwords directly from the database
The first method is certainly suitable in most cases when you are on the customer's local network with your favorite laptop and a charged Kali Linux. And what if there is no machine with python nearby or RDP is not possible to use, but there is an escalated session with Empire / Meterpreter, or just too lazy to collect passwords one at a time?
Before continuing, a few technical details. Veeam stores credential manager passwords in its database along with other settings. These passwords are encrypted using the Data Protection API (DPAPI), the key of the local machine. The data for connecting to the database is stored in the HKLM registry branch and you need elevation of rights (UAC) to access it.
Thus, to get passwords in clear text, you need to do the following:
Veeam-Get-Creds.ps1 script output
If you want to use the script in PowerShell Empire, you can run it on the agent by going to the command line (shell) mode.
You can get a "one-liner" from a script by running the following commands in Linux:
echo -n "powershell -enc "; \
iconv -f UTF-8 -t UTF-16LE < \
Veeam-Get-Creds.ps1 | base64 -w0
But this is not convenient, and the output of the command will not be structured. It is much more convenient to use framework modules to get information from an agent. For this, the VeeamGetCreds.yaml module was prepared, which contains an adapted PowerShell script for obtaining passwords from the Veeam database.
To use it, copy the module to the empire / server / modules / powershell / credentials folder of the Empire server, then start the server and client. The module can then be used as usual.
Displaying VeeamGetCreds module in Empire
Thank you for your attention, I hope this information will be useful.
Link to the repository with all scripts
P.S. Information provided for educational purposes. Use only if you have owner permission to disclose credentials.
So, what exactly does Veeam give us as a toolkit? You know that Veeam has a role-based access system, but usually the default settings are left intact - the administrative group includes users from the local administrator group of the host. Thus, access to the console can be obtained by obtaining a service account or a user account with administrator rights on the OS.
Veeam Roles / Users
TL; DR
You can restore individual files from backups, for example, the Active Directory database, as well as get saved credentials for connecting to hypervisors, VMs, etc. two ways. Link to scripts at the end of the page.
Veeam allows you to make backups from VMs to vSphere and Hyper-V and much more. These backups can be restored not only to the hypervisor, but also to a local disk. In addition, it has such an interesting feature as recovering individual files from a VM. Already understood where I'm going, right? Of course, you can restore the Active Directory base.
Restoring the Active Directory database
To recover individual files, select the desired VM from the list of tasks under Backups> Disk> $ {JOB_NAME} and select the recovery mode for individual files from the menu.
Veeam Backup List
After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, we need several files:
- ntds.dit - encrypted AD database;
- SYSTEM - the registry branch containing the BootKey encryption key;
- SECURITY - the registry branch containing the cached LSA Secrets passwords;
- SAM - The Security Accounts Manager, which contains hashes of passwords for local users.
Veeam Single File Recovery Wizard
Having restored these files, it will not be difficult to obtain password hashes, for this there are several utilities: impacket-secretsdump, ntdsxtract
An example of how the secretsdump utility works
If it was not possible to connect to the Veeam console, but you have access to the backup files, then you can use the Veeam Backup Extract Utility to extract.
Veeam Backup Extract Utility
Retrieving Credentials from Veeam Database
If the backups do not contain useful information, then you can pay attention to the credentials that Veeam stores to connect to hosts when creating backups. Most often, these are privileged accounts for connecting to a hypervisor or to a VM to perform administrative tasks before creating a copy.
Veeam Credential Manager
Of course, you can't just take and get a password through the manager, but don't worry, I have two working methods for you!
I warn you in advance, the methods were tested for operability on the Veaam 9.5 version, for newer versions, you may have to work with a file.
Method one - connecting to a fake vSphere host
This method is suitable for cases in which you were able to connect to the Veeam console and you have the right to create new connections to the hypervisor. It doesn't matter if the console is running on the same host or on a different one.
The bottom line is that when Veeam connects to an ESXi host, the username and password are transmitted with a simple POST request, like this:
VSphere Authorization Request
To obtain a password in this way, you can use utilities such as OWASP ZAP or Burp Suite, provided that you have a working vSphere host, but such conditions are not always present. For convenience, a small Python script has been prepared that emulates the responses of the ESXi SOAP interface. The link to the repository is given at the end of the article.
Using this script, you can get the password for the desired account from Veeam in a few steps:
- Clone a repository with a script:
- git clone <REPO>
- Run the veeampot.py script on the controlled machine:
- cd veeam-creds; python3 veeampot.py
- Create a new connection to the vSphere server in the Veeam console in the Inventory section;
- Enter the address of the machine with the running script by specifying the connection port 8443;
- Select the desired account and complete the wizard;
- Get the password in the script output;
Laugh out loud if used with domain administrator rights.
Veeampot.py script output
Method two - getting passwords directly from the database
The first method is certainly suitable in most cases when you are on the customer's local network with your favorite laptop and a charged Kali Linux. And what if there is no machine with python nearby or RDP is not possible to use, but there is an escalated session with Empire / Meterpreter, or just too lazy to collect passwords one at a time?
Before continuing, a few technical details. Veeam stores credential manager passwords in its database along with other settings. These passwords are encrypted using the Data Protection API (DPAPI), the key of the local machine. The data for connecting to the database is stored in the HKLM registry branch and you need elevation of rights (UAC) to access it.
Thus, to get passwords in clear text, you need to do the following:
- Get data for connecting to the Veeam database;
- Connect to the database and get login / encrypted password records;
- Decrypt passwords using DPAPI.
Veeam-Get-Creds.ps1 script output
If you want to use the script in PowerShell Empire, you can run it on the agent by going to the command line (shell) mode.
You can get a "one-liner" from a script by running the following commands in Linux:
echo -n "powershell -enc "; \
iconv -f UTF-8 -t UTF-16LE < \
Veeam-Get-Creds.ps1 | base64 -w0
But this is not convenient, and the output of the command will not be structured. It is much more convenient to use framework modules to get information from an agent. For this, the VeeamGetCreds.yaml module was prepared, which contains an adapted PowerShell script for obtaining passwords from the Veeam database.
To use it, copy the module to the empire / server / modules / powershell / credentials folder of the Empire server, then start the server and client. The module can then be used as usual.
Displaying VeeamGetCreds module in Empire
Thank you for your attention, I hope this information will be useful.
Link to the repository with all scripts
P.S. Information provided for educational purposes. Use only if you have owner permission to disclose credentials.
