Veeam Backup & Recplication is a widely used tool for backing up virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors. If you manage to compromise the Veeam Backup & Replication serveur, you can extract passwords and hashes from its database or from the machines that are backed up
Veam servers used for the backup should not be joined to the domain, so when attackers compromise the domain, they can't destroy your backup.
Practice
Credentials Dump
Veeam requires the username and password for any machine you want to back it up. The user provided should have high privileges on the machine, so usually, if you're going to backup the domain devices, you will put administrator creds. Veeam stores these creds on MS-SQL using ProtectedData.Protect method of CryptoAPI. You can easily extract them if you have admin privilege on the Veeam Server.
You can do this step by running the veeam-creds script and extract passwords.
.\Veeam-Get-Creds.ps1
If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.
It doesn’t matter if the console is running on the same host or on a different one.
This will dumpt the password hashes. Copy them and then run a PowerShell interface
Add-Type-Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"$encoded='INSERT_HASH_HERE'[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
copy VeeamGetCreds.yaml to empire/server/modules/powershell/credentials/ folder
Run Empire server and client
Use as usual Empire module by name /powershell/credentials/VeeamGetCreds
Backup Machines - Hashes Extraction
If you can access a backup image, you can restore it on your local disk. More interesting, we can use the Veam individual files recover feature. Depending on the server backup type, you may extract SAM and LSA secrets from registry hives or even the NTDS.dit file if it's a domain controller. Check this section for more information about credentials dumping.
When you have a valid backup image, Veeam provides a restore mechanism by "VBK Extract". You can exfiltrate the backup images and extract the backup in multiple extensions like VMDM, VHD, or VHDX on your attacking host.
#Before, copy backups files in the current directory#VBK Extract on linuxtar-zxvfVeamExtract*./extract
We can then create a new VM from this files or mount it to our disk to recover sensitive files.
From the Veeam console, to restore individual files, you need to select the required VM from the list of tasks from the section Backups > Disk > ${JOB_NAME} and select the recovery mode for individual files from the menu.
After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, you can extract several files:
Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database or perform remote code execution.
