sadshade / veeam-creds

Collection of scripts to retrieve stored passwords from Veeam Backup
GNU General Public License v3.0

Thx for awesome script. Gimme some advice pls. How to bypass certificate error. Thx so much. #1

Open TAI-REx opened 2 years ago

TAI-REx commented 2 years ago

After doing the connection from the Veeam console, I got an error in the server-side script veeampot.py. It's something about the SSL cert.

Exception happened during processing of request from ('x.x.x.x.', xxxxx)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 415, in handle_one_request
    method()
  File "veeampot.py", line 43, in do_POST
    print("Login: " + re.search('(.*)', post_data, re.IGNORECASE).group(1))
AttributeError: 'NoneType' object has no attribute 'group'

Thx a lot.

sadshade commented 2 years ago

Hi,

It seems the script can't find the userName field in the request. In the last commit I added an option for debugging. Change DEBUG to True, and look at the last request.

It should look like this:

Recived GET request # 1
Recived GET request # 2
Recived POST request #3:
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>
<RetrieveServiceContent xmlns="urn:vim25"><_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent></soap:Body></soap:Envelope>

Recived POST request #4:
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>
<RetrieveInternalContent xmlns="urn:vim25"><_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveInternalContent></soap:Body></soap:Envelope>

Recived POST request #5:
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>
<Login xmlns="urn:vim25"><_this type="SessionManager">ha-sessionmgr</_this><userName>XXXXXXXXX</userName>
<password>XXXXXXXXX</password></Login></soap:Body></soap:Envelope>

TAI-REx commented 2 years ago

Hi Mr. sadshade. Now I got this output:

python3 veeampot.py
Waiting Veeam on port 8443...

Exception happened during processing of request from ('IPIPIPI', 64478)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 395, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
  File "/usr/lib/python3.8/ssl.py", line 1241, in recv_into
    return self.read(nbytes, buffer)
  File "/usr/lib/python3.8/ssl.py", line 1099, in read
    return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:2635)

Recived GET request # 1
Recived GET request # 2
Recived POST request #3:
<?xml version="1.0" encoding="utf-8"?><_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>

Recived POST request #4:
<?xml version="1.0" encoding="utf-8"?><_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>

Recived POST request #5:
<?xml version="1.0" encoding="utf-8"?><_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>

Exception happened during processing of request from ('XXX.X.XXX.XX.', 248)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 415, in handle_one_request
    method()
  File "veeampot.py", line 77, in do_POST
    print("Login: " + re.search('(.*)', post_data, re.IGNORECASE).group(1))
AttributeError: 'NoneType' object has no attribute 'group'

Recived POST request #5:
<?xml version="1.0" encoding="utf-8"?><_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>

Exception happened during processing of request from ('XXX.XXX.XXX.XXX', 64513)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 415, in handle_one_request
    method()
  File "veeampot.py", line 77, in do_POST
    print("Login: " + re.search('(.*)', post_data, re.IGNORECASE).group(1))
AttributeError: 'NoneType' object has no attribute 'group'

Recived POST request #5:
<?xml version="1.0" encoding="utf-8"?><_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>

Exception happened during processing of request from ('XXX.XXX.XXX.XXX', 29138)
Traceback (most recent call last):
  File "/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/usr/lib/python3.8/http/server.py", line 415, in handle_one_request
    method()
  File "veeampot.py", line 77, in do_POST
    print("Login: " + re.search('(.*)', post_data, re.IGNORECASE).group(1))
AttributeError: 'NoneType' object has no attribute 'group'

and veeam says that: veeampot

TAI-REx commented 2 years ago

I tested on Veeam build 11.0.1.1261.

sadshade commented 2 years ago

Hi TAI-REx,

You can ignore all SSL-related warnings/exceptions, because it's a self-signed certificate.

What confuses me is the requests from Veeam. The data below does look like a truncated piece of a SOAP request: <_this type="ServiceInstance">ServiceInstance

If Veeam sends this, it's a problem. If the other data was removed by you to hide sensitive data, it's OK. Just look at the last two lines of request #5 and you can find the creds.

Unfortunately I don't have Veeam 11, but in the documentation I've found the ability to add a vCloud Director server alongside vSphere. Please choose vSphere in the wizard.

sadshade commented 2 years ago

It would be great if you could provide me the full HTTP requests from Veeam. You can use the Burp Invisible Proxy feature for this purpose.

TAI-REx commented 2 years ago

Sry for the long reply. Thx one more time for your open source activity. I will catch the HTTP requests via Burp soon and will post them here.

eedori commented 1 year ago

Hi. The issue seems to be a SOAP request, at least in my case of a similar finding. Capturing the full HTTP request from Veeam results in this interesting find:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
        <RetrieveInternalContent
            xmlns="urn:vim25">
            <_this type="ServiceInstance">ServiceInstance</_this>
        </RetrieveInternalContent>
    </soap:Body>
</soap:Envelope>
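
An added example, not part of the thread or of veeampot.py: the `AttributeError` in the tracebacks is `re.search` returning None for a body it could not match. For someone reviewing captured vim25 traffic, this sketch names the SOAP operation in each body, redacts the password before anything is logged, and returns `(None, {})` instead of raising on truncated input; `describe_vim25_request`, `local` and the sample bodies are assumptions constructed from the requests quoted in the thread.

```python
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
REDACT = {"password"}  # fields never written to logs

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def describe_vim25_request(body):
    """Return (operation, fields); (None, {}) when no operation can be read."""
    raw = body.encode("utf-8") if isinstance(body, str) else body
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return None, {}          # refuse DTDs: no entity expansion on captured input
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None, {}          # truncated or tag-stripped capture
    soap_body = root.find(SOAP_BODY)
    if soap_body is None or len(soap_body) == 0:
        return None, {}          # envelope without an operation element
    op = soap_body[0]
    fields = {local(c.tag): "<redacted>" if local(c.tag) in REDACT else (c.text or "")
              for c in op}
    return local(op.tag), fields

# Constructed samples, modelled on the requests quoted in the thread.
ENVELOPE = ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body>{}</soap:Body></soap:Envelope>')
RETRIEVE = ENVELOPE.format('<RetrieveInternalContent xmlns="urn:vim25">'
                           '<_this type="ServiceInstance">ServiceInstance</_this>'
                           '</RetrieveInternalContent>')
LOGIN = ENVELOPE.format('<Login xmlns="urn:vim25">'
                        '<_this type="SessionManager">ha-sessionmgr</_this>'
                        '<userName>XXXXXXXXX</userName>'
                        '<password>XXXXXXXXX</password></Login>')
TRUNCATED = ('<?xml version="1.0" encoding="utf-8"?>'
             '<_this type="ServiceInstance">ServiceInstance</soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for sample in (RETRIEVE, LOGIN, TRUNCATED):
        print(describe_vim25_request(sample))
```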