Decrypting Veeam passwords is possible, so VBR servers must be protected


Userlevel 7
Badge +13

While browsing the web, I found this interesting article published by Scottie Austin, a red team hacker. In his article, he shows how it can be a disaster if a malicious user gains access to the VBR server, because decrypting Veeam credentials can be done.

Based on the Veeam documentation (https://helpcenter.veeam.com/docs/agentforwindows/configurator/encryption.html?ver=50), user credentials are encrypted before they are stored in the database, and KB2327 (https://www.veeam.com/kb2327) says DPAPI crypto functions are used for encrypting and decrypting management data.

So, by exporting the DPAPI keys from the VBR server the attacker gained access to in the first phase of the attack, breaking into SQL and then applying the reverse function using Mimikatz or SharpDPAPI, the password can be decrypted in steps, from encrypted to HEX to ASCII.

This is an interesting example of why VBR servers must be protected from unauthorized access, and how a malicious attacker can exploit such access.

Source with more content:

https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/
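An added example, not part of the original post and not Veeam's code, to show the DPAPI point in working code: a blob protected with machine-scope DPAPI can be recovered by any code running on the same host, which is why exporting the host's DPAPI keys is the first step of the attack described above. The LocalMachine scope and the hex storage format are assumptions for this illustration; KB2327 only says that DPAPI functions are used.

```powershell
# Added example (not from the original post, not Veeam's code). Assumptions: the
# credential is protected with DataProtectionScope.LocalMachine and stored as hex.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scope)
    # Hex string, like a binary column dumped from the configuration database
    return ([BitConverter]::ToString($blob)).Replace('-', '')
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Hex)
    # The reverse path the post describes: hex -> bytes -> DPAPI Unprotect -> text
    $bytes = [byte[]]::new([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, $scope)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

$hex = Protect-Secret -PlainText 'Sup3rS3cret!'      # constructed sample secret
"Stored blob (hex):   $hex"
"Recovered on host:   $(Unprotect-Secret -Hex $hex)"

# Run Unprotect-Secret under any other local account on this machine and it still
# succeeds: LocalMachine-scope keys belong to the host, not to the user.
# Copy $hex to a different machine and Unprotect throws a CryptographicException,
# because the blob is bound to this host's DPAPI machine master key. That is why
# the attack starts by exporting the keys from the VBR server itself.
```

The second half of the demonstration is the one that matters for defenders: the encryption is only as strong as the access control on the host that holds the keys.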


19 comments

Userlevel 7
Badge +8

Interesting article but this assumes that access to the VBR has been compromised...

Userlevel 7
Badge +13

You’re correct, this article assumes access to Windows disk files!

 

Userlevel 7
Badge +8

Or maybe it could be reproduced with access to the configuration backup, stealing it from the repo along with the encryption key.

Userlevel 7
Badge +13

Or more simply, a domain-joined VBR server where the credentials of a domain admin got dumped and the key files were accessed via \\VBRserver\C$.

There’s a ton of ways 😅

Userlevel 7
Badge +9

Interesting article but this assumes that access to the VBR has been compromised...

+1

Userlevel 7
Badge +20

Wow that is definitely interesting to read.  Security should be top of mind for your backup environment. 

Userlevel 7
Badge +9

Wow that is definitely interesting to read.  Security should be top of mind for your backup environment. 

Seconded!

Userlevel 7
Badge +7

Interesting article but this assumes that access to the VBR has been compromised...

+1

Wow that is definitely interesting to read.  Security should be top of mind for your backup environment. 

Seconded!

Good to know @marcofabbri 

As you know better than me, all systems are attackable if there are no security systems and no preparation to mitigate hacker attacks.

First of all, the VBR server must not be joined to the domain.
If you are forced to put the VBR in the domain, it is necessary to implement GPOs to prevent the use of Mimikatz.
There are various techniques; I attach some links.

 

Mimikatz – Active Directory Security (adsecurity.org)

Preventing Mimikatz Attacks. Mimikatz is playing a vital role in… | by Panagiotis Gkatziroulis | Blue Team | Medium

Defending Windows Domain Against Mimikatz Attacks | Windows OS Hub (woshub.com)

How to Mitigate Mimikatz WDigest Cleartext Credential Theft - Praetorian
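An added example, not from the reply above and not a Veeam tool, that turns the mitigations it lists into a quick local audit of a backup server: domain membership, the WDigest and LSA protection settings the linked Mimikatz articles discuss, Credential Guard, and whether domain groups sit in the local Administrators group. The registry paths and WMI classes are the documented Windows ones; the pass/fail baseline is this example's, not a Veeam recommendation.

```powershell
# Added example (not from the original reply, not Veeam's code). Run as a local
# administrator on the backup server. Pass/fail thresholds are this example's baseline.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-VbrHardeningReport {
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $wdigest  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $runAsPpl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $dg       = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 1 when Credential Guard is active
    $credGuardOn = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $domainAdminsLocal = @($admins | Where-Object { $_.Name -like '*\Domain Admins' })

    $domainValue   = if ($cs.PartOfDomain) { $cs.Domain } else { 'workgroup' }
    $wdigestValue  = if ($null -eq $wdigest)  { 'not set' } else { $wdigest }
    $runAsPplValue = if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl }
    $daValue       = if ($domainAdminsLocal.Count) { $domainAdminsLocal.Name -join ', ' } else { 'none' }

    @(
        [pscustomobject]@{ Check = 'Server is not domain-joined';                 Value = $domainValue;   Pass = (-not $cs.PartOfDomain) }
        [pscustomobject]@{ Check = 'WDigest UseLogonCredential = 0';              Value = $wdigestValue;  Pass = ($wdigest -eq 0) }
        [pscustomobject]@{ Check = 'LSA protected process (RunAsPPL 1 or 2)';     Value = $runAsPplValue; Pass = ($runAsPpl -in @(1, 2)) }
        [pscustomobject]@{ Check = 'Credential Guard running';                    Value = $credGuardOn;   Pass = $credGuardOn }
        [pscustomobject]@{ Check = 'No Domain Admins in local Administrators';    Value = $daValue;       Pass = ($domainAdminsLocal.Count -eq 0) }
    )
}

Get-VbrHardeningReport | Format-Table -AutoSize
```

A "not set" WDigest value means the OS default applies, which is 0 only on Windows 8.1 / Server 2012 R2 and later; setting it explicitly via GPO removes the doubt. The last check is the scenario from the earlier comment: a domain admin whose hash is dumped anywhere else in the domain should not automatically be an administrator on the backup server.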

 

 

Userlevel 7
Badge +13

 

First of all the VBR server must not be included in the domain.

+1 for the "don't add to the domain" religion.

Userlevel 7
Badge +9

Good to know @marcofabbri 

As you know better than me, all systems are attackable if there are no security systems and no preparation to mitigate hacker attacks.

First of all, the VBR server must not be joined to the domain.
If you are forced to put the VBR in the domain, it is necessary to implement GPOs to prevent the use of Mimikatz.
There are various techniques; I attach some links.

 

Mimikatz – Active Directory Security (adsecurity.org)

Preventing Mimikatz Attacks. Mimikatz is playing a vital role in… | by Panagiotis Gkatziroulis | Blue Team | Medium

Defending Windows Domain Against Mimikatz Attacks | Windows OS Hub (woshub.com)

How to Mitigate Mimikatz WDigest Cleartext Credential Theft - Praetorian

 

 

Spot on as well @Link State. I think @Nico Losschaert has an excellent guide on ways to harden the VBR Server and I would like to share it once again. 

Userlevel 7
Badge +7

Very interesting article. 

 

First of all the VBR server must not be included in the domain.

+1 for the "don't add to the domain" religion.

+1 from me too

 

Userlevel 7
Badge +17

Very interesting article. 

 

First of all the VBR server must not be included in the domain.

+1 for the "don't add to the domain" religion.

+1 from me too

 

Or use a separate, dedicated “Backup” domain….

Userlevel 7
Badge +20

Spot on as well @Link State. I think @Nico Losschaert has an excellent guide on ways to harden the VBR Server and I would like to share it once again. 

Just an FYI, this link does not work any more.

Userlevel 7
Badge +9

Just an FYI, this link does not work any more.

Hello @Chris.Childerhose, I can access it. Here it is below

 

Userlevel 7
Badge +20

Hello @Chris.Childerhose, I can access it. Here it is below

 

Very weird, now it is working. 😋😂

Userlevel 7
Badge +10

You’re correct, this article assumes access to Windows disk files!

 

And this is the root cause: anyone on a network with administrative access and unlimited time will eventually do something bad.

Userlevel 7
Badge +12

In fact you don't even need Mimikatz to decrypt the credentials, but this doesn't change the key point; the backup server needs special protection. Thanks for posting this @marcofabbri 

Userlevel 7
Badge +7

You’re correct, this article assumes access to Windows disk files!

 

And this is the root cause: anyone on a network with administrative access and unlimited time will eventually do something bad.

A secure computer is an off computer. (cit. Kevin D. Mitnick, 2001) 😋

Userlevel 7
Badge +13

Thanks for this post! It should really be common knowledge that when a hacker is able to enter the VBR server, he/she is able to read every login in the VBR database. Therefore, keep your VBR server safe like Fort Knox!
