A couple of weeks ago I helped a friend with a penetration test for a company that used the OpenVAS vulnerability scanner (https://www.openvas.org/). OpenVAS, like most vulnerability scanners, uses pre-configured credentials to perform authenticated scans. Getting your hands on one of these credentials during a pentest usually means gaining broad access to the environment: most of the time system administrators use a small set of accounts with administrative privileges for vulnerability scanning, since configuring many different credentials for different assets is not efficient.
We got access to the tool's web interface by finding the credentials in a system administrator's mailbox (who would have thought =P). Once we did that, we jumped to the credentials section to check whether any User+Password credentials were configured. OpenVAS supports other credential types, but retrieving those, if it is possible at all, is out of the scope of this article. Lucky for us, they had a couple of User+Password credentials configured, and they were new to us, meaning we had not obtained them through other techniques at that point.
There were two credentials we wanted to retrieve the passwords for. Our first idea was to spawn an SSH honeypot (https://github.com/desaster/kippo) and trigger an SSH scan with it as the target; once the scanner tried to authenticate against the honeypot, we would have the username and password it used. The idea was solid, but we were never able to test it because the scanning engine was completely unresponsive at the time: we could neither cancel the stuck scanning tasks, which had been running for months, nor start new ones. At first we thought this was a dead end, as neither of us had much experience with the tool. But before moving on we decided to spend some time researching OpenVAS’s credential management by “RTFM” (always a good idea). One feature caught my attention: Download an EXE package for Microsoft Windows (https://docs.greenbone.net/GSM-Manual/gos-6/en/scanning.html#managing-credentials).
Wait, what? Download an EXE package of the credential? How does that work? The idea behind the feature is interesting, and we have to keep in mind that it pre-dates the wide adoption of orchestration tools like Ansible (https://www.ansible.com/) or Puppet (https://puppet.com/). Basically, when you configure a User+Password credential in OpenVAS you can download a Windows executable package that creates a local Administrator user with the credential’s username and password on the machine it runs on. In an environment with split responsibilities, the team managing the scanner can hand this package to the department responsible for the servers that need scanning, and they can deploy the credential using their tool of choice. Pretty neat, right? The problem with this solution is that at some point the package needs the plaintext password in order to create the user. The package can therefore only hide the password from people who never get to run it on hardware they control, which is exactly who it is handed to. So if an attacker (in this specific case, me) obtains the package and can run it under a debugger on a machine he controls, he will eventually be able to retrieve the password.
Again we had a plan: download the EXE packages and extract the passwords. The first thing we tried was reviewing the binary’s strings with the Linux strings command, but the password did not seem to be among them. Next I simply ran the executable to take a glance at how it worked. Following the wizard, basically clicking “Next” a couple of times, a bunch of command prompts rapidly open and close on the screen and the local administrator user is created. I could have done it the proper, fancy way and run Sysinternals’ Procmon to see what the executable was actually doing, but I was feeling lazy at the time, so I used a screen recorder (https://www.screentogif.com/) to capture what all of those command prompts were. Lucky me, the executable ran a sequence of standard Windows commands to create the user. More than that, it logged every command it ran in the wizard’s window.
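For anyone who prefers the "proper" route over a screen recorder, the following PowerShell script is an added example (not code from the original post or from the OpenVAS/Greenbone project) of capturing the command lines a package like this spawns, using Windows' own process-creation auditing instead of Procmon. It assumes you run it from an elevated PowerShell on a disposable VM you control, that the downloaded package is a plain executable you can launch by path (the `$Package` parameter is mine), and that whatever account-creation command the package runs passes the secret on the command line, which is what Security event 4688 records once command-line logging is switched on. The `net user` / `net localgroup` filter is only a guess at the "standard Windows commands" the post mentions; the script prints every captured command line if nothing matches it.

```powershell
#Requires -RunAsAdministrator
# Added example: recover secrets that a Windows installer passes to child processes
# on the command line, by enabling process-creation auditing (Security event 4688
# with the CommandLine field) before running the installer on a throwaway VM.
param(
    [Parameter(Mandatory)]
    [string] $Package   # path to the downloaded EXE package (assumed parameter)
)

# 1. Audit successful process creation and include the full command line in 4688.
#    Both settings need an elevated shell; the registry value is what makes
#    Windows 8.1/2012 R2 and later record the CommandLine field at all.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Note the start time, run the package and let the wizard finish.
#    Child processes that flash by for a fraction of a second still leave a 4688 event.
$start = Get-Date
$proc = Start-Process -FilePath $Package -PassThru
$proc.WaitForExit()

# 3. Pull every 4688 event logged since launch and extract the CommandLine data field.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } `
                       -ErrorAction SilentlyContinue
$cmdlines = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
}
$cmdlines = $cmdlines | Where-Object { $_ }   # drop events without a command line

# 4. Surface the lines that touch local accounts (net.exe / net1.exe are the usual
#    suspects; this pattern is an assumption). Fall back to the full list so nothing
#    the package did is hidden from manual review.
$hits = $cmdlines | Where-Object { $_ -match '(?i)\bnet1?(\.exe)?\s+(user|localgroup)\b' }
if ($hits) { $hits } else { $cmdlines }

# Optional cleanup on a VM you intend to keep: disable the audit setting again.
# auditpol /set /subcategory:"Process Creation" /success:disable
```

Usage: `.\Capture-PackageCmdlines.ps1 -Package .\openvas-credential.exe`, click through the wizard as the post describes, and read the command lines off the console. The same trick works against any installer or deployment package that has to hand a plaintext secret to a child process; Procmon or Sysmon event 1 would show the identical information, the event log just happens to be available on every Windows box without installing anything.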
By exploiting this feature we were able to recover the credentials’ passwords and gained access to new assets during the pentest. I had even more fun with this feature, but I will write a dedicated post about it in a few weeks.
Whether OpenVAS’s Download an EXE package for Microsoft Windows is a bug/vulnerability or a feature is still not clear to me. What do you think?