Recover ESXi password in Veeam

[vmNik]

Good morning.

Is it possible to view/recover via SQL a password for an ESXi host attached to VBR? A remote host password has been forgotten but has a Veeam system in place there, attached with the ESXi host in question and able to backup, restore, etc. Looking at SQL table [dbo.Credentials] in VBR8, the list of users is shown. Is there a means to get a password from SQL?

Thank you.

[nielsengelen]

You can't recover passwords from the database.

[Gostev]

Correct, using the product UI you certainly cannot look up stored passwords.

But the code itself obviously can do this (to be able to actually leverage those credentials), so generally speaking, it is doable. But it is a manual procedure that has to be performed on backup server using some system calls. Our support can do this for you (ask them to ask me if they've never done it before).

[omfk]

Hello,

is there a way to recover the password which I set for giving B&R for a copy job towards a CIFS share?

BR
Frank

[PTide]

Hi,

Unfortunately that is not possible from the UI, however you can contact our support team and ask them to help you.

Thanks

[omfk]

Thanks for the reply. I'll give it a try on Monday.

[omfk]

Hi,

Unfortunately that is not possible from the UI, however you can contact our support team and ask them to help you.

Thanks

The answer from the support team was negative:
"Unfortunatelly it's not possible to recover passwords from Veeam B&R 9.5. Passwords stored in Veeam are encrypted and it's not possible to recover them."

Correct or not?

BR
Frank

[Gostev]

Not correct, but it is possible that they simply misunderstood your inquiry, and thought that you are talking about backup file password (and not ESXi host password).

[omfk]

I replied to their email with a picture showing the dialog in question. I'll keep you informed.

Veeam Support - Case # 02067079

BR
Frank

[omfk]

Update:
I had a remote session with Veeam support and using a power shell script it was possible to display the password(s) in question.

Thx again
Frank

[peter84]

Hello,

The backup on our ESX host is running fine at this moment. But my colleague forgot to save our esx password in our database.
So is it possible to get the password out of veeam?

[DGrinev]

Hi Peter and welcome to the community!

You cannot do that yourself using Veeam Backup & Replication UI, however, if you open a support case our team should be able to assist you with this task. Thanks!

[signal]

From a security perspective, how are the passwords stored?
Are they encrypted?
I see them in the database, they are not in cleartext, but different passwords share some similar characteristics, so it can't be any form of strong encryption as that would and should produce dissimilar strings.

[Gostev]

We do use strong encryption of Microsoft CryptoAPI to encrypt passwords using machine-specific encryption key, which is an industry-standard approach. It basically guarantees that the decryption can only be performed on the specific machine, so there's no need to worry if someone steals the configuration database, or takes a picture of those values, etc. Thanks!

[signal]

Which CSP is used?
Which algorithm and key length is used?

[Gostev]

As a matter of fact, we operate "on a higher level" by simply using ProtectedData.Protect method of CryptoAPI to encrypt those credentials, so we don't have to deal with CSP, algorithm and key length. Not sure what Microsoft uses under the hood for those, but if it was not strong encryption - then CryptoAPI would not be FIPS-certified

[bolnetworks]

We have the same issue. Can you recover the password for us also? I've contacted support and they told me to write a reply in this topic.

[veremin]

It's support team that performs password recovery, not the team behind these forums. You might refer to the previously reported ticket 02067079 or escalate the ticket to the higher tier. Thanks.

[mcz]

As a matter of fact, we operate "on a higher level" by simply using ProtectedData.Protect method of CryptoAPI to encrypt those credentials

+1 for sharing used API's with us

[vveeaamm]

Here is a quick .NET code to recover the pass:

Code: Select all

using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

namespace Main 
{
internal static class Program
	{
	private static void Main(string[] args)
		{
			string encrypted = "<pass_from_dbo.Credentials>";
			if (string.IsNullOrEmpty(encrypted))
			{
				return;
			}
			byte[] encryptedData = Convert.FromBase64String(encrypted);
			Console.WriteLine(Encoding.UTF8.GetString(ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.LocalMachine)));
		}
}
}

[ialvarez]

Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

[vcocaud]

I tried to use ialvarez method but getting this error (english translation = "invalid data") :

Code: Select all

[i]PS C:\Users\Administrateur> [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
Exception lors de l'appel de « GetLocalString » avec « 1 » argument(s) : « Données non valides.
 »
Au caractère Ligne:1 : 1
+ [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
[/i]

I'm trying to recover a backup encryption password, is it possible with this method or another one ?

[mcz]

can you share a screenshot with us?

[Moebius]

Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

This has been working great for me! Also working in v10. Thank you!

[daesiku]

This worked perfectly for my needs. It also serves to emphasize how important it is to secure your backup infrastructure.

[xavierpitz]

Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

Thank you very much for this trick.
I was able to retrieve/resurect a private SSH key from table dbo.Ssh_creds with the same method and decrypting private_key/passphrase strings

SELECT TOP (1000) [id]
,[elevatetoroot]
,[rootpassword]
,[private_key]
,[passphrase]
FROM [Veeam].[dbo].[Ssh_creds]

[tiiash]

I tried to use ialvarez method but getting this error (english translation = "invalid data") :

Code: Select all

[i]PS C:\Users\Administrateur> [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
Exception lors de l'appel de « GetLocalString » avec « 1 » argument(s) : « Données non valides.
 »
Au caractère Ligne:1 : 1
+ [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
[/i]

I'm trying to recover a backup encryption password, is it possible with this method or another one ?

For what it's worth, I experienced the same error message today. As a penetration tester, I am probably not the main audience of this forum ( ) but I figured this might be relevant for backup administrators as well. I understand that the decryption needs to be run on the same system that stores the encrypted passwords due to the data being tied to the local machine key. However, it seems that there can be situations in which the described process does not work as expected.

Since the Veeam backups are running happily everyday, there must be some way to decrypt the data successfully.

[Gostev]

Please note that this thread is about recovering credentials specifically. No one ever said the same approach can be used for other encrypted entities, such as backup encryption passwords the person you're quoting is trying to recover.

Other than that, you are definitely an integral part of the main audience. Remember these are Veeam R&D forums and so we're particularly interested in opinions and findings of highly specialized professionals like yourself. Definitely way more than in "something broke in my environment yesterday and backups are no longer working, help!" type of posters

[tiiash]

Thanks Gostev, I just found your reply and now activated email notifications for this topic .
You are right that the user vcocaud, who I quoted, tried to decrypt backup encryption passwords. For me, the same error message occurred when trying to decrypt credentials which I retrieved from a Veeam backup server instance.
The approach described in this topic has already helped me multiple times in escalating privileges in a client environment and ultimately, in showing them why it is dangerous to connect your backup infrastructure to your production domain. If this happens, I always link them to your great best practice guide: https://bp.veeam.com/vbr/Security/Security_domains.html