Comprehensive data protection for all workloads
Post Reply
vmNik
Novice
Posts: 6
Liked: never
Joined: Apr 10, 2015 12:14 am
Contact:

Recover ESXi password in Veeam

Post by vmNik »

Good morning.

Is it possible to view/recover via SQL a password for an ESXi host attached to VBR? A remote host password has been forgotten but has a Veeam system in place there, attached with the ESXi host in question and able to backup, restore, etc. Looking at SQL table [dbo.Credentials] in VBR8, the list of users is shown. Is there a means to get a password from SQL?

Thank you.
VCP5-DCV

nielsengelen
Veeam Software
Posts: 4900
Liked: 1031 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: Recover ESXi password in Veeam

Post by nielsengelen »

You can't recover passwords from the database.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen

Gostev
SVP, Product Management
Posts: 29880
Liked: 5813 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Recover ESXi password in Veeam

Post by Gostev » 1 person likes this post

Correct, using the product UI you certainly cannot look up stored passwords.

But the code itself obviously can do this (to be able to actually leverage those credentials), so generally speaking, it is doable. But it is a manual procedure that has to be performed on backup server using some system calls. Our support can do this for you (ask them to ask me if they've never done it before).

omfk
Expert
Posts: 108
Liked: 9 times
Joined: Nov 30, 2016 9:48 pm
Full Name: Frank Knappe
Contact:

[MERGED] Recover password for CIFS share

Post by omfk »

Hello,

is there a way to recover the password which I set for giving B&R for a copy job towards a CIFS share?

BR
Frank

PTide
Product Manager
Posts: 6177
Liked: 669 times
Joined: May 19, 2015 1:46 pm
Contact:

[MERGED] Re: Recover password for CIFS share

Post by PTide »

Hi,

Unfortunately that is not possible from the UI, however you can contact our support team and ask them to help you.

Thanks

omfk
Expert
Posts: 108
Liked: 9 times
Joined: Nov 30, 2016 9:48 pm
Full Name: Frank Knappe
Contact:

Re: [MERGED] Re: Recover password for CIFS share

Post by omfk »

Thanks for the reply. I'll give it a try on Monday.

omfk
Expert
Posts: 108
Liked: 9 times
Joined: Nov 30, 2016 9:48 pm
Full Name: Frank Knappe
Contact:

Re: [MERGED] Re: Recover password for CIFS share

Post by omfk »

PTide wrote:Hi,

Unfortunately that is not possible from the UI, however you can contact our support team and ask them to help you.

Thanks
The answer from the support team was negative:
"Unfortunatelly it's not possible to recover passwords from Veeam B&R 9.5. Passwords stored in Veeam are encrypted and it's not possible to recover them."

Correct or not?

BR
Frank

Gostev
SVP, Product Management
Posts: 29880
Liked: 5813 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Recover ESXi password in Veeam

Post by Gostev »

Not correct, but it is possible that they simply misunderstood your inquiry, and thought that you are talking about backup file password (and not ESXi host password).

omfk
Expert
Posts: 108
Liked: 9 times
Joined: Nov 30, 2016 9:48 pm
Full Name: Frank Knappe
Contact:

Re: Recover ESXi password in Veeam

Post by omfk »

I replied to their email with a picture showing the dialog in question. I'll keep you informed.

Veeam Support - Case # 02067079

BR
Frank

omfk
Expert
Posts: 108
Liked: 9 times
Joined: Nov 30, 2016 9:48 pm
Full Name: Frank Knappe
Contact:

Re: Recover ESXi password in Veeam

Post by omfk » 1 person likes this post

Update:
I had a remote session with Veeam support and using a power shell script it was possible to display the password(s) in question.

Thx again
Frank

peter84
Service Provider
Posts: 2
Liked: never
Joined: Dec 28, 2015 3:27 pm
Full Name: Peter Doesberg
Location: Netherlands

[MERGED] Get ESX password out off veeam

Post by peter84 »

Hello,

The backup on our ESX host is running fine at this moment. But my colleague forgot to save our esx password in our database.
So is it possible to get the password out of veeam?

DGrinev
Expert
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Get ESX password out off veeam

Post by DGrinev »

Hi Peter and welcome to the community!

You cannot do that yourself using Veeam Backup & Replication UI, however, if you open a support case our team should be able to assist you with this task. Thanks!

signal
Enthusiast
Posts: 65
Liked: 4 times
Joined: Oct 06, 2016 1:19 pm
Contact:

Re: Recover ESXi password in Veeam

Post by signal »

From a security perspective, how are the passwords stored?
Are they encrypted?
I see them in the database, they are not in cleartext, but different passwords share some similar characteristics, so it can't be any form of strong encryption as that would and should produce dissimilar strings.

Gostev
SVP, Product Management
Posts: 29880
Liked: 5813 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Recover ESXi password in Veeam

Post by Gostev »

We do use strong encryption of Microsoft CryptoAPI to encrypt passwords using machine-specific encryption key, which is an industry-standard approach. It basically guarantees that the decryption can only be performed on the specific machine, so there's no need to worry if someone steals the configuration database, or takes a picture of those values, etc. Thanks!

signal
Enthusiast
Posts: 65
Liked: 4 times
Joined: Oct 06, 2016 1:19 pm
Contact:

Re: Recover ESXi password in Veeam

Post by signal »

Which CSP is used?
Which algorithm and key length is used?

Gostev
SVP, Product Management
Posts: 29880
Liked: 5813 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Recover ESXi password in Veeam

Post by Gostev » 2 people like this post

As a matter of fact, we operate "on a higher level" by simply using ProtectedData.Protect method of CryptoAPI to encrypt those credentials, so we don't have to deal with CSP, algorithm and key length. Not sure what Microsoft uses under the hood for those, but if it was not strong encryption - then CryptoAPI would not be FIPS-certified :D

bolnetworks
Influencer
Posts: 13
Liked: never
Joined: Aug 03, 2010 11:39 am
Full Name: Bol Networks
Contact:

Re: Recover ESXi password in Veeam

Post by bolnetworks »

We have the same issue. Can you recover the password for us also? I've contacted support and they told me to write a reply in this topic.

veremin
Product Manager
Posts: 19438
Liked: 2023 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Recover ESXi password in Veeam

Post by veremin »

It's support team that performs password recovery, not the team behind these forums. You might refer to the previously reported ticket 02067079 or escalate the ticket to the higher tier. Thanks.

mcz
Veeam Legend
Posts: 622
Liked: 112 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Contact:

Re: Recover ESXi password in Veeam

Post by mcz »

Gostev wrote:As a matter of fact, we operate "on a higher level" by simply using ProtectedData.Protect method of CryptoAPI to encrypt those credentials
+1 for sharing used API's with us

vveeaamm
Lurker
Posts: 1
Liked: 2 times
Joined: Mar 22, 2019 10:04 am
Full Name: ESX

Re: Recover ESXi password in Veeam

Post by vveeaamm » 2 people like this post

Here is a quick .NET code to recover the pass:

Code: Select all

using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

namespace Main 
{
internal static class Program
	{
	private static void Main(string[] args)
		{
			string encrypted = "<pass_from_dbo.Credentials>";
			if (string.IsNullOrEmpty(encrypted))
			{
				return;
			}
			byte[] encryptedData = Convert.FromBase64String(encrypted);
			Console.WriteLine(Encoding.UTF8.GetString(ProtectedData.Unprotect(encryptedData, null, DataProtectionScope.LocalMachine)));
		}
}
}

ialvarez
Lurker
Posts: 1
Liked: 5 times
Joined: May 30, 2019 9:41 pm
Full Name: Isaac Alvarez
Contact:

Re: Recover ESXi password in Veeam

Post by ialvarez » 5 people like this post

Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)

vcocaud
Service Provider
Posts: 2
Liked: never
Joined: Sep 03, 2013 4:50 pm
Full Name: Valentin COCAUD
Contact:

Re: Recover ESXi password in Veeam

Post by vcocaud »

I tried to use ialvarez method but getting this error (english translation = "invalid data") :

Code: Select all

[i]PS C:\Users\Administrateur> [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
Exception lors de l'appel de « GetLocalString » avec « 1 » argument(s) : « Données non valides.
 »
Au caractère Ligne:1 : 1
+ [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
[/i]
I'm trying to recover a backup encryption password, is it possible with this method or another one ?

mcz
Veeam Legend
Posts: 622
Liked: 112 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Contact:

Re: Recover ESXi password in Veeam

Post by mcz »

can you share a screenshot with us?

Moebius
Veeam ProPartner
Posts: 186
Liked: 25 times
Joined: Jun 09, 2009 2:48 pm
Full Name: Lucio Mazzi
Location: Reggio Emilia, Italy
Contact:

Re: Recover ESXi password in Veeam

Post by Moebius »

ialvarez wrote: May 30, 2019 9:45 pm Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
This has been working great for me! Also working in v10. Thank you!

daesiku
Novice
Posts: 6
Liked: 1 time
Joined: Nov 20, 2019 4:29 am
Contact:

Re: Recover ESXi password in Veeam

Post by daesiku » 1 person likes this post

This worked perfectly for my needs. It also serves to emphasize how important it is to secure your backup infrastructure.

xavierpitz
Lurker
Posts: 2
Liked: never
Joined: Sep 30, 2021 3:24 pm
Full Name: Xavier Pitz
Contact:

Re: Recover ESXi password in Veeam

Post by xavierpitz »

ialvarez wrote: May 30, 2019 9:45 pm Connect to sql management studio and to the db for veeam

Run this query.

SELECT TOP (1000) [id]
,[user_name]
,[password]
,[usn]
,[description]
,[visible]
,[change_time_utc]
FROM [VeeamBackup].[dbo].[Credentials]

Get the password hash from the results (match the description to the one you need) then run this in powershell on the server running the db/veeam service the BR server with the hash you grabbed.

Add-Type -Path "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Common.dll"
$encoded = 'hashed string from above'
[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
Thank you very much for this trick.
I was able to retrieve/resurect a private SSH key from table dbo.Ssh_creds with the same method and decrypting private_key/passphrase strings

SELECT TOP (1000) [id]
,[elevatetoroot]
,[rootpassword]
,[private_key]
,[passphrase]
FROM [Veeam].[dbo].[Ssh_creds]

tiiash
Lurker
Posts: 2
Liked: 1 time
Joined: Feb 04, 2021 5:25 pm
Contact:

Re: Recover ESXi password in Veeam

Post by tiiash »

vcocaud wrote: Jun 12, 2019 3:06 pm I tried to use ialvarez method but getting this error (english translation = "invalid data") :

Code: Select all

[i]PS C:\Users\Administrateur> [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
Exception lors de l'appel de « GetLocalString » avec « 1 » argument(s) : « Données non valides.
 »
Au caractère Ligne:1 : 1
+ [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($encoded)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException
[/i]
I'm trying to recover a backup encryption password, is it possible with this method or another one ?
For what it's worth, I experienced the same error message today. As a penetration tester, I am probably not the main audience of this forum ( :wink: ) but I figured this might be relevant for backup administrators as well. I understand that the decryption needs to be run on the same system that stores the encrypted passwords due to the data being tied to the local machine key. However, it seems that there can be situations in which the described process does not work as expected.

Since the Veeam backups are running happily everyday, there must be some way to decrypt the data successfully.

Gostev
SVP, Product Management
Posts: 29880
Liked: 5813 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Recover ESXi password in Veeam

Post by Gostev »

Please note that this thread is about recovering credentials specifically. No one ever said the same approach can be used for other encrypted entities, such as backup encryption passwords the person you're quoting is trying to recover.

Other than that, you are definitely an integral part of the main audience. Remember these are Veeam R&D forums and so we're particularly interested in opinions and findings of highly specialized professionals like yourself. Definitely way more than in "something broke in my environment yesterday and backups are no longer working, help!" type of posters ;)

tiiash
Lurker
Posts: 2
Liked: 1 time
Joined: Feb 04, 2021 5:25 pm
Contact:

Re: Recover ESXi password in Veeam

Post by tiiash » 1 person likes this post

Thanks Gostev, I just found your reply and now activated email notifications for this topic ;).
You are right that the user vcocaud, who I quoted, tried to decrypt backup encryption passwords. For me, the same error message occurred when trying to decrypt credentials which I retrieved from a Veeam backup server instance.
The approach described in this topic has already helped me multiple times in escalating privileges in a client environment and ultimately, in showing them why it is dangerous to connect your backup infrastructure to your production domain. If this happens, I always link them to your great best practice guide: https://bp.veeam.com/vbr/Security/Security_domains.html

Post Reply

Who is online

Users browsing this forum: Dream_On and 46 guests