Extracting Credential from Veeam Backup

Khalid Almuraykhi
05/07/2022


Introduction
This article summarizes Veeam Backup & Replication and shows how passwords and hashes can be extracted from its database or from the machines it backs up, and what defenders should do about it.


What is Veeam Backup & Replication?
Veeam Backup & Replication is a backup application developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.


Database Passwords Extraction
Veeam requires a username and password for every machine you want to back up. The account provided must have high privileges on that machine, so if you are backing up domain devices you will usually enter administrator credentials. Veeam stores these credentials in MS-SQL, and you can easily extract them if you have administrator privileges on the Veeam server. You can do this step manually or run the veeam-creds script to obtain the passwords.
Important note: the server used for backups should not be joined to the domain, so that when attackers compromise the domain they cannot destroy your backups.
The module is also available in Empire C2:
You can also extract the vSphere credentials with veampot.py.


Backup Machines Hashes Extraction
What if you have access to a backup image for a machine, or access to the backup server itself and find images for multiple machines? What can you do with them?

There are many ways to come across such images: you may find a backup image on an SMB share, gain access to an ordinary workstation and find an old backup stored on it, or gain access to the backup server itself.

If you have an entire disk backup, you can extract the hashes from the SAM file, or from NTDS.dit if the machine is a domain controller, and you are not limited to these two files. You can enumerate the whole disk and look for any useful data or cleartext passwords.
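The risk described above starts with backup images sitting where they should not be (an SMB share, an old copy on a workstation). The following script is an added example written for this article, not code from Veeam or from the author; it walks a directory tree, picks out Veeam backup artifacts and extracted disk images by extension, and flags any that sit outside an approved repository directory or are older than a retention threshold. The approved directory names, the 90-day threshold, and the sample file tree it builds under a temporary directory are all constructed for the demo.

```python
import os
import tempfile
import time
from pathlib import Path

# Veeam backup artifact extensions (full, incremental, reverse-incremental,
# metadata) plus the raw disk formats an extracted backup can take.
BACKUP_EXTENSIONS = {".vbk", ".vib", ".vrb", ".vbm", ".vmdk", ".vhd", ".vhdx"}


def find_backup_artifacts(root, approved_dirs, max_age_days=90, now=None):
    """Walk `root` and return (path, reason) findings for backup files that
    sit outside an approved repository directory or exceed `max_age_days`.
    A file can produce two findings if both conditions hold."""
    now = time.time() if now is None else now
    root = Path(root).resolve()
    approved = [Path(d).resolve() for d in approved_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name).resolve()
            if p.suffix.lower() not in BACKUP_EXTENSIONS:
                continue  # not a backup image, ignore
            in_repo = any(a == p.parent or a in p.parents for a in approved)
            if not in_repo:
                findings.append((str(p), "backup image outside approved repository"))
            age_days = (now - p.stat().st_mtime) / 86400
            if age_days > max_age_days:
                findings.append((str(p), f"stale backup ({age_days:.0f} days old)"))
    return sorted(findings)


def _touch(path, age_days=0):
    """Create an empty file and back-date its mtime (constructed sample data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"")
    ts = time.time() - age_days * 86400
    os.utime(path, (ts, ts))


def run_demo():
    """Build a constructed file tree and audit it; returns the findings list."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        repo = base / "repo"                                   # the approved repository
        _touch(repo / "dc01.vbk", age_days=1)                  # fresh, in repo: fine
        _touch(base / "shares/public/old-fileserver.vhdx", 200) # stale and exposed
        _touch(base / "users/bob/Desktop/ws07.vbk", age_days=3) # fresh but exposed
        _touch(base / "shares/public/readme.txt", age_days=400) # not a backup file
        return find_backup_artifacts(base, [repo])


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason}: {path}")
```

Point it at the root of a file share or a workstation's user profiles and feed it the directories your backup repositories are actually allowed to live in; everything it reports is either a copy that escaped the repository or a stale image that should have been purged.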

When you have a valid backup image, Veeam provides a restore mechanism through "VBK Extract" or by importing the image into "Veeam Backup & Replication". You can extract the backup to several disk formats, such as VMDK, VHD, or VHDX.



We have this backup image and want to extract the credentials from it:
We can extract the image in either of the ways below.

One way is by using VBK Extract:
Another way is by using Import in Veeam Backup & Replication:
After that, we will have the disk. Mount the disk on your computer or a virtual machine:
Then you can see the disk contents:
We can also access the System32\config folder, which means we can extract the hashes from the SAM file:
Using Mimikatz, we can extract the hashes from the backup image:
What if you find a backup of a domain controller? Then you can also dump NTDS. As in the previous steps, you mount the disk on your computer and access the image's folders and files.

Here we can see the NTDS folder, so we can dump the domain hashes:
We use NTDSDumpEx to extract the domain hashes (other tools work as well):
Mitigation
Ensure your backup servers are secured and are not joined to the domain. Additionally, ensure the right security controls are in place to protect the backups and store them in a secure location. Regular audits and penetration tests also help confirm that those backups are well protected.

Conclusion
This article covered how attackers can extract sensitive information and user credentials from backups that are not properly secured, and the best practices that should be followed to avoid those risks.

