nbutools is a Python toolbox that aims to assist security audits and analysis
of NetBackup infrastructures. It
provides tools to map out the exposed attack surface, to collect deployment
information (e.g. configuration values, accessible services, etc.) and more. It
also includes a set of utilities to help study NetBackup services relying on
custom protocols and "beginner's guides" to using native NetBackup tools
relevant for offensive activities.
Though most tools do not require any form of authentication (simple network access to the targets), others require specific privileges or access to components of the NetBackup infrastructure.
Note: this toolbox has been designed, used and tested against the following
NetBackup versions: 8.2, 8.3 and 9.0. The toolbox may not work properly on
other versions. Moreover, it is not designed to include any form of exploit.
nbutools relies on Python 3.11 and the modules listed in requirements.txt.
nbutools can be installed with the following commands (assuming a Debian derivative):
$ sudo apt update
$ sudo apt install python3 python3-pip graphviz
$ pip3 install .
In particular, it will install the following new commands: nbuscan.py, nbumap.py and nbudbdump.py.
A development environment can be set up using pip:
$ pip3 install --editable .
nbumap.py is a Python script designed to collect information about NetBackup
hosts, including the software version, the type of NetBackup component (client,
primary, media, opscenter) and the associated primary server when relevant. It
then tries to reconstruct a map of the infrastructure with the links between
these hosts.
Context of usage:
- Can be used after a network scan resulting in a list of IPs responding on port 1556.
- No authentication needed.
$ nbumap.py -h
usage: nbumap.py [-h] [-i INPUT] [-v] [-q] [-o OUTPUT] [--plot PLOT] [targets ...]
NetBackup infrastructure scanner
positional arguments:
targets Target hosts
options:
-h, --help show this help message and exit
-i INPUT, --input INPUT
Input file containing the list of hosts to scan
-v, --verbose Run in verbose mode
-q, --quiet Disable output on stdout
-o OUTPUT, --output OUTPUT
CSV File output
--plot PLOT Infrastructure map file output path
For example, this command builds a PNG image representing the hosts listed in listening_1556_IPlist.txt:
$ cat listening_1556_IPlist.txt
172.16.142.49
172.16.142.50
172.16.142.51
172.16.142.52
172.16.142.53
172.16.142.60
$ nbumap.py -i listening_1556_IPlist.txt --plot carto.png
+---------------+----------------+-----------+--------------+---------------+
| Machines | Type | Version | Master | Vnetd State |
+===============+================+===========+==============+===============+
| 172.16.142.49 | OpsCenter | 820000 | - | - |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.50 | Primary Server | 820000 | nb-primary-a | up |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.51 | Media Server | 820000 | nb-primary-a | up |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.52 | Client | 820000 | nb-primary-a | up |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.53 | Client | 820000 | nb-primary-a | up |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.60 | Primary Server | 820000 | nb-primary-b | up |
+---------------+----------------+-----------+--------------+---------------+
| nb-primary-a | Unknown | Unknown | Unknown | DNS |
+---------------+----------------+-----------+--------------+---------------+
| nb-primary-b | Unknown | Unknown | Unknown | DNS |
+---------------+----------------+-----------+--------------+---------------+
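Added example (not part of nbutools): when reconciling a scan with an asset inventory, the table printed by nbumap.py can be parsed and the scanned hosts grouped by the primary server they report. It assumes the column names shown above and that a Vnetd State of DNS marks a name that was referenced but not scanned; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: a subset of the rows from the table shown above.
SAMPLE = """\
+---------------+----------------+---------+--------------+-------------+
| Machines      | Type           | Version | Master       | Vnetd State |
+===============+================+=========+==============+=============+
| 172.16.142.49 | OpsCenter      | 820000  | -            | -           |
+---------------+----------------+---------+--------------+-------------+
| 172.16.142.50 | Primary Server | 820000  | nb-primary-a | up          |
+---------------+----------------+---------+--------------+-------------+
| 172.16.142.52 | Client         | 820000  | nb-primary-a | up          |
+---------------+----------------+---------+--------------+-------------+
| 172.16.142.60 | Primary Server | 820000  | nb-primary-b | up          |
+---------------+----------------+---------+--------------+-------------+
| nb-primary-a  | Unknown        | Unknown | Unknown      | DNS         |
+---------------+----------------+---------+--------------+-------------+
"""


def parse_grid_table(text):
    """Return the table rows as dicts keyed by the header cells."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip +---+ and +===+ borders
    ]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def group_by_primary(records):
    """Group scanned hosts by reported primary; list name-only entries apart."""
    groups, name_only = defaultdict(list), []
    for rec in records:
        if rec["Vnetd State"] == "DNS":  # assumption: referenced, not scanned
            name_only.append(rec["Machines"])
        elif rec["Master"] not in ("-", "Unknown", ""):
            groups[rec["Master"]].append((rec["Machines"], rec["Type"]))
    return dict(groups), name_only


if __name__ == "__main__":
    groups, name_only = group_by_primary(parse_grid_table(SAMPLE))
    for primary, hosts in groups.items():
        print(primary, hosts)
    print("referenced by name only:", name_only)
```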
nbuscan performs an unauthenticated remote scan of the given list of NetBackup
hosts to determine their version, role and, if relevant, their associated
primary server. It is more exhaustive than nbumap and thus serves a
complementary role.
Usage:
$ nbuscan.py -h
usage: nbuscan.py [-h] [-j JOBS] [-v] [-q] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-t TIMEOUT] [-f {plain,json}] [-i INPUT] [-o OUTPUT] [targets ...]
NetBackup scanner tool
positional arguments:
targets Target hosts
options:
-h, --help show this help message and exit
-j JOBS, --jobs JOBS Maximum number of concurrent jobs
-v, --verbose Run in verbose mode
-q, --quiet Run in quiet mode
-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
Define the log level
-t TIMEOUT, --timeout TIMEOUT
Timeout for TCP connections
-f {plain,json}, --format {plain,json}
Output format
-i INPUT, --input INPUT
Input file containing the list of hosts to scan
-o OUTPUT, --output OUTPUT
Output file
For example, this command scans the 172.16.142.50 host and
prints the output in JSON format:
$ nbuscan.py -f json 172.16.142.50
Primary servers are key components of the NetBackup infrastructure, on which
root access grants significant post-exploitation capabilities for an attacker.
The following section aims at showcasing how such an access can be leveraged to
perform several tasks, including retrieving files from backups and dumping parts
of a NetBackup database.
Plenty of administrative tools are provided with the NetBackup product, and some of them can be of interest from a security point of view. Some notes about interesting commands to know were gathered here.
nbudbdump dumps user hashes from a Linux NetBackup Primary Server database
using local access (or remotely if the database is configured to allow remote
authenticated access), provided the following files are accessible:
/usr/openv/var/global/.yekcnedwssap
/usr/openv/db/data/vxdbms.conf
jconn4-16.0.jar
$ nbudbdump.py -h
usage: nbudbdump.py [-h] -k YEKCNEDWSSAP_FILE_PATH -p VXDBMSCONF_FILE_PATH -j JCONN4_FILE_PATH --host HOST [--port PORT] [-v]
Purpose: Retrieve DBA pwd of NBDB.db and get User Infos
options:
-h, --help show this help message and exit
-k YEKCNEDWSSAP_FILE_PATH, --yekcnedwssap_file_path YEKCNEDWSSAP_FILE_PATH
.yekcnedwssap file path (example: /usr/openv/var/global/.yekcnedwssap)
-p VXDBMSCONF_FILE_PATH, --vxdbmsconf_file_path VXDBMSCONF_FILE_PATH
vxdbms.conf file path (example: /usr/openv/db/data/vxdbms.conf)
-j JCONN4_FILE_PATH, --jconn4_file_path JCONN4_FILE_PATH
jconn4 jar file path (example: /usr/openv/netbackup/web/jconn4-16.0.jar)
--host HOST, -H HOST IP address of the host where the NBDB Sybase Server is running
--port PORT Port where the NBDB Sybase Server is running (default: 13785)
-v, --verbose Run in verbose mode
For example, the following command dumps the hashes of a NBDB.db Sybase
database from a remote server using port forwarding:
# Download required files
$ scp -OT root@172.16.142.50:"/usr/openv/var/global/.yekcnedwssap /usr/openv/db/data/vxdbms.conf /usr/openv/netbackup/web/jconn4-16.0.jar" .
# Use port-forwarding to grant access to database port
$ ssh -N -L 127.0.0.1:13785:127.0.0.1:13785 root@172.16.142.50
# Dump hashes
$ nbudbdump.py -k .yekcnedwssap -p vxdbms.conf -j jconn4-16.0.jar -H 127.0.0.1
Some other NetBackup protocols were analyzed by AirbusSeclab. The network-analysis folder contains custom pynet plugins and definitions for custom Scapy packets based on our understanding of their formats.
nbutools is released under GPLv2.