Skip to content

Tools for offensive security of NetBackup infrastructures

License

Notifications You must be signed in to change notification settings

airbus-seclab/nbutools

Repository files navigation

nbutools

nbutools is a Python toolbox that aims to assist security audits and analysis of NetBackup infrastructures. It provides tools to map out the exposed attack surface, to collect deployment information (e.g. configuration values, accessible services, etc.) and more. It also includes a set of utilities to help study NetBackup services relying on custom protocols and "beginner's guides" to using native NetBackup tools relevant for offensive activities.

Though most tools do not require any form of authentication (simple network access to the targets), others require specific privileges or access to components of the NetBackup infrastructure.

Note: this toolbox has been designed, used and tested against the following NetBackup versions: 8.2, 8.3 and 9.0. The toolbox may not work properly on other versions. Moreover, it is not designed to include any form of exploit.

Installation

Packages required

nbutools relies on Python 3.11 and the modules listed in requirements.txt.

Basic installation

nbutools can be installed with the following commands (assuming a Debian derivative):

$ sudo apt update
$ sudo apt install python3 python3-pip graphviz
$ pip3 install .

In particular, it will install the following new commands: nbuscan.py, nbumap.py and nbudbdump.py.

Development

A development environment can be setup using pip:

$ pip3 install --editable .

Usage

Reconnaissance (PreAuthentication)

nbumap: infrastructure map builder

nbumap.py is a Python script designed to collect information about NetBackup hosts, including the software version, the type of NetBackup component (client, primary, media, opscenter) and the associated primary server when relevant. It then tries to reconstruct a map of the infrastructure with the links between these hosts.

Context of usage:

  • Can be used after a network scan resulting in a list of IP responding on port 1556.
  • No authentication needed.
$ nbumap.py -h
usage: nbumap.py [-h] [-i INPUT] [-v] [-q] [-o OUTPUT] [--plot PLOT] [targets ...]

NetBackup infrastructure scanner

positional arguments:
  targets               Target hosts

options:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        Input file containing the list of hosts to scan
  -v, --verbose         Run in verbose mode
  -q, --quiet           Disable output on stdout
  -o OUTPUT, --output OUTPUT
                        CSV File output
  --plot PLOT           Infrastructure map file output path

For example, this command builds a png image representing the hosts listed in listening_1556_IPlist.txt:

$ cat listening_1556_IPlist.txt 
172.16.142.49
172.16.142.50
172.16.142.51
172.16.142.52
172.16.142.53
172.16.142.60

$ nbumap.py -i listening_1556_IPlist.txt --plot carto.png
+---------------+----------------+-----------+--------------+---------------+
| Machines      | Type           | Version   | Master       | Vnetd State   |
+===============+================+===========+==============+===============+
| 172.16.142.49 | OpsCenter      | 820000    | -            | -             |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.50 | Primary Server | 820000    | nb-primary-a | up            |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.51 | Media Server   | 820000    | nb-primary-a | up            |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.52 | Client         | 820000    | nb-primary-a | up            |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.53 | Client         | 820000    | nb-primary-a | up            |
+---------------+----------------+-----------+--------------+---------------+
| 172.16.142.60 | Primary Server | 820000    | nb-primary-b | up            |
+---------------+----------------+-----------+--------------+---------------+
| nb-primary-a  | Unknown        | Unknown   | Unknown      | DNS           |
+---------------+----------------+-----------+--------------+---------------+
| nb-primary-b  | Unknown        | Unknown   | Unknown      | DNS           |
+---------------+----------------+-----------+--------------+---------------+

.

nbuscan: Information collector

nbuscan performs an unauthenticated remote scan of the given list of NetBackup hosts to determine their version, role and, if relevant, their associated primary server. It is more exhaustive than nbumap and thus serves a complimentary role.

Usage:

$ nbuscan.py -h
usage: nbuscan.py [-h] [-j JOBS] [-v] [-q] [-l {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-t TIMEOUT] [-f {plain,json}] [-i INPUT] [-o OUTPUT] [targets ...]

NetBackup scanner tool

positional arguments:
  targets               Target hosts

options:
  -h, --help            show this help message and exit
  -j JOBS, --jobs JOBS  Maximum number of concurrent jobs
  -v, --verbose         Run in verbose mode
  -q, --quiet           Run in quiet mode
  -l {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Define the log level
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout for TCP connections
  -f {plain,json}, --format {plain,json}
                        Output format
  -i INPUT, --input INPUT
                        Input file containing the list of hosts to scan
  -o OUTPUT, --output OUTPUT
                        Output file

For example, this command scans information on the 172.16.142.50 host and prints the output in json format:

$ nbuscan.py -f json 172.16.142.50

Post-exploitation on primary servers (PostAuthentication, root privileges)

Primary servers are key components of the NetBackup infrastructure, on which root access grants significant post-exploitation capabilities for an attacker. The following section aims at showcasing how such an access can be leveraged to perform several tasks, including retrieving files from backups and dumping parts of a NetBackup database.

Relevant resources

Plenty of administrative tools are provided with the NetBackup product, and some of them can be of interest from a security point of view. Some notes about interesting commands to know were gathered here.

nbudbdump: Sybase database hash dumper

nbudbdump dumps user hashes from a Linux NetBackup Primary Server database using local access (or remotely if the database is configured to allow remote authenticated access), assuming having access to the following files:

  • /usr/openv/var/global/.yekcnedwssap
  • /usr/openv/db/data/vxdbms.conf
  • jconn4-16.0.jar
$ nbudbdump.py -h
usage: nbudbdump.py [-h] -k YEKCNEDWSSAP_FILE_PATH -p VXDBMSCONF_FILE_PATH -j JCONN4_FILE_PATH --host HOST [--port PORT] [-v]

Purpose: Retrieve DBA pwd of NBDB.db and get User Infos

options:
  -h, --help            show this help message and exit
  -k YEKCNEDWSSAP_FILE_PATH, --yekcnedwssap_file_path YEKCNEDWSSAP_FILE_PATH
                        .yekcnedwssap file path (example: /usr/openv/var/global/.yekcnedwssap)
  -p VXDBMSCONF_FILE_PATH, --vxdbmsconf_file_path VXDBMSCONF_FILE_PATH
                        vxdbms.conf file path (example: /usr/openv/db/data/vxdbms.conf)
  -j JCONN4_FILE_PATH, --jconn4_file_path JCONN4_FILE_PATH
                        jconn4 jar file path (example: /usr/openv/netbackup/web/jconn4-16.0.jar)
  --host HOST, -H HOST  IP address of the host where the NBDB Sybase Server is running
  --port PORT           Port where the NBDB Sybase Server is running (default: 13785)
  -v, --verbose         Run in verbose mode

For example, the following command dumps the hashes of a NBDB.db Sybase database from a remote server using port forwarding:

# Download required files
$ scp -OT root@172.16.142.50:"/usr/openv/var/global/.yekcnedwssap /usr/openv/db/data/vxdbms.conf /usr/openv/netbackup/web/jconn4-16.0.jar" .
# Use port-forwarding to grant access to database port
$ ssh -N -L 127.0.0.1:13785:127.0.0.1:13785 root@172.16.142.50
# Dump hashes
$ nbudbdump.py -k .yekcnedwssap -p vxdbms.conf -h jconn4-16.0.jar -H 127.0.0.1

To go further

Some other NetBackup protocols were analyzed by AirbusSeclab. The network-analysis folder contains custom pynet plugins and definitions for custom Scapy packets based on our understanding of their formats.

License

nbutools is released under GPLv2.

Associated publications

About

Tools for offensive security of NetBackup infrastructures

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages