• Stars: 342
• Rank: 123,263 (Top 3 %)
• Language: C#
• License: BSD 3-Clause "New...
• Created almost 4 years ago
• Updated over 1 year ago


Repository Details

SolarWinds Orion Account Audit / Password Dumping Utility

solarflare


Credential Dumping Tool for SolarWinds Orion

Blog post: https://malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/

Credit to @asolino, @gentilkiwi, and @skelsec for helping me figure out DPAPI.

============================================
| Collecting RabbitMQ Erlang Cookie
|       Erlang Cookie: abcdefg12456789abcde
============================================
| Collecting SolarWinds Certificate
|       SolarWinds Orion Certificate Found!
|       Subject Name: CN=SolarWinds-Orion
|       Thumbprint  : BE85C6C3AACA8840E166187B6AB8C6BA9DA8DE80
|       Password    : alcvabkajp4
|       Private Key : MIIKHwIBAzCCCd8GCSqGSIb3DQEHAaCCCdAEggn<snip>
============================================
| Collecting Default.DAT file
|       Encrypted: 01000000D08C9DDF0115D<snip>
|       Decrypted: 5D3CE5B08C9201E636BCF<snip>
============================================
| Collecting Database Credentials          |
|       Path to SWNetPerfMon.DB is: C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB
|       Connection String: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;Password=SUPERSECRETPASSWORDHERE
|       Number of database credentials found: 1
============================================
| Connecting to the Database              |
|       Successfully connected to: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;MultipleActiveResultSets=true
============================================
| DB - Exporting Key Table                 |
|       KeyID: 1
|       Encrypted Key: LmjknGhSXTC<snip>
|       Kind: Aes256
|       Purpose: master
|       Protection Type: 1
|       Protection Value: BE85C6C3AACA8<snip>
|       Protection Details: {}
------------------------------------------------
|       KeyID: 2
|       Encrypted Key: //pj6a4FaCyfv/Rgs<snip>
|       Kind: Aes256
|       Purpose: oldcryptohelper
|       Protection Type: 0
|       Protection Value: 1
|       Protection Details: {"IV":"oj3JCT7Cft<snip>"}
============================================
| DB - Exporting Accounts Table            |
|        Account: _system
|        Password Hash: qE9ClH<snip>
|        Password Salt: XgtO8XNWc/KiIdglGOnxvw==
|        Hashcat Mode 12501: $solarwinds$1$XgtO8XNWc/KiIdglGOnxvw==$qE9ClHDI<snip>
|        Account Enabled: Y
|        Allow Admin: Y
|        Last Login: 12/15/2020
--------------------------------------------
|        Account: Admin
|        Password Hash: IfAEwA7LXxOAH7ORCG0ZYeq<snip>
|        Password Salt: jNhn3i2XtHfY8y4EOmNdiQ==
|        Hashcat Mode 12501: $solarwinds$1$jNhn3i2XtHfY8y4EOmNdiQ==$IfAEwA7LXxOAH7ORCG0ZY<snip>
|        Account Enabled: Y
|        Allow Admin: Y
|        Last Login: 12/02/2020
--------------------------------------------
|        Account: Guest
|        Password Hash: Y/EMuOWMNfCd<snip>
|        Salt is NULL in DB so lowercase username is used: guest
|        Hashcat Mode 12500: $solarwinds$0$guest$Y/EMuOWMNfCd<snip>
|        Account Enabled: N
|        Allow Admin: N
|        Last Login: 12/30/1899
--------------------------------------------
|        Account: iprequest
|        Password Hash: 7zskGWFukuHuwQ<snip>
|        Salt is NULL in DB so lowercase username is used: iprequest
|        Hashcat Mode 12500: $solarwinds$0$iprequest$7zskGWFukuHuwQ<snip>
|        Account Enabled: Y
|        Allow Admin: N
|        Last Login: 01/01/1900
--------------------------------------------
|        Account: SITTINGDUCK\uberolduser
|        Password: 11-417578424799297-9-6260697430795685763067724
|        Decoded Password: ASDQWE123
|        Hashcat Mode 21500: $solarwinds$0$admin$fF1lrlOXfxVz51Etjcs18XNK+Zt3keV2AllH9cYtGzdt5Yg2TtcsU84G9+5VVFMIUorR5eNJzX/1kmef6wZfrg==
|        Account Enabled: Y
|        Allow Admin: N
|        Last Login: 11/15/2015
|        Account SID: S-1-5-21-1000000000-2000000000-3000000000-50000
|        Group: SITTINGDUCK\Domain Admins
--------------------------------------------
============================================
| DB - Exporting Credentials Table         |
------------------1--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: _system
|       Desc: Cortex Integration
|       Owner: CORE
|               Password: 9dM-5pH/&Y(KU-v
|               Username: _system
------------------1--------------------------
------------------2--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: JobEngine
|       Desc: Job Engine router TCP endpoint credentials
|       Owner: JobEngine
|               Password: +fBByxJFsK+da6ZN2wKvLTKC/PWUzFlfIvvwtW/XqvA=
|               Username: KWPPhiYJmE8+fRF6qlkxulK2tf3t79TQOAk1ywBMVOI=
------------------2--------------------------
------------------3--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV2
| Name: public
|       Desc:
|       Owner: Orion
|               Community: public
------------------3--------------------------
------------------4--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV2
| Name: private
|       Desc:
|       Owner: Orion
|               Community: private
------------------4--------------------------
------------------5--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: Erlang cookie
|       Desc: Erlang clustering cookie
|       Owner: Erlang
|               Password: abcdefg12456789abcde
|               Username: ignored
------------------5--------------------------
------------------6--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: RabbitMQ user account
|       Desc: RabbitMQ user account for Message Bus
|       Owner: RabbitMQ
|               Password: LtVmCrzlTNyWmwxpxJMi
|               Username: orion
------------------6--------------------------
------------------7--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: snmpv3user, Context: thisisthecontext
|       Desc:
|       Owner: Orion
|               AuthenticationKeyIsPassword: false
|               AuthenticationPassword: ASDqwe123
|               AuthenticationType: SHA1
|               Context: thisisthecontext
|               PrivacyKeyIsPassword: false
|               PrivacyPassword: ASDqwe123
|               PrivacyType: AES256
|               UserName: snmpv3user
------------------7--------------------------
------------------8--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: rootsnmpv3, Context: newcontextv3
|       Desc:
|       Owner: Orion
|               AuthenticationKeyIsPassword: true
|               AuthenticationPassword: ASDqwe123
|               AuthenticationType: MD5
|               Context: newcontextv3
|               PrivacyKeyIsPassword: true
|               PrivacyPassword: ASDqwe123
|               PrivacyType: AES128
|               UserName: rootsnmpv3
------------------8--------------------------
------------------9--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainAdmin
|       Desc:
|       Owner: Orion
|               Password: ASDqwe123
|               Username: SITTINGDUCK\uberuser
------------------9--------------------------
------------------10--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainJoiner
|       Desc:
|       Owner: Orion
|               Password: ASDqwe123
|               Username: [email protected]
------------------10--------------------------
------------------11--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: vesxi
|       Desc: vesxi
|       Owner: VIM
|               Password: ASDqwe123
|               Username: root
------------------11--------------------------
------------------12--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.ActiveDirectoryCredential
| Name: SITTINGDUCK\uberuser
| 	Desc: 
| 	Owner: Orion
| 		Password: ASDqwe213
| 		Username: SITTINGDUCK\uberuser
------------------12--------------------------
------------------13--------------------------
| Type: SolarWinds.APM.Common.Credentials.ApmUsernamePasswordCredential
| Name: App Monitoring User
| 	Desc: 
| 	Owner: APM
| 		Password: ASDqwe123
| 		Username: SITTINGDUCK\uberuser
------------------13--------------------------
------------------14--------------------------
| Type: SolarWinds.SRM.Common.Credentials.SmisCredentials
| Name: EMC_SMIS_Solarwinds
| 	Desc: 
| 	Owner: SRM
| 		HttpPort: 5988
| 		HttpsPort: 5989
| 		InteropNamespace: /interop
| 		Namespace: root/emc
| 		Password: ASDqwe123
| 		Username: solarwinds
| 		UseSSL: true
------------------14--------------------------
------------------15--------------------------
| Type: SolarWinds.ESI.Common.Connection.ExternalSystemCredential
| Name: ESC
| 	Desc: 
| 	Owner: ESI
| 		Password: ASDqwe123
| 		Username: solar_winds
------------------15--------------------------
------------------16--------------------------
| Type: SolarWinds.Orion.Web.Integration.OAuth2Token
| Name: SITTINGDUCK\uberuser
| 	Desc: 
| 	Owner: Web.Integration
| 		AccessToken: GthQHd3<snip>
| 		AccessTokenExpiration: 2020-11-01T10:52:50.2768075Z
| 		AccessTokenIssueDate: 2020-11-01T09:52:51.2768075Z
| 		RefreshToken:hEyph9WqIfzm<snip>
| 		Scopes: 
| 		Username: [email protected]
------------------16--------------------------
------------------17--------------------------
| Type: SolarWinds.SRM.Common.Credentials.XtremIoHttpCredential
| Name: XtremIO_Admin
| 	Desc: 
| 	Owner: SRM
| 		HttpPort: 80
| 		HttpsPort: 443
| 		Password: ASDqwe123
| 		Username: admin
| 		UseSsl: true
------------------18--------------------------
============================================
============================================
