I see iSCSI — compromising DC backup
People aren’t kidding when they say “enumeration is key”. That’s actually how I was able to obtain access and download a company’s Domain Controller (DC) backups. Below is a quick diagram showing you the attack path:
First things first — nmap. Using the following nmap command, I was able to obtain information regarding the target server (which revealed an iSCSI service on port 3260):
nmap -sV -sC -Pn -p- targetmachine_IP -vv
There are a few ways to determine which software, service, or appliance is being used by the iSCSI protocol, but I’m only going through the one which I used for this specific exploitation process. On Windows 10, there is a built-in tool by the name of iSCSI Initiator. This tool allows you to connect to shared storage via the iSCSI protocol. When I opened the initiator, it automatically presented me with the following shares:
Being the curious human beings that we all are, a simple Google search for “Drobo:b800i” will present you with a Drobo appliance. I tried connecting to each one of the iSCSI paths, and all of them came back with “connected” status without requiring authentication. However, it was not possible for me to mount them without having to “format” each connected disk. Now we don’t want to do that (don’t break stuff). The next sensible thing was to go to the Drobo website and download the Drobo appliance dashboard on the attacking machine. Once installed, it will automatically show the following prompt (since no authentication is required):
Put a check mark beside the drive with the “E:” label to mount it and go to Windows Explorer to see that this shared disk is now mounted on your Windows attack machine.
That’s all you need! When going into this newly mounted drive, you will be able to see its contents, which are TIB files — TIB files are Acronis True Image backup files (a simple Google search shows this).
After some research, I found out that one way to load these backup files is to download Acronis True Image (trial version) and start loading each TIB file. Keep in mind that in order to load and see the content of each backup, you may need to know its password (gained through OSINT or information disclosure/hard-coded credentials, etc.).
Here’s the final look of Acronis attempting to load the DC backups.
Since it is not feasible for us to brute-force the passwords (although you may be able to), I hit a dead end: I was not able to view the actual content of the backup. However, do you see the “catalog” folder two screenshots above? That folder contains catalogs of the files (in SQLite format) stored in each backup.
Using sqlite3 on Kali Linux, we should be able to convert these catalog files into CSV format. Please see the following link on how to do that: https://www.sqlitetutorial.net/sqlite-tutorial/sqlite-export-csv/
Once converted, just open the exported CSV file and you will be able to see the type of information you would have access to if you had the password to the backup.
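The catalog step is worth a closer look from the defender's side: the TIB archives were password protected, but the catalog sitting next to them is a plain SQLite database, so file names, paths and sizes of everything in the backup are readable by anyone who can reach the share. The script below is an added example (not the author's code and not an Acronis tool). It generalizes the manual sqlite3 export from the link above to every table in the database, discovering the tables through sqlite_master because the real catalog schema is not documented on this page. The `files` and `volumes` tables and their rows are constructed demo data standing in for a catalog; nothing about the Acronis format is assumed beyond "it is SQLite".

```python
"""Dump every table of an SQLite catalog file to CSV.

Added example for this write-up; not an Acronis tool and not the author's
code. It generalises the manual `sqlite3 ... .mode csv` export: an Acronis
True Image catalog is an ordinary SQLite database, so the standard library
can export all of its tables. The schema of a real catalog is not on the
page, so tables are discovered via sqlite_master; the `files`/`volumes`
tables and their rows below are constructed demo data only.
"""
import csv
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """Return user tables, skipping SQLite's internal sqlite_* tables."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [r[0] for r in rows]


def export_table(conn: sqlite3.Connection, table: str, out_path: Path) -> int:
    """Write one table to CSV (header + rows); return the number of data rows."""
    # Table names come from sqlite_master, but quote them so names with
    # spaces or reserved words cannot break the statement.
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted}")
    header = [d[0] for d in cur.description]
    count = 0
    with out_path.open("w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(header)
        for row in cur:
            writer.writerow(row)
            count += 1
    return count


def export_database(db_path: Path, out_dir: Path) -> dict[str, int]:
    """Export all tables of db_path to out_dir/<table>.csv; return row counts."""
    out_dir.mkdir(parents=True, exist_ok=True)
    counts: dict[str, int] = {}
    # Open read-only so the catalog being examined is never modified.
    with closing(sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)) as conn:
        for table in list_tables(conn):
            counts[table] = export_table(conn, table, out_dir / f"{table}.csv")
    return counts


def build_sample_catalog(db_path: Path) -> None:
    """Create a constructed stand-in for a backup catalog (demo schema, not Acronis')."""
    with closing(sqlite3.connect(db_path)) as conn:
        conn.executescript(
            """
            CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT, size INTEGER);
            INSERT INTO files (path, size) VALUES
              ('D:\\Shares\\Finance\\budget-2021.xlsx', 48213),
              ('D:\\Shares\\HR\\staff-list.docx', 20480);
            CREATE TABLE volumes (id INTEGER PRIMARY KEY, label TEXT);
            INSERT INTO volumes (label) VALUES ('Data');
            """
        )


def run_demo() -> dict:
    """Build the sample catalog in a temp dir, export it, and read back files.csv."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        db = work / "catalog.db"
        build_sample_catalog(db)
        counts = export_database(db, work / "csv")
        with (work / "csv" / "files.csv").open(newline="", encoding="utf-8") as fh:
            rows = list(csv.reader(fh))
    return {"counts": counts, "files_header": rows[0], "files_rows": rows[1:]}


if __name__ == "__main__":
    result = run_demo()
    for table, n in result["counts"].items():
        print(f"{table}: {n} rows exported")
    print("files.csv header:", result["files_header"])
    print("first file entry:", result["files_rows"][0])
```

To run it against a real catalog, call `export_database(Path("catalog.db"), Path("out"))` instead of `run_demo()`; every table lands in its own CSV. The practical takeaway is that a backup's encryption only covers the archive body: if the catalog is stored unencrypted on a share that needs no authentication, the file inventory is already disclosed, so the catalog folder deserves the same access controls (and CHAP on the iSCSI target) as the TIB files themselves.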
$$$ profit $$$