Testing Many Suspected Root Passwords on Many vCenter Appliances
One of my customers ran into a situation where they had lost track of the root passwords for their vCenter and Platform Services Controller appliances. As they logged into devices with expired passwords, they changed them, but they had lost track of which devices had had their passwords changed and which password each device was using. Since there was a decent sized list of potential passwords and quite a few devices, I decided that we'd all be better served by writing a script to test them for us, rather than trying them all by hand. Aside from the boredom that would come from running the tests by hand, I was concerned about human error introducing false negatives to our results.
Well, such a script is pretty trivial - I can just make an array of server names and an array of potential passwords, then nest a foreach inside of another foreach to try each password against each server. And that's true, but then I got to thinking about security. I really didn't want to type every suspected root password in this environment, in plain text, into my console. Sure, I was in a physically secured space and so was reasonably protected against shoulder surfing. Sure, I can use clear-history to remove those passwords from my powershell history... but it's still just not something that I'm comfortable with (don't even ask about hard coding the passwords into the scripts!).
So, here's what I came up with. This script requires plink to function; it's common freeware, so if you don't have it, you should probably go get it (and its big brother, putty). It takes an array of server names as the -servers parameter, and then is good to go. When you run the script, it prompts you for credentials. It stores those credentials in an array and prompts over and over, until you supply a blank password (so, this script will not test for blank passwords). Once you supply a blank password, it then proceeds to the nested foreach loops.
By default, the script returns a table that lists each server name and the number of the password that worked on that server (-1 means none worked), so remember the order in which you entered your passwords! I started this numbering at 1, because humans. If you really want to though, I added the -insecure switch to the script. That will cause the script to output a table with the server names and the actual password that worked for each server, instead of just the number of the password. Use at your own risk!
In fact, use this whole thing at your own risk! Just like any script you find on the internet, make sure that you really understand what it's doing before you run it, especially if it's asking for sensitive data like root passwords! While this worked for me in my environment, that's no guarantee that it'll work for you in yours, you know the drill.
Well, such a script is pretty trivial - I can just make an array of server names and an array of potential passwords, then nest a foreach inside of another foreach to try each password against each server. And that's true, but then I got to thinking about security. I really didn't want to type every suspected root password in this environment, in plain text, into my console. Sure, I was in a physically secured space and so was reasonably protected against shoulder surfing. Sure, I can use clear-history to remove those passwords from my powershell history... but it's still just not something that I'm comfortable with (don't even ask about hard coding the passwords into the scripts!).
So, here's what I came up with. This script requires plink to function; it's common freeware, so if you don't have it, you should probably go get it (and its big brother, putty). It takes an array of server names as the -servers parameter, and then is good to go. When you run the script, it prompts you for credentials. It stores those credentials in an array and prompts over and over, until you supply a blank password (so, this script will not test for blank passwords). Once you supply a blank password, it then proceeds to the nested foreach loops.
By default, the script returns a table that lists each server name and the number of the password that worked on that server (-1 means none worked), so remember the order in which you entered your passwords! I started this numbering at 1, because humans. If you really want to though, I added the -insecure switch to the script. That will cause the script to output a table with the server names and the actual password that worked for each server, instead of just the number of the password. Use at your own risk!
In fact, use this whole thing at your own risk! Just like any script you find on the internet, make sure that you really understand what it's doing before you run it, especially if it's asking for sensitive data like root passwords! While this worked for me in my environment, that's no guarantee that it'll work for you in yours, you know the drill.
FYI, for environments where you can install or run arbitrary software, hydra or ncrack will do this for you. But some environments may flag those as hacking tools, in which case plink is pretty commonly available in my experience!
ReplyDeleteFor example:
ncrack --user root -P password_file.txt 10.0.0.0/24
https://nmap.org/ncrack/