How to Recover Credentials From the Veeam Backup & Replication Database

KB ID:	4349
Product:	Veeam Backup & Replication Veeam Cloud Connect
Published:	2022-12-08
Last Modified:	2022-12-08

Security Statement

Since the credentials provided to Veeam Backup & Replication are used to make connections to other resources in the environment (vCenter, Hyper-V, Linux, Azure, etc.), they must be stored in such a way that allows the software to decrypt the stored credentials and use them to authenticate to those remote resources. To accomplish this, Veeam Backup & Replication encrypts the credentials and keeps them in its configuration database. The credentials are encrypted using Microsoft Data Protection API and the unique MachineKey of the Windows OS where Veeam Backup & Replication is installed, making it so that the encrypted password can only be decrypted using the Windows machine where Veeam Backup & Replication is installed.

This storing of passwords in a state which the software can later decrypt is shared among all software that must take actions on behalf of users. When credentials are stored in such a way that software can later utilize those credentials on behalf of the user, they can also be decrypted by any user with access to that machine by using the same decrypt commands the software would use. In that same way, so too can the encrypted credentials stored by Veeam Backup & Replication be decrypted by a user who has access to both the configuration database (VeeamBackup) and the Windows server where Veeam Backup & Replication is installed.

For those reasons, it is strongly advised to closely follow all security best practices and limit access to the Veeam Backup Server.

For information about Veeam Backup Server security, review the following:
Veeam Backup & Replication Best Practice Guide - Security Domains

Key Points:

Recovery of credentials stored in the Veeam Backup & Replication Configuration Database requires both of the following:
- Access to the Configuration Database to acquire the encrypted password.
- Access to the Veeam Backup Server to execute the native windows commands to decrypt the password from the database.
Credentials provided by users to Veeam Backup & Replication are encrypted and stored in the Configuration Database.
Credentials can only be recovered by executing code from the machine where Veeam Backup & Replication is installed.
Credentials cannot be recovered with only a copy of the database. The decryption process requires access to the machine that initially encrypted the credentials.
The native Windows commands used to recover the encrypted credentials can be performed by any user.
The ability to recover the passwords from the Veeam Backup & Replication Configuration Database is not a vulnerability. It is inherent to the nature of any software which must make authentication actions on behalf of a user, such as monitoring software or any other backup software that authenticates with username/password.

Purpose

This article documents how to recover credentials stored within the Veeam Backup & Replication configuration database.

Solution

The file and database locations below are based on the default install locations for Veeam Backup & Replication.

Credential Recovery Procedure

Collect the encrypted password value from the Veeam Backup & Replication configuration database using the following SQL query.
Refer to KB1471 for Veeam Database Location Details.

SELECT user_name,password,description,change_time_utc FROM [dbo].[Credentials]  
                       

Update the following PowerShell script using the encrypted password value from the database, and then Execute.

Add-Type -AssemblyName 'system.security'
$context = '<encrypted-password-value-from-database>'
$data = [Convert]::FromBase64String($context)
$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($data, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
[System.Text.Encoding]::UTF8.GetString($raw)  
                       

Attempting this procedure on a machine other than the Veeam Backup Server that encrypted and wrote the value to the database will fail, as shown below.
Note that the same commands as the example above are used.

More Information

Credentials Manager Cleanup

In some environments, duplicate accounts may be listed within the Credentials Manager. For more information, review: KB3224: How to Clean Up the Credentials Manager in Veeam Backup & Replication.

Advanced Script Example

The script below will automatically identify the location of the VeeamBackup database from the registry values used by Veeam Backup & Replication and output all credentials in plaintext.

Script Requirements

The script must be run on the Veeam Backup Server.
The script must be run from an Administrative PowerShell console.
The account used to execute the script must have access to the Configuration Database.
^{Use the command whoami in the Administrative PowerShell console to verify which account will execute the script.}

Support Statement

This script is provided as a courtesy and is not supported by Veeam Technical Support. Use at your own risk.
Veeam Technical Support will not assist in the usage or troubleshooting of this tool.

function Invoke-SQL {
    param(
        $dataSource,
        $sqlQuery = $(throw "Please specify a query."),
        $database
      )
    $connectionString = "Data Source=$dataSource; " + "Integrated Security=SSPI"
    if ($database.Length -gt 0) { $connectionString + ";Initial Catalog=$database" }
    $connection = new-object system.data.SqlClient.SQLConnection($connectionString)
    $command = new-object system.data.sqlclient.sqlcommand($sqlQuery,$connection)
    $connection.Open()
    $adapter = New-Object System.Data.sqlclient.sqlDataAdapter $command
    $dataset = New-Object System.Data.DataSet
    $adapter.Fill($dataSet) | Out-Null
    $connection.Close()
	return $dataset
}
function DecryptString {
    param(
        [string] $encryptedString
    )
    [reflection.assembly]::LoadWithPartialName('System.Security') | Out-Null
    $unprotectedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String($encryptedString), $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    $string = [System.Text.Encoding]::UTF8.GetString($unprotectedBytes)
    return $string
}
function QueryCredentials {
    param(
        [string] $dataSource,
        [string] $dbName
      )
    $query = "SELECT user_name, password, description FROM [VeeamBackup].[dbo].[Credentials]"
    $dataSet = Invoke-SQL $dataSource $query $dbName
    $results = @()
    foreach ($row in $dataSet.Tables[0].Rows) {
        $password = "<not set>"
        if ($row.password -ne "") {
            $password = DecryptString($row.password)
        }
        $results += [pscustomobject]@{login = $row.user_name; password = $password; description = $row.description}
    }
    $results | Format-Table
}
$brKey = Get-ItemProperty "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication"
if ($brKey -eq $null) {
    $sqlKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server"
    $installedInstances = $sqlKey.InstalledInstances
    foreach($instance in $installedInstances) {
        $dataSource = "localhost" + "\" + $instance
        $dbName = "sys"
        $query = "select [name] as database_name, database_id, create_date from sys.databases order by name"
        $dataSet = Invoke-SQL $datasource $query
        $databases = @()
        foreach($row in $dataSet.Tables[0].Rows) {
            if ($row.database_name -like "*veeam*") { $databases += $row.database_name }
        }
        foreach($dbName in $databases) {
            QueryCredentials $dataSource $dbName
        }
    }
} else {
    $serverName = $brKey.SqlServerName
    $instanceName = $brKey.SqlInstanceName
    $dbName = $brKey.SqlDatabaseName
    $dataSource = $serverName + "\" + $instanceName
    QueryCredentials $dataSource $dbName
}  
                       

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

How to Recover Credentials From Veeam Backup & Replication Database

How to Recover Credentials From the Veeam Backup & Replication Database

Security Statement

Key Points:

Purpose

Solution

Credential Recovery Procedure

More Information

Credentials Manager Cleanup

Advanced Script Example

Script Requirements

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

Ominde Commission Report and Recommendations – Ominde Report of 1964

Bureau of Internal Revenue: Regional Offices (Directory)

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

Mp3 Download: Mdu - Kunjenjenjena

How the kill the job , when DTP request running for long hours.

Microsoft Intune から展開しているアプリのアップデートについて

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

Car crash in Dunton Bassett leaves driver in critical condition

Macky 2, Two Others In Road Accident

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

Detroit mafia: D’Anna Brothers agree to plea deal

Delivery block field greyed out using VA02

Muloraki Au

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出ｗ【リベンジポルノ】＠PornHub

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

FIAT 500 B0111 B0112