Cleartext password creds.kspw

jake_susnik1 · November 18, 2022, 5:22pm

Can someone verify, looks like cleartext password in path: \Rapid7\nexpose\nsc\conf\creds.kspw

jake_susnik1 · November 18, 2022, 6:15pm

All admin password hash, salt, and token? \Rapid7\nexpose\nsc\conf\userdb.xml

john_hartman · November 18, 2022, 9:30pm

The creds.kspw is the key used to encrypt the passwords for stored credentials. It’s also the key used to decrypt the credentials when restoring from a backup.

Also, yes on the userdb.xml.

jake_susnik1 · November 18, 2022, 9:43pm

Seems like a pretty unsecured practice. R7 Support tells me “I reached out to one of our principal engineer’s on this, so it turns out it is clear text. The reason its there is during restore, you need to have that to decrypt the creds storage in the database. It used to be that all customer had the same password. So it does still need to be protected, but only someone with root access to the folder can read it.”

If it protected why can I Google the password and it is in public R7 documentation? r@p1d7k3y*****

jake_susnik1 · November 18, 2022, 9:49pm

So your saying this is safe, with all Console Global Admins: D:\Rapid7\nexpose\nsc\conf\userdb.xml

salt=“7dc99095df69039”
passwordHash=“941A4F3716CD95E569AEBE3645DF7E4DE1A79E91”
token=“XCWN25QRJQJMOU2J”

jake_susnik1 · November 18, 2022, 9:51pm

How do we change this password creds.kspw? If forced to have a cleartext password that decrypts passwords I would prefer to not have a password that if in R7 documentation.

john_hartman · November 18, 2022, 10:01pm

The key shouldnt be what you have listed above, on first install it will be that value but after everything spins up it should generate a new key of random characters and random length.

Im not sure off the top of my head the BEST way to generate a new key. I mean technically if you just open that file and change the value it should do what youre looking for because it will call that file to encrypt future passwords. However i dont think it updates previously or current saved passwords.

I would reconvene with support on the best way to manually update that file.

jake_susnik1 · November 18, 2022, 10:13pm

I mean we have had console stood up and 4 scanner for about 1.5 years. Thank you, will work with support.
That is bad we have to have basically out LastPass password in cleartext.

jake_susnik1 · November 28, 2022, 2:27pm

Hello John,

Reply from R7 Support case 03467784Created By : Steve Sustaita 11/22/2022, 18:00
Hey Jake,

Reached out internally on your last inquiry:

So the Password in last comment is not the same thing as the creds.kspw password.

Creds.kspw password requires root access to view but yes it is in plain text and this is by design, however again root access is needed so internal access and authentication would be required to view it.

If you have any concerns, please bring it up with your CSM as this is not broken, its by design.:"