.. /pveproxy

Star

pveproxy is the Proxmox VE API daemon that handles all web interface and API requests. Understanding pveproxy configuration and logs helps adversaries identify authentication mechanisms, API endpoints, and potential vulnerabilities. The associated certificates and keys are critical targets.

Paths

• /usr/bin/pveproxy
• /etc/pve/priv/pve-root-ca.key
• /etc/pve/pve-root-ca.pem
• /etc/pve/local/pve-ssl.key
• /etc/pve/priv/authkey.key

Resources

• https://pve.proxmox.com/wiki/Certificate_Management
• https://pve.proxmox.com/pve-docs/pveproxy.8.html

Detection

• Monitor access to /etc/pve/priv/ directory
• Watch for certificate file reads
• Alert on unauthorized private key access

Acknowledgements

• ZephrFish

Credential Access

1. Read the Proxmox root CA private key.

   cat /etc/pve/priv/pve-root-ca.key

   Use Case Extract the root CA key to forge certificates for MITM attacks or impersonation.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1552.004

   Tags

   Certificate TheftMITM

2. Read the Proxmox root CA certificate.

   cat /etc/pve/pve-root-ca.pem

   Use Case Obtain the root CA certificate for trust analysis or certificate forging.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1552.004

3. Read the node's SSL private key.

   cat /etc/pve/local/pve-ssl.key

   Use Case Extract SSL key for MITM attacks on the web interface.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1552.004

4. Read the authentication key used for ticket signing.

   cat /etc/pve/priv/authkey.key

   Use Case Extract the auth key to forge authentication tickets.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1552.004

   Tags

   Credential AccessTicket Forgery

5. Search proxy logs for authentication tickets.

   grep -r "ticket" /var/log/pveproxy/

   Use Case Harvest authentication tickets from logs for session hijacking.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1552.001

Discovery

1. Analyze the node's SSL certificate.

   openssl x509 -in /etc/pve/local/pve-ssl.pem -text -noout

   Use Case Examine certificate details including validity, SANs, and issuer.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1082

2. Check pveproxy service status.

   systemctl status pveproxy

   Use Case Verify API service is running and identify any configuration issues.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1082

3. Read pveproxy configuration defaults.

   cat /etc/default/pveproxy

   Use Case Identify custom configurations, cipher suites, and security settings.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1082