Commit 85d99d8

Land rapid7#8373, Add documentation for VMWare aux modules
2 parents cc72850 + 5d2b4e0 commit 85d99d8

2 files changed

+79
-0
lines changed
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
## Vulnerable Application
2+
3+
This module works against VMWare ESX and ESXi. Both can be downloaded from VMWare from [here](https://my.vmware.com/en/web/vmware/evalcenter?p=free-esxi6), free account signup required.
4+
5+
## Verification Steps
6+
7+
1. Start msfconsole
8+
2. Do: `use auxiliary/scanner/vmware/esx_fingerprint`
9+
3. Do: `set rhosts`
10+
4. Do: `run`
11+
12+
## Scenarios
13+
14+
A run against ESXi 6.0.0 Update 2 (Build 4600944)
15+
16+
```
17+
msf > use auxiliary/scanner/vmware/esx_fingerprint
18+
msf auxiliary(esx_fingerprint) > set rhosts 10.1.2.5
19+
rhosts => 10.1.2.5
20+
msf auxiliary(esx_fingerprint) > run
21+
22+
[+] 10.1.2.5:443 - Identified VMware ESXi 6.0.0 build-4600944
23+
[*] Scanned 1 of 1 hosts (100% complete)
24+
[*] Auxiliary module execution completed
25+
msf auxiliary(esx_fingerprint) >
26+
```
27+
28+
## Confirming using NMAP
29+
30+
Utilizing [vmware-version](https://nmap.org/nsedoc/scripts/vmware-version.html)
31+
32+
**Note**: This script was not installed by default on Kali at the time of writing this document.
33+
It can be installed via: `wget -O /usr/share/nmap/scripts/vmware-version.nse https://svn.nmap.org/nmap/scripts/vmware-version.nse`
34+
35+
```
36+
nmap --script vmware-version -p443 10.1.2.5
37+
38+
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 21:14 EDT
39+
Nmap scan report for 10.1.2.5
40+
Host is up (0.17s latency).
41+
PORT STATE SERVICE
42+
443/tcp open https
43+
| vmware-version:
44+
| Server version: VMware ESXi 6.0.0
45+
| Build: 4600944
46+
| Locale version: INTL 000
47+
| OS type: vmnix-x86
48+
|_ Product Line ID: embeddedEsx
49+
```
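Review bot: step 3 of Verification Steps, `set rhosts`, omits the value, so a reader who types it literally gets a usage error rather than a configured target; write it as `set rhosts <target>`, matching the `set rhosts 10.1.2.5` line in the Scenarios transcript. Two smaller points in this hunk: the vendor name is spelled `VMWare` in the first paragraph while the module's own output prints `VMware`, so the prose should use the official capitalisation throughout; and the `wget -O /usr/share/nmap/scripts/vmware-version.nse ...` install line writes into the system scripts directory, so it is worth noting beside the command that it normally has to be run as root.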
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
## Vulnerable Application
2+
3+
`vmauthd` is the VMWare authentication daemon that is included with many VMWare products,
4+
including [ESX(i)](https://my.vmware.com/en/web/vmware/evalcenter?p=free-esxi6),
5+
and [Workstation](https://www.vmware.com/products/workstation.html).
6+
7+
**Warning:** There is a known condition where this module utilizes `SSLv3`, however this is disabled in Kali.
8+
Changing to `SSLv23` will work on a default Kali install. This change was made for documenting this module.
9+
Please see [#7225](https://github.com/rapid7/metasploit-framework/issues/7225#issuecomment-294413253) for additional details and the fix.
10+
11+
## Verification Steps
12+
13+
1. Start msfconsole
14+
2. Do: `use auxiliary/scanner/vmware/vmauthd_version`
15+
3. Do: `set rhosts`
16+
4. Do: `run`
17+
18+
## Scenarios
19+
20+
A run against ESXi 6.0.0 Update 2 (Build 4600944)
21+
22+
```
23+
msf > use auxiliary/scanner/vmware/vmauthd_version
24+
msf auxiliary(vmauthd_version) > set rhosts 10.1.2.5
25+
rhosts => 10.1.2.5
26+
msf auxiliary(vmauthd_version) > run
27+
28+
[*] 10.1.2.5:902 - 10.1.2.5:902 Switching to SSL connection...
29+
[*] 10.1.2.5:902 - 10.1.2.5:902 Banner: 220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported, NFCSSL supported/t Certificate:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default Certificate/[email protected]/CN=localhost.localdomain/unstructuredName=1328954372,564d7761726520496e632e
30+
```
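Review bot: the Warning paragraph leaves it unclear whether the `SSLv3` to `SSLv23` change is in the shipped module or only in the author's local copy: "This change was made for documenting this module" reads as a local edit, which means a reader on a default Kali install may still hit the SSLv3 failure when reproducing the Scenarios run. State plainly whether the fix referenced in #7225 has landed in the framework, and if it has not, say which module file and setting the user has to change before the steps below will work. As in the other file, step 3 `set rhosts` should include its value, `set rhosts <target>`.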
