ID MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module authenticates to the VMware web services (VIM SOAP) interface with the supplied credentials and lists the virtual machines registered on the host; for VMs that are powered on it can also capture a console screenshot and save it as loot. This covers ESX/ESXi and VMware Server.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
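class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::VIMSoap
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'VMWare Enumerate Virtual Machines',
      'Description' => %Q{
        This module attempts to discover virtual machines on any VMWare instance
        running the web interface. This would include ESX/ESXi and VMWare Server.
      },
      'Author' => ['theLightCosine'],
      'License' => MSF_LICENSE,
      # The vSphere web service is normally HTTPS. NOTE(review): the HttpClient
      # mixin is not configured here to verify the server certificate, so this
      # gives transport encryption only, not server authentication - confirm
      # whether SSLVerifyMode should be exposed if that matters for your use.
      'DefaultOptions' => { 'SSL' => true }
    )

    register_options(
      [
        Opt::RPORT(443),
        # These credentials are sent to every host in RHOSTS; the defaults are
        # a convenience only and each attempt is a visible login on the target.
        OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
        OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
        OptBool.new('SCREENSHOT', [true, "Whether or not to try to take a screenshot", true])
      ])
  end

  # Scanner entry point, invoked once per host in RHOSTS.
  #
  # Logs in to the VIM SOAP endpoint with USERNAME/PASSWORD, records every VM
  # returned by vim_get_vms as a 'vmware.esx.vm' note, optionally captures a
  # console screenshot of each powered-on VM (SCREENSHOT option), and finally
  # stores the whole VM list as 'host.vmware.vms' loot.
  #
  # @param ip [String] address of the host being scanned (the Scanner mixin
  #   sets RHOST to the same value, so +ip+ is used for all loot records)
  # @return [void]
  def run_host(ip)
    unless vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
      print_error "Login Failure on #{ip}"
      return
    end

    virtual_machines = vim_get_vms
    virtual_machines.each do |vm|
      print_good YAML.dump(vm)
      report_note(
        :host => ip,
        :type => "vmware.esx.vm",
        :data => vm,
        :port => rport,
        :proto => 'tcp',
        :update => :unique_data
      )

      # A screenshot only makes sense for a running VM. Guard the 'runtime'
      # lookup so a VM record without that section skips the screenshot
      # instead of raising and aborting the remaining VMs on this host.
      runtime = vm['runtime']
      next unless datastore['SCREENSHOT'] && runtime && runtime['powerState'] == 'poweredOn'

      capture_screenshot(ip, vm)
    end

    f = store_loot('host.vmware.vms', "text/plain", ip, YAML.dump(virtual_machines), "#{ip}_esx_vms.txt", "VMWare ESX Virtual Machines")
    vprint_good("VM info stored in: #{f}")
  end

  private

  # Takes a console screenshot of +vm+ and stores it as 'host.vmware.screenshot'
  # loot.
  #
  # vim_take_screenshot returns :error on failure, :expired when the VIM
  # session has timed out, and otherwise the image data. On :expired the
  # session is re-established once and the screenshot retried; if that
  # re-login itself fails the retry is skipped, since it could only yield
  # another :expired/:error result.
  #
  # @param ip [String] host the screenshot was taken from (loot record host)
  # @param vm [Hash] VM record as returned by vim_get_vms; 'name' is used for
  #   the loot description and file name
  # @return [void]
  def capture_screenshot(ip, vm)
    print_status "Attempting to take screenshot of #{vm['name']}...."
    screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'])

    if screenshot == :expired &&
       vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
      screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'])
    end

    case screenshot
    when :error, :expired
      print_error "Screenshot failed"
      return
    end

    # NOTE(review): vm['name'] is supplied by the target. store_loot appears to
    # derive the on-disk file name from ltype/host/timestamp itself and take
    # only the extension from this argument, so the name is not used as a
    # path component - confirm against Msf::Auxiliary::Report before relying
    # on that.
    ss_path = store_loot("host.vmware.screenshot", "image/png", ip, screenshot, "#{vm['name']}_screenshot.png", "Screenshot of VM #{vm['name']}")
    print_good "Screenshot Saved to #{ss_path}"
  end
end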
{"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-29T22:11:10", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmware_enum_vms", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:55:28", "history": [], "viewCount": 1, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_status(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-07-02T23:55:28", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmware_enum_vms", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:29:47", "history": [], "viewCount": 1, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-07-24T19:29:47", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:10", "history": [], "viewCount": 2, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-08-21T15:32:10", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-17T19:25:17", "history": [], "viewCount": 2, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-10-17T19:25:17", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-18T07:16:05", "history": [], "viewCount": 3, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-10-18T07:16:05", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-07T07:46:21", "history": [], "viewCount": 3, "enchantments": {}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-11-07T07:46:21", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "2012-02-13T18:07:28", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-11-08T19:42:26", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.1, "modified": "2017-11-08T19:42:26"}}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2017-11-08T19:42:26", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_ENUM_VMS", "type": "metasploit", "bulletinFamily": "exploit", "title": "VMWare Enumerate Virtual Machines", "description": "This module attempts to discover virtual machines on any VMWare instance running the web interface. This would include ESX/ESXi and VMWare Server.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-29T18:09:31", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.1, "modified": "2018-01-29T18:09:31"}}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb"}, "lastseen": "2018-01-29T18:09:31", "differentElements": ["modified", "published"], "edition": 8}], "viewCount": 3, "enchantments": {"vulnersScore": 7.5}, "enchantments_done": [], "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Enumerate Virtual Machines',\n 'Description' => %Q{\n This module attempts to discover virtual machines on any VMWare instance\n running the web interface. 
This would include ESX/ESXi and VMWare Server.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, \"The username to Authenticate with.\", 'root' ]),\n OptString.new('PASSWORD', [ true, \"The password to Authenticate with.\", 'password' ]),\n OptBool.new('SCREENSHOT', [true, \"Wheter or not to try to take a screenshot\", true])\n ])\n end\n\n def run_host(ip)\n\n if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success\n virtual_machines = vim_get_vms\n virtual_machines.each do |vm|\n print_good YAML.dump(vm)\n report_note(\n :host => rhost,\n :type => \"vmware.esx.vm\",\n :data => vm,\n :port => rport,\n :proto => 'tcp',\n :update => :unique_data\n )\n next unless datastore['SCREENSHOT'] and vm['runtime']['powerState'] == 'poweredOn'\n print_status \"Attempting to take screenshot of #{vm['name']}....\"\n screenshot = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n case screenshot\n when :error\n print_error \"Screenshot failed\"\n next\n when :expired\n vim_do_login(datastore['USERNAME'], datastore['PASSWORD'])\n retry_result = vim_take_screenshot(vm, datastore['USERNAME'], datastore['PASSWORD'] )\n if retry_result == :error or retry_result == :expired\n print_error \"Screenshot failed\"\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], retry_result, \"#{vm['name']}_screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n else\n ss_path = store_loot(\"host.vmware.screenshot\", \"image/png\", datastore['RHOST'], screenshot, \"screenshot.png\", \"Screenshot of VM #{vm['name']}\")\n print_good \"Screenshot Saved to #{ss_path}\"\n end\n end\n\n f = store_loot('host.vmware.vms', \"text/plain\", datastore['RHOST'], YAML.dump(virtual_machines) , \"#{datastore['RHOST']}_esx_vms.txt\", \"VMWare ESX 
Virtual Machines\")\n vprint_good(\"VM info stored in: #{f}\")\n else\n print_error \"Login Failure on #{ip}\"\n return\n end\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"]}
{"result": {"securelist": [{"lastseen": "2018-04-23T14:35:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "\n\n[_Energetic Bear/Crouching Yeti_](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080817/EB-YetiJuly2014-Public.pdf>)_ is a widely known APT group active since at least 2010. The group tends to attack different companies with a strong focus on the energy and industrial sectors. Companies attacked by Energetic Bear/Crouching Yeti are geographically distributed worldwide with a more obvious concentration in Europe and the US. In 2016-2017, the number of attacks on companies in Turkey increased significantly. _\n\n_The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes \u2013 to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group's main targets. _\n\n_Recent activity of the group against US organizations was discussed in a _[_US-CERT_](<https://www.us-cert.gov/ncas/alerts/TA18-074A>)_ advisory, which linked the actor to the Russian government, as well as an advisory by the _[_UK National Cyber Security Centre_](<https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control>)_. _\n\n_This report by _[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_ presents information on identified servers that have been infected and used by the group. 
The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017_.\n\n## Attack victims\n\nThe table below shows the distribution of compromised servers (based on the language of website content and/or the origins of the company renting the server at the time of compromise) by countries, attacked company types and the role of each server in the overall attack scheme. Victims of the threat actor's attacks were not limited to industrial companies.\n\n**Table 1. Compromised servers**\n\n**Country** | **Description** | **Role in the attack** \n---|---|--- \n**Russia** | Opposition political website | Waterhole \nReal estate agency | Auxiliary (collecting user data in the waterhole attack) \nFootball club | Waterhole \nDeveloper and integrator of secure automation systems and IS consultant | Waterhole \nDevelopers of software and equipment | Auxiliary (collecting user data in the waterhole attack, tool hosting) \nInvestment website | Auxiliary (collecting user data in the waterhole attack) \n**Ukraine** | Electric power sector company | Waterhole \nBank | Waterhole \n**UK** | Aerospace company | Waterhole \n**Germany** | Software developer and integrator | Waterhole \nUnknown | Auxiliary (collecting user data in the waterhole attack) \n**Turkey** | Oil and gas sector enterprise | Waterhole \nIndustrial group | Waterhole \nInvestment group | Waterhole \n**Greece** | Server of a university | Auxiliary (collecting user data in the waterhole attack) \n**USA** | Oil and gas sector enterprise | Waterhole \n**Unknown** | Affiliate network site | Auxiliary (collecting user data in the waterhole attack) \n \n## Waterhole\n\nAll waterhole servers are infected following the same pattern: injecting a link into a web page or JS file with the following file scheme: 
file://IP/filename.png.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-1.png>)\n\n_Injected link with the file scheme_\n\nThe link is used to initiate a request for an image, as a result of which the user connects to the remote server over the SMB protocol. In this attack type, the attackers' goal is to extract the following data from the session:\n\n * user IP,\n * user name,\n * domain name,\n * NTLM hash of the user's password.\n\nIt should be noted that the image requested using the link is not physically located on the remote server.\n\n## Scanned resources\n\nCompromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).\n\n**Table 2. Resources that were scanned from one of the infected servers**\n\n**Country \n(based on the content)** | **Description** \n---|--- \n**Russia** | Non-profit organization \nSale of drugs \nTravel/maps \nResources based on the Bump platform (platform for corporate social networks) \u2013 non-profit organization, social network for college/university alumni, communication platform for NGOs, etc. \nBusiness \u2013 photographic studio \nIndustrial enterprise, construction company \nDoor manufacturing \nCryptocurrency exchange \nConstruction information and analysis portal \nPersonal website of a developer \nVainah Telecom IPs and Subnets (Chechen Republic) \nVarious Chechen resources (governmental organizations, universities, industrial enterprises, etc.) \nWeb server with numerous sites (alumni sites, sites of industrial and engineering companies, etc.) 
\nMuslim dating site \n**Brazil** | Water treatment \n**Turkey** | Hotels \nEmbassy in Turkey \nSoftware developer \nAirport website \nCity council website \nCosmetics manufacturer \nReligious website \nTurktelekom subnet with a large number of sites \nTelnet Telecom subnet with a large number of sites \n**Georgia** | Personal website of a journalist \n**Kazakhstan** | Unknown web server \n**Ukraine** | Office supplies online store \nFloral business \nImage hosting service \nOnline course on sales \nDealer of farming equipment and spare parts \nUkrainian civil servant's personal website \nOnline store of parts for household appliance repair \nTimber sales, construction \nTennis club website \nOnline store for farmers \nOnline store of massage equipment \nOnline clothes store \nWebsite development and promotion \nOnline air conditioner store \n**Switzerland** | Analytical company \n**US** | Web server with many domains \n**France** | Web server with many domains \n**Vietnam** | Unknown server \n**International** | Flight tracker \n \nThe sites and servers on this list do not seem to have anything in common. 
Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers' tools and, subsequently, to develop the attack.\n\nPart of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.\n\nIn some cases, the domains scanned were hosted on the same server; sometimes the attackers went through the list of possible domains matching a given IP.\n\nIn most cases, multiple attempts to compromise a specific target were not identified \u2013 with the possible exception of sites on the Bump platform, flight tracker servers and servers of a Turkish hotel chain.\n\nCuriously, the sites scanned included a web developer's website, kashey.ru, and resources links to which were found on this site. These may have been links to resources developed by the site's owner: [www.esodedi.ru](<http://www.esodedi.ru>), [www.i-stroy.ru](<http://www.i-stroy.ru>), [www.saledoor.ru](<http://www.saledoor.ru>)\n\n## Toolset used\n\n### Utilities\n\nUtilities found on compromised servers are open-source and publicly available on GitHub:\n\n * Nmap \u2013 an open-source utility for analyzing the network and verifying its security.\n * [Dirsearch](<https://github.com/maurosoria/dirsearch>) \u2014 a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.\n * [Sqlmap](<https://github.com/sqlmapproject/sqlmap>) \u2014 an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.\n * [Sublist3r](<https://github.com/aboul3la/Sublist3r>) \u2014 a tool written in Python designed to enumerate website subdomains. The tool uses open-source intelligence ([OSINT](<https://ru.wikipedia.org/wiki/OSINT>)). 
Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as such services as Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers to collect information on the subdomains of the domain they are researching.\n * [Wpscan](<https://github.com/wpscanteam/wpscan>) \u2014 a WordPress vulnerability scanner that uses the blackbox principle, i.e., works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.\n * [Impacket](<https://github.com/CoreSecurity/impacket>) \u2014 a toolset for working with various network protocols, which is required by SMBTrap.\n * [SMBTrap](<https://github.com/CylanceSPEAR/SMBTrap>) \u2014 a tool for logging data received over the SMB protocol (user IP address, user name, domain name, password NTLM hash).\n * [Commix](<https://github.com/commixproject/commix>) \u2014 a vulnerability search and command injection and exploitation tool written in Python.\n * [Subbrute](<https://github.com/TheRook/subbrute>) \u2013 a subdomain enumeration tool available for Python and Windows that uses an open name resolver as a proxy and does not send traffic to the target DNS server.\n * [PHPMailer](<https://github.com/PHPMailer/PHPMailer>) \u2013 a mail sending tool.\n\nIn addition, a custom Python script named ftpChecker.py was found on one of the servers. 
The script was designed to check FTP hosts from an incoming list.\n\n### Malicious php files\n\nThe following malicious php files were found in different directories in the nginx folder and in a working directory created by the attackers on an infected web servers:\n\n**File name** | **Brief description** | **md5sum** | **Time of the latest file change (MSK)** | **Size, bytes** \n---|---|---|---|--- \nini.php | wso shell+ mail | f3e3e25a822012023c6e81b206711865 | 2016-07-01 15:57:38 | 28786 \nmysql.php | wso shell+ mail | f3e3e25a822012023c6e81b206711865 | 2016-06-12 13:35:30 | 28786 \nopts.php | wso shell | c76470e85b7f3da46539b40e5c552712 | 2016-06-12 12:23:28 | 36623 \nerror_log.php | wso shell | 155385cc19e3092765bcfed034b82ccb | 2016-06-12 10:59:39 | 36636 \ncode29.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 11:10:40 | 10724 \nproxy87.php | web shell | 1644af9b6424e8f58f39c7fa5e76de51 | 2016-06-12 14:31:13 | 10724 \ntheme.php | wso shell | 2292f5db385068e161ae277531b2e114 | 2017-05-16 17:33:02 | 133104 \nsma.php | PHPMailer | 7ec514bbdc6dd8f606f803d39af8883f | 2017-05-19 13:53:53 | 14696 \nmedia.php | wso shell | 78c31eff38fdb72ea3b1800ea917940f | 2017-04-17 15:58:41 | 1762986 \n \nIn the table above:\n\n * Web shell is a script that allows remote administration of the machine.\n * WSO is a popular web shell and file manager (it stands for \"Web Shell by Orb\") that has the ability to masquerade as an error page containing a hidden login form. 
It is available on GitHub:\n\n<https://github.com/wso-shell/WSO>\n\nTwo of the PHP scripts found, ini.php and mysql.php, contained a WSO shell concatenated with the following email spamming script:\n\n<https://github.com/bediger4000/php-malware-analysis/tree/master/db-config.php>\n\nAll the scripts found are obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124233/180418-energetic-bear-crouching-yeti-2.png>)\n\n_wso shell \u2013 error_log.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-3.png>)\n\n_Deobfuscated wso shell \u2013 error_log.php_\n\nOne of the web shells was found on the server under two different names (proxy87.php and code29.php). It uses the eval function to execute a command sent via HTTP cookies or a POST request:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-4.png>)\n\n_Web shell \u2013 proxy87.php_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-5.png>)\n\n_Deobfuscated web shell \u2013 proxy87.php_\n\n### Modified sshd\n\nA modified sshd with a preinstalled backdoor was found in the process of analyzing the server.\n\nPatches with some versions of backdoors for sshd that are similar to the backdoor found are available on GitHub, for example:\n\n<https://github.com/jivoi/openssh-backdoor-kit>\n\nCompilation is possible on any OS with binary compatibility.\n\nAs a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a 'master password' to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).\n\nIn addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the 'master password'), including 
connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124232/180418-energetic-bear-crouching-yeti-6.png>)\n\n_Decrypted log at /var/tmp/.pipe.sock_\n\n## Activity of the attackers on compromised servers\n\nIn addition to using compromised servers to scan numerous resources, other attacker activity was also identified.\n\nAfter gaining access to the server, the attackers installed the tools they needed at different times. Specifically, the following commands for third-party installations were identified on one of the servers:\n\n * apt install traceroute\n * apt-get install nmap\n * apt-get install screen\n * git clone https://github.com/sqlmapproject/sqlmap.git\n\nAdditionally, the attackers installed any packages and tools for Python they needed.\n\nThe diagram below shows times of illegitimate logons to one of the compromised servers during one month. The attackers checked the smbtrap log file on working days. In most cases, they logged on to the server at roughly the same time of day, probably in the morning hours:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/18124231/180418-energetic-bear-crouching-yeti-7.png>)\n\n_Times of illegitimate connections with the server (GMT+3)_\n\nIn addition, in the process of performing the analysis, an active process was identified that exploited SQL injection and collected data from a database of one of the victims.\n\n## Conclusion\n\nThe findings of the analysis of compromised servers and the attackers' activity on these servers are as follows:\n\n 1. With rare exceptions, the group's members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group 'markers' very difficult.\n 2. 
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.\n 3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.\n 4. The diversity of victims may indicate the diversity of the attackers' interests.\n 5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack's further development.\n\n## Appendix I \u2013 Indicators of Compromise\n\n### Filenames and Paths\n\n#### Tools*\n\n/usr/lib/libng/ftpChecker.py \n/usr/bin/nmap/ \n/usr/lib/libng/dirsearch/ \n/usr/share/python2.7/dirsearch/ \n/usr/lib/libng/SMBTrap/ \n/usr/lib/libng/commix/ \n/usr/lib/libng/subbrute-master/ \n/usr/share/python2.7/sqlmap/ \n/usr/lib/libng/sqlmap-dev/ \n/usr/lib/libng/wpscan/ \n/usr/share/python2.7/wpscan/ \n/usr/share/python2.7/Sublist3r/\n\n*Note that these tools can also be used by other threat actors.\n\n#### PHP files:\n\n/usr/share/python2.7/sma.php \n/usr/share/python2.7/theme.php \n/root/theme.php \n/usr/lib/libng/media.php\n\n#### Logs\n\n/var/tmp/.pipe.sock\n\n### PHP file hashes\n\nf3e3e25a822012023c6e81b206711865 \nc76470e85b7f3da46539b40e5c552712 \n155385cc19e3092765bcfed034b82ccb \n1644af9b6424e8f58f39c7fa5e76de51 \n2292f5db385068e161ae277531b2e114 \n7ec514bbdc6dd8f606f803d39af8883f \n78c31eff38fdb72ea3b1800ea917940f\n\n### Yara rules\n\nrule Backdoored_ssh { \nstrings: \n$a1 = \"OpenSSH\" \n$a2 = \"usage: ssh\" \n$a3 = \"HISTFILE\" \ncondition: \nuint32(0) == 0x464c457f and filesize<1000000 and all of ($a*) \n}\n\n## Appendix II \u2013 Shell script to check a server for tools\n\n### Shell script for 
Debian\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \ndpkg -l | grep -E \\\\(impacket\\|pcapy\\|nmap\\\\) > dpkg-grep.txt \ncp /var/lib/dpkg/info/openssh-server.md5sums . #retrieve initial hash for sshd \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual hash for sshd\n\n### Shell script for Centos\n\ncd /tmp \nworkdir=428c5fcf495396df04a459e317b70ca2 \nmkdir $workdir \ncd $workdir \nfind / -type d -iname smbtrap > find-smbtrap.txt 2>/dev/null \nfind / -type d -iname dirsearch > find-dirsearch.txt 2>/dev/null \nfind / -type d -iname nmap > find-nmap.txt 2>/dev/null \nfind / -type d -iname wpscan > find-wpscan.txt 2>/dev/null \nfind / -type d -iname sublist3r > find-sublist3r.txt 2>/dev/null \nrpm -qa | grep -E \\\\(impacket\\|pcapy\\|nmap\\\\) > rpm-grep.txt \nrpm -qa -dump | grep ssh > rpm-qa-dump.txt #retrieve initial hash for sshd \nsha256sum /usr/sbin/sshd > sshd.sha256sum #calculate actual sha256 hash for sshd \nmd5sum /usr/sbin/sshd > sshd.md5sum #calculate actual md5 hash for sshd\n\n[ **Energetic Bear/Crouching Yeti: attacks on servers**](<https://ics-cert.kaspersky.com/media/EB_public_FINAL_EN_20042018.pdf>)", "reporter": "Kaspersky Lab ICS CERT", "published": "2018-04-23T10:00:36", "type": "securelist", "title": "Energetic Bear/Crouching Yeti: attacks on servers", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-23T10:00:36", "id": "SECURELIST:5120B9325810A974F19B2E365EC8516C", "href": "https://securelist.com/energetic-bear-crouching-yeti/85345/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": 
"2018-04-23T10:44:01", "references": ["https://peckshield.com/2018/04/22/batchOverflow/", "https://dasp.co/#item-3", "https://twitter.com/OKEx_/status/987967343983714304", "https://support.okex.com/hc/en-us/articles/360002944212-BeautyChain-BEC-Withdrawal-and-Trading-Suspended"], "description": "An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the \"batchOverflow\" issue. NOTE: the OKEx exchange suspended BEC trading as of 2018-04-22; however, the integer overflow in this codebase can still be exploited through transactions involving other exchanges and/or other tokens.", "edition": 1, "reporter": "NVD", "published": "2018-04-23T00:29:00", "title": "CVE-2018-10299", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10299"], "scanner": [], "modified": "2018-04-23T00:29:00", "cpe": [], "id": "CVE-2018-10299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10299", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:41:45", "references": ["https://edricteo.com/kliqqi-cms-sqli-vulnerability-in-version-3.5.2/"], "description": "SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T11:29:00", "title": "CVE-2017-17902", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-17902"], "scanner": [], "modified": "2018-04-22T11:29:00", "cpe": [], "id": "CVE-2017-17902", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17902", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": ["https://laworigin.github.io/2018/04/22/Discuz-x-portal-Stored-XSS/"], "description": "Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T11:29:00", "title": "CVE-2018-10298", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10298"], "scanner": [], "modified": "2018-04-22T11:29:00", "cpe": [], "id": "CVE-2018-10298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10298", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:41:45", "references": ["https://edricteo.com/kliqqi-cms-xss-vulnerability-in-version-3.5.2/"], "description": "Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T11:29:00", "title": "CVE-2017-17889", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-17889"], "scanner": [], "modified": "2018-04-22T11:29:00", "cpe": [], "id": "CVE-2017-17889", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17889", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": ["https://laworigin.github.io/2018/04/22/Discuz-x-portal-Stored-XSS/"], "description": "Discuz! 
DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T11:29:00", "title": "CVE-2018-10297", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10297"], "scanner": [], "modified": "2018-04-22T11:29:00", "cpe": [], "id": "CVE-2018-10297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10297", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": ["https://github.com/chemcms/ChemCMS/issues/1"], "description": "ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T10:29:00", "title": "CVE-2018-10295", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10295"], "scanner": [], "modified": "2018-04-22T10:29:00", "cpe": [], "id": "CVE-2018-10295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10295", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": ["https://github.com/bg5sbk/MiniCMS/issues/17"], "description": "MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T10:29:00", "title": "CVE-2018-10296", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10296"], "scanner": [], "modified": "2018-04-22T10:29:00", "cpe": [], "id": "CVE-2018-10296", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10296", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": 
["https://gist.github.com/berkgoksel/b8e15cb5742540c6987e9d837d6fa8b1"], "description": "The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T09:29:00", "title": "CVE-2018-10285", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10285"], "scanner": [], "modified": "2018-04-22T09:29:00", "cpe": [], "id": "CVE-2018-10285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10285", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:34", "references": ["https://gist.github.com/berkgoksel/99ba5c1f3f9f6e4e33e7ad966c007693"], "description": "The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T09:29:00", "title": "CVE-2018-9245", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-9245"], "scanner": [], "modified": "2018-04-22T09:29:00", "cpe": [], "id": "CVE-2018-9245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9245", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-23T10:44:01", "references": ["https://gist.github.com/berkgoksel/fde102503c457c0344e2e53b7971437a"], "description": "The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. 
In order to be able to see the credentials in cleartext, an attacker needs to be authenticated.", "edition": 1, "reporter": "NVD", "published": "2018-04-22T09:29:00", "title": "CVE-2018-10286", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-10286"], "scanner": [], "modified": "2018-04-22T09:29:00", "cpe": [], "id": "CVE-2018-10286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10286", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2018-04-23T09:02:09", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "I spent almost the whole of last week in Prague at the [CyberCentral](<https://cybercentral.eu/>) conference. It was a pretty unique experience for me. It was my first time at an international conference as a speaker. Not only did I present my report there, but I also led the round table on Vulnerability Management and participated in a panel session.\n\n\n\nFrom my point of view, everything was pretty good. I successfully closed my gestalt on public speaking in English. I definitely can do it. \n\nThe event was held in the Lucerna passage right in the center of Prague. A beautiful building in Art Nouveau style with the famous ironic \"Statue of King Wenceslas Riding an Upside-Down Dead Horse\". \n\n\n\nEven to speak in this building was a great honor. In my opinion the place was chosen ideally. It is beautiful and really well located. Lots of good hotels, restaurants and all the main tourist attractions were nearby. It was easy to go for a walk in spare time. 
You can see some photos on my Facebook page [[1](<https://www.facebook.com/avleonov/posts/10214853806074979>),[2](<https://www.facebook.com/avleonov/posts/10214854128083029>)] .\n\n### Day 0\n\nThe first pre-conference day I spent at the Application Security training by [Milan Pikula](<https://www.linkedin.com/in/pikula/>), Security Analyst Lead at [SK-CERT](<http://www.nbusr.sk/en/cyber-security/sk-csirt/index.html>). He demonstrated how to exploit some basic web application vulnerabilities and use methods of binary analysis. It was possible to give it a try: all vulnerable applications were available to the audience.\n\n\n\nI need to say that the Small Lucerna cinema Hall is very comfortable for such trainings. In every chair there was a built-in small table for the laptop and a power socket.\n\nIn the evening we had a great dinner for the speakers at the [V\u00fdtopna Restaurant](<https://vytopna.cz>). A great feature of this restaurant is the functional railroad that goes right on the tables, and the small trains serve drinks to the customers.  Food was also pretty good.\n\n\n\nCyberCentral is not a very big conference, compared to the main Russian events for security practitioners: [PHDays](<https://avleonov.com/2017/05/29/phdays-vii-to-vulnerability-database-and-beyond/>) and [ZeroNights](<https://avleonov.com/2017/11/19/zeronights-2017-back-to-the-cyber-80s/>). At the same time it is an advantage. It's much better for networking. Everyone in sight, everyone is available for a talk.\n\nThe important reason to visit European information security events is that you can meet there people who do not attend Russian international conferences. Moscow is a little bit far away for them and it's necessary to get a visa. It's much easier to meet in one of the European countries. By the way, despite the fact that the conference was held in the Czech Republic, most of the attendees were from neighboring Slovakia. 
There were also many people from Germany, Great Britain and the Balkan countries. And practically from all other corners of Europe.\n\n### Day 1\n\nFrom the first day of the conference I can mention the great presentation by [Marco Ermini](<https://www.xing.com/profile/Marco_Ermini>), \nSenior Security Architect Hosts & Networks at Telefonica O2. He was talking about how security risks and threats are connected with merger and acquisition activities. I especially liked the second part of his presentation. It was about OSINT tools. I had some experience in Competitive Analysis and used similar techniques for getting information about different organisations from publicly available data.\n\nOn the same day I led the round table on Vulnerability Management. Networking was pretty fun. 5 people participated. We discussed Tenable and other VM vendors, who drag everything into their clouds. ^_^ We also talked about compliance scanning, GDPR and about life in our countries.\n\n\n\n### Day 2\n\nThe second day was THE day for me. First of all, I presented my report \"Enterprise Vulnerability Management: fancy marketing brochures and the real-life troubles\".\n\n\n\n\n\nYou can see the slides on Slideshare:\n\nI had been preparing this presentation since October 2017 and partly showed it at the [ISACA Moscow meetup](<https://avleonov.com/2017/10/23/isaca-moscow-vulnerability-management-meetup-2017/>). 
Of course, for CyberCentral I updated it a lot: added [research on CWE](<https://avleonov.com/2017/10/21/cwes-in-nvd-cve-feed-analysis-and-complaints/>), [Nessus exploits](<https://avleonov.com/2017/11/02/exploitability-attributes-of-nessus-plugins-good-bad-and-vulners/>), [IDC](<https://avleonov.com/2018/03/16/my-short-review-of-idc-worldwide-security-and-vulnerability-management-market-shares-2016/>) and [Forrester](<https://avleonov.com/2018/03/20/my-short-review-of-the-forrester-wave-vulnerability-risk-management-q1-2018/>) marketing reports, the latest problems with [Nessus](<https://avleonov.com/2017/12/13/new-nessus-7-professional-and-the-end-of-cost-effective-vulnerability-management-as-we-knew-it/>) and [OpenVAS](<https://avleonov.com/2018/03/28/openvas-knowledge-base-become-smaller/>). I also spoke a little bit about [my vulnerability scanner Vulchain](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>) and added wonderful examples of patching problems related to the latest Spectre and Meltdown vulnerabilities.\n\nFinally, I ended up with this presentation plan:\n\n 1. Typical VM Solution\n 2. Inconvenient Questions\n 3. What actually should we scan? \n * [Perimeter](<https://avleonov.com/2017/11/28/vulnerability-management-for-network-perimeter/>)\n * Office\n * Business critical / Production\n 4. VM Analyst's Heaven and Hell\n 5. Vulnerability Management Market\n 6. Outrageously expensive solutions\n 7. Limited license = Limited IT Visibility\n 8. [The end of cost-effective VM (Nessus 7)](<https://avleonov.com/2017/12/13/new-nessus-7-professional-and-the-end-of-cost-effective-vulnerability-management-as-we-knew-it/>)\n 9. [OpenVAS \u201cAttic Cleanup\u201d](<https://avleonov.com/2018/03/28/openvas-knowledge-base-become-smaller/>)\n 10. [What about your own scanner?](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>)\n 11. Are all Vulnerability Scanners the same? 
\n * [CVE-based comparison](<https://avleonov.com/2016/11/27/fast-comparison-of-nessus-and-openvas-knowledge-bases/>)\n 12. Reports: problem of prioritization \n * [Common Weakness Enumeration (CWE)](<https://avleonov.com/2017/10/21/cwes-in-nvd-cve-feed-analysis-and-complaints/>)\n * [Exploitability flags](<https://avleonov.com/2017/11/02/exploitability-attributes-of-nessus-plugins-good-bad-and-vulners/>)\n 13. Dynamic reports\n 14. Why *they* don\u2019t patch vulnerabilities \n * It\u2019s great when you can update OS automatically, but\u2026\n * Something can break after update\n * Update can make situation even worse (Spectre and Meltdown)\n * The Neverending story of 3d party software patching\n * Fifty Shades of Legacy\n * Some systems are just difficult to update\n\nAnd made the following conclusions:\n\n 1. There is no magic in Vulnerability Management\n 2. Vulnerability scanners are awesome. Trust them, but not too much.\n 3. Homegrown automation is still necessary: \n * Update scan targets (Wiki, DNS, WAF/AntiDDoS, AD, Monitorings\u2026) and manage regular scan tasks\n * Get critical exploitable vulnerabilities from scan results\n * Inform responsible person / make tasks\n * Get statistics and visualize VM process\n\nIn the Q&A section, we talked very nicely about problems of detecting vulnerabilities in self-assembled software packages and about backported patches. Also there were interesting questions about [Vulchain](<https://avleonov.com/2018/04/06/vulchain-scan-workflow-and-search-queries/>) and the detection methods that it currently uses. ^ _ ^\n\nIn the same technical stream I liked 2 presentations:\n\n * First one, \"Regulations vs. actual security. The bottom line.\" by [Viktor Larionov](<https://www.linkedin.com/in/vlarionov/>), Director Of Operations at Nordicore Operations Ltd. He was talking about regulators who always check the documents and not the servers. 
I am working on actual security and naturally I would like to see more server checks during such audits.\n * The second one is \"Building Great SOC & CSIRT from Open-source Components\" by [Milan Pikula](<https://www.linkedin.com/in/pikula/>), Security Analyst Lead at [SK-CERT](<http://www.nbusr.sk/en/cyber-security/sk-csirt/index.html>). It was especially interesting to learn what they use for Vulnerability Management. For example, I learned about the [Taranis](<https://taranis.ncsc.nl/>) project. Here is a slide with the main SOC components: \n\n\nThen I participated in the \"International Panel on Worldwide Trends\". It was the last talk of the event.\n\n\n\nThe plenary session also went well:\n\n * We talked about the trends. I said that nothing fundamentally new is happening. The vast majority of cases that we all have seen recently happened because people do not patch their systems on the perimeter (Equifax and Apache Struts) or in the internal network (Windows, [WannaCry](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>), [Petya](<https://avleonov.com/2017/06/30/petya-the-great-and-why-they-dont-patch-vulnerabilities/>), etc.), or do not do minimal hardening (Cisco Smart Install). And as long as people don't pay much attention to Vulnerability and Patch Management there will be lots of such massive attacks.\n * Then we talked about awareness. I said that training of the employees is wonderful, but we shouldn't forget to make effective minimization of privileges our first priority.\n * The social problem of cybercrime was also discussed. Nothing new: whitehats and blackhats grow from the same children. We should start working with them earlier: show how they can do what they really like to do while staying on the light side; how to earn money without the risk of getting in jail.\n\nIt was a very intense week. Lots of new connections and interesting talks. 
Big thanks to the organizers, especially to [Alexander Nevski](<https://www.linkedin.com/in/alexander-nevski/>), Cyber Security Program Director at EBCG, and all participants! It was awesome. =)\n\n", "reporter": "Alexander Leonov", "published": "2018-04-22T12:23:50", "type": "avleonov", "title": "CyberCentral Summit 2018 in Prague", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-22T12:23:50", "id": "AVLEONOV:9D792E1EA613C0D66266ACAA86B9B957", "href": "http://feedproxy.google.com/~r/avleonov/~3/l76Pez8VykM/", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2018-04-23T03:28:44", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=623534", "https://nvd.nist.gov/vuln/detail/CVE-2017-11423", "https://nvd.nist.gov/vuln/detail/CVE-2018-0202", "https://nvd.nist.gov/vuln/detail/CVE-2017-6419", "https://nvd.nist.gov/vuln/detail/CVE-2017-6418", "https://bugs.gentoo.org/show_bug.cgi?id=628690", "https://nvd.nist.gov/vuln/detail/CVE-2012-6706", "https://bugs.gentoo.org/show_bug.cgi?id=625632", "https://nvd.nist.gov/vuln/detail/CVE-2018-1000085", "https://bugs.gentoo.org/show_bug.cgi?id=649314", "https://bugs.gentoo.org/show_bug.cgi?id=628686", "https://nvd.nist.gov/vuln/detail/CVE-2017-6420"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "0.99.4", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "app-antivirus/clamav", "operator": "lt"}], "description": "### Background\n\nClamAV is a GPL virus scanner.\n\n### Description\n\nMultiple vulnerabilities have been discovered in ClamAV. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker, through multiple vectors, could execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll ClamAV users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-antivirus/clamav-0.99.4\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2018-04-22T00:00:00", "title": "ClamAV: Multiple vulnerabilities", "type": "gentoo", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-6420", "CVE-2017-6418", "CVE-2018-1000085", "CVE-2017-11423", "CVE-2018-0202", "CVE-2017-6419", "CVE-2012-6706"], "modified": "2018-04-22T00:00:00", "id": "GLSA-201804-16", "href": "https://security.gentoo.org/glsa/201804-16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}}