Alexey TyurinNMAP:VMWARE-VERSION.NSEvmware-version NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Queries VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information.
The same script as VMware Fingerprinter from VASTO created by Claudio Criscione, Paolo Canaletti
Script Arguments
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script vmware-version -p443 <host>
Script Output
| vmware-version:
| Server version: VMware ESX 4.1.0
| Build: 348481
| Locale version: INTL 000
| OS type: vmnix-x86
|_ Product Line ID: esx
Requires
description = [[
Queries VMware server (vCenter, ESX, ESXi) SOAP API to extract the version information.
The same script as VMware Fingerprinter from VASTO created by Claudio Criscione, Paolo Canaletti
]]
---
-- @usage
-- nmap --script vmware-version -p443 <host>
--
-- @output
-- | vmware-version:
-- | Server version: VMware ESX 4.1.0
-- | Build: 348481
-- | Locale version: INTL 000
-- | OS type: vmnix-x86
-- |_ Product Line ID: esx
----------------------------------------------------------
author = "Alexey Tyurin"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe", "version"}
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
portrule = function (host, port)
if nmap.version_intensity() < 7 or nmap.port_is_excluded(port.number, port.protocol) then
return false
end
return shortport.http(host, port)
end
local function get_file(host, port, path)
local req
req='<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>'
local result = http.post( host, port, path, nil, nil, req)
if(result['status'] ~= 200 or result['content-length'] == 0) then
return false, "Couldn't download file: " .. path
end
return true, result.body
end
action = function(host, port)
local result, body = get_file(host, port, "/sdk")
if(not(result)) then
stdnse.debug1("%s", body)
return nil
end
local vwname = body:match("<name>([^<]*)</name>")
if not vwname then
stdnse.debug1("Problem with XML parsing.")
return nil
end
local vwversion = body:match("<version>([^<]*)</version>")
local vwbuild = body:match("<build>([^<]*)</build>")
local vwlversion = body:match("<localeVersion>([^<]*)</localeVersion>")
local vwlbuild = body:match("<localeBuild>([^<]*)</localeBuild>")
local vmostype = body:match("<osType>([^<]*)</osType>")
local vmprod= body:match("<productLineId>([^<]*)</productLineId>")
if not port.version.product then
port.version.product = ("%s SOAP API"):format(vwname)
port.version.version = vwversion
end
table.insert(port.version.cpe, ("cpe:/o:vmware:%s:%s"):format(vwname:gsub("^[Vv][Mm][Ww]are ", ""), vwversion))
nmap.set_port_version(host, port, "hardmatched")
local response = stdnse.output_table()
response["Server version"] = ("%s %s"):format(vwname, vwversion)
response["Build"] = vwbuild
response["Locale version"] = ("%s %s"):format(vwlversion, vwlbuild)
response["OS type"] = vmostype
response["Product Line ID"] = vmprod
return response
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%