Rapid 7 has announced with Metasploit 4.2 a brute force attack on weak passwords in vSphere web services APIs (vmware-api). Their repository also shows updates to the ESX scanner as well as a few admin scripts.
- vmauthd_version : Discovers the version details for a vmauthd service
- esx_fingerprint : Fingerprints (down to the build number) of a stand-alone ESX server
- vmware_http_login : Attempts to brute force local VMware credentials via the Web Services interface
- vmauthd_login : Attempts to brute force local VMware credentials via the vmauthd service
- vmware_enum_users : Enumerates both local and domain VMware user accounts
- vmware_enum_permissions : Enumerates locally-defined user and group permissions on a VMware instance
- vmware_enum_sessions : Enumerates active VMware login sessions
- vmware_enum_vms : Enumerates all local virtual machines on the local VMware instance
- vmware_host_details : Discovers host hardware and software details of the VMware host machine
- poweroff_vm : Powers off a virtual machine via the VMware Web Services interface
- poweron_vm : Powers on a virtual machine via the VMware Web Services interface
- tag_vm : Writes a user-defined “tag” to the VMware logs as proof of compromise
- vmware_screenshot_stealer : Grabs screenshots of VMware guest operating systems as proof of compromise
- terminate_esx_sessions : Disconnects a user from the ESX server
Finding weak passwords is a great example of old threats and vulnerabilities applied to new environments. VMware gives consumers the ability to set strong password restrictions but that does not mean systems will always be configured properly. These tests are an excellent way to validate vSphere hardening procedures in an organization.