Attacking and Pentesting VMWare ESXi Hosts

 Before getting into the Attacking and Exploitation, it is recommended to know the difference between vSphere, vCenter and ESXI/ESX hosts.  

VMware vSphere: VMware vSphere is the name given for the comprehensive virtualization platform that includes multiple software products and tools for creating, managing, and running virtual machines (VMs) on a physical server. It provides features like resource management, high availability, and centralized management.

vCenter Server: vCenter Server is a key component of the vSphere platform. It serves as a centralized management system that enables administrators to control and monitor multiple ESXi hosts and VMs. It offers features like VMotion, Distributed Resource Scheduler (DRS), and centralized management of virtual infrastructure.

ESXi (VMware vSphere Hypervisor): ESXi is a bare-metal hypervisor, which is a type 1 hypervisor installed directly on the physical server hardware. It provides the foundation for running VMs by managing the physical resources of the host, such as CPU, memory, storage, and networking, while also supporting features like vMotion and High Availability (HA). ESXi hosts are like a normal vmware or virual box that we usually setup locally - it enables users to create VM's on demand. On the other hand, vCenter Server is a management console which has the capability to control/manage Multiple ESXi hosts at once. 

Reference Links

1. Soap API Guide
2. Ports and Services
3. Vcenter Security Guide  ESXi Security
4. REST VAPI-HTTP Queries 
5. vAPI REST API - New


1. CVE-2021-21974 Exploit
2. VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant
3. Zero Day Initiative — CVE-2020-3992 & CVE-2021-21974: Pre-Auth Remote Code Execution in VMware ESXi
Common Ports

22 - SSH Access to ESXi Host 
161 - SNMP 
80, 443 - ESXi Web Server, Client connector/ ESXi Host Client
902 - VMware Authentication Daemon
3260 - iscsi 
5989 - CIM Broker
8000 - ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic 
8080 - Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance.
8889 - WS-Management for SOAP
8083, 9080, 8182, 8300, 9080, 9999 - vAPI-PicoHttp Service 

- Look for the Fingerprint on Port 443 and 80 to get the ESXi Version
- See if Port 22 is enabled - Can be used to login to ESXi Shell (Default Username is root and cannot be locked out - bruteforce it)
- SSO can be enabled for the login
- To use ESXCLI, you need vCenter Server Root Certificate, you can download it if you know the address. 
- Check the ESXi Host Certificates for vCenter Server address, from which you can download the certificate. 
- Check for servers below 7.0.3u (Multiple Vulnerabilities)
- curl -kL https://esxi.fqdn/host -v - all the hosts for host endpoint 
- Check if TCP port 427 is open for any server - SLP Service, After the patch of CVE-2020-3992 and CVE-2021-21974, SLP service is only accessible from local ( or::1(ipv6))

CVE-2019-5544(heap buffer overflow)

CVE-2020-3992(use after free)

CVE-2021-21974(heap buffer overflow)

CVE-2022-31699(heap buffer overflow)=

VMware vCenter Server CVE-2021-21985 Remote Code Execution Vulnerability

curl -s -k -X $'POST' -H 'Host: <target>' -H 'User-Agent: curl' 
-H 'Content-Type: application/json' 
-H 'Connection: close' 
--data-binary $'{\"methodInput\":[{\"type\":\"ClusterComputeResource\",\"value\": null,\"serverGuid\": null}]}\x0d\x0a' https://esxi.fqdn/ui/h5-vsan/rest/proxy/service/
Testing VMWARE API Access - Port 443

go to or 
git clone

#Run below command to run a set of predefined queries against given set of hosts to check the authentication status of the API's hosts.txt output.txt 

#if you want to test the queries manually - you can find the soap queries here 
Access ESXi Hosts Remotely 

Register and download esxcli from here - esxcli works only from ESXi 7.0 Version 

Basic Commands: 

# Accessing using config file 
# Save the below contents into a file and use it as -config
VI_USERNAME = administrator@vsphere.local
VI_PASSWORD = admin_password
VI_SERVER = my_vc

esxcli --config <my_saved_config> network ip interface list
esxcli -s --cacertsfile cert.0

# Allin Command Line
esxcli --server <vc_hostname_or_IP> --username <privileged_user> --password <password> --vihost 
<esxi_hostname_or_IP> <namespace> [<namespace]...> <command> --<option_name=option_value>

Bruteforce ESXI Hosts 

 pip install pyVim
 git clone
 cd ESXiBrute
 python --hosts hosts.txt --usernames usernames.txt --passwords passwords.txt --cert cert.pem [--output output.csv]

Reference: ESXiBrute

Note: You can find the certificate from VMWare vCenter UI (You can find vCenter IP Address/Hostname from ESXi HTTPS Certificate - Port 443)
Bruteforce ESXi Hosts if you dont have Cert/Hostname

Download and Install VMware vSphere Resxtop - VMware {code} 

# Add the library to PATH 
export LD_LIBRARY_PATH=/usr/lib/vmware/resxtop/


chmod +x
./ hosts.txt usernames.txt passwords.txt

Reference: ESXiBrute
Get Stats from ESXi Hosts using Resxtop 

Download from VMware vSphere Resxtop - VMware {code} 

resxtop is a command-line utility or tool that runs on linux and provides a detailed look at how ESXi uses resources in real time. You can use this to authenticate or validate available credentials or brute force the creds. 

# Add the library to PATH 
export LD_LIBRARY_PATH=/usr/lib/vmware/resxtop/

# Server is the vcenter and vihost is the esxi address 
resxtop --server -a --vihost

usage: resxtop [-h] [-v] [-b] [-s] [-a] [-c config file] [-d delay] [-n iterations]
               [--server server-name [--vihost host-name]] [--portnumber socket-port] [--username user-name]
              -h prints this help menu.
              -v prints version.
              -b enables batch mode.
              -s enables secure mode.
              -a show all statistics.
              -c sets the esxtop configuration file, which by default is .esxtop60rc
              -d sets the delay between updates in seconds.
              -n runs resxtop for only n iterations. Use "-n infinity" to run resxtop forever.
              --server      remote server name.
              --vihost      esx host name, if --server specifies vc server.
              --portnumber  socket port, default is 443.
              --username    user name on the remote server.

Resolving ESXi Certificate Issue 

When you run a command, ESXCLI first checks whether a certificate file is available. If not, ESXCLI checks whether a thumbprint of the target server is available. If not, you receive an error saying cert or thumbprint not valid. To Resolve this issue, you need to download vCenter root certificate. 

Find out the vCenter Server IP Addresses/Hostname then follow below steps 

#Download and Install the vCenter Server Certificate
1. Enter the URL of the vCenter Server system into a Web browser.
2. Click the Download trusted root CA certificates link or use direct download link -
3.Verify that the extension of the downloaded file is .zip.
The file is a ZIP file of all certificates in the TRUSTED_ROOTS store.
4. Extract the ZIP file.
A certificates folder is extracted. The folder includes files with the extension .0, .1, and so on, which 
are certificates, and files with the extension .r0, .r1, and so on which are CRL files associated with 
the certificates.
5.Add the trusted root certificates to the list of trusted roots.

you can use the cert via --cacertsfile option or the VI_CACERTFILE variable.

or --thumbprint option
Port 443 - ESXi UI 

#ESXi Login 

#These files are exposed via the vSphere HTTPS-based file transfer API. These files should be monitored for modifications.

Port 427 - SLP

It is a service discovery protocol that allows computers and other  devices to find services in a local area network (LAN) without prior configuration.

- run with root privilege after  ESXi 5.5
- enabled by default (before ESXi 7.0 U2c)
- After the patch of CVE-2020-3992 and CVE-2021-21974, SLP service is only accessible from local( or::1(ipv6))
- CVE-2022-31699 can be used to escape sandbox before ESXi 7.0u2, especially in ESXi 6.7.
- From 7.0u2, SLP service runs inside sandbox.
- From 7.0u2c, SLP service is disabled by default.

SLP Vulns: 
CVE-2019-5544(heap buffer overflow)
CVE-2020-3992(use after free) 
CVE-2021-21974(heap buffer overflow)
CVE-2022-31699(heap buffer overflow)
Port 902 - VMWare Authentication Daemon

- It is possible to brute force credentials on Port 902 using metasploit 
- 902 Port is available only when remote access is required. 
- Uses Windows Domain Login Creds - unless local access is set. 
- Generally, this kind of service is not logged 
- Recommended to brute force 902 port instead of RDP or ssh when. 

use auxiliary/scanner/vmware/vmauthd_login 

nc 902 
USER root
PASS toor
Port 161 SNMP 

- Check if SNMP Is enabled or not 
- if SNMP is misconfigured - setup required alerts 

Look for SNMP Attacks here
Port 3260 - ISCSI 

nmap -sV -Pn -p 3260 --script=iscsi-info

#Install iscsiadm
sudo apt install open-iscsi

#Discover the targets 
iscsiadm -m discovery -t sendtargets -p 192.168.xx.xx

# Login 
iscsiadm -m node --targetname="" -l -p 192.168.xx.xx --login -

iscsiadm -m node --targetname="" -p 192.168.xx.xx
Port 5989 - CIM Broker

Default user is root

# Accepts only POST Requests 
curl -kL -X POST -u root:admin -v
curl -kL -X POST --basic --user root -v --data '<?xml version="1.0" encoding="UTF-8"?'

#Full request with headers and data
curl -vvv --insecure 'https://user:pass@localhost:5989/root/cimv2:LMI_LANEndpoint' -H 'Content-type: application/xml; charset="utf-8"' -H 'CIMOperation: MethodCall' -H 'CIMMethod: EnumerateInstances' -H 'CIMObject: root/cimv2' -H 'Accept-Encoding: identity' -d '<?xml version="1.0" encoding="utf-8" ?>

ESXi 7.0.1, 6.7, 6.5 has 2 Vulnerabilities related to CIM Broker 

Refer to VMWare Advisory

#Using wbecli
tar -xvf sblim-wbemcli-1.4.10.tar.gz
cd sblim-wbemcli-1.4.10
make install 

 wbemcli ei -noverify -dx 'https://user:pass@localhost:5989/root/cimv2:LMI_LANEndpoint' 
Port 8889 - OpenWSMan

#WWW-Authenticate: Basic realm="OPENWSMAN"
curl -kL -X POST -u root:root 
Connecting to ESXI Host using API 

you will need vCenter Cert to pass the first level of authentication, you can download it from ttps://  

#Once you have the certificate, convert it to .pem file 
openssl x509 -in your_certificate.crt -out your_certificate.pem -outform PEM

#Install the required packages and libraries using below commands
# Install venv
sudo apt install python3-venv

#Create a new virual env 
python3 -m venv .venv/project_name

# Get into virtual env - now you are in vir env
source project_name/bin/activate

git clone
python install 
git clone
pip install -U lib/**/*.whl
pip install -U `pwd`

#Code to Connect to VMWare ESXi Host

import ssl
from pyVim import connect

# ESXi host connection details
host = ""
user = "your_username"
password = "your_password"
cert_path = "new.pem"

ssl_context = ssl.create_default_context(cafile=cert_path)

# Connect to the ESXi host
    service_instance = connect.SmartConnect(
    print("Connected to ESXi host:", host)

    # Perform actions here

    # Disconnect from the ESXi host
    print("Disconnected from ESXi host:", host)

except Exception as e:
    print("Error:", e)

#Code to Connect to VMWARE vCenter 

import requests
import urllib3
from vmware.vapi.vsphere.client import create_vsphere_client
session = requests.session()

session.verify = False

# Connect to a vCenter Server using username and password
vsphere_client = create_vsphere_client(server='', username='root', password='root', session=session)

# List all VMs inside the vCenter Server
Script to Test if there are many IP addresses. 

# Add below details in config file while update the creds and address
VI_SERVER = esxi_server_a

#Create a new .sh file with below script 
# Update the command as per your automation
VIHOSTS=(esxi_server_a esx_server_b esxi_server_c)
for VIHOST in ${VIHOSTS[@]}
echo "Adding NAS datastore for ${VIHOST} ..."
esxcli --config ${VI_CONFIG_FILE} storage nfs add --host ${VIHOST} --share <share point> --volumename <volume name>
esxcli --config ${VI_CONFIG_FILE} storage nfs list

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment