id: vmware-detect info: name: VMware Detection author: elouhi severity: info description: Sends a POST request containing a SOAP payload to a vCenter server to obtain version information reference: - https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/ - https://svn.nmap.org/nmap/scripts/vmware-version.nse metadata: max-request: 1 tags: tech,vcenter,vmware http: - raw: - | POST /sdk/ HTTP/1.1 Host: {{Hostname}} 00000001-00000001 <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance matchers-condition: and matchers: - type: status status: - 200 - type: word part: body words: - 'ha-folder-root' - 'RetrieveServiceContentResponse' condition: or - type: word part: header words: - "text/xml" extractors: - type: regex part: body group: 1 regex: - "(.*?)" - "(.*?)" - "(.*?)" - "(.*?)" - "(.*?)" - "(.*?)" # digest: 4a0a004730450221009f903b04dfb035af861717060428d7be35ac0124afa6e2abd18624e3161b7e21022051e0ee1bba394974db7dc5468adccbcdc79e7b9c352b62bab25fa8aebf895c23:922c64590222798bb761d5b6d8e72950