id: vmware-detect
info:
name: VMware Detection
author: elouhi
severity: info
description: Sends a POST request containing a SOAP payload to a vCenter server to obtain version information
reference:
- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
- https://svn.nmap.org/nmap/scripts/vmware-version.nse
metadata:
max-request: 1
tags: tech,vcenter,vmware
http:
- raw:
- |
POST /sdk/ HTTP/1.1
Host: {{Hostname}}
00000001-00000001
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'ha-folder-root'
- 'RetrieveServiceContentResponse'
condition: or
- type: word
part: header
words:
- "text/xml"
extractors:
- type: regex
part: body
group: 1
regex:
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"
# digest: 4a0a004730450221009f903b04dfb035af861717060428d7be35ac0124afa6e2abd18624e3161b7e21022051e0ee1bba394974db7dc5468adccbcdc79e7b9c352b62bab25fa8aebf895c23:922c64590222798bb761d5b6d8e72950