id: vmware-detect
info:
name: VMware Detection
author: elouhi
severity: info
description: Sends a POST request containing a SOAP payload to a vCenter server to obtain version information
reference:
- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
- https://svn.nmap.org/nmap/scripts/vmware-version.nse
tags: tech,vcenter,vmware
metadata:
max-request: 1
http:
- raw:
- |
POST /sdk/ HTTP/1.1
Host: {{Hostname}}
00000001-00000001
<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'ha-folder-root'
- 'RetrieveServiceContentResponse'
condition: or
- type: word
part: header
words:
- "text/xml"
extractors:
- type: regex
part: body
group: 1
regex:
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"
- "(.*?)"