138 lines
4.5 KiB
Ruby
138 lines
4.5 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
|
|
require 'msf/core'
|
|
require 'rex/proto/ntlm/message'
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::VIMSoap
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'VMWare Enumerate User Accounts',
|
|
'Description' => %Q{
|
|
This module will log into the Web API of VMWare and try to enumerate
|
|
all the user accounts. If the VMware instance is connected to one or
|
|
more domains, it will try to enumerate domain users as well.
|
|
},
|
|
'Author' => ['theLightCosine'],
|
|
'License' => MSF_LICENSE
|
|
)
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(443),
|
|
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
|
|
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
|
|
], self.class)
|
|
|
|
register_advanced_options([OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', true]),])
|
|
end
|
|
|
|
|
|
def run_host(ip)
|
|
if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
|
|
#Get local Users and Groups
|
|
user_list = vim_get_user_list(nil)
|
|
tmp_users = Rex::Ui::Text::Table.new(
|
|
'Header' => "Users for server #{ip}",
|
|
'Indent' => 1,
|
|
'Columns' => ['Name', 'Description']
|
|
)
|
|
tmp_groups = Rex::Ui::Text::Table.new(
|
|
'Header' => "Groups for server #{ip}",
|
|
'Indent' => 1,
|
|
'Columns' => ['Name', 'Description']
|
|
)
|
|
unless user_list.nil?
|
|
case user_list
|
|
when :noresponse
|
|
print_error "Recieved no Response from #{ip}"
|
|
when :expired
|
|
print_error "The login session appears to have expired on #{ip}"
|
|
when :error
|
|
print_error "An error occured while trying to enumerate the users for #{domain} on #{ip}"
|
|
else
|
|
user_list.each do |obj|
|
|
if obj['group'] == 'true'
|
|
tmp_groups << [obj['principal'], obj['fullName']]
|
|
else
|
|
tmp_users << [obj['principal'], obj['fullName']]
|
|
end
|
|
end
|
|
print_good tmp_groups.to_s
|
|
store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")
|
|
print_good tmp_users.to_s
|
|
store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")
|
|
end
|
|
end
|
|
|
|
#Enumerate Domains the Server is connected to
|
|
esx_domains = vim_get_domains
|
|
case esx_domains
|
|
when :noresponse
|
|
print_error "Recieved no Response from #{ip}"
|
|
when :expired
|
|
print_error "The login session appears to have expired on #{ip}"
|
|
when :error
|
|
print_error "An error occured while trying to enumerate the domains on #{ip}"
|
|
else
|
|
#Enumerate Domain Users and Groups
|
|
esx_domains.each do |domain|
|
|
tmp_dusers = Rex::Ui::Text::Table.new(
|
|
'Header' => "Users for domain #{domain}",
|
|
'Indent' => 1,
|
|
'Columns' => ['Name', 'Description']
|
|
)
|
|
|
|
tmp_dgroups = Rex::Ui::Text::Table.new(
|
|
'Header' => "Groups for domain #{domain}",
|
|
'Indent' => 1,
|
|
'Columns' => ['Name', 'Description']
|
|
)
|
|
|
|
user_list = vim_get_user_list(domain)
|
|
case user_list
|
|
when nil
|
|
next
|
|
when :noresponse
|
|
print_error "Recieved no Response from #{ip}"
|
|
when :expired
|
|
print_error "The login session appears to have expired on #{ip}"
|
|
when :error
|
|
print_error "An error occured while trying to enumerate the users for #{domain} on #{ip}"
|
|
else
|
|
user_list.each do |obj|
|
|
if obj['group'] == 'true'
|
|
tmp_dgroups << [obj['principal'], obj['fullName']]
|
|
else
|
|
tmp_dusers << [obj['principal'], obj['fullName']]
|
|
end
|
|
end
|
|
print_good tmp_dgroups.to_s
|
|
|
|
f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")
|
|
vprint_status("VMWare domain user groups stored in: #{f}")
|
|
print_good tmp_dusers.to_s
|
|
f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")
|
|
vprint_status("VMWare users stored in: #{f}")
|
|
end
|
|
end
|
|
end
|
|
else
|
|
print_error "Login Failure on #{ip}"
|
|
return
|
|
end
|
|
end
|
|
|
|
end
|