VMware Detection

By kannthu

Informative
Vidoc Module
#tech #vcenter #vmware
Description

What is the "VMware Detection" module?

The "VMware Detection" module is designed to detect vulnerabilities in VMware vCenter servers. It sends a POST request containing a SOAP payload to a vCenter server to obtain version information. This module was created by elouhi and has an informative severity level.

Impact

This module helps identify potential vulnerabilities in VMware vCenter servers, allowing users to take appropriate action to secure their systems. By detecting vulnerabilities, it helps prevent potential security breaches and data leaks.

How does the module work?

The "VMware Detection" module uses a specific HTTP request template to interact with the target vCenter server. Here is an example of the request:

POST /sdk/ HTTP/1.1
Host: {%Hostname%}

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Header>
      <operationID>00000001-00000001</operationID>
   </soap:Header>
   <soap:Body>
      <RetrieveServiceContent xmlns="urn:internalvim25">
         <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
      </RetrieveServiceContent>
   </soap:Body>
</soap:Envelope>

The module then applies matching conditions to the response received from the vCenter server. The following conditions are used:

- The response status must be 200.
- The response body must contain either "ha-folder-root" or "RetrieveServiceContentResponse".
- The response header must contain the word "text/xml".

If all the matching conditions are met, the module reports a vulnerability.
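The three matching conditions above, written out as an added Python example (not Vidoc's or the module author's code) and run over constructed sample responses. The `about_info` helper goes one step beyond the matcher and reads the version fields from the `<about>` element of a `RetrieveServiceContentResponse`; the sample bodies, the `urn:vim25` response namespace and the placeholder version and build values are assumptions.

```python
import xml.etree.ElementTree as ET

BODY_WORDS = ("ha-folder-root", "RetrieveServiceContentResponse")

def matches(status, headers, body):
    """Apply the three matching conditions from the page; all must hold."""
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return (status == 200
            and any(word in body for word in BODY_WORDS)
            and "text/xml" in header_text)

def about_info(body):
    """Return the child fields of <about> (version data), or {} if absent."""
    # Responses come from hosts you do not control: refuse DTDs so that
    # entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the XML namespace
    for el in root.iter():
        if local(el.tag) == "about":
            return {local(c.tag): (c.text or "") for c in el}
    return {}

# Constructed sample responses (placeholder version and build values).
VCENTER_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <RetrieveServiceContentResponse xmlns="urn:vim25">
   <returnval>
    <about>
     <fullName>VMware vCenter Server 0.0.0 build-0000000</fullName>
     <version>0.0.0</version>
     <build>0000000</build>
    </about>
   </returnval>
  </RetrieveServiceContentResponse>
 </soapenv:Body>
</soapenv:Envelope>"""

SAMPLES = {
    "vcenter": (200, {"Content-Type": "text/xml; charset=utf-8"}, VCENTER_BODY),
    "html-200": (200, {"Content-Type": "text/html"}, "<html>login</html>"),
    "wrong-status": (500, {"Content-Type": "text/xml"}, VCENTER_BODY),
}

def classify(samples=SAMPLES):
    return {name: (matches(*r), about_info(r[2])) for name, r in samples.items()}
```

Only the first sample satisfies all three conditions; the other two each fail one of them, which is why the module requires the conditions jointly rather than any single one.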

For more information, you can refer to the following references:

- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
- https://svn.nmap.org/nmap/scripts/vmware-version.nse

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
status: 200 and
word: ha-folder-root, RetrieveServiceContentRe... and
word: text/xml
Passive global matcher
No matching conditions.
On match action
Report vulnerability