If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun. For example, Metasploit now flags ESX Servers as virtual hosts in the user interface:
If you are managing virtual servers, you may have come across the VMware vSphere Web Services SDK. It's a powerful way to manage virtual machines on ESX/ESXi and vCenter Server systems, with a documentation that rivals the New York phone book (if it still exists as a printed version). Like most self-respecting APIs, it requires you to authenticate with a username and password. This password may be the lynchpin of your virtual data security. In other words, you may be well advised to audit that the passwords for this API are not found in Average Joe's common password list.
In the recent 4.2 release, Metasploit has added a new module that brute forces passwords for the VMware vSphere Web Services API, plus a few modules that enable penetration testers to have fun with the virtual data center. The most simple modules enable you to shut down a critical server or spin up a virtual machine that's laid dormant for months - and is probably crawling with vulnerabilities you can attack. You can also collect screenshots from all guest systems, which will come in handy for your security assessment report.
Systems running VMware virtualization technology, including ESX Server and VMware Workstation, also have a service called VMauthD, which enables authentication through the OS's local user credentials. Metasploit now includes a brute force module for VMAuthD authentication, which provides an alternative service to obtain system credentials. If an ESX server is integrated with the Windows Active Directory, the enum_users module will even generate a list of all users and groups on the domain, which is fantastic for reconnaissance.
Here's a list of all the fun modules you can throw at your virtualized data center directly from Metasploit:
|auxiliary/admin/vmware/poweroff_vm||This module will log into the Web API of VMware and try to power off a specified Virtual Machine.|
|auxiliary/admin/vmware/poweron_vm||This module will log into the Web API of VMware and try to power on a specified Virtual Machine.|
|auxiliary/admin/vmware/tag_vm||This module will log into the Web API of VMware and 'tag' a specified Virtual Machine. It does this by logging a user event with user supplied text|
|auxiliary/admin/vmware/terminate_esx_sessions||This module will log into the Web API of VMware and try to terminate user login sessions as specified by the session keys.|
|post/multi/gather/find_vmx||This module will attempt to find any VMware virtual machines stored on the target.|
|auxiliary/scanner/vmware/esx_fingerprint||This module accesses the web API interfaces for VMware ESX/ESXi servers and attempts to identify version information for that server.|
|auxiliary/scanner/vmware/vmauthd_login||This module will test vmauthd logins on a range of machines and report successful logins.|
|auxiliary/scanner/vmware/vmware_enum_permissions||This module will log into the Web API of VMware and try to enumerate all the user/group permissions. Unlike enum suers this is only users and groups that specifically have permissions defined within the VMware product|
|auxiliary/scanner/vmware/vmware_enum_sessions||This module will log into the Web API of VMware and try to enumerate all the login sessions.|
|auxiliary/scanner/vmware/vmware_enum_users||This module will log into the Web API of VMware and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.|
|auxiliary/scanner/vmware/vmware_enum_vms||This module attempts to discover virtual machines on any VMware instance running the web interface. This would include ESX/ESXi and VMware Server.|
|auxiliary/scanner/vmware/vmware_host_details||This module attempts to enumerate information about the host systems through the VMWare web API. This can include information about the hardware installed on the host machine.|
|auxiliary/scanner/vmware/vmware_http_login||This module attempts to authenticate to the VMware HTTP service for VMware Server, ESX, and ESXi|
|auxiliary/scanner/vmware/vmware_screenshot_stealer||This module uses supplied login credentials to connect to VMware via the web interface. It then searches through the data stores looking for screenshots. It will download any screenshots it finds and save them as loot.|
In addition to the VMware modules, we've also added a post-exploitation module for VirtualBox, called post/multi/gather/enum_vbox. This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered for the current user, therefore, this module needs to be invoked from a user context.
If you would like to hear more about pentesting virtual environments, sign up for our free webcast with David Maloney from the Metasploit engineering team who developed most of the new virtual pwning goodness.