modules/auxiliary/scanner/vmware/vmware_enum_users.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::VIMSoap
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'VMWare Enumerate User Accounts',
      'Description'    => %Q{
        This module will log into the Web API of VMWare and try to enumerate
        all the user accounts. If the VMware instance is connected to one or
        more domains, it will try to enumerate domain users as well.
      },
      'Author'         => ['theLightCosine'],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'SSL' => true }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
        OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
      ])
  end


  def run_host(ip)
    if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
      # Get local Users and Groups
      user_list = vim_get_user_list(nil)
      tmp_users = Rex::Text::Table.new(
        'Header'  => "Users for server #{ip}",
        'Indent'  => 1,
        'Columns' => ['Name', 'Description']
      )
      tmp_groups = Rex::Text::Table.new(
        'Header'  => "Groups for server #{ip}",
        'Indent'  => 1,
        'Columns' => ['Name', 'Description']
      )
      unless user_list.nil?
        case user_list
        when :noresponse
          print_error "Received no response from #{ip}"
        when :expired
          print_error "The login session appears to have expired on #{ip}"
        when :error
          print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"
        else
          user_list.each do |obj|
            if obj['group'] == 'true'
              tmp_groups << [obj['principal'], obj['fullName']]
            else
              tmp_users <<  [obj['principal'], obj['fullName']]
            end
          end
          print_good tmp_groups.to_s
          store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")
          print_good tmp_users.to_s
          store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")
        end
      end

      # Enumerate Domains the Server is connected to
      esx_domains = vim_get_domains
      case esx_domains
      when :noresponse
        print_error "Received no response from #{ip}"
      when :expired
        print_error "The login session appears to have expired on #{ip}"
      when :error
        print_error "An error occurred while trying to enumerate the domains on #{ip}"
      else
        # Enumerate Domain Users and Groups
        esx_domains.each do |domain|
          tmp_dusers = Rex::Text::Table.new(
            'Header'  => "Users for domain #{domain}",
            'Indent'  => 1,
            'Columns' => ['Name', 'Description']
          )

          tmp_dgroups = Rex::Text::Table.new(
            'Header'  => "Groups for domain #{domain}",
            'Indent'  => 1,
            'Columns' => ['Name', 'Description']
          )

          user_list = vim_get_user_list(domain)
          case user_list
          when nil
            next
          when :noresponse
            print_error "Received no response from #{ip}"
          when :expired
            print_error "The login session appears to have expired on #{ip}"
          when :error
            print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"
          else
            user_list.each do |obj|
              if obj['group'] == 'true'
                tmp_dgroups << [obj['principal'], obj['fullName']]
              else
                tmp_dusers <<  [obj['principal'], obj['fullName']]
              end
            end
            print_good tmp_dgroups.to_s

            f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")
            vprint_status("VMWare domain user groups stored in: #{f}")
            print_good tmp_dusers.to_s
            f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")
            vprint_status("VMWare users stored in: #{f}")
          end
        end
      end
    else
      print_error "Login failure on #{ip}"
      return
    end
  end
end
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`##`


use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`include Msf::Exploit::Remote::VIMSoap`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize`
			`super(`
			`'Name' => 'VMWare Enumerate User Accounts',`
			`'Description' => %Q{`
Massive whitespace cleanup 2012-03-18 00:07:27 -05:00			`This module will log into the Web API of VMWare and try to enumerate`
			`all the user accounts. If the VMware instance is connected to one or`
			`more domains, it will try to enumerate domain users as well.`
			`},`
updated all my authour refs to use an alias 2012-09-19 21:46:14 -05:00			`'Author' => ['theLightCosine'],`
remove re-registered ssl options 2016-01-22 09:54:52 +01:00			`'License' => MSF_LICENSE,`
			`'DefaultOptions' => { 'SSL' => true }`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`)`

			`register_options(`
			`[`
			`Opt::RPORT(443),`
			`OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),`
			`OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`end`


			`def run_host(ip)`
			`if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success`
yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# Get local Users and Groups`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`user_list = vim_get_user_list(nil)`
replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tmp_users = Rex::Text::Table.new(`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`'Header' => "Users for server #{ip}",`
			`'Indent' => 1,`
			`'Columns' => ['Name', 'Description']`
			`)`
replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tmp_groups = Rex::Text::Table.new(`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`'Header' => "Groups for server #{ip}",`
			`'Indent' => 1,`
			`'Columns' => ['Name', 'Description']`
			`)`
			`unless user_list.nil?`
			`case user_list`
			`when :noresponse`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "Received no response from #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`when :expired`
			`print_error "The login session appears to have expired on #{ip}"`
			`when :error`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`else`
			`user_list.each do \|obj\|`
			`if obj['group'] == 'true'`
			`tmp_groups << [obj['principal'], obj['fullName']]`
			`else`
			`tmp_users << [obj['principal'], obj['fullName']]`
			`end`
			`end`
			`print_good tmp_groups.to_s`
Permissions scanner for vmware 2012-02-16 02:19:33 -06:00			`store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`print_good tmp_users.to_s`
Permissions scanner for vmware 2012-02-16 02:19:33 -06:00			`store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`end`
			`end`

yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# Enumerate Domains the Server is connected to`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`esx_domains = vim_get_domains`
			`case esx_domains`
			`when :noresponse`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "Received no response from #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`when :expired`
			`print_error "The login session appears to have expired on #{ip}"`
			`when :error`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "An error occurred while trying to enumerate the domains on #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`else`
yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# Enumerate Domain Users and Groups`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`esx_domains.each do \|domain\|`
replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tmp_dusers = Rex::Text::Table.new(`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`'Header' => "Users for domain #{domain}",`
			`'Indent' => 1,`
			`'Columns' => ['Name', 'Description']`
			`)`

replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tmp_dgroups = Rex::Text::Table.new(`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`'Header' => "Groups for domain #{domain}",`
			`'Indent' => 1,`
			`'Columns' => ['Name', 'Description']`
			`)`

			`user_list = vim_get_user_list(domain)`
			`case user_list`
			`when nil`
			`next`
			`when :noresponse`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "Received no response from #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`when :expired`
			`print_error "The login session appears to have expired on #{ip}"`
			`when :error`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`else`
			`user_list.each do \|obj\|`
			`if obj['group'] == 'true'`
			`tmp_dgroups << [obj['principal'], obj['fullName']]`
			`else`
			`tmp_dusers << [obj['principal'], obj['fullName']]`
			`end`
			`end`
			`print_good tmp_dgroups.to_s`
[SeeRM #8313 ] - Print where files are stored 2013-08-19 15:02:15 -05:00
			`f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")`
			`vprint_status("VMWare domain user groups stored in: #{f}")`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`print_good tmp_dusers.to_s`
[SeeRM #8313 ] - Print where files are stored 2013-08-19 15:02:15 -05:00			`f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")`
			`vprint_status("VMWare users stored in: #{f}")`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`end`
			`end`
			`end`
			`else`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error "Login failure on #{ip}"`
Adding User Enumeration Scanner for vmware 2012-02-15 22:55:11 -06:00			`return`
			`end`
			`end`
			`end`