VMware ESX / vCenter Pentesting

Enumeration

nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump

Bruteforce

msf> use auxiliary/scanner/vmware/vmware_http_login

If you find valid credentials, you can use the additional Metasploit VMware scanner modules (for example auxiliary/scanner/vmware/vmware_enum_vms or auxiliary/scanner/vmware/vmware_host_details) to gather information.

ESXi Post-Exploitation & Ransomware Operations

Attack flow inside virtual environments

  • Develop: maintain a lightweight management agent (e.g. MrAgent), an encryptor (e.g. Mario) and leak infrastructure.
  • Infiltrate: compromise vSphere management, enumerate hosts, steal data and stage payloads.
  • Deploy: drop agents on every ESXi host, have them connect to C2 and fetch the encryptor when instructed.
  • Extort: leak data that proves the compromise and open ransom chats once encryption is confirmed.

Hypervisor Takeover Primitives

Once command execution is obtained on the ESXi console or an SSH session, attackers typically run the following management commands to identify and isolate the host before deploying ransomware:

uname -a                                   # hostname / build metadata for tracking
esxcli --formatter=csv network nic list    # adapter + MAC inventory
esxcli --formatter=csv network ip interface ipv4 get   # IPv4 addressing of the vmk interfaces
esxcli network firewall set --enabled false            # drop the host firewall
/etc/init.d/vpxa stop                      # cut vCenter off from the host
passwd root                                # rotate credentials under attacker control

The same agent typically runs a persistent loop that polls a hard-coded C2 URI. Any unreachable status triggers retries, so the beacon stays active until the operators send instructions.

MrAgent-style instruction channel

Lightweight management agents expose a short instruction set parsed from the C2 queue. That set is enough to manage dozens of compromised hypervisors without interactive shells:

| Instruction | Effect |
|---|---|
| Config | Overwrite the local JSON config that defines target directories, execution delays or throttling, enabling hot re-tasking without redeploying binaries. |
| Info | Return hypervisor build info, IPs and adapter metadata gathered with the uname/esxcli probes. |
| Exec | Kick off the ransomware phase: change root credentials, stop vpxa, optionally schedule a reboot delay and then pull+execute the encryptor. |
| Run | Implement a remote shell by writing arbitrary C2-provided commands to ./shmv, chmod +x and execute it. |
| Remove | Issue rm -rf <path> for tool clean-up or destructive wiping. |
| Abort / Abort_f | Stop queued encryptions or kill running worker threads if the operator wants to pause post-reboot actions. |
| Quit | Terminate the agent and rm -f its binary for fast self-removal. |
| Welcome | Abuse esxcli system welcomemesg set -m="text" to display ransom notices right in the console banner. |

Internally, these agents keep two mutex-protected JSON blobs (runtime config + status/telemetry) so that concurrent threads (e.g. beaconing + encryption workers) do not corrupt shared state. Samples are often padded with junk code to slow down shallow static analysis, but the core routines remain intact.
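The takeover commands above and the side effects of the Exec, Run and Welcome instructions leave a recognisable trail in the ESXi shell history. The following Python is an added example, not code from the page and not part of the MrAgent/Mario tooling: it scores each shell session in constructed /var/log/shell.log-style lines (format approximated, not a real capture) against those indicators and checks whether the isolation-then-lockout ordering (vpxa stopped or firewall disabled before passwd root) is present. The indicator names, weights and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ESXi /var/log/shell.log-style lines (format approximated, not a real capture).
SAMPLE_SHELL_LOG = """\
2024-03-02T01:12:07Z shell[2099456]: [root]: uname -a
2024-03-02T01:12:09Z shell[2099456]: [root]: esxcli --formatter=csv network nic list
2024-03-02T01:12:10Z shell[2099456]: [root]: esxcli --formatter=csv network ip interface ipv4 get
2024-03-02T01:12:15Z shell[2099456]: [root]: esxcli network firewall set --enabled false
2024-03-02T01:12:16Z shell[2099456]: [root]: /etc/init.d/vpxa stop
2024-03-02T01:12:20Z shell[2099456]: [root]: passwd root
2024-03-02T01:13:02Z shell[2099456]: [root]: esxcli system welcomemesg set -m="YOUR FILES ARE ENCRYPTED"
2024-03-02T01:13:40Z shell[2099456]: [root]: chmod +x ./shmv
2024-03-03T09:00:01Z shell[2100010]: [root]: esxcli storage core device list
"""

# Indicator names and weights are assumptions; the patterns come from the commands listed above.
INDICATORS = [
    ("uname_probe",        re.compile(r"^uname\s+-a"), 1),
    ("nic_inventory",      re.compile(r"esxcli\s+--formatter=csv\s+network\s+(nic\s+list|ip\s+interface)"), 1),
    ("firewall_disabled",  re.compile(r"esxcli\s+network\s+firewall\s+set\s+--enabled\s+false"), 3),
    ("vpxa_stopped",       re.compile(r"/etc/init\.d/vpxa\s+stop"), 3),
    ("root_passwd_change", re.compile(r"^passwd(\s+root)?\s*$"), 3),
    ("welcome_banner_set", re.compile(r"esxcli\s+system\s+welcomemesg\s+set"), 2),
    ("shmv_dropper",       re.compile(r"\./shmv\b"), 2),
]

# One shell.log line: "<timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)


def parse_shell_log(text):
    """Return one dict per parsable line; shell[pid] identifies the interactive session."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def score_sessions(text, threshold=6):
    """Sum indicator weights per session and keep only sessions at or above the threshold."""
    sessions = defaultdict(lambda: {"user": None, "score": 0, "hits": []})
    for ev in parse_shell_log(text):
        s = sessions[ev["pid"]]
        s["user"] = ev["user"]
        for name, rx, weight in INDICATORS:
            if rx.search(ev["cmd"].strip()):
                s["score"] += weight
                s["hits"].append((ev["ts"], name))   # hits stay in log order
    return {pid: s for pid, s in sessions.items() if s["score"] >= threshold}


def has_lockout_sequence(hits):
    """True when the host was cut off (vpxa stopped / firewall off) before root was rotated."""
    names = [name for _, name in hits]
    if "root_passwd_change" not in names:
        return False
    before_rotation = names[:names.index("root_passwd_change")]
    return any(n in ("vpxa_stopped", "firewall_disabled") for n in before_rotation)


if __name__ == "__main__":
    for pid, s in score_sessions(SAMPLE_SHELL_LOG).items():
        print(f"shell[{pid}] as {s['user']}: score={s['score']} "
              f"lockout_sequence={has_lockout_sequence(s['hits'])}")
        for ts, name in s["hits"]:
            print(f"  {ts} {name}")
```

Weighting the isolation and credential-rotation commands higher than the inventory probes keeps a routine admin session (the second PID above) below the threshold while the full takeover sequence scores well above it; in practice the same scoring can be applied to syslog-forwarded shell.log entries from every host in the cluster.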

Virtualization- and backup-aware targeting

Mario-like encryptors walk only the directories the operator specifies and touch the virtualization artifacts that matter for business continuity:

| Extension | Target |
|---|---|
| vmdk, vmem, vmsd, vmsn, vswp | VM disks, memory snapshots and swap backing files. |
| ova, ovf | Portable VM appliance bundles/metadata. |
| vib | ESXi installation bundles that can block remediation/patching. |
| vbk, vbm | Veeam VM backups + metadata to sabotage on-box restores. |

Operational quirks:

  • Every visited directory receives How To Restore Your Files.txt before encryption, so that the ransom channels are visible even on isolated hosts.
  • Already processed files are skipped when their names contain .emario, .marion, .lmario, .nmario, .mmario or .wmario, which prevents a double encryption that would break the attackers' decryptor.
  • Encrypted payloads are renamed with a *.mario-style suffix (typically .emario) so that operators can verify coverage remotely in consoles or datastore listings.
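To see how the extension list, the skip markers and the rename rule combine, here is an added Python example (not the encryptor's code and not from the original page). It classifies datastore entries by those rules and triages a constructed datastore listing per directory, separating fully encrypted folders from ones where the note was dropped but targets survived, which is what an Abort mid-run or an interrupted worker would leave behind. The path names, the status labels and the "no extension means ignore" choice are assumptions.

```python
import posixpath
from collections import defaultdict

# Extension list and skip markers as described above; status labels are an assumption.
TARGET_EXTENSIONS = {"vmdk", "vmem", "vmsd", "vmsn", "vswp", "ova", "ovf", "vib", "vbk", "vbm"}
ALREADY_ENCRYPTED_MARKERS = (".emario", ".marion", ".lmario", ".nmario", ".mmario", ".wmario")
RANSOM_NOTE = "How To Restore Your Files.txt"


def classify(name):
    """Classify one file name as 'encrypted', 'note', 'target' or 'ignore'."""
    lower = name.lower()
    # Skip rule: any *mario marker anywhere in the name means "already processed".
    if any(marker in lower for marker in ALREADY_ENCRYPTED_MARKERS):
        return "encrypted"
    if name == RANSOM_NOTE:
        return "note"
    ext = lower.rsplit(".", 1)[1] if "." in lower else ""
    return "target" if ext in TARGET_EXTENSIONS else "ignore"


def encrypted_name(name, suffix=".emario"):
    """Rename rule: the payload keeps its name and gains a *.mario-style suffix."""
    return name + suffix


def triage_listing(paths):
    """Per directory: encrypted count, surviving targets, note presence and a status label."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "targets_left": 0, "note": False})
    for p in paths:
        d = per_dir[posixpath.dirname(p)]
        kind = classify(posixpath.basename(p))
        if kind == "encrypted":
            d["encrypted"] += 1
        elif kind == "target":
            d["targets_left"] += 1
        elif kind == "note":
            d["note"] = True
    for d in per_dir.values():
        if d["encrypted"] and not d["targets_left"]:
            d["status"] = "fully_encrypted"
        elif d["encrypted"] or d["note"]:
            # Note dropped or some files done while targets survive: aborted/interrupted run.
            d["status"] = "partial"
        elif d["targets_left"]:
            d["status"] = "untouched_targets"
        else:
            d["status"] = "no_targets"
    return dict(per_dir)


# Constructed datastore listing (not from a real incident).
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.emario",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.emario",
    "/vmfs/volumes/datastore1/web01/web01.vmsd.emario",
    "/vmfs/volumes/datastore1/web01/web01-Snapshot1.vmsn.emario",
    "/vmfs/volumes/datastore1/web01/How To Restore Your Files.txt",
    "/vmfs/volumes/datastore1/db01/db01.vmx",
    "/vmfs/volumes/datastore1/db01/db01.vmdk.emario",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.vswp",
    "/vmfs/volumes/datastore1/db01/How To Restore Your Files.txt",
    "/vmfs/volumes/backups/veeam/db01_2024-03-01.vbk",
    "/vmfs/volumes/backups/veeam/db01.vbm",
    "/vmfs/volumes/datastore1/.locker/esx-update.vib",
]


if __name__ == "__main__":
    for directory, info in triage_listing(SAMPLE_LISTING).items():
        print(f"{directory}: {info['status']} "
              f"(encrypted={info['encrypted']}, targets_left={info['targets_left']}, note={info['note']})")
```

The skip rule is a substring match, so a file that was encrypted once is classified as encrypted no matter which marker variant it carries; the same check is what makes the datastore triage reliable, since only unmarked files with a listed extension count as surviving targets. Note that .vmx descriptors are not in the extension list and therefore remain readable after an attack, which is often what lets responders re-register VMs once the flat disks are restored from off-box backups.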

Multi-layer encryption upgrades

Recent Mario versions replace the original linear, single-key routine with a sparse, multi-key design optimized for VMDK files of several hundred gigabytes:

  • Key schedule: Generate a 32-byte primary key (stored around var_1150) and an independent 8-byte secondary key (var_20). Data is first transformed with the primary context and then re-mixed with the secondary key before disk writes.
  • Per-file headers: Metadata buffers (e.g. var_40) track chunk maps and flags so the attackers’ private decryptor can reconstruct the sparse layout.
  • Dynamic chunking: Instead of a constant 0xA00000 loop, chunk size and offsets are recomputed based on file size, with thresholds extended up to ~8 GB to match modern VM images.
  • Sparse coverage: Only strategically chosen regions are touched, dramatically reducing runtime while still corrupting VMFS metadata, NTFS/EXT4 structures inside the guest or backup indexes.
  • Instrumentation: Upgraded builds log per-chunk byte counts and totals (encrypted/skipped/failed) to stdout, giving affiliates telemetry during live intrusions without extra tooling.

See also

Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):

Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244
