VMware ESX / vCenter Pentesting
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Enumeration
```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```
Bruteforce
```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```
If you find valid credentials, you can use more metasploit scanner modules to obtain information.
ESXi Post-Exploitation & Ransomware Operations
Attack Flow inside Virtual Estates
- Develop: maintain a small management agent (e.g. MrAgent), an encryptor (e.g. Mario) and leak infrastructure.
- Break in: gain vSphere management control, enumerate hosts, exfiltrate data and stage payloads.
- Deploy: push agents to every ESXi host, let them poll C2, and pull the encryptor once the command is received.
- Extort: leak proof-of-compromise data and run ransom chats once encryption is confirmed.
Hypervisor Takeover Primitives
Once command execution in an ESXi console/SSH session is obtained, attackers typically run the following management commands to profile and isolate the host before ransomware deployment:
```bash
uname -a                                        # hostname / build metadata for tracking
esxcli --formatter=csv network nic list         # adapter + MAC inventory
esxcli --formatter=csv network ip interface ipv4 get
esxcli network firewall set --enabled false
/etc/init.d/vpxa stop                           # cut vCenter off from the host
passwd root                                     # rotate credentials under attacker control
```
The same agent usually runs a persistent loop that polls a hard-coded C2 URI. Any unreachable state triggers retries, so the beacon stays alive until operators push instructions.
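From the defender's side, that command sequence is visible in the ESXi shell history (`/var/log/shell.log`). The following detector is an added example, not code from the original page; it assumes the common shell.log line shape `<ISO-ts> shell[<pid>]: [<user>]: <command>` and runs over constructed sample lines.

```python
"""Flag the hypervisor-takeover command sequence in ESXi shell.log lines."""
import re

# Assumed shell.log shape: "<ISO-ts> shell[<pid>]: [<user>]: <command>"
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Primitive -> pattern over the command text; order mirrors the sequence above.
PRIMITIVES = {
    "recon":            re.compile(r"^(uname -a|esxcli .*network (nic list|ip interface))"),
    "firewall_disable": re.compile(r"esxcli network firewall set --enabled false"),
    "vpxa_stop":        re.compile(r"/etc/init\.d/vpxa stop"),
    "root_passwd":      re.compile(r"^passwd( root)?$"),
    "banner_tamper":    re.compile(r"esxcli system welcomemesg set"),
}

def parse_shell_log(lines):
    """Yield (timestamp, user, command) for every well-formed shell.log line."""
    for line in lines:
        m = SHELL_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("cmd")

def detect_takeover(lines):
    """Return the matched primitives with their timestamps and a verdict:
    'takeover' when firewall disable, vpxa stop and root passwd all appear,
    'suspicious' when any single non-recon primitive appears, else 'benign'."""
    hits = {name: [] for name in PRIMITIVES}
    for ts, _user, cmd in parse_shell_log(lines):
        for name, rx in PRIMITIVES.items():
            if rx.search(cmd):
                hits[name].append(ts)
    hits = {k: v for k, v in hits.items() if v}
    core = {"firewall_disable", "vpxa_stop", "root_passwd"}
    if core <= hits.keys():
        verdict = "takeover"
    elif hits.keys() - {"recon"}:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits}

SAMPLE_LOG = [  # constructed sample lines, not a real capture
    "2024-03-02T10:15:21Z shell[2099876]: [root]: uname -a",
    "2024-03-02T10:15:23Z shell[2099876]: [root]: esxcli --formatter=csv network nic list",
    "2024-03-02T10:15:40Z shell[2099876]: [root]: esxcli network firewall set --enabled false",
    "2024-03-02T10:15:44Z shell[2099876]: [root]: /etc/init.d/vpxa stop",
    "2024-03-02T10:15:51Z shell[2099876]: [root]: passwd root",
    '2024-03-02T10:16:02Z shell[2099876]: [root]: esxcli system welcomemesg set -m="notice"',
]

if __name__ == "__main__":
    print(detect_takeover(SAMPLE_LOG))
```

Forwarding shell.log to a central collector matters here: the same sequence ends with `passwd root` and a stopped vpxa, after which the host stops reporting to vCenter.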
MrAgent-Style Instruction Channel
Lightweight management agents expose a short set of instructions parsed from the C2 queue. That set is enough to drive dozens of compromised hypervisors without interactive shells:
| Instruction | Effect |
|---|---|
| Config | Overwrite the local JSON config that defines target directories, execution delays or throttling, allowing hot re-tasking without redeploying binaries. |
| Info | Return hypervisor build info, IPs and adapter metadata gathered with the uname/esxcli probes. |
| Exec | Kick off the ransomware phase: change root credentials, stop vpxa, optionally schedule a reboot delay, then pull and execute the encryptor. |
| Run | Provide a remote shell by writing arbitrary commands supplied by the C2 to `./shmv`, running `chmod +x` on it and executing it. |
| Remove | Issue `rm -rf <path>` to clean up tools or wipe destructively. |
| Abort / Abort_f | Halt queued encryptions or kill running worker threads if the operator wants to pause post-reboot actions. |
| Quit | Terminate the agent and `rm -f` its own binary for quick self-removal. |
| Welcome | Use `esxcli system welcomemesg set -m="text"` to display ransom notices directly in the console banner. |
Internally these agents keep two mutex-protected JSON blobs (runtime config + status/telemetry) so that concurrent threads (e.g. beaconing + encryption workers) do not corrupt shared state. Samples are often padded with junk code to blunt shallow static analysis, but the core routines remain intact.
Virtualization & Backup-Aware Targeting
Mario-like encryptors walk only operator-supplied directory roots and touch the virtualization artefacts critical for business continuity:
| Extension | Target |
|---|---|
| vmdk, vmem, vmsd, vmsn, vswp | VM disks, memory snapshots and swap backing files. |
| ova, ovf | Portable VM appliance bundles/metadata. |
| vib | ESXi installation bundles, which can block remediation/patching. |
| vbk, vbm | Veeam VM backups + metadata, to sabotage on-box restores. |
Operational behaviours:
- Every visited directory receives `How To Restore Your Files.txt` before encryption, so ransom channels are advertised even on hosts that have been cut off.
- Files already processed are skipped if their names contain `.emario`, `.marion`, `.lmario`, `.nmario`, `.mmario` or `.wmario`, preventing double encryption that would break the attackers' decryptor.
- Encrypted payloads are renamed with a `*.mario`-style suffix (most often `.emario`) so operators can verify coverage remotely from consoles or datastore listings.
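Those three behaviours give a responder a cheap triage signal on a datastore listing: ransom notes mark visited directories, the suffixes mark what is already lost, and the extension table marks what is still intact. The script below is an added example, not code from the original page; the datastore paths are constructed, and `walk_datastore` is a hypothetical helper for feeding it a real `/vmfs/volumes/<name>` mount.

```python
"""Triage a datastore listing for Mario-style indicators (added example)."""
import os
from pathlib import PurePosixPath

RANSOM_NOTE = "How To Restore Your Files.txt"
ENCRYPTED_SUFFIXES = {".emario", ".marion", ".lmario", ".nmario", ".mmario", ".wmario"}
# Extensions the encryptor targets; an unencrypted one is still recoverable.
TARGET_EXTS = {"vmdk", "vmem", "vmsd", "vmsn", "vswp", "ova", "ovf", "vib", "vbk", "vbm"}

def classify(path):
    """Return 'ransom_note', 'encrypted', 'at_risk' or 'other' for one path."""
    p = PurePosixPath(path)
    if p.name == RANSOM_NOTE:
        return "ransom_note"
    # The marker is appended, so look at all suffixes: disk-flat.vmdk.emario
    if ENCRYPTED_SUFFIXES.intersection(p.suffixes):
        return "encrypted"
    if p.suffix.lstrip(".").lower() in TARGET_EXTS:
        return "at_risk"
    return "other"

def triage(paths):
    """Bucket paths by class and flag directories that hold a ransom note
    next to still-intact targets (encryption interrupted or in progress)."""
    buckets = {"ransom_note": [], "encrypted": [], "at_risk": [], "other": []}
    for path in paths:
        buckets[classify(path)].append(path)
    noted = {str(PurePosixPath(p).parent) for p in buckets["ransom_note"]}
    partial = {str(PurePosixPath(p).parent) for p in buckets["at_risk"]} & noted
    return {"buckets": buckets, "noted_dirs": sorted(noted),
            "partially_encrypted_dirs": sorted(partial)}

def walk_datastore(root):
    """Hypothetical helper: collect every file path under a real mount."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

SAMPLE_LISTING = [  # constructed listing, not a real datastore
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.emario",
    "/vmfs/volumes/ds1/web01/web01.vmsd.emario",
    "/vmfs/volumes/ds1/web01/How To Restore Your Files.txt",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/How To Restore Your Files.txt",
    "/vmfs/volumes/backup/Backup Job 1/db01.vbk",
    "/vmfs/volumes/backup/Backup Job 1/db01.vbm",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A directory in `partially_encrypted_dirs` is the one to isolate and snapshot first, since its VM files have not yet been rewritten.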
Layered Encryption Upgrades
Recent Mario builds have replaced the original linear single-key routine with a sparse, multi-key design optimized for VMDKs of hundreds of gigabytes:
- Key schedule: generate a 32-byte primary key (stored around `var_1150`) and an independent 8-byte secondary key (`var_20`). Data is first transformed with the primary context and then re-mixed with the secondary key before the disk writes.
- Per-file headers: metadata buffers (e.g. `var_40`) track chunk maps and flags so the attackers' private decryptor can rebuild the sparse layout.
- Dynamic chunking: instead of a constant `0xA00000` loop, chunk size and offsets are recomputed from the file size, with thresholds raised to ~8 GB to match modern VM images.
- Sparse coverage: only strategically chosen regions are touched, cutting runtime sharply while still destroying VMFS metadata, NTFS/EXT4 structures inside the guest, or backup indexes.
- Instrumentation: updated builds write per-chunk byte counts and totals (encrypted/skipped/failed) to stdout, giving affiliates telemetry during hands-on intrusions without extra tooling.
See also
Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):
Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244