Hacktricks-skills vmware-esx-vcenter-security-audit

Security audit and hardening guidance for VMware ESX/vCenter infrastructure. Use this skill when users need to assess VMware virtualization security, understand attack vectors for defensive purposes, enumerate ESXi hosts for authorized penetration testing, identify ransomware indicators in virtual environments, or harden vSphere deployments. Trigger on mentions of VMware, ESXi, vCenter, virtualization security, hypervisor auditing, or ESX pentesting.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/vmware-esx-vcenter.../SKILL.MD
source content

VMware ESX/vCenter Security Audit

A skill for security professionals to audit, harden, and defend VMware ESX/vCenter infrastructure. This skill provides guidance on understanding attack vectors, identifying indicators of compromise, and implementing defensive controls.

⚠️ Authorization Required

All activities described in this skill require explicit written authorization. Use only on systems you own or have permission to test.

Enumeration & Discovery

Network Scanning

Identify VMware services and versions:

# Nmap service detection with VMware-specific NSE scripts
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>

# Common VMware ports to scan
# 443 - vSphere Client and HTTPS API on vCenter and ESXi
# 902 - vmware-authd: vCenter-to-host agent traffic (TCP) and host heartbeat (UDP)
# 903 - VM remote console (MKS)
# 22  - SSH (only if the SSH service is enabled on the host)

Metasploit Enumeration

# ESXi fingerprinting
msfconsole
use auxiliary/scanner/vmware/esx_fingerprint
set RHOSTS <target>
run

# Check for MS15-034 (HTTP.sys). This is a Windows bug: it only applies to vCenter Server
# installed on Windows (supported up to 6.7). ESXi and the vCenter appliance do not run HTTP.sys.
use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
set RHOSTS <target>
run

Credential Testing (Authorized Only)

# Test for weak credentials on VMware HTTP interface
use auxiliary/scanner/vmware/vmware_http_login
set RHOSTS <target>
set RPORT 443
set USERNAME <username>
set PASSWORD <password>
run

Post-Exploitation Indicators

Hypervisor Takeover Signs

Monitor for these commands in ESXi logs. Interactive ESXi Shell and SSH commands are written to /var/log/shell.log and logins to /var/log/auth.log, so those two files are the first place to look:

| Command                                     | Purpose                                                    | Detection Priority |
|---------------------------------------------|------------------------------------------------------------|--------------------|
| uname -a                                    | Host fingerprinting                                        | Medium             |
| esxcli network nic list                     | Network adapter enumeration                                | High               |
| esxcli network firewall set --enabled false | Firewall disablement                                       | Critical           |
| /etc/init.d/vpxa stop                       | Stops the vCenter agent, cutting the host off from vCenter | Critical           |
| passwd root                                 | Root password change, locking administrators out           | Critical           |
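
The following is an added example, not code from the original skill: a POSIX sh triage function that reads /var/log/shell.log and tags each logged command with the detection priority from the table. It assumes the shell.log line format `<timestamp> shell[<pid>]: [<user>]: <command>` used by ESXi 6.x/7.x, and goes slightly beyond the table by also treating `esxcli vm process kill` and `vim-cmd vmsvc/power.off` as critical, since ransomware stops VMs before encrypting their disks. The sample log lines are constructed.

```sh
#!/bin/sh
# Added example: tag ESXi shell.log entries with a detection priority.
# Assumed line format (ESXi 6.x/7.x): <timestamp> shell[<pid>]: [<user>]: <command>

# Print "<PRIORITY><TAB><original line>" for every logged command that matters.
triage_shell_log() {
    while IFS= read -r line; do
        cmd=${line#*\]: }               # drop "<timestamp> shell[<pid>]: "
        cmd=${cmd#*\]: }                # drop "[<user>]: "; what is left is the command
        case "$cmd" in
            # Critical: firewall off, vCenter agent stopped, root password changed,
            # VMs killed or powered off (done before disks are encrypted)
            "esxcli network firewall set "*"--enabled false"*|\
            "esxcli network firewall set "*"-e false"*|\
            "/etc/init.d/vpxa stop"*|\
            "passwd"*|\
            "esxcli vm process kill"*|\
            "vim-cmd vmsvc/power.off"*)   priority=CRITICAL ;;
            # High: network and VM inventory enumeration
            "esxcli network nic list"*|\
            "esxcli vm process list"*)     priority=HIGH ;;
            # Medium: host fingerprinting
            "uname"*)                      priority=MEDIUM ;;
            *)                             continue ;;
        esac
        printf '%s\t%s\n' "$priority" "$line"
    done < "$1"
}

# Constructed sample log (not real data) so the example runs offline.
write_sample_shell_log() {
    cat > "$1" <<'EOF'
2024-03-05T08:11:02Z shell[2099601]: [root]: uname -a
2024-03-05T08:11:15Z shell[2099601]: [root]: esxcli network nic list
2024-03-05T08:11:40Z shell[2099601]: [root]: ls /vmfs/volumes
2024-03-05T08:12:03Z shell[2099601]: [root]: esxcli network firewall set --enabled false
2024-03-05T08:12:20Z shell[2099601]: [root]: /etc/init.d/vpxa stop
2024-03-05T08:12:41Z shell[2099601]: [root]: passwd root
EOF
}

# On a host: sh triage.sh /var/log/shell.log
# Without an argument the constructed sample is triaged instead.
if [ "$#" -gt 0 ]; then
    triage_shell_log "$1"
else
    tmp=$(mktemp)
    write_sample_shell_log "$tmp"
    triage_shell_log "$tmp"
    rm -f "$tmp"
fi
```

The sample produces five tagged lines (three CRITICAL, one HIGH, one MEDIUM); the benign `ls` is dropped. Extend the `case` with your own baseline of expected administrative commands to cut noise.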

C2 Beacon Detection

Look for persistent processes polling external hosts:

# List active connections (ESXi has no netstat; esxcli provides the equivalent)
esxcli network ip connection list | grep ESTABLISHED

# Look for unusual cron jobs (the ESXi busybox crond reads this file)
cat /var/spool/cron/crontabs/root

# Check the boot-time script, a common persistence point because it survives reboots
cat /etc/rc.local.d/local.sh

# Check for unknown processes
ps -c | grep -v "init\|vpxa\|hostd"
esxcli system process list
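
Added example, not part of the original skill: because ESXi has no netstat, this POSIX sh/awk function parses the output of `esxcli network ip connection list` and reports ESTABLISHED TCP sessions whose peer lies outside RFC 1918 and loopback space, together with the owning world (process) name. The column layout and the sample output are constructed from the format of that command on ESXi 7.x; confirm the layout against real output on the host before relying on the field numbers.

```sh
#!/bin/sh
# Added example: flag ESTABLISHED TCP connections from an ESXi host to non-private peers.
# Assumed columns of `esxcli network ip connection list`:
#   Proto RecvQ SendQ LocalAddress ForeignAddress State WorldID CCAlgo WorldName

# $1: file holding the esxcli output. Prints "<world name> -> <foreign address>" per hit.
flag_external_connections() {
    awk '
    # RFC 1918 and loopback ranges are treated as internal; anything else
    # (including IPv6 peers, which do not split on ".") is reported.
    function is_private(ip,    o) {
        split(ip, o, ".")
        if (o[1] == 10) return 1
        if (o[1] == 127) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        return 0
    }
    $1 == "tcp" && $6 == "ESTABLISHED" {
        peer = $5
        sub(/:[0-9]+$/, "", peer)     # strip the port before classifying
        if (!is_private(peer)) print $9 " -> " $5
    }' "$1"
}

# Constructed sample (not real data): normal sshd/rhttpproxy sessions from the
# management subnet plus one python world talking to a public address.
write_sample_connections() {
    cat > "$1" <<'EOF'
Proto  Recv Q  Send Q  Local Address       Foreign Address      State        World ID  CC Algo  World Name
-----  ------  ------  ------------------  -------------------  -----------  --------  -------  ----------
tcp         0       0  192.168.10.5:22     192.168.10.200:5132  ESTABLISHED   2100241  newreno  sshd
tcp         0       0  192.168.10.5:443    192.168.10.20:49172  ESTABLISHED   2098733  newreno  rhttpproxy
tcp         0       0  192.168.10.5:57234  203.0.113.44:443     ESTABLISHED   2101877  newreno  python
tcp         0       0  0.0.0.0:902         0.0.0.0:0            LISTEN        2098750  newreno  vmware-authd
udp         0       0  0.0.0.0:427         0.0.0.0:0                          2098751           slpd
EOF
}

# On a host: esxcli network ip connection list > /tmp/conn.txt; sh c2check.sh /tmp/conn.txt
if [ "$#" -gt 0 ]; then
    flag_external_connections "$1"
fi
```

On the sample only `python -> 203.0.113.44:443` is reported. A python world holding a long-lived session to an address outside your address space is exactly the beacon pattern this section describes; cross-check the world ID against `ps -c` to find the script behind it.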

Ransomware Indicators

File Extensions Targeted

| Extension                         | Description                                         | Risk Level |
|-----------------------------------|-----------------------------------------------------|------------|
| .vmdk, .vmem, .vmsd, .vmsn, .vswp | VM disks, memory, snapshot metadata and state, swap | Critical   |
| .ova, .ovf                        | VM appliance bundles                                | High       |
| .vib                              | ESXi installation bundles                           | High       |
| .vbk, .vbm                        | Veeam backup files                                  | Critical   |
| .emario, .marion, .mario          | Extensions appended to files after encryption       | Critical   |

Detection Queries

# Find VM disk files modified in the last 24 hours
find /vmfs/volumes -type f -name "*.vmdk" -mtime -1

# Look for ransom notes (case-insensitive so "HOW TO RESTORE" variants are caught)
find / -type f \( -iname "*restore*" -o -iname "*ransom*" -o -iname "*how to*" \) 2>/dev/null

# Check for encrypted file extensions
find /vmfs/volumes -type f \( -name "*.emario" -o -name "*.marion" -o -name "*.mario" \) 2>/dev/null
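
Added example, not from the original skill: the three queries above combined into one POSIX sh function that can be run from the ESXi Shell against a datastore path. It tags files carrying the encrypted-file extensions from the table, case-insensitive ransom-note names, and VM files modified within the last day (the page's list plus .vmx, the VM configuration file). The sample datastore tree is constructed in a temporary directory so the script runs offline.

```sh
#!/bin/sh
# Added example: tag ransomware indicators under a datastore path.
# Output lines are "<TAG><TAB><path>" with TAG one of ENCRYPTED, NOTE, RECENT.

# Prefix every line on stdin with a tag (portable; busybox sed lacks some escapes).
tag() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

scan_datastore() {
    dir=$1
    # Files carrying the extensions appended after encryption
    find "$dir" -type f \( -name '*.emario' -o -name '*.marion' -o -name '*.mario' \) 2>/dev/null | tag ENCRYPTED
    # Ransom notes, matched case-insensitively on the file name
    find "$dir" -type f \( -iname '*restore*' -o -iname '*ransom*' -o -iname '*how to*' \) 2>/dev/null | tag NOTE
    # VM disk, config and state files touched within the last day (.vmx added to the page's list)
    find "$dir" -type f \( -name '*.vmdk' -o -name '*.vmx' -o -name '*.vmem' -o -name '*.vmsd' \
        -o -name '*.vmsn' -o -name '*.vswp' \) -mtime -1 2>/dev/null | tag RECENT
}

# Constructed sample tree (not real data): a healthy VM, an encrypted VM with a
# ransom note next to it, and a third VM with only a flat disk.
make_sample_datastore() {
    mkdir -p "$1/vm1" "$1/vm2" "$1/vm3"
    : > "$1/vm1/vm1.vmdk"
    : > "$1/vm1/vm1.vmx"
    : > "$1/vm2/vm2.vmdk.emario"
    : > "$1/vm2/How To Restore Your Files.txt"
    : > "$1/vm3/vm3-flat.vmdk"
}

# On a host: sh scan.sh /vmfs/volumes/datastore1
if [ "$#" -gt 0 ]; then
    scan_datastore "$1"
fi
```

Every RECENT hit on a host where no VM was legitimately changed, combined with even one ENCRYPTED or NOTE hit, should be treated as an active incident: move to the Incident Response steps below rather than continuing to enumerate.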

Hardening Recommendations

Network Security

  1. Segment management traffic - Isolate vCenter and ESXi management interfaces
  2. Disable unnecessary services - Turn off SSH, DCUI if not needed
  3. Implement network ACLs - Restrict access to management ports (443, 902, 22)
  4. Enable TLS 1.2+ - Disable older SSL/TLS versions

Access Control

  1. Strong authentication - Use MFA for vCenter access
  2. Principle of least privilege - Create role-based access controls
  3. Regular credential rotation - Change default passwords immediately
  4. Audit logging - Enable and monitor vCenter logs

Host Hardening

# Disable the ESXi Shell and SSH services when not in use
vim-cmd hostsvc/disable_esx_shell
vim-cmd hostsvc/disable_ssh

# Time out idle ESXi Shell sessions (seconds)
esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 900

# Enable lockdown mode
vim-cmd vimsvc/auth/lockdown_mode_enter

# Firewall: keep it on, drop by default, and allow SSH only from the management subnet
esxcli network firewall set --enabled true --default-action false
esxcli network firewall ruleset set -r sshServer --allowed-all false
esxcli network firewall ruleset allowedip add -r sshServer -i <MGMT_SUBNET>

Backup Protection

  1. 3-2-1 backup rule - 3 copies, 2 media types, 1 offsite
  2. Immutable backups - Use write-once-read-many (WORM) storage
  3. Air-gapped recovery - Maintain offline backup copies
  4. Regular restore testing - Validate backup integrity monthly

Incident Response

Immediate Actions

  1. Isolate affected hosts - Disconnect the management and VM networks; do not reboot or power-cycle the host
  2. Preserve evidence - Capture memory, logs and disk images before anything else. ESXi runs largely from an in-memory filesystem, so a reboot destroys running processes, /tmp contents and any change not persisted to the boot device or scratch location
  3. Identify scope - Check all ESXi hosts and vCenter
  4. Notify stakeholders - Follow incident response procedures

Recovery Steps

  1. Clean rebuild - Reinstall ESXi from trusted media
  2. Restore from clean backups - Verify backup integrity first
  3. Patch vulnerabilities - Apply latest security updates
  4. Rotate all credentials - Change all passwords and certificates
  5. Monitor for persistence - Watch for re-infection indicators

References

Quick Reference

Common VMware Ports

| Port | Service                                                      | Protocol |
|------|--------------------------------------------------------------|----------|
| 22   | SSH (when enabled)                                           | TCP      |
| 443  | vSphere Client / HTTPS API                                   | TCP      |
| 902  | vmware-authd: vCenter-to-host agent traffic, host heartbeat  | TCP, UDP |
| 903  | VM remote console (MKS)                                      | TCP      |

Critical Files to Monitor

  • /var/log/
    - ESXi system logs; the most useful are shell.log (every ESXi Shell/SSH command), auth.log (logins), hostd.log and vpxa.log (management API activity)
  • /var/log/vmware/
    - vCenter Server Appliance service logs (e.g. vpxd); ESXi itself writes to /var/log/ directly
  • /etc/vmware/
    - Configuration files
  • /etc/rc.local.d/local.sh
    - Boot-time script that survives reboots; a common persistence location on ESXi
  • /var/spool/cron/crontabs/root
    - Root crontab read by the ESXi crond
  • /vmfs/volumes/
    - VM datastores
  • /var/lib/vmware/
    - VMware state files