VMware
Default Ports: 443, 902, 903, 5480, 5989
VMware vCenter and ESXi manage virtual machines, hosts, datastores, networks, clusters, snapshots, and permissions. In pentests, a weak VMware management plane can expose critical workloads, VM consoles, datastore files, snapshots, and privileged infrastructure operations.
Common Ports
Scan both vCenter and direct ESXi host addresses.
| Port | Service |
|---|---|
| 443/TCP | vSphere Client, vCenter API, ESXi Host Client |
| 902/TCP | ESXi NFC and VM console traffic |
| 903/TCP | Legacy remote console access |
| 5480/TCP | VCSA management interface |
| 5988/TCP | CIM over HTTP |
| 5989/TCP | CIM over HTTPS |
| 427/TCP/UDP | Service Location Protocol |
| 22/TCP | ESXi or appliance SSH |
Connect
Using Web Browser
The browser confirms whether the target is vCenter, ESXi, or the appliance manager.
https://vcenter.target.local/ui
https://esxi01.target.local/ui
https://vcenter.target.local:5480
Using curl
Use curl for safe fingerprinting of common web paths.
curl -k -I https://vcenter.target.local/
curl -k -I https://vcenter.target.local/ui/
curl -k -I https://esxi01.target.local/ui/
curl -k -I https://vcenter.target.local:5480/
Using govc
govc validates vSphere API access and shows what a credential can actually see. GOVC_INSECURE=1 skips certificate verification, which is usually needed against self-signed vCenter certificates. A password embedded in GOVC_URL ends up in shell history and process listings; GOVC_USERNAME and GOVC_PASSWORD are the quieter alternative.
export GOVC_URL='https://user:password@vcenter.target.local/sdk'
export GOVC_INSECURE=1
govc about
govc datacenter.info
Using PowerCLI
PowerCLI (VMware's PowerShell modules, usable on Windows or with PowerShell 7 on Linux and macOS) gives an administrator's view of the inventory and is the natural choice when the engagement already runs from a Windows host.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
Connect-VIServer -Server vcenter.target.local
Get-View ServiceInstance
Get-Datacenter
Using REST API
The REST API can validate credentials and enumerate inventory. The legacy session endpoint answers a Basic-auth POST with {"value":"SESSION_ID"}; that value goes back in the vmware-api-session-id header on every later call. vCenter 7.0 U2 and later also expose /api/session, which returns the ID as a bare JSON string and unwrapped result bodies.
curl -k -u 'user:password' -X POST https://vcenter.target.local/rest/com/vmware/cis/session
curl -k -H 'vmware-api-session-id: SESSION_ID' https://vcenter.target.local/rest/vcenter/vm
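The two REST API generations differ in how the session ID and list results are wrapped, which is the usual mistake when the curl calls above are turned into a script. The Python client below is an added example, not code from the original page or from VMware: it implements the login-then-list flow for both the legacy /rest/... paths and the newer /api/... paths behind one interface, with a pluggable transport so the response handling can be exercised offline. The hostname and credentials are placeholders, and demo_transport returns constructed responses shaped like each API generation, not a real vCenter reply.

```python
"""vCenter REST login and VM listing for both API generations (added example).

Endpoint shapes relied on here:
  legacy (vCenter 6.5-7.0):  POST /rest/com/vmware/cis/session -> {"value": "<id>"}
                              GET  /rest/vcenter/vm            -> {"value": [ {...} ]}
  modern (7.0 U2 and later):  POST /api/session                -> "<id>"   (HTTP 201)
                              GET  /api/vcenter/vm             -> [ {...} ]
Both generations take the token in the vmware-api-session-id header.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

API_PATHS = {
    "legacy": {"session": "/rest/com/vmware/cis/session", "vm": "/rest/vcenter/vm"},
    "modern": {"session": "/api/session", "vm": "/api/vcenter/vm"},
}
SESSION_HEADER = "vmware-api-session-id"


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def unwrap(body):
    """Remove the legacy {"value": ...} envelope; modern responses are bare JSON."""
    data = json.loads(body)
    if isinstance(data, dict) and set(data) == {"value"}:
        return data["value"]
    return data


def urllib_transport(verify_tls=True):
    """Real transport: (method, url, headers) -> (status, body). verify_tls=False is curl -k."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only acceptable against a self-signed lab/engagement target
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # 401/403 etc. come back as status, not exception
            return err.code, err.read().decode(errors="replace")
    return send


def demo_transport(api):
    """Offline transport returning constructed responses in the shape of each API generation."""
    def send(method, url, headers):
        if url.endswith(API_PATHS[api]["session"]):
            if method != "POST" or not headers.get("Authorization", "").startswith("Basic "):
                return 401, "{}"
            return (200, '{"value":"demo-session"}') if api == "legacy" else (201, '"demo-session"')
        if headers.get(SESSION_HEADER) != "demo-session":
            return 401, "{}"
        vms = '[{"vm":"vm-12","name":"dc01","power_state":"POWERED_ON"}]'
        return 200, ('{"value":%s}' % vms if api == "legacy" else vms)
    return send


class VCenterRest:
    def __init__(self, base_url, api="legacy", transport=None):
        if api not in API_PATHS:
            raise ValueError(f"api must be one of {sorted(API_PATHS)}")
        self.base = base_url.rstrip("/")
        self.paths = API_PATHS[api]
        self.send = transport or urllib_transport()
        self.session_id = None

    def login(self, user, password):
        status, body = self.send("POST", self.base + self.paths["session"],
                                 {"Authorization": basic_auth_header(user, password)})
        if status not in (200, 201):
            raise PermissionError(f"login failed: HTTP {status}")
        sid = unwrap(body)
        if not isinstance(sid, str) or not sid:
            raise ValueError(f"unexpected session response: {body[:80]}")
        self.session_id = sid
        return sid

    def list_vms(self):
        """Return (moref, name, power_state) tuples for every VM the session can see."""
        if self.session_id is None:
            raise RuntimeError("call login() first")
        status, body = self.send("GET", self.base + self.paths["vm"],
                                 {SESSION_HEADER: self.session_id})
        if status != 200:
            raise RuntimeError(f"vm list failed: HTTP {status}")
        return [(vm["vm"], vm["name"], vm.get("power_state")) for vm in unwrap(body)]


if __name__ == "__main__":
    for api in API_PATHS:  # offline demo; swap demo_transport for urllib_transport() on a target
        client = VCenterRest("https://vcenter.target.local", api=api, transport=demo_transport(api))
        client.login("user", "password")
        print(api, client.list_vms())
```

Against a real target, pass transport=urllib_transport(verify_tls=False) only when the certificate is the expected self-signed one; the session ID is a bearer credential, so avoid printing it into engagement logs.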
Recon
Service Detection with Nmap
Scan common VMware management and host ports.
nmap -p 22,80,443,902,903,427,5480,5988,5989 -sV target.local
nmap -p 443,5480 --script http-title,http-headers,ssl-cert,ssl-enum-ciphers target.local
nmap -p 443 --script vmware-version target.local
Certificate Review
Certificates often reveal internal hostnames, appliance names, and domains.
openssl s_client -connect vcenter.target.local:443 -servername vcenter.target.local </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
openssl s_client -connect vcenter.target.local:5480 -servername vcenter.target.local </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Product Fingerprinting
Common VMware paths distinguish vCenter from ESXi and VCSA and show which features are enabled. The Managed Object Browser at /mob/ is disabled by default on ESXi, so a host that serves it is itself a finding.
curl -k -I https://target.local/ui/
curl -k -I https://target.local/sdk/
curl -k -I https://target.local/mob/
curl -k -I https://target.local/rest/
httpx -u https://target.local -title -tech-detect -status-code -follow-redirects
Management Surface Mapping
Check which management interfaces are reachable from the tester network.
curl -k -s https://vcenter.target.local:5480/ | head
nmap -p 22 --script ssh2-enum-algos,ssh-hostkey esxi01.target.local
nmap -p 5988,5989 -sV esxi01.target.local
Asset Discovery
VMware hostnames often follow predictable names.
dig vcenter.target.local
dig esxi01.target.local
printf "vcenter\nvcsa\nesxi01\nesx01\nvmhost01\n" > vmware-hosts.txt
httpx -l vmware-hosts.txt -ports 443,5480 -title -status-code -follow-redirects
Enumeration
Authentication Enumeration
Check login paths, SSO behavior, and SDK reachability.
curl -k -I https://vcenter.target.local/ui/
curl -k -I https://vcenter.target.local/websso/
curl -k -I https://vcenter.target.local/sdk/
Inventory Enumeration
Inventory access shows visible datacenters, clusters, hosts, VMs, and networks.
govc ls
govc find / -type d
govc find / -type h
govc find / -type m
govc find / -type n
govc host.info
govc vm.info -json '*'
PowerCLI Enumeration
PowerCLI gives a readable view of VMware objects.
Get-Datacenter
Get-Cluster
Get-VMHost
Get-VM
Get-Datastore
Get-VirtualPortGroup
Permission Enumeration
Review inherited roles and broad administrator assignments.
govc permissions.ls /
govc permissions.ls /Datacenter/vm
govc permissions.ls /Datacenter/host
govc role.ls
Get-VIRole
Get-VIPermission | Select-Object Principal,Role,Entity,Propagate
Datastore Enumeration
Datastores can contain VM files, ISOs, exports, logs, and sensitive leftovers.
govc datastore.ls
govc datastore.info
govc datastore.ls -ds datastore1
govc datastore.ls -ds datastore1 -R | grep -Ei '\.(vmx|vmdk|nvram|iso|ova|ovf|log|txt|conf)$'
Snapshot Enumeration
Snapshots can expose sensitive rollback points and data copies.
govc find / -type m
govc snapshot.tree -vm VM_NAME
govc vm.info VM_NAME
govc device.ls -vm VM_NAME
Event Enumeration
Events reveal logins, administrative changes, snapshots, and console activity; in PowerCLI the event log is Get-VIEvent (Get-Task lists tasks, not events).
govc events -n 50
Get-VIEvent -MaxSamples 50 | Select-Object CreatedTime,UserName,FullFormattedMessage
Direct ESXi Enumeration
Direct host access bypasses vCenter roles, SSO, and central logging: ESXi has its own local accounts (root above all) and its own lockdown and SSH settings, so test hosts directly instead of assuming vCenter controls apply.
export GOVC_URL='https://root:password@esxi01.target.local/sdk'
export GOVC_INSECURE=1
govc about
govc host.info
govc vm.info '*'
govc datastore.ls
Attack Vectors
Exposed Management Interfaces
vCenter, ESXi, VCSA, SSH, and CIM should not be reachable from broad networks.
nmap -p 22,443,902,903,5480,5988,5989 --open -sV 10.10.10.0/24
httpx -l vmware-targets.txt -ports 443,5480 -title -status-code -tech-detect
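Both the Service Detection scan in the Recon section and the exposure sweep here leave you with nmap output that has to become a per-host list of reachable management surfaces. The Python below is an added example, not from the original page or from nmap: it parses nmap's grepable output (nmap ... -oG -) and reports, for each host, the open ports from the port table above, a product guess from the service banner, and which direct-ESXi surfaces (SSH, 902, CIM) are reachable. SAMPLE_SCAN is constructed in the -oG layout with illustrative banners, not a real scan.

```python
"""Map exposed VMware management surfaces from nmap grepable (-oG) output (added example)."""
import re

# Management surfaces from the page's port table (TCP).
SURFACES = {
    22: "SSH", 80: "HTTP", 427: "SLP", 443: "vSphere Client/SDK", 902: "NFC/VM console",
    903: "legacy console", 5480: "VCSA management", 5988: "CIM HTTP", 5989: "CIM HTTPS",
}
# Ports that mean a host, not just vCenter, is reachable from the tester's network.
DIRECT_HOST_PORTS = {22, 902, 5988, 5989}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*?)(?:\s+Ignored State:.*)?$")
# nmap separates port entries with ", ", but version strings can contain commas
# ("VMware Authentication Daemon 1.10 (Uses VNC, SOAP)"), so split only before "<port>/".
PORT_SPLIT_RE = re.compile(r", (?=\d+/)")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "open": {port: (service, version)}}} for open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, name, port_field = m.groups()
        open_ports = {}
        for entry in PORT_SPLIT_RE.split(port_field):
            f = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version/
            if len(f) < 7 or f[1] != "open" or f[2] != "tcp":
                continue
            open_ports[int(f[0])] = (f[4], f[6])
        hosts[ip] = {"name": name, "open": open_ports}
    return hosts


def guess_product(host):
    """Banner-based guess; 5480 alone is enough to call it a vCenter appliance."""
    banners = " ".join(version for _, version in host["open"].values())
    if "ESXi" in banners:
        return "ESXi host"
    if "vCenter" in banners or 5480 in host["open"]:
        return "vCenter appliance"
    return "unknown"


def surface_report(text):
    """One record per host: product guess, exposed management ports, direct-host exposure."""
    report = []
    for ip, host in parse_grepable(text).items():
        mgmt = sorted(p for p in host["open"] if p in SURFACES)
        report.append({
            "ip": ip, "name": host["name"], "product": guess_product(host),
            "management_ports": mgmt,
            "direct_host_exposure": sorted(DIRECT_HOST_PORTS & set(mgmt)),
        })
    return report


# Constructed sample in nmap -oG layout; banners are illustrative, not from a real scan.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -p 22,443,902,903,5480,5988,5989 --open -sV -oG - 10.10.10.0/24
Host: 10.10.10.5 (esxi01.target.local)\tStatus: Up
Host: 10.10.10.5 (esxi01.target.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.8 (protocol 2.0)/, 443/open/tcp//ssl|https//VMware ESXi SOAP API 7.0.3/, 902/open/tcp//vmware-auth//VMware Authentication Daemon 1.10 (Uses VNC, SOAP)/, 5989/open/tcp//ssl|wbem//VMware ESXi CIM Server/\tIgnored State: filtered (3)
Host: 10.10.10.10 (vcenter.target.local)\tPorts: 443/open/tcp//ssl|https//VMware vCenter Server 8.0.2/, 5480/open/tcp//ssl|http//VMware VCSA management/\tIgnored State: closed (5)
"""

if __name__ == "__main__":
    for record in surface_report(SAMPLE_SCAN):
        print(record)
```

Feed it a real run with nmap -sV -oG - ... | python3 surface_map.py (reading stdin instead of SAMPLE_SCAN); any host with a non-empty direct_host_exposure list reachable from a user network maps straight onto the "Direct ESXi access from user networks" row in the misconfiguration table.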
Weak Credentials
Test only credentials that are in scope. Both vCenter SSO and ESXi lock accounts after a few consecutive failures, so password spraying is noisy and locks out administrators; validate known credentials instead.
export GOVC_URL='https://user:password@vcenter.target.local/sdk'
export GOVC_INSECURE=1
govc about
curl -k -u 'user:password' -X POST https://vcenter.target.local/rest/com/vmware/cis/session
Excessive Permissions
Dangerous rights include console, datastore, snapshot, host configuration, and role management.
govc permissions.ls /
govc permissions.ls /Datacenter
govc permissions.ls / | grep -Ei 'admin|administrator|domain admins|vmware admins'
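Reading govc permissions.ls by eye does not scale past a few dozen assignments, and both the Permission Enumeration commands and the grep above miss principals and roles whose names contain spaces. The Python triage below is an added example, not code from the original page or from govc. It assumes govc's text layout is inventory path, principal, propagate flag, role (verify against your govc version), treats the default vsphere.local built-in principals and solution users as expected, and flags propagating Admin at the root, broad directory groups, and propagating privileged roles. SAMPLE_OUTPUT is constructed, not captured from a real vCenter.

```python
"""Triage govc permissions.ls output for risky role assignments (added example).

Assumed text layout of `govc permissions.ls` (check your govc version):
    <inventory path>  <principal>  <true|false>  <role name>
Principals ("TARGET\\Domain Admins") and roles ("Virtual machine power user (sample)")
can contain spaces, so each line is split around the propagate flag, not by column.
"""
import re

ADMIN_ROLES = {"Admin"}  # the built-in Administrator role is named "Admin" in the API
# Heuristics: default SSO domain vsphere.local plus the solution-user prefixes vCenter creates.
BUILTIN_PRINCIPAL = re.compile(
    r"^VSPHERE\.LOCAL\\(Administrators$|vpxd-|vsphere-webclient-|machine-|wcp-|hvc-)", re.I)
BROAD_GROUP = re.compile(r"\\(domain users|domain computers|everyone|authenticated users)$", re.I)
PRIVILEGED_ROLE = re.compile(r"power user|administrator", re.I)


def parse_permissions(text):
    """Parse govc permissions.ls text into dicts with path, principal, propagate, role."""
    perms = []
    for line in text.splitlines():
        tokens = line.split()
        flags = [i for i, t in enumerate(tokens) if t in ("true", "false")]
        if not flags or flags[-1] < 2 or flags[-1] == len(tokens) - 1:
            continue  # blank or not shaped like path / principal / flag / role
        i = flags[-1]
        perms.append({
            "path": tokens[0],
            "principal": " ".join(tokens[1:i]),
            "propagate": tokens[i] == "true",
            "role": " ".join(tokens[i + 1:]),
        })
    return perms


def assess(perms):
    """Return (severity, path, principal, role, reason) findings in input order."""
    findings = []
    for p in perms:
        principal, role, path, prop = p["principal"], p["role"], p["path"], p["propagate"]
        builtin = bool(BUILTIN_PRINCIPAL.match(principal))
        directory = (not builtin and ("\\" in principal or "@" in principal)
                     and not principal.upper().startswith("VSPHERE.LOCAL\\"))
        if role in ADMIN_ROLES and prop:
            if builtin:
                sev, why = "info", "built-in vCenter principal holds propagating Admin"
            elif path == "/":
                sev = "high"
                why = ("directory" if directory else "local") + \
                    " principal holds propagating Admin at the inventory root"
            else:
                sev, why = "medium", "propagating Admin below the root"
            findings.append((sev, path, principal, role, why))
        if BROAD_GROUP.search(principal) and role != "NoAccess":
            sev = "high" if role in ADMIN_ROLES else "medium"
            findings.append((sev, path, principal, role, "broad directory group granted a role"))
        elif prop and role not in ADMIN_ROLES and PRIVILEGED_ROLE.search(role):
            findings.append(("medium", path, principal, role,
                             "propagating privileged sample or custom role"))
    return findings


# Constructed sample in the assumed govc layout; principals and the UUID fragment are made up.
SAMPLE_OUTPUT = r"""
/  VSPHERE.LOCAL\Administrators  true  Admin
/  VSPHERE.LOCAL\vpxd-extension-6f1c9c3e  true  Admin
/  TARGET\Domain Admins  true  Admin
/  TARGET\Domain Users  true  Read-only
/Datacenter/vm  TARGET\helpdesk  true  Virtual machine power user (sample)
/Datacenter/vm/Prod  TARGET\jdoe  false  Read-only
"""

if __name__ == "__main__":
    for finding in assess(parse_permissions(SAMPLE_OUTPUT)):
        print("%-6s %-22s %-40s %-36s %s" % finding)
```

Run it as govc permissions.ls / | python3 perm_triage.py (reading stdin in place of SAMPLE_OUTPUT). The "directory principal holds propagating Admin at the inventory root" finding is the same condition the SSO and Directory Weaknesses section looks for with Get-VIPermission.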
Datastore File Exposure
Read-only datastore access can still expose sensitive VM configuration: a .vmx records the display name, network placement, MAC addresses, annotations, and guestinfo.* keys, which are commonly used to pass cloud-init user data and sometimes credentials into the guest.
govc datastore.download -ds datastore1 path/to/vm/vm.vmx ./vm.vmx
grep -Ei 'guestinfo|annotation|ethernet|uuid|displayName|sched|tools' ./vm.vmx
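The grep above shows which keys are present; what matters is what they contain. The Python below is an added example, not from the original page or from VMware: it parses the .vmx key = "value" format, undoes the |XX hex escapes vmx uses inside annotation strings, decodes guestinfo.* values according to their companion .encoding key (the cloud-init base64 and gzip+base64 convention), lists NIC network placement and MAC addresses, and flags values that look like credentials. SAMPLE_VMX is constructed for the example, and the password-like strings in it are illustrative.

```python
"""Triage a downloaded .vmx for sensitive configuration (added example)."""
import base64
import gzip
import re

VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')
VMX_ESCAPE = re.compile(r"\|([0-9A-Fa-f]{2})")  # vmx writes |0A for newline, |22 quote, |7C pipe
SECRET_RE = re.compile(
    r"pass(word|wd|phrase)?|\bpw\b|secret|token|api[_-]?key|private[_-]?key|chpasswd", re.I)


def unescape_vmx(value):
    """Replace |XX byte escapes; multibyte UTF-8 sequences are not reassembled here."""
    return VMX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_vmx(text):
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = unescape_vmx(m.group(2))
    return cfg


def decode_guestinfo(cfg, key):
    """Decode a guestinfo.* value per its companion <key>.encoding (cloud-init convention)."""
    raw = cfg[key]
    enc = cfg.get(key + ".encoding", "").lower()
    try:
        if enc in ("base64", "b64"):
            return base64.b64decode(raw).decode("utf-8", "replace")
        if enc in ("gzip+base64", "gz+b64"):
            return gzip.decompress(base64.b64decode(raw)).decode("utf-8", "replace")
    except (ValueError, OSError):
        return raw  # undecodable: keep the raw value for manual review
    return raw


def triage_vmx(text):
    """Return display name, annotation, NICs, decoded guestinfo, and keys that look sensitive."""
    cfg = parse_vmx(text)
    nics = []
    for key, value in sorted(cfg.items()):
        m = re.match(r"^(ethernet\d+)\.networkName$", key)
        if m:
            nic = m.group(1)  # static MACs live in <nic>.address, generated ones in .generatedAddress
            mac = cfg.get(f"{nic}.address") or cfg.get(f"{nic}.generatedAddress", "")
            nics.append((nic, value, mac))
    guestinfo = {k: decode_guestinfo(cfg, k) for k in cfg
                 if k.startswith("guestinfo.") and not k.endswith(".encoding")}
    suspicious = []
    for k, v in [("annotation", cfg.get("annotation", ""))] + list(guestinfo.items()):
        if SECRET_RE.search(k) or SECRET_RE.search(v):
            suspicious.append(k)
    return {"display_name": cfg.get("displayName"), "annotation": cfg.get("annotation", ""),
            "nics": nics, "guestinfo": guestinfo, "suspicious": suspicious}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _gzb64(s):
    return base64.b64encode(gzip.compress(s.encode())).decode()


# Constructed sample .vmx (not downloaded from a real host); user data and annotation are illustrative.
_USERDATA = "#cloud-config\nchpasswd:\n  list: root:Sup3rS3cret\n"
_METADATA = "instance-id: db01\nlocal-hostname: db01\n"
SAMPLE_VMX = "\n".join([
    '.encoding = "UTF-8"',
    'config.version = "8"',
    'displayName = "db01"',
    'annotation = "Owner: dba team|0AReset root pw: Winter2024!|0A"',
    'ethernet0.networkName = "VLAN120-DB"',
    'ethernet0.addressType = "generated"',
    'ethernet0.generatedAddress = "00:50:56:ab:cd:ef"',
    'guestinfo.userdata.encoding = "base64"',
    'guestinfo.userdata = "%s"' % _b64(_USERDATA),
    'guestinfo.metadata.encoding = "gzip+base64"',
    'guestinfo.metadata = "%s"' % _gzb64(_METADATA),
])

if __name__ == "__main__":
    result = triage_vmx(SAMPLE_VMX)
    for field in ("display_name", "nics", "suspicious"):
        print(field, result[field])
    for key, value in result["guestinfo"].items():
        print(key, repr(value))
```

Point it at the file fetched with govc datastore.download above; a hit in suspicious means the downloaded .vmx alone, with no disk access, has yielded a credential or a cloud-init payload worth reporting.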
Console and Guest Operations
Console and guest operations privileges can become interactive VM access.
govc vm.info VM_NAME | grep -Ei 'tools|guest'
govc permissions.ls /Datacenter/vm/VM_NAME
Snapshot and Clone Abuse
Snapshot, clone, and export rights can expose production data.
govc snapshot.tree -vm VM_NAME
govc role.ls ROLE_NAME | grep -Ei 'clone|snapshot|disk|datastore'
ESXi SSH Exposure
SSH on ESXi is disabled by default and should stay that way; where it is enabled, root over SSH is full host control, so record who can reach it and whether lockdown mode is in effect.
nmap -p 22 --script ssh2-enum-algos,ssh-hostkey esxi01.target.local
ssh root@esxi01.target.local
SSO and Directory Weaknesses
AD or LDAP group mappings can grant broad vCenter privileges.
Get-VIPermission | Where-Object {$_.Principal -match "DOMAIN|@"} | Select-Object Principal,Role,Entity,Propagate
Get-VIPermission | Where-Object {$_.Role -match "Admin"} | Select-Object Principal,Entity,Propagate
Post-Exploitation
Inventory Impact
Summarize the visible VMware environment.
govc datacenter.info
govc find / -type h
govc find / -type m
govc datastore.ls
govc find / -type n
Permission Review
Document root, datacenter, VM, and datastore permissions.
govc permissions.ls /
govc permissions.ls /Datacenter
govc permissions.ls /Datacenter/vm
govc permissions.ls /Datacenter/datastore
Sensitive File Review
Search datastore listings for exports, snapshots, and memory files.
govc datastore.ls -ds datastore1 -R | grep -Ei 'backup|export|secret|password|credential|\.vmsn|\.vmem|\.ova|\.ovf|\.iso'
govc snapshot.tree -vm DomainController01
govc snapshot.tree -vm Database01
Network Mapping
VMware inventory reveals port groups, VLAN names, and workload placement. Guest network details require VMware Tools in the guest, and newer govc releases emit camelCase JSON keys (.virtualMachines[].name), so check the top-level keys with jq 'keys' before relying on a filter.
govc find / -type n
govc vm.info -json '*' | jq '.VirtualMachines[] | {name: .Name, networks: .Guest.Net}'
Get-VM | Select-Object Name,@{N="Network";E={(Get-NetworkAdapter -VM $_).NetworkName}}
Evidence Collection
Collect low-risk evidence instead of downloading disks or memory files.
govc about > vmware-about.txt
govc permissions.ls / > vmware-root-permissions.txt
govc find / -type h > vmware-hosts.txt
govc find / -type m > vmware-vms.txt
Common API Endpoints
| Endpoint | Purpose |
|---|---|
| /ui/ | vSphere Client |
| /sdk/ | vSphere SOAP API |
| /rest/com/vmware/cis/session | REST session endpoint (legacy API; responses wrapped in {"value": ...}) |
| /api/session | Newer REST session endpoint (vCenter 7.0 U2 and later; unwrapped responses) |
| /rest/vcenter/vm | VM inventory |
| /mob/ | Managed Object Browser (disabled by default on ESXi) |
| :5480/ | VCSA management |
| /folder/ | Datastore browser path |
Useful Tools
| Tool | Purpose |
|---|---|
| nmap | Service detection |
| curl | Endpoint checks |
| openssl | Certificate review |
| govc | vSphere API enumeration |
| PowerCLI | VMware administration checks |
| pyvmomi | Python vSphere automation |
| httpx | Web fingerprinting |
| jq | JSON parsing |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| vCenter or ESXi exposed broadly | Management-plane attack surface |
| Direct ESXi access from user networks | Central control bypass |
| Weak administrator credentials | Infrastructure compromise |
| Excessive root or datacenter roles | Broad VM and host control |
| Datastore browser exposed | VM file and config leakage |
| VM console access too broad | Interactive workload access |
| Snapshot or clone rights too broad | Production data copying |
| ESXi SSH enabled broadly | Host-level access |
| VCSA management exposed | Appliance administration risk |
| Missing MFA for admins | Credential theft impact |
| Outdated VMware components | Known vulnerability exposure |