vmware-vcenter-attack

Solid

VMware vSphere / vCenter Server external attack matrix — version fingerprinting, the high-impact CVE chain (CVE-2021-21972 vRealize unauth file upload, CVE-2021-21985 vSAN plugin RCE, CVE-2022-22954 Workspace ONE SSTI, CVE-2023-20887 Aria RCE, CVE-2024-37085 ESXi AD bypass, CVE-2023-34048 vCenter DCERPC OOB write APT-exploited), default credentials, SSO configuration disclosure, vmdir LDAP enumeration, ESXi Open SLP RCE history. ONLY for vCenter / Workspace ONE / Aria instances exposed to the internet — internal-network vCenter is out of scope per the external-only boundary. Use when recon shows port 443 with vCenter banner, `/ui` redirect, `/websso/SAML2/Metadata`, or VMware product fingerprints.

Category: AI & Automation · 1,478 stars · 216 forks · Updated 5 days ago · License: NOASSERTION

Quality Score: 86/100

| Component | Weight | Score |
| --- | --- | --- |
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

## When to use

Trigger when external recon shows ANY of:

- Banner: "VMware vCenter Server", "VMware vSphere Client"
- URL paths: `/ui`, `/ui/login`, `/websso/SAML2/Metadata`, `/sdk`, `/mob` (Managed Object Browser)
- TLS cert SAN includes `vcenter` / `vsphere` / `vcsa` / `psc` / `vmware`
- Workspace ONE Access / Identity Manager: `/SAAS`, `/SAAS/auth`, `/SAAS/login`, `/SAAS/horizon`
- VMware Aria / vRealize: `/vco`, `/vco-controlcenter`, `/orchestrator`, `/lcm/api/v1`
- Horizon View: `/portal`, `/admin`

Do NOT use for:

- Internal-network vCenter (out of scope — external boundary discipline)
- Pure ESXi hypervisor exposed without management plane (rare on internet; flag as separate finding)

---

## Step 1 — Version fingerprinting

```bash
TARGET="vcenter.target.com"

# Build info endpoint (often public; reveals exact patch level)
curl -sk "https://$TARGET/sdk/vimServiceVersions.xml"

# UI build (visible in page source)
curl -sk "https://$TARGET/ui/login" | grep -oE 'build[^"]{0,40}'
curl -sk "https://$TARGET/ui/" | grep -oE 'vsphere[^"]{0,40}'

# REST API version (vSphere 7+)
curl -sk "https://$TARGET/api/appliance/system/version"

# Cert metadata
echo | openssl s_client -connect "$TARGET:443" -servername "$TARGET" 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alt"

# SSO Admin Service (info disclosure)
curl -sk "https://$TARGET/sso-adminserver/sdk/vsphere.local"
curl -sk "https://$TARGET/websso/SAML2/Metadata/vsphere.local"
```

Map build → version → CVE ap...

Details

- Author: elementalsouls
- Repository: elementalsouls/Claude-BugHunter
- Created: 3 weeks ago
- Last Updated: 5 days ago
- Language: Python
- License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

enterprise-vpn-attack

External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. Covers version fingerprinting, CVE matrix (2018-2026), AAA backend identification, default credentials, configuration-disclosure paths, pre-auth RCE/SSRF/path-traversal exploits where applicable. Built from authorized-engagement Cisco ASA testing plus 2024-2026 enterprise VPN CVE landscape. Use whenever the target's perimeter exposes any SSL VPN appliance or remote-access gateway — these are the most common initial-access points in 2024-2026 actor TTPs.

1,478 Updated 5 days ago
elementalsouls
AI & Automation Listed

vmware-harden

Use this skill whenever the user needs to perform VMware compliance auditing, baseline checking, or drift detection on vSphere/ESXi/NSX environments. Directly handles: CIS / DISA STIG / vSphere SCG / MLPS (等保) 2.0 Level 3 / PCI-DSS scans; custom YAML baselines; LLM-driven remediation suggestions; web dashboard. Always use this skill for "scan compliance", "check baseline", "audit etcd", "check MLPS (等保)", "drift detection", "compliance report" when the context is explicitly VMware/vSphere/ESXi. Do NOT use for general vSphere monitoring (use vmware-monitor or vmware-aiops), network changes (use vmware-nsx), or executing remediations directly (this skill only suggests; execution goes through vmware-pilot).

1 Updated 3 days ago
zw008
Code & Development Solid

fix-vulnerability

Fix a vm2 sandbox escape vulnerability given a Security Advisory ID (GHSA/CVE). Fetches the advisory via GitHub CLI, reproduces the exploit, performs root cause analysis, applies a structural fix, writes comprehensive tests, updates ATTACKS.md, and red-teams the result. Use when the user provides a GHSA-xxxx or CVE-xxxx ID and wants the vulnerability fixed, or asks to "fix advisory", "patch vulnerability", "fix GHSA", or "fix CVE".

4,071 Updated 2 weeks ago
patriksimek
AI & Automation Solid

okta-attack

Okta-as-IdP red-team attack chain — tenant discovery, user enumeration (multiple vectors), authentication flow analysis (factors enumeration, push-notification fatigue, SMS bypass), password spray with lockout discipline, Okta-specific phishing primitives (kits, FastPass abuse, OIDC redirect_uri tampering), MFA enumeration, post-compromise admin API surface. Many enterprise orgs use Okta instead of (or alongside) Entra ID. Distinct endpoints, distinct rate-limiting, distinct factor flows. Use when recon shows `<tenant>.okta.com`, `<tenant>.okta-emea.com`, `<tenant>.oktapreview.com`, or autodiscover-style records pointing at Okta IdP.

1,478 Updated 5 days ago
elementalsouls
AI & Automation Featured

exploits

Analyze exploit intelligence for a vulnerability against the current repository

2,996 Updated yesterday
davepoon