dfirdeferred/VEXED

VEXED - vSphere EXploitation & Extraction Dumper

Welcome to V's Fear

vSphere Post-Exploitation Security Assessment Tool

A Python CLI tool for authorized security assessments of VMware ESXi hosts and vCenter Server appliances. Enumerates users, extracts Kerberos credentials, scans process memory, and tests for known misconfigurations — all from a single SSH/API session.


Legal Disclaimer

THIS TOOL IS PROVIDED FOR AUTHORIZED SECURITY TESTING ONLY.

VEXED is intended for use in:
  - Authorized penetration testing engagements
  - Security research in isolated lab environments
  - Blue team validation and hardening verification
  - Conference demonstrations (Black Hat, DEF CON, etc.)

Unauthorized access to computer systems is illegal. You are solely
responsible for obtaining proper authorization before using this tool.
The authors assume no liability for misuse.

What's New in v2.0

  • SAML Token Forgery — Extracts the STS signing certificate and private key from vCenter's vmdir LDAP, forges a SAML assertion for administrator@vsphere.local, and obtains an admin session cookie
  • Auto-Pivot to Managed ESXi Hosts — Decrypts VPX database credentials (symkey.dat + AES-256-CBC) and automatically SSH pivots to every managed ESXi host, running read-only assessment modules on each
  • Interactive Attack Graph — Cytoscape.js force-directed visualization embedded in the HTML report showing the complete attack chain: initial access, credential extraction, SAML forgery, VMCA cert forging, lateral movement, and domain compromise paths
  • Domain Compromise Paths — Maps extracted keytabs, TGTs, machine passwords, and forged certificates to Active Directory compromise vectors (pass-the-ticket, silver tickets, PKINIT cert forgery)
  • Interactive SSO Password Prompt — vCenter targets automatically prompt for the SSO admin password when not provided on the command line

Features

Reconnaissance & Enumeration

  • Auto-detect ESXi vs vCenter — Fingerprints the target via SSH banner, vmware -v, and API productLineId
  • User/group/permission enumeration — Local accounts, Active Directory users (Likewise), vSphere API permissions and sessions

Credential Extraction

  • Kerberos keytab extraction and parsing — Full principal, enctype, KVNO, and key material from /etc/krb5.keytab
  • Credential cache (ccache) extraction — TGTs and service tickets with flags, expiry, and session keys
  • Likewise registry machine password — Cleartext AD machine account password from Likewise registry
  • Shadow hash extraction — Password hashes from /etc/shadow
  • VPX database credential decryption — Decrypts vpxuser passwords for every managed ESXi host using symkey.dat (AES-256-CBC)

Certificate & Key Extraction

  • VMCA root CA private key — The crown jewel: enables forging any certificate in the vSphere PKI
  • SSL private keys — Host SSL keys, VECS certificate stores, solution user keys
  • Encryption keys — symkey.dat, vmentitykey.dat, data encipherment keys

SAML Token Forgery (vCenter)

  • STS signing material extraction — Extracts the IdP certificate and private key from vmdir LDAP
  • SAML assertion forging — Builds and signs a SAML 2.0 assertion for administrator@vsphere.local
  • Session cookie exchange — Obtains an admin vSphere session via LoginByToken or REST API fallback

Lateral Movement (vCenter)

  • Auto-pivot to managed ESXi hosts — Uses VPX-decrypted credentials to SSH into each managed host
  • Read-only child assessments — Runs detect, enumerate, credentials, vmca, proc_memory, and hardening on each pivoted host
  • Finding aggregation — Merges all child findings, credentials, and users into the parent report

Attack Graph

  • Interactive Cytoscape.js visualization — Force-directed graph embedded in the HTML report
  • Node types — Hosts (hexagons), assets (diamonds), users (ellipses), objectives (octagons), attacker (star)
  • Attack paths shown:
    • SSH initial access → credential extraction
    • STS cert → SAML forgery → admin API access
    • VMCA key → forged certificates → solution user impersonation / PKINIT cert forgery
    • symkey.dat → VPX password decryption → vpxuser SSH pivot
    • Keytabs → forge tickets → domain compromise
    • TGTs → pass-the-ticket → domain compromise
    • Machine password → domain compromise
  • Click-to-inspect detail panel, zoom/fit controls, PNG export

Memory Scanning

  • JVM heap scanning — Dumps vCenter STS process memory via gcore and scans for SAML tokens, passwords, and session material
  • ESXi process memory — Attaches to hostd/lwsmd via strace to capture live authentication data
  • Persistent monitoring mode — Continuous JVM heap scanning at configurable intervals

Security Testing

  • LDAP group modification — Tests for CVE-2024-37085 ESX Admins group privilege escalation
  • ESXi admin group reassignment — Tests configurable admin group persistence
  • Local user creation — Creates a vexed assessment user with SSH key for persistent access

Hardening Audit

  • ESXi (14 checks) — SSH, shell timeouts, lockdown mode, syslog, NTP, SNMP, MOB, VIB acceptance, account lockout, TLS, firewall, DCUI timeout, keytab permissions, AD membership
  • vCenter (7+ checks) — NTP, syslog, password expiry, root shell, PostgreSQL binding, VAMI, SSH timeout, identity source LDAPS, IWA/SPNEGO
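To make the pass/fail logic of an audit like the ESXi one above concrete, here is an added example of a small hardening evaluator. It is illustrative code written for this page, not VEXED's own audit module. The advanced-option names (UserVars.ESXiShellInteractiveTimeOut, UserVars.DcuiTimeOut, Security.AccountLockFailures, Config.HostAgent.plugins.solo.enableMob, Syslog.global.logHost) are real ESXi settings; the values in SAMPLE_ESXI are constructed rather than captured from a host, and the timeout and lockout thresholds are assumptions based on common benchmark guidance, not values the README states.

```python
"""Hardening-audit evaluator: an added, illustrative example, not VEXED's own
audit code. It scores a subset of the ESXi checks listed above against a dict
of collected settings. Advanced-option names are real ESXi settings; the
SAMPLE_ESXI values are constructed, and the thresholds are assumptions."""
from typing import Dict, List, Tuple

Result = Tuple[str, bool, str]  # (check name, passed, evidence)

# Constructed sample of what a collector might return for one ESXi host.
SAMPLE_ESXI: Dict[str, str] = {
    "UserVars.ESXiShellInteractiveTimeOut": "0",
    "UserVars.ESXiShellTimeOut": "600",
    "UserVars.DcuiTimeOut": "0",
    "Security.AccountLockFailures": "5",
    "Config.HostAgent.plugins.solo.enableMob": "true",
    "Syslog.global.logHost": "",
    "ntp_servers": "10.0.0.1,10.0.0.2",
    "lockdown_mode": "disabled",
    "ssh_running": "true",
    "keytab_mode": "-rw-r--r--",  # ls -l style mode of /etc/krb5.keytab
}


def readable_by_group_or_other(mode: str) -> bool:
    """True if an ls -l mode string such as '-rw-r--r--' grants read to group or other."""
    perms = mode[1:10]
    return "r" in perms[3:6] or "r" in perms[6:9]


def _as_int(value: str) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def audit(settings: Dict[str, str]) -> List[Result]:
    """Evaluate the collected settings; every check records its evidence string."""
    results: List[Result] = []

    def check(name: str, passed: bool, evidence: str) -> None:
        results.append((name, passed, evidence))

    shell_to = _as_int(settings.get("UserVars.ESXiShellInteractiveTimeOut", "0"))
    check("shell_interactive_timeout", 0 < shell_to <= 900, f"ESXiShellInteractiveTimeOut={shell_to}")

    dcui_to = _as_int(settings.get("UserVars.DcuiTimeOut", "0"))
    check("dcui_timeout", 0 < dcui_to <= 600, f"DcuiTimeOut={dcui_to}")

    lock = _as_int(settings.get("Security.AccountLockFailures", "0"))
    check("account_lockout", 0 < lock <= 5, f"AccountLockFailures={lock}")

    mob = settings.get("Config.HostAgent.plugins.solo.enableMob", "false").lower()
    check("mob_disabled", mob == "false", f"enableMob={mob}")

    loghost = settings.get("Syslog.global.logHost", "").strip()
    check("remote_syslog", bool(loghost), f"logHost={loghost!r}")

    ntp = [s for s in settings.get("ntp_servers", "").split(",") if s.strip()]
    check("ntp_configured", bool(ntp), f"ntp_servers={ntp}")

    lockdown = settings.get("lockdown_mode", "disabled").lower()
    check("lockdown_mode", lockdown != "disabled", f"lockdown_mode={lockdown}")

    ssh = settings.get("ssh_running", "false").lower()
    check("ssh_disabled", ssh != "true", f"ssh_running={ssh}")

    mode = settings.get("keytab_mode", "")
    check("keytab_permissions", bool(mode) and not readable_by_group_or_other(mode),
          f"/etc/krb5.keytab mode {mode}")

    return results


def failed_checks(results: List[Result]) -> List[str]:
    """Names of the checks that did not pass, in audit order."""
    return [name for name, passed, _ in results if not passed]


if __name__ == "__main__":
    for name, passed, evidence in audit(SAMPLE_ESXI):
        print(f"{'PASS' if passed else 'FAIL':4}  {name:28}  {evidence}")
```

Each check carries its evidence string so a report row can show why it failed rather than only that it failed; the keytab check is the one most directly tied to the credential-extraction findings, since a keytab readable by group or other is recoverable without root.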

Reporting

  • Self-contained HTML report — Dark-themed single file with findings, credentials, hardening audit, pivot results, and interactive attack graph
  • JSON output — Machine-readable output for SIEM ingestion and automation pipelines

Requirements

  • Python 3.9+
  • paramiko — SSH/SFTP connectivity
  • pyvmomi — vSphere SOAP API
  • rich — Terminal formatting and progress display
  • click — CLI framework
  • jinja2 — HTML report templating

Optional (for full functionality):

  • signxml — SAML assertion XML-DSig signing
  • lxml — XML processing for SAML forgery
  • cryptography — STS private key parsing and certificate handling
  • pycryptodome — Local AES decryption for VPX credentials (falls back to openssl on target)

Installation

From source (recommended)

git clone https://github.com/dfirdeferred/vexed.git
cd vexed
pip install -e .
vexed --version

Without install

git clone https://github.com/dfirdeferred/vexed.git
cd vexed
pip install -r requirements.txt
python -m vexed --version

Quick Start

Full vCenter assessment (interactive prompts for all credentials):

vexed --auto --dumpcreds

vCenter with all credentials specified:

vexed -t vcenter.corp.local -u root -p 'password' --sso-password 'sso_pass' --auto --dumpcreds

ESXi standalone assessment:

vexed -t 10.0.1.10 -u root --auto

SSH only (no API connection):

vexed -t 10.0.1.10 -u root -m ssh

Select specific modules:

vexed -t 10.0.1.10 -u root --modules detect,enumerate,credentials,vmca,attack_graph

Persistent JVM heap monitoring (vCenter):

vexed -t vcenter.corp.local -u root --persistent --interval 30

JSON output:

vexed -t 10.0.1.10 -u root --auto --json

Custom output directory:

vexed -t 10.0.1.10 -u root -o /tmp/assessment

CLI Options

| Flag | Long | Description |
|------|------|-------------|
| -t | --target | Target host (IP or FQDN) — prompts if not provided |
| -u | --username | SSH/API username — prompts if not provided |
| -p | --password | Password — prompts securely if not provided |
| -m | --method | Connection method: ssh, api, or both (default: both) |
| | --port | SSH port (default: 22) |
| | --api-port | vSphere API port (default: 443) |
| | --sso-password | SSO admin password for SAML forgery — prompts on vCenter if not provided |
| | --modules | Comma-separated module list (default: all applicable) |
| | --auto | Non-interactive mode — skip all prompts |
| | --persistent | Enable persistent monitoring (JVM heap loop) |
| | --interval | Monitoring interval in seconds (default: 60) |
| | --dumpcreds | Download credential files to disk (keytabs, keys, caches) |
| | --json | Write JSON output alongside HTML report |
| -o | --output-dir | Output directory (default: ./vexed_output) |
| | --no-report | Skip HTML report generation |
| -v | --verbose | Verbose output |
| | --version | Show version and exit |
| -h | --help | Show help and exit |

Modules

VEXED runs modules in a fixed order. Each module appends findings, credentials, and users to a shared AssessmentContext. Modules automatically skip if their target type doesn't match (e.g., vCenter-only modules skip on ESXi).

| # | Module | Description | Target |
|---|--------|-------------|--------|
| 1 | detect | Target fingerprinting (ESXi vs vCenter) | All |
| 2 | enumerate | User, group, and permission enumeration | All |
| 3 | credentials | Keytab, ccache, registry, shadow extraction | All |
| 4 | vmca | VMCA/SSL key and certificate extraction | All |
| 5 | vpx_decrypt | VPX database credential decryption | vCenter |
| 6 | proc_memory | ESXi process memory scanning (strace) | ESXi |
| 7 | jvm_heap | vCenter JVM heap scanning (gcore) | vCenter |
| 8 | saml_forge | SAML token forgery via STS cert extraction | vCenter |
| 9 | ldap_mod | CVE-2024-37085 LDAP group modification | Optional |
| 10 | group_admin | ESXi admin group reassignment | Optional, ESXi |
| 11 | user_create | Local assessment user creation | Optional |
| 12 | hardening | Configuration hardening audit | All |
| 13 | pivot | Auto-pivot to managed ESXi hosts | vCenter |
| 14 | attack_graph | Interactive attack graph generation | All |
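The scheduling rule above (fixed order, one shared context, target-type and optional-module skipping) is small enough to show in full. The following is an added example written for this page, not VEXED's own runner: the AssessmentContext, Module and run_modules names and fields are assumptions, the module bodies only record that they ran, and the productLineId values "vpx" and "embeddedEsx" are the ones the vSphere API reports for vCenter and ESXi respectively.

```python
"""Module-runner sketch: an added example illustrating the scheduling rule the
README describes, not VEXED's own code. Modules run in a fixed order, share one
AssessmentContext, and are skipped when their declared target type does not
match the detected one. Class, function and field names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set

ALL: FrozenSet[str] = frozenset({"esxi", "vcenter"})


@dataclass
class AssessmentContext:
    product_line_id: str                                   # constructed fingerprint input
    target_type: Optional[str] = None                      # set by the detect module
    findings: List[Dict[str, str]] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)      # modules that ran, in order
    skipped: Dict[str, str] = field(default_factory=dict)  # module name -> skip reason

    def add_finding(self, module: str, severity: str, title: str) -> None:
        self.findings.append({"module": module, "severity": severity, "title": title})


@dataclass
class Module:
    name: str
    targets: FrozenSet[str]                     # target types this module applies to
    run: Callable[[AssessmentContext], None]
    optional: bool = False                      # runs only when explicitly selected


def run_modules(modules: List[Module], ctx: AssessmentContext,
                selected: Optional[Set[str]] = None) -> AssessmentContext:
    """Run modules in list order; record a reason for every module that is skipped."""
    for mod in modules:
        if selected is not None and mod.name not in selected:
            ctx.skipped[mod.name] = "not selected"
        elif mod.optional and selected is None:
            ctx.skipped[mod.name] = "optional module not requested"
        elif (ctx.target_type is not None and mod.targets != ALL
              and ctx.target_type not in mod.targets):
            ctx.skipped[mod.name] = f"target type {ctx.target_type} not in {sorted(mod.targets)}"
        else:
            mod.run(ctx)
            ctx.executed.append(mod.name)
    return ctx


def detect(ctx: AssessmentContext) -> None:
    """Map the API productLineId to a target type; anything else is 'unknown'."""
    ctx.target_type = {"vpx": "vcenter", "embeddedEsx": "esxi"}.get(ctx.product_line_id, "unknown")
    ctx.add_finding("detect", "info", f"target identified as {ctx.target_type}")


def _recorder(name: str) -> Callable[[AssessmentContext], None]:
    """Module body that only records a finding, so the run order is observable."""
    def body(ctx: AssessmentContext) -> None:
        ctx.add_finding(name, "info", f"{name} ran against {ctx.target_type}")
    return body


# A subset of the module table above, in the same order.
MODULES: List[Module] = [
    Module("detect", ALL, detect),
    Module("enumerate", ALL, _recorder("enumerate")),
    Module("vpx_decrypt", frozenset({"vcenter"}), _recorder("vpx_decrypt")),
    Module("proc_memory", frozenset({"esxi"}), _recorder("proc_memory")),
    Module("ldap_mod", ALL, _recorder("ldap_mod"), optional=True),
    Module("hardening", ALL, _recorder("hardening")),
]


def assess(product_line_id: str, selected: Optional[Set[str]] = None) -> AssessmentContext:
    """Run the module list against a constructed fingerprint and return the context."""
    return run_modules(MODULES, AssessmentContext(product_line_id), selected)


if __name__ == "__main__":
    result = assess("vpx")
    print("ran:", result.executed)
    for name, reason in result.skipped.items():
        print(f"skipped {name}: {reason}")
```

Recording a reason for every skip, rather than silently dropping the module, is what makes the later report trustworthy: a reviewer can tell the difference between "no finding" and "module never ran on this host type".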

Attack Flow

vCenter Full Chain

  Attacker
     │
     ▼ SSH (root)
  vCenter ──────────────────────────────────────────────
     │
     ├─► Keytab ────────────────────► Domain Compromise
     │                                (forge tickets)
     ├─► vmdir LDAP ─► STS Cert
     │                    │
     │                    ▼
     │               Forged SAML Token ─► Admin API Access
     │
     ├─► VMCA Key ─► Forged Certificates
     │                    ├─► Solution User Impersonation
     │                    └─► PKINIT Cert Forgery ──► Domain Compromise
     │
     ├─► symkey.dat ─► AES Decrypt ─► VPX Passwords
     │                                    │
     │                                    ▼ vpxuser SSH
     │                              ┌─── ESXi Host 1
     │                              │       ├─► Keytab ──► Domain Compromise
     │                              │       └─► Machine Password ──► Domain Compromise
     │                              │
     │                              └─── ESXi Host 2
     │                                      ├─► Keytab ──► Domain Compromise
     │                                      └─► TGTs ──► Domain Compromise
     │
     └─► TGTs (ccache) ────────────► Domain Compromise
                                     (pass-the-ticket)

ESXi Standalone

  Attacker
     │
     ▼ SSH (root)
  ESXi Host
     │
     ├─► Keytab ──────────────────► Domain Compromise (forge tickets)
     ├─► TGTs (ccache) ──────────► Domain Compromise (pass-the-ticket)
     ├─► Machine Password ───────► Domain Compromise (machine account auth)
     ├─► Shadow Hashes ──────────► Offline Cracking
     └─► Service Tickets ────────► Service Access

Output

VEXED produces reports in the specified output directory. Use --dumpcreds to also download credential files to disk.

vexed_output/
├── report_20260301_143022.html          # Self-contained HTML report with attack graph
├── report_20260301_143022.json          # JSON results (if --json)
├── pivot_10.0.1.11/                     # Per-host pivot output (if hosts found)
│   └── ...
├── keytab/                              # (--dumpcreds only)
│   └── krb5.keytab
├── ccache/                              # (--dumpcreds only)
│   └── krb5cc_0
├── likewise/                            # (--dumpcreds only)
│   └── registry.db
├── keys/                                # (--dumpcreds only)
│   ├── etc_vmware_ssl_rui.key
│   ├── var_lib_vmware_vmca_privatekey.pem
│   └── etc_vmware-vpx_ssl_symkey.dat
└── vecs/                                # (--dumpcreds only)
    └── MACHINE_SSL_CERT_key.pem

HTML Report

The HTML report is a single self-contained file with a dark theme. It includes:

  • Executive summary with finding counts by severity
  • User enumeration and permission matrix
  • Credential tables (keytabs, ccaches, VPX passwords, shadow hashes, JVM heap findings)
  • Per-module findings with severity, evidence, and remediation guidance
  • Configuration hardening audit results (pass/fail table)
  • Lateral movement results (pivot success/failure per host)
  • Interactive Cytoscape.js attack graph with click-to-inspect nodes

JSON Output

When --json is specified, a structured JSON file is written containing all assessment data suitable for ingestion by SIEM platforms, reporting pipelines, or custom tooling.

License

Apache License 2.0 — see LICENSE for details.
