vmauthd_version & vmauthd_login does not seem to work #13776

Open
Ak74-577 opened this issue Jun 27, 2020 · 5 comments
Labels
confirmed Issues confirmed by a committer question Questions about Metasploit Usage

Ak74-577 commented Jun 27, 2020

Local OS:
Linux mint 19.03 64bit

Target OS:
ESXI 6.5

Metasploit Version:
Framework: 5.0.95-dev-
Console : 5.0.95-dev-

Note: the account, password, and IP are correct.

Module Error:
msf5 > use auxiliary/scanner/vmware/vmauthd_version
msf5 auxiliary(scanner/vmware/vmauthd_version) > set rhosts 192.168.159.150
msf5 auxiliary(scanner/vmware/vmauthd_version) > set rport 902
msf5 auxiliary(scanner/vmware/vmauthd_version) > run

[*] 192.168.159.150:902 - 192.168.159.150:902 Switching to SSL connection...
[*] 192.168.159.150:902 - Error: 192.168.159.150: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: no protocols available
[*] 192.168.159.150:902 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

$ tail -f .msf4/logs/framework.log
[06/27/2020 18:37:37] [e(0)] core: Error running against host 192.168.159.150: SSL_connect returned=1 errno=0 state=error: no protocols available
/opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/vmware/vmauthd_version.rb:107:in `connect'
/opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/vmware/vmauthd_version.rb:107:in `swap_sock_plain_to_ssl'
/opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/vmware/vmauthd_version.rb:57:in `run_host'
/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:117:in `block (2 levels) in run'
/opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'


msf5 > use auxiliary/scanner/vmware/vmauthd_login
msf5 auxiliary(scanner/vmware/vmauthd_login) > set rhosts 192.168.159.150
msf5 auxiliary(scanner/vmware/vmauthd_login) > set password admin!@#45
msf5 auxiliary(scanner/vmware/vmauthd_login) > set username root
msf5 auxiliary(scanner/vmware/vmauthd_login) > set rport 902
msf5 auxiliary(scanner/vmware/vmauthd_login) > run

[*] 192.168.159.150:902 - 192.168.159.150:902 - Starting bruteforce
[*] 192.168.159.150:902 - Error: 192.168.159.150: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: no protocols available
[*] 192.168.159.150:902 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

$ tail -f .msf4/logs/framework.log
[06/27/2020 18:38:54] [e(0)] core: Error running against host 192.168.159.150: SSL_connect returned=1 errno=0 state=error: no protocols available
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/vmauthd.rb:91:in `connect'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/vmauthd.rb:91:in `swap_sock_plain_to_ssl'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/vmauthd.rb:47:in `attempt_login'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/base.rb:179:in `block in each_credential'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/credential_collection.rb:121:in `each'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
/opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/vmware/vmauthd_login.rb:89:in `run_host'
/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:117:in `block (2 levels) in run'
/opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

@Ak74-577 Ak74-577 added the question Questions about Metasploit Usage label Jun 27, 2020
h00die commented Jul 5, 2020

what is the target vmware product and version?

edit, esxi 6.5, disregard.

h00die commented Jul 6, 2020

I'm able to replicate on 6.7u3 for vmauthd_version and vmauthd_login

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Sep 14, 2020
@dwelch-r7 dwelch-r7 added the confirmed Issues confirmed by a committer label Sep 14, 2020
ide0x90 added a commit to ide0x90/metasploit-framework that referenced this issue Oct 17, 2020
@github-actions github-actions bot removed the Stale Marks an issue as stale, to be closed if no action is taken label Jan 22, 2021
chick0n commented Feb 17, 2021

Is there a workaround for "vmauthd_login"?
Doesn't work for me either.

bcoles commented Feb 17, 2021

> Is there a workaround for "vmauthd_login"?
> Doesn't work for me either.

The error above is due to failed SSL/TLS protocol negotiation. You could try different SSL settings such as SSLVersion. However, the SSL/TLS protocol is Auto by default, so this probably won't help.

msf6 auxiliary(scanner/vmware/vmauthd_login) > show advanced

Module advanced options (auxiliary/scanner/vmware/vmauthd_login):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CHOST                                  no        The local client address
   CPORT                                  no        The local client port
   ConnectTimeout        10               yes       Maximum number of seconds to establish a TCP connection
   MaxGuessesPerService  0                no        Maximum number of credentials to try per service instance. If set to zero or a non-number, this option will not be used.
   MaxGuessesPerUser     0                no        Maximum guesses for a particular username for the service instance. Note that users are considered unique among different services, so a user at 10.1.1.1:22 is different from one at 10.2.2.2:22, and both will be tried up to the MaxGuessesPerUser limit. If set to zero or a non-number, this option will not be used.
   MaxMinutesPerService  0                no        Maximum time in minutes to bruteforce the service instance. If set to zero or a non-number, this option will not be used.
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   REMOVE_PASS_FILE      false            yes       Automatically delete the PASS_FILE on module completion
   REMOVE_USERPASS_FILE  false            yes       Automatically delete the USERPASS_FILE on module completion
   REMOVE_USER_FILE      false            yes       Automatically delete the USER_FILE on module completion
   SSL                   false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                              no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode         PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion            Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   ShowProgress          true             yes       Display progress messages during a scan
   ShowProgressPercent   10               yes       The interval in percent that progress should be shown
   TRANSITION_DELAY      0                no        Amount of time (in minutes) to delay before transitioning to the next user in the array (or password when PASSWORD_SPRAY=true)
   WORKSPACE                              no        Specify the workspace for this module

msf6 auxiliary(scanner/vmware/vmauthd_login) > 

As for workarounds, you could try an intermediary SSL/TLS proxy (mitmproxy?).

If the vmware authd protocol does not require SSL/TLS then you could try clear text with set ssl false.
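
A local check related to the failure discussed in this thread, as an added example (not code from Metasploit or from any commenter): it pins a Ruby OpenSSL client to each protocol version behind the module's SSLVersion choices and handshakes with an in-process server over a socket pair, returning the exception text for any version that cannot be used on the scanning host. The helper names and the throwaway certificate are constructed for illustration.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate for the in-process test server (constructed).
def throwaway_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Handshake with the client pinned to one version; returns the negotiated version or the error text.
def probe(version, cert, key)
  client_io, server_io = UNIXSocket.pair
  server = Thread.new do
    sctx = OpenSSL::SSL::SSLContext.new
    sctx.cert = cert
    sctx.key = key
    OpenSSL::SSL::SSLSocket.new(server_io, sctx).accept
  rescue StandardError
    nil # the client side reports the failure
  ensure
    server_io.close # guarantees the client never blocks on a dead server
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # test certificate is self-signed
  cctx.min_version = version
  cctx.max_version = version
  OpenSSL::SSL::SSLSocket.new(client_io, cctx).connect.ssl_version
rescue StandardError => e
  "#{e.class}: #{e.message}"
ensure
  client_io&.close
  server&.join(2)
end

# Map each fixed protocol version to its local handshake result.
def local_tls_report
  cert, key = throwaway_cert
  %i[SSL3 TLS1 TLS1_1 TLS1_2].to_h { |v| [v, probe(v, cert, key)] }
end

local_tls_report.each { |v, r| puts format('%-7s %s', v, r) } if __FILE__ == $PROGRAM_NAME
```

Run it with the same Ruby and OpenSSL that Metasploit uses (for the Omnibus install in the report, the embedded Ruby under /opt/metasploit-framework/embedded) so the result reflects the library the module actually loads.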
