I just came across a cool trick you can try which allows you to crack passwords on a remote system that is running the VMware Authentication Daemon. This service installs and runs by default on Windows host machines that have VMware Virtual Workstation installed, and listens on TCP port 912. It shows up on nmap as apex-mesh, but doesn’t follow the APEX protocol at all. Instead, it looks a little bit like a hybrid between an FTP and SMTP server:
220 VMware Authentication Daemon Version 1.0, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
?
530 Please login with USER and PASS.
USER test
331 Password required for test.
PASS test
530 Login incorrect.
USER Graham
331 Password required for Graham.
PASS <snip>
230 User Graham logged in.
?
500 Unknown command '?'
HELP
500 Unknown command 'HELP'
INFO
500 Unknown command 'INFO'
STAT
500 Unknown command 'STAT'
CD C:\
500 Unknown command 'CD C:\'
HELO
500 Unknown command 'HELO'
HELLO
500 Unknown command 'HELLO'
EXIT
500 Unknown command 'EXIT'
QUIT
221 Goodbye
As you can see, I couldn’t find any working commands. The interesting part is that it accepted my real NT username and password for the machine that the service was running on. Even more interesting, it doesn’t seem to have any rate-limiting or obvious “failed attempt” logs, so it’s much more stealthy than attacking RDP or SMB directly. In fact, this may translate over to Linux user accounts, too.
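Because the daemon itself leaves no failed-attempt log, the place a defender can still see password guessing is the TCP/912 stream itself. The script below is an added example, not code from the original post: it walks a constructed list of server replies (made-up client IPs, usernames and timings), flags any source that sends a burst of "530 Login incorrect." replies, and reports which "230 ... logged in." successes followed from the same source.

```python
import re
from collections import defaultdict

# Reply lines the daemon sends during authentication, taken from the transcript above.
LOGIN_FAILED = "530 Login incorrect."
LOGIN_OK_RE = re.compile(r"^230 User (\S+) logged in\.$")

# Constructed sample of server replies captured on TCP/912: (seconds, client IP, reply line).
# Hypothetical rows for illustration only, not real traffic.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.5", "331 Password required for svc_backup."),
    (0.2, "10.0.0.5", "530 Login incorrect."),
    (0.9, "10.0.0.5", "530 Login incorrect."),
    (1.4, "10.0.0.5", "530 Login incorrect."),
    (2.0, "10.0.0.5", "530 Login incorrect."),
    (2.7, "10.0.0.5", "530 Login incorrect."),
    (3.3, "10.0.0.5", "230 User svc_backup logged in."),
    (5.0, "10.0.0.9", "530 Login incorrect."),
    (40.0, "10.0.0.9", "230 User graham logged in."),
]

def auth_events(replies):
    """Split replies into per-client failure timestamps and (timestamp, user) successes."""
    failed, ok = defaultdict(list), defaultdict(list)
    for ts, client, line in replies:
        if line == LOGIN_FAILED:
            failed[client].append(ts)
        elif (m := LOGIN_OK_RE.match(line)):
            ok[client].append((ts, m.group(1)))
    return failed, ok

def burst_sources(failed, threshold=5, window=30.0):
    """Clients with >= threshold failures inside any sliding window of `window` seconds."""
    flagged = set()
    for client, times in failed.items():
        times = sorted(times)
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(client)
                break
    return flagged

def detect(replies, threshold=5, window=30.0):
    """Map each brute-forcing client to the accounts it then logged into (empty list if none)."""
    failed, ok = auth_events(replies)
    return {c: [u for _, u in ok.get(c, [])] for c in burst_sources(failed, threshold, window)}
```

On the sample data only 10.0.0.5 is flagged, and the script shows it went on to log in as svc_backup; a single failure from 10.0.0.9 followed by a normal login is left alone.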
It turns out that someone already created a metasploit module for exactly this purpose, so go nuts!