# VMware ESX / vCenter Pentesting

{{#include ../../banners/hacktricks-training.md}}


## Enumeration

```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```

## Bruteforce

```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```

If you find valid credentials, you can use more metasploit scanner modules to obtain information.



### See also

Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):

{{#ref}}
../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
{{#endref}}

{{#include ../../banners/hacktricks-training.md}}