Password cracking with VMware Authentication Daemon

I just came across a cool trick you can try which allows you to crack passwords on a remote system that is running the VMware Authentication Daemon. This service installs and runs by default on Windows host machines that have VMware Virtual Workstation installed, and listens on TCP port 912. It shows up on nmap as apex-mesh, but doesn’t follow the APEX protocol at all. Instead, it looks a little bit like a hybrid between an FTP and SMTP server:

220 VMware Authentication Daemon Version 1.0, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,
?
530 Please login with USER and PASS.
USER test
331 Password required for test.
PASS test
530 Login incorrect.
USER Graham
331 Password required for Graham.
PASS <snip>
230 User Graham logged in.
?
500 Unknown command '?'
HELP
500 Unknown command 'HELP'
INFO
500 Unknown command 'INFO'
STAT
500 Unknown command 'STAT'
CD C:\
500 Unknown command 'CD C:\'
HELO
500 Unknown command 'HELO'
HELLO
500 Unknown command 'HELLO'
EXIT
500 Unknown command 'EXIT'
QUIT
221 Goodbye

As you can see, I couldn’t find any working commands. The interesting part is that it accepted my real NT username and password for the machine that the service was running on. Even more interesting, it doesn’t seem to have any rate-limiting or obvious “failed attempt” logs, so it’s much more stealthy than attacking RDP or SMB directly. In fact, this may translate over to Linux user accounts, too.
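Since the host itself shows no obvious failed-attempt log, the place to catch this is the wire. Here is an added example (not from the original post or the Metasploit module) that parses reconstructed TCP 912 sessions in the FTP-style format shown above and flags clients with a run of "530 Login incorrect." replies; the sample transcripts are constructed and the failure threshold is an assumed value.

```python
import re
# Reply strings from the FTP-style exchange shown above.
BANNER_RE = re.compile(r"^220 VMware Authentication Daemon")
USER_RE = re.compile(r"^USER (\S+)", re.IGNORECASE)
SUCCESS_RE = re.compile(r"^230 User (\S+) logged in\.")
FAIL = "530 Login incorrect."

def summarize_session(transcript):
    """Count 530/230 replies and collect usernames tried in one TCP 912 session."""
    summary = {"vmauthd": False, "users": [], "failed": 0, "success": []}
    for line in map(str.strip, transcript.splitlines()):
        if BANNER_RE.match(line):
            summary["vmauthd"] = True
        elif m := USER_RE.match(line):
            if m.group(1) not in summary["users"]:
                summary["users"].append(m.group(1))
        elif line == FAIL:
            summary["failed"] += 1
        elif m := SUCCESS_RE.match(line):
            summary["success"].append(m.group(1))
    return summary

def flag_guessing(sessions, max_failures=5):
    """Flag vmauthd sessions with >= max_failures 530 replies (5 is an assumed tuning value)."""
    alerts = []
    for client, transcript in sessions.items():
        s = summarize_session(transcript)
        if s["vmauthd"] and s["failed"] >= max_failures:
            alerts.append((client, s["failed"], s["users"], s["success"]))
    return alerts

def make_session(failed_users, final_user=None):
    """Build a constructed transcript: one 530 per entry, then an optional 230 login."""
    lines = ["220 VMware Authentication Daemon Version 1.0, ServerDaemonProtocol:SOAP, MKSDisplayProtocol:VNC ,"]
    for user in failed_users:
        lines += [f"USER {user}", f"331 Password required for {user}.", "PASS ****", FAIL]
    if final_user:
        lines += [f"USER {final_user}", f"331 Password required for {final_user}.", "PASS ****",
                  f"230 User {final_user} logged in."]
    return "\n".join(lines + ["QUIT", "221 Goodbye"])

# Constructed sample traffic: a guessing run that ends in a login, and one benign mistyped password.
SAMPLE_SESSIONS = {
    "10.0.0.5:51000": make_session(["test", "admin", "Graham", "Graham", "Graham", "Graham"], "Graham"),
    "10.0.0.9:51020": make_session(["Graham"]),
}

if __name__ == "__main__":
    for client, failed, users, logins in flag_guessing(SAMPLE_SESSIONS):
        print(f"ALERT {client}: {failed} failed vmauthd logins, tried {users}, logged in as {logins}")
```

The "530 Please login with USER and PASS." reply to a stray command is deliberately not counted, so only real PASS rejections drive the alert.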

It turns out that someone has already created a Metasploit module for exactly this purpose, so go nuts!