ESXi console / shell
ESXi runs VMware's proprietary VMkernel, not Linux. IR tools written against Linux kernel interfaces (kernel modules, /proc-based collectors, LiME-style memory acquisition) will fail or produce incomplete results; only the BusyBox-style userland tooling described below is available.
SSH is disabled by default and must be enabled before the CLI is reachable over the network. To enable it from the web interface, go to https://hostname:/ui/#/manage/services, find the SSH service (TSM-SSH) and start it. The same service can also be enabled from the DCUI under Troubleshooting Options. Enabling it changes the host's service state, so record the time you did it in your IR notes.
After connecting via SSH you'll be dropped into the ESXi Shell, a cut-down, customised BusyBox (ash) shell. Note: the root user's SSH authorised keys live at /etc/ssh/keys-root/authorized_keys rather than in ~/.ssh, so check that file for attacker-added persistence.
Common log file locations
A lot of incident response scripts (UAC for example) try to identify the operating system from the output of uname -a or lsb_release -a. On ESXi, uname reports the kernel name as VMkernel and lsb_release does not exist, so Linux-oriented detection logic misclassifies the host or gives up.
UAC execution/triaging on an ESXi hypervisor: if you're using UAC v2.1.0 or earlier, the run will fail unless you specify the operating system explicitly with the '-s' switch.
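An added example (not from the original page or from the UAC project): a small POSIX sh helper that maps the kernel name from uname -s to the value UAC expects and builds the UAC invocation, forcing -s esxi on a VMkernel host. The profile name "full" and the destination directory are assumptions; pick whichever profile and datastore path suit the case.

```shell
#!/bin/sh
# Added example: decide how to drive UAC on an ESXi host.
# ESXi's uname(1) reports "VMkernel" as the kernel name, which
# Linux-centric collectors do not recognise; UAC's -s switch forces the OS.

# classify_kernel KERNEL_NAME -> prints the UAC operating-system value
classify_kernel() {
    case "$1" in
        VMkernel) echo esxi ;;
        Linux)    echo linux ;;
        FreeBSD)  echo freebsd ;;
        Darwin)   echo macos ;;
        *)        echo unknown ;;
    esac
}

# uac_command OS OUTDIR -> prints the UAC command line to run.
# OUTDIR is an assumption; on ESXi write to a datastore under /vmfs/volumes
# with free space, never to the RAM-backed root filesystem.
uac_command() {
    os="$1"; outdir="$2"
    if [ "$os" = esxi ]; then
        # UAC <= 2.1.0 cannot detect ESXi itself; pass -s explicitly.
        echo "./uac -p full -s esxi $outdir"
    else
        echo "./uac -p full $outdir"
    fi
}

# On the live host (assumed datastore path), print the command, review it,
# then run it:
#   os=$(classify_kernel "$(uname -s)")
#   uac_command "$os" /vmfs/volumes/datastore1/ir
```

The helper only prints the command rather than running it, so the analyst can confirm the destination datastore before UAC starts writing.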
The usual evidence-handling primitives still exist on ESXi:
- Hashing: md5sum, sha1sum, sha256sum, sha512sum
- Imaging: dd
- Compression: gzip
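An added example (not from the original page): a POSIX sh function that images a device or file with dd, compresses it with gzip and verifies that the compressed image decompresses to the same SHA-256 as the source, using only tools present in the ESXi BusyBox shell. The source and destination paths are assumptions; on a real host the source is typically a device under /dev/disks/ or a .vmdk flat file under /vmfs/volumes/.

```shell
#!/bin/sh
# Added example: image a block device or file with the BusyBox tools on ESXi
# (dd, gzip, sha256sum) and verify the compressed image round-trips to the
# same hash as the source. Paths are assumptions for illustration.

# image_and_verify SRC DEST.gz -> writes DEST.gz and DEST.gz.sha256;
# prints OK when the decompressed image hashes identically to SRC,
# MISMATCH otherwise.
image_and_verify() {
    src="$1"; dest="$2"
    # Hash the source first so the reference value exists before anything
    # else touches the evidence.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # Plain dd with 1M blocks. Deliberately no conv=sync: padding the last
    # partial block would change the image hash and break verification.
    dd if="$src" bs=1M 2>/dev/null | gzip -c > "$dest"
    # Verify by decompressing the stream, never by trusting the copy.
    img_hash=$(gunzip -c "$dest" | sha256sum | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" > "$dest.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Example on a live host (assumed device name and datastore):
#   image_and_verify /dev/disks/naa.600000000000000000000000000000001 \
#       /vmfs/volumes/evidence/naa.6000...1.img.gz
```

Two caveats: the ESXi root filesystem is an in-memory ramdisk, so the image must go to a datastore (under /vmfs/volumes) with enough free space, and writing to a datastore on the same host alters that datastore, so an attached evidence datastore or streaming the gzip output over SSH to a collector (after enabling the sshClient firewall ruleset with esxcli network firewall ruleset set -e true -r sshClient) is preferable to writing onto the volumes under investigation.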
The following is a list of the commands available on ESXi 7.0 RC3