ESXi console / shell
ESXi runs a custom kernel (VMkernel), not Linux. Typical IR tools that are designed for Linux kernels are going to fail.
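SSH management must be enabled through the web interface before the host can be reached from the CLI. To enable it, go to https://hostname/ui/#/manage/services, search for SSH (TSM-SSH) and start the service. Note the time you enable it so the change can be told apart from other activity on the host, and disable it again once collection is finished.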
After connecting via SSH, you'll be dropped into a shell. It's a cut-down, customised BusyBox shell. Note: root's SSH authorized keys are stored in /etc/ssh/keys-root/authorized_keys; review this file for keys you do not recognise.
Common log file locations
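A lot of incident response scripts (UAC, for example) attempt to identify the operating system's kernel from the output of uname -a or lsb_release -a. On ESXi, uname reports VMkernel rather than Linux, as shown below, and lsb_release does not appear in the command list further down.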
[root@localhost:~] uname -a
VMkernel hostname.domain 7.0.3 #1 SMP Release build-19193900 Jan 11 2022 15:57:16 x86_64 x86_64 x86_64 ESXi
[root@localhost:~]
Running UAC to triage an ESXi hypervisor: if you're using UAC v2.1.0 or earlier, it will fail unless you specify the kernel using the '-s' switch, as in the command below.
[root@localhost:~] ./uac -p full /output-directory -s linux
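Hashing utilities still exist on ESXi (md5sum, sha1sum, sha256sum, sha512sum). Imaging can be done via dd. Compression can be done via gzip. Hash each image or archive on the host before transferring it, so its integrity can be verified afterwards.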
The following is a list of the commands available on ESXi 7.0 RC3
[root@localhost:~]
BootModuleConfig.sh esxtokend net-lbt stty
VmfsLatencyStats.py esxtop net-stats sum
Xorg esxupdate netdbg summarize-dvfilter
[ expr netdbg.py sync
[[ false nfcd tail
amldump fgrep nfsStats tar
apiForwarder filter-modified-files.pyc nicmgmtd taskset
apply-host-profiles find nohup tcpdump-uw
applyHostProfile firmwareConfig.py nologin techsupport.sh
applyHostProfileWrapper gdbserver nslookup tee
ash generate-certificates ntp-keygen test
authd getAccessToken ntpd time
auto-backup.sh getty ntpq timeout
awk gpuvm od tmpwatch.py
backup-check grabCIMData openssl touch
backup.sh grep openwsmand tpm2emu
basename gstorecli pam_tally2 tracenet
bootOption gunzip partedUtil traceroute
bunzip2 gzip passwd true
bzip2 halt pcpu-exec-stats udpTraceLogger
cat hbrfilterctl pcscd uname
chardevlogger head pgrep uniq
check_serial hexdump pidof unlzop
chgrp host_reboot.sh pigz unzip
chkconfig host_shutdown.sh ping updateProductLockerPolicy
chmod hostd ping6 uptime
chown hostd-probe pkill usleep
chvt hostd-probe.sh pktcap-uw uwstats
cim-diagnostic.sh hostdCgiServer pmemGC vdf
cim_host_powerops hostname powerOffVms vdq
cksum hwclock poweroff vdu
clear indcfg printf vi
cmmds-tool inetd prop_of_instances viewAudit
configstorecli init ps vim-cmd
cp init-launcher ptpd vm-support
crond initSystemStorage pwqcheck vmdumper
crx-cli initterm.sh python vmfs-support
crypto-util install python3 vmfsfilelockinfo
cut io-stats python3.5 vmkbacktrace
date ioinsight python3.8 vmkchdev
dcbd irqinfo randomSeed vmkdevmgr
dcui jumper2 readlink vmkdump_extract
dcuiweasel jumpstart reboot vmkerrcode
dd kdestroy remoteDeviceConnect vmkflames.pyc
df kill reset vmkfstools
dhclient-uw kinit resize vmkipcrm
diff klist rhttpproxy vmkipcs
dirname less rm vmkiscsid
dmesg libvmkdevmgr.so rmdir vmkload_mod
dnsdomainname lldpnetmap rollbackUtil.pyc vmkmkdev
doat ln rpcfg vmkperf
dosfsck loadESXEnable runInRP vmkping
du localcli sandboxd vmkramdisk
echo lockfile sched-stats vmkvsitools
egrep logchannellogger schedsnapshot vmtar
eject logger scp vmtoolsd
enum_instances login sdrsInjector vmware
env ls secpolicytools vmware-autostart.sh
esxcfg-advcfg lsacpi sed vmware-toolbox-cmd
esxcfg-dumppart lsof sensord vmware-usbarbitrator
esxcfg-fcoe lsom-stats seq vmware-vimdump
esxcfg-hwiscsi lspci services.sh vmx
esxcfg-info lsud setsid vmx-buildtype
esxcfg-init lsusb sfcbd vmx-debug
esxcfg-ipsec lzop sh vmx-stats
esxcfg-module lzopcat sha1sum voma
esxcfg-mpath mcopy sha256sum vprobe
esxcfg-nas md5sum sha512sum vsantop
esxcfg-nics mdir sharedStorageHostProfile.sh vscsiStats
esxcfg-rescan memstats shutdown.sh vsi_traverse
esxcfg-resgrp mkdir sleep vsish
esxcfg-route mkfifo slpd vvold
esxcfg-scsidevs mknod smartd watch
esxcfg-swiscsi mktemp smbiosDump watchdog.sh
esxcfg-vmknic mmd snmpd wc
esxcfg-volume more sntp wget
esxcfg-vswitch mtools sort which
esxcli mv ssh who
esxcli.py nc ssl_client xargs
esxgdpd net-cdp stat xkbcomp
esxhpcli net-dvs storageRM xz
esxhpedit net-lacp strace zcat