nmap-sV--script"http-vmware-path-vuln or vmware-version"-p<PORT><IP>msf>useauxiliary/scanner/vmware/esx_fingerprintmsf>useauxiliary/scanner/http/ms15_034_http_sys_memory_dump
Bruteforce
msf>auxiliary/scanner/vmware/vmware_http_login
If you find valid credentials, you can use more metasploit scanner modules to obtain information.