[Gloucs] Hypervisors.

Matthew Phillips phillips321 at gmail.com
Sun Sep 19 11:12:00 UTC 2010


Within pentesting the first thing we would do is perform hardware
fingerprinting if we believe we might have gained access to a VM. This
identifies specific hardware that is associated with a virtual machine, e.g.
a motherboard vendor of VMware is a huge giveaway.

You can also attempt to make direct machine calls to the CPU to see if it is
virtual or real. (Another less used option is to detect where the interrupt
descriptor table register is located in memory - google red/blue pill in a
virtual machine - think like the Matrix.)

The best way to jump from the VM onto the host would be to try to exploit
the already implemented control protocols such as the VMware cmdline tools
feature. Many of the hardware drivers have issues as well; I recall a
vulnerability which allowed a malicious video being played in the VM the
ability to execute a command on the host. Can't find this in metasploit at
the mo..... not even sure if there is a name for this. Maybe virtual OS
traversal???

I'm looking forward to giving the talk on Tuesday and any questions that it
generates.

Matt
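The two guest-side checks described above (the CPUID "am I virtual" call and the motherboard/system vendor string) as an added example for auditing one's own machines; this is not Matt's code nor anything from VMware or another project named here. It assumes GCC or Clang on x86 for the CPUID path and a Linux sysfs path (/sys/class/dmi/id/sys_vendor) for the DMI path; the vendor signatures and DMI strings in the tables are the ones the named hypervisors are documented to emit.

```c
/* Added example, not code from the original post: a guest-side check that
 * combines the two signals Matt describes, for auditing one's own hosts.
 * Assumes GCC or Clang; CPUID is compiled only on x86, DMI assumes Linux. */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit. It is a hint,
 * not proof: a hypervisor may mask it. Returns 1, 0, or -1 if no CPUID. */
static int hypervisor_bit_set(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* Leaf 0x40000000 carries a 12-byte vendor signature in EBX:ECX:EDX once the
 * hypervisor bit is set. Fills sig (13 bytes) and returns 1, else 0. */
static int hypervisor_signature(char sig[13])
{
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (hypervisor_bit_set() != 1)
        return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(sig, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    sig[12] = '\0';
    return 1;
#else
    return 0;
#endif
}

/* Well-known signatures; prefix match because KVM's is NUL-padded. */
static const char *classify_signature(const char *sig)
{
    static const struct { const char *prefix, *name; } table[] = {
        { "VMwareVMware", "VMware" },     { "KVMKVMKVM", "KVM" },
        { "Microsoft Hv", "Hyper-V" },    { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" }, { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(sig, table[i].prefix, strlen(table[i].prefix)) == 0)
            return table[i].name;
    return "unknown hypervisor";
}

/* Second signal: the SMBIOS system vendor (the "motherboard vendor" in the
 * post). "Microsoft Corporation" is left out on purpose: physical Surface
 * hardware reports it too, so Hyper-V needs product_name as well. */
static int dmi_vendor_is_virtual(const char *vendor)
{
    static const char *needles[] = { "VMware", "innotek GmbH", "QEMU", "Xen" };
    for (size_t i = 0; i < sizeof needles / sizeof needles[0]; i++)
        if (strstr(vendor, needles[i]) != NULL)
            return 1;
    return 0;
}

/* Reads /sys/class/dmi/id/sys_vendor; 1 on success, 0 if unreadable. */
static int read_sys_vendor(char *buf, size_t len)
{
    FILE *f = fopen("/sys/class/dmi/id/sys_vendor", "r");
    int ok = f != NULL && fgets(buf, (int)len, f) != NULL;
    if (f != NULL)
        fclose(f);
    if (ok)
        buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

int main(void)
{
    char sig[13], vendor[128];
    if (hypervisor_bit_set() == -1)
        puts("CPUID: not available on this architecture");
    else if (hypervisor_signature(sig))
        printf("CPUID: hypervisor \"%.12s\" -> %s\n", sig, classify_signature(sig));
    else
        puts("CPUID: hypervisor bit clear (bare metal, or a hypervisor hiding it)");
    if (read_sys_vendor(vendor, sizeof vendor))
        printf("DMI: \"%s\" -> %s\n", vendor,
               dmi_vendor_is_virtual(vendor) ? "virtual" : "no known VM vendor");
    else
        puts("DMI: sys_vendor not readable");
    return 0;
}
```

Build with `cc -o vmcheck vmcheck.c && ./vmcheck`. Both signals are under the hypervisor's control, so a clear hypervisor bit or a plain vendor string proves nothing on its own; the two are combined precisely because either can be masked. The IDT-location trick from the red pill paper is deliberately left out: it gives different answers per core on multi-processor systems and is not meaningful under hardware-assisted virtualisation.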
On 19 September 2010 11:56, Anthony Edward Cooper <aecooper at coosoft.plus.com> wrote:

> It is possible to detect whether you are inside a VM or not and there are
> exploits out there that can be used to jump onto the host system. The more
> widely used virtualisation software like VMware is going to be targeted more
> because of its prevalence. Ironically stuff like VirtualBox, aimed primarily
> at the home/enthusiast/college user will probably be more secure as it is
> less likely that someone would have written an exploit for it. But it is a
> good product and if they ever do an ESX style VirtualBox then who knows...
>
> However, there is a big difference between what is possible and what is
> likely. Virus/malware detector companies will always push the former and not
> the latter as it is good business to scare people. Most attacks are done by
> mindless script kiddies using other people's hard work via tools like
> metasploit. A good hardware firewall, a few free anti-virus products (AVG,
> win-clam etc) and regular patching will normally do the trick. Also regular
> backups are a good thing as well.
>
> As for unprotected windows VMs... If the host is Linux/non-windows and no
> other windows machines are booted up on your local network at the time and
> the VM has non-persistent storage then you should be ok. If you want
> persistent storage then deny the VM access to the internet by selecting host
> only networking.
>
> For what it's worth I can give a quick chat about my experiences with
> VMware and VirtualBox (but only if there is time after our main speaker :-)
> ). But nothing that most people probably wouldn't know already..... Perhaps
> posting here would be better.......
>
> Tony.
>
>
> Geoff Bagley wrote:
>
>> When running several guest systems on top of a hypervisor, can anyone
>> please tell me what are the implications for
>>
>> anti-malware software and firewalls?
>>
>>
>> Would a "guest" Windows still be bogged down with tardy antivirus progs?
>>
>>
>> If Windows runs better as a guest on a Linux box, would this help entice
>> Windows users to experience Linux ?
>>
>>
>> Geoff.
>>
>>
>> _______________________________________________
>> gloucs mailing list
>> gloucs at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/gloucs
>>
>
>
>
