Title: Detecting virtualization on servers located behind routers?
Post by: manoj9372 on November 18, 2010, 02:26:46 AM

1)I have a scene like this,

Assume "A" is a target network on the internet running some windows servers using "XEN" virtualization and some linux servers inside vmware workstations,

Now assume i am on some random network on the internet,with different ISP ,I need to detect or confirm whether the target servers with any kind of "virtulaization" technology,

Also is there any difference between a OS running inside a "virtual environment" and "non-virtual environment"?with what kind of characters i can identify this?

As my target network is located behind router,I am struggling to determine this,..Looking for some ideas ???
__________________________________________________________________

2)I am much more interested in Practicing enumeration on a NAT network,
but considering legal issues ,I don't know where to practice this enumeration,Also i don't know where to find a NAT network for practicing,Can any body give some suggestions for this problem?

Hope i will find some help...

Title: Re: Detecting virtualization on servers located behind routers?
Post by: SephStorm on November 18, 2010, 02:38:48 AM

Running nmap with OS detection can generally determine an os running on VMWare, not sure about Zen. As for getting through the router, you will have to find someway to bypass it, I assume. NMAP has features for that as well.

To attack a NAT network, you would simply need a properly configured lab... one router giving you your own network for attacking, and another router being the NAT network with hosts behind it. Most SOHO (linksys/netgear) routers have NAT capability, so get two cheap routers, set one as 10.0.0.0 and one as 192.168.1.0.

I think the issue would be there that you have no outside network... The only legal suggestion that I can provide would be to purchase two internet connections. The problem there is that performing attacks over the internet is not advised... But I know this is done, I don't know how though...

Title: Re: Detecting virtualization on servers located behind routers?
Post by: manoj9372 on November 18, 2010, 03:22:14 AM

Code:

i am not talking about detecting OS,i want to know they are hosted inside "virutal environment or not",i am wondering how i can detect this with nmap,

Also i dont have money to buy routers ATM,i am looking for some virtualization solutions such as emulators etc?

will it be a good idea?

Need some more suggestions...

Title: Re: Detecting virtualization on servers located behind routers?
Post by: COm_BOY on November 18, 2010, 03:06:31 PM

I did a -A scan and got the folllowing line which might be interesting

MAC Address: 00:50:56:BC:7B:D9 (VMware)

If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .

Title: Re: Detecting virtualization on servers located behind routers?
Post by: SephStorm on November 18, 2010, 05:05:30 PM

Agreed, performing OS detection will determine, in my experience, a system running in a VM.

Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...

Title: Re: Detecting virtualization on servers located behind routers?
Post by: manoj9372 on November 19, 2010, 12:02:38 AM

Code:

Thanks for your idea sir,but if possible can you tell me the possible mac address range for the vmware?

and pfsense and smoothwall supports NAT uhh?
can i use them to play my NAT enumeration on them?

Code:

I don't know how OS determination will help us in identifying the virtualization technology used on the target,besides mac address what are the other things i should look for to identify the virtualization?

Also if it is hosted using virtualization other than vmware workstation means how can we detect them?

Title: Re: Detecting virtualization on servers located behind routers?
Post by: SephStorm on November 19, 2010, 03:36:21 AM

hmm, I am still researching but according to this:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=507

VMWare uses the OUI 00:50:56 The MAC address range is 00:50:56:00:00:00 - 00:50:56:3F:FF:FF. According to the article this is for manually assigned addresses, but based on Com_boy's post, I'm going to assume it is the range for auto settings as well.

EDIT:That range varies based on the vmware version, seperate ranges for VMware server, and ESXi based on this.

http://communities.vmware.com/message/1233229

The OS detection tells you, in parentheses, what virtualization technology is in use, in this case, VMware. You will have to test Zen out for yourself.

The best way would be to test it, fire up a vm running the microsoft vm solution, Zen and any others you can get your hand on.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: hell_razor on November 19, 2010, 02:06:56 PM

You can actually specify the MAC in the vmx file in vmwware I believe.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: chrisj on November 19, 2010, 02:57:58 PM

I ran nmap -A against a VirtualBox guest and a Citrix Xen guest. Neither reported the MAC address, nor if it was a virtual machine.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: sil on November 19, 2010, 04:02:56 PM

Be cautious when relying on nmap for detection especially when its VMWare related. The following is an example that illustrates this. Four different scans against my Window7 Ultimate machine:

--------------

Code:

[sil@asphyxia sil]# nmap -sS -O 10.4.4.79 -T5 -v -P0

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:56

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
389/tcp open ldap
636/tcp open ldapssl
1030/tcp open iad1
2809/tcp open corbaloc
9100/tcp open jetdirect
Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap finished: 1 IP address (1 host up) scanned in 14.416 seconds
Raw packets sent: 3372 (149.192KB) | Rcvd: 17 (880B)

--------------

Code:

[sil@asphyxia sil]# nmap -sS -sV -P0 -A -vvv 10.4.4.79

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:47

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft LDAP server
636/tcp open tcpwrapped
1030/tcp open msrpc Microsoft Windows RPC
2809/tcp open corbaloc?
9100/tcp open jetdirect?

SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F079%P=i686-redhat-linux-gnu%r
SF:(GetRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(HTTPOptions,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(RTSPRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(RPCC
SF:heck,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(DNSVersionBindReq,C,"GIOP\x01\x0
SF:2\0\x06\0\0\0\0")%r(DNSStatusRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(
SF:SSLSessionReq,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(SMBProgNeg,C,"GIOP\x01\
SF:x02\0\x06\0\0\0\0")%r(X11Probe,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(FourOh
SF:FourRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(LDAPBindReq,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(LANDesk-RC,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NCP,C
SF:,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NotesRPC,C,"GIOP\x01\x02\0\x06\0\0\0\0
SF:")%r(NessusTPv10,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(WMSRequest,C,"GIOP\x
SF:01\x02\0\x06\0\0\0\0")%r(oracle-tns,C,"GIOP\x01\x02\0\x06\0\0\0\0");

Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
OS Fingerprint:
TSeq(Class=TR%IPID=RD)
T1(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 70.602 seconds
Raw packets sent: 3373 (149.236KB) | Rcvd: 19 (986B)

--------------

Code:

[sil@asphyxia sil]# nmap -sS -sV -P0 -vvv 10.4.4.79

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:48

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft LDAP server
636/tcp open tcpwrapped
1030/tcp open msrpc Microsoft Windows RPC
2809/tcp open corbaloc?
9100/tcp open jetdirect?

SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F0D8%P=i686-redhat-linux-gnu%r
SF:(GetRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(HTTPOptions,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(RTSPRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(RPCC
SF:heck,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(DNSVersionBindReq,C,"GIOP\x01\x0
SF:2\0\x06\0\0\0\0")%r(DNSStatusRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(
SF:SSLSessionReq,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(SMBProgNeg,C,"GIOP\x01\
SF:x02\0\x06\0\0\0\0")%r(X11Probe,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(FourOh
SF:FourRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(LDAPBindReq,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(LANDesk-RC,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NCP,C
SF:,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NotesRPC,C,"GIOP\x01\x02\0\x06\0\0\0\0
SF:")%r(NessusTPv10,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(WMSRequest,C,"GIOP\x
SF:01\x02\0\x06\0\0\0\0")%r(oracle-tns,C,"GIOP\x01\x02\0\x06\0\0\0\0");
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 68.101 seconds
Raw packets sent: 3355 (147.620KB) | Rcvd: 9 (414B)

--------------

Code:

[sil@asphyxia sil]# nmap -sS -O -v 10.4.4.79

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-11-19 16:54 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.124 seconds
Raw packets sent: 4 (136B) | Rcvd: 0 (0B)

Don't always rely on one tool ;)

Title: Re: Detecting virtualization on servers located behind routers?
Post by: manoj9372 on November 19, 2010, 04:27:37 PM

Code:

you are right sir,also i am looking for multiple confirmations,
other than "mac" part what are the things we can look for?

Like shares,dlls,i think there must be some differences between a normal OS and virtualized OS..

looking for some more confirmations :)

Title: Re: Detecting virtualization on servers located behind routers?
Post by: COm_BOY on November 19, 2010, 04:49:45 PM

Quote from: manoj9372 on November 19, 2010, 12:02:38 AM

Code:

As per wikipedia following are the features supported by Pfsence

* Firewall
* State Table
* NAT
* Redundancy
o CARP - CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities where changes made to the primary firewall will automatically synchronize to the secondary firewall.
o pfsync - pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
* Outbound and Inbound Load Balancing
* VPN - IPsec, OpenVPN, PPTP
* PPPoE Server
* RRD Graphs Reporting
* Real Time Information - Using AJAX
* Dynamic DNS
* Captive portal
* DHCP Server and Relay
* Live CD Version Available
* Proxy server
* Support for software extensions.
o Notable expansions are : Squid proxy server and Snort intrusion prevention/detection system.

Also if you are in LAN subnet you can issue a ping command and then check the local arp table for mac address conformation , then you can match it with nmap results .

Title: Re: Detecting virtualization on servers located behind routers?
Post by: SephStorm on November 19, 2010, 08:32:57 PM

Quote from: hell_razor on November 19, 2010, 02:06:56 PM

You can actually specify the MAC in the vmx file in vmwware I believe.

this was noted in the second vmware link I posted, most of what was being discussed is beyond my level of virtualization knowledge, but it seems that even when you change the MAC in there, it is restricted to a specific range.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: dante on November 22, 2010, 11:52:03 AM

Joanna's blue pill and the conflict that rose among security researchers should be noted here.

This sums it up - http://www.zdnet.com/blog/ou/detecting-the-blue-pill-hypervisor-rootkit-is-possible-but-not-trivial/297.

When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: sil on November 22, 2010, 12:25:26 PM

Quote from: dante on November 22, 2010, 11:52:03 AM

When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.

Rutkowsa's RP/BP doesn't apply to what the initial question needed answered. I've spoken with people about her theories via the Daily Dave list once upon a time (http://seclists.org/dailydave/2008/q4/author.html) which is how I derived: "plague" which is a proof of concept undetectable backdoor. This came about after the Matasano/Rutkowska/etc. challenge. (http://www.darkreading.com/security/security-management/208804717/index.html) This came about when they offered like a $100,000 challenge to put up or shut up... I joined in on the fray and asked Peter Ferrie if I could join, submitted my PoC and they said no :(

Anyhow, apples and oranges. It's actually easy to detect if you're on a virtual machine that's not the issue. Detecting it FROM the network is an issue. Timing and latency have little to do with anything. For example, 1) if I semi-flooded all the machines with traffic, your timing theory is thrown out the door. 2) If I changed my TTL responses on each machine, that too is thrown out the door.

For the most part, there isn't an effective way of remotely determining whether or not the remote machine is running on a VM image. If it's on your RFC1918 space, it would be easier, but if I decided to do some NAT voodoo and place a VMWare image from ONE address block, say in England, mapped it via tunneling to an American IP space... You'd never know where that machine is/was. Please see: http://www.mail-archive.com/nanog@merit.edu/msg52017.html to validate/confirm/understand this.

Just doing NAT alone adds ms overheard as would traversing networks. Throw in a firewall, some IDS and your entire fingerprint is out of whack.

Title: Re: Detecting virtualization on servers located behind routers?
Post by: dante on November 22, 2010, 04:46:09 PM

Quote from: sil on November 22, 2010, 12:25:26 PM

The reason I mentioned the conflict, is that, the original poster might be interested in researching and extending the techniques used to detecting the presence of a VM from OS level to the network level.

I knew network latency is not the only thing that is going to hamper the technique thats why I blew my own theory in the post. I just wanted to point out something that can be extended. For instance, what If there is a behavior in a particular VM package that takes notably long time to respond to a specially crafted packet but the delay is not good enough for a detection technique because of other factors like network latency..

Every detection mechanism has a reliability factor (OS detection, service detection etc). If someone is determined to protect the identity of OS/Service from popular tools he/she can. Neither detection nor protecting from detection is 100% possible. Is there a reliable way to determine the OS in a network 100% of the time? No not possible. I was going for something thats detects a VM in a network starting from a theoretical point of view and then that can be practically extended.

I am not proposing a solution, I am pointing to something that can be researched and extended.

EH-Net

Ethical Hacking Discussions and Related Certifications => Network Pen Testing => Topic started by: manoj9372 on November 18, 2010, 02:26:46 AM