Detecting virtualization on servers located behind routers?

Viewing 15 reply threads
  • Author
    Posts
    • #5820
      manoj9372
      Participant

      1)I have a scene like this,

      Assume “A” is a target network on the internet running some windows servers using “XEN” virtualization and some linux servers inside vmware workstations,

      Now assume i am on some random network on the internet,with different ISP ,I need to detect  or confirm whether the target servers  with any kind of “virtulaization” technology,

      Also is there any difference between a OS running inside a “virtual environment” and “non-virtual environment”?with what kind of characters i can identify this?

      As my target network is located behind router,I am struggling to determine this,..Looking for some ideas ???
      __________________________________________________________________

      2)I am much more interested in Practicing enumeration on a NAT network,
      but considering legal issues ,I don’t know where to practice this enumeration,Also i don’t know where to find a NAT network for practicing,Can any body give some suggestions for this problem?

      Hope i will find some help…

    • #36567
      SephStorm
      Participant

      Running nmap with OS detection can generally determine an os running on VMWare, not sure about Zen. As for getting through the router, you will have to find someway to bypass it, I assume. NMAP has features for that as well.

      To attack a NAT network, you would simply need a properly configured lab… one router giving you your own network for attacking, and another router being the NAT network with hosts behind it. Most SOHO (linksys/netgear) routers have NAT capability, so get two cheap routers, set one as 10.0.0.0 and one as 192.168.1.0.

      I think the issue would be there that you have no outside network… The only legal suggestion that I can provide would be to purchase two internet connections. The problem there is that performing attacks over the internet is not advised… But I know this is done, I don’t know how though…

    • #36568
      manoj9372
      Participant

      Running nmap with OS detection can generally determine an os running on VMWare, not sure about Zen. As for getting through the router, you will have to find someway to bypass it, I assume. NMAP has features for that as well.

      To attack a NAT network, you would simply need a properly configured lab... one router giving you your own network for attacking, and another router being the NAT network with hosts behind it. Most SOHO (linksys/netgear) routers have NAT capability, so get two cheap routers, set one as 10.0.0.0 and one as 192.168.1.0.

      I think the issue would be there that you have no outside network... The only legal suggestion that I can provide would be to purchase two internet connections. The problem there is that performing attacks over the internet is not advised... But I know this is done, I don't know how though...

      i am not talking about detecting OS,i want to know they are hosted inside “virutal environment or not”,i am wondering how i can detect this with nmap,

      Also i dont have money to buy routers ATM,i am looking for some virtualization solutions such as emulators etc?

      will it be a good idea?

      Need some more suggestions…

    • #36569
      COm_BOY
      Participant

      I did a -A scan and got the folllowing line which might be interesting

      MAC Address: 00:50:56:BC:7B:D9 (VMware)

      If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .

    • #36570
      SephStorm
      Participant

      Agreed, performing OS detection will determine, in my experience, a system running in a VM.

      Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video…

    • #36571
      manoj9372
      Participant

      I did a -A scan and got the folllowing line which might be interesting

      MAC Address: 00:50:56:BC:7B:D9 (VMware)

      If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .

      Thanks for your idea sir,but if possible can you tell me the possible mac address range for the vmware?

      and pfsense and smoothwall supports NAT uhh?
      can i use them to play my NAT enumeration on them?



      Agreed, performing OS detection will determine, in my experience, a system running in a VM.

      Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...

      I don’t know how OS determination will help us in identifying the virtualization technology used on the target,besides mac address what are the other things i should look for to identify the virtualization?

      Also if it is hosted using virtualization other than vmware workstation means how can we detect them?

    • #36572
      SephStorm
      Participant

      hmm, I am still researching but according to this:

      http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=507

      VMWare uses the OUI 00:50:56 The MAC address range is 00:50:56:00:00:00 – 00:50:56:3F:FF:FF. According to the article this is for manually assigned addresses, but based on Com_boy’s post, I’m going to assume it is the range for auto settings as well.

      EDIT:That range varies based on the vmware version, seperate ranges for VMware server, and ESXi based on this.

      http://communities.vmware.com/message/1233229

      The OS detection tells you, in parentheses, what virtualization technology is in use, in this case, VMware. You will have to test Zen out for yourself.

      The best way would be to test it, fire up a vm running the microsoft vm solution, Zen and any others you can get your hand on.

    • #36573
      hell_razor
      Participant

      You can actually specify the MAC in the vmx file in vmwware I believe.

    • #36574
      rattis
      Participant

      I ran nmap -A against a VirtualBox guest and a Citrix Xen guest. Neither reported the MAC address, nor if it was a virtual machine.

    • #36575
      sil
      Participant

      Be cautious when relying on nmap for detection especially when its VMWare related. The following is an example that illustrates this. Four different scans against my Window7 Ultimate machine:


      [sil@asphyxia sil]# nmap -sS -O 10.4.4.79 -T5 -v -P0

      Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:56

      Interesting ports on 10.4.4.79:
      Not shown: 1673 filtered ports
      PORT    STATE SERVICE
      21/tcp  open  ftp
      135/tcp  open  msrpc
      389/tcp  open  ldap
      636/tcp  open  ldapssl
      1030/tcp open  iad1
      2809/tcp open  corbaloc
      9100/tcp open  jetdirect
      Device type: general purpose
      Running: OpenBSD 3.X
      OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
      TCP Sequence Prediction: Class=truly random
                              Difficulty=9999999 (Good luck!)
      IPID Sequence Generation: Randomized

      Nmap finished: 1 IP address (1 host up) scanned in 14.416 seconds
                    Raw packets sent: 3372 (149.192KB) | Rcvd: 17 (880B)

      [sil@asphyxia sil]# nmap -sS -sV -P0 -A -vvv 10.4.4.79

      Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:47

      Interesting ports on 10.4.4.79:
      Not shown: 1673 filtered ports
      PORT    STATE SERVICE    VERSION
      21/tcp  open  ftp?
      135/tcp  open  msrpc      Microsoft Windows RPC
      389/tcp  open  ldap      Microsoft LDAP server
      636/tcp  open  tcpwrapped
      1030/tcp open  msrpc      Microsoft Windows RPC
      2809/tcp open  corbaloc?
      9100/tcp open  jetdirect?


      SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F079%P=i686-redhat-linux-gnu%r
      SF:(GetRequest,C,"GIOPx01x02x06")%r(HTTPOptions,C,"GIOPx01x
      SF:02x06")%r(RTSPRequest,C,"GIOPx01x02x06")%r(RPCC
      SF:heck,C,"GIOPx01x02x06")%r(DNSVersionBindReq,C,"GIOPx01x0
      SF:2x06")%r(DNSStatusRequest,C,"GIOPx01x02x06")%r(
      SF:SSLSessionReq,C,"GIOPx01x02x06")%r(SMBProgNeg,C,"GIOPx01
      SF:x02x06")%r(X11Probe,C,"GIOPx01x02x06")%r(FourOh
      SF:FourRequest,C,"GIOPx01x02x06")%r(LDAPBindReq,C,"GIOPx01x
      SF:02x06")%r(LANDesk-RC,C,"GIOPx01x02x06")%r(NCP,C
      SF:,"GIOPx01x02x06")%r(NotesRPC,C,"GIOPx01x02x06
      SF:")%r(NessusTPv10,C,"GIOPx01x02x06")%r(WMSRequest,C,"GIOPx
      SF:01x02x06")%r(oracle-tns,C,"GIOPx01x02x06");

      Device type: general purpose
      Running: OpenBSD 3.X
      OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
      OS Fingerprint:
      TSeq(Class=TR%IPID=RD)
      T1(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
      T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
      T3(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
      T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
      T5(Resp=N)
      T6(Resp=N)
      T7(Resp=N)
      PU(Resp=N)

      TCP Sequence Prediction: Class=truly random
                              Difficulty=9999999 (Good luck!)
      IPID Sequence Generation: Randomized
      Service Info: OS: Windows

      Nmap finished: 1 IP address (1 host up) scanned in 70.602 seconds
                    Raw packets sent: 3373 (149.236KB) | Rcvd: 19 (986B)


      [sil@asphyxia sil]# nmap -sS -sV -P0  -vvv 10.4.4.79

      Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:48

      Interesting ports on 10.4.4.79:
      Not shown: 1673 filtered ports
      PORT    STATE SERVICE    VERSION
      21/tcp  open  ftp?
      135/tcp  open  msrpc      Microsoft Windows RPC
      389/tcp  open  ldap      Microsoft LDAP server
      636/tcp  open  tcpwrapped
      1030/tcp open  msrpc      Microsoft Windows RPC
      2809/tcp open  corbaloc?
      9100/tcp open  jetdirect?

      SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F0D8%P=i686-redhat-linux-gnu%r
      SF:(GetRequest,C,"GIOPx01x02x06")%r(HTTPOptions,C,"GIOPx01x
      SF:02x06")%r(RTSPRequest,C,"GIOPx01x02x06")%r(RPCC
      SF:heck,C,"GIOPx01x02x06")%r(DNSVersionBindReq,C,"GIOPx01x0
      SF:2x06")%r(DNSStatusRequest,C,"GIOPx01x02x06")%r(
      SF:SSLSessionReq,C,"GIOPx01x02x06")%r(SMBProgNeg,C,"GIOPx01
      SF:x02x06")%r(X11Probe,C,"GIOPx01x02x06")%r(FourOh
      SF:FourRequest,C,"GIOPx01x02x06")%r(LDAPBindReq,C,"GIOPx01x
      SF:02x06")%r(LANDesk-RC,C,"GIOPx01x02x06")%r(NCP,C
      SF:,"GIOPx01x02x06")%r(NotesRPC,C,"GIOPx01x02x06
      SF:")%r(NessusTPv10,C,"GIOPx01x02x06")%r(WMSRequest,C,"GIOPx
      SF:01x02x06")%r(oracle-tns,C,"GIOPx01x02x06");
      Service Info: OS: Windows

      Nmap finished: 1 IP address (1 host up) scanned in 68.101 seconds
                    Raw packets sent: 3355 (147.620KB) | Rcvd: 9 (414B)

      [sil@asphyxia sil]# nmap -sS -O -v 10.4.4.79

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-11-19 16:54 EST
      Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
      Nmap finished: 1 IP address (0 hosts up) scanned in 2.124 seconds
                    Raw packets sent: 4 (136B) | Rcvd: 0 (0B)

      Don’t always rely on one tool 😉

    • #36576
      manoj9372
      Participant

      Be cautious when relying on nmap for detection especially when its VMWare related. The following is an example that illustrates this. Four different scans against my Window7 Ultimate machine:

      Don't always rely on one tool

      you are right sir,also i am looking for multiple confirmations,
      other than “mac” part what are the things we can look for?

      Like shares,dlls,i think there must be some differences between a normal OS and virtualized OS..

      looking for some more confirmations 🙂

    • #36577
      COm_BOY
      Participant

      @manoj9372 wrote:


      I did a -A scan and got the folllowing line which might be interesting

      MAC Address: 00:50:56:BC:7B:D9 (VMware)

      If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .

      Thanks for your idea sir,but if possible can you tell me the possible mac address range for the vmware?

      and pfsense and smoothwall supports NAT uhh?
      can i use them to play my NAT enumeration on them?



      Agreed, performing OS detection will determine, in my experience, a system running in a VM.

      Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...

      I don’t know how OS determination will help us in identifying the virtualization technology used on the target,besides mac address what are the other things i should look for to identify the virtualization?

      Also if it is hosted using virtualization other than vmware workstation means how can we detect them?

      As per wikipedia following are the features supported by Pfsence 

          * Firewall
          * State Table
          * NAT
          * Redundancy
                o CARP – CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities where changes made to the primary firewall will automatically synchronize to the secondary firewall.
                o pfsync – pfsync ensures the firewall’s state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
          * Outbound and Inbound Load Balancing
          * VPN – IPsec, OpenVPN, PPTP
          * PPPoE Server
          * RRD Graphs Reporting
          * Real Time Information – Using AJAX
          * Dynamic DNS
          * Captive portal
          * DHCP Server and Relay
          * Live CD Version Available
          * Proxy server
          * Support for software extensions.
                o Notable expansions are : Squid proxy server and Snort intrusion prevention/detection system.

      Also if you are in LAN subnet you can issue a ping command and then check the local arp table for mac address conformation , then you can match it with nmap results .

    • #36578
      SephStorm
      Participant

      @hell_razor wrote:

      You can actually specify the MAC in the vmx file in vmwware I believe.

      this was noted in the second vmware link I posted, most of what was being discussed is beyond my level of virtualization knowledge, but it seems that even when you change the MAC in there, it is restricted to a specific range.

    • #36579
      dante
      Participant

      Joanna’s blue pill and the conflict that rose among security researchers should be noted here.

      This sums it up – http://www.zdnet.com/blog/ou/detecting-the-blue-pill-hypervisor-rootkit-is-possible-but-not-trivial/297.

      When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.

    • #36580
      sil
      Participant

      @dante wrote:

      When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.

      Rutkowsa’s RP/BP doesn’t apply to what the initial question needed answered. I’ve spoken with people about her theories via the Daily Dave list once upon a time (http://seclists.org/dailydave/2008/q4/author.html) which is how I derived: “plague” which is a proof of concept undetectable backdoor. This came about after the Matasano/Rutkowska/etc. challenge. (http://www.darkreading.com/security/security-management/208804717/index.html) This came about when they offered like a $100,000 challenge to put up or shut up… I joined in on the fray and asked Peter Ferrie if I could join, submitted my PoC and they said no 🙁

      Anyhow, apples and oranges. It’s actually easy to detect if you’re on a virtual machine that’s not the issue. Detecting it FROM the network is an issue. Timing and latency have little to do with anything. For example, 1) if I semi-flooded all the machines with traffic, your timing theory is thrown out the door. 2) If I changed my TTL responses on each machine, that too is thrown out the door.

      For the most part, there isn’t an effective way of remotely determining whether or not the remote machine is running on a VM image. If it’s on your RFC1918 space, it would be easier, but if I decided to do some NAT voodoo and place a VMWare image from ONE address block, say in England, mapped it via tunneling to an American IP space… You’d never know where that machine is/was. Please see: http://www.mail-archive.com/nanog@merit.edu/msg52017.html to validate/confirm/understand this.

      Just doing NAT alone adds ms overheard as would traversing networks. Throw in a firewall, some IDS and your entire fingerprint is out of whack.

    • #36581
      dante
      Participant

      @sil wrote:

      Rutkowsa’s RP/BP doesn’t apply to what the initial question needed answered. I’ve spoken with people about her theories via the Daily Dave list once upon a time (http://seclists.org/dailydave/2008/q4/author.html) which is how I derived: “plague” which is a proof of concept undetectable backdoor. This came about after the Matasano/Rutkowska/etc. challenge. (http://www.darkreading.com/security/security-management/208804717/index.html) This came about when they offered like a $100,000 challenge to put up or shut up… I joined in on the fray and asked Peter Ferrie if I could join, submitted my PoC and they said no 🙁

      Anyhow, apples and oranges. It’s actually easy to detect if you’re on a virtual machine that’s not the issue. Detecting it FROM the network is an issue. Timing and latency have little to do with anything. For example, 1) if I semi-flooded all the machines with traffic, your timing theory is thrown out the door. 2) If I changed my TTL responses on each machine, that too is thrown out the door.

      For the most part, there isn’t an effective way of remotely determining whether or not the remote machine is running on a VM image. If it’s on your RFC1918 space, it would be easier, but if I decided to do some NAT voodoo and place a VMWare image from ONE address block, say in England, mapped it via tunneling to an American IP space… You’d never know where that machine is/was. Please see: http://www.mail-archive.com/nanog@merit.edu/msg52017.html to validate/confirm/understand this.

      Just doing NAT alone adds ms overheard as would traversing networks. Throw in a firewall, some IDS and your entire fingerprint is out of whack.

      The reason I mentioned the conflict, is that, the original poster might be interested in researching and extending the techniques used to detecting the presence of a VM from OS level to the network level.

      I knew network latency is not the only thing that is going to hamper the technique thats why I blew my own theory in the post. I just wanted to point out something that can be extended. For instance, what If there is a behavior in a particular VM package that takes notably long time to respond to a specially crafted packet but the delay is not good enough for a detection technique because of other factors like network latency..

      Every detection mechanism has a reliability factor (OS detection, service detection etc). If someone is determined to protect the identity of OS/Service from popular tools he/she can. Neither detection nor protecting from detection is 100% possible. Is there a reliable way to determine the OS in a network 100% of the time? No not possible. I was going for something thats detects a VM in a network starting from a theoretical point of view and then that can be practically extended.

      I am not proposing a solution, I am pointing to something that can be researched and extended.

Viewing 15 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?