.

Detecting virtualization on servers located behind routers?

<<

manoj9372

Jr. Member
Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Nov 18, 2010 3:26 am

Detecting virtualization on servers located behind routers?

1)I have a scene like this,

Assume "A" is a target network on the internet running some windows servers using "XEN" virtualization and some linux servers inside vmware workstations,

Now assume i am on some random network on the internet,with different ISP ,I need to detect  or confirm whether the target servers  with any kind of "virtulaization" technology,


Also is there any difference between a OS running inside a "virtual environment" and "non-virtual environment"?with what kind of characters i can identify this?

As my target network is located behind router,I am struggling to determine this,..Looking for some ideas ???
__________________________________________________________________

2)I am much more interested in Practicing enumeration on a NAT network,
but considering legal issues ,I don't know where to practice this enumeration,Also i don't know where to find a NAT network for practicing,Can any body give some suggestions for this problem?


Hope i will find some help...
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Nov 18, 2010 3:38 am

Re: Detecting virtualization on servers located behind routers?

Running nmap with OS detection can generally determine an os running on VMWare, not sure about Zen. As for getting through the router, you will have to find someway to bypass it, I assume. NMAP has features for that as well.

To attack a NAT network, you would simply need a properly configured lab... one router giving you your own network for attacking, and another router being the NAT network with hosts behind it. Most SOHO (linksys/netgear) routers have NAT capability, so get two cheap routers, set one as 10.0.0.0 and one as 192.168.1.0.

I think the issue would be there that you have no outside network... The only legal suggestion that I can provide would be to purchase two internet connections. The problem there is that performing attacks over the internet is not advised... But I know this is done, I don't know how though...
sectestanalysis.blogspot.com/‎
<<

manoj9372

Jr. Member
Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Nov 18, 2010 4:22 am

Re: Detecting virtualization on servers located behind routers?

  Code:
Running nmap with OS detection can generally determine an os running on VMWare, not sure about Zen. As for getting through the router, you will have to find someway to bypass it, I assume. NMAP has features for that as well.

To attack a NAT network, you would simply need a properly configured lab... one router giving you your own network for attacking, and another router being the NAT network with hosts behind it. Most SOHO (linksys/netgear) routers have NAT capability, so get two cheap routers, set one as 10.0.0.0 and one as 192.168.1.0.

I think the issue would be there that you have no outside network... The only legal suggestion that I can provide would be to purchase two internet connections. The problem there is that performing attacks over the internet is not advised... But I know this is done, I don't know how though...


i am not talking about detecting OS,i want to know they are hosted inside "virutal environment or not",i am wondering how i can detect this with nmap,

Also i dont have money to buy routers ATM,i am looking for some virtualization solutions such as emulators etc?

will it be a good idea?

Need some more suggestions...
<<

COm_BOY

User avatar

Full Member
Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Thu Nov 18, 2010 4:06 pm

Re: Detecting virtualization on servers located behind routers?

I did a -A scan and got the folllowing line which might be interesting

MAC Address: 00:50:56:BC:7B:D9 (VMware)

If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .
It has become appallingly obvious that our technology has exceeded our humanity.
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Nov 18, 2010 6:05 pm

Re: Detecting virtualization on servers located behind routers?

Agreed, performing OS detection will determine, in my experience, a system running in a VM.

Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...
sectestanalysis.blogspot.com/‎
<<

manoj9372

Jr. Member
Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Fri Nov 19, 2010 1:02 am

Re: Detecting virtualization on servers located behind routers?

  Code:
I did a -A scan and got the folllowing line which might be interesting

MAC Address: 00:50:56:BC:7B:D9 (VMware)

If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .


Thanks for your idea sir,but if possible can you tell me the possible mac address range for the vmware?

and pfsense and smoothwall supports NAT uhh?
can i use them to play my NAT enumeration on them?

  Code:

Agreed, performing OS detection will determine, in my experience, a system running in a VM.

Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...


I don't know how OS determination will help us in identifying the virtualization technology used on the target,besides mac address what are the other things i should look for to identify the virtualization?

Also if it is hosted using virtualization other than vmware workstation means how can we detect them?
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Fri Nov 19, 2010 4:36 am

Re: Detecting virtualization on servers located behind routers?

hmm, I am still researching but according to this:

http://kb.vmware.com/selfservice/micros ... rnalId=507

VMWare uses the OUI 00:50:56 The MAC address range is 00:50:56:00:00:00 - 00:50:56:3F:FF:FF. According to the article this is for manually assigned addresses, but based on Com_boy's post, I'm going to assume it is the range for auto settings as well.

EDIT:That range varies based on the vmware version, seperate ranges for VMware server, and ESXi based on this.

http://communities.vmware.com/message/1233229

The OS detection tells you, in parentheses, what virtualization technology is in use, in this case, VMware. You will have to test Zen out for yourself.

The best way would be to test it, fire up a vm running the microsoft vm solution, Zen and any others you can get your hand on.
Last edited by SephStorm on Fri Nov 19, 2010 4:39 am, edited 1 time in total.
sectestanalysis.blogspot.com/‎
<<

hell_razor

User avatar

Jr. Member
Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Fri Nov 19, 2010 3:06 pm

Re: Detecting virtualization on servers located behind routers?

You can actually specify the MAC in the vmx file in vmwware I believe.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Nov 19, 2010 3:57 pm

Re: Detecting virtualization on servers located behind routers?

I ran nmap -A against a VirtualBox guest and a Citrix Xen guest. Neither reported the MAC address, nor if it was a virtual machine.
OSWP, Sec+
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Nov 19, 2010 5:02 pm

Re: Detecting virtualization on servers located behind routers?

Be cautious when relying on nmap for detection especially when its VMWare related. The following is an example that illustrates this. Four different scans against my Window7 Ultimate machine:


--------------

  Code:
[sil@asphyxia sil]# nmap -sS -O 10.4.4.79 -T5 -v -P0

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:56

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
389/tcp  open  ldap
636/tcp  open  ldapssl
1030/tcp open  iad1
2809/tcp open  corbaloc
9100/tcp open  jetdirect
Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap finished: 1 IP address (1 host up) scanned in 14.416 seconds
               Raw packets sent: 3372 (149.192KB) | Rcvd: 17 (880B)



--------------


  Code:
[sil@asphyxia sil]# nmap -sS -sV -P0 -A -vvv 10.4.4.79

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:47

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp?
135/tcp  open  msrpc      Microsoft Windows RPC
389/tcp  open  ldap       Microsoft LDAP server
636/tcp  open  tcpwrapped
1030/tcp open  msrpc      Microsoft Windows RPC
2809/tcp open  corbaloc?
9100/tcp open  jetdirect?


SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F079%P=i686-redhat-linux-gnu%r
SF:(GetRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(HTTPOptions,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(RTSPRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(RPCC
SF:heck,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(DNSVersionBindReq,C,"GIOP\x01\x0
SF:2\0\x06\0\0\0\0")%r(DNSStatusRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(
SF:SSLSessionReq,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(SMBProgNeg,C,"GIOP\x01\
SF:x02\0\x06\0\0\0\0")%r(X11Probe,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(FourOh
SF:FourRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(LDAPBindReq,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(LANDesk-RC,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NCP,C
SF:,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NotesRPC,C,"GIOP\x01\x02\0\x06\0\0\0\0
SF:")%r(NessusTPv10,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(WMSRequest,C,"GIOP\x
SF:01\x02\0\x06\0\0\0\0")%r(oracle-tns,C,"GIOP\x01\x02\0\x06\0\0\0\0");

Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.5 - 3.9, OpenBSD 3.6
OS Fingerprint:
TSeq(Class=TR%IPID=RD)
T1(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 70.602 seconds
               Raw packets sent: 3373 (149.236KB) | Rcvd: 19 (986B)




--------------


  Code:
[sil@asphyxia sil]# nmap -sS -sV -P0  -vvv 10.4.4.79

Initiating SYN Stealth Scan against 10.4.4.79 [1680 ports] at 16:48

Interesting ports on 10.4.4.79:
Not shown: 1673 filtered ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp?
135/tcp  open  msrpc      Microsoft Windows RPC
389/tcp  open  ldap       Microsoft LDAP server
636/tcp  open  tcpwrapped
1030/tcp open  msrpc      Microsoft Windows RPC
2809/tcp open  corbaloc?
9100/tcp open  jetdirect?

SF-Port2809-TCP:V=4.11%I=7%D=11/19%Time=4CE6F0D8%P=i686-redhat-linux-gnu%r
SF:(GetRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(HTTPOptions,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(RTSPRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(RPCC
SF:heck,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(DNSVersionBindReq,C,"GIOP\x01\x0
SF:2\0\x06\0\0\0\0")%r(DNSStatusRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(
SF:SSLSessionReq,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(SMBProgNeg,C,"GIOP\x01\
SF:x02\0\x06\0\0\0\0")%r(X11Probe,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(FourOh
SF:FourRequest,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(LDAPBindReq,C,"GIOP\x01\x
SF:02\0\x06\0\0\0\0")%r(LANDesk-RC,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NCP,C
SF:,"GIOP\x01\x02\0\x06\0\0\0\0")%r(NotesRPC,C,"GIOP\x01\x02\0\x06\0\0\0\0
SF:")%r(NessusTPv10,C,"GIOP\x01\x02\0\x06\0\0\0\0")%r(WMSRequest,C,"GIOP\x
SF:01\x02\0\x06\0\0\0\0")%r(oracle-tns,C,"GIOP\x01\x02\0\x06\0\0\0\0");
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 68.101 seconds
               Raw packets sent: 3355 (147.620KB) | Rcvd: 9 (414B)



--------------

  Code:
[sil@asphyxia sil]# nmap -sS -O -v 10.4.4.79

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-11-19 16:54 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.124 seconds
               Raw packets sent: 4 (136B) | Rcvd: 0 (0B)


Don't always rely on one tool ;)
<<

manoj9372

Jr. Member
Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Fri Nov 19, 2010 5:27 pm

Re: Detecting virtualization on servers located behind routers?

  Code:
Be cautious when relying on nmap for detection especially when its VMWare related. The following is an example that illustrates this. Four different scans against my Window7 Ultimate machine:

Don't always rely on one tool



you are right sir,also i am looking for multiple confirmations,
other than "mac" part what are the things we can look for?


Like shares,dlls,i think there must be some differences between a normal OS and virtualized OS..

looking for some more confirmations :)
<<

COm_BOY

User avatar

Full Member
Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Fri Nov 19, 2010 5:49 pm

Re: Detecting virtualization on servers located behind routers?

manoj9372 wrote:
  Code:
I did a -A scan and got the folllowing line which might be interesting

MAC Address: 00:50:56:BC:7B:D9 (VMware)

If you dont have money to invest then better google pfsence , smoothwall , they are good all in one firewall type solutions and open source .


Thanks for your idea sir,but if possible can you tell me the possible mac address range for the vmware?

and pfsense and smoothwall supports NAT uhh?
can i use them to play my NAT enumeration on them?

  Code:

Agreed, performing OS detection will determine, in my experience, a system running in a VM.

Also, Hak5 did a video on turning a mini-PC into a router/firewall. I enjoyed it u dutil they changed the firewall software they were using in another video...


I don't know how OS determination will help us in identifying the virtualization technology used on the target,besides mac address what are the other things i should look for to identify the virtualization?

Also if it is hosted using virtualization other than vmware workstation means how can we detect them?





As per wikipedia following are the features supported by Pfsence 

    * Firewall
    * State Table
    * NAT
    * Redundancy
          o CARP - CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities where changes made to the primary firewall will automatically synchronize to the secondary firewall.
          o pfsync - pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
    * Outbound and Inbound Load Balancing
    * VPN - IPsec, OpenVPN, PPTP
    * PPPoE Server
    * RRD Graphs Reporting
    * Real Time Information - Using AJAX
    * Dynamic DNS
    * Captive portal
    * DHCP Server and Relay
    * Live CD Version Available
    * Proxy server
    * Support for software extensions.
          o Notable expansions are : Squid proxy server and Snort intrusion prevention/detection system.


Also if you are in LAN subnet you can issue a ping command and then check the local arp table for mac address conformation , then you can match it with nmap results .
It has become appallingly obvious that our technology has exceeded our humanity.
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Fri Nov 19, 2010 9:32 pm

Re: Detecting virtualization on servers located behind routers?

hell_razor wrote:You can actually specify the MAC in the vmx file in vmwware I believe.


this was noted in the second vmware link I posted, most of what was being discussed is beyond my level of virtualization knowledge, but it seems that even when you change the MAC in there, it is restricted to a specific range.
sectestanalysis.blogspot.com/‎
<<

dante

User avatar

Jr. Member
Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Mon Nov 22, 2010 12:52 pm

Re: Detecting virtualization on servers located behind routers?

Joanna's blue pill and the conflict that rose among security researchers should be noted here.

This sums it up - http://www.zdnet.com/blog/ou/detecting- ... rivial/297.

When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Nov 22, 2010 1:25 pm

Re: Detecting virtualization on servers located behind routers?

dante wrote:When detecting that your program is running on a VM or not from within a VM is a difficult task, I guess determining a remote system is running under a VM or not, is not entirely out of the plate. One of the common techniques used is timing delay in the response of the OS as it is running on a VM. But adding it up with network latency, the reliability of the technique significantly reduces. I bet a project like that could sure make it to the blackhat conference.


Rutkowsa's RP/BP doesn't apply to what the initial question needed answered. I've spoken with people about her theories via the Daily Dave list once upon a time (http://seclists.org/dailydave/2008/q4/author.html) which is how I derived: "plague" which is a proof of concept undetectable backdoor. This came about after the Matasano/Rutkowska/etc. challenge. (http://www.darkreading.com/security/sec ... index.html) This came about when they offered like a $100,000 challenge to put up or shut up... I joined in on the fray and asked Peter Ferrie if I could join, submitted my PoC and they said no :(

Anyhow, apples and oranges. It's actually easy to detect if you're on a virtual machine that's not the issue. Detecting it FROM the network is an issue. Timing and latency have little to do with anything. For example, 1) if I semi-flooded all the machines with traffic, your timing theory is thrown out the door. 2) If I changed my TTL responses on each machine, that too is thrown out the door.

For the most part, there isn't an effective way of remotely determining whether or not the remote machine is running on a VM image. If it's on your RFC1918 space, it would be easier, but if I decided to do some NAT voodoo and place a VMWare image from ONE address block, say in England, mapped it via tunneling to an American IP space... You'd never know where that machine is/was. Please see: http://www.mail-archive.com/nanog@merit ... 52017.html to validate/confirm/understand this.

Just doing NAT alone adds ms overheard as would traversing networks. Throw in a firewall, some IDS and your entire fingerprint is out of whack.
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software