Free Drawing for 1 seat in the VMware Advanced Security Class with Firebrand.
Slide 3
vSphere: Just Another Layer to Attack?
- Recent Cases involving VMware
- Pen Testing Methodology
- GuestStealer
- Tomcat Zero Day
- Directory Traversal
- VASTO
- Mitigation Techniques
- 3rd Party Mitigation Tools
Slide 4
VMware: 80% of the Market Share
- Do the tools used in pen testing work with virtualization?
- Are there hacks being designed just for VMware?
- What is this costing us?
Slide 5
CyberCrime and CyberWar Predictions for 2011, #2: "Cloud Computing and Virtual Machines (VM) will be specifically targeted by cybercriminals and cyber terrorists, resulting in VM malware, Cloud downtime and Cloud data theft." (Hakin9, Issue 01/2011 (37))
Slide 6
What are the main security concerns associated with virtualization in general?
- Segregation of Duties
- Accounting/Logging
- New APIs: VMsafe, vStorage, vNetwork
- VMsafe Virtual Appliances
- Plug-Ins
- Shared Resources: can they be attacked? Memory, CPU, Datastore
Slide 7
vSphere Client
- APIs
- Plugins: VMware Update Manager, Guided Consolidation, VMware Converter, Storage vMotion
- Plugins, 3rd Party: Backup Solutions (3rd Party: Veeam), RDP (3rd Party: the RDP plug-in by Juxtaposition)
- Invoke Plugin
- Management Interfaces
Slide 8
ESX and vCenter both use a Web Service
- vCenter: on by default. Why?
- ESX: disabled. Thank God.
- Tomcat Web Service: how many holes have we found here? WOW
- Utilizes a proxy: this is the same proxy used by hostd.
Slide 9
VMware is using an old version of Tomcat that leaves the username and password in a world-readable file! Fixed by a recent update for vCenter 4.1.
Slide 10
VMCI, or Virtual Machine Communications Interface, is an interface designed into the hardware of a VM. It provides communication between VMs and trusted endpoints on the host, and from VM to VM. The vmkernel is considered a trusted endpoint. This interface is implemented as a virtual PCI device, present by default in all VMs created with virtual hardware version 7.
http://pubs.vmware.com/vmci-sdk/VMCI_intro.html
Slide 11
Threats: Perceived / Known Risks / Probability / Potential Impact
Slide 12
- Secunia Historic Advisories: ESX 4.x, ESXi 4.x, vCenter Server 4.x
- nvd.nist.gov: over 40 vulnerabilities for VMware products
- McAfee Threats: VMware ESX Server Heap Buffer Overflow, vCenter Update Manager CSS, vCenter Update Manager Directory Traversal
Slide 13
130 Million Credit Cards Stolen: Gonzalez Indictment
- SQL Injection Attacks, SQL Injection Strings
- Malware, Rootkits
- Visiting the stores
- Disabling the logs
- Using Proxies
Little Known Fact: Occurred on VMware!!!!
Slide 14
This does not change, regardless of the environment being tested.
Information Gathering -> Scanning -> Enumeration -> Penetration
- Fail: Start Over, or tell them great job
- Succeed: Escalate Privileges -> Steal Data or Leave Proof of Hack -> Cover Tracks -> Leave Backdoors
Slide 15
- Google
- NMAP (since v4.8)
- Ettercap
- Cain and Abel
- Metasploit
- VASTO, Virtualization ASsessment TOolkit, by Claudio Criscione
Slide 16
Slide 17
Slide 18
We have to find the systems first. Just like any other service, ESX has its own tells. NMAP will give you what you need. Let's see this in action!
Slide 19
Yes, you can create your own modules. We will take a look at VASTO, the Virtualization ASsessment TOolkit by Claudio Criscione.
- Auxiliary Modules
- Meterpreter: "The purpose of meterpreter scripts is to give end-users an easy interface to write quick scripts that can be run against remote targets after successful exploitation." (Metasploit) Meterpreter is an effective tool for creating backdoors.
Slide 20
ARP Cache Poisoning will allow us to perform a successful SSL crack! The hacking tools will create fake certificates. Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server. The communication process starts on port 443, and once the SSL authentication has been established VMware moves the communication to port 902.
Diagram: SSL request -> SSL reply (fake certificate) between the victim and the hacker; SSL request -> SSL reply (real self-signed cert) between the hacker and the ESX Server. At the hacker the traffic is cleartext, which can be copied & altered or stopped before it reaches the ESX Server.
Slide 21
VIC Client Login
Slide 22
Slide 23
Slide 24
You are still vulnerable even if you use vCenter. I can offer this: once the above password is stolen, you can log in to the host with the vpxuser and the above password.
Thanks for the Virtual Machines! GuestStealer
How large is your dictionary file? Dictionary Attack
Need to know exactly what is running? Fingerprinting Tool
Slide 27
Auto Update Process (client 3.0.0, server 3.1.0; download URL https://*/client/VMware-viclient.exe)
Client <-> Server:
1. GET /client/clients.xml -> AutoUpdate URL
2. RetrieveServiceInstance -> ServiceInstance
3. RetrieveServiceStatus -> Status
4. GET /client/clients.xml -> Autoupdate URL
Login
Slide 28
The Auto Update Process with the Evil Guy in the middle: the client is at 3.0.0 and the real server at 3.1.0 (https://*/client/VMware-viclient.exe); the Evil Guy answers with version 10.0.0 and the download URL https://evilserver.com/evilpay poad.exe
Slide 29
- Change the clients.xml filename
- The package will run under the user's privileges! Administrator, anyone?
- Provide your nasty trojan package
- Could be combined with other attacks
- Create a fake web interface so you look legit!
- This can be done as MiTM or Rogue Server
- You will trigger a certificate error
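A defender-side check for the descriptor exchange described in slides 27 to 29, written as an added example (not VMware's or VASTO's code): it parses a clients.xml and refuses an update whose version jump is implausible or whose download URL leaves the server that answered. The element names, the server host and both sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a legitimate descriptor from a vCenter at 3.1.0. The "*"
# host in downloadUrl is the same-server placeholder shown on the slide; the
# element names are assumed here, not copied from VMware documentation.
LEGIT_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <exactVersion>3.1.0</exactVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

# Constructed sample: what a rogue or MITM server answers to push a trojan.
EVIL_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <exactVersion>10.0.0</exactVersion>
    <downloadUrl>https://evilserver.example/evil-installer.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""


def parse_version(text):
    """'3.1.0' -> (3, 1, 0); raises ValueError on anything non-numeric."""
    return tuple(int(p) for p in text.strip().split("."))


def check_autoupdate(xml_text, server_host, installed="3.0.0"):
    """Return a list of findings for a clients.xml; an empty list means sane."""
    findings = []
    conn = ET.fromstring(xml_text).find("clientConnection")
    if conn is None:
        return ["no clientConnection element"]
    offered = conn.findtext("exactVersion", "")
    url = conn.findtext("downloadUrl", "")
    try:
        new, cur = parse_version(offered), parse_version(installed)
    except ValueError:
        return ["unparseable version %r" % offered]
    if new[0] - cur[0] > 1:  # 3.0.0 -> 10.0.0 is not a real point update
        findings.append("implausible version jump %s -> %s" % (installed, offered))
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("download URL is not https: %s" % url)
    if parts.hostname not in ("*", server_host.lower()):  # must stay on-host
        findings.append("download URL points off-host: %s" % parts.hostname)
    if parts.path != "/client/VMware-viclient.exe":  # installer path on slide
        findings.append("unexpected installer path: %s" % parts.path)
    return findings
```

The certificate error the slide mentions is the other signal: a client that refuses to proceed on a certificate mismatch never reaches this check.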
Slide 30
Autopwn: how easy can it get?
- Uses a flaw in the Tomcat Web Server
- Transfers the latest session file from vCenter using a Directory Traversal attack
- Admin rights without knowing a username or password!
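Detection logic for the traversal described above, as an added example that is not part of the deck: it reads Tomcat access-log lines, decodes single and double percent-encoding, and reports requests containing a ".." segment. The log lines are constructed and the paths are placeholders, not the real session-file location.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Tomcat access-log lines (common log format): one ordinary client
# request, then plain, URL-encoded and double-encoded traversal attempts. The
# attacker paths are placeholders, not where vCenter really keeps session files.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2011:10:00:01 +0000] "GET /client/clients.xml HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2011:10:00:02 +0000] "GET /client/../../../../tmp/session.dat HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jan/2011:10:00:03 +0000] "GET /client/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [10/Jan/2011:10:00:04 +0000] "GET /client/%252e%252e/%252e%252e/secret HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')


def decode_fully(path, rounds=3):
    """Percent-decode until stable so double encoding (%252e) cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslash separators like '/'


def is_traversal(raw_target):
    """True if the request path contains a '..' segment after full decoding."""
    path = decode_fully(urlsplit(raw_target).path)
    return ".." in path.split("/")


def scan_log(text):
    """Return (client_ip, status, decoded_path) for each traversal attempt.

    A 200 on a traversal path is the one to escalate first: the server handed
    the file over instead of rejecting the request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status, _size = m.groups()
        if is_traversal(target):
            hits.append((ip, int(status), decode_fully(urlsplit(target).path)))
    return hits
```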
Slide 31
Mitigation Tools, Best of Breed
- VMware vShield Zones
- 3rd Party: Altor, Reflex, CheckPoint, Astaro Security Gateway, Tripwire, Catbird, HyTrust
Slide 32
Slide 33
Slide 34
Trend Micro Deep Security provides advanced security for physical, virtual, and cloud servers and virtual desktops.
Modules:
- Agentless Malware Detection for VMs
- Deep Packet Inspection
- Intrusion Detection and Prevention
- Web Application Protection
- Application Control
- Bidirectional Stateful Firewall
- Integrity Monitoring
- Log Inspection
Slide 35
Slide 36
Catbird TrustZones: policy-based security envelope for virtual infrastructures and the cloud. Enforces protection and measures compliance across virtual clusters and data centers.
The Catbird virtual security appliance performs several functions:
- Hypervisor auditing
- Virtual network IPS
- Network segmentation and access control
- Vulnerability management
- Multi-tenant security
- Reports to management console
Slide 37
- Catbird appliances collect data and enforce policies
- Appliances report events to the management console
- The management console analyses events and correlates them to the compliance framework
Slide 38
1. Course Introduction and Methodology
2. Penetration Testing 101
3. Primer and Reaffirming our Knowledge
4. Security Architecture, vCPU, vMemory
5. Routing and the vNetwork
6. vStorage Architecture and Security Implementations
7. Hardening the Virtual Machines
8. Hardening the Host
9. Hardening Virtual Center
10. Virtualizing your DMZ
11. 3rd Party Mitigation Tools
12. Putting it all Together
Slide 39
1. Course Intro & Methodology
2. Virtualization Overview
3. Planning & Installing ESX/ESXi 4
4. Using Tools to Administer a VMware Environment
5. Configuring Networking
6. Configuring Storage
7. vCenter Server 4 and Licensing
8. VM Creation and Configuration & Snapshots
9. Security and Permissions
10. Server and VM Monitoring
11. Advanced ESX and vCenter Management
12. Patching and Upgrading ESX/ESXi
13. Disaster Recovery and Backup
50 Hours of Training, 6.5 Classes in ONE
Slide 40
Does vSphere really have some major issues?
- Recent Cases involving ESX
- Pen Testing Methodology
- Web Related Issues
- VASTO
- Mitigation Techniques
Questions?