SlideShare uma empresa Scribd logo

Guest Stealing...The VMware Way

S
SecurityTube.Net
1 de 19
Baixar para ler offline
SSID: FYRM URL: http://172.16.254.1 STEALING GUESTS... THE VMWARE WAY Justin Morehouse & Tony Flick ShmooCon 2010
SSID: FYRM URL: http://172.16.254.1 DISCLAIMER Standard disclaimer verbiage... •Everything said, showed, implied, etc. is not the opinion of our employers, friends, dogs, VMware, ShmooCon, etc. •This disclaimer is not endorsed by our lawyers.
SSID: FYRM URL: http://172.16.254.1 ABOUT US Justin Morehouse • Assessment Lead @ Large Retailer in Southeast USA • Controls 58.2% of the MacBook Pro flipping market on Craigslist Tony Flick • Principal @ FYRM Associates • Has never mistaken Hunts ketchup for Heinz ketchup...EVER!
SSID: FYRM URL: http://172.16.254.1 WARNING What this presentation IS NOT: • 0 day release - worked w/ VMware • A demonstration of rocket science What this presentation IS: • A reminder of the security implications of virtualization • The culmination of ‘sanity’ projects
SSID: FYRM URL: http://172.16.254.1 TIMELINE • Vulnerability identified on 5/14/09 • Reported to VMware on 5/15/09 • VMware responded on 5/21/09 • CVE-2009-3733 reserved on 10/20/09 • VMSA-2009-0015 released on 10/27/09 • ‘b. Directory Traversal vulnerability’
SSID: FYRM URL: http://172.16.254.1 IDENTIFICATION • Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04) • Thought to be localized to inside of NAT interface of Host (8307/tcp) • Can steal VMs from within other VMs... if NAT’d • Kinda cool, not really practical • What we originally reported to VMware & submitted to ShmooCon but......
SSID: FYRM URL: http://172.16.254.1 DOES THIS LOOK FAMILIAR?
SSID: FYRM URL: http://172.16.254.1 HOW ABOUT THIS?
SSID: FYRM URL: http://172.16.254.1 VULNERABILITY •Web Access web servers also vulnerable •Server (default ports 8222/8333) - ../ x 6 •ESX/ESXi (default ports 80/443) - %2E%2E/ x 6 •No longer requires NAT mode / Remotely exploitable •Not as straightforward as originally thought •Still trivial to exploit because...
SSID: FYRM URL: http://172.16.254.1 IT’S GOOD TO BE ROOT •Web servers are running as root = complete access •ESX/ESXi •Server
SSID: FYRM URL: http://172.16.254.1 HOW IT WORKS ON SERVER •Proxy used to redirect requests based on URL •/etc/vmware/hostd/proxy.xml (includes mappings) •/sdk = 8307/tcp •/ui = 8308/tcp
SSID: FYRM URL: http://172.16.254.1 HOW IT WORKS ON SERVER •Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.) •Web server on 8307/tcp is also vulnerable, but serves ALL filetypes •Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines) •ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)
SSID: FYRM URL: http://172.16.254.1 VULNERABLE VERSIONS Server • VMware Server 2.x < 2.0.2 build 203138 (Linux) • VMware Server 1.x < 1.0.10 build 203137 (Linux) ESX/ESXi • ESX 3.5 w/o ESX350-200901401-SG • ESX 3.0.3 w/o ESX303-200812406-BG • ESXi 3.5 w/o ESXe350-200901401-I-SG
SSID: FYRM URL: http://172.16.254.1 GUESTSTEALER •Perl script remotely ‘steals’ virtual machines from vulnerable hosts •Supports Server, ESX, ESXi •Allows attacker to select which Guest to ‘steal’ •Utilizes VMware configuration files to identify available Guests and determine associated files
SSID: FYRM URL: http://172.16.254.1 VMINVENTORY.XML •/etc/vmware/hostd/vmInventory.xml (default location) •Gives us Guest inventory & location information
SSID: FYRM URL: http://172.16.254.1 GUEST .VMX & .VMDK • .vmx gives us Guest config and file locations •.vmdk (disk image) can point to other .vmdk images
SSID: FYRM URL: http://172.16.254.1 LIVE DEMO
SSID: FYRM URL: http://172.16.254.1 MITIGATION STRATEGIES • Patch, patch, patch • Hosts are an attractive target (compromise one = access many) • Better yet...Segment, segment, segment • Segment management interfaces • Segment systems of different security levels • Don’t share physical NICs between different security levels • Virtualization is not always the ‘best answer’
SSID: FYRM URL: http://172.16.254.1 QUESTIONS? GuestStealer available for download @ www.fyrmassociates.com

Recomendados

STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
ANJALAI AMMAL MAHALINGAM ENGINEERING COLLEGE
 
Hypervisor Security - OpenStack Summit Hong Kong
Hypervisor Security - OpenStack Summit Hong KongHypervisor Security - OpenStack Summit Hong Kong
Hypervisor Security - OpenStack Summit Hong Kong
Robert Clark
 
Lessons On Hyper V
Lessons On Hyper VLessons On Hyper V
Lessons On Hyper V
Aidan Finn
 
Virtualization support by intel
Virtualization support by intelVirtualization support by intel
Virtualization support by intel
Inzemamul Haque
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
The Linux Foundation
 
Virtualization lab
Virtualization labVirtualization lab
Virtualization lab
Yogendra Tamang
 
Venom vulnerability
Venom vulnerabilityVenom vulnerability
Venom vulnerability
Portcullis Computer Security
 

Recomendados

STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
STUDY EDUCATIONAL OPERATING SYSTEM MINIX OPERATING SYSTEM AND DEVELOP REASO...
ANJALAI AMMAL MAHALINGAM ENGINEERING COLLEGE
 
Hypervisor Security - OpenStack Summit Hong Kong
Hypervisor Security - OpenStack Summit Hong KongHypervisor Security - OpenStack Summit Hong Kong
Hypervisor Security - OpenStack Summit Hong Kong
Robert Clark
 
Lessons On Hyper V
Lessons On Hyper VLessons On Hyper V
Lessons On Hyper V
Aidan Finn
 
Virtualization support by intel
Virtualization support by intelVirtualization support by intel
Virtualization support by intel
Inzemamul Haque
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
The Linux Foundation
 
Virtualization lab
Virtualization labVirtualization lab
Virtualization lab
Yogendra Tamang
 
Venom vulnerability
Venom vulnerabilityVenom vulnerability
Venom vulnerability
Portcullis Computer Security
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
ShapeBlue
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open mic
Rahul Kumar
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
Unidade3 roteiro proxy
Unidade3 roteiro proxyUnidade3 roteiro proxy
Unidade3 roteiro proxy
Leandro Almeida
 
Introduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomiIntroduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomi
Michael Rice
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
FIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG HackathonFIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG Hackathon
Ki-Eun Shin
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2
Vincent Mercier
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
Virtualization security and threat
Virtualization security and threatVirtualization security and threat
Virtualization security and threat
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksIBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
Keith Brooks
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
Khajornchol Puwarang
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
ResellerClub
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Luca Bongiorni
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
Royce Davis
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
VMworld
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
kriptonium
 
Web security 101
Web security 101Web security 101
Web security 101
Kristaps Kūlis
 
Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)
SecurityTube.Net
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication Gap
SecurityTube.Net
 

Mais conteúdo relacionado

Semelhante a Guest Stealing...The VMware Way

Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 

Semelhante a Guest Stealing...The VMware Way (20)

FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Poodle sha2 open mic
Poodle sha2 open micPoodle sha2 open mic
Poodle sha2 open mic
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Unidade3 roteiro proxy
Unidade3 roteiro proxyUnidade3 roteiro proxy
Unidade3 roteiro proxy
 
Introduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomiIntroduction to vSphere APIs Using pyVmomi
Introduction to vSphere APIs Using pyVmomi
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
FIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG HackathonFIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG Hackathon
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
DevOPS training - Day 1/2
DevOPS training - Day 1/2DevOPS training - Day 1/2
DevOPS training - Day 1/2
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Virtualization security and threat
Virtualization security and threatVirtualization security and threat
Virtualization security and threat
 
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksIBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
Simple tips to improve Server Security
Simple tips to improve Server SecuritySimple tips to improve Server Security
Simple tips to improve Server Security
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Web security 101
Web security 101Web security 101
Web security 101
 

Mais de SecurityTube.Net

Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication Gap
SecurityTube.Net
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
SecurityTube.Net
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
SecurityTube.Net
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security Shootout
SecurityTube.Net
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
SecurityTube.Net
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
SecurityTube.Net
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over Wireless
SecurityTube.Net
 

Mais de SecurityTube.Net (15)

Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication Gap
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
 
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security Shootout
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
Network Attacks
Network AttacksNetwork Attacks
Network Attacks
 
TCP/IP basics
TCP/IP basicsTCP/IP basics
TCP/IP basics
 
Wireless Security Basics
Wireless Security BasicsWireless Security Basics
Wireless Security Basics
 
Linux Vulnerabilities
Linux VulnerabilitiesLinux Vulnerabilities
Linux Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Black Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslBlack Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating Ssl
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over Wireless
 

Guest Stealing...The VMware Way

  • 1. SSID: FYRM URL: http://172.16.254.1 STEALING GUESTS... THE VMWARE WAY Justin Morehouse & Tony Flick ShmooCon 2010
  • 2. SSID: FYRM URL: http://172.16.254.1 DISCLAIMER Standard disclaimer verbiage... •Everything said, showed, implied, etc. is not the opinion of our employers, friends, dogs, VMware, ShmooCon, etc. •This disclaimer is not endorsed by our lawyers.
  • 3. SSID: FYRM URL: http://172.16.254.1 ABOUT US Justin Morehouse • Assessment Lead @ Large Retailer in Southeast USA • Controls 58.2% of the MacBook Pro flipping market on Craigslist Tony Flick • Principal @ FYRM Associates • Has never mistaken Hunts ketchup for Heinz ketchup...EVER!
  • 4. SSID: FYRM URL: http://172.16.254.1 WARNING What this presentation IS NOT: • 0 day release - worked w/ VMware • A demonstration of rocket science What this presentation IS: • A reminder of the security implications of virtualization • The culmination of ‘sanity’ projects
  • 5. SSID: FYRM URL: http://172.16.254.1 TIMELINE • Vulnerability identified on 5/14/09 • Reported to VMware on 5/15/09 • VMware responded on 5/21/09 • CVE-2009-3733 reserved on 10/20/09 • VMSA-2009-0015 released on 10/27/09 • ‘b. Directory Traversal vulnerability’
  • 6. SSID: FYRM URL: http://172.16.254.1 IDENTIFICATION • Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04) • Thought to be localized to inside of NAT interface of Host (8307/tcp) • Can steal VMs from within other VMs... if NAT’d • Kinda cool, not really practical • What we originally reported to VMware & submitted to ShmooCon but......
  • 7. SSID: FYRM URL: http://172.16.254.1 DOES THIS LOOK FAMILIAR?
  • 8. SSID: FYRM URL: http://172.16.254.1 HOW ABOUT THIS?
  • 9. SSID: FYRM URL: http://172.16.254.1 VULNERABILITY •Web Access web servers also vulnerable •Server (default ports 8222/8333) - ../ x 6 •ESX/ESXi (default ports 80/443) - %2E%2E/ x 6 •No longer requires NAT mode / Remotely exploitable •Not as straightforward as originally thought •Still trivial to exploit because...
  • 10. SSID: FYRM URL: http://172.16.254.1 IT’S GOOD TO BE ROOT •Web servers are running as root = complete access •ESX/ESXi •Server
  • 11. SSID: FYRM URL: http://172.16.254.1 HOW IT WORKS ON SERVER •Proxy used to redirect requests based on URL •/etc/vmware/hostd/proxy.xml (includes mappings) •/sdk = 8307/tcp •/ui = 8308/tcp
  • 12. SSID: FYRM URL: http://172.16.254.1 HOW IT WORKS ON SERVER •Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.) •Web server on 8307/tcp is also vulnerable, but serves ALL filetypes •Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines) •ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)
  • 13. SSID: FYRM URL: http://172.16.254.1 VULNERABLE VERSIONS Server • VMware Server 2.x < 2.0.2 build 203138 (Linux) • VMware Server 1.x < 1.0.10 build 203137 (Linux) ESX/ESXi • ESX 3.5 w/o ESX350-200901401-SG • ESX 3.0.3 w/o ESX303-200812406-BG • ESXi 3.5 w/o ESXe350-200901401-I-SG
  • 14. SSID: FYRM URL: http://172.16.254.1 GUESTSTEALER •Perl script remotely ‘steals’ virtual machines from vulnerable hosts •Supports Server, ESX, ESXi •Allows attacker to select which Guest to ‘steal’ •Utilizes VMware configuration files to identify available Guests and determine associated files
  • 15. SSID: FYRM URL: http://172.16.254.1 VMINVENTORY.XML •/etc/vmware/hostd/vmInventory.xml (default location) •Gives us Guest inventory & location information
  • 16. SSID: FYRM URL: http://172.16.254.1 GUEST .VMX & .VMDK • .vmx gives us Guest config and file locations •.vmdk (disk image) can point to other .vmdk images
  • 17. SSID: FYRM URL: http://172.16.254.1 LIVE DEMO
  • 18. SSID: FYRM URL: http://172.16.254.1 MITIGATION STRATEGIES • Patch, patch, patch • Hosts are an attractive target (compromise one = access many) • Better yet...Segment, segment, segment • Segment management interfaces • Segment systems of different security levels • Don’t share physical NICs between different security levels • Virtualization is not always the ‘best answer’
  • 19. SSID: FYRM URL: http://172.16.254.1 QUESTIONS? GuestStealer available for download @ www.fyrmassociates.com