8/10/2019 Pen Testing a Virtualization-Tim Pierson
http://slidepdf.com/reader/full/pen-testing-a-virtualization-tim-pierson 1/72
Penetration Testing in a Virtualized Environment
Tim Pierson
President, Data-Sentry.com
Who is this Guy?
Tim Pierson AS, BS, MS
Professional PenTester, Instructor and Consultant for over 26 years.
• Very intrigued with the virtual environment.
EC-Council – Instructor of the Year recipient 2009 from a large pool of nominees.
Contributing author to the book VMware vSphere™ and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
ISBN-10: 0137158009, Pearson Publishing
My work Environment
Shameless Plug
Creator of: Hacking Uncovered: VMware
• Available throughout the training industry and online.
• Seems to be most popular in Europe.
• Get more info at: www.data-sentry.com
What Could Possibly Go Wrong?
When a glaring vulnerability is provided or shown!
I will stand –
And Now Since we are in Miami…..
Why Do we do a pen test in the first place?
Provide a more secure environment?
Make sure that our workers are protected?
Make sure our customers are protected?
I will ask my good friend Joe McCray to Comment…..
FORCED TO DO SO….
Compliance!!!
How Vulnerable is ESX?
Now into its 4th generation, finding its roots in *NIX (UNIX) architecture.
It is still just another layer to attack!
VMsafe? Really? Just as the name implies?
Common Management Errors.
ARP/DNS Cache Poisoning
Web Interface
The elephant in the room
Will we be Escaping the VM?
Escaping the VM
Yes, it can be done
Yes, it is due to an exploit
Yes, it can be patched
Yes, it will happen again
No, it is not something you can easily audit
We're going to attack virtualization infrastructure
New World, Same Problems
Social Engineering
• Widely utilized in today's hacks.
Exploits
• www.progenic.com
Chained Exploits
• Today's hacks employ a combination of many hacks to accomplish the goal.
Chained Exploit Example
130 Million Credit Cards Stolen – Gonzalez Indictment
• SQL Injection Attacks
• SQL Injection Strings
• Malware
• Root kits
• Visiting the stores
• Disabling the logs
• Using Proxies
Little Known Fact: Occurred on a Virtual Switch!!
Exploiting Potential Vulnerabilities…
Default Weaknesses
Insecurities left in by default.
Manufacturers often will default to what will cause them the least amount of tech support calls, not necessarily what is the most secure!
Are you ready for a Pen Test?
I can't tell you how many times I was asked to delay a pen test because the client was not READY???
What is that?
When was the last time a hacker asked if you were ready before he attacked you?
What is your current posture?
How secure are you?
How have you empowered your people to do the correct things?
Breaking virtualization means…
- Virtual Physical Access
…hacking the underlying layer
…accessing systems locally
…bypassing access and network controls
…hitting multiple targets at once
96% of the Fortune 1000 *
Small number of different solutions deployed
* http://www.vmware.com/company/customers/
VMware ESX™ and vSphere™
VMware has boiled down its network security in both the VI3 and vSphere* product lines to three check boxes.
None of the defaults will foil what I am about to show you.
Note: vSphere has added VMsafe and vShield Zones (and v2), which significantly tightens security if implemented correctly, as well as Private VLANs and roles and permissions around networking with its 4.x version.
Typical OSSTMM Methodology
Information Gathering → Scanning → Enumeration → Penetration
• Fail: start over, or tell them great job
• Succeed: Escalate Privileges → Steal Data or Leave Proof of Hack → Cover Tracks, Leave Backdoors
Scanning for ESX
We have to find the systems first.
Just like any other service, ESX has its own
NMAP – will give you what you need, mostly.
How about Getting a Hand for the Search? Using Shodan
Shodan
Stealing the Password
VIC Client Login
DECISION TIME!
Human Habits
Sometimes referred to as Social Engineering
Sometimes the MFG has TAUGHT us to do
it this way!!!
Because of simple human nature….
Once a procedure is taught in a specific way, it is very difficult to un-teach someone.
Can This be fixed??
If you have trained your people to click the ignore button for some period of time, my argument is NO, it can never be fixed now.
• Let me explain.
Password Revealed…
Demo
iSCSI
iSCSI protocol – how it is virtually impossible to secure if you have access to the network it uses, given the tools shipped from VMware.
(Diagram labels: HACKER, Remote Data Storage)
Tools, Tools, Tools
A Plumber has a spanner wrench
A Mechanic has water pump pliers
A Carpenter has a shingle hammer
Where are the Virtualization PenTester's specific tools?
But What about Specific Tools?
The Virtualization Pen Tester needs his specialized tools too!
He is dealing with a specialized environment.
Why shouldn't he have his own special tools?
Pooling Our Skillset
Tim Pierson
Claudio Criscione
VASTO
The Virtualization ASsessment TOolkit
It is an “exploit pack” for Metasploit focusing on virtualization and cloud security.
Announcing Beta 0.3 – available from the download link at the end of the presentation, after validation.
Credits to Claudio Criscione for the majority of the work, Tim Pierson for the Host Attack and VIC attack modules, and Luca Carettoni, Paolo Canaletti and drk1wi for helping with the Metasploit modules!
VASTO Areas to focus our Attacks
• Client
• Hypervisor
• Support
• Management
• Internal
Tools Of The Trade
Recon
Local – are you in a VM?
• Easy – check MAC address, processes
• Not so easy – hardware access
Remote – where's virtualization?
• Fingerprinting network services
• Helpful to discover “hidden” virtualization installations
vmware_version
Handy SOAP API to call
Works on most VMware products
Module leverages standard Metasploit scanner features (e.g. IP range scanning)
[…]<RetrieveServiceContent xmlns="urn:internalvim25">
  <_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
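The same RetrieveServiceContent call is what a defender uses to confirm that every vSphere API endpoint on the network is a known, inventoried host at the expected version; the slide's point about discovering “hidden” installations cuts both ways. The script below is an added example, not code from the presentation or from VASTO: it builds the request shown on the slide, parses the `about` block of a response (the field names follow the vSphere API's AboutInfo, the product, version and build values in the sample response are constructed), and compares the answering host against an approved inventory. Host addresses and the inventory mapping are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# The RetrieveServiceContent request the slide shows, with the namespace it uses.
RETRIEVE_SERVICE_CONTENT = (
    '<RetrieveServiceContent xmlns="urn:internalvim25">'
    '<_this type="ServiceInstance">ServiceInstance</_this>'
    '</RetrieveServiceContent>'
)

# Constructed sample response. The element names follow the vSphere API's
# ServiceContent.about (AboutInfo) structure; product, version and build are invented.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <RetrieveServiceContentResponse xmlns="urn:internalvim25">
   <returnval>
    <rootFolder type="Folder">ha-folder-root</rootFolder>
    <about>
     <name>VMware ESXi</name>
     <fullName>VMware ESXi 4.1.0 build-123456</fullName>
     <vendor>VMware, Inc.</vendor>
     <version>4.1.0</version>
     <build>123456</build>
     <apiType>HostAgent</apiType>
     <apiVersion>4.1</apiVersion>
    </about>
   </returnval>
  </RetrieveServiceContentResponse>
 </soapenv:Body>
</soapenv:Envelope>"""


def _local(tag):
    """Drop the XML namespace so urn:vim25 and urn:internalvim25 responses parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_about(soap_xml):
    """Return the <about> block of a RetrieveServiceContent response as a dict, or None."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if _local(elem.tag) == "about":
            return {_local(child.tag): (child.text or "").strip() for child in elem}
    return None


def classify_host(address, about, inventory):
    """Compare a responding host with the approved inventory (address -> expected version).

    Returns a list of findings; an empty list means the host is known and at the
    version the inventory records.
    """
    if about is None:
        return ["no ServiceContent/about block: not a vSphere API endpoint"]
    expected = inventory.get(address)
    if expected is None:
        return ["host not in approved inventory (possible unmanaged/hidden install)"]
    if about.get("version") != expected:
        return [f"version {about.get('version')} differs from inventory ({expected})"]
    return []


if __name__ == "__main__":
    # Assumed addresses: 192.0.2.10 is inventoried, 192.0.2.20 is not.
    info = parse_about(SAMPLE_RESPONSE)
    print(info["fullName"], info["apiType"])
    print(classify_host("192.0.2.10", info, {"192.0.2.10": "4.1.0"}))
    print(classify_host("192.0.2.20", info, {"192.0.2.10": "4.1.0"}))
```

Run it against the real endpoint by POSTing `RETRIEVE_SERVICE_CONTENT` in a SOAP envelope to `/sdk` over HTTPS and feeding the body to `parse_about`; anything that answers and is not in the inventory is the “hidden” installation the slide talks about, and a host answering with an older version than recorded is a patch gap.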
In the beginning was the command line
We used to have binary clients
Then everyone moved to web applications
Now, back to binary clients, like XenCenter or the VMware VI Client
Can we exploit these clients? Let's see…
VI Client Auto Update feature
clients.xml – WCPGW?
<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>
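What can go wrong is visible in the file itself: the download host is a wildcard, so the client fetches and runs an installer from whichever server it happened to connect to, with nothing in the file that binds the installer to a known build. The following added example (not code from the presentation or from VMware) audits a `clients.xml` for exactly those two properties and shows the compensating control an administrator can apply on the client side: compare the downloaded installer's SHA-256 against a hash recorded from a known-good copy before letting anyone run it. The installer bytes and pinned hash are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# clients.xml as shown on the slide.
CLIENTS_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""


def audit_clients_xml(xml_text):
    """Return (connection id, finding) pairs for update settings that trust the server blindly."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("clientConnection"):
        cid = conn.get("id", "?")
        url = (conn.findtext("downloadUrl") or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((cid, "installer download is not over https"))
        if parts.netloc in ("", "*"):
            # A wildcard host means "the server you are talking to", whoever that is.
            findings.append((cid, "wildcard download host: installer comes from whichever "
                                  "server the client connected to"))
        if not parts.path.lower().endswith(".exe"):
            findings.append((cid, f"unexpected installer path {parts.path!r}"))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def installer_is_trusted(installer_bytes, pinned_sha256_hex):
    """Accept an installer only if it matches the hash recorded from a known-good copy.

    This is the client-side substitute for the code signing the slide says is missing.
    """
    return hmac.compare_digest(sha256_hex(installer_bytes), pinned_sha256_hex.lower())


if __name__ == "__main__":
    for cid, finding in audit_clients_xml(CLIENTS_XML):
        print(f"clientConnection {cid}: {finding}")

    # Constructed stand-in for the installer and for the pin an admin recorded earlier.
    known_good = b"constructed: bytes of the VMware-viclient.exe an admin verified by hand"
    pinned = sha256_hex(known_good)
    print("known-good copy accepted:", installer_is_trusted(known_good, pinned))
    print("tampered copy accepted:  ", installer_is_trusted(known_good + b"\x00", pinned))
```

The pin has to come from somewhere other than the server that serves the update (a vendor checksum, or a copy installed from verified media), otherwise the check only confirms that the man in the middle was consistent. `hmac.compare_digest` is used for the comparison so that the hash check itself does not leak through timing.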
vmware_vilurker
The VIlurker module can perform user-assisted code execution provided you can do MITM on a client.
Almost no one is using trusted certificates.
No code signing on updates, but the user gets a certificate warning.
ShmooCon 2010
ShmooCon 2010
VULNERABILITY (WCPGW?)
Web server running as root!!!!
vmware_guest_stealer
CVE-2009-3733
This path traversal was discovered by Flick and Morehouse and presented last year.
The exploit was released as a Perl script and it has been ported to VASTO.
It can be used to retrieve any file as the root user, including non-running guests. Works on outdated ESX, ESXi, Server.
Attacking Support Components
I love the irony of it!
Must have the Host Update feature running.
Responsible for deploying security patches on remote ESX, ESXi servers.
It runs an outdated version of Jetty and it is vulnerable to path traversal (again).
Introducing vpxd-profiler-*
It is a “debug” file written by vCenter.
Lots of information inside. Let's go for low-hanging fruit for now. More to come!
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
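The low-hanging fruit is the combination on one line of a user name, a session ID and a SOAP session ID, which is what the session-riding module further on consumes. A defender wants to know whether the profiler files on a vCenter server are leaking live session material, and to scrub them before they are copied into support bundles or log collectors. The parser below is an added example, not code from the presentation or from VMware: it splits the slash-separated path format of the slide's line (the slide's own fake GUIDs and account name, with the quote characters normalised), reports the session identifiers and user name it finds, and produces a redacted copy. The assumption that every quoted `Id` and `Username` component is sensitive is the example's own policy.

```python
import re

# The vpxd-profiler line from the slide, quotes normalised; the GUIDs and the
# account name are the slide's own fake values.
SAMPLE_LINE = (
    "/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'"
    "/Username='FakeDomain\\FakeUser'"
    "/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1"
)

# One path component: /Key or /Key='value'
COMPONENT = re.compile(r"/(?P<key>[A-Za-z0-9_]+)(?:='(?P<val>[^']*)')?")
SENSITIVE_KEYS = {"Id", "Username"}


def _split_path_value(line):
    """Separate the slash path from the trailing metric value ('... 1')."""
    path, sep, value = line.rstrip().rpartition(" ")
    if not sep:
        return line.rstrip(), ""
    return path, value


def parse_profiler_line(line):
    """Return ([(key, value_or_None), ...], metric_value) for one profiler line."""
    path, value = _split_path_value(line)
    components = [(m.group("key"), m.group("val")) for m in COMPONENT.finditer(path)]
    return components, value


def find_session_leaks(line):
    """Pull the session ID, SOAP session ID and user name out of a line, if present."""
    components, value = parse_profiler_line(line)
    leak = {"session_id": None, "soap_session_id": None, "username": None, "value": value}
    parent = None  # last bare component, e.g. 'Session' or 'SoapSession'
    for key, val in components:
        if val is None:
            parent = key
            continue
        if key == "Id" and parent == "Session":
            leak["session_id"] = val
        elif key == "Id" and parent == "SoapSession":
            leak["soap_session_id"] = val
        elif key == "Username":
            leak["username"] = val
    return leak


def redact_line(line):
    """Replace every quoted Id/Username value so the file can be shared safely."""
    path, value = _split_path_value(line)

    def sub(m):
        if m.group("val") is not None and m.group("key") in SENSITIVE_KEYS:
            return f"/{m.group('key')}='<redacted>'"
        return m.group(0)

    redacted = COMPONENT.sub(sub, path)
    return f"{redacted} {value}" if value else redacted


def scan_profiler(lines):
    """Report every line that carries a session or SOAP session identifier."""
    return [find_session_leaks(l) for l in lines
            if "/Session/Id=" in l or "/SoapSession/Id=" in l]


if __name__ == "__main__":
    print(find_session_leaks(SAMPLE_LINE))
    print(redact_line(SAMPLE_LINE))
```

Run `scan_profiler` over each `vpxd-profiler-*` file to get a count of exposed sessions per user, and `redact_line` over the file before it leaves the server; the real mitigation is restricting read access to the vCenter log directory, since the file is written by design.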
So where do I write the SOAP ID?
vmware_session_rider
Using the session is complex: the VI Client has tight timeouts.
vCenter does not write log information immediately – approximately every 5 minutes.
The module acts as a proxy to access vCenter using the stolen session.
• The proxy is what we actually log in to in order to grab the session.
• Can be easily tweaked to act as a password grabber (unlike VIlurker). Will fake the login to the client.
The last exploits combined: vmware_autopwn
Fresh from Black Hat!
You all know Tomcat.
VMware knows too.
Administration was disabled in version 4.0.
Not in version 4.1: VMwareAdmin is your friend!
In all my tests (3), passwords were 4 uppercase, 1 number, 1 lowercase (starting lowercase)
vmware_webaccess_portscan
CVE-2010-0686
“URL Forwarding” means performing POST requests on remote hosts.
Can be used to exploit IP-based trusts and reach internal networks.
Not just portscan!
Management is not just interface
vCenter connects to ESX server via SSL [SOAP]
Certificates are usually not trusted, but stored.
MITM by breaking the connection
On reconnection, the vCenter will check for the certificate CN
Spoof the CN and Admin gets usual warning
Admin agrees and password sniffed
Once again
Do MITM between ESX and vCenter
Take the ESX offline. Wait for reconnection by the admin.
Spoof ESX's certificate CN.
Admin gets a warning, you get his password.
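The attack works because the check on reconnection asks only “does the CN match?”, and the stored certificate is never compared against the one now being presented. The snippet below is an added example (not code from the presentation, VASTO or VMware) contrasting that CN-only check with thumbprint pinning: the first certificate seen for a host is recorded, and any later certificate with the same CN but different bytes is refused rather than handed to the admin as a warning to click through. The DER byte strings are constructed stand-ins; in a real check they would come from `ssl.SSLSocket.getpeercert(binary_form=True)`, and the host name is an assumption.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates.
GENUINE_ESX_DER = b"constructed: DER of the real esx01 certificate"
SPOOFED_ESX_DER = b"constructed: DER of an attacker certificate carrying the same CN"


def thumbprint(der_bytes):
    """SHA-256 over the DER encoding; vCenter shows SHA-1, any fixed hash works for pinning."""
    return hashlib.sha256(der_bytes).hexdigest()


def cn_only_check(expected_host, presented_cn):
    """The weak check the slides describe: accept when the CN matches the host name."""
    return presented_cn.lower() == expected_host.lower()


class PinnedHostStore:
    """Remembers the thumbprint recorded for each ESX host and refuses later changes."""

    def __init__(self):
        self._pins = {}

    def pin(self, host, thumbprint_hex):
        """Preload a pin obtained out of band (e.g. read from the host's own console)."""
        self._pins[host] = thumbprint_hex.lower()

    def check(self, host, presented_cn, der_bytes):
        """Return 'cn-mismatch', 'first-use', 'match' or 'MISMATCH' for a reconnection."""
        if not cn_only_check(host, presented_cn):
            return "cn-mismatch"
        tp = thumbprint(der_bytes)
        pinned = self._pins.get(host)
        if pinned is None:
            # Trust on first use: record it, but treat it as provisional until confirmed.
            self._pins[host] = tp
            return "first-use"
        if tp == pinned:
            return "match"
        # Right CN, different key material: exactly the reconnection-MITM scenario.
        return "MISMATCH"


if __name__ == "__main__":
    host = "esx01.example.test"  # assumed host name
    store = PinnedHostStore()
    print("initial connect:   ", store.check(host, host, GENUINE_ESX_DER))
    print("normal reconnect:  ", store.check(host, host, GENUINE_ESX_DER))
    print("CN-only check says:", cn_only_check(host, host))
    print("pinned check says: ", store.check(host, host, SPOOFED_ESX_DER))
```

The outcome to act on is `MISMATCH` on a host that was previously `match`: that is a refused connection plus an alert, not a dialog for the admin. The weaker `first-use` result is where the remaining exposure sits, which is why the pin for a freshly deployed host should be entered with `pin()` from a source other than the network.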
If everything else failed…
vmware_login
If nothing works, you can always bruteforce!
Will do standard Metasploit bruteforcing.
No lockout on standard accounts (unless joined to AD) means a lot of bruteforcing fun.
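With no lockout on local accounts, the control that remains is detection: a burst of failed logins from one source, and above all a success from a source that was just failing. The detector below is an added example, not code from the presentation or from VASTO, run over constructed log lines in a hypothetical `timestamp login user=… source=… result=…` format (real hostd and vCenter logs are formatted differently and need their own regex). It keeps a sliding window of failures per source, alerts when the window crosses a threshold, flags successful logins that follow such a burst, and also returns untimed totals, since guessing spread out to one attempt every 30 seconds never trips a one-minute window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format; dates and addresses are invented.
SAMPLE_LOG = """\
2010-08-10T10:00:01 login user=root source=10.0.0.5 result=FAIL
2010-08-10T10:00:03 login user=root source=10.0.0.5 result=FAIL
2010-08-10T10:00:05 login user=root source=10.0.0.5 result=FAIL
2010-08-10T10:00:07 login user=admin source=10.0.0.5 result=FAIL
2010-08-10T10:00:09 login user=admin source=10.0.0.5 result=FAIL
2010-08-10T10:00:11 login user=administrator source=10.0.0.5 result=FAIL
2010-08-10T10:00:13 login user=root source=10.0.0.5 result=OK
2010-08-10T10:00:20 login user=root source=10.0.0.9 result=FAIL
2010-08-10T10:05:00 login user=root source=10.0.0.9 result=FAIL
2010-08-10T11:00:00 login user=root source=10.0.0.7 result=FAIL
2010-08-10T11:00:30 login user=root source=10.0.0.7 result=FAIL
2010-08-10T11:01:00 login user=root source=10.0.0.7 result=FAIL
2010-08-10T11:01:30 login user=root source=10.0.0.7 result=FAIL
2010-08-10T11:02:00 login user=root source=10.0.0.7 result=FAIL
"""

LINE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) source=(?P<src>\S+) result=(?P<res>\S+)$"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window failed-login counter per source.

    Returns (alerts, suspicious_successes, totals):
      alerts   - source -> (failures inside the window, distinct user names tried)
      suspicious_successes - (source, user, timestamp) for an OK that follows a burst
      totals   - failures per source regardless of timing (catches slow guessing)
    """
    recent = defaultdict(deque)
    totals = defaultdict(int)
    alerts = {}
    suspicious_successes = []
    window = timedelta(seconds=window_seconds)

    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        src, user, res = m.group("src"), m.group("user"), m.group("res")
        dq = recent[src]
        # Drop failures older than the window relative to this event.
        while dq and ts - dq[0][0] > window:
            dq.popleft()
        if res == "OK":
            if len(dq) >= threshold:
                suspicious_successes.append((src, user, m.group("ts")))
            continue
        if res != "FAIL":
            continue
        totals[src] += 1
        dq.append((ts, user))
        if len(dq) >= threshold:
            alerts[src] = (len(dq), len({u for _, u in dq}))
    return alerts, suspicious_successes, dict(totals)


if __name__ == "__main__":
    alerts, successes, totals = detect_bruteforce(SAMPLE_LOG)
    print("burst alerts:        ", alerts)
    print("success after burst: ", successes)
    print("total failures:      ", totals)
```

In the sample, 10.0.0.5 trips the window and then logs in successfully as root, which is the event worth paging on; 10.0.0.7 never trips the window but shows up in `totals`, so a daily report on totals is the second half of the detection.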
What's On the Horizon?
• Will eventually include these as modules as well
• Discovered by great researchers
• Low level attacks, close to the CPU or OS
Multiple local Escalation of Privilege in Virtual Machines
What else?
vmware_sfcb_exec
CVE-2010-2667
A vulnerability in Virtual Appliance Management Infrastructure resulting in code exec as root.
Requires authentication OR can be exploited locally without any authentication.
So, can we attack virtualization?
Other Problems
Generic TLS renegotiation prefix injection vulnerability
Other Problems
Will VMware Renegotiate?
Yes
No
Mitigation Techniques
All of the problems I have demonstrated have mitigation techniques.
We have mentioned just two or three of the indirect flaws of this overall FANTASTIC product!
You really need to perform a complete pen test on each piece of the environment in order to figure out if you are secure.
What about Compliance?
Can you be compliant with an out-of-the-box installation?
• Do you have a way to report changes made to the ESX server via the Service Console?
• How many have access to root?
• Why do we use the root account?
You must have a 3rd party SIEM in place.
• (SIEM: Security Event and Incident Management)
Here are a few options that go beyond a basic SIEM to include other needed security measures.
• Catbird
• HyTrust
• ISO 2700x
• A Pen Tester must recommend mitigation techniques and tools.
Other Considerations….
Since most infrastructure is moving to the virtual environment, we should pose the question for critical infrastructure.
• Power Grid
• Fresh Drinking Water
• Transportation Services
Virtualize a physical environment before you pen test it.
• Use PlateSpin or equivalent to virtualize a physical DMZ, then hammer it to death. With approval, use a successful attack to attempt the same.
Whose responsibility is it?
Since this conference is I would be amiss if I did not mention who's responsible for this security.
Data Owner?
Cloud Custodian?
User?
Review
It is still just another layer to attack!
VMsafe? Really
Scanning
Common management errors.
ARP Cache Poisoning
Tools
Web Interface (like Nancy Reagan said… just don't do it). But sometimes you have no choice….