Honeypots mailing list archives

RE: [in] Re: (pacsec bonus) Re: VMWare Detection?


From: "Curt Purdy" <purdy () tecman com>
Date: Wed, 17 Nov 2004 04:55:54 -0600

Kurt Seifried wrote:
Computer BIOS
One way to identify VMware systems is by their BIOS; there 
are a number of free Windows utilities that can query the 
BIOS for information and even extract a copy of the BIOS from 
the VMware system. The good news is that from within Windows 
NT/2000 you cannot easily access the BIOS and send commands 
<snip>

Very cool, Kurt. This is the first I've seen of this. But this concept has
always been in the back of my mind and bothered me, which is why in addition
to a VMware virtual subnet and Honeywall virtual subnet, I have real, plain
vanilla boxes scattered throughout my honeynet.

I monitor this Class C for ANY activity with Snort. Since it is a dead
subnet, any alert is not a false positive and any true hacker that is not
fooled by my virtual nets will get stuck by the real boxes (don't use tarpit
'cause I don't want to piss off anybody ;)  That gives me the time I need to
harden/closely monitor my real subnets.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer 
DP Solutions

-----------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
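
The dead-subnet monitoring described in the message above, as an added example that is not part of the original post: it parses Snort "fast" format alert lines, lists every source that touched the unused subnet, and pairs each with any alerts the same source raised against a real subnet. The address ranges, SIDs and alert lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed addressing (documentation ranges, not taken from the post).
DEAD_NET = ipaddress.ip_network("192.0.2.0/24")     # unused Class C holding the decoys
REAL_NET = ipaddress.ip_network("198.51.100.0/24")  # a production subnet

# Snort "fast" alert line: timestamp [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\].*\{\w+\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# Constructed sample alerts, including one line that must be skipped.
SAMPLE_ALERTS = """\
11/17-04:10:02.101000  [**] [1:1000001:1] Traffic to dead subnet [**] [Priority: 1] {TCP} 203.0.113.7:4431 -> 192.0.2.15:445
11/17-04:10:03.250000  [**] [1:1000001:1] Traffic to dead subnet [**] [Priority: 1] {TCP} 203.0.113.7:4432 -> 192.0.2.16:445
11/17-04:12:40.000000  [**] [1:1000001:1] Traffic to dead subnet [**] [Priority: 1] {ICMP} 203.0.113.99 -> 192.0.2.1
11/17-04:31:19.700000  [**] [1:2000002:3] SMB probe [**] [Priority: 2] {TCP} 203.0.113.7:4490 -> 198.51.100.20:445
11/17-04:40:00.000000  [**] [1:2000002:3] SMB probe [**] [Priority: 2] {TCP} 203.0.113.50:1025 -> 198.51.100.20:445
truncated line that does not parse
"""

def triage(lines):
    """Map each source that touched the dead subnet to the decoys it hit and
    to any alerts the same source raised against the real subnet."""
    dead, real = {}, {}
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # octet out of range
        if dst in DEAD_NET:
            entry = dead.setdefault(m["src"], {"first_seen": m["ts"], "decoys": set()})
            entry["decoys"].add(str(dst))
        elif dst in REAL_NET:
            real.setdefault(m["src"], []).append((m["ts"], str(dst)))
    # Only sources seen in the dead subnet are reported; no tuning is needed there.
    return {src: {**info, "real_hits": real.get(src, [])} for src, info in dead.items()}

if __name__ == "__main__":
    for src, info in triage(SAMPLE_ALERTS.splitlines()).items():
        print(src, info["first_seen"], sorted(info["decoys"]), info["real_hits"])
```

A source that appears only against the real subnet (203.0.113.50 in the sample) is left to normal alert handling; the report covers only sources already seen in the dead subnet.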

