Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: Stef <stefmit () gmail com>
Date: Thu, 18 Nov 2004 22:15:44 -0600
Comments in-line
On Thu, 18 Nov 2004 21:36:04 -0600, Lance Spitzner <lance () honeynet org> wrote:
Lots of great discussions and tools demonstrated on detecting the use of VMware. Some pondering, if I may.
- In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies the system is using VMware. Lots of legitimate organizations use VMware, the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot.
Perfectly true! In fact none of our VMWare [production!] machines are honeypots - honeypots are everything BUT virtualized environments of any sort. By the way - if not willing or - even worse - not paying attention to changing them - the MAC addresses would betray VMWare, also ;) ( http://www.giac.org/practical/GCIA/Dana_Webber_GCIA.pdf and http://tinyurl.com/566lw )
- If an attacker does detect VMware, and assume it's a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems?
If that would be true, then I would really move all my servers to VMWare ...
- If attackers or automated threats do begin running automated detection mechanisms for VMware, would it not then be possible to put those very same signatures into legitimate systems, so threats now avoid them?
Yes!!! ... or at least I hope so (see previous point) ...
I'm not attempting to downplay the detection issue, but just some random thoughts.
lance
All very good points, Lance, and the more so that people - for whatever reasons - seem to equate VMWare with HONeypot (VMW = HON :))
Stef
On Nov 16, 2004, at 16:35, Kurt Seifried wrote:
Computer BIOS
One way to identify VMware systems is by their BIOS; there are a number of free Windows utilities that can query the BIOS for information and even extract a copy of the BIOS from the VMware system. The good news is that from within Windows NT/2000 you cannot easily access the BIOS and send commands, as direct access to the hardware is blocked. You can, however, easily query the BIOS for information from within the guest operating system; you will be given the following information: