Nmap Development mailing list archives
Vmware Servers and Hosts
From: Robert Slater <robert () synapticsolutions com au>
Date: Tue, 27 Mar 2007 22:26:51 +1000
This is a quick hello.. Before I descend into lurk mode.

I have been using nmap for many years, it's one of those tools that are immediately updated on new systems. One of the things that is pretty high on my priority list is Windows OS and Service detection. Using a combination of smb and nmap you can suck lots of information about an unknown network.

I have scanned a couple of the networks from their Internal interface. Interesting results, mainly because I use VMWare virtual machines.

Example:
####################################
PORT   STATE SERVICE      VERSION
53/tcp open  domain       Microsoft DNS
88/tcp open  kerberos-sec Microsoft Windows kerberos-sec
<CUT>
MAC Address: 00:0C:29:02:B9:8B (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
Network Distance: 1 hop
Service Info: OS: Windows
########################################

I have submitted this as an unidentified OS, so have cut the fingerprint and a few of the expected services detected correctly.

This next one is the same physical machine.
######################################
MAC Address: 00:16:76:9D:E1:21 (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 47.791 days (since Thu Feb 8 03:43:33 2007)
Network Distance: 1 hop
Service Info: OS: Linux
####################################

Here is another machine running SME 7 server on CentOS 4.3 base
#######################################
MAC Address: 00:0C:29:73:F3:C4 (VMware)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18 - 2.6.4 (x86)
#######################################

The interesting thing about vmware servers is that they **always** seem to have the fact that it is VMware in the <virtual> MAC address. Is this just a fluke on 5 virtual machines or can someone verify this?

The physical machine appears quite a few times within nmap. Especially if each VMware server has its own interface.
If VMWare server is installed with the console you always seem to get
#####
902/tcp open ssl/vmware-auth VMware GSX Authentication Daemon x.xx
#####
on the VMware host

So from this is it safe to conclude that:

A] If a machine has 902/tcp open then it is a VMWare host.
B] If the scanned machine has a vmware MAC address then the machine is virtual.

If this is the case then is there any way of linking A to B? So we can know which virtual machine/s lives on which host/s?

regards
Robert Slater

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
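The two indicators raised in the message above (an open 902/tcp vmware-auth service, and a VMware vendor prefix in the MAC address) can be pulled out of saved scan output for asset inventory. The following is an added example, not part of the original post or of nmap: it tags each host as a candidate only and does not link guests to hosts. The "Nmap scan report for" header, the IP addresses, the tag names and the OUI prefixes other than 00:0C:29 are assumptions of this example.

```python
import re

# VMware-registered OUI prefixes. The post shows only 00:0C:29; the others
# are added here as an assumption of this example.
VMWARE_OUIS = {"00:0C:29", "00:50:56", "00:05:69", "00:1C:14"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ((?:[0-9A-F]{2}:){5}[0-9A-F]{2})", re.I)
AUTH_RE = re.compile(r"^902/tcp\s+open\s+\S*vmware-auth")


def classify(nmap_text):
    """Return {host: sorted list of tags} from nmap normal output."""
    results, current = {}, None
    for line in nmap_text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = set()
            continue
        if current is None:
            continue  # ignore anything before the first host header
        m = MAC_RE.match(line)
        if m and m.group(1).upper()[:8] in VMWARE_OUIS:
            results[current].add("vmware-guest-candidate")  # heuristic B
        elif AUTH_RE.match(line):
            results[current].add("vmware-host-candidate")   # heuristic A
    return {h: sorted(t) for h, t in results.items()}


# Constructed sample output: addresses are made up, MACs are those in the post.
SAMPLE = """\
Nmap scan report for 10.0.0.5
902/tcp open ssl/vmware-auth VMware GSX Authentication Daemon x.xx
MAC Address: 00:16:76:9D:E1:21 (Intel)
Nmap scan report for 10.0.0.6
53/tcp open domain Microsoft DNS
MAC Address: 00:0C:29:02:B9:8B (VMware)
Nmap scan report for 10.0.0.7
22/tcp open ssh
MAC Address: 00:0C:29:73:F3:C4 (VMware)
"""

if __name__ == "__main__":
    for host, tags in classify(SAMPLE).items():
        print(host, tags or ["no-vmware-indicator"])
```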