Nmap Development mailing list archives

Vmware Servers and Hosts


From: Robert Slater <robert () synapticsolutions com au>
Date: Tue, 27 Mar 2007 22:26:51 +1000

This is a quick hello..
Before I descend into lurk mode.
I have been using nmap for many years; it's one of those tools that are 
immediately updated on new systems.

One of the things that is pretty high on my priority list is Windows 
OS and Service detection.
Using a combination of smb and nmap you can suck lots of information 
about an unknown network.

I have scanned a couple of the networks from their Internal interface. 
Interesting results, mainly because I use VMWare virtual machines.
Example:
####################################
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Microsoft DNS
88/tcp   open  kerberos-sec Microsoft Windows kerberos-sec
<CUT>
MAC Address: 00:0C:29:02:B9:8B (VMware)
No exact OS matches for host (If you know what OS is running on it, see 
http://insecure.org/nmap/submit/ ).
Network Distance: 1 hop
Service Info: OS: Windows
########################################
I have submitted this as an unidentified OS, so have cut the 
fingerprint and a few of the expected services detected correctly.
This next one is the same physical machine.
######################################
MAC Address: 00:16:76:9D:E1:21 (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 47.791 days (since Thu Feb  8 03:43:33 2007)
Network Distance: 1 hop
Service Info: OS: Linux
####################################



Here is another machine running SME 7 server on CentOS 4.3 base
#######################################
MAC Address: 00:0C:29:73:F3:C4 (VMware)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18 - 2.6.4 (x86)
#######################################

The interesting thing about vmware servers is that they **always** seem 
to have the fact that it is VMware in the <virtual> MAC Address.
Is this just a fluke on 5 virtual machines or can someone verify this?

The physical machine appears quite a few times within nmap. Especially 
if each VMware server has its own interface.

If VMWare server is installed with the console you always seem to get
#####
902/tcp   open  ssl/vmware-auth VMware GSX Authentication Daemon x.xx
#####
on the VMware host

So from this is it safe to conclude that:
A] If a machine has 902/tcp open then it is a VMWare host.
B] If the scanned machine has a vmware MAC address then the machine is 
virtual.

If this is the case then is there any way of linking A to B?
So we can know which virtual machine/s lives on which host/s?

regards
Robert Slater


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
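
Added example (not part of the original post and not Nmap's own code): a Python sketch that applies rules A and B from the message to nmap normal output for asset inventory. Rule A is keyed on the `vmware-auth` service name from version detection rather than on an open port 902 alone, and rule B on the vendor string nmap prints after the MAC address. The sample report, its 192.0.2.x addresses and the label names are constructed for illustration.

```python
import re

# Constructed sample in nmap's normal-output format; addresses are from the
# 192.0.2.0/24 documentation range, MAC/port lines are modelled on the post.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Microsoft DNS
MAC Address: 00:0C:29:02:B9:8B (VMware)

Nmap scan report for 192.0.2.20
PORT     STATE SERVICE         VERSION
902/tcp  open  ssl/vmware-auth VMware GSX Authentication Daemon
MAC Address: 00:16:76:9D:E1:21 (Intel)

Nmap scan report for 192.0.2.30
PORT     STATE SERVICE VERSION
902/tcp  open  unknown
MAC Address: 00:16:76:AA:BB:CC (Intel)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")


def classify(report):
    """Return {host: set of labels} for one nmap normal-output report."""
    results, host = {}, None
    for line in report.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            results[host] = set()
        elif host is None:
            continue  # ignore anything before the first host header
        elif m := PORT_RE.match(line):
            port, service = m.groups()
            if "vmware-auth" in service:
                results[host].add("vmware-host")          # rule A, confirmed by -sV
            elif port == "902":
                results[host].add("port-902-unverified")  # open port alone is weak
        elif m := MAC_RE.match(line):
            if "vmware" in m.group(2).lower():
                results[host].add("vmware-guest")         # rule B, vendor from OUI
    return results


if __name__ == "__main__":
    for host, labels in classify(SAMPLE).items():
        print(host, sorted(labels) or ["no-vmware-indicator"])
```

Both rules are heuristics: nmap only reports a MAC address for targets on the same Ethernet segment as the scanner, and a guest's MAC address can be changed in the virtual machine's configuration.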

