Droping a VM during pentesting

[johnemiller at gmail.com (johnemiller at gmail.com)]

Qemu can run directly from the USB drive. I've got it booting the default  
test image within seconds after the USB drive is installed. This requires  
that the drive stay plugged in, but that is still easier than hiding a full  
WRT.

I'm going to work on getting a custom debian install to boot headless and  
hopefully silently.

On Mar 10, 2009 10:46am, John Sawyer <jsawyer at ufl.edu> wrote:
> This is an interesting approach. It's like a virtualized dropbox minus  
> the hardware investment. I think you're right about the antivirus  
> detection. Since the tools would be contained within a VM, they should  
> stay hidden from antivirus making detection more difficult. Detecting big  
> changes in disk space might alert to something suspicious depending on  
> the size of the VM, but I don't know how many, if any, IT shops that do  
> that for client machines.


> It could be deployed via USB thumb drive, though depending on the size of  
> the VM, it might be slow copying a couple of gigs to the victim. Or, if  
> you pop it remotely and has SYSTEM privs, a small, easy-to-deploy package  
> could be pushed via meterpreter or similar.


> Several years ago, Microsoft and the University of Michigan created  
> something similar but more evil called subvirt that modified the boot  
> process and inserted a rootkitted hypervisor thereby subverting the  
> entire victim OS. As far as I know, they never released a working example  
> but there were some papers and I think a presentation at BH.


> Google the following for more info on the subvirt research.
> microsoft michigan rootkit hypervisor


> -jhs

> On Mar 10, 2009, at 10:20 AM, Jim Halfpenny wrote:

> Hi all,
> I've spent a few cycles thinking about the idea from a previous of  
> installing a virtual machine as a drop-box and I just wanted to dump my  
> ideas and get some feedback. It has some distinct The idea is to install  
> virtualisation software and a virtual machine on a target system for  
> example by gaining physical access or by abusing autorun on a removable  
> medium. Being a VM may shield it from anti-malware scanners so nefarious  
> tools can be loaded an run on the target without detection.

> One possible stack to use would be Qemu and a damn small Linux  
> derivative. It would be self contained and easy to install and remove and  
> not require any changes to the networking on the host system. Once  
> installed I would envision that the VM would perform reconnaissance  
> against the target network and deliver the data over a covert channel.

> What do you think? Ideas and suggestions most welcome.

> Jim
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090310/a892670b/attachment.htm