Penetration Testing mailing list archives

Re: Suggested lab materials/systems/setup?

From: Tim <tim-pentest () sentinelchicken org>
Date: Sat, 16 Jul 2005 09:02:32 -0400

I'd considered Vmware for just the reasons you (and others) mentioned but
since I have the extra hardware lying about I might as well put it to use.
One thing that I need to read up on (or get some info from list members) is
how Vmware handles socket connections. A lot of the assessment tools out
there can query raw sockets (either via network or on the host depending on
type of tool). Since Vmware runs the guest OS in a virtual machine, will the
host OS layer skew report results or external data injection techniques etc?


For instance, let's say Windows 2k3 is susceptible to a new tcp/ip attack
due to the way the 2k3 stack handles things. If I ran a 2k3 guest virtual OS
under a Linux host OS (which does not have vulnerabilities to the same
tcp/ip stack weaknesses) would the host OS interfere when passing that data
to the guest? One hypothetical scenario to help illustrate what I mean:
attacker/tester sends malformed tcp packets to target "2k3" machine. Linux
host OS (which is not vulnerable) accepts packet, ignoring or (worse)
dropping the malformed payload portion, and passes it on to the guest
virtual 2k3 OS. The attack/test fails but in the real world it wouldn't.
Oops.


Yes, I think this is a legitimate concern, if you want to attack things
below the application layer.  If you are using a Linux host (which I
suggest you do), then you can open up the guest to lower-layer attacks
by using the Linux bridging kernel module(s).

Let me draw a diagram:

     eth1   ==============  host             guest    =================
------------| Linux host |----------------------------| Win 2k3 guest |
            ============== virtual          virtual   =================
                 |
                 | eth0
                 |


Here, the Linux host has two physical interfaces.  If you then configure
bridging to join eth1 and the host virtual adapter, you'll open up the
guest to much more direct attacks.  The Linux host will no longer be
able to assign an IP to eth1, which is why you'd want the second
interface.

I first read of this configuration on the honeynet website, in an
article about using VMWare guests as honeypots, with the host acting as
a bridging firewall.  I am sure you can still find the details on their
site.

You can also use this configuration with other VM software, such as
Bochs and Qemu.

HTH,
tim

Current thread:

Suggested lab materials/systems/setup? Erin Carroll (Jul 10)
- RE: Suggested lab materials/systems/setup? Nathan Einwechter (Jul 10)
- Re: Suggested lab materials/systems/setup? Terry Vernon (Jul 10)
- Re: Suggested lab materials/systems/setup? Mike Sweeney (Jul 10)
  - Re: Suggested lab materials/systems/setup? John Kinsella (Jul 11)
- <Possible follow-ups>
- RE: Suggested lab materials/systems/setup? glemmon (Jul 11)
- RE: Suggested lab materials/systems/setup? Desai, Dipen (Jul 15)
  - RE: Suggested lab materials/systems/setup? Erin Carroll (Jul 15)
    - RE: Suggested lab materials/systems/setup? Lyal Collins (Jul 16)
    - Re: Suggested lab materials/systems/setup? Tim (Jul 16)
  - Re: Suggested lab materials/systems/setup? ilaiy (Jul 19)
- RE: Suggested lab materials/systems/setup? Billy Dodson (Jul 18)
  - RE: Suggested lab materials/systems/setup? R. DuFresne (Jul 18)
- RE: Suggested lab materials/systems/setup? Desai, Dipen (Jul 18)