Penetration Testing mailing list archives

Re: Using a Virtualized Pen Test Platform


From: Pete Herzog <lists () isecom org>
Date: Tue, 27 Oct 2009 10:27:55 +0100

Hi Jon,

I just saw this so sorry that I'm a little late to respond.

You're right to worry if things are breaking that you don't see. It happens. Low-level packet crafting gets messed up and we have even noticed lost packets when receiving. We chalked this up to the multiple layers of abstraction which occur between the human interaction and the packet send or receive. This is why Windows systems also make bad test machines for low-level tests. But for application-level tests, we find it much more capable. I have yet to find more than just memory capacity errors from a virtual session for application tests. This info comes from hundreds of hours of testing multi-level tests for the OPST (OSSTMM Professional Security Tester) certification exam. It was such a problem that we had to discontinue the use of virtual sessions for OPST exams already back in 2004.

Before this post becomes flame bait, I want to say that virtualization, especially with hardware support, has come a long way since we stopped using it. However, we recently concluded a 3.5-year EU project where we worked fairly exclusively with XEN and L4 on Linux systems and found that even with proper hardware support, it had packet problems.

My advice is to get a 2nd, small, cheap system and keep Linux on it for testing. This way you won't be wasting your time with inefficiencies.

Sincerely,
-pete.

Pete Herzog, Managing Director, ISECOM
www.isecom.org

Jon Kibler wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I have traditionally used a multi-boot Linux box as my pen-test platform. It has
always had the disadvantage that I had to reboot into Windows to run some tools
that seem to break under wine.

For the past several months, I have been tinkering with using VMware Workstation
as my base platform, so I can just switch VMs rather than having to reboot. So
far, it seems to work pretty well. However, I am wondering if I am missing
something that is broken by VMware that I have not yet detected. For example,
does VMware break any of the packet crafters or other tools that do 'unusual'
things, that may cause the packet to not traverse correctly from VMware to the
outside target?

What other issues do I need to be aware of?

Also, is there any advantage or disadvantage of running Workstation vs. Server
vs. ESXi as the underlying VMware system?

What would be the advantages or disadvantages of running XEN? Does it have any
issues as a pen test platform hypervisor?

THANKS!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
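Both messages above raise the same practical question: does the virtual NIC path silently drop, duplicate, reorder or alter packets? Neither message includes code. The script below is an added example, written for this page and not code from either author or from ISECOM, of a coarse sanity check a tester can run from inside a VM before trusting it: it sends numbered UDP datagrams with random payloads to an echo listener and accounts for every reply. The `start_echo_server` helper is an assumption for offline use (it runs the listener on loopback in the same process); for a real check, run an equivalent UDP echo service on a bare-metal host on the far side of the virtual NIC and point `probe` at it.

```python
import os
import socket
import struct
import threading
import time

# Wire format of each probe: 4-byte big-endian sequence number, then random filler.
HEADER = struct.Struct("!I")


def start_echo_server(bind_host="127.0.0.1"):
    """Start a UDP echo listener on an ephemeral port in a background thread.

    Returns (address, stop_event). This stands in for an echo service on a
    bare-metal host; on loopback it only validates the harness itself.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_host, 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(65535)
            except socket.timeout:
                continue
            srv.sendto(data, peer)  # echo the datagram back unchanged
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname(), stop


def probe(target, count=200, size=256, timeout=1.0):
    """Send `count` numbered datagrams of `size` bytes to `target` and classify
    the replies. Returns a dict of counters: sent, received, lost, corrupted,
    duplicate, reordered, unexpected.
    """
    assert size > HEADER.size, "payload must leave room for the sequence number"
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)

    expected = {}  # seq -> exact bytes we sent, so any modification is visible
    for seq in range(count):
        payload = HEADER.pack(seq) + os.urandom(size - HEADER.size)
        expected[seq] = payload
        sock.sendto(payload, target)

    stats = {"sent": count, "received": 0, "lost": 0, "corrupted": 0,
             "duplicate": 0, "reordered": 0, "unexpected": 0}
    seen = set()
    last_seq = -1
    deadline = time.monotonic() + timeout
    while len(seen) < count and time.monotonic() < deadline:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        stats["received"] += 1
        if len(data) < HEADER.size:
            stats["unexpected"] += 1  # too short to carry our header
            continue
        (seq,) = HEADER.unpack_from(data)
        if seq not in expected:
            stats["unexpected"] += 1  # reply for a probe we never sent
            continue
        if seq in seen:
            stats["duplicate"] += 1
            continue
        seen.add(seq)
        if data != expected[seq]:
            stats["corrupted"] += 1  # right sequence number, altered bytes
        if seq < last_seq:
            stats["reordered"] += 1  # arrived after a higher sequence number
        last_seq = max(last_seq, seq)

    stats["lost"] = count - len(seen)
    sock.close()
    return stats


if __name__ == "__main__":
    # Self-test against the in-process loopback echo; loss here would mean the
    # harness itself is wrong, not the virtual NIC.
    addr, stop = start_echo_server()
    result = probe(addr, count=200, size=256, timeout=2.0)
    stop.set()
    for key, value in result.items():
        print(f"{key:>10}: {value}")
```

Two caveats on what this does and does not measure. It exercises the normal UDP socket path through the guest kernel and virtual NIC, so it can expose drops and corruption in that path, but it says nothing about raw-socket packet crafters, which is where the first message reports trouble; a check of those needs a capture on the receiving host compared against what the crafting tool claims it sent. And any loss figure is only meaningful when the same probe, run from the bare-metal host against the same listener, shows none.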
