Advanced Vmware Security The Lastest Threats and Tools

Transcription

1 Advanced Vmware Security The Lastest Threats and Tools

2 Introduction Who is VMTraining VMWARE Security around VMware

3 What are you in for? Hold On! Does ESX really have some major issues? Recent Cases involving ESX Pen Testing Methodology Gueststealer VASTO Mitigation techniques Future?

4 What is Happening today? VMware 80% of the Market Share Do the Tools used in Pen Testing work with virtualization? Are there hacks being designed just for VMware? What is this costing us?

5 Time to Discuss What are the main security concerns associated with virtualization in general? Segregation of Duties Accounting/Logging Who really has access to the cloud? Are these security mitigation techniques tested? Share Resources can they be attacked? Memory, CPU, Datastore

6 How Vulnerable is ESX or ESXi? It is really a hardened Red Hat and thus pretty darn secure in its own right. It is still just another layer to attack! Common management errors ARP Cache Poisoning Web Interface Lazy Admins SSLv3/TLS Renegotiation Web Server Vulnerablity Full on Exploits Metasploit and Exploit DB

7 Differences: VMware ESX vs. ESXi VMware ESX Hypervisor SC VMware ESXi Type1 Hypervisor L2-Switch L2-Switch Posix Shell

8 Differences: VMware ESX and ESXi ESX ESXi

9 Chained Exploit Example

10 Are you ready for a Pen Test? I can t tell you how many times I was asked to delay a pen test because the client was not READY??? What is that? When was the last time a hacker asked if you were ready before he attacked you. What is your current posture? How secure are you? How you empowered your people to do the correct things?

11 Methodology This does not change, regardless of the environment being tested. Information Gathering Scanning Enumeration Penetration Fail Start Over or tell them great job Succeed Escalate Privileges Steal Data or Leave proof of hack Cover Tracks Leave Backdoors

12 Tools. Google NMAP Since v4.8 Ettercap Cain and Abel Metasploit Claudio Criscione VASTO Virtualization ASsessment TOolkit

13 Shodan You have to be kidding me!

14

15 Scanning for ESX We have to find the systems first. Just like any other service, ESX has its own tells. NMAP will give you what you need. Lets see this in action!

16 How about the Web Interface? Enabled by default ESX 3.5 vsphere 4 Simple to understand the URL settings VirtualMachine vm=?? inventory=none or disabled tabs=hide or show

17 How we understand Fake Certificate Injection to work. ESX Sever SSL request SSL reply (Fake certificate) F&JLMDHGST*KU Stop Copy & Alter Cleartext SSL request SSL reply (Real Self Signed Cert) ARP Cache Poisoning will allow us to perform a successful SSL crack! The hacking tools will create fake certificates. Two simultaneous SSL connections are established. One between the victim and the hacker, the other between the hacker and the real server. The communication process starts on port 443 and once the SSL authentication has been established VMware moves the communication to port 902.

18 Stealing the Password VIC Client Login

19 DECISION TIME!

20 Password Revealed

21 Other Problems

22 HOW IT WORKS ON SERVER

23 Presented at SchmooCon 2010

24 Presented at SchmooCon 2010

25 Presented at SchmooCon 2010 VMINVENTORY.XML /etc/vmware/hostd/vminventory.xml (default location) Gives us Guest inventory & location information

26 GUEST.VMX &.VMDK.vmx gives us Guest config and file locations.vmdk (disk image) can point to other.vmdk images

27 VASTO Let s See the Gueststealer in Action!

28 VASTO - VILurker The nasty MiTM Attack!

29 Client Connection Process

30 VASTO VI luker The Auto Update Process <patchversion>3.0.0</patchversion> <apiversion>3.1.0</apiversion> <downloadurl> The Evil Guy <patchversion>10.0.0</patchversion> <apiversion>3.1.0</apiversion> <downloadurl>

31 VILurker Change the clients.xml filename The package will run under the user s priviledge! Administrator Anyone? Provide your nasty trojan package. Could be combined with other attacks. Create a fake web interface so you look ligit! This can be done as MiTM or Rouge Server You will trigger a certificate error Let s See this one in action! We are Troopers!

32 Other Clients VMware Converter Client Does not check SSL certificates VMware Server Does not Check SSL certificates

33 VASTO Other Modules Dictionary Attack How Large is your dictionary file? Fingerprinting Tool Need to know exactly what is running?

34 Generic TLS renegotiation prefix injection vulnerability ESX Sever Clien t STEP 1 Attack er Server (HTTPS) 1 TLS Handshake Session #1 (client <> server)

35 Generic TLS renegotiation prefix injection vulnerability ESX Sever Clien t STEP 2 Attack er 1.1 TLS Handshake Session #2 (attacker <> server) Server (HTTPS) Attacker sends application layer command of his choice Renegotiation is triggered

36 ESX Sever Clien t STEP 3 Attack er 3 Server (HTTPS) TLS Handshake Session #1 continued (client<>server) Within the encrypted session #2 (attacker<>server) 4 Client data is encrypted within session #1 (Green) (The attacker cannot read/manipulate this data), previous data (1,2) prefixed to newly sent clientdata

37 Other Problems Will VMWare Renegotiate? Ye s No

38 Mitigation Techniques

39 Future Security Concerns? Race Conditions? VMsafe? DataStores? Other Plugins?

40 Review