My new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon

Just published my new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon.

Check it out.

Most virtualization platforms provide some sort of mechanism of communication between the the hypervisor and its guest virtual machines. “Open VM Tools” is a set of tools that implements such communication mechanisms for VMware™ virtual machines and hypervisors. In this book we analyze each of these these tools and APIs, from high-level usage to low-level communication details, between the guest and the host. This information can be used for a better understating of what actually happens when using a guest machine with these tools. It can also be used as inspiration for using and extending guest-hypervisor communication and penetration testing.

Screen Shot 10-05-17 at 12.44 PM

cover.jpg

Advertisements

DDoS prevention and mitigation

There are many DDoS prevention and mitigation products. Many of these products work at the network level, filtering out malicious packets.

For example, Guard-Host states that it provides:

  • a mitigation solution based on VAC technology

    • Analyse all packets at high speed in real time
    • Vacuum your server’s incoming traffic
    • Mitigate i.e. singling out all the illegitimate IP packets, while allowing legitimate ones to pass through
  •  “To detect the attack, we use the netflow sent by the routers and analysed by the Arbor Peakflow boxes. Each router sends a summary of 1/2000 of the traffic that is actually passing through it. The Arbor Peakflow boxes analyse this and compare it to the attack signatures. If the comparison is positive, mitigation is activated within seconds.
  • The signatures analysed are based on traffic thresholds of
    • “packets per second” (pps, Kpps, Mpps, Gpps) or
    • “bits per second” (bps, Kbps, Mbps, Gbps) on certain packet types”

DDoS attack types

For example, Guard-Host acknowledges the following DDoS attack types:

DDoS Attack Types

DDoS Attack Types

Mitigation phase

In the following diagram, the packets in the red area are flagged as belonging to a DDoS attack and are thus discarded and not sent to the server under attack.

Attack detection

References

 

New e-Book: “VMware™ hypervisor fingerprinting”

Just published a new e-book at Amazon.com: “VMware™ hypervisor fingerprinting”.

You can find it here:

«In this book, we show how to determine hypervisor properties by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor. This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software. Finally, we present a reporting tool that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system.»

VMware hypervisor fingerprinting Tool ( & Paper)

Just published a new tool vmhost_report.rb (and a paper about it) for VMware hypervisor fingerprinting. The tool is released with an open source license (GPL), you can use it freely.

In the paper, I show you how to determine hypervisor properties (such as hypervisor version or virtual CPU Limits) by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor.

This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software.

I have developed a reporting tool vmhost_report.rb that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Currently, Linux and Nested ESXi are supported.

You can run it as “ruby vmhost_report.rb“. It will return a lot of useful information in the vmhost_report.log file.

These reports can be used to learn a lot about VMware internals or a particular guest system or network. You can find report examples in the Paper’s “Annex A”.

Some of the described methods can be used even if the VMware Tools are disabled or not installed, or if some of the methods are disabled by host configuration. Some of the methods require “root” privileges, while others do not need it.

Downloads

Screenshots

 

Anomaly & Intrusion Detection+Prevention – Overview and Survey

Anomaly Detection is an scientific subject focused on detecting “unusual” and “interesting” patterns on system events (a.k.a. “outliers”).

Screen Shot 07-15-16 at 06.47 PM.PNG

Just published a new slide presentation on academia.edu focused on:

  • Anomaly Detection,
  • Anomaly Detection vs Intrusion Detection,
  • Intrusion Detection and Prevention Systems (IDPS),
  • Open Source IDPS systems

You can check it here:

 

Fundamental References

  1. Intrusion prevention system – http://en.wikipedia.org/wiki/Intrusion_prevention_system
  2. Guide to Intrusion Detection and Prevention Systems – http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  3. Network Intrusion Detection Signatures, Part Five – http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-five
  4. Network Intrusion Detection Systems – http://www.cse.scu.edu/~tschwarz/COEN250_07/LN/NIDS.ppt
  5. Intrusion detection system evasion techniques – https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
  6. An Overview of Intrusion Detection Systems Technology and Research – http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/
  7. An intrusion-detection model (DE Denning) – http://web2.utc.edu/~djy471/CPSC4660/DenningModel.pdf
  8. Intrusion Detection using Sequences of System Calls – http://www.cs.unm.edu/~forrest/publications/int_decssc.pdf
  9. Anomaly Detection : A Survey – http://dl.acm.org/citation.cfm?id=1541882
  10. Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks – https://repository.lib.fit.edu/bitstream/handle/11141/106/cs-2002-06.pdf?sequence=1
  11. Learning Rules for Anomaly Detection of Hostile Network Traffic – https://repository.lib.fit.edu/bitstream/handle/11141/123/cs-2003-16.pdf?sequence=1
  12. Open source intrusion detection tools (a quick overview) – https://www.alienvault.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview
  13. Security Onion – http://blog.securityonion.net/p/securityonion.html https://securityonion.net/
  14. Snort – https://www.snort.org/https://www.snort.org/faq/
  15. Snorby – https://www.snorby.org/
  16. Squert – http://www.squertproject.org/
  17. BRO – https://www.bro.org/documentation/index.html
  18. Network Taps – http://en.wikipedia.org/wiki/Network_taphttps://www.blackbox.com/resource/genpdf/Network-Taps.pdf
  19. vSphere 5 Networking : Port Mirroring – http://blogs.vmware.com/vsphere/2011/08/vsphere-5-new-networking-features-port-mirroring.html
  20. OSSEC – http://ossec-docs.readthedocs.io/en/latest/

TOR: introduction

TOR stands for “The Onion Router”.

It is a network designed to protect its users anonymity by routing the user’s TCP/IP traffic through multiple layers of encryption and multiple proxy nodes, obfuscating the user’s real IP address.

The proxy nodes are contributed by network volunteers,  mostly in a distributed and decentralized fashion.

Web servers are normally unable to detect the user’s real IP, as traffic seems to originate from the last proxy node in the user’s TOR proxy chain (a.k.a. TOR circuit).

A TOR circuit is typically composed by:

  • the user’s real IP
  • 3 TOR nodes
    • 1 Entry node
    • 1 intermediate node
    • 1 Exit node

Traffic is encrypted using several “onion layers”, for TCP/IP connections (UDP is not supported), as follows (simplified):

  • A data packet (DP1) is encrypted with the Exit Node’s public key
    • P1 = PKexit(DP1)
  • The encrypted packet is again encrypted with the Intermediate  Node’s public key:
    • P2 = PKiterm( PKexit(DP1) )
  • The encrypted packet is again encrypted with the Entry Node’s public key:
    • P3 = PKentry ( PKiterm( PKexit(DP1) ) )

Each node only knows the preceding and following node. No node gets to “know” the complete circuit.

TOR can be useful in a number of situations, for example:

  • protect whistle blowers identity
  • circumvent network censorship in censored regions
  • NGOs communicating with its volunteers in a foreign country
  • users can publish web sites without needing to reveal the location of the site (using TOR’s hidden services)

Nevertheless, TOR must be used carefully, so that no “real IP” address leaks or other identity leaks occur (more info here (TOR Overview) ). Attention must also be paid to the risk of possible attacks from powerful adversaries, such as governments and agencies.

Usually a “TOR Browser” is used in combination with TOR. The TOR Browser is a modified version of the official Mozilla Firefox web browser. It usually disables dangerous features for anonymity, such as javascript, cookies and direct TCP/IP connections (it always routes all connection through the TOR network).

TOR Browser

To connect to the TOR network, a user usually has to install the “TOR Client” in its device or network. You can download it at here (TOR project official site)

I’ll be exploring “TOR Client” low-level features in future posts.

[UPDATED with the new posts:]

References