New e-Book: “VMware™ hypervisor fingerprinting”

Just published a new e-book at Amazon.com: “VMware™ hypervisor fingerprinting”.

You can find it here:

«In this book, we show how to determine hypervisor properties by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor. This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software. Finally, we present a reporting tool that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system.»

VMware hypervisor fingerprinting Tool (& Paper)

Just published a new tool, vmhost_report.rb (and a paper about it), for VMware hypervisor fingerprinting. The tool is released under an open source license (GPL), so you can use it freely.

In the paper, I show you how to determine hypervisor properties (such as the hypervisor version or virtual CPU limits) by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor.

This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software.

I have developed a reporting tool, vmhost_report.rb, that unifies all the presented methods by running them in sequence and gathering the information in a useful report; it can be run from any guest system. Currently, Linux and nested ESXi guests are supported.

You can run it as “ruby vmhost_report.rb”. It writes a lot of useful information to the vmhost_report.log file.

These reports can be used to learn a lot about VMware internals or a particular guest system or network. You can find report examples in the Paper’s “Annex A”.

Some of the described methods can be used even if the VMware Tools are disabled or not installed, or if some of the methods are disabled by the host configuration. Some of the methods require “root” privileges, while others do not.
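As an added example (not the vmhost_report.rb tool from the post), the following Ruby script shows the kind of unprivileged, guest-side checks the paper is about, run against constructed sample input: the CPUID “hypervisor” flag as reported in /proc/cpuinfo, the SMBIOS vendor strings under /sys/class/dmi/id, and the MAC address prefixes registered to VMware. The file paths and the MAC prefixes are real; the sample strings, function names and verdict labels are my own.

```ruby
require 'json'

# Guest-side hypervisor fingerprint from files any unprivileged Linux user can
# read. Inputs are passed as strings so the logic runs offline on samples.

# MAC prefixes (OUIs) registered to VMware: a NIC with one of these almost
# always belongs to a VMware virtual machine.
VMWARE_OUIS = %w[00:50:56 00:0c:29 00:05:69].freeze

# Parse /proc/cpuinfo text: vCPU count, CPU model, and whether the CPUID
# hypervisor bit (leaf 1, ECX bit 31) is set, which Linux shows as the
# `hypervisor` flag.
def parse_cpuinfo(text)
  processors = text.scan(/^processor\s*:/).size
  model      = text[/^model name\s*:\s*(.+)$/, 1]
  flags      = text[/^flags\s*:\s*(.+)$/, 1].to_s.split
  { vcpus: processors, model: model, hypervisor_flag: flags.include?('hypervisor') }
end

# Classify the SMBIOS strings exposed under /sys/class/dmi/id/.
def parse_dmi(sys_vendor:, product_name:)
  { sys_vendor: sys_vendor&.strip, product_name: product_name&.strip,
    vmware: sys_vendor.to_s.start_with?('VMware') }
end

# Pick MAC addresses out of `ip link` style output and keep those with a VMware OUI.
def vmware_macs(ip_link_text)
  macs = ip_link_text.scan(%r{link/ether\s+([0-9a-f:]{17})}i).flatten.map(&:downcase)
  macs.select { |m| VMWARE_OUIS.include?(m[0, 8]) }
end

# Combine the evidence into one verdict plus the raw facts behind it.
def fingerprint(cpuinfo:, sys_vendor:, product_name:, ip_link:)
  cpu  = parse_cpuinfo(cpuinfo)
  dmi  = parse_dmi(sys_vendor: sys_vendor, product_name: product_name)
  macs = vmware_macs(ip_link)
  evidence = []
  evidence << 'dmi_vendor' if dmi[:vmware]
  evidence << 'mac_oui'    unless macs.empty?
  evidence << 'cpuid_hv'   if cpu[:hypervisor_flag]
  verdict = if dmi[:vmware] || !macs.empty? then 'vmware'
            elsif cpu[:hypervisor_flag]      then 'other_hypervisor'
            else 'bare_metal_or_unknown'
            end
  { verdict: verdict, evidence: evidence, cpu: cpu, dmi: dmi, vmware_macs: macs }
end

# Same checks against a live Linux guest (none of these files need root).
def fingerprint_live
  rd = ->(path) { File.read(path) rescue '' }
  fingerprint(cpuinfo: rd.call('/proc/cpuinfo'),
              sys_vendor: rd.call('/sys/class/dmi/id/sys_vendor'),
              product_name: rd.call('/sys/class/dmi/id/product_name'),
              ip_link: (`ip -o link 2>/dev/null` rescue ''))
end

# Constructed sample input resembling a 2-vCPU VMware guest (not real captures).
SAMPLE_CPUINFO = <<~TXT
  processor\t: 0
  vendor_id\t: GenuineIntel
  model name\t: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
  flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2 ss syscall nx lm hypervisor lahf_lm
  processor\t: 1
  vendor_id\t: GenuineIntel
  model name\t: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
  flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2 ss syscall nx lm hypervisor lahf_lm
TXT
SAMPLE_IP_LINK = "1: lo: <LOOPBACK,UP> ... link/loopback 00:00:00:00:00:00\n" \
                 "2: ens192: <BROADCAST,MULTICAST,UP> ... link/ether 00:0c:29:4a:1b:2c brd ff:ff:ff:ff:ff:ff\n"

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(fingerprint(cpuinfo: SAMPLE_CPUINFO, sys_vendor: "VMware, Inc.\n",
                                        product_name: "VMware Virtual Platform\n",
                                        ip_link: SAMPLE_IP_LINK))
end
```

The three signals are deliberately independent: the DMI strings and the MAC OUI are set by the hypervisor’s virtual hardware, while the CPUID bit is set by any hypervisor, so the last one alone only says “some VM”. The same signals are what VM-aware software keys on when it changes behaviour inside a guest, which is why an asset inventory or sandbox should know what its guests expose.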

Downloads

Screenshots


Anomaly & Intrusion Detection+Prevention – Overview and Survey

Anomaly Detection is a scientific subject focused on detecting “unusual” and “interesting” patterns in system events (a.k.a. “outliers”).


Just published a new slide presentation on academia.edu focused on:

  • Anomaly Detection,
  • Anomaly Detection vs Intrusion Detection,
  • Intrusion Detection and Prevention Systems (IDPS),
  • Open Source IDPS systems

You can check it here:


Fundamental References

  1. Intrusion prevention system – http://en.wikipedia.org/wiki/Intrusion_prevention_system
  2. Guide to Intrusion Detection and Prevention Systems – http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  3. Network Intrusion Detection Signatures, Part Five – http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-five
  4. Network Intrusion Detection Systems – http://www.cse.scu.edu/~tschwarz/COEN250_07/LN/NIDS.ppt
  5. Intrusion detection system evasion techniques – https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
  6. An Overview of Intrusion Detection Systems Technology and Research – http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/
  7. An intrusion-detection model (DE Denning) – http://web2.utc.edu/~djy471/CPSC4660/DenningModel.pdf
  8. Intrusion Detection using Sequences of System Calls – http://www.cs.unm.edu/~forrest/publications/int_decssc.pdf
  9. Anomaly Detection : A Survey – http://dl.acm.org/citation.cfm?id=1541882
  10. Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks – https://repository.lib.fit.edu/bitstream/handle/11141/106/cs-2002-06.pdf?sequence=1
  11. Learning Rules for Anomaly Detection of Hostile Network Traffic – https://repository.lib.fit.edu/bitstream/handle/11141/123/cs-2003-16.pdf?sequence=1
  12. Open source intrusion detection tools (a quick overview) – https://www.alienvault.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview
  13. Security Onion – http://blog.securityonion.net/p/securityonion.html https://securityonion.net/
  14. Snort – https://www.snort.org/ https://www.snort.org/faq/
  15. Snorby – https://www.snorby.org/
  16. Squert – http://www.squertproject.org/
  17. BRO – https://www.bro.org/documentation/index.html
  18. Network Taps – http://en.wikipedia.org/wiki/Network_tap https://www.blackbox.com/resource/genpdf/Network-Taps.pdf
  19. vSphere 5 Networking : Port Mirroring – http://blogs.vmware.com/vsphere/2011/08/vsphere-5-new-networking-features-port-mirroring.html
  20. OSSEC – http://ossec-docs.readthedocs.io/en/latest/

TOR: introduction

TOR stands for “The Onion Router”.

It is a network designed to protect its users’ anonymity by routing the user’s TCP/IP traffic through multiple layers of encryption and multiple proxy nodes, hiding the user’s real IP address.

The proxy nodes are contributed by network volunteers, mostly in a distributed and decentralized fashion.

Web servers are normally unable to detect the user’s real IP, as traffic appears to originate from the last proxy node in the user’s TOR proxy chain (a.k.a. TOR circuit).

A TOR circuit is typically composed of:

  • the user’s real IP
  • 3 TOR nodes
    • 1 Entry node
    • 1 intermediate node
    • 1 Exit node

Traffic is encrypted in several “onion layers”, for TCP/IP connections only (UDP is not supported), as follows (simplified):

  • A data packet (DP1) is encrypted with the Exit Node’s public key:
    • P1 = PKexit(DP1)
  • The encrypted packet is again encrypted with the Intermediate Node’s public key:
    • P2 = PKiterm(PKexit(DP1))
  • The encrypted packet is again encrypted with the Entry Node’s public key:
    • P3 = PKentry(PKiterm(PKexit(DP1)))

Each node only knows the preceding and following node. No node gets to “know” the complete circuit.
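The layering above, carried through in Ruby as an added example that is not part of the original post: the client seals DP1 innermost-first (P1 = PKexit(DP1), P2 = PKiterm(P1), P3 = PKentry(P2)) and each relay peels exactly one layer, learning only the next hop. Each “PK” operation here is hybrid (RSA-OAEP wraps a fresh AES-256-GCM key that encrypts the layer), because raw RSA cannot nest: every RSA ciphertext is as long as the modulus, so it no longer fits inside the next RSA encryption. Real Tor negotiates per-hop symmetric keys during circuit setup rather than encrypting each packet with relay public keys; the relay names, the packet layout and the demo payload are my own constructions.

```ruby
require 'openssl'

module Onion
  PAD = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # PK_node(plaintext): one sealed layer as a binary blob.
  def self.seal(pub, plaintext)
    aes = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    key = aes.random_key
    iv  = aes.random_iv
    aes.auth_data = ''
    ct  = aes.update(plaintext) + aes.final
    wrapped = pub.public_encrypt(key, PAD)
    # layout: [wrapped_len:2][iv_len:1][wrapped key][iv][gcm tag:16][ciphertext]
    [wrapped.bytesize, iv.bytesize].pack('nC') + wrapped + iv + aes.auth_tag + ct
  end

  # Inverse of seal; only the holder of the matching private key succeeds.
  def self.unseal(priv, blob)
    wlen, ivlen = blob.unpack('nC')
    off = 3
    wrapped = blob[off, wlen];  off += wlen
    iv      = blob[off, ivlen]; off += ivlen
    tag     = blob[off, 16];    off += 16
    ct      = blob[off..]
    aes = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    aes.key = priv.private_decrypt(wrapped, PAD)
    aes.iv = iv
    aes.auth_tag = tag
    aes.auth_data = ''
    aes.update(ct) + aes.final   # raises if the layer was tampered with
  end
end

# A relay: a name plus an RSA keypair. In a real network the private half
# never leaves the relay; it is reachable here only so the demo can run in one process.
class Relay
  attr_reader :name, :key
  def initialize(name)
    @name = name
    @key = OpenSSL::PKey::RSA.new(2048)
  end

  # Strip the layer addressed to this relay. A layer's plaintext is
  # "<next hop>\0<inner packet>", so the relay learns only where to forward.
  def peel(packet)
    Onion.unseal(@key, packet).split("\0", 2)
  end
end

# Client side: wrap DP1 for the exit first, then the intermediate, then the entry.
def build_onion(circuit, destination, dp1)
  hops = circuit.map(&:name) + [destination]
  packet = dp1.b
  circuit.reverse.each_with_index do |relay, i|
    next_hop = hops[circuit.size - i]          # this relay's successor
    packet = Onion.seal(relay.key.public_key, (next_hop + "\0").b + packet)
  end
  packet
end

# Forward the onion through the circuit, recording what each relay sees.
def relay_through(circuit, packet)
  trail = []
  circuit.each do |relay|
    next_hop, packet = relay.peel(packet)
    trail << [relay.name, next_hop]
  end
  [trail, packet]  # packet is now DP1, as the exit delivers it
end

# Constructed demo circuit and payload.
CIRCUIT = %w[entry iterm exit].map { |n| Relay.new(n) }
DP1 = "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  p3 = build_onion(CIRCUIT, 'example.org', DP1)
  trail, out = relay_through(CIRCUIT, p3)
  trail.each { |who, nxt| puts "#{who} -> #{nxt}" }
  puts(out == DP1.b ? 'exit delivered DP1 intact' : 'mismatch')
end
```

Running it prints entry -> iterm, iterm -> exit, exit -> example.org: the entry never sees the destination, the exit never sees the user, and the intermediate sees neither. Handing P3 to the exit relay directly fails at the first layer, which is the property the post states as “no node gets to know the complete circuit”. The exit does see DP1 in clear, so end-to-end encryption (HTTPS) inside the onion is still the user’s responsibility.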

TOR can be useful in a number of situations, for example:

  • protecting whistleblowers’ identities
  • circumventing network censorship in censored regions
  • NGOs communicating with their volunteers in a foreign country
  • publishing web sites without revealing the location of the site (using TOR’s hidden services)

Nevertheless, TOR must be used carefully, so that no “real IP” address leaks or other identity leaks occur (more info here (TOR Overview)). Attention must also be paid to the risk of attacks from powerful adversaries, such as governments and agencies.

Usually a “TOR Browser” is used in combination with TOR. The TOR Browser is a modified version of the official Mozilla Firefox web browser. It usually disables features that are dangerous for anonymity, such as JavaScript, cookies and direct TCP/IP connections (it always routes all connections through the TOR network).

TOR Browser

To connect to the TOR network, a user usually has to install the “TOR Client” on their device or network. You can download it here (TOR project official site).

I’ll be exploring “TOR Client” low-level features in future posts.

[UPDATED with the new posts:]

References