After removing the security setting in the dvPortGroup explicitly allowing promiscous mode you can connect a vmkernle port to the dvPortGroup and perform a tcpdump via the commandline

The help for tcpdump-uw is the following:


~ # tcpdump-uw --help
tcpdump-uw version 4.0.0
libpcap version 1.0.0
Usage: tcpdump-uw [-aAdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ] [ -r file ]
                [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ]
                [ -y datalinktype ] [ -z command ] [ -Z user ]
                [ expression ]

Control+C to interrupt the capture

From isfullofcrap Flickr photo stream. Creative Commons License

BlackhatEU : Virtual Forensics
By Christiaan Beek

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.
Information sources for Citrix are:
•    Last login logfile
•    User profile (NTUser.dat;registry;temp files)
•    Citrix Access Gateway logs
•    Radius log

VMWare need different approach and tools for static of live forensics. If you are making a disk image of a VMWare server, you better bring some big disks.

VM’s are used by criminals to perform illegal transactions and then destroying the VM to cover their tracks.

In his slides Christiaan had a list of useful files for VMWare forensics:

Useful software is:
•    FTK Imager
•    Liveview
•    Encase
•    MMLS & DD
•    Mounting and carving tools like Foremost and Photorec

There is also a VMWare snapshot comparison tool made by Zairon

In Windows 7 virtualization is a part of the OS: VHD, XP mode and Virtual PC. On the positive side you can mount a VHD read-only to do investigations. However being able to boot from a VHD gives entire different opportunities for abuse. Also system backups are made in VHD format.

Contrary to VMDK files VHD files can be investigated with FTK.

Even though XP Mode creates a virtual machine, this machine shares all media between the host and the guest OS.

If Windows 7 creates a VHD file for XP mode, it does not format it, but just leaves the old data that was there when it was created.

XP mode also has a undo mode the is not enabled by default. The VUD files that get created are like VMware snapshots. VUD cannot be read by tools like FTK. VUD and VHD headers are very similar. If you rename a VUD file to a VHD file you can investigate it normally.

Then he started to explain how he was able to build up his cloudburst exploit.he focused on the guest os devices, because the device are omnipresent in all VMWare pruducts, they run on the host, can be accessed from the guest, are written in C/C++ and parse some complex data.

Cloudburst is a reliable guest to host escape on recent VMWare products: Workstation, Fusion?, ESX Server (4.0 RC Hardfreeze). All the bugs in his presentation have already been patched patched.

Couldburst is a combination of 3 / 4 bugs in VMWare emulated video.

• Host memory leak into the guest
• Host arbitrary memory write from the guest into the host, both absolute and relative.

Also some functions in VMWare where very helpful to bypass DEP.

The VMWare VGA device is a virtual PCI device. And it does support 3D on VMWare on windows. There are bugs in 2D video that allow arbitrary read from the host process, but not bugs that allow an arbitrary memory write in the right area’s of memory in functions that are enabled by default. 3D however offers better possibilities in that it actually ahs a default enabled arbitrary memory write function. It was also in ESX 4.0 RC Hardfreeze, but got fixed before ESX4 reached production.

In order to fully exploit the bug, Kostya had to use the MOSDEF shell code and communicate via de video buffer. This means that the compromised guest OS communicates with the shell code in the compromised host using BMP images.

Kostya’s conclusions are: VMWare is not a security layer, it is just another layer to find bugs in. Given the right bug primitives, you can exploit anything.

He is also wondering why is the 3D video function code is even included in ESX?

He finished by successfully demonstrating the attack to us

VMware vCenter Lab Manager is the ideal solution for IT organizations who want to provide self-service provisioning and management capabilities to internal teams. Policy-based access control reduces administrative burden for IT, lowers infrastructure management costs and empowers project teams to deliver applications more quickly and with greater agility.

Deliver Higher Service Levels and Lower Infrastructure Costs

Lab Manager offers unique capabilities to simplify management of the internal cloud for dev/test:

• Self Service Portal – Provides on-demand access to a library of virtual machine configurations for end users while eliminating time-consuming provisioning tasks for IT by 95%.
• Automated Resource Management – Allows dynamic allocation of resources in a multi-team environment, enforces quotas and access rights, and reclaims unused infrastructure services.

Enterprise Scalability – Provides long-term return on investment with a scalable architecture for worldwide deployment, best in class performance and seamless integrations with in-house and 3rd party solutions.

A stretched cluster is the practice of having ESX member servers in a cluster that are geographically separated.   The reason this is generally done is to provide the ability to dynamically move workloads from one datacenter to another.   Often, the customer is also considering it for disaster recovery purposes (“I’ll just VMotion in case of a disaster”).  Can this be done – ABSOLUTELY – but not considered lightly.

More here: http://virtualgeek.typepad.com/virtual_geek/2008/06/the-case-for-an.html

When we look at the competition in the IT industry there’s nothing that beats the marketing guerrilla we are experiencing in the virtualization space.

This is perfectly understandable considering that the vendor in control of the hypervisor is able to influence and in many ways able to control all the other companies that provide other pieces of the computing stack.
For the first time ever the absolute domain of the OS vendor is threatened by the hypervisor vendor so that the former tries to turn virtualization into a platform feature while the latter tries to impose the technology as absolutely independent.

It’s also true that compared to ten years ago the vendors have new tools to spread fear, uncertainty and doubts (FUD) against their competitors: paid bloggers, Twitter, Facebook, YouTube and so much more are available to influence the prospects and build armies of fanboys that are ready to overreact and defend their beloved products no matter what.

Nowadays is becoming increasingly common that marketing departments cross the line.
It’s much more uncommon to see a company that publicly apologies for a bad marketing action.

It’s the case of VMware which apologized for distributing a video of Microsoft Hyper-V crashing when its virtual machines were running a certain version of the proprietary VMmark benchmark platform.

The video, which was available here, was realized by the VMware Performance Team and uploaded on YouTube by Scott Drummonds, Technical Marketing Manager at the company.
Despite Drummonds is in the VMware Performance Team, where every aspect of the virtual infrastructure is taken deadly seriously, he didn’t publish any technical information about the test environment.

The lack of details unleashed a number of negative comments obliging Bruce Herndon, Senior Manager of R&D at VMware, to unveil that VMmark was executed inside Hyper-V virtual machines with unsupported configurations.

At the end of the saga Drummonds had to apology and Herndon had to admit that:

One of the more interesting emails I received pointed out that it unreasonable to blame Hyper-V for the collapse of these very large and very busy websites. Hyper-V’s stability issues would bring down individual VMs or small groups when the parent partition blue screened. I think that this is a reasonable observation, so its worth including here. I can’t say that Hyper-V was responsible for the MSDN and TechNet crashes. That would be for Microsoft to say, when and if they choose to expose the issue behind the outage.

Of course Microsoft couldn’t be happier to overreact: part 1, part 2, part 3, part 4 and part 5.

The few vendors busy in the virtual lab automation space (which include VMware, Surgient, VMLogix, Skytap and the almost died StackSafe) may soon have a big, big problem called Microsoft.

After wasting years not leveraging its huge developers community to spread virtualization in every corner of the world, the company is finally moving on.

Announced in November 2008, the integration between Visual Studio 2010, System Center Virtual Machine Manager (SCVMM) 2008 and Hyper-V 1.0/2.0 for virtual lab automation scenarios is now a reality called Visual Studio 2010 Lab Management.

The product just entered the beta 1 phase and has the potential to become a huge hit in the .NET world.

more

Time synchronisation on Active Directory is particularly important because of Kerberos, if clocks are more then 5 minutes (Default value) out of sync from the Domain Controller authentication fails. NTP is your friend here.

• Timekeeping in VMWare virtual machines
• TAC 9710 -Virtualizing a Windows Active Directory Domain Infrastructure (From 2006 but still usefull especially the Active Directory related inf0)