Archive
Network sniffing in VMware ESXi
VMWare ESXi is perfect for a self contained lab, but as I’m used to having full access to a ‘real’ network there are a few things I miss not having control over for testing and other things. The biggest of these is a spanf port (or mirror port depending on your hardware). If you’re not familiar, the basic premise is to configure one (or more ports) to reproduce any traffic flowing through any port(s). This provides packet level access for debugging network problems, passing to an I[D/P]S, etc.
ESXi doesn’t provide this functionality, but does allow you to set a vSwitch to be ‘promiscuous’. Unfortunately this isn’t as controllable as a span/mirror port as (from the quick tests I’ve run) essentially turns the vSwitch into a vHub. Not a problem in my lab environment but you probably want to give it some serious thought before enabling in a production environment; do you really want every server on the network to be able to see all traffic on the (virtual) wire?
To make the change in ESXi you need host -> Configuration -> Networking and set the properties as shown below:
vSwitch properties
Once this change is made, any guests connected to the vSwitch can all see any of the network traffic on that switch.
For testing you can build a quick lab scenario with 3 live boot BackTrack systems. Each machine has a different role; server, client and ‘sniffer’. The sniffing machine is now able to view direct communication between the other two systems. Using wireshark’s Follow TCP stream functionality shows the conversation:
sniffed TCP stream
–Andrew Waite
Vyatta: First Impressions
I’ve known about Vyatta for a while, but whilst the premise has always seemed appealing I’ve not had a reason to dig deeper. Vyatta propose to be ‘The open source alternative to Cisco’, which appeals as a nice fit into a low-cost training and development lab so tonight I decided to take a closer look.
I started by downloading Vyatta’s prebuilt VMware image, which can be downloaded here along with a Xen image and an ISO file for physical install. The VMware image is designed for workstation applications, but a quick run through my new friend in VMware Converter I quickly had the image transfered across to my ESXi based environment and booting without issue.
Vyatta provide a wealth of information in the documentation section (which requires registration, although it did not require the usual ‘activation’ email so dummy values may be enough). I haven’t had a chance to delve fully into the documentation and functionality but starting out has so far been simple enough: Logging onto the Vyatta device at the command-line requires the default user credentials of vyatta/vyatta. Once logged in you can start the configuration by entering ‘configure’
Once in configuration mode setting up interfaces is simple enough:
vyatta@vyatta# set interfaces ethernet eth0 description “WAN”
vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.254/24
vyatta@vyatta# save
vyatta@vyatta# commit
vyatta@vyatta# exit
Configuring different parts of the system are similarly simple, and with a bit of experience theVyatta systems seems intuitive enough and from basic testing performance is more that adequate, at least for my requirements. The time I’ve spent getting to grips with a new system has paid of so far, and for the time being I have a nice new addition to my lab environment. I’m hoping this system can provide some seperation between between between target/test systems and provide additional realism t my lab.
Machine migration with vmware converter
For anyone that has had to migrate machines to a virtual environment VMware’s Converter will likely be nothing new. It allows a straight forward way to migrate an existing server (both physical and most common virtual environments) to VMware’s Infrastracture, Server or Workstation product suites.
Whilst this is hugely useful in a real-world environment for p2v or v2v migration strategies it doesn’t have too much use in a lab environment as you would typically build your environment and servers once and then test away. But I’ve recently found another use, with a few simple clicks I can now easily transfer a virtual server/servers from my ESXi lab environment to my laptop to continue working away from the office, and without the need for maintaining parallel victim machines within each of my virtual environments.
The transfer process does take some time, image below shows the start of the transfer of a 20GB machine from my laptop to ESXi server of local 100Mbps network. However don’t be too put off initially, original estimated run time is nearly four hours, when in actuality it completed in a little over one. Good for fire and forget transfers whilst you make dinner.
VMware converter
Some people I’ve discussed the tool with have anecdotal stories of having issues and failures with VMware Converter, I haven’t encountered any problems with my usage but your mileage may vary depending on scenario. At the very least is should be simpler than my previous method utilising DD.
Review: Professional Penetration Testing (for EH-net)
I was recently asked by Don over at EH-Net if I would be interested in reviewing a new book by Thomas Wilhelm of Heorot.net: ‘Professional Penetration Testing: Creating and operating a formal hacking lab’. Naturally I jumped at the opportunity.
I don’t want to discuss the book in too much detail here, as you can read the full review at Ethical Hacker here, but the book is a great addition to my home library. Don also worked his magic to convince the publisher to release a chapter from the book free of charge, chapter four covers the initial setup and configuration of hack lab environment, and can be downloaded from the review.
Hope the review is of use to someone out there, thanks to Thomas for writing the book in the first place and to Don for hooking me up with the review.
Screen Capture and Editing
As part of an upcoming project I’ve been playing with some screen capture and editing software. As I’ve never been one for for the graphical/fluffy side of IT it’s a new area for me, and I was shocked with how simple it can be.
For screen capture I used the free CamStudio application, at first try it seems small, lightweight and most importantly simple and intuitive to use.
Finding decent editing software for free was difficult, @usedtire suggested Cinelerra for Linux. From the site it looks to be an impressive application, but I’ll admit I found no easy way to get this running under Debian/Ubuntu and ended up in dependency hell, so I installed Windows Movie Maker thanks to the links/instructions I found here.
Whilst experimenting with my new found tools I’ve created the somewhat obligitory Metasploit tutorials:
VMware, Win7 & VirtualXP
<update-20091129>
Very grateful to Timmedin for pointing me in the direction of his recent work with the same issue. In usual form, Tim has even packaged up a powershell script to automate the workaround. Check his fix here, much cleaner and slicker than my own. If your still curious, read on for the backstory.
</update>
Since rebuilding part of my toolkit I’ve had issues connecting to my ESXi host server. I had originally thought this was a result of an upgrade from ESXi 3.5 to ESXi 4.0, and the resultant change from VMWare infrastructure client to the new vSphere client. After several hours and days fighting down a blind alley I found a forum post that highlighted Windows 7 as the culprit.
Further reading indicated that this is a widespread issue with no real solution. Best workaround appears to be to run the client within a sandbox via Microsoft’s Virtual XP environment for Windows 7.
After a couple of false starts the install process was fairly straightforward, found here. Simply select hardware architecture (32/64-bit), install a patch, then finally the Virtual XP image. Everything beyond this works as expected, a virtual XP machine. Once in the virtual environment install the vSphere client as normal to regain access your VMWare environment.
vSphere via virtualXP
Knowing my preferences, observant readers may be wondering why not achieve the same results using a VMWare guest with the vSphere client installed. VMWare Server is already installed on my machine, and was one of my initial thoughts. However, Virtual XP and VMWare utilise virtualisation for different results. The Virtual XP client has several intergration features (can be disabled if prefered) that allow simple, native access of resources on the host machine (files, directories, peripherals etc) from within the guest. This makes working with either, and between, host and guess seamless. Obviously such intergration would be unsuitable for a lab environment as you want/need isolation, seperation and protection from the guest machines so VMWare still has it’s place. As usual, using the right tool for the right job is essential.
At this point I’m back in my lab, and the R&D rolls on, but the experience has led me to look more indepth and Virtual PC. I have started building a BackTrack4 guest with Virtual PC to run within my standard machine for everyday use. Having access to a Linux environment as simply as a double-click as per normal applications will hopefully be a nice addition to my usual working practice.
<UPDATE> BT4 works fine, but the X GUI fails to start. Guess I’ll need to polish up on my commandline kung fu </UPDATE>
May SuperMondays Presentation: The Aftermath
I had a really enjoyable night at last night’s SuperMondays event.
Some of the innovative uses for technology on display from Newcastle University provided a great glimpse of where we could be heading in the future towards ubiquitous computing. Of special interest were the research being undertaken with surface computing, which seems to have taken centre stage of new technologies recently, although unfortunately the expected MS Surface device wasn’t available at the last minute.
I also liked the work being done by the Ambient Kitchen project. While the technology is still in it’s early stages it is easy to see how this technology could be a part of every day life. With the focus the group has on providing assistance and support to people with cognitive difficulties the fruits of the project could go a long way to genuinely improving people’s lives. It makes a nice change to see new technology being developed for a real, useful purpose rather than the usual, ‘we can, it’s cool, why not’ approach to some tech development.
Linked with these new technologies Patrick Oliver and Jayne Wallace demo’d and talked about some of their work with developing cultural and meaningful technologies. One example was a twinned pair of necklaces which allowed the wearers to communicate some acts of distance, for example holding one pendant would cause the other to vibrate. As wireless communications become more pervasive I can envision similar technologies becoming more subtle and common place. Despite my initial perception of the topic as being ‘arty’ and not really that useful, I enjoyed the presentation and can see some valid and quite exciting uses for this technology in the future.
The event finished with a change of pace, with me presenting about my experience with using honeypot systems and hopefully convincing others that the system are valid additions to any network, and are good fun in the process. From my perspective I feel that the presentation went well, although I blew through the material a bit rapidly. I was genuinely relieved and thrilled with the amount of questions and discussion that was generated at the end of my presentation.
Unfortunately I believe that there isn’t a recording of this presentation, as is customary with SuperMondays talks, as the video camera decided to flatten it’s battery just before I started. As a compromise I’ve posted my slide-deck from the presentation. Hopefully people may find this useful, I’m always open to questions or discussions so please let me know your thoughts.
Bottom line from all this? SuperMondays is a blast, if you’re in the area and haven’t been along yet, why not? I’m definitely going to make more of an effort to ensure I’m available for future events, see you all there next time.
– Andrew Waite
Random Malware Analysis
Having recently been left with several hours to kill with nothing but a laptop and my virtual lab I thought I’d try my hand at some rudimentary malware analysis. For a random live sample I selected the most recent submission to my Nepenthes Server.
$ tail -n1 /opt/nepenthes/var/log/logged_submissions
[2009-05-21T19:10:59] 90.130.169.175 -> 195.97.252.143 creceive://90.130.169.175:2526 93715cfc2fbb07c0482c51e02809b937
To start with I wanted to get an idea of what I was dealing with, so I passed the file’s hash to VirusTotal’s Hash Search utility; and promptly found that VirusTotal had no knowledge of this particular hash. Means we could be dealing with a completely new malware strain or variant! or more likely a polymorphic binary creating a unique file signature…
The question was promptly answered when transferring the binary to my analysis machine by AVG, ‘Threat detected: worm/Allaple.b’. Not wanting to take the word of a single AV vendor I proceeded to upload the binary itself to VirusTotal (have I mentioned I like VirusTotal yet?). Sure enough most AV engines agree with AVG’s analysis although there was some dissention over which version of Allaple the sample was. Most AV engines (37/40) flagged file as malicious (Comodo, nProtect and PrevX gave the binary a clean bill of health.)
Beginning with some static analysis, the ‘strings’ utility is always a safe place to start. As I’m using a Windows platform for this analysis I use the SysInternals strings binary. This revealed little, other than confirming the binary is a windows executable (usual ‘!This program cannot be run in DOS mode.’ string) and a reference to Kernal32.dll and some function names (FindFirstVolumeW, GetShortPathNameA, GetConsoleAliasesLengthW, AddConsoleAliasA, GetModuleHandleW, CreateProcessA, GetUserDefaultUILanguage, LocalReAlloc, SetHandleInformation, SetConsoleCursorInfo).
As there was limited information available from a plaintext strings search my next step was to see if the binary had been packed. For this I used PEiD utility, PEiD initially stated that there was ‘Nothing Detected’ although the entropy found within the file (7.93) caused PEiD to suggest that the binary had indeed been packed.
With some basic static analysis undertaken (this could/should have been taken further but my RE/assembly-fu is a bit rusty, especially at 3am) I changed tact and went with some initial behavioural analysis. For an initial run I utilised iDefense’s SysAnalzer tool written by David Zimmer. SysAnalyzer is a great utility for automating behavioural analysis and capturing system changes, from it’s download page:
SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states.
SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.
The tool snapshots (not to be confused with VM snapshots) the state of the system, runs a given binary, then snapshots the system after execution before comparing the two snapshots. This can provide some detailed, succinct information to an analyst, but may miss any dynamic and temporary system changes. One weakness (or strength, depending on your perspective) that SysAnalyzer has is that it does not sandbox the malicious binary from the analysis system. Meaning that if the binary is destructive it *will* hose the system it is being analysed on, obviously if you’re utilising virtualisation and snapshop functionality this shouldn’t be an issue.
On starting the analysis, the malicious executable promptly errored (usual Windows’ ‘executable has failed, please send all information to Microsoft’ type pop-up) and SysAnalysis stated that the system was unchanged by the binary. Well that was disappointing, possible some form of VM detection causing the malware to shut down?
Not to be denied, I re-ran the process: Again the executable crashed with Microsoft’s pop-up, but this time SysAnalysis saw some system changes, from API and registry calls to the creation of new processes. However on further analysis the new processes and files were all only related to the DWWIN.exe executable which, as explained here, is part of Windows itself and is the cause of the pop-ups discussed above.
One aspect that may be causing the binary to lock up is that it is isolated from the network. From experience some malware will perform an initial lookup to an external resource, if the code can’t access said resource the malware assumes it is on a closed system and shuts down. To test this theory I re-ran the executable (this time manually, without the SysAnalysis utility) with Wireshark sniffing all network interfaces. As expected the binary crashed with the same error pop-up, reviewing the wireshark capture no traffic was generated outbound to any resource from the infected host.
Another possible reason for malware to refuse to run is newer VM detection techniques. However no evidence of this is present in the API calls captured by SysAnalysis, nor can I find any reference to VM detection capabilities present within the Allaple family from a search of the web. Ideally to test this theory the malware would be executed on a natively installed OS to bypass any potential VM detection. Unfortunately at this stage I do not have resources available to sacrifice a physical machine in this manner, so analysis must stop here.
One final possibility is simply that the binary is defective, just because the malware is spreading does not necessarily mean that the payload delivered upon exploitation is fully functional. It is not uncommon to have one malware strain being propogated by an entirely different strain. This is rapidly becoming more prevelant as ‘cybercrime’ (I hate that phrase) matures with the recent emergence of crimeware-as-a-service.
What-ever the reason for the binary failing to have any perceivable impact on the system, the behaviour that has been observed during this sample’s execution does not match that which is expected from other analysis of the Allaple.b malware strain. Sophos’ analysis for example, states that upon infection Allabple.b will:
- When first run W32/Allaple-B copies itself to [system]\urdvxc.exe.
- The W32/Allaple-B is registered as a COM object.
- W32/Allaple-B installs itself as a service with the name “MSWindows”.
No evidence of this behaviour has been seen during analysis, nor are any of the changes present on the system post infection. This is a good example of why there isn’t always a need to panic when AV picks up a malicious item. Until the infection has been analysed in more depth there is no way of knowing how scary the compromise and infection is.
VMware ESXi updates
A couple of SANs ISC diaries (“Recent VMware updates available” and “VMware exploits – just how bad is it?“) should be a concern for anyone running a VMware lab (or VMware production environment). The ISC diaries explain the situation better than I could, but to cut a long story short the exploits allow a malicious user/payload to escape the guest system and gain direct access to the host.
Looks like I know what I’ll be doing after work tonight. I’ll try to document the update process as I go, watch this space…
Sec610 Reverse Engineering Malware Demo
I spent a very interesting hour with Lenny Zeltser (and others) around a week ago with a live demo of part of Lenny’s Sec610 course. For those interested in taking the course, or malware in general, then I’d suggest that if the demo is a representative sample of the course then you’re likely to really enjoy it. If you’re interested the webcast session was recorded; I’m not going to provide the link here as I do not know if it is intended for public consumption, but I’m sure if you contact SANS they’ll be able to hook you up.
I don’t want to give to much away but the demo session focused on reversing an unfamiliar binary that was a dummy MSN application for password harvesting. A lot of the overall tools and theory would have been fairly straightforward for anyone with knowledge in this area, basic RE tools (VMWare, OllyDbg & Wireshark etc.) were covered as related. The demo also focused on some more specialised and less well known (at least to me) tools. Mostly these were system monitoring utils and snapshot status gathering tools to get a better feel for what the malware was up to.
The main utilities that caught my attention were fakeDNS and MailPot, these tools are designed to fake standard systems to allow the malware to communicate with external sources in a safe environment. These come part of the Malcode Analysis Pack that is distributed by iDefense. Until this point I have been using fully blown (virtual) servers to run sandboxed DNS, SMTP, etc. services for malware anaylsis, I’m hoping these utilities should reduce the implementation time required for specific analysis, leaving more time and resources available to focus on the malware itself.
