Penetration Testing in a Virtualized Environment - Hacker Halted
Penetration Testing in a Virtualized Environment
Tim Pierson
President, Data-Sentry.com

Who is this Guy?
Tim Pierson AS, BS, MS
Professional PenTester, Instructor and Consultant for over 26 years.
EC-Council Instructor of the Year recipient 2009, from a large pool of nominees.
• Very intrigued with the virtual environment.
Contributing author to the book VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment (ISBN-10: 0137158009, Pearson Publishing)

My work Environment

Shameless Plug
Creator of: Hacking Uncovered: VMware
• Available throughout the training industry and online.
• Seems to be most popular in Europe.
• Get more info at: www.data-sentry.com

What Could Possibly Go Wrong?
• When a glaring vulnerability is provided or shown!
• I will stand –
• And now, since we are in Miami…
Why do we do a pen test in the first place?
• Provide a more secure environment?
• Make sure that our workers are protected?
• Make sure our customers are protected?
• I will ask my good friend Joe McCray to comment…
FORCED TO DO SO…
• Compliance!!!

How Vulnerable is ESX?
Now into its 4th generation, finding its roots in *NIX (UNIX) architecture.
It is still just another layer to attack!
VMsafe? Really? Just as the name implies?
Common management errors.
ARP/DNS cache poisoning
Web interface

The elephant in the room
Will we be escaping the VM?

Escaping the VM
Yes, it can be done
Yes, it is due to an exploit
Yes, it can be patched
Yes, it will happen again
No, it is not something you can easily audit
We're going to attack virtualization infrastructure

New World, Same Problems
Social Engineering
• Widely utilized in today's hacks.
Exploits
• www.progenic.com
Chained Exploits
• Today's hacks employ a combination of many hacks to accomplish the goal.
Chained Exploit Example
130 Million Credit Cards Stolen – Gonzalez Indictment
• SQL injection attacks
• SQL injection strings
• Malware
• Root kits
• Visiting the stores
• Disabling the logs
• Using proxies
Little known fact: it occurred on a virtual switch!!

Exploiting Potential Vulnerabilities…
Default Weaknesses
Insecurities left in by default.
Manufacturers often default to whatever will cause them the least amount of tech support calls, not necessarily what is most secure!

Are you ready for a Pen Test?
I can't tell you how many times I was asked to delay a pen test because the client was not READY???
What is your current posture?
How have you empowered your people to do the correct things?
What is that?
When was the last time a hacker asked if you were ready before he attacked you?
How secure are you?

Breaking virtualization means…
- Virtual physical access
…hacking the underlying layer
…accessing systems locally
…bypassing access and network controls
…hitting multiple targets at once
96% of the Fortune 1000 *
Small number of different solutions deployed
* http://www.vmware.com/company/customers/
VMware ESX and vSphere
VMware has boiled down its network security in both the VI3 and vSphere* product lines to three check boxes.
None of the defaults will foil what I am about to show you.
Note: vSphere has added VMsafe and vShield Zones (and v2), which significantly tighten security if implemented correctly, as well as private VLANs and roles and permissions around networking, with its 4.x version.

Typical OSSTMM Methodology
Information Gathering
Scanning
Enumeration
Penetration
  Fail: start over, or tell them great job
  Succeed: escalate privileges; steal data or leave proof of hack; cover tracks; leave backdoors

Scanning for ESX
We have to find the systems first.
Just like any other service, ESX has its own
NMAP will give you what you need, mostly.

How about getting a hand for the search? Using Shodan
Shodan

• VIC Client Login
Stealing the Password

DECISION TIME!
Human Habits
Sometimes referred to as social engineering.
Sometimes the MFG has TAUGHT us to do it this way!!!
Because of simple human nature…
Once a procedure is taught in a specific way, it is very difficult to un-teach someone.

Can This be fixed??
If you have trained your people to click the ignore button for some period of time, my argument is NO, it can never be fixed now.
• Let me explain.

Password Revealed…

Demo

Remote Data Storage
iSCSI protocol: how it is virtually impossible to secure if you have access to the network it uses, given the tools shipped from VMware.
(Diagram: HACKER on the iSCSI network)

Tools, Tools, Tools
A plumber has a spanner wrench
A mechanic has water pump pliers
A carpenter has a shingle hammer
Where are the virtualization pen tester's specific tools?

But What about Specific Tools?
The virtualization pen tester needs his specialized tools too!
He is dealing with a specialized environment.
Why shouldn't he have his own special tools?

Pooling Our Skillset
Tim Pierson
Claudio Criscione

VASTO
The Virtualization ASsessment TOolkit
It is an "exploit pack" for Metasploit focusing on virtualization and cloud security.
Announcing Beta 0.3, available from the download link at the end of the presentation, after validation.
Credits to Claudio Criscione for the majority of the work, Tim Pierson for the Host Attack and VIC attack modules, and Luca Carettoni, Paolo Canaletti and drk1wi for helping with the Metasploit modules!

VASTO - Areas to focus our Attacks
Client
Internal
Hypervisor
Management
Support

Tools Of The Trade
Recon
Local – are you in a VM?
• Easy – check MAC address, processes
• Not so easy – hardware access
Remote – where's virtualization?
• Helpful to discover "hidden" virtualization installations
• Fingerprinting network services
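The "easy" local check above, as an added example that is not part of the talk or of VASTO: classify each interface by VMware's registered MAC OUIs and look for the guest agent in a process list. This is the same data an asset owner uses to inventory "hidden" virtualization. The `ip link` and process-list samples are constructed; the OUI list is VMware's published set, and a non-VMware prefix is reported as "unknown", never as "physical".

```python
"""Local recon check: is this box a VMware guest? (added example, not from the talk or VASTO)"""
import re

# Registered VMware OUIs (first three octets of the MAC address).
VMWARE_OUIS = {
    "00:05:69",  # older ESX/GSX generated addresses
    "00:0C:29",  # auto-generated by ESX / Workstation
    "00:1C:14",  # VMware
    "00:50:56",  # vCenter-assigned or manually set addresses
}

# Guest-side VMware agent process names.
VMWARE_PROCESSES = {"vmtoolsd", "vmware-guestd"}

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabbccddeeff.
_MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")
_IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
_ETHER_RE = re.compile(r"link/ether\s+([0-9A-Fa-f:]{17})")


def normalize_mac(mac: str) -> str:
    """Canonical upper-case, colon-separated form, or ValueError."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octet.upper() for octet in m.groups())


def classify_mac(mac: str) -> str:
    """'vmware' if the OUI is registered to VMware, otherwise 'unknown'."""
    return "vmware" if normalize_mac(mac)[:8] in VMWARE_OUIS else "unknown"


def classify_ip_link(output: str) -> dict:
    """Parse `ip link` output; loopback and address-less interfaces are skipped."""
    result, current = {}, None
    for line in output.splitlines():
        head = _IFACE_RE.match(line)
        if head:
            current = head.group(1)
            continue
        ether = _ETHER_RE.search(line)
        if ether and current:
            result[current] = classify_mac(ether.group(1))
    return result


def vmware_processes(ps_output: str) -> list:
    """VMware agent processes present in `ps -eo comm` style output."""
    names = {line.strip().split("/")[-1] for line in ps_output.splitlines()}
    return sorted(names & VMWARE_PROCESSES)


# Constructed sample output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 00:50:56:9a:1b:2c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 3c:5a:37:aa:bb:cc brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_PS = "systemd\nsshd\nvmtoolsd\nbash\n"

if __name__ == "__main__":
    print(classify_ip_link(SAMPLE_IP_LINK))   # {'ens192': 'vmware', 'eth1': 'unknown'}
    print(vmware_processes(SAMPLE_PS))        # ['vmtoolsd']
```

A MAC match is only a hint: an operator can set any address on a vNIC, so the process check and the "not so easy" hardware checks are what confirm it.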
vmware_version
Handy SOAP API to call
Works on most VMware products
Module leverages standard Metasploit scanner features (e.g. IP range scanning)
(SOAP request excerpt; the XML markup was lost in extraction)
[…]
ServiceInstance

In the beginning was the command line
We used to have binary clients
Then everyone moved to web applications
Now, back to binary clients, like XenCenter or the VMware VI client
Can we exploit these clients? Let's see…

VI Client Auto Update feature

clients.xml – WCPGW?
(clients.xml excerpt; the element names were lost in extraction, only the values remain)
902
3
3.0.0
3.1.0
https://*/client/VMware-viclient.exe

vmware_vilurker
The VIlurker module can perform user-assisted code execution provided you can do MITM on a client.
Almost no one is using trusted certificates.
No code signing on updates, but the user gets a certificate warning.

ShmooCon 2010
VULNERABILITY (WCPGW?)
Web server running as root!!!!

vmware_guest_stealer
CVE-2009-3733
This path traversal was discovered by Flick and Morehouse and presented last year.
The exploit was released as a Perl script and has been ported to VASTO.
It can be used to retrieve any file as the root user, including non-running guests. Works on outdated ESX, ESXi, Server.

Attacking Support Components
I love the irony of it!
Must have the Host Update feature running
Responsible for deploying security patches on remote ESX, ESXi servers.
It runs an outdated version of Jetty and it is vulnerable to path traversal (again).
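Both of the last two slides are path traversal in a file-serving component. As an added example (not VMware's, Jetty's or VASTO's code), here is the check such a handler needs so that "../" and its percent-encoded and backslash forms cannot reach files outside the directory being served. The served directory name is constructed.

```python
"""Safe mapping of a requested path onto a served directory (added example)."""
import os
import posixpath
from urllib.parse import unquote


class TraversalRejected(ValueError):
    """The request would escape the served directory."""


def resolve_under(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `base_dir`, or raise.

    1. Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e are seen.
    2. Treat backslashes as separators; reject NUL bytes and absolute paths.
    3. Normalise and reject any surviving ".." component.
    4. Resolve symlinks and confirm the result still lies under base_dir.
    """
    base = os.path.realpath(base_dir)
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        raise TraversalRejected(f"NUL byte in request: {requested!r}")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise TraversalRejected(f"absolute path rejected: {requested!r}")
    norm = posixpath.normpath(decoded)
    parts = norm.split("/")
    if norm in (".", "") or ".." in parts:
        raise TraversalRejected(f"parent traversal rejected: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(f"escapes served directory: {requested!r}")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_under for policy checks."""
    try:
        resolve_under(base_dir, requested)
        return True
    except TraversalRejected:
        return False


SERVED_DIR = "/srv/datastore1"   # constructed example base directory

if __name__ == "__main__":
    for req in ("vm1/vm1.vmx", "../../etc/passwd", "%2e%2e/%2e%2e/etc/shadow"):
        print(f"{req!r}: {'allowed' if is_allowed(SERVED_DIR, req) else 'rejected'}")
```

The final `commonpath` test is what matters when the served tree contains symlinks: a request that passes the string checks but resolves to a link pointing outside the tree is still refused. Running the handler as an unprivileged user (rather than root, as the slide before complains) bounds what a bypass could read.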
Introducing vpxd-profiler-*
It is a "debug" file written by vCenter.
Lots of information inside. Let's go for low-hanging fruit for now. More to come!
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
So where do I write the SOAP ID?
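The profiler entry above is a session token written into a debug file. As an added example (not VMware's or VASTO's code), here is a parser for that slash-separated "path value" shape plus a redactor that replaces every `Id='…'` with a keyed hash before the file is shipped to a log collector, so entries remain correlatable without carrying a usable session. The first sample line is the slide's own entry (with straight quotes); the others and the redaction key are constructed.

```python
"""Parse and redact vCenter vpxd-profiler session entries (added example)."""
import hashlib
import hmac
import re

_ENTRY_RE = re.compile(r"^(/\S.*?)\s+(\S+)\s*$")            # "<path> <value>"
_SEGMENT_RE = re.compile(r"/([^/='\s]+)(?:='([^']*)')?")    # "/Name" or "/Name='value'"


def parse_profiler_entry(line: str) -> dict:
    """Split an entry into its metric path, quoted attributes and value."""
    m = _ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a profiler entry: {line!r}")
    path, value = m.groups()
    metric, attrs, obj = [], {}, None
    for seg in _SEGMENT_RE.finditer(path):
        name, val = seg.group(1), seg.group(2)
        if val is None:                 # plain segment: part of the metric path
            metric.append(name)
            obj = name
        else:                           # quoted attribute; "Id" is keyed by its object
            attrs[f"{obj}/{name}" if name == "Id" and obj else name] = val
    return {"metric": "/".join(metric), "attrs": attrs, "value": value}


def redact_session_ids(line: str, key: bytes) -> str:
    """Replace every Id='…' with a truncated HMAC so the token cannot be replayed."""
    def repl(m):
        tag = hmac.new(key, m.group(1).encode(), hashlib.sha256).hexdigest()[:12]
        return f"Id='hmac:{tag}'"
    return re.sub(r"Id='([^']*)'", repl, line)


def session_exposure(lines) -> dict:
    """Map each username to the SOAP session ids the profiler wrote beside it."""
    exposure = {}
    for line in lines:
        try:
            entry = parse_profiler_entry(line)
        except ValueError:
            continue
        a = entry["attrs"]
        if "Username" in a and "SoapSession/Id" in a:
            exposure.setdefault(a["Username"], set()).add(a["SoapSession/Id"])
    return exposure


SAMPLE_LINES = [
    # The entry shown on the slide, followed by constructed entries.
    r"/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1",
    r"/SessionStats/SessionPool/Session/Id='11111111-2222-3333-4444-555555555555'/Username='LAB\operator'/SoapSession/Id='66666666-7777-8888-9999-000000000000'/Count/total 3",
    "/VpxdStats/HostSync/total 12",
]
REDACTION_KEY = b"constructed-per-site-secret"   # assumption: held by the collector, not the vCenter host

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact_session_ids(line, REDACTION_KEY))
    print(session_exposure(SAMPLE_LINES))
```

`session_exposure` is the audit view: which accounts had a live session id written to disk, and so which sessions to invalidate if the profiler files have been read by anyone other than vCenter.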
vmware_session_rider
Using the session is complex: the VI client has tight timeouts.
Does not write log information immediately:
• approx. every 5 minutes
The module acts as a proxy to access vCenter using the stolen session.
Will fake the login to the client.
• The proxy is what we actually log in to in order to grab the session.
• Can be easily tweaked to act as a password grabber (unlike VIlurker).
The last exploits combined: vmware_autopwn

Fresh from Black Hat!
You all know Tomcat.
VMware knows too.
Administration was disabled in version 4.0.
Not in version 4.1: VMwareAdmin is your friend!
In all my tests (3), passwords were 4 uppercase, 1 number, 1 lowercase (starting lowercase)

vmware_webaccess_portscan
CVE-2010-0686
"URL forwarding" means performing POST requests on remote hosts.
Can be used to exploit IP-based trusts and reach internal networks.
Not just portscan!
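A forwarder that will POST to any URL it is handed becomes a port scanner and a bridge into networks that trust the server's IP. As an added example (not VMware's or VASTO's code), here is the destination check such a feature needs: an explicit allowlist of public hosts, resolution done by the server itself with every answer checked, and the validated address handed back so the caller connects to it rather than resolving again. The allowlist, port policy, `resolve` callable and the fake DNS table are assumptions.

```python
"""Destination check for a server-side "URL forwarding" feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"updates.example.com"}   # constructed allowlist
ALLOWED_PORTS = {443}


class ForwardRejected(ValueError):
    """The requested forward target is not permitted."""


def _default_resolve(host):
    """All A/AAAA answers for host; every one of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_global_address(ip: str) -> bool:
    """True only for globally routable addresses; unwraps ::ffff:a.b.c.d first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def validate_forward_target(url: str, resolve=_default_resolve):
    """Return (host, port, ip) the forwarder may connect to, or raise ForwardRejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ForwardRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ForwardRejected("credentials in URL are not allowed")
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise ForwardRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise ForwardRejected(f"bad port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise ForwardRejected(f"port not allowed: {port}")
    ips = resolve(host)
    if not ips:
        raise ForwardRejected(f"{host} does not resolve")
    for ip in ips:
        if not is_global_address(ip):
            raise ForwardRejected(f"{host} resolves to non-public address {ip}")
    # The caller connects to this IP (with SNI/Host set to `host`) instead of
    # resolving a second time, which closes the DNS-rebinding window.
    return host, port, ips[0]


def forward_allowed(url: str, resolve=_default_resolve) -> bool:
    """Boolean form of validate_forward_target."""
    try:
        validate_forward_target(url, resolve)
        return True
    except ForwardRejected:
        return False


# Constructed resolver answers for the demonstration (no live DNS needed).
FAKE_DNS = {"updates.example.com": ["93.184.216.34"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    print(validate_forward_target("https://updates.example.com/api", fake_resolve))
    print(forward_allowed("https://updates.example.com/", lambda h: ["10.0.0.5"]))   # False
```

Rejecting on the resolved address rather than on the URL text is what stops the "exploit IP-based trusts" case: an allowlisted name that an attacker can point at 10.0.0.0/8 or 169.254.169.254 is refused at the moment it does so.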
Management is not just interface
vCenter connects to the ESX server via SSL [SOAP]
Certificates are usually not trusted, but stored.
MITM via connection broken
On reconnection, vCenter will check for the certificate CN
Spoof the CN and the admin gets the usual warning
Admin agrees and the password is sniffed

Once again
Do MITM between ESX and vCenter
Take the ESX offline.
Wait for reconnection by the admin.
Spoof ESX's certificate CN.
Admin gets a warning, you get his password.
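The weak step in the sequence above is that reconnection trust rests on the CN plus a warning the admin has been trained to click through. As an added example (not VMware's code), here is the trust decision done the other way: pin each host's full certificate thumbprint after an out-of-band check, treat a changed certificate as a hard failure that sends no credential, and allow the pin to change only through an explicit, recorded rotation. The DER byte strings are constructed placeholders; a real client takes them from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""Thumbprint pinning for the vCenter-to-ESX trust decision (added example)."""
import hashlib
import json


class CertificateChanged(Exception):
    """Presented certificate differs from the pin. Fail closed, never prompt."""


class UnknownHost(Exception):
    """No pin on record and no explicit enrollment decision was made."""


def thumbprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the whole certificate, not just the CN."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    def __init__(self, pins=None):
        # host -> {"thumbprint": ..., "cn": ..., "authorised_by": ...}
        self._pins = dict(pins or {})
        self.audit = []   # (event, host, detail) tuples destined for the SIEM

    def enroll(self, host, der, cn, authorised_by):
        """First contact: record the pin only on an explicit, attributable decision."""
        self._pins[host] = {"thumbprint": thumbprint(der), "cn": cn,
                            "authorised_by": authorised_by}
        self.audit.append(("enroll", host, authorised_by))

    def rotate(self, host, der, cn, authorised_by):
        """Planned certificate replacement: the only way an existing pin may change."""
        if host not in self._pins:
            raise UnknownHost(host)
        self._pins[host] = {"thumbprint": thumbprint(der), "cn": cn,
                            "authorised_by": authorised_by}
        self.audit.append(("rotate", host, authorised_by))

    def verify(self, host, der, cn) -> str:
        """Called on every (re)connection before any credential is sent."""
        pin = self._pins.get(host)
        if pin is None:
            self.audit.append(("unknown", host, cn))
            raise UnknownHost(host)
        presented = thumbprint(der)
        if pin["cn"] != cn or pin["thumbprint"] != presented:
            self.audit.append(("mismatch", host, presented))
            raise CertificateChanged(
                f"{host}: presented {presented[:16]}..., pinned {pin['thumbprint'][:16]}...")
        return "ok"

    def dump(self) -> str:
        """Persist pins (the slides note certificates are stored anyway; store the hash)."""
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


# Constructed placeholders standing in for DER certificate bytes.
ESX01_CERT = b"placeholder-der:esx01.lab.example:serial=1001"
ESX01_SPOOF = b"placeholder-der:esx01.lab.example:serial=9999"    # same CN, different cert
ESX01_RENEWED = b"placeholder-der:esx01.lab.example:serial=1002"


def demo() -> list:
    """Walk the reconnect scenario from the slides and return the audit trail."""
    store = PinStore()
    store.enroll("esx01", ESX01_CERT, "esx01.lab.example", "ticket-0001")
    store.verify("esx01", ESX01_CERT, "esx01.lab.example")
    try:
        store.verify("esx01", ESX01_SPOOF, "esx01.lab.example")
    except CertificateChanged:
        pass    # the desired outcome: no warning dialog, no password sent
    store.rotate("esx01", ESX01_RENEWED, "esx01.lab.example", "ticket-0002")
    store.verify("esx01", ESX01_RENEWED, "esx01.lab.example")
    return store.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The "mismatch" audit event is the detection: an ESX host that comes back after an outage presenting a different certificate with the same CN is exactly the condition the slides describe, and it should page someone rather than ask them to click.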
If everything else failed…

vmware_login
If nothing works, you can always bruteforce!
Will do standard Metasploit bruteforcing
No lockout on standard accounts (unless joined to AD) means a lot of bruteforcing fun
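Where no lockout exists, detection in the forwarded authentication logs is the control that remains. As an added example (not VMware's or VASTO's code), here is a sliding-window detector that raises one alert when a source crosses a failure threshold against a host and a second, higher-priority alert when a login from that source then succeeds while the window is still hot. The log line shape is a constructed generic format, not the real hostd/vpxd format, and the threshold and window are assumptions to tune per site.

```python
"""Detect password guessing against ESX/vCenter logins in auth logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed line shape: "<ts>Z <host> login success|failure user=<u> src=<ip>"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<host>\S+)\s+login\s+"
    r"(?P<result>success|failure)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_event(line: str):
    """Return a dict for a login line, or None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_guessing(lines, threshold=5, window_seconds=60):
    """Sliding window of failures per (source, host).

    One "bruteforce" alert when a source reaches `threshold` failures inside
    `window_seconds`; a "success_after_bruteforce" alert when a login from that
    source succeeds while the window is still hot, which is the guess that
    worked and the account to reset first.
    """
    recent = defaultdict(deque)   # (src, host) -> deque of (ts, user)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        q = recent[key]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "bruteforce", "src": ev["src"], "host": ev["host"],
                               "failures": len(q), "users": sorted({u for _, u in q}),
                               "first": q[0][0], "last": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"], "at": ev["ts"]})
        if not q:
            alerted.discard(key)   # window went cold; a new burst may alert again
    return alerts


# Constructed sample log: one burst from 192.0.2.45, normal traffic elsewhere.
SAMPLE_LOG = """\
2010-10-20T10:00:01Z esx01 login failure user=root src=192.0.2.45
2010-10-20T10:00:03Z esx01 login failure user=root src=192.0.2.45
2010-10-20T10:00:05Z esx01 login failure user=admin src=192.0.2.45
2010-10-20T10:00:08Z esx01 login failure user=root src=192.0.2.45
2010-10-20T10:00:10Z esx01 login failure user=root src=192.0.2.45
2010-10-20T10:00:12Z esx01 login failure user=root src=192.0.2.45
2010-10-20T10:00:14Z esx01 login success user=root src=192.0.2.45
2010-10-20T10:00:20Z esx01 login failure user=root src=192.0.2.7
2010-10-20T10:00:25Z esx01 login success user=root src=192.0.2.7
2010-10-20T10:05:00Z esx02 login failure user=root src=198.51.100.9
2010-10-20T10:10:00Z esx02 login failure user=root src=198.51.100.9
"""


def run_sample():
    return detect_guessing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The `users` field in the first alert distinguishes a single-account guess from password spraying across accounts, which is the case the slides' "VMwareAdmin" and predictable-password remarks make relevant.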
What's On the Horizon?
Multiple local escalation of privilege in virtual machines
• Will eventually include these as modules as well
• Discovered by great researchers
• Low level attacks, close to the CPU or OS
What else?
vmware_sfcb_exec
CVE-2010-2667
Requires authentication, OR can be exploited locally without any authentication.
A vulnerability in Virtual Appliance Management Infrastructure resulting in code exec as root.

So, can we attack virtualization?

Other Problems
Generic TLS renegotiation prefix injection vulnerability
Will VMware renegotiate? Yes / No

Mitigation Techniques
All of the problems I have demonstrated have mitigation techniques.
We have mentioned just two or three of the indirect flaws of this overall FANTASTIC product!
You really need to perform a complete pen test on each piece of the environment in order to figure out if you are secure.

What about Compliance?
Can you be compliant with an out-of-the-box installation?
• Do you have a way to report changes made to the ESX server via the Service Console?
• How many have access to root?
• Why do we use the root account?
You must have a 3rd-party SIEM in place.
• (SEIM: Security Event and Incident Management)
Here are a few options that go beyond a basic SIEM to include other needed security measures.
• Catbird
• HyTrust
• ISO 2700x
• A pen tester must recommend mitigation techniques and tools.

Other Considerations…
Since most infrastructure is moving to the virtual environment, we should pose the question for critical infrastructure.
• Power grid
• Fresh drinking water
• Transportation services
Virtualize a physical environment before you pen test it.
• Use PlateSpin or equivalent to virtualize a physical DMZ, then hammer it to death.
• With approval, use a successful attack to attempt the same.

Whose responsibility is it?
Since this conference is I would be amiss if I did not mention who's responsible for this security.
Data owner?
Cloud custodian?
User?

Review
It is still just another layer to attack!
VMsafe? Really?
Scanning
Common management errors.
ARP cache poisoning
Tools
Web interface (like Nancy Reagan said… just don't do it). But sometimes you have no choice…