Hacking Virtual Machines Part 1 - Sniffing

Wednesday, November 17, 2010

Bozidar Spirovski

E973b16363b3de77b360563237df7e32

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them.

But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss the opportunities in this series of articles, with uncreative title "Hacking Virtual Machines".

Sniffing Attack



/uploads/remoteimg/bb03a11d28d13f780a47a0e68c74d133.jpg

By definition, a virtualization host will have several Guest OS systems running. Possibly, these systems will have a different purpose, and different levels of patching and functional configuration.

The Guest OS systems should be perfectly isolated between each other and not access the same resource at the same time.

But most virtualization implementations collide on this rule at the network level. It is quite common that all Guest OS systems are accessing the LAN via one Network Adapter.

And not many implementations of Virtual servers have configured virtual VLans.

All this means that if one virtual machine starts a sniffer - putting the adapter in a promiscuous mode - it is quite possible to sniff traffic from the other virtual machines, and collect all sorts of interesting information.

The sniffing attack is a second phase attack, after the first virtual machine has been compromised.

The sniffing target is a web server, running the Hacmebank web application. The sniffing easily captures authentication process, as well as money transfer transactions.

Cross-posted from ShortInfosec

Possibly Related Articles:
17830
Network->General
Hacking Virtualization Virtual PC Sniffing
Post Rating I Like this!
85ac6feb584b665e85664974c546cfec
Ray Tan Can not agree with you any more.
1290063599
B64e021126c832bb29ec9fa988155eaf
Dan Dieterle Great Article! I highly recommend following the Cross-Posted link and watching the video that is attached to the original article. Sniffing traffic from other virtual machines using Wireshark. Stunning.
1290097989
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.