Hacking Virtual Machines Part 1 - Sniffing

Wednesday, November 17, 2010

Bozidar Spirovski


Virtualization is considered to be the new renaissance in computing. Suddenly, all those oversized servers are put to great use by running multiple Guest OSes on them.

But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

We will discuss these opportunities in this series of articles, under the uncreative title "Hacking Virtual Machines".

Sniffing Attack


By definition, a virtualization host will have several Guest OS systems running. Possibly, these systems will have a different purpose, and different levels of patching and functional configuration.

The Guest OS systems should be perfectly isolated from each other and should not access the same resource at the same time.

But most virtualization implementations break this rule at the network level. It is quite common for all Guest OS systems to access the LAN via one network adapter.

And not many virtual server implementations have virtual VLANs configured.

All this means that if one virtual machine starts a sniffer, putting the adapter into promiscuous mode, it is quite possible to sniff traffic from the other virtual machines and collect all sorts of interesting information.

The sniffing attack is a second-phase attack, carried out after the first virtual machine has been compromised.

The sniffing target is a web server running the Hacme Bank web application. The sniffing easily captures the authentication process, as well as money transfer transactions.
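A defensive check for the condition described above, as an added example that is not part of the original article: it reports any interface on a Linux guest whose kernel flags word has IFF_PROMISC (0x100) set. The Linux guest, the sysfs path and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Report network interfaces on a Linux guest that are in promiscuous mode."""
import os
import sys

IFF_UP = 0x1         # interface is administratively up
IFF_PROMISC = 0x100  # interface accepts all frames, not only its own

def read_flags(iface_dir):
    """Return the integer flags word from <iface_dir>/flags, or None if unreadable."""
    try:
        with open(os.path.join(iface_dir, "flags")) as fh:
            return int(fh.read().strip(), 16)  # sysfs prints e.g. "0x1103"
    except (OSError, ValueError):
        return None  # not an interface directory, or unexpected content

def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return a sorted list of (name, flags) for interfaces with IFF_PROMISC set."""
    found = []
    try:
        names = os.listdir(sysfs_net)
    except OSError:
        return found
    for name in sorted(names):
        flags = read_flags(os.path.join(sysfs_net, name))
        if flags is not None and flags & IFF_PROMISC:
            found.append((name, flags))
    return found

def main(argv):
    # Optional argument: alternative sysfs root (assumption, used for offline testing)
    root = argv[1] if len(argv) > 1 else "/sys/class/net"
    hits = promiscuous_interfaces(root)
    for name, flags in hits:
        state = "up" if flags & IFF_UP else "down"
        print(f"ALERT {name}: promiscuous mode set (flags={flags:#x}, {state})")
    if not hits:
        print("no promiscuous interfaces found")
    return 1 if hits else 0  # non-zero exit lets a monitoring job alert on it

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Bridge members and legitimate capture tools also set this flag, so a hit needs to be compared against what the guest is expected to run. An attacker with root on the guest can tamper with the check, so it complements network separation between guests (such as the virtual VLANs mentioned above) and does not replace it.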

Cross-posted from ShortInfosec

Ray Tan Can not agree with you any more.
Dan Dieterle Great Article! I highly recommend following the Cross-Posted link and watching the video that is attached to the original article. Sniffing traffic from other virtual machines using Wireshark. Stunning.