APPENDIX C
VIRTUALIZATION AND ETHICAL HACKING

This appendix gives you an overview of virtualization as it applies to security testers, reviews some virtualization vulnerabilities that security testers should consider, and explains how to create a virtual machine with the free VMware Server.

VIRTUALIZATION AND SECURITY TESTING

A virtual machine is a software-based system that acts like a hardware system. It runs on a software layer called the hypervisor, which can run on a system without an OS installed (called a “bare-metal system”) or on one with an OS, such as Linux or Windows. Virtual machine computing offers several advantages; for enterprise networks, the main advantage is that multiple systems with different OSs can run on the same physical hardware, which reduces costs, increases flexibility, and improves management efficiency. Virtualization enables an organization or a single user to get the most out of computer resources. Schools, for example, can use virtualization to turn a single server into a virtual server that can host two, three, or more OSs. One computer can house five virtual servers running Windows Server 2008 and Red Hat Enterprise Linux, for example. This capability saves the school money on servers and enables more students to work on their own virtual machines.

As a security tester, being able to turn a single computer into a virtual system that you can run multiple OSs on, without having to alter the current OS, is priceless. Instead of testing new code or security tools on a client’s live environment, a security tester can create a virtual mockup of the client’s network that includes multiple OSs and configurations and run them all on one physical system. This setup is also ideal for performing the BackTrack Linux activities in this book. You can still run your current OS, such as Windows Vista or Windows 7, and then install virtualization software and use BackTrack Linux in a virtual window or “session.” When you’re finished with the chapter activities, you simply remove the virtualization software, and you’re back where you started with your original OS.

Virtualization technology has also been incorporated in backup and disaster recovery systems as a way to reduce downtime after system failures and data corruption and loss. By taking snapshots (images of a virtual machine’s current state) regularly, network administrators can restore service after virtual machine or hardware failures in minutes or seconds rather than hours or days.

In addition, virtualization is an important part of cloud computing, in which application resources are accessed and maintained on the Internet (the “cloud”), instead of on an organization’s physical premises or servers. With virtualization, cloud-based computing resources can be allocated based on demand. In the past few years, cloud computing has become a new buzzword in the IT community, partly because of the growing popularity of netbooks and nettops. These “lightweight” computers access desktop applications via a Web browser instead of on the hard drive. Many large organizations, such as Motorola and the City of Los Angeles, have migrated to cloud-based e-mail and other applications, and this trend is expected to accelerate in the next few years.

Virtualization Vulnerabilities

Along with the increased efficiency virtualization offers, using virtualization means preparing for potential risks. In addition to the risk of one physical system being affected by an attack, a root-level compromise of the hypervisor can mean the compromise of many systems. For example, in June 2009, the compromise of virtual machine hypervisors for the Web-hosting company VAServ allowed a hacker to wipe out more than 100,000 Web sites. Many of these Web sites had no backup, so they were irretrievably lost.

Attackers use virtualization to perfect their attacks. In a sophisticated attack, they scan and enumerate the target network, and then create a detailed mockup of this network by using virtual machines. They can then perfect an attack against the replicated network without being detected by the organization’s intrusion detection systems that might alert security professionals to their intentions.

A hypervisor compromise can be magnified even more with cloud-based elastic computing, in which the number of virtual machines used for a Web application or site is based on the application load. If the application load increases, more virtual machines can be brought on “elastically” to handle the load. In other words, virtual machine power expands dynamically in proportion to the load. When the load decreases, the number of virtual machines is reduced automatically. In this way, the application owner doesn’t have to pay for more computing power than needed, and the gains in efficiency improve the bottom line. Amazon is the first company to market pay-for-use cloud-based computing widely with its Elastic Compute Cloud (EC2), although many companies and initiatives emerged around the same time, in the early 2000s. (For more information, visit http://aws.amazon.com.)

What if attackers are able to access credentials (or keys, in Amazon’s EC2 system) for a large elastic-computing customer? They could install malware on virtual machines during heavy load periods, such as the holiday shopping season. They could also reconfigure virtual machines to send spam or malicious e-mail attachments or launch DoS attacks. In fact, all these attacks have occurred with cloud-based virtual machines.

Like any enterprise that aims to get the most bang for the buck, cybercriminal organizations can also use cloud computing to further their criminal activities. Cloud computing is a way to collect a large amount of computing power without needing a physical facility. As more targets, such as businesses, begin storing sensitive information in the cloud, cybercriminals will target cloud-based infrastructures more often. The cloud-based WPA Cracker Web site (www.wpacracker.com), created by the security researcher Moxie Marlinspike, is an example of how cloud-based computing power can be leveraged to crack passwords. Because password cracking requires a lot of processor power, having 400 CPUs available without having to pay rent for a facility can be useful for both ethical hackers and criminal hackers.

Despite the security risks, the role of virtualization in businesses shows no sign of slowing. That means you, as a security tester, will have to consider virtualization in your security testing. The numbers certainly indicate that security testers need to pay attention. A search of the National Vulnerability Database at http://nvd.nist.gov reveals hundreds of vulnerabilities related to hypervisors, so testing for hypervisor and other virtual machine infrastructure vulnerabilities will be a necessary part of your job. At the same time, the capabilities gained with virtualization can make your job easier by providing an efficient, cost-effective testing environment.

INSTALLING AND USING VIRTUALIZATION SOFTWARE

This appendix includes a step-by-step guide for turning a single computer into a virtual system hosting one or more virtual machines. VMware Server 2.0 is used as an example because it’s one of the most popular virtualization products, and it’s free. However, there are other free virtualization products you should be familiar with, described in the following list. The first six products are hosted virtualization systems, which simply means they run on top of a regular OS, such as Windows Vista. The last two, Citrix Xen Server and VMware ESXi, are dedicated hypervisors, so they can’t be installed on top of a regular OS. Instead, they take the place of your OS. Compared with hosted virtualization systems, dedicated hypervisors offer performance advantages.

• Microsoft Virtual PC—Intended for use on workstations to host another OS, such as a Windows Server 2008 virtual machine; can be installed on Windows hosts only.

• Microsoft Virtual Server—Intended for use on servers to host multiple virtual machines, including Windows Server 2008 and other OSs; can be installed on Windows hosts only.

• Microsoft Hyper-V—Intended for use on servers to host multiple virtual machines, including Windows Server 2008 and other OSs; can be installed on Windows hosts only.

• VMware Server—Intended for use on servers to host multiple virtual machines; included as part of Windows Server 2008 and 2008 R2. It supports most Windows and several Linux OSs.

• Kernel-based Virtual Machine (KVM)—Available as an optional package in most Linux distributions, KVM is a lightweight virtualization infrastructure that can run most Linux and Windows versions as guest OSs; can be installed on Linux hosts only.

• Sun xVM (VirtualBox)—Intended for use on a workstation or server to host multiple virtual machines, including most versions of Linux, BSD UNIX, Solaris, and Windows; can be installed on Solaris, Windows, Linux, and Macintosh hosts.

• Citrix Xen Server—A hypervisor intended for use on servers without an OS already installed; can host multiple virtual machines, including most versions of Linux and Windows. Xen Server is the virtualization product behind Amazon’s Elastic Compute Cloud.

• VMware ESXi—A hypervisor intended for use on servers without an OS already installed; can host multiple virtual machines, including those running most versions of Linux and Windows.

Overview of VMware Server

VMware Server enables you to set up virtual machines to run Windows or Linux OSs. VMware Server 2.0 is a major update from previous versions and offers the following new features:

• Enables you to manage virtual machines from the VMware Infrastructure Web Access window or the Remote Console window

• Allows configuring different levels of permissions

• Allows configuring which OSs start when VMware Server is started

• Offers editors for configuring hardware devices

• Includes support for virtual machines running Windows Vista, Windows Server 2008, Red Hat Enterprise Linux 5.0, and Ubuntu Linux through version 9.x, among others

• Handles increased memory (to 8 GB) and more NICs (up to 10) in the host machine

• Supports 64-bit guest OSs on 64-bit (x64 but not IA-64) host computers

• Offers hot-add capability (meaning components can be added without shutting down the virtual machine) for new SCSI and tape devices

• Includes the Volume Shadow Copy Service (VSS) for backups on Windows guest OSs

• Allows using Firefox 3 or Internet Explorer for the VMware Infrastructure Web Access window

• Supports hardware virtualization—for example, AMD CPUs with AMD-V capability and Intel CPUs with Intel VT

• Supports multiple monitors (to see different virtual machines on different displays)

Guest and Host OSs Supported in VMware Server

VMware Server 2.0 supports running many different OSs on virtual machines, including most Linux OSs, Windows XP and later, FreeBSD UNIX, Sun Solaris, and Novell NetWare. VMware Server 2.0 runs on more host OSs than Microsoft Virtual PC or Virtual Server because it can run on several Linux distributions. It will probably run on most Linux and Windows versions you use, and support for new OSs is added continually. For the latest information on supported host and guest OSs in VMware 2.0, check www.vmware.com/products/server.

Note


For Windows host OSs, you must download the VMware Server version for Windows, which is in .exe format. For Linux host OSs, you must download the VMware Server version for Linux, which is in .tar format.


Requirements for VMware Server

VMware Server has the following hardware and software requirements:

• CPU—Any standard x86 or x64 computer, including the following processors: dual-core or quad-core Intel Xeon, Intel Core 2, AMD Opteron, or Athlon (733 MHz or faster)

• RAM—A minimum of 512 MB but must include enough RAM for the minimum requirements of the total number of OSs (host and guest) you plan to run

• Disk space—Enough disk storage for the OSs (host and guest) you plan to run

• VMware Infrastructure Web Access window—Internet Explorer 6.0 and later (for Windows hosts) or Mozilla Firefox 2.0 and later (for Linux hosts)

Note


VMware Server 2.0 virtual machines can connect to hard, optical, and floppy drives, and USB 2.0 connections are supported.


Downloading and Installing VMware Server

To download VMware Server, follow these steps:

1. Start your Web browser, and go to www.vmware.com/products/server. (Note: Web links and specific instructions change periodically. You might need to search at www.vmware.com if this link doesn’t work.) Click Download to download the latest version of VMware Server 2.0.

2. Complete the registration form, if prompted. Next, read the licensing information, and then click Yes or Accept.

3. Record the serial number for the Windows version, and then click the link to download the binary (.exe) file for VMware Server for Windows Operating Systems.

4. Click Save, and select a download location for the file. Click Save again.

5. Click Close, if necessary, when the download is finished, and then exit your Web browser.

The general steps for installing VMware Server are as follows:

1. Browse to the folder where you saved the VMware Server installation file, and double-click VMware-server-2.x.x-xxxxxx (replacing 2.x.x-xxxxxx with the VMware Server version).

2. When the Installation Wizard for VMware Server starts, click Next.

3. Read the license agreement, click Yes, I accept the terms in the license agreement, and then click Next.

4. In the Destination Folder window, verify the destination folder for the VMware Server files (or click Change to select a different folder), and then click Next.

5. In the Server Configuration Information window, verify the fully qualified domain name (FQDN) for the host computer, and make sure 8222 is entered in the Server HTTP Port text box and 8333 is entered in the Server HTTPS Port text box. Make any necessary changes, such as the host and domain names (but leave the default settings for ports). If you want to use an external or a network drive instead of the default Documents\Virtual Machines storage path, click the Change button next to the “Please select the virtual machine storage path” option. The installation wizard selects the drive with the most available free space, so if you have an attached external drive with more space than your system drive, the wizard selects that drive automatically. When you’re finished with your selections, click Next.

6. In the Configure Shortcuts window, make sure the shortcuts you want are selected, as shown in Figure C.1, and then click Next.

7. In the Ready to Install the Program window, click Install. If you’re prompted to install device software, click Install.

8. In the Registration Information window, enter your name, school or company name, and the serial number you recorded when you downloaded the software, and then click Enter.

9. Click Finish, and then click Yes to restart your system.

Creating a Virtual Machine and Installing a Guest OS

Now that VMware Server is installed, the next steps are creating a virtual machine and installing the guest OS. The following steps explain these procedures, using the BackTrack Linux files for the guest OS:

Figure C.1: Shortcut options

Note


The Remote Console window you use later requires that the host computer be resolvable through DNS. Before you start, make sure your host can be resolved through DNS on your network (or that DNS is installed on the host). For example, the network’s DNS server should have a host address (A) resource record for the host computer.


1. Double-click the VMware Server Home Page icon on the desktop or taskbar. (You can also click Start, point to All Programs, click VMware Server, and click VMware Server Home Page.)

Note


If you’re using Internet Explorer, you might need to address security requirements, such as providing a digital certificate, specifying whether to set up a phishing filter, and adding the VMware site as a trusted site.


2. Log on with your host computer account (or the Administrator account) and enter your password. (Use the same account you used to install VMware Server.) Click Log In, and after your credentials are accepted, you see the VMware Infrastructure Web Access (VI Web Access, for short) window (see Figure C.2).

Figure C.2: The VMware Infrastructure Web Access window

Note


A certificate error is reported in Figure C.2 because this new site doesn’t have a trusted certificate yet. If you have this problem, you might be able to import a certificate by clicking Certificate Error at the top, clicking the View certificates link, and clicking Install Certificate. Another option is to talk to your network administrator about importing a certificate.


3. Make sure your host computer is selected in the Inventory pane on the left, and click the Virtual Machines tab in the workspace in the center.

4. In the Commands pane on the right, click Create Virtual Machine to start the Create Virtual Machine Wizard.

5. In the Name and Location window, type BackTrack Linux for the virtual machine name, and then click Next.

6. In the Guest Operating System window, click the Linux operating system option button. In the Version list box, click Ubuntu Linux (32-bit), and then click Next.

Figure C.3: Configuring virtual disk properties

7. In the Memory and Processors window, set the memory size to 512 MB or higher. (For 32-bit Ubuntu Linux, 512 MB is the default.) Also, if your system has a dual-core or quad-core CPU or is an SMP system, you can select the number of processors to use. After the virtual machine has been set up, however, you can’t reconfigure the number of processors. Click Next.

8. In the Hard Disk window, click Create a New Virtual Disk (a disk on the current computer) to open the Properties dialog box. (The other option is Use an Existing Virtual Disk, which is a previously created virtual disk file with a .vmdk file extension.) In the Capacity text box, type 20, and make sure the units are set to GB (see Figure C.3). Adjust any settings as needed, which include the following:

• Location—You can select a file location other than the default for the virtual disk.

• File Options—You can choose to allocate disk space now and split the disk into two files.

• Disk Mode—You can select the option to create independent disks, which aren’t affected by snapshots.

• Virtual Device Node—You can select a SCSI or an IDE disk.

• Policies—You can select the option to optimize for safety (the default) or for performance.

9. Click Next. In the Network Adapter window, you can add a network adapter for access over a network. Click Add a Network Adapter to open the Properties dialog box. If you don’t want to use the default settings for a network connection (bridged) and for connecting automatically when the virtual machine is powered on (yes), change these settings. The options for the Network Connection setting are as follows:

• Bridged—This setting gives the virtual machine its own network identity (so that it’s seen as a different computer from the host), which enables other computers on the network to communicate with it. It also means the virtual machine can access the Internet through the local network. If you plan to use this virtual machine for activities in this book, you should use a bridged network adapter.

• HostOnly—With this setting, only the host computer and other virtual machines on the same host can access the virtual machine, which means it isn’t accessible through the local network.

• NAT—The virtual machine shares the host’s IP and MAC addresses, which means it doesn’t have its own identity on the local network. You might select this option if IP addresses are in short supply for your network or if your network policy allows only one IP address for a computer.

10. Click Next. In the CD/DVD Drive window, you can select options to use a physical CD/DVD drive (or no drive). You can also specify an ISO image file for installing the guest OS. (In this case, you would click Browse next to the Image File text box to select the ISO image.) Click the Use a Physical Drive option button to open the Properties dialog box. Make sure the correct CD/DVD drive for the host is selected (such as drive E), verify that the Connect at Power On option is set to Yes, and then click Next.

11. In the Floppy Drive window, you can select options to use a physical drive (if your computer has a floppy drive) or specify an ISO image file for installing the guest OS. For this activity, click Don’t Add a Floppy Drive.

12. In the USB Controller window, you can select whether to add a USB controller, if you want to access a flash drive, for example. Make your selection, and the wizard advances to the next window automatically.

13. In the Ready to Complete window, review your selections, and then click Finish. The Task pane at the bottom of the VI Web Access window should display “Success” in the Status column to show that you created the virtual machine successfully.

Note


If you have selected different configuration options and then clicked Back to return to preceding steps, you might get an error message, or you might not end up with an installed virtual machine. If this happens, start over and avoid undoing selections you have made.


14. Next, you install the guest OS. Insert the BackTrack Linux DVD that you burned from this book’s online supporting files. In the Inventory pane, click the new BackTrack Linux virtual machine under the host computer’s name. (You might have to expand entries under the host’s name first.)

15. Click the Summary tab in the workspace, if necessary, and scroll down to the Hardware section. Click the CD/DVD Drive 1 (drive type) down arrow and click Edit. In the CD/DVD Drive dialog box, review the settings for the host’s CD/DVD drive, make any needed changes, and click OK.

16. Click the Console tab in the workspace, and then click Install plug-in to install the Remote Console plug-in.

Note


If you see a message box about noticing the Information Bar, click Close. Also, if the plug-in isn’t installed successfully in Internet Explorer, you might see a message that you must click to continue. Click the message, and then click to install the elements Internet Explorer requires, such as the ActiveX control. Next, click Install plug-in again, and, if necessary, click Install and Next.


17. After the Remote Console plug-in is installed, restart your browser and log back on to the VI Web Access window. In the Inventory pane, click the BackTrack Linux virtual machine.

18. On the toolbar at the top, click the Play icon (a green triangle that serves as a switch to turn the virtual machine on or off). Click the Console tab. Click anywhere in the reduced console on the right (the Remote Control window). BackTrack starts, and you see the logon prompt in Figure C.4.

Note


To leave the Remote Console window, you must press Ctrl+Alt to return mouse and keyboard control to the host until you install VMware Tools later in this appendix.


19. Type startx and press Enter to start the KDE desktop manager. Double-click the install.sh desktop icon to start the BackTrack hard drive Install Wizard.

Figure C.4: BackTrack in the Remote Console window

20. In the Where are you? list box, make your time zone selection, and then click Forward. In the Keyboard layout list box, make your selection, such as USA, and then click Forward.

21. In the Prepare disk space window, click Forward to accept the default setting, Guided - use entire disk.

22. In the Ready to install window, click Install. The installation script begins installing BackTrack Linux. You’ll see progress information about scanning and copying files, configuring hardware, and completing the installation. This process takes 15 minutes or longer.

23. When you see the message about the installation being finished, remove your BackTrack DVD, and then click Restart now. After the OS restarts, log on with the username root and the password toor.

24. At this point, BackTrack Linux is installed as a guest OS on a VMware Server virtual machine. To explore what’s available, type startx and press Enter to start the KDE desktop manager. When you’re finished, log off and close the VI Web Access window. (You can use the Remote Console window later to access BackTrack Linux.)

Tip


You can close the Remote Console window at any time, but note that the virtual machine keeps running. To stop it, you must shut down the guest OS in the Remote Console window and power the virtual machine off in the VI Web Access window.


Tip


To access online help documentation, click the Help option at the upper right of the VI Web Access window.


Configuring Networking Options

As you learned earlier, the three network connection options are Bridged, HostOnly, and NAT. Each network type has a default name: VMnet0 for the Bridged option, VMnet1 for the HostOnly option, and VMnet8 for the NAT option.

You use the Virtual Network Editor to configure virtual networking options. For example, you can configure internal DHCP server capability for HostOnly and NAT networks. Bridged networks use an external DHCP server, such as a router or a Windows Server 2008 server configured for this service. To explore the Virtual Network Editor, follow these steps:

1. Click Start, point to All Programs, click VMware, click VMware Server, and click Manage Virtual Networks. The Virtual Network Editor has the following tabs (see Figure C.5):

• Summary—Displays general information for virtual networks, including VMnet0, VMnet1, and VMnet8

• Automatic Bridging—Used to control bridging between the VMnet0 network and the host’s network adapter

• Host Virtual Network Mapping—Used to link virtual networks to physical network adapters and virtual network adapters and to configure subnet and DHCP properties

• Host Virtual Adapters—Shows virtual adapter connections, virtual networks, and the status of connections

• DHCP—Used to configure DHCP settings for VMnet1 and VMnet8 and start, stop, and restart the DHCP service

• NAT—Used to associate the NAT service with a virtual network, configure NAT settings, and start, stop, and restart the NAT service

Figure C.5: The Virtual Network Editor

2. Click each tab, and explore the available options. When you’re finished, click the DHCP tab again. Click VMnet1 and click Properties. In the DHCP Settings dialog box, notice that you can configure the range of IP addresses to use and configure DHCP lease settings for clients. Click Cancel.

3. When you’re finished, close the Virtual Network Editor.
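The following is an added example, not part of the original appendix and not VMware's code: the Network Connection choice for each adapter is stored in the virtual machine's .vmx configuration file, so a tester can audit a lab for target machines that are unintentionally reachable from the LAN. The file names, display names, and allow-list are constructed sample data, and treating an adapter with no connectionType entry as bridged is an assumption.

```python
import re

# Default virtual network for each connection type, as listed in this appendix.
DEFAULT_VMNET = {"bridged": "VMnet0", "hostonly": "VMnet1", "nat": "VMnet8"}
# Can other machines on the physical LAN open connections to the guest?
LAN_REACHABLE = {"VMnet0": True, "VMnet1": False, "VMnet8": False}

SETTING_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')
ADAPTER_RE = re.compile(r"^ethernet(\d+)\.(\w+)$")
VNET_RE = re.compile(r"vmnet(\d+)$", re.IGNORECASE)

# Constructed sample .vmx contents (hypothetical lab, not from the book).
SAMPLE_VMX = {
    "backtrack.vmx": '''.encoding = "windows-1252"
displayName = "BackTrack Linux"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
''',
    "target-xp.vmx": '''displayName = "Vulnerable XP target"
# adapter 0 is isolated, adapter 1 was added later with defaults
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet1.present = "TRUE"
''',
    "target-web.vmx": '''displayName = "Web target"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet2"
ethernet1.present = "FALSE"
ethernet1.connectionType = "bridged"
''',
}


def parse_vmx(text):
    """Parse key = "value" lines; keys are lower-cased, comment lines skipped."""
    settings = {}
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def list_adapters(settings):
    """Return one dict per adapter that is marked present, ordered by index."""
    raw = {}
    for key, value in settings.items():
        match = ADAPTER_RE.match(key)
        if match:
            raw.setdefault(int(match.group(1)), {})[match.group(2)] = value
    adapters = []
    for index in sorted(raw):
        props = raw[index]
        if props.get("present", "").upper() != "TRUE":
            continue
        # Assumption: an adapter with no connectionType behaves as bridged.
        ctype = props.get("connectiontype", "bridged").lower()
        if ctype == "custom":
            vnet_match = VNET_RE.search(props.get("vnet", ""))
            vmnet = f"VMnet{vnet_match.group(1)}" if vnet_match else "unknown"
        else:
            vmnet = DEFAULT_VMNET.get(ctype, "unknown")
        adapters.append({
            "index": index,
            "type": ctype,
            "vmnet": vmnet,
            # None: cannot tell from the file; check the Virtual Network Editor.
            "lan_reachable": LAN_REACHABLE.get(vmnet),
        })
    return adapters


def audit(vmx_files, allowed_on_lan):
    """Flag adapters that may expose a VM to the LAN unless the VM is allow-listed."""
    findings = []
    for path, text in vmx_files.items():
        settings = parse_vmx(text)
        name = settings.get("displayname", path)
        for adapter in list_adapters(settings):
            if adapter["lan_reachable"] is False or name in allowed_on_lan:
                continue
            reason = ("bridged to LAN" if adapter["lan_reachable"]
                      else "unmapped network, review")
            findings.append((name, adapter["index"], adapter["vmnet"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VMX, allowed_on_lan={"BackTrack Linux"}):
        print(finding)
```

Only the testing machine is allow-listed here; any adapter that lands on VMnet0, or on a network the file alone cannot classify, is reported for review before the lab is powered on.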

Configuring Hardware Options

After you create a virtual machine, you might want to go back and configure hardware options. For example, you might decide to change the network configuration from Bridged to HostOnly. To configure hardware, follow these steps:

1. Open the VI Web Access window. In the Inventory pane, click to expand the host computer’s name, and then click the BackTrack Linux virtual machine.

2. The virtual machine must be powered off to configure hardware. Click the Console tab, and shut down the OS. You can also click Virtual Machine, Power Off from the menu.

3. Click the Summary tab, and scroll down to the Hardware section.

4. Click the Processors down arrow and click Edit. A message is displayed, reminding you that changing the number of processors for a virtual machine that’s already been created might cause system instability. Click Cancel.

5. Click the Memory down arrow and click Edit. Notice the recommended size for memory allocation. You can use the Size (in multiples of 4) text box to change this setting. Click Cancel.

6. Click the Hard Disk 1 down arrow and click Edit. You can increase virtual disk capacity, configure the virtual device node, configure the disk mode, and configure policies. Click Cancel.

7. Click the Network Adapter 1 down arrow and click Edit. You can change the type of network connection, such as from Bridged to HostOnly. Information about the connection status, MAC address, and virtual device is also displayed. Click Cancel.

8. Click the CD/DVD Drive 1 down arrow and click Edit. Review the properties you can set and the connection status information. Click Cancel.

9. Review information about any other hardware devices. If you had changed any hardware settings, you would have to restart the virtual machine for the new settings to take effect. Leave the VI Web Access window open for the next steps.

Installing VMware Tools

VMware Tools is an add-on that gives you more options for managing virtual machines and improving their performance. It includes the following features:

• A control panel for changing virtual machine settings and connecting devices conveniently

• VMware user processes for Linux and Solaris guest OSs

• Device drivers for enhanced video, audio, mouse, network, and SCSI disk performance

• The Tools service, which includes a variety of tools for messaging, mouse performance, screen resolution, and others

When you install VMware Tools, the virtual machine must be started, and you should be logged on to the guest OS account you use to manage VMware Server because VMware Tools, including drivers, is installed on the guest OS. The following steps describe how to install VMware Tools on a BackTrack Linux virtual machine:

1. Open the VI Web Access window, if necessary. In the Inventory pane, click the BackTrack Linux virtual machine, and make sure it’s powered on.

2. If the guest OS isn’t running, start it. Log on to the root account in BackTrack Linux, and then type startx at the command prompt and press Enter to start the KDE desktop manager.

3. In the VI Web Access window, click the Summary tab for the BackTrack Linux virtual machine, and then click Install VMware Tools in the Status pane at the upper right. In the Install VMware Tools dialog box, click Install.

4. Back in the BackTrack Linux desktop, open a Konsole shell.

5. Copy the zipped VMware Tools file to your desktop by typing cp /cdrom/VM*.gz . and pressing Enter. (Don’t forget the period at the end of the command.) Then type tar xvzf VM*.gz and press Enter to extract the files to a folder on your desktop.

6. To change to the extracted directory, type cd vmware-tools-distrib and press Enter. To start the VMware Tools installation script, type ./vmware-install.pl and press Enter. Press Enter at each prompt to accept the default installation settings.

7. The last installation question concerns the virtual machine’s screen resolution. For the best results, choose a resolution slightly lower than the host’s screen resolution. The virtual machine window changes as it detects your settings, and then you see the VMware Tools script completion message.

8. To finish the VMware Tools setup, log off KDE and then log on again by typing startx and pressing Enter. Your BackTrack Linux virtual machine now has much faster graphics performance, and you can move between the host and virtual machine windows simply by clicking.

9. Log off BackTrack Linux, and power off your virtual machine.
