Using a Virtualized Pen Test Platform

All,

I have traditionally used a multi-boot Linux box as my pen-test platform. It has always had the disadvantage that I had to reboot into Windows to run some tools that seem to break under wine.

For the past several months, I have been tinkering with using VMware Workstation as my base platform, so I can just switch VMs rather than having to reboot. So far, it seems to work pretty well. However, I am wondering if I am missing something that is broken by VMware that I have not yet detected. For example, does VMware break any of the packet crafters or other tools that do 'unusual' things, that may cause the packet to not traverse correctly from VMware to the outside target?

What other issues do I need to be aware of?

Also, is there any advantage or disadvantage of running Workstation vs. Server vs. ESXi as the underlying VMware system?

What would be the advantages or disadvantages of running XEN? Does it have any issues as a pen test platform hypervisor?

THANKS!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@...
e: Jon.R.Kibler@...
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Re: Using a Virtualized Pen Test Platform

A lot of our customers use Ubuntu Linux to run CANVAS in a VM with Bridged Mode in VMWare Workstation. This works well, but you ARE going through some extra special network "hardware" that you may find has interesting effects on low-level TCP/IP fingerprinting.

I've seen more weirdness on the other end of things though - people will IPFingerprint systems running Virtualized and come up with the wrong result because VMWare modifies the ICMP as it comes back to you.

-dave
Re: Using a Virtualized Pen Test Platform

Jon

I also use virtualization for a pen-testing platform and have for some time. The only issue that I would be aware of is your network interface configuration. You have the ability to set up your virtual interfaces in either a bridged or shared mode a lot of the time, the latter of which performs Network Address Translation (NAT). If you were performing tests where you were either sending or sampling a large amount of traffic, there is a possibility that you could fill up your NAT tables, which will have adverse consequences in terms of valid test results.

--
Thx
Joshua Gimer

On Tue, Oct 20, 2009 at 10:07 AM, Jon Kibler <Jon.Kibler@...> wrote:
Re: Using a Virtualized Pen Test Platform

It's a pain to reboot, almost as much as it is to carry two machines to run some activities concurrently. I have read that several prominent penetration testers use VMs; and there is some information out there about booting one partition and running the second partition in a virtual machine instead of booting back and forth. I haven't heard of any reported problems with these - the only item of interest I know is of VM-aware malware that will shut itself off if you try to examine it inside a virtual machine; but this shouldn't affect you if you are performing that sort of work.

A friend of mine who works for RedHat swears by Xen; however you should probably test it yourself.

One issue I have run into with any VM solution is the hardware may not support virtualization; I've had that problem with several Toshiba laptops. I know ESXi has pages dedicated to hardware compatibility lists.
Re: Using a Virtualized Pen Test Platform

One disadvantage that I know in VMWare is the host (windows in my case) machine doesn't forward the 802.1Q tagged packets to the VMWare. So it's not possible to VLAN Hop and use a virtual interface on VMWare. This might be a concern for you if you are doing VoIP pen testing.

Arjun

On Wed, Oct 21, 2009 at 2:03 PM, Dave Aitel <dave.aitel@...> wrote:
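A guest-side check for the tag-stripping behaviour described above, added here as an example and not part of the thread: it parses raw Ethernet frames (optionally from a classic pcap captured on the VM's virtual NIC) and reports whether any 802.1Q or 802.1ad tags survived the host's virtual switch. The MAC addresses, VLAN IDs and sample frames are constructed.

```python
"""Report which Ethernet frames still carry VLAN tags inside a guest.

Added example, not from the mailing-list thread. If the host strips
802.1Q tags before frames reach the VM, every frame captured on the
guest's interface shows up here as untagged.
"""
import struct

ETH_HDR_LEN = 14
TPID_8021Q = 0x8100    # standard 802.1Q tag
TPID_8021AD = 0x88A8   # 802.1ad (QinQ) outer tag


def parse_frame(frame: bytes) -> dict:
    """Return VLAN tags (outer first), the inner EtherType and payload offset."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                       # reached the real EtherType
        if len(frame) < offset + 6:     # TPID + TCI + next EtherType
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                     # skip this 4-byte tag
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2}


def read_pcap(data: bytes):
    """Yield frames from a classic (non-pcapng) pcap; assumes Ethernet link type."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24                            # global header is 24 bytes
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def summarize(frames) -> dict:
    """Count tagged vs untagged frames and collect the VLAN IDs seen."""
    summary = {"tagged": 0, "untagged": 0, "vids": set()}
    for frame in frames:
        info = parse_frame(frame)
        if info["tags"]:
            summary["tagged"] += 1
            summary["vids"].update(t["vid"] for t in info["tags"])
        else:
            summary["untagged"] += 1
    return summary


# Constructed sample frames (not captured traffic): an untagged IPv4 frame,
# one tagged with VLAN 100 / priority 5, and a QinQ frame (outer 200, inner 100).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + IPV4_STUB
TAGGED = DST + SRC + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100) \
    + struct.pack("!H", 0x0800) + IPV4_STUB
QINQ = DST + SRC + struct.pack("!HH", TPID_8021AD, 200) \
    + struct.pack("!HH", TPID_8021Q, 100) + struct.pack("!H", 0x0806) + b"\x00" * 28


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    print(summarize(read_pcap(build_pcap([UNTAGGED, TAGGED, QINQ]))))
```

Capture on the guest interface with a tag-preserving capture tool, then feed the file bytes to read_pcap; a summary with zero tagged frames on a trunk port confirms the host is stripping tags.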
Re: Using a Virtualized Pen Test Platform

On Tue, 2009-10-20 at 12:07 -0400, Jon Kibler wrote:
> For the past several months, I have been tinkering with using VMware Workstation
> as my base platform, so I can just switch VMs rather than having to reboot.

In terms of virtualization, I would recommend giving Sun's VirtualBox a look. It does a pretty good job without the cost of VMware. But one problem you do run into with pentesting is getting at the network hardware, particularly any internal wireless card that you might use for WLAN cracking.

--
JoePete
Re: Using a Virtualized Pen Test Platform

Hi Jon,

I just saw this so sorry that I'm a little late to respond.

You're right to worry if things are breaking that you don't see. It happens. Low level packet crafting gets messed up and we have even noticed lost packets when receiving. We chalked this up to multiple layers of abstraction which occurs between the human interaction and the packet send or receive. This is why Windows systems also make bad test machines for low level tests. But for application-level tests, we find it much more capable. I have yet to find more than just memory capacity errors from a virtual session for application tests.

This info comes from hundreds of hours of testing multi-level tests for the OPST (OSSTMM Professional Security Tester) certification exam. It was such a problem that we had to discontinue the use of virtual sessions for OPST exams already back in 2004. Before this post becomes flame bait, I want to say that virtualization, especially with hardware support, has come a long way since we stopped using it. However, recently we concluded a 3.5 year EU project where we worked fairly exclusively with XEN and L4 on linux systems and found that even with proper hardware support, it had packet problems.

My advice is to get a 2nd, small, cheap system and keep linux on it for testing. This way you won't be wasting your time with inefficiencies.

Sincerely,
-pete.

Pete Herzog, Managing Director, ISECOM
www.isecom.org
Re: Using a Virtualized Pen Test Platform

I'm going to throw another vote out there for virtualbox. I use it on top of ubuntu to virtualize windows, and it networks, suspends, and generally /works/ flawlessly. Make sure to download the version from sun (as opposed to the dpkg/apt repos) because it offers USB support, among other things.

jcran

Sent from my iPod

On Oct 24, 2009, at 11:08 PM, JoePete <joepete@...> wrote:
Re: Using a Virtualized Pen Test Platform

2009/11/9 0x0e.org <jcran@...>:
> I'm going to throw another vote out there for virtualbox.

I'll add my vote to virtualbox, I started using it when vmware server started getting slow to start up. It works really well for running on a headless box as it is really easy to control by command line.

Robin