INFOSEGURA.NET
ViMTruder 1.0 Virtual Machine Trojan
Pentester Manual
April 2009
ViMtruder is a Virtual Machine Trojan. For an introduction to the concept, please read this article.
The objective of this manual is to show you how to configure and deploy ViMtruder, so you, as a pentester, can demonstrate to your client how he/she is vulnerable to this type of attack.
This manual assumes you have a basic understanding of how to use virtual machines, basic skills in Linux, and basic knowledge of Nmap.
INSTALLATION
Please download ViMtruder from http://code.google.com/p/vimtruder/.
ViMtruder is written in Python, and consists of two separate pieces of software: vimtruder-client, and vimtruder-server.
ViMtruder is delivered to the target’s network via a virtual machine. In a real attack scenario, the attacker would configure a virtual machine with some desirable function, and insert vimtruder-client into it. The victim, wanting to try out the functions of the virtual machine, would download it, and run it in his/her local network.
So the first thing you need to do is to download and install VMware Server on your pentester laptop. You can download it from http://www.vmware.com/products/server/
The next thing you need to do is create a virtual machine. You can download the ISO of the Linux distro you are most comfortable with. The one I recommend is Fedora (http://fedoraproject.org/).
Once the virtual machine with Linux is up and running, upload vimtruder-client.py to your directory: /home/username. (You will need to be root or superuser at all times.)
Make sure Python is installed. Type “python” and you’ll know. If it’s not installed, type “yum install python”, or the equivalent in your system.
You also need to install Nmap: “yum install nmap”.
Now we need to configure the virtual machine so vimtruder-client.py runs automatically in the background on boot up. Go to the directory /etc. Then type “vi rc.local”. In this file we can add commands we want to run when the system boots up. Note that the location of the file rc.local may be different in other Linux distros.
Add the following lines to rc.local:
python /home/username/vimtruder-client.py &
disown
Needless to say, don’t use “username” literally; /home/username is the path of your specific home directory, where you uploaded vimtruder-client.py.
In case you are wondering, the “&” tells Linux to run the Python script in the background, so the victim won’t notice it, and the “disown” command allows the process to run independently of a console.
OK so the client is all set. Now we need to configure the server.
We are going first to create a virtual machine to host the server and run tests, and when you are ready to do your pentesting, you will need to deploy the server on the Internet.
Create a new virtual machine on your laptop, and upload vimtruder-server.py to your home directory, /home/username.
Now make sure iptables allows inbound connections to port 80. The simplest way of doing this is flushing all the iptables rules by typing “iptables -F”. (Depending on your configuration, you may need to do this every time you reboot.)
If you are using DHCP, type “ifconfig” to see what the IP address of the server virtual machine is. Now go back to the client virtual machine, and open the client with an editor: “vi vimtruder-client.py”, or use whatever editor you prefer. This is the code of vimtruder-client.py (see how simple it is?). Set the variable serverHost to the server virtual machine IP. Make sure to put it in quotation marks. Leave the serverPort at 80 (NO quotation marks). The “seconds” variable determines how long the client waits before reconnecting to the server in case it cannot find it. For pentesting purposes you can leave it at 5 (no quotation marks either). Save and quit.
Now let’s test the setup. Go to the server virtual machine, and in the /home/username directory, type “python vimtruder-server.py”. You will see the following message: “ViMtruder 1.0, Server listening on port 80”.
Switch to the client virtual machine, and type /etc/rc.local to see if our script will run properly on boot up.
If all goes well, in the server virtual machine you will see “Connection established from xxx.xxx.xxx”, with the IP of the client virtual machine. And the client virtual machine will go blank.
In the server virtual machine, at the “>>>” prompt, type an Nmap command to map IPs in the LAN. This command will be sent to the client virtual machine and executed, and the client will return the Nmap result to the server console. To exit the server, type “exit”. In the directory you will see a file called “report”, that holds all the Nmap results you do, and a file called “logdata”, which is the log. The file “buffer” stores the Nmap result temporarily, before sending it to the server.
Now go back to the client virtual machine, and do a ctrl-c. You may think that you killed the vimtruder-client.py process, but you did not; remember it’s running in the background. Go back to the server virtual machine and run python vimtruder-server.py; you’ll see that the client is still phoning home. (If you get a socket error “address already in use” it means port 80 has not finished closing yet; just give it a couple of minutes and try again.)
Go back to the client virtual machine. What command can we use to see running processes? That’s right, type “ps”. You will see the python PID; go ahead and kill it by typing “kill” and the PID.
OK now let’s see how it works with an actual reboot. Go to the server virtual machine, and make sure to exit from vimtruder-server.py by typing “exit”. Now go back to the client virtual machine, and do a reboot. Go back immediately to the server virtual machine before the client reboots, and type “python vimtruder-server.py” to start the server again, and wait for the other virtual machine to boot. If all goes well, you will soon see “Connection established from xxx.xxx.xxx.xxx”. Success!
Go ahead and log in to the client virtual machine. Open a console, and type “ps”. That’s right, the vimtruder-client.py process is not there, because we didn’t start it from this console. In fact, we didn’t start it from any console. Therefore, the only way of seeing the process is using -A (show all processes) or -x (show processes without controlling consoles). Type “ps -x | grep .py” and you will see our trojan.
Type “netstat -pan | grep python”, and you will see the established connection.
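The three checks the manual walks through by hand (the rc.local entry that starts the script with “&”, the python process that only shows up with “ps -x” because it has no controlling console, and the established connection in “netstat -pan”) are also the three things a defender would correlate when triaging a downloaded VM. The script below is an added example and not part of ViMtruder; it runs the same correlation over constructed ps, netstat and rc.local samples (the PIDs, addresses and file names are made up for illustration).

```python
"""Host triage for a background 'phone-home' script of the kind this
manual describes.  Added example, not ViMtruder code; every sample
input below is constructed for illustration."""
import re

# Constructed sample of /etc/rc.local taken from a suspect VM image.
RC_LOCAL = """#!/bin/sh
touch /var/lock/subsys/local
python /home/username/vimtruder-client.py &
disown
"""

# Constructed output in the shape of `ps -axo pid,tty,comm,args`.
PS_LINES = """  PID TT       COMMAND  COMMAND
    1 ?        init     /sbin/init
 1337 ?        python   python /home/username/vimtruder-client.py
 2001 pts/0    bash     -bash
 2044 pts/0    python   python test.py
""".splitlines()

# Constructed output in the shape of `netstat -pan` (TCP rows only).
NETSTAT_LINES = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.20:43210      203.0.113.5:80          ESTABLISHED 1337/python
tcp        0      0 192.168.1.20:22         192.168.1.10:50000      ESTABLISHED 900/sshd
""".splitlines()


def background_commands(rc_local_text):
    """Commands in rc.local that are started detached (trailing '&'),
    the persistence trick the manual uses."""
    found = []
    for line in rc_local_text.splitlines():
        line = line.strip()
        if line.endswith("&") and not line.startswith("#"):
            found.append(line[:-1].strip())
    return found


def detached_interpreters(ps_lines):
    """PID -> args for interpreter processes with no controlling terminal
    ('?'), i.e. the ones a plain `ps` from a login shell does not list."""
    pids = {}
    for line in ps_lines[1:]:            # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, tty, comm, args = parts
        if tty == "?" and comm in ("python", "python2", "python3", "perl", "sh", "bash"):
            pids[int(pid)] = args
    return pids


NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)/(\S+)")


def outbound_port80_sessions(netstat_lines):
    """PID -> remote endpoint for ESTABLISHED sessions to remote port 80."""
    sessions = {}
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and m.group(4) == "80":
            sessions[int(m.group(5))] = f"{m.group(3)}:{m.group(4)}"
    return sessions


def triage(rc_local_text, ps_lines, netstat_lines):
    """Correlate the three views: a detached interpreter that also holds
    an outbound port-80 session, plus whether rc.local launches it."""
    procs = detached_interpreters(ps_lines)
    sessions = outbound_port80_sessions(netstat_lines)
    persisted = background_commands(rc_local_text)
    hits = []
    for pid, args in procs.items():
        if pid in sessions:
            script = args.split()[-1]
            hits.append({
                "pid": pid,
                "args": args,
                "remote": sessions[pid],
                "in_rc_local": any(script in cmd for cmd in persisted),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(RC_LOCAL, PS_LINES, NETSTAT_LINES):
        print(hit)
```

Run against real hosts, the three inputs would come from `cat /etc/rc.local`, `ps -axo pid,tty,comm,args` and `netstat -pan`; the point of the correlation is that none of the three signals is suspicious on its own (detached interpreters and port-80 sessions are common), while a detached interpreter that holds a port-80 session and is launched from rc.local is worth a closer look.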
Once the setup worked using a virtual machine server, you need to set up vimtruder-server.py in a real server on the Internet, so you can show your client how you can run Nmap scans inside his network, controlling the trojan from the Internet. Now THAT should catch the attention of your client.
PENTESTING METHODOLOGY
1) Create a virtual machine and load vimtruder-client.py as indicated in the INSTALLATION section. Make sure to configure the serverHost variable inside vimtruder-client.py with the IP of the server that will host vimtruder-server.py.
2) Zip the client virtual machine, and put it in your ftp server in the Internet.
3) Set up a server on the Internet and load vimtruder-server.py. Make sure to open port 80.
4) To simulate a user downloading a virtual machine without any precaution, download the zipped client virtual machine into your client’s network. Unzip, and run using the VMware server.
5) Again simulating the actions of a user, make sure the virtual machine has access to the Internet. Remember, if you cannot bridge the virtual network adapter, you can NAT it and use the IP of the host machine.
6) Now, simulating the actions of the attacker, check your server to see if the vimtruder client made a connection. Once it does, run all sorts of Nmap scans on the target network.
7) Show your client the “report” document, with all the Nmap scans done on his network, from the Internet, right through his firewall. Make the client understand that a virtual machine trojan can be programmed to run sniffers, password crackers, and even exploit platforms. Also show “logdata”.
8) Proceed to make security recommendations and sell further consulting.
CONCLUSION
As I mentioned in the article, there is no easy countermeasure against Virtual Machine Trojans (VMTs). The main defense you should recommend your client is to control virtual machine sprawl. Vulnerability scanners (such as QualysGuard, for which I work) can help you detect both virtual machines and hosts with virtualization servers installed.
It’s important to note that ViMtruder does not create a full http tunnel; rather, it connects through port 80, but using raw TCP. Therefore if your client has a firewall that does deep packet inspection, or a proxy firewall, that actually checks for proper protocol sequences, then ViMtruder’s connection may be detected. Which is good, of course, but the next version of ViMtruder will have an http tunnel, and steganographic communication.
If you have any comments or questions, you can contact me at sergio<at>infosegura.net.
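The detection opportunity the conclusion describes is that the session uses port 80 without speaking HTTP, so a proxy firewall that expects the initiating side to send a request line and a header block will never see one. The check below is an added example, not ViMtruder code or any firewall vendor’s logic: it applies the HTTP request-line and header grammar to the first bytes sent on a port-80 session and reports why a payload fails. The two payloads are constructed; the “raw TCP” one is plain text of the kind the manual says travels over the connection, with no HTTP framing at all.

```python
"""Protocol-conformance check for data seen on a port-80 session: does it
start with a well-formed HTTP request?  Added example, not ViMtruder
code; the sample payloads are constructed."""
import re

# Methods are bytes because the payload is bytes.
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
           b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
# field-name token chars per the HTTP grammar, then ':', optional WS, value, CRLF
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")


def looks_like_http_request(payload):
    """Return (ok, reason).  ok is True only when the payload begins with
    a valid request line followed by zero or more header lines and the
    blank line that ends the header block.  A header block that simply
    ran out of bytes is reported as incomplete rather than malformed, so
    a stream inspector can wait for more data."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False, "no HTTP request line"
    if m.group(1) not in METHODS:
        return False, f"unknown method {m.group(1).decode()}"
    rest = payload[m.end():]
    while rest:
        if rest.startswith(b"\r\n"):
            return True, "request line and headers well formed"
        h = HEADER_LINE.match(rest)
        if not h:
            return False, "malformed header line"
        rest = rest[h.end():]
    return False, "header block incomplete"


def classify(payload):
    """'pass' for a well-formed request, otherwise an alert with the reason."""
    ok, reason = looks_like_http_request(payload)
    return "pass" if ok else f"alert: {reason}"


# Constructed: what a browser sends at the start of a port-80 session.
BROWSER = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: constructed-sample\r\n"
           b"\r\n")

# Constructed: plain text shipped over port 80 with no HTTP framing,
# the situation the manual describes (content made up for the example).
RAW_TCP = (b"Starting Nmap ( http://nmap.org )\n"
           b"Interesting ports on 192.168.1.1:\n")

if __name__ == "__main__":
    for name, payload in (("browser", BROWSER), ("raw-tcp", RAW_TCP)):
        print(f"{name}: {classify(payload)}")
```

A proxy firewall does essentially this before it forwards anything, which is why the manual expects such a device to catch the current version; the caveat for the defender is that the check is only as good as its strictness, so a future client that wraps its traffic in syntactically valid HTTP would pass this test and need content-level inspection instead.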