
Can you stealth a VM?

(Originally posted in SANS Cloud Security Blog)

This topic comes up from time to time, and I had someone ask me about it the other day, so I figured it was worthy of a blog post.

I’ve seen a lot of discussions revolving around whether you can hide the fact that an operating system is running within a VM as opposed to running directly on hardware. Most of the discussions revolve around interaction with interrupts and memory addresses. In other words, most of the tricks I’ve seen assume the person doing the probing has shell access to the system.

To be honest, it's even easier than that. If you know your way around TCP/IP communications, there are subtle clues you can leverage that can reveal the OS is running in a virtualized environment with nothing more than a TCP three-packet handshake. This means that if you know what you are doing, even Web servers can be properly identified.

For example, in this trace we have an Ubuntu server running directly on hardware:

[root@fubar ~]# tshark -n -T fields -e ip.src -e tcp.window_size -e tcp.options.wscale_val
Capturing on eth0
192.168.100.4 5792 5
192.168.100.4 245
192.168.100.4 336
192.168.100.4 426
192.168.100.4 517
192.168.100.4 607
192.168.100.4 698

And here is the exact same OS running as a virtual machine via VMware:

[root@fubar ~]# tshark -n -T fields -e ip.src -e tcp.window_size -e tcp.options.wscale_val
Capturing on eth0
192.168.100.7 5792 4
192.168.100.7 490
192.168.100.7 671
192.168.100.7 852
192.168.100.7 1033
192.168.100.7 1214
192.168.100.7 1395

A couple of points worth noting:

  • The VM deployment starts off negotiating a smaller window scale size (4 rather than 5)
  • This results in the VM deployment negotiating a larger window size value at a faster rate
  • The hardware deployment consistently negotiates a larger overall window size (when you combine the window size value with the window scale) than the VM deployment
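
The arithmetic behind the third bullet, as an added example that is not part of the original post: it parses the field rows from the two traces above and combines each window value with the negotiated scale (window << wscale). It assumes the window column is the raw header value, as in these traces, and that the row carrying a scale value is the handshake segment; the function name is illustrative.

```python
# Added example: effective TCP windows from `tshark -T fields` rows.
# Rows are copied from the two traces in the post: ip.src, window, wscale.
TRACE = """\
Capturing on eth0
192.168.100.4 5792 5
192.168.100.4 245
192.168.100.4 336
192.168.100.4 426
192.168.100.4 517
192.168.100.4 607
192.168.100.4 698
192.168.100.7 5792 4
192.168.100.7 490
192.168.100.7 671
192.168.100.7 852
192.168.100.7 1033
192.168.100.7 1214
192.168.100.7 1395
"""


def effective_windows(text):
    """Return {src_ip: {"wscale", "syn_window", "windows"}} in bytes."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        # Keep only "<ip> <window> [<wscale>]" rows; skip prompts and banners.
        if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts[1:]):
            continue
        ip, window = parts[0], int(parts[1])
        if len(parts) == 3:
            # Handshake segment: carries the scale option; its own window
            # field is not scaled (RFC 7323).
            hosts[ip] = {"wscale": int(parts[2]), "syn_window": window, "windows": []}
        elif ip in hosts:
            # Later segments advertise window << wscale bytes.
            hosts[ip]["windows"].append(window << hosts[ip]["wscale"])
        # Rows for a host whose handshake was not captured are ignored:
        # without the scale factor the raw value cannot be interpreted.
    return hosts


if __name__ == "__main__":
    for ip, info in effective_windows(TRACE).items():
        print(ip, "wscale", info["wscale"], "->", info["windows"])
```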

So no shell access required, just create a connection with any TCP port, launch your sniffer of choice, and it's pretty easy to ID an OS running within a virtual machine. Uber brownie points if you can figure out the hypervisor it's running on as well. 😉

So what’s the takeaway? Don’t bother trying to focus on obscurity when it comes to VM deployments. Rely on core security techniques, like the ones we discuss here.

HTH,

Chris
