
Nmap Development: Vmware Servers and Hosts

Vmware Servers and Hosts

From: Robert Slater <robert_at_synapticsolutions.com.au>
Date: Tue, 27 Mar 2007 22:26:51 +1000

This is a quick hello before I descend into lurk mode.
I have been using nmap for many years; it's one of those tools that are
immediately updated on new systems.

One of the things that is pretty high on my priority list is Windows
OS and Service detection.
Using a combination of smb and nmap you can suck lots of information
about an unknown network.

I have scanned a couple of the networks from their internal interface.
Interesting results, mainly because I use VMware virtual machines.
Example:
####################################
PORT   STATE SERVICE      VERSION
53/tcp open  domain       Microsoft DNS
88/tcp open  kerberos-sec Microsoft Windows kerberos-sec
<CUT>
MAC Address: 00:0C:29:02:B9:8B (VMware)
No exact OS matches for host (If you know what OS is running on it, see
http://insecure.org/nmap/submit/ ).
Network Distance: 1 hop
Service Info: OS: Windows
########################################
I have submitted this as an unidentified OS, so I have cut the
fingerprint and a few of the expected services that were detected correctly.
This next one is the same physical machine.
######################################
MAC Address: 00:16:76:9D:E1:21 (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 47.791 days (since Thu Feb 8 03:43:33 2007)
Network Distance: 1 hop
Service Info: OS: Linux
####################################

Here is another machine running SME 7 server on CentOS 4.3 base
#######################################
MAC Address: 00:0C:29:73:F3:C4 (VMware)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.18 - 2.6.4 (x86)
#######################################

The interesting thing about VMware servers is that they **always** seem
to have the fact that it is VMware in the <virtual> MAC address.
Is this just a fluke on 5 virtual machines, or can someone verify this?

The physical machine appears quite a few times within nmap, especially
if each VMware server has its own interface.

If VMware Server is installed with the console, you always seem to get
#####
902/tcp open ssl/vmware-auth VMware GSX Authentication Daemon x.xx
#####
on the VMware host

So from this, is it safe to conclude that:
A] If a machine has 902/tcp open then it is a VMware host.
B] If the scanned machine has a VMware MAC address then the machine is
virtual.

If this is the case, then is there any way of linking A to B,
so we can know which virtual machine(s) live on which host(s)?

regards
Robert Slater

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Mar 27 2007
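The two heuristics in the post (a VMware OUI in the MAC address for a guest, 902/tcp running vmware-auth for a host) are easy to apply over Nmap's normal output. The script below is an added example written for this archive page; it is not Nmap code and not the poster's. The sample scan text is constructed to look like the output quoted above. Of the OUIs in the prefix set, 00:0C:29 comes from the post; 00:05:69, 00:1C:14 and 00:50:56 are the other VMware prefixes in the IEEE OUI registry and are an assumption you should refresh from the registry (or Nmap's own nmap-mac-prefixes file) before relying on them. Note that Nmap only reports a MAC address when the target is on the scanner's own segment (the "Network Distance: 1 hop" cases in the post), so the guest heuristic says nothing about hosts further away, and a VM's MAC can be overridden in its configuration.

```python
"""Flag likely VMware guests and hosts from Nmap normal (-oN) output.

Added example for the seclists post above; not Nmap's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# VMware OUIs (first three octets of the MAC).  00:0C:29 appears in the post;
# the rest are the VMware prefixes in the IEEE OUI registry (assumption:
# refresh from the registry or nmap-mac-prefixes before relying on them).
VMWARE_OUIS = {"00:05:69", "00:0C:29", "00:1C:14", "00:50:56"}
VMWARE_AUTH_PORT = 902   # vmware-auth, as seen on the host in the post

# Target line in either the older ("Interesting ports on X:") or newer
# ("Nmap scan report for X") normal-output style.
TARGET_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (.+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
DIST_RE = re.compile(r"^Network Distance: (\d+) hops?$")


@dataclass
class Host:
    addr: str
    mac: Optional[str] = None
    mac_vendor: Optional[str] = None
    distance: Optional[int] = None
    open_ports: Dict[int, str] = field(default_factory=dict)  # port -> "service version"

    @property
    def vmware_mac(self) -> bool:
        """Heuristic B from the post: VMware OUI in the reported MAC."""
        return self.mac is not None and self.mac.upper()[:8] in VMWARE_OUIS

    @property
    def vmware_auth(self) -> bool:
        """Heuristic A from the post: 902/tcp open with a vmware service."""
        return "vmware" in self.open_ports.get(VMWARE_AUTH_PORT, "").lower()

    @property
    def role(self) -> str:
        # Both flags can be true at once (a VM that itself runs VMware Server),
        # so report them independently rather than as one exclusive class.
        if self.vmware_mac and self.vmware_auth:
            return "guest+host"
        if self.vmware_mac:
            return "guest"
        if self.vmware_auth:
            return "host"
        if self.mac is None:
            return "unknown (no MAC reported: target not on the scanner's segment)"
        return "physical"


def parse_nmap_normal(text: str) -> List[Host]:
    """Parse -oN output into Host records (open TCP ports, MAC, distance)."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            current = Host(addr=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            current.open_ports[int(m.group(1))] = (m.group(4) + " " + (m.group(5) or "")).strip()
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac, current.mac_vendor = m.group(1).upper(), m.group(2)
            continue
        m = DIST_RE.match(line)
        if m:
            current.distance = int(m.group(1))
    return hosts


def summarize(text: str) -> Dict[str, str]:
    """Map each scanned address to its VMware role string."""
    return {h.addr: h.role for h in parse_nmap_normal(text)}


# Constructed sample modelled on the output quoted in the post; not a real scan.
SAMPLE = """\
Nmap scan report for 192.168.1.10
PORT   STATE SERVICE      VERSION
53/tcp open  domain       Microsoft DNS
88/tcp open  kerberos-sec Microsoft Windows kerberos-sec
MAC Address: 00:0C:29:02:B9:8B (VMware)
Network Distance: 1 hop

Interesting ports on 192.168.1.2:
PORT    STATE SERVICE         VERSION
22/tcp  open  ssh             OpenSSH 3.9p1
902/tcp open  ssl/vmware-auth VMware GSX Authentication Daemon 1.10
MAC Address: 00:16:76:9D:E1:21 (Intel)
Network Distance: 1 hop

Nmap scan report for 10.0.0.5
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
Network Distance: 3 hops
"""

if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE):
        print(f"{h.addr:15} {h.mac or '-':17} {h.mac_vendor or '-':8} {h.role}")
```

Run it against a real `nmap -sV -O -oN scan.txt` file by replacing SAMPLE with the file's contents. The output only flags guests and hosts independently; nothing in a scan like this links a guest to the host it runs on, which is the open question at the end of the post.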
