Penetration Testing mailing list archives

Re: VMWare and which linux distro?
From: "Roger A. Grimes" <rogerg () cox net>
Date: Sun, 18 Jan 2004 19:49:56 -0700


I don't know if this is a solution for you, but I do a lot of honeypot work
and I've seen similar packet manipulation problems when running virtual
environments.  I use Honeyd (a virtual honeypot) system a fair amount, and
its author requires that it have its own, unique IP network address space so
that the host OS doesn't "accidentally adjust" the virtual host's packets on
the lower levels when passing traffic to and from the virtual environment.
Although I'm purely guessing, maybe try setting up the VMWare session with
its own IP subnet and IP address, and set up static routes on the
workstation (i.e. route add -p ....) to point to the new virtual IP address
space.  For example, if you put the VMWare on its own virtual IP subnet
(say and your host IP is, here's the static
route command to add to the host PC:

route add -p mask

which is route add -p destnetwork mask subnetmask gatewayaddress

It might be worth a quick try to see if it helps.


*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE:Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*Author of upcoming Honeypots for Windows (Apress)

----- Original Message ----- 
From: "Pete Herzog" <pete () isecom org>
To: <pen-test () securityfocus com>
Sent: Friday, January 16, 2004 5:17 PM
Subject: RE: VMWare and which linux distro?


In our testing lab, we have seen some problems with the sending and
receiving of various types of TCP / UDP packets from within a Virtual
Machine as part of an attack system.  Now this won't affect all security
tests but it has become a problem in the scalpel-like precision required in
certain tests where we are looking for certain packets within a given time
frame.  Source and Destination ports, for instance, come to mind as an
example of the corruption occurring with tests.  Our suspicion is a
corruption which occurs in the binding with the ethernet card and
of OS or whether the VM has its own external IP address or not, it still
occurs enough that we had to stop using a VM to make tests from.

We have not done any further tests on this.  Has anyone else seen this
problem though?  Anyone have more information on this?


Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
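The port-corruption symptom described above is easiest to pin down by diffing what the VM-hosted attack box was scripted to send against a capture taken outside the VM (on the host's physical adapter or a span port). The following is an added example written for this archive page, not code from either poster or from ISECOM; the pcap it parses is constructed inside the block, and the 0.5 s matching window is an assumed tolerance you would tune to the test.

```python
"""Added example (not from the thread): compare the probes an attack box
inside a VM was scripted to send with what a capture taken outside the VM
actually shows, to detect rewritten ports or packets that never made it
out within the expected time frame. Assumes classic pcap, Ethernet/IPv4."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: float        # seconds since the epoch
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


def parse_pcap(data: bytes) -> list[Probe]:
    """Extract (timestamp, proto, ports) for every TCP/UDP-over-IPv4 frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    probes, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                        # not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4    # Ethernet header + IHL
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        if proto is None or len(frame) < l4 + 4:
            continue
        sport, dport = struct.unpack_from("!HH", frame, l4)
        probes.append(Probe(sec + usec / 1e6, proto, sport, dport))
    return probes


def check_probes(expected, observed, window=0.5):
    """Match each expected probe to one observed packet with the same proto
    and ports within +/- window seconds (window is an assumed tolerance).
    Returns (matched pairs, expected-but-missing, observed-but-unexpected)."""
    pool = list(observed)
    matched, missing = [], []
    for e in expected:
        hit = next((o for o in pool if o.proto == e.proto
                    and o.src_port == e.src_port and o.dst_port == e.dst_port
                    and abs(o.ts - e.ts) <= window), None)
        if hit is None:
            missing.append(e)
        else:
            matched.append((e, hit))
            pool.remove(hit)
    return matched, missing, pool


# --- constructed sample capture (not a real trace) -----------------------
def _frame(proto, sport, dport):
    if proto == "udp":
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:   # minimal 20-byte TCP header, SYN flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     {"udp": 17, "tcp": 6}[proto], 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 99]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4


def build_sample_pcap(records):
    """Write a little-endian classic pcap (linktype 1) from (ts, proto, sport, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, proto, sport, dport in records:
        frame = _frame(proto, sport, dport)
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame))
        out += frame
    return out


def run_demo():
    expected = [Probe(1000.0, "udp", 40000, 53),
                Probe(1000.1, "udp", 40001, 161),
                Probe(1000.2, "tcp", 40002, 80)]
    # What the wire saw (constructed): the second probe's source port was
    # rewritten, and the third probe left the VM 1.3 s late.
    capture = build_sample_pcap([(1000.0, "udp", 40000, 53),
                                 (1000.1, "udp", 1025, 161),
                                 (1001.5, "tcp", 40002, 80)])
    return check_probes(expected, parse_pcap(capture))


if __name__ == "__main__":
    matched, missing, strays = run_demo()
    print(f"{len(matched)} ok, {len(missing)} missing/altered, {len(strays)} unexpected")
    for p in missing:
        print("  missing:", p)
    for p in strays:
        print("  unexpected:", p)
```

In practice the expected list comes from the attack tool's own log and the capture from tcpdump on the host or a tap, so the comparison isolates the virtual network layer: a probe that shows up with a different port is a rewrite, one that shows up only outside the window is delay, and one absent from both lists never left the VM.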


