Honeypots mailing list archives

RE: Counter measures to VMware fingerprinting


From: Ryan.Barnett () atf gov
Date: Mon, 12 Jan 2004 12:38:01 -0500

Comment #1 - I applaud any effort to fingerprint/identify an application or
OS.  This type of understanding can only increase the effectiveness of
future security measures.

Comment #2 - With EMC's recent acquisition of VMware, the future validity of
classifying vmware hosts as most likely "honeypot" systems will be
decreased.  VMware is a fabulous tool for honeypot/honeynet research,
however its use in production environments looks like it will only increase.
This will help us honeypotters with blending in with our environment ;)

Most Respectfully,
Ryan C. Barnett
SANS: GCFA, GCIH, GCUX, GSEC
Department of Justice - ATF
Information Services Division
Operations Security Team Lead

-----Original Message-----
From: Kostya KORTCHINSKY [mailto:kostya.kortchinsky () renater fr]
Sent: Monday, January 12, 2004 4:27 AM
To: honeypots () securityfocus com
Subject: Counter measures to VMware fingerprinting


Hi,

Included with this mail is a patch that addresses a few of the most 
obvious ways to fingerprint locally a guest OS running under VMware.

The modifications done are:
- names of the IDE devices (HD & CDROM)
- names of the SCSI devices (HD & CDROM)
- PCI vendor and device ID of the video adapter
- I/O backdoor (feel free to modify the magic number!)

This version targets VMware Workstation for Linux version 4.0.5.

Only constants are modified (except for the SCSI CDROM where a little 
code injection was needed since vendor and revision strings are 
originally the same as for the SCSI HD), which shouldn't raise any 
security issue.

This is only an early version of the patch, and the one being developed 
has more features, including BIOS replacements. Anyway, I would like to 
have some return from experienced people regarding this, perhaps other 
things to patch, or other ways to fingerprint VMware.

I stress the fact that you should _backup_ your *vmware-vmx* binary 
before using this, and preferably your guest OS, in case things go wrong.

Regards,

Kostya KORTCHINSKY
French HoneyNet Project
http://www.frenchhoneynet.org
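An added example (not code from the post or from the French HoneyNet Project) that a honeypot operator can run inside a Linux guest to check whether the sysfs-visible markers listed above, the IDE/SCSI device vendor and model strings and the PCI vendor ID, still give the guest away after patching; it does not probe the I/O backdoor. Assumed: sysfs paths under /sys/block and /sys/bus/pci, and 0x15ad as VMware's PCI vendor ID.

```python
import glob
import os

VMWARE_PCI_VENDOR = "0x15ad"  # VMware's registered PCI vendor ID (assumed)
MARKER = "vmware"             # substring looked for in vendor/model strings

def find_markers(block_devices, pci_vendors):
    """Return (sysfs path, value) pairs that expose the guest as a VMware VM.
    block_devices: {name: {"vendor": str, "model": str}} from /sys/block/*/device/
    pci_vendors:   {pci_address: vendor_id} from /sys/bus/pci/devices/*/vendor"""
    hits = []
    for name, info in sorted(block_devices.items()):
        for field in ("vendor", "model"):
            value = info.get(field, "").strip()
            if MARKER in value.lower():
                hits.append((f"/sys/block/{name}/device/{field}", value))
    for addr, vendor in sorted(pci_vendors.items()):
        if vendor.strip().lower() == VMWARE_PCI_VENDOR:
            hits.append((f"/sys/bus/pci/devices/{addr}/vendor", vendor.strip()))
    return hits

def _read(path):
    """Read a sysfs attribute, returning "" where it does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def collect_from_sysfs():
    """Gather the same two inputs from the running Linux guest."""
    block = {os.path.basename(d): {f: _read(f"{d}/device/{f}") for f in ("vendor", "model")}
             for d in glob.glob("/sys/block/*")}
    pci = {os.path.basename(d): _read(f"{d}/vendor") for d in glob.glob("/sys/bus/pci/devices/*")}
    return block, pci

# Constructed sample input (not captured from a real guest): an unpatched
# layout with one SCSI disk, one CD-ROM and one VMware PCI device.
SAMPLE_BLOCK = {
    "sda": {"vendor": "VMware  ", "model": "VMware Virtual S"},
    "sr0": {"vendor": "VMware  ", "model": "Virtual CD-ROM  "},
}
SAMPLE_PCI = {"0000:00:0f.0": "0x15ad\n", "0000:00:01.0": "0x8086\n"}

if __name__ == "__main__":
    block, pci = collect_from_sysfs()
    for source, value in find_markers(block, pci) or [("none", "no markers found")]:
        print(f"{source}: {value}")
```

Run it before and after applying the patch: an empty result means none of the sysfs-visible markers remain, while the I/O backdoor and BIOS strings still need a separate check.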