How can the host environment (not just the OS) be identified from a running guest VM? The goal is to determine what the underlying host and virtualization stacks being used actually are, i.e. whether there's a VMware, Cisco, OpenStack or other IaaS solution powering it.

I already know of imvirt and virt-what but they don't provide a lot more info than the basic type of virtualization used, like KVM, Xen, etc.

How can I dig a level deeper and find out more specifics about the underlying stack and products being used? Are there any known reliable fingerprinting approaches?

  • MAC address lookups don't seem to work.
  • Searching for hardware vendor names in the output of dmidecode seems unreliable, as these names are often customized and branded by the company running the infrastructure.

How reliable are lspci results like the following?

00:02.0 VGA compatible controller: VMware SVGA II Adapter
00:03.0 Ethernet controller: Red Hat, Inc Virtio network device
00:04.0 SCSI storage controller: Red Hat, Inc Virtio block device

Does this mean that VMWare on Red Hat is used? Or does it mean nothing at all as these virtual devices can be used by anyone?

Thanks

PS: There is a related question here but quite old (from 08) and not quite the same: https://stackoverflow.com/questions/154163/detect-virtualized-os-from-an-application

binaryanomaly

1 Answer


About trying to identify the virtualization stack: a KVM host can be identified by issuing a combination of commands like these: dmesg | grep KVM and lscpu | grep Hypervisor (the latter should return "Hypervisor vendor: KVM").

You can even try to fingerprint the host with nmap with the OS detection option (nmap -O host_to_check_ip); it can give you some information about the MAC address.

I think the same can be done to try to identify VMware hosts and other kinds of hypervisors too.

shardan
  • Please read my post again. – binaryanomaly May 08 '14 at 05:47
  • Ok, sorry if my post before was unclear. As in the discussion you posted from 2008, the answer is: there are no reliable fingerprinting ways to determine the underlying stack (unless you exploit some vulns on the hypervisor for a guest-to-host virtual machine escape). There are only some methods you can try to use together to get the "big picture". For example: from the lspci output you posted, I would try to get more details using the Metasploit module auxiliary/scanner/vmware/esx_fingerprint to see if the host is running on VMware, but as said before it's not 100% accurate. – shardan May 08 '14 at 11:00
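Added example (not code from the question or the answer above): a small guest-side fingerprinter that combines the three signal sources discussed on this page (lspci device names, the CPUID hypervisor leaf as reported by lscpu, and dmidecode strings) and weights them by how hard each is to rebrand. The sample input is constructed: the lspci lines are the ones from the question, the lscpu and dmidecode lines are made up. It illustrates why the question's lspci output does not mean "VMware on Red Hat": the "Red Hat, Inc" string on Virtio devices is simply PCI vendor ID 0x1af4 and says nothing about the host OS, and QEMU can emulate a "VMware SVGA II" adapter (-vga vmware), so taken together those lines point at QEMU/KVM rather than ESXi.

```python
import re

# Constructed sample outputs: lspci lines from the question, the rest made up.
SAMPLE_LSPCI = """\
00:02.0 VGA compatible controller: VMware SVGA II Adapter
00:03.0 Ethernet controller: Red Hat, Inc Virtio network device
00:04.0 SCSI storage controller: Red Hat, Inc Virtio block device
"""
SAMPLE_LSCPU = """\
Architecture:          x86_64
Hypervisor vendor:     KVM
Virtualization type:   full
"""
SAMPLE_DMI = """\
System Information
\tManufacturer: Example Cloud Ltd
\tProduct Name: Standard PC (i440FX + PIIX, 1996)
"""

# CPUID hypervisor vendor names as printed by lscpu, mapped to a stack label.
HYPERVISOR_VENDOR = {"KVM": "QEMU/KVM", "VMware": "VMware", "Xen": "Xen", "Microsoft": "Hyper-V"}

# (substring of the lspci device name, stack it points to, weight, caveat)
PCI_SIGNALS = [
    ("Virtio", "QEMU/KVM", 2, "virtio device; 'Red Hat, Inc' is PCI vendor 0x1af4, not the host OS"),
    ("VMware SVGA II", "VMware", 1, "also QEMU's emulated VGA (-vga vmware), so weak on its own"),
    ("VMware VMXNET3", "VMware", 2, "vmxnet3 paravirtual NIC"),
    ("VMware PVSCSI", "VMware", 2, "paravirtual SCSI controller"),
    ("Xen Platform Device", "Xen", 2, "Xen PV platform device"),
]

# Default DMI strings; providers frequently overwrite these, hence the low weight.
DMI_SIGNALS = [
    ("QEMU", "QEMU/KVM"),
    ("Standard PC (", "QEMU/KVM"),
    ("VMware Virtual Platform", "VMware"),
    ("HVM domU", "Xen"),
]


def parse_lscpu(text):
    """Return the stack label for the 'Hypervisor vendor:' line, or None."""
    m = re.search(r"^Hypervisor vendor:\s*(\S+)", text, re.M)
    return HYPERVISOR_VENDOR.get(m.group(1), m.group(1)) if m else None


def parse_dmi(text):
    """Extract Manufacturer / Product Name from dmidecode-style output."""
    return dict(re.findall(r"^\s*(Manufacturer|Product Name):\s*(.+?)\s*$", text, re.M))


def fingerprint(lspci, lscpu, dmi):
    """Score candidate stacks; returns (best_guess, scores, evidence list)."""
    scores, evidence = {}, []

    def add(stack, weight, why):
        scores[stack] = scores.get(stack, 0) + weight
        evidence.append((stack, weight, why))

    for line in lspci.splitlines():
        for needle, stack, weight, note in PCI_SIGNALS:
            if needle in line:
                add(stack, weight, f"lspci '{line.split(': ', 1)[1]}': {note}")

    hv = parse_lscpu(lscpu)
    if hv:
        # The CPUID leaf is set by the hypervisor itself and is rarely rebranded,
        # but it only names the hypervisor family, not the IaaS product on top.
        add(hv, 3, "CPUID hypervisor vendor reported by lscpu")

    for value in parse_dmi(dmi).values():
        for needle, stack in DMI_SIGNALS:
            if needle in value:
                add(stack, 1, f"dmidecode '{value}': default string, often rebranded")

    best = max(scores, key=scores.get) if scores else None
    return best, scores, evidence


if __name__ == "__main__":
    best, scores, evidence = fingerprint(SAMPLE_LSPCI, SAMPLE_LSCPU, SAMPLE_DMI)
    for stack, weight, why in evidence:
        print(f"+{weight} {stack:9} {why}")
    print("scores:", scores, "-> best guess:", best)
```

Even with every signal agreeing, the result is only the hypervisor family (KVM, Xen, ESXi); nothing in the guest distinguishes, say, OpenStack from oVirt on the same KVM host, which is the limitation the comments above describe.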