Thursday 29 November 2007

Debugging VMware systems

The aim of this exercise is to read the virtual disk of a VMware guest from Cygwin, without booting the guest, and pull out the usernames and password hashes stored on it. We then feed the hash to John the Ripper to recover the password. The guest is Debian and the host is a Windows XP system.

Theory
=-=-=-

By examining the raw virtual disk we can find out a good deal about the guest. We are mainly looking for strings containing usernames, password hashes, package versions, service configuration and so on, most of which lives under /etc. We can also recover the basic file layout and read files that the guest itself would never let an ordinary user see, because we are reading the disk image directly rather than going through the guest's permission checks. If the disk is not encrypted the data sits on it in clear text, so simple tools like strings and grep are enough to get at restricted data.

Once we have some basic information on the file layout we can tell which operating system we are dealing with and where the specific files we want are stored.

Required Tools
=-=-=-=-=-=-=-
VMware
A Base Debian OS
Notepad
Cygwin (a Unix-like environment for Windows) or any Linux machine
John the Ripper (password cracker)

Install CYGWIN
=-=-=-=-=-=-=-
1. Download the Cygwin installer from the main website.
2. Execute setup.exe.
3. Follow the instructions, selecting all packages (at minimum you need binutils, which provides strings, and grep).

Install VMware
=-=-=-=-=-=-=-
1. Go to the VMware website and download a copy of VMware Server.
2. Install VMware Server.
3. Configure the host to give the guest 128 MB of memory if the machine only has 256 MB.

Installing a Virtual Environment
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1. Create a new virtual machine.
2. Choose a custom configuration.
3. Set the OS type to Other Linux.
4. Give the machine a name (I am using Virtual Debug).
5. Set the directory to /My documents/My virtual machines/Virtual Debug.
6. Make the machine private.
7. Run the virtual machine as a user.
8. Select how many processors you have.
9. Select the amount of memory available to the guest.
10. Select host-only networking.
11. Select an I/O adapter.
12. Create a new virtual disk.
13. Select the disk type.
14. Select the disk size; I have set it to 0.5 GB (512 MB).
15. Select the name of the disk file and where to store it.
16. Edit the settings of the machine and change the CD-ROM to boot from an ISO image.
17. Install the system following the installer's instructions.
18. Assign a root password and write it into a text file. This file will be our wordlist for John later on.

Prepare the system for debugging
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Once the guest is installed, shut it down and copy the main .vmdk file, which holds the virtual disk, to a directory of your choice. (If VMware split the disk into several files, named like drive-s001.vmdk, drive-s002.vmdk and so on, copy all of them; the small drive.vmdk descriptor file on its own holds only metadata.) Personally I copy it to c:\temp\drive.vmdk as that is easy to reach from within Cygwin, where it appears as /cygdrive/c/temp/drive.vmdk. Once you have a disk to play with, open Cygwin and add the path to your .bashrc by typing the following at the bash prompt:

echo 'export DRIVE=/cygdrive/c/temp/drive.vmdk' >> $HOME/.bashrc

Open a new bash prompt (or run: source $HOME/.bashrc) and type:

echo $DRIVE

This should print the location of the virtual disk you copied. Now you are ready for the next step.

Ripping strings off the drive
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ripping the printable strings out of the disk image and saving them to a file is easy; just type at the bash prompt:

strings $DRIVE > $HOME/strings.txt

This file contains useful information if you know where to look: by searching through it you can find a number of strings which can be used for getting into the virtual system. To search it, use grep with the pattern you are after:

grep 'pattern' $HOME/strings.txt

Searching for strings
=-=-=-=-=-=-=-=-=-=-=
With grep we can locate password hashes, service names, bits of code and directory paths, so let us look for some password hashes. Every root entry in /etc/passwd and /etc/shadow contains the field sequence :0: (the UID field in passwd, the minimum-age field in shadow), so type:

grep :0: $HOME/strings.txt

The screen will fill up with various bits of data; what we are interested in is a section of text like the following, or anything similar.

example output:
root::0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:$1$i0202sb/$lqo4ZWdu8fQ966TppSEVP1:13388:0:99999:7:::
daemon:*:13388:0:99999:7:::
bin:*:13388:0:99999:7:::
sys:*:13388:0:99999:7:::
sync:*:13388:0:99999:7:::
games:*:13388:0:99999:7:::
man:*:13388:0:99999:7:::
lp:*:13388:0:99999:7:::
mail:*:13388:0:99999:7:::
news:*:13388:0:99999:7:::

Notice that the :0: we searched for turns up in lines from both /etc/passwd (the root:x:0:0:... lines) and /etc/shadow, which is why the shadow entries for the other accounts appear as well. The same root line shows up several times because the disk also holds the backup /etc/passwd- and superseded copies that were never overwritten; the one with an empty second field most likely dates from before the password was set. The important thing is that the password hash from /etc/shadow is displayed too:

root: $1$i0202sb/$lqo4ZWdu8fQ966TppSEVP1 :13388:0:99999:7:::

The string between root: and :13388 is what we are after. It is an MD5-crypt hash: the $1$ prefix gives the algorithm, i0202sb/ is the salt and the rest is the hash itself. Note that a hash cannot be decrypted; what the cracker does is hash each candidate from the wordlist with the same salt and report the one that produces the same string. Save the whole shadow line to a file, feed it to John along with the wordlist from step 18, and you have the root password of the system in clear text.
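The following is an added example (my own code, not from the original post and not John itself) showing in miniature what John does with that line. It pulls every $1$ entry out of a strings dump and tries a wordlist against each, using a pure-Python MD5-crypt routine so it runs without john or crypt(3). The dump is constructed for the example: it contains the root line shown above plus a made-up "audit" account whose hash is computed from a known password, so the crack can be seen to succeed. The plaintext behind the page's real root hash is not known, so it is only recovered if the wordlist happens to contain it.

```python
"""Miniature wordlist attack on $1$ (MD5-crypt) hashes pulled from a strings dump."""
import hashlib
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """crypt(3)-style base64: n characters, least-significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: bytes, salt: str) -> str:
    """MD5-crypt as in Poul-Henning Kamp's original (FreeBSD/glibc); salt is at most 8 chars."""
    salt_b = salt[:8].encode()
    ctx = hashlib.md5(password + b"$1$" + salt_b)
    alt = hashlib.md5(password + salt_b + password).digest()
    remaining = len(password)          # mix in one byte of alt per byte of password
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    i = len(password)                  # walk the bits of len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # the 1000-round stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + out


# Shadow-style line whose second field is an MD5-crypt hash.
SHADOW_RE = re.compile(
    r"^([a-z_][a-z0-9_-]*):(\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}):", re.M)


def extract_md5crypt_entries(dump: str) -> dict:
    """Return {user: '$1$salt$hash'} for every shadow-style line found in a strings dump."""
    return {m.group(1): m.group(2) for m in SHADOW_RE.finditer(dump)}


def crack(entries: dict, wordlist: list) -> dict:
    """Wordlist attack: {user: password} for every hash some candidate reproduces."""
    found = {}
    for user, h in entries.items():
        salt = h.split("$")[2]
        for candidate in wordlist:
            if md5crypt(candidate.encode(), salt) == h:
                found[user] = candidate
                break
    return found


# Constructed sample data (not from a real disk): the root line is the one on this
# page; "audit" is a made-up account whose hash we compute here from a known password.
AUDIT_PASSWORD = "Tr0ub4dor"
AUDIT_HASH = md5crypt(AUDIT_PASSWORD.encode(), "8DH3xkQz")
SAMPLE_DUMP = f"""\
/lib/ld-linux.so.2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
root:$1$i0202sb/$lqo4ZWdu8fQ966TppSEVP1:13388:0:99999:7:::
daemon:*:13388:0:99999:7:::
audit:{AUDIT_HASH}:13388:0:99999:7:::
ELF@1
"""
# Constructed wordlist standing in for the text file written in step 18.
WORDLIST = ["password", "debian", "root", AUDIT_PASSWORD, "toor"]

if __name__ == "__main__":
    entries = extract_md5crypt_entries(SAMPLE_DUMP)
    for user, h in entries.items():
        print(f"{user}: {h}")
    for user, pw in crack(entries, WORDLIST).items():
        print(f"cracked {user}: {pw}")
```

With the real tool the equivalent step is to put the shadow line into a file (hash.txt) and run john --wordlist=wordlist.txt hash.txt; John does the same salt-and-hash comparison, only far faster and with its mangling rules on top.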

Summary
=-=-=-=

As you can see, a virtual disk is open to this kind of attack because the guest's data is stored in the image in plain text: anyone who can read the .vmdk file can read every file on the guest, whatever the permissions inside it say. The first step towards securing it is to create the machine under your own account and keep it in a directory that only you have access to. Beyond that, encrypting the image (or the guest's own filesystems) keeps it out of reach both of other accounts on the host and of anyone who boots the host from a rescue disk to get at your files.
