Hacking Virtual Machines: Sniffing Guest Traffic with Wireshark

Thanks to Bozidar Spirovski’s article on Infosecisland for the heads up on this. I have always been concerned with virtual machine security. One place I worked at had thousands of virtual machines. My concern was always – if a guest OS was compromised, could the attacker reach the other guests or, worse, the host?

I read the other day in “Protect Your Windows Network: From Perimeter to Data” (excellent book, by the way) that most virtual machine network interfaces act more like an old-style hub (which repeats every frame to every port) than a switch (which forwards a frame only to its destination port). In essence, if you can compromise a guest OS and put its network card in promiscuous mode, you can view the traffic of every virtual machine sharing that physical NIC.

Well, the video above is a sample of this in action. A guest OS is compromised and Wireshark is installed on it. With it running, the attacker captures simulated traffic from another guest OS that includes user names, bank account numbers and passwords.

The book “Protect Your Windows Network: From Perimeter to Data” was written 5 years ago! The video was made last month…

I’ll look into this some more, but it is insane if this is still possible. By the way, the video author claims this works in VMware and Microsoft’s Hyper-V.


4 thoughts on “Hacking Virtual Machines: Sniffing Guest Traffic with Wireshark”

  1. Silly me, I just realized that if you have a virtual test network lab, like I have, you have probably compromised a virtual machine numerous times. But, this has jogged some memories.

    About a year ago, I played with Ettercap a bit. Doing some research I found several new things that you can do to a virtual machine with Ettercap that I hadn’t seen before.

    I will be doing a few posts showing some of Ettercap’s features. Stay tuned!
