Hacking Virtual Machines: Sniffing Guest Traffic with Wireshark
Thanks to Bozidar Spirovski’s article on Infosecisland for the heads up on this. I have always been concerned with virtual machine security. One place I worked at had thousands of virtual machines. My concern was always – if a guest OS was compromised, could the attacker reach the other guests or, worse, the host?
I read the other day in “Protect Your Windows Network: From Perimeter to Data” (excellent book, by the way) that most virtual machine network interfaces act more like an old-style hub (which repeats all traffic to every port) than a switch (which forwards a frame only to its destination port). In essence, if you can compromise a guest OS and put its network card in promiscuous mode, you can view the traffic of every virtual machine sharing the physical NIC.
Well, the video above is a sample of this in action. A guest OS is compromised and Wireshark is installed on it. With Wireshark running, they capture simulated traffic from another guest OS that includes user names, bank accounts and passwords.
The book “Protect Your Windows Network: From Perimeter to Data” was written 5 years ago! The video was made last month…
I’ll look into this some more, but it is insane if this is still possible. By the way, the video author claims this works in VMware and Microsoft’s Hyper-V.
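The sniffing in the video depends on a guest NIC being flipped into promiscuous mode, and that is something a defender can watch for from inside the guest. The script below is an added example, not code from the post or the video; it assumes a Linux guest, where the kernel exposes each interface's flag word at /sys/class/net/<iface>/flags and IFF_PROMISC is bit 0x100.

```sh
#!/bin/sh
# Added example (not from the original post): flag any guest interface that
# has been put into promiscuous mode, the precondition for sniffing other
# guests' traffic on a hub-like virtual switch.
# Assumes Linux sysfs: /sys/class/net/<iface>/flags holds a 0x-prefixed hex
# flag word, and IFF_PROMISC is 0x100 (from <linux/if.h>).

IFF_PROMISC=256   # 0x100

# is_promisc FLAGS : succeed when the promiscuous bit is set in FLAGS.
# FLAGS may be decimal or 0x-prefixed hex, exactly as read from sysfs.
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# check_iface IFACE : print an alert and succeed if IFACE is promiscuous;
# return 1 if it is not, 2 if the sysfs entry cannot be read.
check_iface() {
    flags_file="/sys/class/net/$1/flags"
    [ -r "$flags_file" ] || return 2
    flags=$(cat "$flags_file")
    if is_promisc "$flags"; then
        echo "ALERT: $1 is in promiscuous mode (flags=$flags)"
        return 0
    fi
    return 1
}

# scan_all : check every interface except loopback; succeed only if none is
# promiscuous, so the script can be used as a cron or monitoring check.
scan_all() {
    hits=0
    for dir in /sys/class/net/*; do
        iface=$(basename "$dir")
        [ "$iface" = "lo" ] && continue
        check_iface "$iface" && hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# When run as promisc_check.sh, show a constructed flag word first
# (0x1103 = UP|BROADCAST|PROMISC|MULTICAST), then scan the real interfaces.
case "$0" in
    *promisc_check.sh)
        is_promisc 0x1103 && echo "constructed sample 0x1103: promiscuous"
        scan_all
        ;;
esac
```

The same condition is visible in `ip link` output as the PROMISC flag; at the host level, ESXi exposes the matching control as the vSwitch security policy, where Promiscuous Mode set to Reject (the default) stops a guest from receiving frames not addressed to it.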