Hi all,
I'm facing an unusual demand from one of my clients: I know the IP of a VM guest and I need to identify the IP address of the host it is running on.
Context: someone is running unauthorized network scans against our servers from within a VM (identified as VMware by the MAC address) on the LAN.
As the VM IP is in the DHCP range, the guy must be running VMware from his desktop.
I have already thought of checking the desktops with local admin rights, but this is no good.
It does not take more than 3 minutes to erase the local admin password, log in as admin, give yourself the admin rights, install VMware and drop the admin rights...
Reverse DNS is also not helpful, as it just gives 'localhost'.
Any idea how to do this?
Thanks
That is not possible. Security doesn't allow identifying a host by knowing the guest IP.
But if you can scan the host disks, look for the MAC address of the guest. It is written in a text file on the host. Search all *.vmx files.
AWo
VCP 3 & 4
Author @ vmwire.net
\[:o]===\[o:]
=Would you like to have this posting as a ringtone on your cell phone?=
=Send "Posting" to 911 for only $999999,99!=
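The "search all *.vmx files for the guest MAC" approach from the reply above, as an added worked example that is not part of the original thread. A .vmx file is plain `key = "value"` text, and VMware stores a NIC's MAC under `ethernetN.generatedAddress` (auto-generated) or `ethernetN.address` (static); the script walks a directory tree (assumed to be a host's disk reached via an admin share or a mounted image), matches those keys against the target MAC in any common notation, and reports the file and NIC. The sample .vmx files and directory layout are constructed inline so it runs offline.

```python
"""Find the .vmx file whose NIC MAC matches a known guest MAC (added example)."""
import os
import re
import tempfile

# A NIC's MAC in a .vmx file: ethernet0.generatedAddress = "00:0c:29:..." or
# ethernet0.address = "...". The '\s*=' keeps "ethernet0.addressType" from matching.
MAC_KEY_RE = re.compile(
    r'^\s*(ethernet\d+)\.(generatedAddress|address)\s*=\s*"([^"]*)"',
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts 00:0c:29-, 00-0C-29- and 000c.29 notations."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def macs_in_vmx(path):
    """Return [(nic_name, mac)] declared in one .vmx file, skipping malformed values."""
    found = []
    with open(path, 'r', encoding='utf-8', errors='replace') as fh:
        for line in fh:
            m = MAC_KEY_RE.match(line)
            if m:
                try:
                    found.append((m.group(1).lower(), normalize_mac(m.group(3))))
                except ValueError:
                    pass
    return found


def find_vmx_by_mac(root, target_mac):
    """Walk root for *.vmx files; return [(path, nic_name)] whose MAC equals target_mac."""
    target = normalize_mac(target_mac)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.vmx'):
                continue
            path = os.path.join(dirpath, name)
            try:
                for nic, mac in macs_in_vmx(path):
                    if mac == target:
                        hits.append((path, nic))
            except OSError:
                continue  # unreadable file: skip it and keep scanning
    return hits


# Constructed sample tree: two VMs plus a non-.vmx file that mentions the same MAC.
SAMPLE_FILES = {
    "Virtual Machines/centos-scanner/centos-scanner.vmx": (
        '.encoding = "UTF-8"\n'
        'displayName = "centos-scanner"\n'
        'ethernet0.present = "TRUE"\n'
        'ethernet0.connectionType = "bridged"\n'
        'ethernet0.addressType = "generated"\n'
        'ethernet0.generatedAddress = "00:0C:29:AB:CD:EF"\n'
    ),
    "Virtual Machines/win7-test/win7-test.vmx": (
        'displayName = "win7-test"\n'
        'ethernet0.present = "TRUE"\n'
        'ethernet0.addressType = "static"\n'
        'ethernet0.address = "00:50:56:11:22:33"\n'
    ),
    "notes/readme.txt": "not a vmx file, but mentions 00:0c:29:ab:cd:ef\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="vmx-scan-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


def demo(target_mac="00-0C-29-AB-CD-EF"):
    """Scan the constructed tree; return [(path relative to root, nic_name)]."""
    root = build_sample_tree()
    return [(os.path.relpath(p, root), nic) for p, nic in find_vmx_by_mac(root, target_mac)]


if __name__ == "__main__":
    for rel, nic in demo():
        print("match: %s (%s)" % (rel, nic))
```

Point the walk at each workstation's share (or the mounted image of its disk); anything that stores a VM elsewhere, such as a removable drive that is only plugged in during the scans, will not be on disk when you look, which is the limitation raised later in the thread.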
Well, I know it is not possible to identify the host ip from within the guest, but my case is slightly different, as I do not have any control on the guest.
All I know is the addresses (IP and MAC) and that it is a CentOS machine.
I could scan the disks of the hundreds of workstations on the LAN for the vmx files and then check all the vmxes for the VM MAC, but this would take ages...
When that guy starts a scan, I need to stop him in a matter of minutes, before he gets the production servers down...
I could start a PC with the same IP as him and hope this would stop him, but he would know he is being tracked and could just stop scanning, which would prevent my client from identifying that guy...
Any clue?
Well, I know it is not possible to identify the host ip from within the guest,
Well, I didn't write that. But your thread reads: "Re: How to find the host IP from the guest IP ?" and I wrote that this is not possible.
I didn't write that you have to try what's not possible from the guest.
I could scan the disks of the hundreds workstations on the LAN for the vmx files and then check all the vmxes for the VM mac, but this would take ages...
O.K., I can't change that...
Either hack it back if you have the IP or go for the MAC. That's the only thing you got. But you might be able to narrow down all that to a network segment and finally to a switch port by looking at the switch MAC tables.
really tricky
if this guy is clever the host he uses does not have an IP at all
also scanning for vmx-files would not help with a clever attacker as he may use a VM stored on a USB-stick and only plug it in when he runs his scans
___________________________________
VMX-parameters- WS FAQ -[ MOAcd|http://sanbarrow.com/moa241.html] - VMDK-Handbook
Only chance is to use the switches, he can't hide the MAC....
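The "go for the MAC, then the switch MAC tables" track from the two replies above, as an added worked example that is not part of the original thread. It checks a MAC against the OUIs registered to VMware (the same check that identified the guest as VMware in the first post), parses the output of Cisco IOS `show mac address-table` (constructed sample data below; other vendors' formats differ), finds the port the guest MAC was learned on, and lists the other MACs on that port. The `UPLINK_MIN_OTHER_MACS` threshold is an assumption of this example: a port carrying many MACs is a trunk to another switch, so you repeat the lookup there; a port carrying just one other MAC is an access port, and with a bridged VM that other MAC is the host's own NIC, which is the host you are looking for.

```python
"""Identify a VMware MAC and narrow it to a switch port from a MAC table (added example)."""
import re

# IEEE OUIs (first three octets) registered to VMware, Inc.
VMWARE_OUIS = {"000569", "000c29", "001c14", "005056"}

# Assumption of this example: at least this many other MACs on a port means an uplink.
UPLINK_MIN_OTHER_MACS = 3

# One row of Cisco IOS "show mac address-table": VLAN, dotted MAC, type, port.
MAC_ROW_RE = re.compile(
    r'^\s*(\d+|All)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$'
)


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits; accepts colon, dash and Cisco dotted notations."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def is_vmware_mac(mac):
    """True if the MAC's OUI belongs to VMware."""
    return normalize_mac(mac)[:6] in VMWARE_OUIS


def parse_mac_table(text):
    """Parse Cisco IOS MAC table output into [{'vlan','mac','type','port'}], ignoring headers."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            rows.append({"vlan": m.group(1), "mac": normalize_mac(m.group(2)),
                         "type": m.group(3).upper(), "port": m.group(4)})
    return rows


def locate_port(rows, target_mac):
    """Return the port the target MAC was learned on, with the other MACs seen on that port."""
    target = normalize_mac(target_mac)
    for row in rows:
        if row["mac"] == target:
            neighbours = sorted(r["mac"] for r in rows
                                if r["port"] == row["port"] and r["mac"] != target)
            return {"vlan": row["vlan"], "port": row["port"], "neighbours": neighbours,
                    "likely_uplink": len(neighbours) >= UPLINK_MIN_OTHER_MACS}
    return None


# Constructed sample: the guest MAC and one other MAC (the host's NIC) share an access
# port; Gi1/0/48 carries several MACs and plays the uplink to the next switch.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    000c.29ab.cdef    DYNAMIC     Gi1/0/12
  10    d4be.d9a1.b2c3    DYNAMIC     Gi1/0/12
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/24
  10    0050.56aa.bbcc    DYNAMIC     Gi1/0/48
  10    3c97.0e11.2233    DYNAMIC     Gi1/0/48
  10    b8ca.3a44.5566    DYNAMIC     Gi1/0/48
  10    f0de.f177.8899    DYNAMIC     Gi1/0/48
  10    00e0.4c00.1122    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 9
"""


def demo(target_mac="00:0c:29:ab:cd:ef"):
    """Run the lookup over the constructed table and return the result dict (or None)."""
    return locate_port(parse_mac_table(SAMPLE_TABLE), target_mac)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"
    print("VMware OUI:", is_vmware_mac(mac))
    print(demo(mac))
```

Run the lookup on the core switch first; when the result is flagged as an uplink, run it again on the switch behind that port until you reach an access port, then read the other MAC on it and the port's description or patch record for the desk.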
Well, we finally got him...
We started the two tracks at the same time (switches and scanning for vmx files), but we were lucky that the guy made a really stupid mistake...
The hacker's IP was found in the proxy logs.
He had updated the plugins of his scan engine over the weekend and used his own credentials to go through the proxy...
Thanks anyhow for the hints!
Oh dear - that was really stupid
A smarter guy could have done more harm