kach
Contributor
Contributor

Nmap revealed some security info about VM?

I did a scanning with Nmap as the parament below:

root@attacker# nmap -sS -P0 myserver.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-20 15:02 ICT

Interesting ports on 203.153.167.169.sta.isp-thailand.com (203.153.167.169):

Not shown: 1692 filtered ports

PORT STATE SERVICE

25/tcp open smtp

53/tcp open domain

80/tcp open http

443/tcp closed https

1935/tcp open rtmp

MAC Address: 00:50:56:81:1C:90 (VMWare)

Is there any way to prevent VM expose the red info above?

0 Kudos
6 Replies
larstr
Champion
Champion

The mac address that vmware products assign to virtual machines are always in ranges that VMware own to avoid conflicts with other vendors. When you\re using bridging (or esx) these mac addresses will be visible on the local network. It is however possible to change the mac address[/url] from inside the VM, but atleast on esx this can be prevented by the product, because allowing VMs to use fake mac addresses might also have some (security) implications.

Lars

0 Kudos
virtualdud3
Expert
Expert

Within the guest operating system, you can change the MAC address to a desired value that doesn't begin with the prefix "00:50:"

What is the guest OS? If I know this, I can provide some additional assistance.

############### Under no circumstances are you to award me any points. Thanks!!!
0 Kudos
kach
Contributor
Contributor

My concern is I want to remove VMWare label not to change the MAC.

0 Kudos
Dave_Mishchenko
Immortal
Immortal

nmap is putting the VMware label label based on the MAC address. Each vendor for NICs has specific ranges and VMware is no different. Here's a list of ranges / vendors that you can refer to - http://standards.ieee.org/regauth/oui/oui.txt. If you change the MAC in the OS to something out of the VMware ranges - for example to start with 00-05-68, then nmap would check it's mac-prefixes database and come up with another vendor.

0 Kudos
larstr
Champion
Champion

Or see the link I provided above as it contains info on changing mac on

windows, linux and bsd.

Lars

0 Kudos
virtualdud3
Expert
Expert

Just to illustrate, below is the result of an nmap scan on a test VM, using the VMware-generated MAC address:

########

$ sudo nmap -sS -P0 192.168.15.237

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-21 09:56 MDT

Interesting ports on 192.168.15.237:

Not shown: 1677 closed ports

PORT STATE SERVICE

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 00:50:56:A1:50:34 (VMWare)

########

And, here is the result after I changed the 00:50.. to 00:15.. within the guest OS:

########

$ sudo nmap -sS -P0 192.168.15.237

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-21 09:57 MDT

Interesting ports on 192.168.15.237:

Not shown: 1677 closed ports

PORT STATE SERVICE

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 00:15:56:A1:50:34 (Sagem SA)

############### Under no circumstances are you to award me any points. Thanks!!!
0 Kudos