Unleashing VASTO – A Virtualization Assessment Toolkit

VASTO is a first-of-its-kind toolkit designed to assess the security of various virtualization solutions, including VMware and Xen server. It is implemented as a set of modules that can be integrated into Metasploit, the popular penetration testing framework. This makes it easy for pen testers to integrate VASTO directly with their existing Metasploit framework and start using it on the fly with few or no changes. It has been tested with the latest Metasploit version, 3.4.2, on Ubuntu Linux and is expected to work on all other platforms supported by Metasploit.

The latest version, VASTO 0.3, which was showcased at the recent BlackHat 2010, promises a great deal on the virtualization front, as there are very few tools available for penetration testing of these appliances.

Here is a short video demonstration of fingerprinting VMware Server using VASTO’s “vmware_version.rb” module:

The video shows how one can launch the VMware version fingerprinting module directly through Metasploit to remotely detect the VMware server version. Armed with the version of the remote VMware server, an attacker can then execute the right exploit against the vulnerable VMware server to bring it down or pwn it completely. You will find a couple of other interesting videos on the VASTO home page that demonstrate the usage of other modules.

Here is the current list of modules available for pen testing as part of VASTO:
  • abiquo_guest_stealer.rb => Exploits a path traversal in Abiquo up to version 1.5
  • abiquo_poison.rb => Serves evil VM if a MITM is performed
  • eucalyptus_bouncer.rb => Turns Eucalyptus systems into proxy servers
  • eucalyptus_poison.rb => Serves evil VM if a MITM is performed
  • vmware_guest_stealer.rb => Exploits a path traversal in VMware products
  • vmware_login.rb => Brute forcing for VMware
  • vmware_session_rider.rb => Local proxy to ride stolen SOAPID sessions with VI Client
  • vmware_sfcbd_exec.rb => Command exec (authenticated) on Studio and Data Protection
  • vmware_studio_upload.rb => Arbitrary file upload on Studio 2.0 beta
  • vmware_updatemanager_traversal.rb => Jetty path traversal
  • vmware_version.rb => Fingerprints VMware products
  • vmware_vilurker.rb => MITM code execution against VI Client
  • vmware_webaccess_portscan.rb => Turns VMware WebAccess into a portscanner (or a proxy)
  • vmware_autopwn.rb => Automates exploiting the updatemanager traversal to ride a session
  • xen_login.rb => Brute forcer for Xen server

Though VASTO currently showcases modules mainly against VMware (and a few against Xen), hopefully in the near future we will see more against other virtualization appliances too.

With virtualization taking off across the computer industry, there is a growing need to scrutinize virtualization security. In this direction, tools like VASTO look promising.