SecurityXploded Blog

Unleashing VASTO – A Virtualization Assessment Toolkit

VASTO is the first toolkit of its kind designed to assess the security of various virtualization solutions, including VMware and Xen server. It is implemented as a set of modules which can be integrated into Metasploit, the popular penetration testing framework. This makes it very easy for pen testers to integrate VASTO directly with their existing Metasploit framework and start using it on the fly with few or no changes. It has been tested with the latest Metasploit version, 3.4.2, on Ubuntu Linux, and it is expected to work on all other platforms supported by Metasploit.

The latest version, VASTO 0.3, which was showcased at the recent BlackHat 2010, promises a great deal on the virtualization front, as there are very few tools available for penetration testing of these appliances.

Here is a short video demonstration of fingerprinting VMware Server using VASTO’s “vmware_version.rb” module.


The video shows how one can launch the VMware version fingerprinting module directly through Metasploit to remotely detect the VMware server version. Armed with the version of the remote VMware server, an attacker can then execute the right exploit against the vulnerable VMware server to bring it down or pwn it completely. You will find a couple of other interesting videos on the home page of VASTO which demonstrate the usage of other modules.

Here is the current list of modules available for pen testing as part of VASTO:
  • abiquo_guest_stealer.rb => Exploits a path traversal in Abiquo up to version 1.5
  • abiquo_poison.rb => Serves an evil VM if a MITM is performed
  • eucalyptus_bouncer.rb => Turns Eucalyptus systems into proxy servers
  • eucalyptus_poison.rb => Serves an evil VM if a MITM is performed
  • vmware_guest_stealer.rb => Exploits a path traversal in VMware products
  • vmware_login.rb => Brute forcer for VMware
  • vmware_session_rider.rb => Local proxy to ride stolen SOAPID sessions with VI Client
  • vmware_sfcbd_exec.rb => Command exec (authenticated) on Studio and Data Protection
  • vmware_studio_upload.rb => Arbitrary file upload on Studio 2.0 beta
  • vmware_updatemanager_traversal.rb => Jetty path traversal
  • vmware_version.rb => Fingerprints VMware products
  • vmware_vilurker.rb => MITM code execution against VI Client
  • vmware_webaccess_portscan.rb => Turns VMware WebAccess into a portscanner (or a proxy)
  • vmware_autopwn.rb => Automates exploiting the updatemanager traversal to ride a session
  • xen_login.rb => Brute forcer for XEN server

Though VASTO currently showcases modules mainly against VMware (and a few against XEN), hopefully in the near future we will see more against other virtualization appliances too.

With virtualization taking off across the computer industry, there is a growing need for scrutinizing virtualization security. In this direction, tools like VASTO look promising.
