raw2vmdk is an OS independent Java utility that allows you to mount raw disk images, like images created by “dd”, using VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format.

It could be an interesting tool for doing forensics examinations on compromised boxes when all you have is a dd dump of the drive to work on, it allows you to easily mount the disk in your favourite virtualization platform and get to work doing some forensic analysis.

It analyzes the raw image and creates an appropriately formatted “.vmdk” file that can be used to mount the image right away.

raw2vmdk is written in Java and is designed to be OS independent, simple and flexible. It creates an appropriately structured VMDK file that refers to the raw image, which can then be mounted by VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format, as if it were an actual virtual drive. Thus preserving space and allowing for very fast deployment.

It is extremely simple to use and provides the required results in seconds. This is a new tool, so if you have any feedback please do leave it in the comments below or contact the author directly.

You can download raw2vmdk here:

raw2vmdk-0.1.1.tar.gz

*EDIT* 18/6/2010

keydet89 on Twitter asked about the difference between this tool and LiveView so I asked the author and here’s his reply:

Actually I’m using a couple of their classes to get the disk geometry details needed for the vmdk file. I acknowledge that in my blog and the AUTHORS file.

You see I needed to boot a 74GB pfSense raw image for analysis and “qemu-img convert” is too slow for that kind of thing. Then I came across LiveView, I reviewed the code and manually replicated the process of creating a suitable vmdk file in order to boot the image using VMware.

After I was done my first plan was to port LiveView to *nix, but after a chat with the maintainer and a more detailed review of the LiveView code it proved to be too time consuming. So I decided to automate the manual process I followed and because there’s no need to reinvent the wheel I reused the classes LiveView is using to get the disk geometry.

LiveView is a good tool but very tightly coupled with MS Windows and can’t work from the command line. I needed something OS independent and easy to incorporate into scripts, mainly because I don’t use Windows. Plus, in the code it seemed that LiveView is actually manipulating the VMware ESX, I didn’t much care for that.

I think it’s best to just create the required .vmdk file to allow someone to boot/mount the drive they need and just get the hell out of their way. So overnight I had raw2vmdk ready and you know the rest. :)

You can read more about raw2vmdk at his blog here:

Zapotek’s train of thought…

Or read more here.

Web Security Dojo is a free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Web Security Dojo currently contains:

Targets –

• OWASP’s WebGoat v5.2
• Damn Vulnerable Web App v1.0.6
• Hacme Casino v1.0
• OWASP InsecureWebApp v1.0
• Simple training targets by Maven Security (including REST and JSON)

Tools -

• Burp Suite (free version) v1.3
• w3af cvs version
• OWASP Skavengerv0.6.2a
• OWASP Dirbuster v1.0 RC1
• Paros v3.2.13
• Webscarab v20070504-1631
• Ratproxy v1.57-beta
• sqlmap v0.7
• Helpful Firefox add-ons

You can download Web Security Dojo here:

VMWare image – dojo_v1.0-vmware.zip
VirtualBox image – dojo_v1.0-virtualbox.zip

Or read more here.

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.

Source: Network World

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Subvirt certainly sounds like an interesting project.

I have heard about such a thing before in the blackhat community, but for Linux only, I didn’t know anyone had actually worked on a Windows variant.

Quite an amazing piece of technology, the thing is, it might already be out there..Blackhats tend to do it first, and do it dirty, but not talk about it to the media ;)

Using current methods, these root kits CANNOT be detected by the host machine.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK.

The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft’s Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.

The problem being the malware is a lower layer than the malware detection utilities available, so it runs under the level that it can be detected. The SubVirt project has implemented VM-based rootkits on two platforms “Linux/VMWare and Windows/VirtualPC” and was able to write malicious services without detection.

It is a very stealthy attack, and perhaps it could be used to also fight against malicious code and malware.

“We believe the VM-based rootkits are a viable and likely threat,” the research team said. “Virtual-machine monitors are available from both the open-source community and commercial vendors … On today’s x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit.”

Hardware detection is one thing that could overcome this kind of subversion by virtual machines. Intel and AMD have discussed hardware based malware scanning (AMD Execution Protection to prevent buffer overflows).

Source: eWeek