Improve post/windows/gather/checkvm #18179

Merged
merged 14 commits into from
Sep 6, 2023

jvoisin
Contributor

@jvoisin jvoisin commented Jul 11, 2023

I tried to split this PR into meaningful commits.

Verification

List the steps needed to make sure this thing works

  • Test Parallels detection
  • Test VirtualBox detection
  • Test VMware detection
  • Test Qemu detection
  • Test Hyper-V detection
  • Test Xen detection

@jvoisin jvoisin mentioned this pull request Jul 16, 2023
5 tasks
@jheysel-r7 jheysel-r7 self-assigned this Jul 17, 2023
@jvoisin jvoisin requested a review from jheysel-r7 July 18, 2023 17:32
@jheysel-r7
Contributor

Testing Windows 7 running in Qemu

msf6 post(windows/gather/checkvm) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > getuid
Server username: msfuser-PC\msfuser
meterpreter > sysinfo
Computer        : MSFUSER-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > run
[*] Checking if the target is a Virtual Machine ...
[+] This is a Qemu/KVM Virtual Machine
[*] Post module execution completed

Testing Windows 7 running in Virtual Box

msf6 post(windows/gather/checkvm) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WINDOW7\msfuser
meterpreter > sysinfo
Computer        : WINDOW7
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > rexploit
[*] Reloading module...
[*] Checking if the target is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Post module execution completed

Testing Windows 11 running in VMware (with Hyper-V enabled)

msf6 exploit(multi/handler) > sessions -i -1
[*] Starting interaction with 3...
meterpreter > getuid
Server username: msfdevice\msfuser
meterpreter > sysinfo
Computer        : MSFDEVICE
OS              : Windows 10 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > rexploit
[*] Reloading module...
[*] Checking if the target is a Virtual Machine ...
[+] This is a VMware Virtual Machine
[*] Post module execution completed

Testing Windows 11 running in Parallels

msf6 exploit(multi/handler) > sessions -i -1
[*] Starting interaction with 4...
meterpreter > getuid
Server username: JACKHEYSELAAD5\jheysel
meterpreter > sysinfo
Computer        : JACKHEYSELAAD5
OS              : Windows 10 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > run
[*] Checking if the target is a Virtual Machine ...
[+] This is a Parallels Virtual Machine
[*] Post module execution completed

@gardnerapp
Contributor

I have attempted to DRY up this module's code and avoid redundant queries to the registry, processes and services. You can find my code here and a deeper explanation of the improvements in my comments at #18149. Is it OK to request a pull?

@jvoisin
Contributor Author

jvoisin commented Jul 24, 2023

Absolutely :)

@jheysel-r7
Contributor

Hey @jvoisin, after speaking with the team we think the Virtual PC (due to its age) and JoeSandbox (due to it being a cloud-based malware analysis tool and not a hypervisor) detections should probably be removed from this PR.

Xen testing is still blocking this PR and the post/linux/gather/checkvm changes.

@jvoisin
Contributor Author

jvoisin commented Aug 11, 2023

Sure, done :)

@jheysel-r7 jheysel-r7 added the blocked Blocked by one or more additional tasks label Aug 16, 2023
Contributor

@jheysel-r7 jheysel-r7 left a comment

After reviewing the two untested detections, Hyper-V and Xen, I think this should be good to be landed.

The only change to Hyper-V detection was changing all the registry_getvaldata to get_regval_str, which we know helps prevent an array being returned instead of a string.

As for the Xen detection, looking in the reg value HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName for the string xen is backed by this blog titled Determine if a machine is virtual.
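
Added example (not part of the review comment above, and not Metasploit code): a stand-alone Ruby sketch of why a string-coercing registry read matters for a substring check like the Xen one. The helper names `read_raw`, `read_str`, `xen_product_name?` and `unguarded_check`, and all sample values, are assumptions constructed for illustration; they do not reproduce `registry_getvaldata` or `get_regval_str`.

```ruby
# Added illustration; every name below is hypothetical.
BIOS_KEY = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS'
VALUE    = 'SystemProductName'

# Constructed registry snapshots standing in for a live registry read.
# The values are made up for this example, not captured from real hosts.
SNAPSHOTS = {
  string_value: { [BIOS_KEY, VALUE] => 'Example Xen Guest' },
  array_value:  { [BIOS_KEY, VALUE] => ['Example Xen Guest', ''] },
  missing:      {},
  physical:     { [BIOS_KEY, VALUE] => 'Example Laptop 14' }
}.freeze

# Raw reader: returns whatever type is stored (String, Array or nil).
def read_raw(snapshot, key, name)
  snapshot[[key, name]]
end

# String-coercing reader: always returns a String, whatever was stored.
def read_str(snapshot, key, name)
  value = read_raw(snapshot, key, name)
  case value
  when nil   then ''
  when Array then value.compact.map(&:to_s).join(' ').strip
  else            value.to_s
  end
end

# Case-insensitive substring check on the product name, done on the
# coerced value so a missing or multi-string value cannot raise.
def xen_product_name?(snapshot)
  read_str(snapshot, BIOS_KEY, VALUE).downcase.include?('xen')
end

# The same check on the raw value: fails as soon as the read returns
# an Array or nil. Returns the exception class name when that happens.
def unguarded_check(snapshot)
  read_raw(snapshot, BIOS_KEY, VALUE).downcase.include?('xen')
rescue NoMethodError => e
  e.class.name
end
```
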

@jheysel-r7 jheysel-r7 added enhancement and removed blocked Blocked by one or more additional tasks labels Sep 6, 2023
@jheysel-r7 jheysel-r7 merged commit 1317438 into rapid7:master Sep 6, 2023
1 check passed
@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Sep 6, 2023
@jheysel-r7
Contributor

Release Notes

This PR improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

@jvoisin jvoisin deleted the improve_vm branch September 6, 2023 18:33
zgoldman-r7 pushed a commit to zgoldman-r7/metasploit-framework that referenced this pull request Sep 11, 2023