Improve post/linux/gather/checkvm #18190

Merged
merged 12 commits into from
Sep 6, 2023

@jvoisin jvoisin commented Jul 16, 2023

Sister of #18179 but for Linux.

Verification

List the steps needed to make sure this thing works

  • Test VirtualBox detection
  • Test VMware detection
  • Test Qemu detection
  • Test Hyper-V detection
  • Test Xen detection

@jvoisin jvoisin changed the title Checkvm linux Improve post/linux/gather/checkvm Jul 16, 2023
@jheysel-r7 jheysel-r7 self-assigned this Jul 17, 2023
@jheysel-r7

Hey @jvoisin, I was able to test most of the changes in this PR and everything is looking good so far. I was wondering if you'd be able to test the Xen and Hyper-V detections for me?

My dev machine is running Mac OSX so I can't run Hyper-V enabled Windows VMs in my VMware Fusion. I think I should be able to run Xen in a Linux VM in order to host another Linux VM to test the detection; however, the nested virtualization was giving me some issues. Let me know, thanks!

msf6 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'VirtualBox' virtual machine
[*] Post module execution completed


msf6 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'VMware' virtual machine
[*] Post module execution completed


msf6 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'Qemu/KVM' virtual machine
[*] Post module execution completed

jvoisin commented Jul 18, 2023

I don't think I'll be able to test Xen and Hyper-V anytime soon :/

@jheysel-r7 jheysel-r7 left a comment

Hey @jvoisin, no worries on the Hyper-V / Xen testing, I'll see if anyone else on the team might be able to help out.

modules/post/linux/gather/checkvm.rb
@bwatters-r7

Testing this on a Hyper-V VM:

msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.143
OS           : Ubuntu 22.04 (Linux 5.19.0-32-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use post/linux/gather/checkvm 
msf6 post(linux/gather/checkvm) > show options

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(linux/gather/checkvm) > set verbose true
verbose => true
msf6 post(linux/gather/checkvm) > set session 1
session => 1
msf6 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'MS Hyper-V' virtual machine
[*] Post module execution completed
msf6 post(linux/gather/checkvm) > 

@jheysel-r7 jheysel-r7 added the blocked Blocked by one or more additional tasks label Aug 16, 2023
@jvoisin jvoisin requested a review from adfoster-r7 August 22, 2023 10:37
@jheysel-r7 jheysel-r7 added enhancement and removed blocked Blocked by one or more additional tasks labels Sep 6, 2023
@jheysel-r7 jheysel-r7 merged commit 4ade167 into rapid7:master Sep 6, 2023
1 check passed
@jheysel-r7

Release Notes

This PR improves the Linux checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Sep 6, 2023
@jvoisin jvoisin deleted the checkvm_linux branch September 6, 2023 18:34