danielsauder

IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi

So why might this be relevant anyway? All management consoles should be in your separated management network anyway, right? Well, unfortunately that is not always the case:

shodandce1afd8621c8cf131afca4d7451dca5

As you can see about 85.000 ports from the VMware Authentication Deamon are open over the internet.
And you can even bruteforce accounts:
https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmauthd_login
Further, during an onsite test you might find some esxi machines and credentials for management consoles. Also vulnerabilites might exist where it is possible to pwn the vm hypervisor via a virtual machine.
So what is to do for the blue team?
Here are some ideas:
– log network connections to the esxi servers
– log logins
– log changes to vms
– log creation of snapshots
– log reboots and uploads
… and when I say log I mean mainly, collect em. In the links section is an example for Elk and for Splunk.
Relevant log file entries in the vmware.log file for snapshots
The log for can be found in the datastore:
dslog4a7ef9d247c31587dd7399cf5a89bf55
And here is some output from the relevant logfiles after making a snapshot with VMWare Wokstation connected to the ESXi server:
log10c71e5f655bcec62fbf007ac4076d03c
And when doing a snapshot over ssh:
log27879476bcacfd758b78ccee433346b15
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
Links:
https://github.com/harrytruman/logstash-vmware
https://mtalavera.wordpress.com/2015/05/18/monitoring-vmware-esxi-with-the-elk-stack/
http://www.vhersey.com/2012/02/configuring-virtual-machine-vmware-log-file-rotation/
https://wiki.splunk.com/Community:VMwareESXSyslog
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007805

Published by

Daniel

One response to “Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi”

  1. Memdumps, Volatility, Mimikatz, VMs – Overview | govolution

    […] The last weeks I experimented around with how to get user crendentials from memory dumps, and hopefully I will have the time to contiue this little “research” (I know, it is not really research when you just writup stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think that will become a few short articles. I added links for sources and more in depth information. Highly interesting for me is how to obtain memory dumbs from virtual machines when you have access to the host system. Further I will have a look at countermeasures in a later part (whereby I mean monitoring and logging). Overview Part 1: Mimikatz & lsass.exe Dump Part 2: Windows 7 Full Memory Dump & Get Hashes Part 3: WinDBG Mimikatz Extension Part 4: Volatility & Mimikatz Part 5: Virtualbox & LM/NTLM Hashes Part 6: VMWare Workstation Part 7: ESXi Server Part 8: Attacking Scenario – Volatility on ESXi Part 9: Logging & Monitoring ESXi […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: