From: Jeremiah Cornelius (jeremiah@nur.net)
Date: Sun Mar 23 2008 - 16:46:30 EST
Vmware is a poor choice for hosting a pen/recon toolset. I suspect that to be true of anything like QEMU or Virtual PC, too.
Tools like nmap and hping give misleading results and horrible response, when piped through a virtual adaptor. In the case of Vmware, there are between 10 and 15 messages passed from the vm to the host and back - just to transmit a single packet/datagram.
The vnetworking stack also works like a transparent layer 2 proxy - altering, normalising and 'optimising' network behavior for the expected workloads I have wasted hours of mapping time this way in the past, and would save you the trouble of trying it...
Also, Vista as a host needs to have the firewall and IPsec filtering disabled.
The OS is also subject to the connetion and pacet rate filtering that was introduced for XP SP2. There are unauthorized binary patches that must be made to TCPIP.SYS, for either OS to function as a testers platform. Otherwise scans crawl to zero, and usefull open SYN traffic waits for timeouts in a limiting queue, before new SYNs are sent. Add the message-passing latency of your VM stack, and this is intolerable.
This is one case where the addage "right tool for the right job" applies. Vmware and Vista may have merits for certain applications. In the pentest environment, these should remain as targets - where they will not impede the investigator, nor obscure meaningful network information from examination.
Jeremiah
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:29 EDT