Re: VMWare and which linux distro?

From: Roger A. Grimes (rogerg@cox.net)
Date: Sun Jan 18 2004 - 21:49:56 EST


Pete,

I don't know if this is a solution for you, but I do a lot of honeypot work
and I've seen similar packet manipulation problems when running virtual
environments. I use Honeyd (a virtual honeypot) system a fair amount, and
its author requires that it have its own, unique IP network address space so
that the host OS doesn't "accidentally adjust" the virtual host's packets on
the lower levels when passing traffic to and from the virtual environment.
Although I'm purely guessing, maybe try setting up the VMWare session with
its own IP subnet and IP address, and set up static routes on the
workstation (i.e. route add -p ....) to point to the new virtual IP address
space. For example, if you put the VMWare on its own virtual IP subnet
(say 192.168.2.0/24) and your host IP is 192.168.1.1, here's the static
route command to add to the host PC:

route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.1

which is route add -p destnetwork mask subnetmask gatewayaddress

It might be worth a quick try to see if it helps.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE:Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
*********************************************************************************
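
Worked example of the route setup described above, added here and not part of Roger's post or the thread: it renders the persistent `route add -p` command from a CIDR prefix, checks that the VM subnet is actually separate from the host LAN (the "own, unique IP network address space" Honeyd requires), and shows which entry a route table would pick for a VM-bound versus an ordinary destination. The 192.168.1.254 default gateway and the /24 host LAN are assumed values.

```python
import ipaddress

# Values from the thread: host on 192.168.1.1, VM subnet 192.168.2.0/24.
# The host LAN prefix and default gateway are constructed assumptions.
HOST_IP = "192.168.1.1"
HOST_PREFIX = 24
VM_SUBNET = "192.168.2.0/24"
DEFAULT_GATEWAY = "192.168.1.254"


def route_add_command(vm_subnet, gateway):
    """Render the persistent Windows static route the post suggests:
    route add -p destnetwork mask subnetmask gatewayaddress."""
    net = ipaddress.ip_network(vm_subnet, strict=True)
    return f"route add -p {net.network_address} mask {net.netmask} {gateway}"


def subnets_overlap(host_ip, host_prefix, vm_subnet):
    """True if the VM subnet collides with the host's own LAN. An overlapping
    subnet is not a separate address space, so the static route changes nothing:
    the host would still treat those addresses as directly attached."""
    host_net = ipaddress.ip_interface(f"{host_ip}/{host_prefix}").network
    return host_net.overlaps(ipaddress.ip_network(vm_subnet, strict=True))


def select_route(destination, routes):
    """Longest-prefix match over (prefix, gateway) pairs, as a route table does.
    Returns the gateway of the most specific matching entry."""
    dst = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix, strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    if best_net is None:
        raise LookupError(f"no route to {destination}")
    return best_gw


if __name__ == "__main__":
    if subnets_overlap(HOST_IP, HOST_PREFIX, VM_SUBNET):
        raise SystemExit("VM subnet overlaps the host LAN; pick a separate one")
    print(route_add_command(VM_SUBNET, HOST_IP))
    table = [("0.0.0.0/0", DEFAULT_GATEWAY), (VM_SUBNET, HOST_IP)]
    # VM-bound traffic takes the added /24; everything else takes the default.
    print("192.168.2.7 ->", select_route("192.168.2.7", table))
    print("10.0.0.1    ->", select_route("10.0.0.1", table))
```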

----- Original Message -----
From: "Pete Herzog" <pete@isecom.org>
To: <pen-test@securityfocus.com>
Sent: Friday, January 16, 2004 5:17 PM
Subject: RE: VMWare and which linux distro?

> Hi,
>
> In our testing lab, we have seen some problems with the sending and
> receiving of various types of TCP / UDP packets from within a Virtual
> Machine as part of an attack system. Now this won't affect all security
> tests but it has become a problem in the scalpel-like precision required
> for certain tests where we are looking for certain packets within a given
> time frame. Source and Destination ports, for instance, come to mind as an
> example of the corruption occurring with tests. Our suspicion is a
> corruption which occurs in the binding with the ethernet card and
> regardless of OS or whether the VM has its own external IP address or not,
> it still occurs enough that we had to stop using a VM to make tests from.
>
> We have not done any further tests on this. Has anyone else seen this
> problem though? Anyone have more information on this?
>
> Sincerely,
> -pete.
>
> Pete Herzog, Managing Director
> Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.isestorm.org
>
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT