One of the best ways to learn is to practice, and practice again, and I have to say that VMware has played a very large role in my professional life: it lets me test ideas and code, and validate and practice against different versions of an OS, different patch levels and even different OSs, without needing a large number of servers and routers to simulate environments. My current lab system is a PC running Windows 7 Enterprise with 8GB of RAM, two 1TB 7200 RPM SATA drives and an Intel Core 2 Quad Q8300, all of it running VMware Workstation 7. I keep a collection of VMs that I clone as needed; my collection of VMs for cloning is:
- (5) Windows 2008 Ent RTM 32bit
- (1) Windows 2008 Ent Core RTM 32bit
- (2) Windows Vista RTM 32bit
- (2) Windows 7 RTM 32bit
- (1) Windows XP SP2 32bit
- (1) Windows XP SP3 32Bit
- (1) Windows 2003 Ent SP2 32bit
- (1) Windows 2003 Ent SP1 32bit
- (1) Windows 2003 Ent R2 32bit
- (1) Windows 2000 Advanced SP3 32bit
- (1) Windows 2000 Advanced SP4 32bit
- (1) pfSense 1.2.3 appliance
- (1) BackTrack 4 (BT4)
- (1) Ubuntu 9.10 32bit
For database testing I have the following VMs:
- (1) MS SQL 2005 running on Windows 2003 32bit
- (1) MS SQL 2008 Running on Windows 2003 Ent 32bit
- (1) Oracle 9i Running on Windows 2003 Advanced 32bit
- (1) Oracle 10g Running on Windows 2003 Ent 32bit
- (1) Oracle 11g Running on Windows 2003 Ent 32bit
As you can see, since most of my work is done with Meterpreter and post-exploitation on Windows systems, the majority of my VMs are Windows. I have a lot of VMs, and to make matters a bit more complex, when I'm testing something I use the Teams feature of VMware Workstation to create a completely isolated network of machines. This lets me test machines behind a virtual firewall to see how well my code works behind several firewall configurations, and a very good feature of Teams is that I can control the speed of a virtual network, so I can test how my attack or code behaves if the client has a 64kbps connection, a T-1 or any other link speed. This really helps me tune and see how multithreading and moving large files behave over those connections.
The team into which I clone any of the VMs listed above looks as follows:
In the configuration shown above I can play with the speed of the LAN1 network to simulate different environments. Depending on where I want the attacker to be, I place the attacking machine on my home network, or, for an internal attacker, I place an attacking VM inside LAN2.
As you can see, my setup can become complicated very fast, and making changes to individual machines becomes a tedious job, so what better way to handle all of these VMs than to automate it? For this, a simple tool I like that can be used on Linux, OS X and Windows is vmrun, which is part of the VMware VIX kit; the kit is included in the full Fusion download and is a separate download for Linux. With this tool you can manage VMs in:
- ESX and ESXi (Remotely)
- VMware Server (Remotely)
- VMware Player (Locally)
- VMware Workstation (Locally)
- VMware Fusion (Locally)
Some of the things you can do with this tool are:
- Change the state of VMs (Start, Stop, Pause and Reset)
- Manage Snapshots (Creation, Deletion, Revert to Snapshot)
- Manage Processes in VMs (List, Start and Kill)
- Upload Files to VMs
- Run Scripts in VMs
The list above is only a short one; check the vmrun documentation for the rest.
One of the things I tend to do is take a snapshot of all running VMs once I have the environment set up the way I want, so that if I mess something up I can revert the affected VM. For this I wrote the following batch script to create a snapshot of all running VMs:
@echo off
setlocal
rem Append the VIX directory instead of replacing PATH, so other tools still resolve
set "Path=%Path%;C:\Program Files (x86)\VMware\VMware VIX"
set snapname=
set /p snapname=Enter the name for the snapshot:
if "%snapname%"=="" (echo No snapshot name given, nothing done & goto :end)
rem "vmrun list" prints "Total running VMs: N" first, so skip=1 leaves only the .vmx paths;
rem delims=, keeps paths containing spaces in one token
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Creating snapshot for %%i and naming it %snapname%
vmrun -T ws snapshot "%%i" "%snapname%"
)
:end
endlocal
set /p any=press any key ....
Here is a sample run of the script
As you can see, you get prompted for the name to give the snapshot, and we are snapshotting only the running VMs, since those are the ones I'm working on at the moment; I do not want to snapshot my master templates.
To revert all running VMs to a known snapshot, the only thing I changed is the command, which becomes revertToSnapshot, followed by a start so the VM comes back up after the revert:
@echo off
setlocal
set "Path=%Path%;C:\Program Files (x86)\VMware\VMware VIX"
set snapname=
set /p snapname=Enter the name for the snapshot:
if "%snapname%"=="" (echo No snapshot name given, nothing done & goto :end)
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Reverting snapshot for %%i
vmrun -T ws revertToSnapshot "%%i" "%snapname%" msg.autoAnswer = TRUE
rem bring the VM back up after the revert
vmrun -T ws start "%%i"
)
:end
endlocal
set /p any=press any key ....
To delete a snapshot I just changed the command to deleteSnapshot; the VMs keep running while the snapshot is removed, so no start is needed here. As you can see, scripting this tool is very simple.
@echo off
setlocal
set "Path=%Path%;C:\Program Files (x86)\VMware\VMware VIX"
set snapname=
set /p snapname=Enter the name for the snapshot:
if "%snapname%"=="" (echo No snapshot name given, nothing done & goto :end)
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Deleting snapshot for %%i
rem the VM stays powered on, so there is nothing to start afterwards
vmrun -T ws deleteSnapshot "%%i" "%snapname%" msg.autoAnswer = TRUE
)
:end
endlocal
set /p any=press any key ....
In the next example I made the batch file accept a file to upload to all running Windows hosts, by looking at their names for the string "win" and copying the file only to those. I can either drag and drop the file on top of the script or, when I run it and the script asks, drag and drop the file into the CMD window to paste its path. You will also see that I provide the guest username and password, so it is a good idea to use the same username and password on all of your lab VMs. All vmrun actions that interact with the guest OS require that VMware Tools be installed in the VM and that credentials for the guest OS be given.
@echo off
setlocal
set "Path=%Path%;C:\Program Files (x86)\VMware\VMware VIX"
rem Take the file from the first argument (drag and drop onto the script) or prompt for it
if "%~1"=="" (set /p file=Enter path of file to upload: ) else (set "file=%~1")
rem strip any quotes pasted with the path so we can quote it ourselves below
set file=%file:"=%
set /p target=Enter path and filename on VMs to upload:
rem find.exe keeps only the lines containing "win" (it matches the whole .vmx path, so keep
rem the string in the VM name); it also drops the "Total running VMs:" header, so no skip=1 here
for /F "delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (
echo Uploading file %file% to %%i
rem -gu/-gp are the guest OS credentials shared by all lab VMs; VMware Tools must be installed
vmrun -T ws -gu administrator -gp Newsystem01 copyFileFromHostToGuest "%%i" "%file%" "%target%"
)
endlocal
set /p any=press any key ....
Now you can use this other script to run the executable on all Windows hosts; a similar one can be made for Linux if you follow a naming convention for your VMs.
@echo off
setlocal
set "Path=%Path%;C:\Program Files (x86)\VMware\VMware VIX"
set /p file=Enter path and filename of program to run:
set /p options=Enter options for program:
rem find.exe already removes the header line, so a skip=1 here would skip the first Windows VM
for /F "delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (
echo Running %file% %options% on %%i
vmrun -T ws -gu administrator -gp Newsystem01 runProgramInGuest "%%i" "%file%" "%options%" msg.autoAnswer = TRUE
)
endlocal
set /p any=press any key ....
I have just shown some simple examples of automating Workstation, but the same can be done with VMware Server and ESX/ESXi by changing the type given to the -T flag to server or esx depending on the target, and supplying the address to connect to with -h (the host's URL), the host user with -u and the host password with -p. The tool simply executes XML-RPC calls over SSL against those servers. I encourage you to read the rest of the short vmrun documentation and to modify and play with the scripts shown here as examples; you can also translate these batch files into shell scripts and use them on OS X or Linux if you like.
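As an added example (not code from the original post), here is the shell-script port the last paragraph suggests, covering both the snapshot/revert/delete loops and the upload/run-in-guest loops in one script. It assumes vmrun from the VIX kit is on PATH (or named in $VMRUN), that every lab guest shares the credentials in $GUEST_USER/$GUEST_PASS (the same lab convention the post uses), and it adds two things the batch versions lack: a DRY_RUN=1 mode that prints the vmrun calls instead of executing them, and name matching on the .vmx file name only, so a directory called "windows-templates" does not make a Linux VM match. The file and VM names in the comments are constructed for illustration.

```bash
#!/usr/bin/env bash
# vmlab.sh: act on every running VM (optionally filtered by name) via vmrun.
# Assumptions: vmrun on PATH or in $VMRUN; shared guest credentials in the environment.
VMRUN="${VMRUN:-vmrun}"            # vmrun binary (a shell function of that name works too)
HOST_TYPE="${HOST_TYPE:-ws}"       # -T value: ws, fusion, player, server, esx
GUEST_USER="${GUEST_USER:-administrator}"
GUEST_PASS="${GUEST_PASS:-}"       # lab-only shared guest password, taken from the environment
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the vmrun calls instead of running them

# `vmrun list` prints "Total running VMs: N" first; drop it so only .vmx paths remain
# (the batch scripts do the same with skip=1).
strip_header() { tail -n +2; }

# Keep only .vmx paths whose file name contains the pattern, case-insensitively.
filter_by_name() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r vmx; do
    name=$(basename "$vmx" | tr '[:upper:]' '[:lower:]')
    case "$name" in *"$pat"*) printf '%s\n' "$vmx" ;; esac
  done
}

# Running VMs, optionally restricted to names matching $1.
running_vms() {
  if [ $# -gt 0 ]; then "$VMRUN" -T "$HOST_TYPE" list | strip_header | filter_by_name "$1"
  else "$VMRUN" -T "$HOST_TYPE" list | strip_header
  fi
}

# Run one vmrun command, or print it when DRY_RUN=1.
run_vmrun() {
  if [ "$DRY_RUN" = 1 ]; then printf 'vmrun %s\n' "$*"
  else "$VMRUN" "$@"
  fi
}

# snapshot|revert|delete <name> [pattern]: snapshot operation on each matching running VM
snapshot_op() {
  action=$1; snap=$2; shift 2
  case "$action" in
    snapshot) op=snapshot ;;
    revert)   op=revertToSnapshot ;;
    delete)   op=deleteSnapshot ;;
    *) echo "unknown snapshot action: $action" >&2; return 2 ;;
  esac
  running_vms "$@" | while IFS= read -r vmx; do
    run_vmrun -T "$HOST_TYPE" "$op" "$vmx" "$snap"
    # the post follows revertToSnapshot with a start so the VM comes back up; keep that
    if [ "$action" = revert ]; then run_vmrun -T "$HOST_TYPE" start "$vmx"; fi
  done
}

# upload <host-file> <guest-path> [pattern]: copy a host file into each matching guest
upload_op() {
  src=$1; dst=$2; shift 2
  running_vms "$@" | while IFS= read -r vmx; do
    run_vmrun -T "$HOST_TYPE" -gu "$GUEST_USER" -gp "$GUEST_PASS" \
      copyFileFromHostToGuest "$vmx" "$src" "$dst"
  done
}

# run <guest-program> <args> [pattern]: run a program inside each matching guest
run_op() {
  prog=$1; args=$2; shift 2
  running_vms "$@" | while IFS= read -r vmx; do
    run_vmrun -T "$HOST_TYPE" -gu "$GUEST_USER" -gp "$GUEST_PASS" \
      runProgramInGuest "$vmx" "$prog" "$args"
  done
}

main() {
  cmd=$1; shift
  case "$cmd" in
    snapshot|revert|delete) snapshot_op "$cmd" "$@" ;;
    upload) upload_op "$@" ;;
    run)    run_op "$@" ;;
    *) echo "usage: $0 {snapshot|revert|delete} <name> [pattern] | upload <src> <dst> [pattern] | run <prog> <args> [pattern]" >&2; return 2 ;;
  esac
}

# Dispatch only when arguments are given, e.g. (constructed names):
#   ./vmlab.sh snapshot clean            ./vmlab.sh revert clean win
#   ./vmlab.sh upload ./agent.exe 'C:\agent.exe' win
if [ $# -gt 0 ]; then main "$@"; fi
```

Because -gu/-gp go on the command line, the guest password is visible in the host's process list for the duration of each vmrun call (and in DRY_RUN output); that is acceptable for an isolated lab with throwaway credentials, which is the setup the post describes, but not for anything shared.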