One of the best ways to learn is to practice and practice and I do have to say that VMWare has played a very large role in my professional life since it allows me  to test ideas, code, validate and practice against different versions of an OS, different patch levels and even different OS’s with out having to have a very large number of servers and routers to simulate environments. My current lab system is a PC running Windows 7 Enterprise with 8GB of RAM, 2 1TB 7200 SATA HD and a Intel Quad 8300, all of this running VMware Workstation 7. I have a collection of VM’s that I clone as needed, my collection of VM’s for cloning are:

  1. (5) Windows 2008 Ent RTM 32bit
  2. (1) Windows 2008 Ent Core RTM 32bit
  3. (2) Windows Vista RTM 32bit
  4. (2) Windows 7 RTM 32bit
  5. (1) Windows XP SP2 32bit
  6. (1) Windows XP SP3 32Bit
  7. (1) Windows 2003 Ent SP2 32bit
  8. (1) Windows 2003 Ent SP1 32bit
  9. (1) Windows 2003 Ent R2 32bit
  10. (1) Windows 2000 Advanced SP3 32bit
  11. (1) Windows 2000 Advanced SP4 32bit
  12. (1) Pfsense 1.2.3 Appliance
  13. (1) BT4
  14. (1) Ubuntu 9.10 32bit

For Database testing I have the following VM’s:

  1. (1) MS SQL 2005 running on Windows 2003 32bit
  2. (1) MS SQL 2008 Running on Windows 2003 Ent 32bit
  3. (1) Oracle 9i Running on Windows 2003 Advanced 32bit
  4. (1) Oracle 10g Running on Windows 2003 Ent 32bit
  5. (1) Oracle 11g Running on Windows 2003 Ent 32bit

As it can be seen since most of my work is done with Meterpreter and post exploitation in Windows Systems the majority of my VM’s are Windows. As you can see I do have a lot of VM’s and to make matters a bit more complex when I’m testing something I use VMware Workstation feature of Teams where I create a complete isolated network of machines, this lets me test the machines behind a virtual firewall to see how well my code will work behind several configurations of firewalls and a very good feature of teams is that I can control the speed of a virtual network so I can test how will my attack or code will behave if the client has a 64kbps connection, a T-1 and many other types of speed, this really helps me tune and see how multithreading and moving large files behave thru this connections.

The team where I clone any of the VM’s you see above looks as follow:

teamacmeinc

In the configuration shown above I can play with the speed of the LAN1 network so as to simulate different environments, depending of where I want to simulate the attacker I will place the attacker machine in my home network or as a internal attacker I place an attacking  VM inside LAN2.

As it can be seen my setup can become complicated very fast and doing changes to individual machines becomes a tedious job so what better way  handle all of this VM’s that to automate it For this a simple tool that I like that can be used on Linux, OSX and Windows is the vmrun tool that is part of the VMware VIX kit, this kit is part of Fusion Full download and as a separate download for Linux. With this tool you can manage VM’s in:

  1. ESX and ESXi (Remotely)
  2. VMware Server (Remotely)
  3. VMware Player (Remotely)
  4. VMware Workstation (Locally)
  5. VMware Fusion (Locally)

Some of the stuff you can do with this tool are:

  1. Change state of VM’s(Start, Stop, Pause and Reset)
  2. Manage Snapshots (Creation, Deletion, Revert to Snapshot)
  3. Manage Processes to VM’s(List, Start and Kill)
  4. Upload Files to VM’s
  5. Run Scripts on VM’s

The list above is only a shot list you can check the vmrun Documentation

One of the things I tend to do is do a snapshot to all running VM’s once I have the environment setup as I want so in case I mess up something I can revert the affected VM, so for this I wrote the following batch script to create a snapshot of all running VM’s

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot: 

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Creating Snapshot for %%i and naming it %snapname%

vmrun -T ws snapshot "%%i" %snapname%

)

endlocal

set /p any=press any key ....

Here is a sample run of the script

image

As you can see you get prompted for the name to give to the snapshot, and we are doing a snapshot of only the running VM’s since those are the ones I’m working at the moment, I do not want to snapshot my master templates.

To revert to all running VM’s to a known snapshot the only thing I changed is the command to be revertToSnapshot

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot:

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Reverting snapshot for %%i

vmrun -T ws revertToSnapshot "%%i" %snapname% msg.autoAnswer = TRUE

vmrun start "%%i"

)

endlocal

set /p any=press any key ....

To delete I just changed the command to deleteSnapshot  as you can see it is very simple to script this tool.

@echo off

setlocal

set Path=C:\Program Files (x86)\VMware\VMware VIX

set snapname=

set /p snapname=Enter the name for the snapshot:

for /F "skip=1 delims=," %%i in ('vmrun list') do (

echo Deleting snapshot for %%i

vmrun -T ws deleteSnapshot "%%i" %snapname% msg.autoAnswer = TRUE

vmrun start "%%i"

)

endlocal

set /p any=press any key ....

In the next example I just made the batch accept a variable of file to upload to all windows running hosts by looking at their names and looking for the string“win” and only to those copy the file, I can either drag and drop the file on top of the script or when I run it and the script asks I can just drag and drop the file to the CMD windows so as to copy the path to the executable, also you will see that I provide the guest username and password so it is a good idea to have the same username and password for you lab VM’s on you machine. All VM actions that interact with the OS of the VM require that VMware Tools are installed and that credentials are given to access the underlying OS.

@echo off

set Path=C:\Program Files (x86)\VMware\VMware VIX

if "%1"=="" (set /p file=Enter path of file to upload: ) else (set file="%1")

set /p target=Enter path and filename on VMs to upload: 

for /F "delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (

echo uploading file %file% to %%i

vmrun -T ws -gu administrator -gp Newsystem01 copyFileFromHostToGuest "%%i" "%file%" "%target%"

)

set /p any=press any key ....

Now you can use this other script to run the executable on all windows hosts, a similar one can be made for Linux if you follow a naming conversion for your VM’s.

@echo off

 

set /p file=Enter path and filename of program to run: 

set /p options=Enter options for program:  

for /F "skip=1 delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (

echo uploading file %file% to %%i

vmrun -T ws -gu administrator -gp Newsystem01 runProgramInGuest "%%i" "%file%" "%options%" msg.autoAnswer = TRUE

)

 

set /p any=press any key ....

I just showed some simple examples on automating workstation but this can also be done with VMware Server and ESX/ESXi by just changing the type in the –T flag to server or esx depending the target and giving the address to connect to with –h for the web address and –u for the host user and –p for the host password. The tool simply executes XMLRPC calls thru SSL against the servers. I encourage that you read the rest of the short documentation on vmrun and modify and play with the scripts I here showed as examples, you can transform this same script to batch and use them in OSX or Linux if you like.

About the author

Leave a Reply