In this book, we show how to determine hypervisor properties by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor. This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software. Finally, we present a reporting tool that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Some of the described methods can be used even if the VMwareTM Tools are disabled or not installed, or if some of the methods are disabled by host configuration. Some of the methods require “root” privileges, while others do not need it. As we will see, host properties can be extracted from virtual hardware properties and from network services running in the host. These properties include: Virtualization Product and Version, CPU Reservation, Memory Reservation, Ballooning amount, as well as many others. The concept of Nested Virtualization is also analyzed. Finally, we present a reporting tool that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Disclaimer 13 I.INTRODUCTION 15 II. Virtual HARDWARE CLUES 19 Determining if the Guest OS is running over a VMware hypervisor 19 Determining Hypervisor Product & Version 22 BIOS Release Date/Address/Size 23 Guest SDK ( for vSphere >= 6.0 ) 25 vmware-checkvm 27 Backdoor command (0Ah - Get VMware version) 29 dmidecode 33 Virtual Devices list (Guest API) 37 Other Stats and Properties 39 Physical CPU Speed 41 Ballooning information 41 Raw information 42 Kernel Modules (vsock, vmw_vsock_vmci, vmwgfx, vmw_vmci) 44 PCI information 45 CPU INFO 50 Advanced low-level tools: VMW 55 Advanced low-level tools: VM_BACKDUMP 62 Other tools: VSOCKETS_NC 96 Disabling some clues 101 III. Networking Clues 108 ESXi MAC addresses 108 NMAP Service Scans 112 NMAP scan for a host running Windows 7 with VMware Player 113 NMAP scan for a system with a VMware MAC address 116 NMAP scan for a Kali Linux Guest OS (running over VMware Player) 117 NMAP scan for a Nested ESXi Host (running over VMware Player) 118 NMAP scan for a VMware Network Device (running over VMware Player) 121 NMAP scan for a Kali Linux Guest OS (running over VMware ESXi 6.0) 123 NMAP scan for a VMware ESXi Host (checking for “VMware Authentication Daemon”) 124 NMAP scan for a VMware ESXi Host (checking for “VMware ESXi Server httpd”) 126 NMAP scan for a VMware “dnsmasq 2.51” Network Device (running over VMware Player) 128 NMAP scan VMware workstation/PLAYER @ MICROSOFT WINDOWS 133 ESXi Web Servers Scans 136 ESXi Web Server SHA1 fingerprint [36] 137 ESXi Web Server Certificate Details [36] 138 ESXi Web Services (VIM API) 141 VMware Workstation/Player services 143 vmauthd ( VMware Authentication Daemon, VMware Player or ESXi Server) 143 IV. Nested virtualization 147 V. Guest-side reporting about Hypervisor 154 Report example - Kali Linux Guest (over ESXi 6.0 hypervisor) 155 VI. Future Work 231 References 234 Annex A – More report examples 250 Report example - Kali Linux Guest (over VMware Player 7 hypervisor) 250 Report example – ESXi 6.0 Guest Hypervisor (Nested over VMware Player 7 hypervisor) 346 About the author 429 Virtualization