One of the best ways to learn is to practice and practice and I do have to say that VMWare has played a very large role in my professional life since it allows me to test ideas, code, validate and practice against different versions of an OS, different patch levels and even different OS’s with out having to have a very large number of servers and routers to simulate environments. My current lab system is a PC running Windows 7 Enterprise with 8GB of RAM, 2 1TB 7200 SATA HD and a Intel Quad 8300, all of this running VMware Workstation 7. I have a collection of VM’s that I clone as needed, my collection of VM’s for cloning are:
For Database testing I have the following VM’s:
As it can be seen since most of my work is done with Meterpreter and post exploitation in Windows Systems the majority of my VM’s are Windows. I do have a lot of VM’s and to make matters a bit more complex when I’m testing something I use VMware Workstation feature of Teams where I create a complete isolated network of machines, this lets me test the machines behind a virtual firewall to see how well my code will work behind several configurations of firewalls and a very good feature of teams is that I can control the speed of a virtual network so I can test how will my attack or code will behave if the client has a 64kbps connection, a T-1 and many other types of speed, this really helps me tune and see how multithreading and moving large files behave thru this connections.
The team where I clone any of the VM’s you see above looks as follow:
In the configuration shown above I can play with the speed of the LAN1 network so as to simulate different environments, depending of where I want to simulate the attacker I will place the attacker machine in my home network or as a internal attacker I place an attacking VM inside LAN2.
As it can be seen my setup can become complicated very fast and doing changes to individual machines becomes a tedious job so what better way handle all of this VM’s that to automate it For this a simple tool that I like that can be used on Linux, OSX and Windows is the vmrun tool that is part of the VMware VIX kit, this kit is part of Fusion Full download and as a separate download for Linux. With this tool you can manage VM’s in:
Some of the stuff you can do with this tool are:
The list above is only a short list of what can be done, you can check the vmrun Documentation for more options.
One of the things I tend to do is do a snapshot to all running VM’s once I have the environment setup as I want so in case I mess up something I can revert the affected VM, so for this I wrote the following batch script to create a snapshot of all running VM’s
@echo off
setlocal
set Path=C:\Program Files (x86)\VMware\VMware VIX
set snapname=
set /p snapname=Enter the name for the snapshot:
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Creating Snapshot for %%i and naming it %snapname%
vmrun -T ws snapshot "%%i" %snapname%
)
endlocal
set /p any=press any key ....
Here is a sample run of the script
As you can see you get prompted for the name to give to the snapshot, and we are doing a snapshot of only the running VM’s since those are the ones I’m working at the moment, I do not want to snapshot my master templates.
To revert to all running VM’s to a known snapshot the only thing I changed is the command to be revertToSnapshot
@echo off
setlocal
set Path=C:\Program Files (x86)\VMware\VMware VIX
set snapname=
set /p snapname=Enter the name for the snapshot:
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Reverting snapshot for %%i
vmrun -T ws revertToSnapshot "%%i" %snapname% msg.autoAnswer = TRUE
vmrun start "%%i"
)
endlocal
set /p any=press any key ....
To delete I just changed the command to deleteSnapshot as you can see it is very simple to script this tool.
@echo off
setlocal
set Path=C:\Program Files (x86)\VMware\VMware VIX
set snapname=
set /p snapname=Enter the name for the snapshot:
for /F "skip=1 delims=," %%i in ('vmrun list') do (
echo Deleting snapshot for %%i
vmrun -T ws deleteSnapshot "%%i" %snapname% msg.autoAnswer = TRUE
vmrun start "%%i"
)
endlocal
set /p any=press any key ....
In the next example I just made the batch accept a variable of file to upload to all windows running hosts by looking at their names and looking for the string“win” and only to those copy the file, I can either drag and drop the file on top of the script or when I run it and the script asks I can just drag and drop the file to the CMD windows so as to copy the path to the executable, also you will see that I provide the guest username and password so it is a good idea to have the same username and password for you lab VM’s on you machine. All VM actions that interact with the OS of the VM require that VMware Tools are installed and that credentials are given to access the underlying OS.
@echo off
set Path=C:\Program Files (x86)\VMware\VMware VIX
if "%1"=="" (set /p file=Enter path of file to upload: ) else (set file="%1")
set /p target=Enter path and filename on VMs to upload:
for /F "delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (
echo uploading file %file% to %%i
vmrun -T ws -gu administrator -gp Newsystem01 copyFileFromHostToGuest "%%i" "%file%" "%target%"
)
set /p any=press any key ....
Now you can use this other script to run the executable on all windows hosts, a similar one can be made for Linux if you follow a naming conversion for your VM’s.
@echo off
set /p file=Enter path and filename of program to run:
set /p options=Enter options for program:
for /F "skip=1 delims=," %%i in ('vmrun list ^| %windir%\system32\find.exe "win"') do (
echo uploading file %file% to %%i
vmrun -T ws -gu administrator -gp Newsystem01 runProgramInGuest "%%i" "%file%" "%options%" msg.autoAnswer = TRUE
)
set /p any=press any key ....
I just showed some simple examples on automating workstation but this can also be done with VMware Server and ESX/ESXi by just changing the type in the –T flag to server or esx depending the target and giving the address to connect to with –h for the web address and –u for the host user and –p for the host password. The tool simply executes XMLRPC calls thru SSL against the servers. I encourage that you read the rest of the short documentation on vmrun and modify and play with the scripts I here showed as examples, you can transform this same script to batch and use them in OSX or Linux if you like.