VMware vsockets tools
Pedro Mendes da Silva
Independent Security Researcher
tagido@gmail.com
Abstract
VMware guest machines are able to communicate with their host using a special kind of
sockets called “vsockets”. These sockets can be used even if the typical TCP/IP network
protocols are not available at the guest. Since “vsockets” don't use the TCP/IP protocol
stack, they are not “visible” to common network testing and penetration testing tools. In
this paper we present a set of tools designed to provide a bridge between TCP/IP tools and
the “vsockets”. These tools can also be useful for learning “vsockets” behavior and
concepts.
I. INTRODUCTION
VMware guest machines are able to communicate with their host using a special
kind of sockets called “vsockets” [1]. These sockets can be used even if the
typical TCP/IP network protocols are not available at the guest. “vsockets” can be
used much the same way as TCP/IP sockets but using a different address family.
“vsockets” are also called “vmci sockets” because, at a lower level, they use a
virtual “vmci” device to communicate with the host. [2]
In older ESXi versions, prior to vSphere 5.1, it was also possible to use vsockets
to communicate between guests. This option was removed for security reasons.
Since “vsockets” don't use the TCP/IP protocol stack, they are not “visible” to
common network testing and penetration testing tools.
In this paper we present a set of new open-source tools designed to provide a
bridge between TCP/IP tools and the “vsockets”: vsockets_nc (similar to
“netcat”, plus tunneling and port scanning capabilities) and
vsockets_hostname (similar to “hostname”). [3]
These tools can also be useful for learning “vsockets” behavior and concepts, as
they allow setting up test clients and servers easily, using “vsockets”.
II. VSOCKETS_HOSTNAME
vsockets_hostname is similar to the unix utility “hostname” and returns the guest
or host machine's CID (context ID): a network address comparable to an IP address,
but valid only within the vsockets address family.
For example, running vsockets_hostname in a guest:
# vsockets_hostname
VMware vsockets environment properties
=======================================
VMware vmci address familly=40
VMware vmci is present
VMware vmci local CID=3669014335
Guest machine detected (CID=3669014335)
For example, running vsockets_hostname in a host:
# vsockets_hostname
VMware vsockets environment properties
=======================================
VMware vmci address familly=28
VMware vmci is present
VMware vmci local CID=2
VMware Hypervisor host machine detected (CID=2)
A CID of 2 identifies the host machine (VMADDR_CID_HOST in the vSockets API).
Note, however, that a guest connecting to the hypervisor must use CID=0
(VMADDR_CID_HYPERVISOR) and not CID=2, which is a bit odd; the port scans in
Section IV show the host-side service answering at CID 0 only.
Connections from the hypervisor to the guest should use the CID returned by
vsockets_hostname in the guest.
III. VSOCKETS_NC
vsockets_nc is a simple utility which reads and writes data across network
connections, using the vsockets connection-oriented protocol (VMware sockets for
host-guest communication, using the "vmci" device). It can run both on a guest
machine and on a host machine (i.e., the machine running the hypervisor).
It is designed to be a reliable "back-end" tool that can be used directly or
easily driven by other programs and scripts. At the same time, it is a feature-
rich vsockets network debugging and exploration tool, since it can create almost
any kind of connection you would need and has several interesting built-in
capabilities.
It is inspired by the "nc" TCP/IP utility and can be used in combination with it,
through the vsockets<=>TCP/IP tunnelling built into the tool.
In the simplest usage,
vsockets_nc -c <connect to CID> [-p <connect port>]
creates a vsockets connection to the given port on the given target CID.
The standard input is then sent to the host, and anything that comes back across
the connection is sent to your standard output, much like the well-known “nc”
utility.
vsockets_nc can also function as a server, by listening for inbound connections
on arbitrary ports and then doing the same reading and writing.
vsockets_nc doesn't really care if it runs in "client" or "server" mode -- it
shovels data back and forth until there isn't any more left. In either mode,
shutdown can be forced by Ctrl-C.
vsockets_nc can tunnel (forward) connections from the TCP/IP address family to
the vsockets address family. This can be very useful for integrating with existing
TCP/IP tools, such as nmap, telnet, OpenVAS and so on.
vsockets_nc can perform basic port scanning for vsockets open ports.
Command line options
  -c CID    Remote CID (address) to connect to
  -p port   Remote port to connect to
  -l port   Listen mode for inbound vsockets address family connections, on local port
  -i port   Listen mode for inbound IPv4 address family connections, on local port
  -t        Tunnel connections: inbound listen address => remote address
  -n        vsockets port scan mode: performs a port scan over vsockets ports
  -d        Print verbose debug information to stderr
Port scanning
It may be useful to know which ports are open and running services on a target
machine. The -n flag can be used to tell vsockets_nc to report open ports, rather
than initiate a connection.
For example:
$ vsockets_nc -c 2 -n
VMware vsockets environment properties
=======================================
VMware vmci address familly=28
VMware vmci is present
VMware vmci local CID=2
VMware Hypervisor host machine detected (CID=2)
Scanning vsocket ports for CID=3669014335...
-+-host port 4000 open
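The connect-scan logic behind the -n mode, as an added Python example (not code from the paper or from the vsockets_nc repository). It assumes Linux's AF_VSOCK family, whose value 40 matches the guest output above; scan_ports classifies each connect outcome the way a TCP connect scan would, and simulated_target is a constructed stand-in for a CID so the scan can be exercised without a hypervisor. Function names are the example's own.

```python
"""Connect scan of vsock ports: the idea behind `vsockets_nc -n -c <cid>`."""
import errno
import socket

# AF_VSOCK is 40 on Linux, the value the guest output above reports. The
# fallback only matters on platforms whose Python lacks the constant.
AF_VSOCK = getattr(socket, "AF_VSOCK", 40)


def vsock_connect(cid, port, timeout):
    """Real connector: open a stream vsocket to (cid, port); raise OSError on failure."""
    s = socket.socket(AF_VSOCK, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((cid, port))
    finally:
        s.close()


def scan_ports(cid, ports, timeout=1.0, connector=vsock_connect):
    """Return {port: state} for every port tried.

    open      connect completed, so something listens at (cid, port)
    closed    the CID answered but refused/reset: nothing listens there
    filtered  no answer within the timeout (also what a CID that serves
              nothing looks like, cf. CID 2 vs CID 0 in Section IV)
    error:X   any other OSError, with its errno name
    """
    results = {}
    for port in ports:
        try:
            connector(cid, port, timeout)
            results[port] = "open"
        except socket.timeout:
            results[port] = "filtered"
        except OSError as e:
            if e.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
                results[port] = "closed"
            else:
                results[port] = "error:" + errno.errorcode.get(e.errno, str(e.errno))
    return results


def open_ports(results):
    """Ports reported open, sorted, for a `-+-host port N open` style report."""
    return sorted(p for p, state in results.items() if state == "open")


def simulated_target(listening, silent=False):
    """Constructed stand-in for a CID so the scan runs without a hypervisor:
    refuses every port not in `listening`, or times out on all ports if `silent`."""
    def connector(cid, port, timeout):
        if silent:
            raise socket.timeout("no answer from CID %d" % cid)
        if port not in listening:
            raise ConnectionRefusedError(errno.ECONNREFUSED, "refused")
    return connector


if __name__ == "__main__":
    # Live scan of the hypervisor's well-known CID 0 (needs a VMware guest).
    for port in open_ports(scan_ports(0, range(1, 1025), timeout=0.2)):
        print("-+-host port %d open" % port)
```

The timeout is what separates "closed" from "filtered": a CID that exists but serves nothing (CID 2 seen from a guest, in Section IV) never answers, so a scan of it simply runs out of time on every port.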
Tunneling
It may be useful to tunnel connections while inspecting the connection contents.
The -t flag can be used to tell vsockets_nc to tunnel connections, rather than use
stdin and stdout.
Multiple tunneled connections for the same host at the same time are supported.
Example 1 ( vsockets to vsockets tunneling )
$ vsockets_nc -c 2 -p 976 -l 4000
In this example, vsockets_nc waits for vsockets connections on port 4000.
When a connection arrives, it connects to CID 2, port 976 and forwards data in
both directions.
Example 2 ( TCP/IP to vsockets tunneling )
$ vsockets_nc -c 2 -p 976 -i 4000
In this example, vsockets_nc waits for TCP/IP connections on port 4000.
When a connection arrives, it connects to CID 2, port 976 and forwards data in
both directions.
Any TCP/IP tool or application can connect to the TCP/IP port and be “virtually
connected” to the vsockets connection-oriented port, without needing to be ported
to “vsockets”.
For example, “nmap” can be used in such a scenario.
IV. PENETRATION TESTING
These tools can be used for penetration testing, as described in this section.
vsockets_nc port scanning
As described in the previous section, a penetration tester can use this tool to
check which ports are open on the guest or on the host.
# ./vsockets_nc -n -c 0
VMware vsockets environment properties
=======================================
VMware vmci address familly=40
VMware vmci is present
VMware vmci local CID=3669014335
Guest machine detected (CID=3669014335)
Scanning vsocket ports for CID=0...
-+-host port 976 open
# ./vsockets_nc -n -c 2
VMware vsockets environment properties
=======================================
VMware vmci address familly=40
VMware vmci is present
VMware vmci local CID=3669014335
Guest machine detected (CID=3669014335)
Scanning vsocket ports for CID=2...
# ./vsockets_nc -n -c 3669014335
VMware vsockets environment properties
=======================================
VMware vmci address familly=40
VMware vmci is present
VMware vmci local CID=3669014335
Guest machine detected (CID=3669014335)
Scanning vsocket ports for CID=3669014335...
#
After running this sequence, we have found that the host has port 976 open,
reachable from the guest at CID 0 (CID 2 and the guest's own CID show no open
ports). We could then proceed to further investigation.
NMAP + vsockets_nc tunnelling
After discovering which ports are open on the host or guest, a penetration tester
can set up TCP/IP to vsocket tunnels to those ports and then run NMAP to check if
the service is known.
For example:
1) Create the TCP/IP => vsocket tunnel (from TCP/IP port 976 to vsockets port 976 on CID 0)
# ./vsockets_nc -i 976 -c 0 -p 976 -t
VMware vsockets environment properties
=======================================
VMware vmci address familly=40
VMware vmci is present
VMware vmci local CID=3669014335
Guest machine detected (CID=3669014335)
2) Run nmap (or any other TCP/IP-based tool)
# nmap localhost -p 976 --version-all -sV
Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-10 11:11 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (-720s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE VERSION
976/tcp open vmware-guest-rpc VMware Guest RPC
Read from .: nmap-service-probes.
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 178.46 seconds
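The forwarding core of a TCP/IP => vsock tunnel such as the one in Example 2 of Section III and in step 1 above, as an added Python example (not the paper's or the vsockets_nc code). It assumes Linux's AF_VSOCK (value 40, as in the guest output) and the vSockets constants VMADDR_CID_HYPERVISOR=0 and VMADDR_CID_HOST=2; tunnel_demo substitutes a TCP echo server for the vsock side so the bridge can be exercised on any machine. Function names are the example's own.

```python
"""TCP <-> vsock bridge: the forwarding core behind a vsockets_nc -t tunnel."""
import select
import socket
import threading

# AF_VSOCK is 40 on Linux (the value in the guest output above). In the vSockets
# API, CID 0 is VMADDR_CID_HYPERVISOR and CID 2 is VMADDR_CID_HOST.
AF_VSOCK = getattr(socket, "AF_VSOCK", 40)
VMADDR_CID_HYPERVISOR = 0
VMADDR_CID_HOST = getattr(socket, "VMADDR_CID_HOST", 2)


def relay(a, b, bufsize=4096):
    """Shovel bytes both ways until both directions hit EOF, then close both.
    EOF on one side is passed on as shutdown(SHUT_WR), so a client that has
    finished sending still receives the server's complete reply."""
    peer, readers = {a: b, b: a}, [a, b]
    try:
        while readers:
            ready, _, _ = select.select(readers, [], [])
            for s in ready:
                data = s.recv(bufsize)
                if data:
                    peer[s].sendall(data)
                    continue
                readers.remove(s)                 # EOF in this direction
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass                          # other side already gone
    finally:
        a.close()
        b.close()


def serve_tunnel(listener, upstream_family, upstream_addr):
    """Accept on `listener`; each client gets a fresh upstream connection and
    its own relay thread, so several tunnelled connections can run at once.
    TCP listener + AF_VSOCK upstream is `vsockets_nc -i <tcp> -c <cid> -p <port>
    -t`: TCP tools talk to the loopback port, the bridge talks vsock."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return                                # listener closed: stop serving
        upstream = socket.socket(upstream_family, socket.SOCK_STREAM)
        try:
            upstream.connect(upstream_addr)
        except OSError:
            client.close()                        # nothing listening upstream
            upstream.close()
            continue
        threading.Thread(target=relay, args=(client, upstream), daemon=True).start()


def recv_until_eof(sock):
    """Read until the peer's EOF (used by the demo's echo server and client)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk


def tunnel_demo():
    """End-to-end check with TCP standing in for the vsock side, so it runs
    without a hypervisor: client -> tunnel on 127.0.0.1 -> upper-casing echo."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(recv_until_eof(conn).upper())
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=echo_once, daemon=True).start()
    threading.Thread(target=serve_tunnel, daemon=True,
                     args=(listener, socket.AF_INET, echo.getsockname())).start()
    with socket.create_connection(listener.getsockname(), timeout=5) as cli:
        cli.sendall(b"ping via tunnel")
        cli.shutdown(socket.SHUT_WR)
        reply = recv_until_eof(cli)
    listener.close()
    echo.close()
    return reply


if __name__ == "__main__":                        # live use inside a VMware guest
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind(("127.0.0.1", 976))                  # loopback only: binding 0.0.0.0
    lsn.listen(8)                                 # would hand the guest<->host
    serve_tunnel(lsn, AF_VSOCK, (VMADDR_CID_HYPERVISOR, 976))  # channel to the LAN
```

Run inside a guest, the `__main__` block listens on 127.0.0.1:976 and forwards each connection to CID 0 port 976, so `nmap localhost -p 976 -sV` behaves as in step 2. Keep the TCP side bound to loopback: a bridge listening on all interfaces turns a channel that is normally reachable only from inside the VM into a network service.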
NMAP signature for VMware Guest RPC
As some VMware-specific services based on vsockets may not be known to NMAP, we
have determined a signature that can be appended to the NMAP probe list
(nmap-service-probes) for detecting the “VMware Guest RPC” service. This
signature could be included in a future NMAP version.
Probe TCP VMwareGuestRPC q|\x00\x00\x00\x2D\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x11\x64\x69\x73\x6B\x2E\x77\x69\x70\x65\x72\x2E\x65\x6E\x61\x62\x6C\x65|
# Wait for at least 5 seconds for data. Otherwise an Nmap default is used.
totalwaitms 5000
match vmware-guest-rpc m|\x00\x00\x00\x0F\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x03\x31\x20\x31|s p/VMware Guest RPC/
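An added Python example (not from the paper or the vsockets tools) that encodes and decodes the frame shape inferred from the two byte strings above and re-emits raw bytes in the \xNN form that nmap-service-probes expects, so a captured request/reply pair can be turned into a Probe/match entry like the one shown. The framing (outer u32 length, opaque u32 words, u32 length-prefixed string) is an inference from these two strings only; the field meanings are not documented here and the names are the example's own.

```python
"""Frame codec for the VMware Guest RPC probe/match bytes above, plus the
\\xNN escaping that nmap-service-probes expects."""
import struct

# The two byte strings from the signature above, unescaped: PROBE is the request
# nmap sends ("disk.wiper.enable"), MATCH is the reply the service gave ("1 1").
PROBE = bytes.fromhex("0000002d 00000001 00000001 00000001 00000000 00000002 "
                      "00000002 00000011") + b"disk.wiper.enable"
MATCH = bytes.fromhex("0000000f 00000002 00000002 00000003") + b"1 1"


def encode_frame(words, payload):
    """Frame shape inferred from PROBE/MATCH: u32 big-endian length of what
    follows, then u32 words (opaque here; their meaning is not documented on
    this page), then a u32 length-prefixed byte string."""
    body = b"".join(struct.pack(">I", w) for w in words)
    body += struct.pack(">I", len(payload)) + payload
    return struct.pack(">I", len(body)) + body


def decode_frame(data):
    """Inverse of encode_frame; returns (words, payload). The first word equal
    to the remaining byte count is taken as the string length (both frames on
    the page fit this; a coincidental earlier match would mis-split). Raises
    ValueError if the outer length is wrong or no such word exists."""
    if len(data) < 4 or struct.unpack(">I", data[:4])[0] != len(data) - 4:
        raise ValueError("outer length does not match frame size")
    words, pos = [], 4
    while pos + 4 <= len(data):
        (w,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        if w == len(data) - pos:          # this word is the trailing string's length
            return words, data[pos:]
        words.append(w)
    raise ValueError("no string length field before end of frame")


def is_valid_frame(data):
    """True if decode_frame accepts the bytes (e.g. to reject a truncated reply)."""
    try:
        decode_frame(data)
        return True
    except ValueError:
        return False


def nmap_escape(data):
    """Render bytes as the \\xNN run used inside q|...| and m|...| above."""
    return "".join("\\x%02X" % b for b in data)


def probe_entry(name, req_words, command, service, rep_words, reply, product,
                waitms=5000):
    """A minimal nmap-service-probes entry built from a request/reply pair;
    totalwaitms is raised to 5 s as the signature above does."""
    return "\n".join([
        "Probe TCP %s q|%s|" % (name, nmap_escape(encode_frame(req_words, command))),
        "totalwaitms %d" % waitms,
        "match %s m|%s|s p/%s/" % (service, nmap_escape(encode_frame(rep_words, reply)),
                                   product),
    ])
```

Because every byte is emitted as \xNN, the match side needs no regex escaping even when the reply contains characters such as "." that are metacharacters in nmap's PCRE syntax.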
V. CONCLUSION & FUTURE WORK
Some interesting future enhancements could include:
- Support for datagram (connectionless) vsockets; currently only connection-oriented sockets are supported by the tool
- Support for IPv6; currently only IPv4 is supported
- A port to Mac OS X; currently only Linux and Windows are supported
- vsockets performance testing
- Deeper integration with NMAP
ACKNOWLEDGMENTS
The manual page was written by Pedro Mendes da Silva, based on the man page
for "nc" written by Joey Hess <joeyh@debian.org> and Robert Woodcock
<rcw@debian.org>, cribbing heavily from Netcat's README file.
"vsockets_nc" was written by Pedro Mendes da Silva <tagido@gmail.com>.
REFERENCES
[1] vSockets Programming Guide, VMware, Inc., http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/ws9_esx60_vmci_sockets.pdf
[2] VMCI Socket Performance, Performance Study, VMware, Inc., http://www.vmware.com/pdf/vsp_4_VMCI_socket_perf.pdf
[3] vsockets tools repository, https://bitbucket.org/tagido/vsockets-tools/downloads
[4] NMAP Docs, https://nmap.org/docs.html
