Host Security Research Series: Identifying Linux Virtual Machine Environments

2023-06-14 06:01:46

|-- When an enterprise adversary-simulation (蓝军) team lands on a Linux server, identifying the environment the host is running in is the first and the most important step of offensive security research

Background knowledge:

  • Linux host commands
  • KVM virtualization
  • Docker containers
  • Hypervisors
  • OpenStack


With some of these basics in hand, you can draw on your own working experience and on the fingerprints that virtual machines leave behind to identify whether a Linux host or cloud host is physical, virtualized or containerized

Straight to the point

Command 1

cat /proc/cpuinfo


  # The output of this command lists the CPU's attributes; the value of the flags field is what a researcher should look at first


[root@ecm-0090 ~]# cat /proc/cpuinfo
      processor       : 0
      vendor_id       : GenuineIntel
      cpu family      : 6
      model           : 85
      model name      : Intel Xeon Processor (Cascadelake)
      stepping        : 5
      microcode       : 0x1
      cpu MHz         : 2992.968
      cache size      : 16384 KB
      physical id     : 0
      siblings        : 1
      core id         : 0
      cpu cores       : 1
      apicid          : 0
      initial apicid  : 0
      fpu             : yes
      fpu_exception   : yes
      cpuid level     : 13
      wp              : yes
      flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities
      bogomips        : 5985.93
      clflush size    : 64
      cache_alignment : 64
      address sizes   : 46 bits physical, 48 bits virtual
      power management:


    The flags field lists the features the CPU exposes; the next step is to search it for the hypervisor bit. That bit is CPUID leaf 1, ECX bit 31, which real CPUs leave clear and which a hypervisor sets for its guests. Two caveats: a hypervisor can deliberately hide it (QEMU does so with -cpu host,-hypervisor), so its absence does not prove physical hardware; and a container shares the host kernel, so /proc/cpuinfo read inside a container describes the host (or the VM the host runs on), not the container itself

grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor


    # Searching for the keyword saves time and locates it directly; the command below highlights the "hypervisor" keyword in red

[root@ecm-0090 ~]# grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities
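The check above as a reusable function, added here as an example and not part of the original post: it takes the path of a cpuinfo file (a captured copy or the live /proc/cpuinfo), requires the hypervisor bit on every CPU rather than on one line, and also pulls out the model name, since QEMU's synthetic CPU model names (like the "Intel Xeon Processor (Cascadelake)" in the dump above) are a tell in their own right. The two sample files are constructed, with abbreviated flag lists. On a live host, lscpu's "Hypervisor vendor:" line reads the same bit and adds the vendor signature from CPUID leaf 0x40000000, which is the quicker look.

```shell
#!/bin/sh
# Added example, not from the original post: decide from /proc/cpuinfo alone
# whether the kernel sees a hypervisor. Takes a file path so it also works on
# a captured copy collected from another host.

# cpuinfo_classify FILE
#   prints "vm" and returns 0 when every CPU's flags line carries the
#   hypervisor bit (CPUID.1:ECX[31]); prints "bare-metal-or-hidden" and
#   returns 1 otherwise. The name is deliberate: the bit can be masked by the
#   hypervisor, so a negative result is not proof of physical hardware.
cpuinfo_classify() {
    f=${1:-/proc/cpuinfo}
    total=$(grep -c '^flags' "$f" 2>/dev/null || true)
    total=${total:-0}
    with_hv=$(grep '^flags' "$f" 2>/dev/null | grep -cw hypervisor || true)
    if [ "$total" -gt 0 ] && [ "$with_hv" -eq "$total" ]; then
        echo vm
        return 0
    fi
    echo bare-metal-or-hidden
    return 1
}

# cpuinfo_model FILE
#   prints the first "model name" value. QEMU/KVM guests show a named CPU
#   model such as "Intel Xeon Processor (Cascadelake)" instead of the retail
#   SKU string a physical CPU reports.
cpuinfo_model() {
    f=${1:-/proc/cpuinfo}
    sed -n 's/^model name[[:space:]]*: //p' "$f" | head -n 1
}

# Constructed sample inputs (two CPUs each, flag lists abbreviated).
tmp=$(mktemp -d)
cat > "$tmp/vm.txt" <<'EOF'
processor       : 0
model name      : Intel Xeon Processor (Cascadelake)
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep rdrand hypervisor lahf_lm
processor       : 1
model name      : Intel Xeon Processor (Cascadelake)
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep rdrand hypervisor lahf_lm
EOF
cat > "$tmp/metal.txt" <<'EOF'
processor       : 0
model name      : Intel(R) Xeon(R) Gold 6248 CPU @ 2.50GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep rdrand lahf_lm
processor       : 1
model name      : Intel(R) Xeon(R) Gold 6248 CPU @ 2.50GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep rdrand lahf_lm
EOF

for s in vm metal; do
    printf '%s: %s (%s)\n' "$s" "$(cpuinfo_classify "$tmp/$s.txt")" "$(cpuinfo_model "$tmp/$s.txt")"
done
```

Run it with no argument on the target to read the live /proc/cpuinfo, or point it at a file copied off the host during evidence collection.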

 

Once the host is confirmed to be a virtual machine, the researcher can go a step further and identify the type of virtualization


systemd-detect-virt

"systemd-detect-virt detects whether the system is running in a virtualized environment and, further, which kind of virtualization it is, for example which virtual machine or which container."

The following table is quoted:

Type        ID              Product
VM          qemu            QEMU software virtual machine (without KVM)
            kvm             Linux KVM kernel virtual machine (hypervisors other than Oracle VirtualBox)
            zvm             s390 z/VM
            vmware          VMware virtual machine
            microsoft       Hyper-V virtual machine
            oracle          Oracle VirtualBox virtual machine
            xen             Xen virtual machine (domU only, not dom0)
            bochs           Bochs emulator
            uml             User-mode Linux
            parallels       Parallels Desktop, Parallels Server
            bhyve           bhyve, FreeBSD hypervisor
            qnx             QNX hypervisor
Container   openvz          OpenVZ/Virtuozzo
            lxc             LXC container
            lxc-libvirt     container implemented through libvirt
            systemd-nspawn  systemd minimal container
            docker          Docker container
            rkt             rkt application container

来源:https://www.wenjiangs.com/doc/systemd-systemd-detect-virt

  [root@ecm-0090 ~]# systemd-detect-virt
  kvm

The researcher can decide by matching the actual test output against the table quoted above. Three points matter when scripting this. The table comes from an older systemd; newer releases add IDs such as amazon (EC2 Nitro), google and podman, so an unfamiliar ID is not an error. The tool prints none and exits non-zero on bare metal, so its exit status can drive a script (--quiet suppresses the output). And when a container runs inside a VM, the container ID is what gets printed: use --vm to ask only about the hardware layer and --container only about the container layer.

Command 2

[root@ecm-0090 ~]# dmidecode
        # dmidecode 3.1
        Getting SMBIOS data from sysfs.
        SMBIOS 2.8 present.
        9 structures occupying 474 bytes.
        Table at 0x000F5A70.

        Handle 0x0000, DMI type 0, 24 bytes
        BIOS Information
                Vendor: SeaBIOS
                Version: 1.13.0-2.ctl2
                Release Date: 04/01/2014
                Address: 0xE8000
                Runtime Size: 96 kB
                ROM Size: 64 kB
                Characteristics:
                        BIOS characteristics not supported
                        Targeted content distribution is supported
                BIOS Revision: 0.0

        Handle 0x0100, DMI type 1, 27 bytes
        System Information
                Manufacturer: %{distro}
                Product Name: OpenStack Compute
                Version: 17.0.3-1.ctl2
                Serial Number: c7bcb18b-642f-0496-e611-b8cf62e64dcb
                UUID: af19741c-f634-4d92-9f7e-8dabcf558ee3
                Wake-up Type: Power Switch
                SKU Number: Not Specified
                Family: Virtual Machine

        Handle 0x0300, DMI type 3, 22 bytes
        Chassis Information
                Manufacturer: Red Hat
                Type: Other
                Lock: Not Present
                Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Boot-up State: Safe
                Power Supply State: Safe
                Thermal State: Safe
                Security Status: Unknown
                OEM Information: 0x00000000
                Height: Unspecified
                Number Of Power Cords: Unspecified
                Contained Elements: 0
                SKU Number: Not Specified

        Handle 0x0400, DMI type 4, 42 bytes
        Processor Information
                Socket Designation: CPU 0
                Type: Central Processor
                Family: Other
                Manufacturer: Red Hat
                ID: 55 06 05 00 FF FB 8B 0F
                Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
                Voltage: Unknown
                External Clock: Unknown
                Max Speed: 2000 MHz
                Current Speed: 2000 MHz
                Status: Populated, Enabled
                Upgrade: Other
                L1 Cache Handle: Not Provided
                L2 Cache Handle: Not Provided
                L3 Cache Handle: Not Provided
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Part Number: Not Specified
                Core Count: 1
                Core Enabled: 1
                Thread Count: 1
                Characteristics: None

        Handle 0x1000, DMI type 16, 23 bytes
        Physical Memory Array
                Location: Other
                Use: System Memory
                Error Correction Type: Multi-bit ECC
                Maximum Capacity: 2 GB
                Error Information Handle: Not Provided
                Number Of Devices: 1

        Handle 0x1100, DMI type 17, 40 bytes
        Memory Device
                Array Handle: 0x1000
                Error Information Handle: Not Provided
                Total Width: Unknown
                Data Width: Unknown
                Size: 2048 MB
                Form Factor: DIMM
                Set: None
                Locator: DIMM 0
                Bank Locator: Not Specified
                Type: RAM
                Type Detail: Other
                Speed: Unknown
                Manufacturer: Red Hat
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Part Number: Not Specified
                Rank: Unknown
                Configured Clock Speed: Unknown
                Minimum Voltage: Unknown
                Maximum Voltage: Unknown
                Configured Voltage: Unknown

        Handle 0x1300, DMI type 19, 31 bytes
        Memory Array Mapped Address
                Starting Address: 0x00000000000
                Ending Address: 0x0007FFFFFFF
                Range Size: 2 GB
                Physical Array Handle: 0x1000
                Partition Width: 1

        Handle 0x2000, DMI type 32, 11 bytes
        System Boot Information
                Status: No errors detected

        Handle 0x7F00, DMI type 127, 4 bytes
        End Of Table

        # dmidecode -s system-product-name takes a string keyword and prints only that item's value to the terminal

[root@ecm-0090 ~]# dmidecode -s system-product-name
OpenStack Compute
[root@ecm-0090 ~]# dmidecode -s
dmidecode: option requires an argument -- 's'
String keyword expected
Valid string keywords are:
  bios-vendor
  bios-version
  bios-release-date
  system-manufacturer
  system-product-name
  system-version
  system-serial-number
  system-uuid
  system-family
  baseboard-manufacturer
  baseboard-product-name
  baseboard-version
  baseboard-serial-number
  baseboard-asset-tag
  chassis-manufacturer
  chassis-type
  chassis-version
  chassis-serial-number
  chassis-asset-tag
  processor-family
  processor-manufacturer
  processor-version
  processor-frequency

The keywords above are the available options; for locating a VM environment, system-product-name is the key one. Read together, the dump above is a textbook QEMU/KVM guest: BIOS vendor SeaBIOS (QEMU's default firmware), chassis and processor manufacturer Red Hat, the machine type "RHEL 7.6.0 PC (i440FX + PIIX, 1996)", product name OpenStack Compute with Family "Virtual Machine" (values that OpenStack Nova writes into the instance's SMBIOS through libvirt), and a system Manufacturer of "%{distro}", an RPM packaging macro that was never expanded, itself a sign of distro-packaged OpenStack. This agrees with the kvm result from systemd-detect-virt. Two caveats: dmidecode needs root because it reads the raw SMBIOS table, but the same strings are exported under /sys/class/dmi/id/ (product_name, sys_vendor, bios_vendor and chassis_vendor are readable by any user; product_serial and product_uuid only by root), so a low-privilege shell is not a blocker. And these strings are written by the hypervisor's virtual firmware, so a platform owner who wants to hide them can overwrite them (QEMU's -smbios option does exactly that); treat a clean-looking vendor string as weak evidence, never as proof of physical hardware.
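A DMI-based classifier, added here as an example and not part of the original post or of systemd: it reads the three world-readable SMBIOS strings from /sys/class/dmi/id and maps them to an ID in the style of systemd-detect-virt, which makes it both a fallback for hosts without systemd-detect-virt and a no-root alternative to dmidecode. The vendor strings in the case table are the values these platforms are known to present, but they are an assumption of this example and drift between hypervisor versions; the sample directories are constructed, the first one modelled on the dmidecode dump above.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the platform from the
# SMBIOS strings the kernel exports under /sys/class/dmi/id. Needs no root:
# sys_vendor, product_name and bios_vendor are world-readable (the serial and
# UUID files are root-only). DIR is a parameter so the classifier can be
# exercised on a constructed tree.

# dmi_field DIR NAME: the file's content, or "" if it is absent/unreadable.
dmi_field() {
    cat "$1/$2" 2>/dev/null || true
}

# dmi_classify DIR: print an ID in the spirit of systemd-detect-virt.
# The match strings are the values these platforms are known to present; they
# are an assumption of this example, so a miss means "unknown", never "physical".
dmi_classify() {
    d=${1:-/sys/class/dmi/id}
    all="$(dmi_field "$d" sys_vendor)|$(dmi_field "$d" product_name)|$(dmi_field "$d" bios_vendor)"
    case "$all" in
        *"OpenStack Compute"*|*"OpenStack Nova"*)   echo kvm-openstack ;;   # Nova-populated guest, as in the dump above
        *VMware*)                                    echo vmware ;;
        *VirtualBox*|*"innotek GmbH"*)               echo oracle ;;
        *"Microsoft Corporation|Virtual Machine"*)   echo microsoft ;;       # Hyper-V / Azure
        *"Amazon EC2"*)                              echo amazon ;;          # EC2 Nitro
        *"Google Compute Engine"*)                   echo google ;;
        *"Alibaba Cloud"*)                           echo alibaba ;;
        *"HVM domU"*|*Xen*)                          echo xen ;;             # Xen guests, older EC2
        *QEMU*|*KVM*|*"Standard PC ("*|*"Red Hat"*|*SeaBIOS*) echo kvm ;;   # generic QEMU/KVM firmware strings
        *)                                           echo unknown ;;
    esac
}

# detect_virt: prefer systemd-detect-virt when installed, else the DMI fallback.
detect_virt() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt || true    # prints "none" and exits 1 on bare metal
    else
        dmi_classify
    fi
}

# Constructed sample trees standing in for /sys/class/dmi/id on four hosts.
base=$(mktemp -d)
mk() {   # mk NAME SYS_VENDOR PRODUCT_NAME BIOS_VENDOR
    mkdir -p "$base/$1"
    printf '%s\n' "$2" > "$base/$1/sys_vendor"
    printf '%s\n' "$3" > "$base/$1/product_name"
    printf '%s\n' "$4" > "$base/$1/bios_vendor"
}
mk openstack 'Red Hat' 'OpenStack Compute' 'SeaBIOS'
mk vmware    'VMware, Inc.' 'VMware Virtual Platform' 'Phoenix Technologies LTD'
mk hyperv    'Microsoft Corporation' 'Virtual Machine' 'Microsoft Corporation'
mk dell      'Dell Inc.' 'PowerEdge R740' 'Dell Inc.'

for h in openstack vmware hyperv dell; do
    printf '%-10s %s\n' "$h" "$(dmi_classify "$base/$h")"
done
printf 'this host:  %s\n' "$(detect_virt)"
```

The order of the case branches matters: the OpenStack and cloud-vendor strings are tested before the generic QEMU/KVM ones, otherwise an OpenStack instance would be reported as plain kvm.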

Command 3

  command -v docker
  command -v lxc
  command -v rkt
  command -v kubectl
  command -v podman
  command -v runc


  The commands above are a simple check for container-related ELF binaries. Output means the corresponding runtime or client is installed on this host, which tells you the host runs or manages containers of that kind; it does not by itself mean the current shell is inside a container, since a container image normally does not ship the runtime, and command -v only searches PATH

  # Containers leave many more fingerprints: special process names, marker files such as /.dockerenv, and, with a little more experience, an overlay filesystem mounted as the root in the mount table, or a Docker socket (/var/run/docker.sock) mounted into the container
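A check for the inside-a-container question, added here as an example and not part of the original post. It applies the fingerprints just listed (marker file, PID 1's cgroup, PID 1's environment, overlay root, Docker socket) to a root directory passed as a parameter, so it can be run on a constructed tree; on a live host call it with no argument. The four sample trees are constructed. The cgroup-v2 tree shows the failure mode worth knowing: inside the container /proc/1/cgroup reads just 0::/, so the cgroup check alone says nothing and the mount table has to carry the decision.

```shell
#!/bin/sh
# Added example, not part of the original post: answer "is this shell inside a
# container?" from in-container fingerprints, not from which runtime binaries
# are on PATH. ROOT is a directory prefix (empty = the real root) so the same
# function runs against a constructed tree.

# container_classify ROOT: print the runtime recognised (docker, podman,
# kubernetes, containerd, lxc, the value of container=, or overlay-root) and
# return 0; print "none" and return 1 if nothing matched.
container_classify() {
    r=${1:-}
    # 1. Marker files the runtimes drop into the image root.
    [ -e "$r/.dockerenv" ]        && { echo docker; return 0; }
    [ -e "$r/run/.containerenv" ] && { echo podman; return 0; }
    # 2. cgroup of PID 1 (PID 1 rather than $$, so a shell on a container
    #    *host* whose own cgroup mentions docker.service is not misread).
    #    Under cgroup v1 the path names the runtime; under cgroup v2 it is
    #    usually a bare "0::/" inside the container, hence the later checks.
    cg=$(cat "$r/proc/1/cgroup" 2>/dev/null || true)
    case "$cg" in
        *kubepods*)   echo kubernetes; return 0 ;;
        *docker*)     echo docker;     return 0 ;;
        *containerd*) echo containerd; return 0 ;;
        */lxc/*)      echo lxc;        return 0 ;;
    esac
    # 3. systemd-nspawn, LXC and podman export container=<name> to PID 1.
    #    /proc/1/environ is NUL-separated; tr makes it line-oriented.
    name=$(cat "$r/proc/1/environ" 2>/dev/null | tr '\0' '\n' | sed -n 's/^container=//p' | head -n 1)
    [ -n "$name" ] && { echo "$name"; return 0; }
    # 4. An overlay filesystem mounted on / is the usual image root.
    if grep -q '^overlay / overlay' "$r/proc/mounts" 2>/dev/null; then
        echo overlay-root
        return 0
    fi
    echo none
    return 1
}

# docker_socket_mounted ROOT: a Docker socket bind-mounted into a container is
# worth flagging on its own, since whoever can talk to it controls the host daemon.
docker_socket_mounted() {
    [ -S "${1:-}/var/run/docker.sock" ] || [ -S "${1:-}/run/docker.sock" ]
}

# Constructed sample trees (not captured from real hosts).
base=$(mktemp -d)
mktree() {  # mktree NAME CGROUP_LINE MOUNTS_LINE ENVIRON_LINE
    mkdir -p "$base/$1/proc/1"
    printf '%s\n' "$2" > "$base/$1/proc/1/cgroup"
    printf '%s\n' "$3" > "$base/$1/proc/mounts"
    printf '%s\n' "$4" > "$base/$1/proc/1/environ"   # newline-separated stand-in for the NUL-separated original
}
mktree docker '12:pids:/docker/4c1a9d2e7f3b' 'overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB 0 0' 'PATH=/usr/bin'
: > "$base/docker/.dockerenv"
mktree lxc    '11:memory:/lxc/web01' '/dev/mapper/vg-web01 / ext4 rw,relatime 0 0' 'container=lxc'
mktree cgv2   '0::/' 'overlay / overlay rw,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/12/fs 0 0' 'PATH=/usr/bin'
mktree host   '0::/init.scope' '/dev/sda1 / ext4 rw,relatime 0 0' 'PATH=/usr/bin'

for h in docker lxc cgv2 host; do
    printf '%-7s %s\n' "$h" "$(container_classify "$base/$h")"
done
```

Combine it with the DMI and cpuinfo checks rather than replacing them: a result of docker here says nothing about whether the container's host is itself a VM, which is exactly the layering systemd-detect-virt's --vm and --container options separate.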

 

This article is for research reference only and is not guidance for live operations.

Author: S4nM1 (3 articles | 0 followers)
From the personal column: 安全技术研究 (1 article | 1 subscriber)