Host Security Research Series: Identifying a Linux Virtual Machine Environment
When the enterprise "blue army" (the in-house adversary-simulation team) lands on a Linux server, identifying the environment the host runs in is the first and most important step of attack-and-defense research.
Background knowledge:
- Linux host commands
- KVM virtualization
- Docker containers
- Hypervisors
- OpenStack
With some of the basics above, you can identify a Linux host / cloud host environment from your own working experience together with the characteristic signatures of virtual machines.
Straight to the point.
Command 1
cat /proc/cpuinfo
# The output of this command lists the CPU's attributes; the flags field is the first thing the researcher should look at
[root@ecm-0090 ~]# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel Xeon Processor (Cascadelake)
stepping : 5
microcode : 0x1
cpu MHz : 2992.968
cache size : 16384 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities
bogomips : 5985.93
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:
The flags field lists the features the CPU supports; next, search the flags field directly for the hypervisor bit.
grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor
# Searching for a keyword saves time and locates the result directly; the following command highlights the "hypervisor" keyword in red
[root@ecm-0090 ~]# grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities
Once the host is confirmed to be a virtual machine, the researcher can go one step further and identify the type of virtual machine.
systemd-detect-virt
"systemd-detect-virt detects whether the system is running in a virtualized environment and, further, which kind of virtualization it is, for example which virtual machine or which container technology."
The following table is quoted:
Type | ID | Product
---|---|---
Virtual machine | qemu | QEMU software virtual machine (without KVM)
 | kvm | Linux kernel virtual machine (any hypervisor other than Oracle VirtualBox)
 | zvm | s390 z/VM
 | vmware | VMware virtual machine
 | microsoft | Hyper-V virtual machine
 | oracle | Oracle VirtualBox virtual machine
 | xen | Xen virtual machine (domU only, not dom0)
 | bochs | Bochs emulator
 | uml | User-mode Linux
 | parallels | Parallels Desktop, Parallels Server
 | bhyve | bhyve, FreeBSD hypervisor
 | qnx | QNX hypervisor
Container | openvz | OpenVZ/Virtuozzo
 | lxc | LXC container
 | lxc-libvirt | Container implemented through libvirt
 | systemd-nspawn | systemd minimal container
 | | Docker container
 | rkt | rkt application container
Source: https://www.wenjiangs.com/doc/systemd-systemd-detect-virt
[root@ecm-0090 ~]# systemd-detect-virt
kvm
The researcher can compare the actual test output against the quoted table above to make the determination.
Command 2
[root@ecm-0090 ~]# dmidecode
# dmidecode 3.1
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
9 structures occupying 474 bytes.
Table at 0x000F5A70.
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
Vendor: SeaBIOS
Version: 1.13.0-2.ctl2
Release Date: 04/01/2014
Address: 0xE8000
Runtime Size: 96 kB
ROM Size: 64 kB
Characteristics:
BIOS characteristics not supported
Targeted content distribution is supported
BIOS Revision: 0.0
Handle 0x0100, DMI type 1, 27 bytes
System Information
Manufacturer: %{distro}
Product Name: OpenStack Compute
Version: 17.0.3-1.ctl2
Serial Number: c7bcb18b-642f-0496-e611-b8cf62e64dcb
UUID: af19741c-f634-4d92-9f7e-8dabcf558ee3
Wake-up Type: Power Switch
SKU Number: Not Specified
Family: Virtual Machine
Handle 0x0300, DMI type 3, 22 bytes
Chassis Information
Manufacturer: Red Hat
Type: Other
Lock: Not Present
Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
Serial Number: Not Specified
Asset Tag: Not Specified
Boot-up State: Safe
Power Supply State: Safe
Thermal State: Safe
Security Status: Unknown
OEM Information: 0x00000000
Height: Unspecified
Number Of Power Cords: Unspecified
Contained Elements: 0
SKU Number: Not Specified
Handle 0x0400, DMI type 4, 42 bytes
Processor Information
Socket Designation: CPU 0
Type: Central Processor
Family: Other
Manufacturer: Red Hat
ID: 55 06 05 00 FF FB 8B 0F
Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
Voltage: Unknown
External Clock: Unknown
Max Speed: 2000 MHz
Current Speed: 2000 MHz
Status: Populated, Enabled
Upgrade: Other
L1 Cache Handle: Not Provided
L2 Cache Handle: Not Provided
L3 Cache Handle: Not Provided
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Core Count: 1
Core Enabled: 1
Thread Count: 1
Characteristics: None
Handle 0x1000, DMI type 16, 23 bytes
Physical Memory Array
Location: Other
Use: System Memory
Error Correction Type: Multi-bit ECC
Maximum Capacity: 2 GB
Error Information Handle: Not Provided
Number Of Devices: 1
Handle 0x1100, DMI type 17, 40 bytes
Memory Device
Array Handle: 0x1000
Error Information Handle: Not Provided
Total Width: Unknown
Data Width: Unknown
Size: 2048 MB
Form Factor: DIMM
Set: None
Locator: DIMM 0
Bank Locator: Not Specified
Type: RAM
Type Detail: Other
Speed: Unknown
Manufacturer: Red Hat
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Rank: Unknown
Configured Clock Speed: Unknown
Minimum Voltage: Unknown
Maximum Voltage: Unknown
Configured Voltage: Unknown
Handle 0x1300, DMI type 19, 31 bytes
Memory Array Mapped Address
Starting Address: 0x00000000000
Ending Address: 0x0007FFFFFFF
Range Size: 2 GB
Physical Array Handle: 0x1000
Partition Width: 1
Handle 0x2000, DMI type 32, 11 bytes
System Boot Information
Status: No errors detected
Handle 0x7F00, DMI type 127, 4 bytes
End Of Table
# dmidecode -s system-product-name accepts a keyword argument and prints only the value of the system-product-name field to the terminal
[root@ecm-0090 ~]# dmidecode -s system-product-name
OpenStack Compute
[root@ecm-0090 ~]# dmidecode -s
dmidecode: option requires an argument -- 's'
String keyword expected
Valid string keywords are:
bios-vendor
bios-version
bios-release-date
system-manufacturer
system-product-name
system-version
system-serial-number
system-uuid
system-family
baseboard-manufacturer
baseboard-product-name
baseboard-version
baseboard-serial-number
baseboard-asset-tag
chassis-manufacturer
chassis-type
chassis-version
chassis-serial-number
chassis-asset-tag
processor-family
processor-manufacturer
processor-version
processor-frequency
The keywords above are the available options; for locating the virtual machine environment, system-product-name is the critical one.
Command 3
command -v docker
command -v lxc
command -v rkt
command -v kubectl
command -v podman
command -v runc
The commands above are simple checks for container-related ELF binaries; if one of them produces output, the host can be judged to be using the corresponding container technology.
# Container signatures are relatively abundant: they can be recognised from distinctive process names, from marker files such as .dockerenv, and, with more experience, directly from the overlay filesystem in the mount/partition layout or by searching for a Docker socket connection.
This article is for research reference only and does not provide guidance for real-world operations.
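The three checks above combined into one inventory script, as an added example that is not part of the original post: it reads the hypervisor CPU flag, the SMBIOS product name and the container markers below a root prefix (a constructed directory tree or the live /), so a defender can confirm which environment a hardening baseline or detection rule actually applies to. The sysfs path /sys/class/dmi/id/product_name and the overlay root-mount heuristic are assumptions of this example, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Combines the signals the post walks
# through (hypervisor CPU flag, SMBIOS product name, container markers) into one
# environment classification. All probes read below a root prefix so the logic
# can be exercised against a constructed directory tree as well as the live "/".

has_hypervisor_flag() {
    # $1: a /proc/cpuinfo-style file. True when the CPUID "hypervisor" flag is set.
    grep '^flags' "$1" 2>/dev/null | grep -qw hypervisor
}

product_name() {
    # $1: root prefix. Same SMBIOS field as `dmidecode -s system-product-name`,
    # read via sysfs (assumed path) so it works without root privileges.
    cat "$1/sys/class/dmi/id/product_name" 2>/dev/null
}

in_container() {
    # $1: root prefix. Prints the container hint found and returns 0, else 1.
    if [ -f "$1/.dockerenv" ]; then
        echo docker
    elif grep -q ' / overlay ' "$1/proc/mounts" 2>/dev/null; then
        echo overlay-root   # root filesystem is an overlay mount (assumed heuristic)
    else
        return 1
    fi
}

classify() {
    # $1: root prefix (default "/"). Prints container:<hint>, vm:<product> or bare-metal.
    root=${1:-/}
    if kind=$(in_container "$root"); then
        echo "container:$kind"
    elif has_hypervisor_flag "$root/proc/cpuinfo"; then
        echo "vm:$(product_name "$root" || echo unknown)"
    else
        echo bare-metal
    fi
}

classify "$1"
```

Run without arguments to classify the live host; pass a directory to classify a captured or constructed tree.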