
Detecting Rogue Virtual Machines On A Network


Today our topic is detecting rogue virtual machines. Rogue virtual machines can pose a huge threat to your organization: even among your managed machines, you may have unauthorized virtual machines. There are some ways to keep the number of rogue VMs on your network very low, such as software policy and restricting admin accounts to only those who need them.

What if your employees install virtual machines without your knowledge? How can you detect those virtual machines?

Detecting “evil” at rest

If you can identify all the virtual machines that sit on your network, you can compare them with the list of authorized virtual machines. In this way you can find the rogue virtual machines.

There are two ways to identify virtual machines. One is checking MAC addresses; the other is checking running processes.

First way: Checking MAC address of remote system

MAC addresses are unique to each device. If you can get the MAC address of a device, you can tell which company made it. Since virtual machines use a virtual network adapter to connect to the network, and each vendor's virtual adapters carry that vendor's own address prefix, we can determine whether a MAC address belongs to a virtualization vendor.

So how can we get mac addresses of other computers on a network?

The answer is easy. We can ping each device on the network and then check our ARP table.

Or we can use nmap.

nmap -sP
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-03-17 22:35 EDT
Nmap scan report for
Host is up (0.018s latency).
MAC Address: 00:24:A1:17:44:CD (Motorola CHS)
Nmap scan report for
Host is up (0.000094s latency).
MAC Address: 00:26:BB:07:17:DD (Apple)
Nmap scan report for
Host is up (0.014s latency).
MAC Address: 00:1B:77:CD:FF:CD (Intel Corporate)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.53 seconds

As you can see, nmap has a built-in MAC prefix database, so it can convert MAC addresses to manufacturer names.
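The MAC-address check as a script, added here as an example and not part of the original post: it parses nmap -sP output in the shape shown above, looks up each MAC's vendor prefix (the first three octets) against a short constructed list of well-known virtualization-vendor prefixes, and reports VM-vendor hosts that are not in an approved inventory. The sample scan output, the prefix list and the inventory are all constructed; a real tool should load the full IEEE prefix registry, and this check shares the limits described below (NAT-mode guests and hosts off the local LAN are not seen).

```python
import re
# Constructed subset of well-known virtualisation-vendor prefixes (first
# three octets of the MAC). A real tool should load the full IEEE registry.
VM_OUIS = {"00:50:56": "VMware", "00:0C:29": "VMware", "00:05:69": "VMware",
           "08:00:27": "VirtualBox", "00:15:5D": "Microsoft Hyper-V",
           "00:16:3E": "Xen", "00:1C:42": "Parallels", "52:54:00": "QEMU/KVM"}
HOST_RE = re.compile(r"^Nmap scan report for (?P<host>.+)$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def parse_nmap_ping_scan(text):
    """(host, mac) pairs from `nmap -sP` output; mac is None when nmap printed no MAC line."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append([m.group("host").strip(), None])
            continue
        m = MAC_RE.match(line)
        if m and hosts:  # MAC line belongs to the most recent host report
            hosts[-1][1] = m.group("mac").upper()
    return [tuple(h) for h in hosts]

def vm_vendor(mac):
    """Virtualisation vendor for the MAC's prefix, or None if it is not a known VM prefix."""
    return VM_OUIS.get(mac.upper()[:8]) if mac else None

def find_rogue_vms(nmap_output, authorized_macs):
    """Hosts whose MAC has a VM-vendor prefix but is not in the approved inventory."""
    authorized = {m.upper() for m in authorized_macs}
    return [(host, mac, vm_vendor(mac))
            for host, mac in parse_nmap_ping_scan(nmap_output)
            if vm_vendor(mac) and mac not in authorized]

# Constructed sample in the same shape as the scan output shown above.
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host is up (0.018s latency).
MAC Address: 00:24:A1:17:44:CD (Motorola CHS)
Nmap scan report for 192.0.2.11
Host is up (0.00010s latency).
MAC Address: 00:0C:29:3A:5B:6C (VMware)
Nmap scan report for 192.0.2.12
Host is up (0.00012s latency).
MAC Address: 08:00:27:AA:BB:CC (Cadmus Computer Systems)
Nmap scan report for 192.0.2.1
Host is up.
"""
AUTHORIZED = ["00:0c:29:3a:5b:6c"]  # constructed inventory of approved VM MACs
```

Running find_rogue_vms(SAMPLE, AUTHORIZED) reports only the VirtualBox host, since the VMware guest is in the inventory and the physical hosts carry no VM-vendor prefix.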

Second way: Checking Process Names

You can only get the MAC addresses of computers that sit on the same VLAN/LAN as you, so the first option is only good if you have a single LAN. Moreover, some virtual adapters can be in NAT mode, so you cannot see their MAC address. (In NAT mode they use the same MAC address as the physical machine.)

Each virtualization product has its own running processes. For example, VMware Fusion runs vmware-vmx on OS X. So you can log in to each machine and see whether there is a running process related to virtualization software.

Nessus has a plugin that checks for VMware machines using this technique (http://blog.tenablesecurity.com/2007/04/i_was_speaking_.html); you can write your own plugin to find other virtual instances.

The disadvantage of this method is that you need admin credentials.


We can find rogue virtual machines on the network by comparing all virtual machines with the authorized ones. We can identify all VMs by their MAC addresses or their running processes. With the first method we can only identify virtual instances on the same LAN. With the second method we need admin credentials for the boxes we scan.

Update: please check here for more info: http://realinfosec.com/?p=678