Full Version: Detecting Vmwares Remotely
expaethitec
About The Paper

Title: Detecting Vmwares Remotely
Author: Aditya K Sood

Summary: We know vmwares are the best choice of hackers and security professionals nowadays. It's very necessary to hit a difference between a normal operating system or a VMware Machine. It's very crucial to emancipate the barriers between the Real Operating systems and virtual ones. Here I am presenting you with a way out to remotely distinguish between machines.

Source


EOP
rlastinger
QUOTE(expaethitec @ Aug 1 2007, 10:35 AM) *
About The Paper

Title: Detecting Vmwares Remotely
Author: Aditya K Sood

Summary: We know vmwares are the best choice of hackers and security professionals nowadays. It's very necessary to hit a difference between a normal operating system or a VMware Machine. It's very crucial to emancipate the barriers between the Real Operating systems and virtual ones. Here I am presenting you with a way out to remotely distinguish between machines.

Source


EOP


This is possibly one way of detecting it without throwing a lot of flags, but I've also found that a vuln scan will tell you also. Again, it comes down to potentially throwing flags. Either way, nice paper. I'm going to give it a try this weekend I think.
malodorous
So you don't have to read the paper if you know how to obtain a remote box's MAC:

The VMware MAC address range starts from these three defined addresses:
0x01) Mac[A] -------> 00-05-69-xx-xx-xx
0x02) Mac[B] -------> 00-0c-29-xx-xx-xx
0x03) Mac[C] -------> 00-50-56-xx-xx-xx
lut4
I think if you use nmap it says if it is a VMware
Blake
Also you can look for vmware drivers that have been installed
RudeYute
I thought it was obvious... and I'm a n00b.
RedNode
Would it not be easier to code a scanner which scans for port 902? I mean I can try and make a quick one in C++ if there is a demand for it. Nice article though anyway, thanks.
feyt333
thanx

Jeffrey: NO THANK YOU POSTS ALLOWED. READ THE RULES!!!
AgentSmith15
QUOTE (Blake @ Nov 6 2007, 08:19 AM) *
Also you can look for vmware drivers that have been installed



It's optional to use the drivers, but yeah, talk about a dead giveaway...
enodr
Remotely here means on a LAN, the MAC address won't appear on the net.

Moreover, the MAC address can be easily spoofed but the emulated hardware cannot. If you can access the system, a probe of the BIOS, network card ID and the video card ID (it announces itself as a VMware video card, IIRC) will tell 100% sure that you are inside VMware. The method applies also to Parallel, Qemu, ... No real hardware will ever match the combination of such particular hardware!
rave23
the cheapest giveaway is VMWare Tools being installed...

like,
VMwareuser.exe
VMwaretray.exe
VMwareservice.exe

once you got the shell, one simple ipconfig /all will tell you the MAC address, in my case "Physical Address. . . . . . . . . : 00-0C-29-8A-97-63"

what does it matter though, if you got a stable running VMWare box, use it while you can
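
The MAC prefix check described by malodorous and rave23 above, as an added example that is not from any poster in this thread: it pulls MAC addresses out of pasted `ipconfig /all` or ARP-table text and labels those in the three VMware ranges listed above. The sample input is constructed and the function names are this example's own; as enodr notes, a MAC can be changed, so a match is an inventory hint rather than proof.

```python
import re

# OUI prefixes quoted in the thread as VMware's ranges.
VMWARE_OUIS = {"000569", "000c29", "005056"}

# Matches 00-0C-29-8A-97-63, 00:0c:29:8a:97:63 and 000c.298a.9763 forms.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\b"
)

def normalize(mac):
    """Return 12 lowercase hex digits with separators removed."""
    return re.sub(r"[-:.]", "", mac).lower()

def classify(mac):
    """Label one MAC: 'vmware', 'locally-administered' or 'other'."""
    digits = normalize(mac)
    if digits[:6] in VMWARE_OUIS:
        return "vmware"
    # Bit 0x02 of the first octet marks a locally administered (manually
    # set or randomized) address, so its prefix names no vendor at all.
    if int(digits[:2], 16) & 0x02:
        return "locally-administered"
    return "other"

def scan(text):
    """Find every MAC in command output and classify it."""
    return [(m.group(0), classify(m.group(0))) for m in MAC_RE.finditer(text)]

# Constructed sample: the `ipconfig /all` line quoted in the thread plus
# made-up ARP-table style rows.
SAMPLE = """\
Physical Address. . . . . . . . . : 00-0C-29-8A-97-63
192.168.1.10    00:50:56:c0:00:08   dynamic
192.168.1.20    0005.6912.3456      dynamic
192.168.1.30    02-11-22-33-44-55   dynamic
192.168.1.40    3c-52-82-aa-bb-cc   dynamic
"""

if __name__ == "__main__":
    for mac, label in scan(SAMPLE):
        print(f"{mac:20} {label}")
```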