Vmware is a poor choice for hosting a pen/recon toolset. I suspect that to be
true of anything like QEMU or Virtual PC, too.
Tools like nmap and hping give misleading results and horrible response, when
piped through a virtual adaptor. In the case of Vmware, there are between 10
and 15 messages passed from the vm to the host and back - just to transmit a
single packet/datagram.
The vnetworking stack also works like a transparent layer 2 proxy - altering,
normalising and 'optimising' network behavior for the expected workloads I
have wasted hours of mapping time this way in the past, and would save you the
trouble of trying it...
Also, Vista as a host needs to have the firewall and IPsec filtering disabled.
The OS is also subject to the connetion and pacet rate filtering that was
introduced for XP SP2. There are unauthorized binary patches that must be made
to TCPIP.SYS, for either OS to function as a testers platform. Otherwise scans
crawl to zero, and usefull open SYN traffic waits for timeouts in a limiting
queue, before new SYNs are sent. Add the message-passing latency of your VM
stack, and this is intolerable.
This is one case where the addage "right tool for the right job" applies.
Vmware and Vista may have merits for certain applications. In the pentest
environment, these should remain as targets - where they will not impede the
investigator, nor obscure meaningful network information from examination.
Jeremiah
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
