Discovering what VMware is
VMware was founded in 1998, launching its first product, VMware Workstation, in 1999. Three years after the company was founded, it released GSX and ESX into the server market. Elastic Sky X (ESX) retained that name until 2010. The "i" was added after VMware invested time and money in upgrading the OS and modernizing the user interface; the product is now dubbed ESX integrated (ESXi). If you are reading this, I think it is safe for me to assume that you have perused a few books on related topics, since most books cover desktop hypervisors such as Player, Workstation, and/or Fusion. I want to take this a step further and provide some hands-on exposure and practice with ESXi in the next section.
OK, maybe that was a slightly sales-y pitch, but I can honestly say that I have never worked for VMware and do not get any royalties for plugging their technology. However, I feel it would do you a disservice to not take you through a hands-on practical experience with technology that you will most certainly discover out there in the field. I have personally encountered VMware in the verticals of oil and gas, energy, chemical, pharma, consumer product production, discrete manufacturing, and amusement parks, to name a few.
A typical production solution consists of the following:
- Distributed Resource Scheduler (DRS)
- High Availability (HA)
- Consolidated Backup
- vCenter
- Virtual machines
- ESXi servers
- Virtual Machine File System (VMFS)
- Virtual symmetric multi-processing (SMP)
For a better overview of these specific components, please reference the following web page: https://www.vmware.com/pdf/vi_architecture_wp.pdf.
I do not want to deep dive into VMware; instead, I simply want to make you aware of some of the pieces of technology that you will encounter when you're on an engagement. I do, however, want to call out the core stack, which consists of vCenter, ESXi servers, and VMs. These are the building blocks of almost all virtualization implementations in large organizations. vCenter controls the ESXi servers, and the ESXi servers are where the VMs live. Knowing this will help you understand the path of Privilege Escalation once you get a foothold on a VM inside the operational layer of the company.

I have had many conversations with security personnel over the years around Separation of Duties (SoD), and teams dedicated to their applications are more than happy to explain the great pain and lengths they have gone to in order to adhere to Confidentiality, Integrity, and Availability (CIA). When performing tabletop exercises with these same teams and asking them "Who controls the ESXi server your app lives on?" and then continuing with "What is your total exposure if your vCenter is compromised?", you'll find that the answers, in most cases, will shock you, if not terrify you to the bone. I challenge you to ask your IT/OT team – or whoever is managing your virtual infrastructure – how many VMs are running per server. Then, follow that up with, "When is the last time you performed a Disaster Recovery (DR) failover test?" Knowing whether a piece of critical control is running inside an over-taxed server with minimal resources is quite useful from a risk mitigation point of view, but for the purpose of this book, we need to exploit a weakness in an overlooked component in the system.
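The two questions above (which vCenter controls which ESXi hosts, and how many VMs each host is carrying) can be answered from vCenter itself. The following PowerCLI script is an added example, not code from the book; it assumes the VMware.PowerCLI module is installed, a read-only vCenter account, and placeholder values for the vCenter address and the review thresholds.

```powershell
# Added example (not from the book): inventory the core stack described above
# (vCenter -> ESXi hosts -> VMs) and flag hosts that look over-taxed.
# Assumes VMware.PowerCLI is installed and the account has read-only access.
Import-Module VMware.PowerCLI

$vcenter       = 'vcenter.example.local'   # placeholder vCenter FQDN
$maxVmsPerHost = 25                        # assumed review threshold
$minFreeMemPct = 20                        # assumed review threshold

$vi = Connect-VIServer -Server $vcenter

# Every ESXi host this vCenter controls, with its live resource counters.
$hosts = Get-VMHost -Server $vi

# Every VM, bucketed by the host it currently lives on.
$vmsByHost = @{}
foreach ($vm in Get-VM -Server $vi) {
    $hostName = $vm.VMHost.Name
    if (-not $vmsByHost.ContainsKey($hostName)) { $vmsByHost[$hostName] = @() }
    $vmsByHost[$hostName] += $vm
}

$report = foreach ($h in $hosts) {
    $vms     = if ($vmsByHost.ContainsKey($h.Name)) { @($vmsByHost[$h.Name]) } else { @() }
    $running = @($vms | Where-Object PowerState -eq 'PoweredOn')

    # Percentage of host CPU and memory still free; 0 if the host reports no capacity.
    $cpuUsedPct = if ($h.CpuTotalMhz -gt 0) { [math]::Round(100 * $h.CpuUsageMhz / $h.CpuTotalMhz, 1) } else { 0 }
    $freeMemPct = if ($h.MemoryTotalGB -gt 0) { [math]::Round(100 * (1 - $h.MemoryUsageGB / $h.MemoryTotalGB), 1) } else { 0 }

    [pscustomobject]@{
        Host        = $h.Name
        ESXiVersion = "$($h.Version) build $($h.Build)"
        TotalVMs    = $vms.Count
        RunningVMs  = $running.Count
        CpuUsedPct  = $cpuUsedPct
        FreeMemPct  = $freeMemPct
        # Mark hosts that carry too many VMs or have little memory headroom left.
        Flag        = if ($vms.Count -gt $maxVmsPerHost -or $freeMemPct -lt $minFreeMemPct) { 'REVIEW' } else { '' }
    }
}

$report | Sort-Object TotalVMs -Descending | Format-Table -AutoSize
Disconnect-VIServer -Server $vi -Confirm:$false
```

Hosts marked REVIEW are the ones to raise with the team that owns the ESXi layer, alongside the DR failover question.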
The following diagram shows the relationship between the different components we mentioned previously and how they integrate with each other:
I performed some work for a Steam Assisted Gravity Drainage (SAGD) heavy oil company, and part of their claim was the virtualization of the Rockwell PlantPAX DCS. This was all on top of an ESXi cluster inside a robust vSphere platform. The biggest takeaway from understanding VMware is that, at an enterprise level, vSphere is the platform, and ESXi is the hypervisor. In this book, I will be posting screenshots of VMware Fusion, the macOS-specific desktop platform, and of ESXi. If you are using Windows, you have two options – VMware Player or VMware Workstation. I will focus most of my time and demos on ESXi, as I feel that understanding this technology is the most important task for proceeding down the yellow brick road of industrial pentesting.
In this section, we touched on what VMware is, called out the core components that make up a virtual stack, and shared some real-world examples of what you will find out there in the wild. Now, the next step is diving right into it and turning it all on. We will start by walking through the installation processes for VMware Fusion, VMware ESXi, and VMs in order to create a virtual Supervisory Control and Data Acquisition (SCADA) environment for our testing in further chapters.