GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/gather/checkvm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
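# Post module that fingerprints the virtualization platform of a Linux session
# host. It works through a fixed sequence of probes (DMI data, loaded kernel
# modules, SCSI/IDE device strings, mounts, sysfs DMI files, lspci, cpuinfo,
# /sys/hypervisor, device tree, process names, dmesg) and stops at the first
# probe that yields a label.
#
# Host-side footprint, for anyone writing detections or building analysis
# sandboxes: the probes below execute '/usr/sbin/dmidecode' (root only),
# '/sbin/lsmod' (fallback), 'cat /proc/ide/hd*/model', lspci and 'dmesg', and
# read /proc/modules, /proc/scsi/scsi, /proc/mounts, /proc/cpuinfo,
# /sys/class/dmi/id/{sys_vendor,product_name},
# /sys/devices/virtual/dmi/id/bios_vendor, /sys/hypervisor/{uuid,type} and
# /proc/device-tree/{compatible,hypervisor/compatible}. Later probes are only
# reached when the earlier ones found nothing.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Process

  # Registers the module metadata (name, description, license, author,
  # platform and supported session types) with the framework.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather Virtual Environment Detection',
        'Description' => %q{
          This module attempts to determine whether the system is running
          inside of a virtual environment and if so, which one. This
          module supports detection of Hyper-V, VMWare, VirtualBox, Xen,
          Bhyve and QEMU/KVM.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => [ 'linux' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ]
      )
    )
  end

  # Entry point invoked by the framework's `run` command.
  #
  # Runs each probe in order until one sets `vm`, then prints the result and
  # passes the label to report_virtualization. Every probe is a substring or
  # regex match on a vendor string, so a result is an indication rather than
  # proof: the first matching probe wins and nothing is cross-checked.
  def run
    print_status('Gathering System info ....')
    vm = nil
    dmi_info = nil

    # dmidecode is only attempted when the session is root.
    if is_root?
      dmi_info = cmd_exec('/usr/sbin/dmidecode')
    end

    # Check DMI info
    if dmi_info
      case dmi_info
      # NOTE(review): this matches any "Microsoft Corporation" string in the
      # DMI dump, so it would presumably also fire on physical
      # Microsoft-built hardware — confirm before relying on it.
      when /microsoft corporation/i
        vm = 'MS Hyper-V'
      when /vmware/i
        vm = 'VMware'
      when /virtualbox/i
        vm = 'VirtualBox'
      when /qemu/i
        vm = 'Qemu/KVM'
      when /domu/i
        vm = 'Xen'
      end
    end

    # Check kernel modules; fall back to lsmod when /proc/modules is unreadable
    if !vm
      loaded_modules = read_file('/proc/modules') || cmd_exec('/sbin/lsmod').to_s

      case loaded_modules.gsub("\n", ' ')
      when /vboxsf|vboxguest|vboxvideo|vboxvideo_drv|vboxdrv/i
        vm = 'VirtualBox'
      # "vmw_ballon" is misspelled, but the bare "vmw" alternative already
      # matches every vmw_* module name, so the pattern is left untouched.
      when /vmw_ballon|vmxnet|vmw/i
        vm = 'VMware'
      when /xen-vbd|xen-vnif|xen_netfront|xen_blkfront/
        vm = 'Xen'
      when /virtio_pci|virtio_net|virtio_blk|virtio_console|virtio_scsi|virtio_balloon|virtio_input|virtio-gpu|virtio-rng|virtio_dma_buf|virtio_mmio|virtio_pmem|virtio_snd/
        vm = 'Qemu/KVM'
      when /hv_vmbus|hv_blkvsc|hv_netvsc|hv_utils|hv_storvsc|hv_boot|hv_balloon|hyperv_keyboard|hid_hyperv|hyperv_fb/
        vm = 'MS Hyper-V'
      end
    end

    # Check SCSI driver
    if !vm
      proc_scsi = read_file('/proc/scsi/scsi')
      if proc_scsi
        case proc_scsi.gsub("\n", ' ')
        when /vmware/i
          vm = 'VMware'
        when /vbox/i
          vm = 'VirtualBox'
        end
      end
    end

    # Check IDE devices
    if !vm
      case cmd_exec('cat /proc/ide/hd*/model')
      when /vbox/i
        vm = 'VirtualBox'
      when /vmware/i
        vm = 'VMware'
      when /qemu/i
        vm = 'Qemu/KVM'
      when /virtual [vc]d/i
        vm = 'Hyper-V/Virtual PC'
      end
    end

    # Identify a Xen block device mounted as the root filesystem
    if !vm
      proc_mounts = read_file('/proc/mounts')
      if proc_mounts
        case proc_mounts
        when %r{/dev/xvd.* / }
          vm = 'Xen'
        end
      end
    end

    # Check system vendor
    if !vm
      sys_vendor = read_file('/sys/class/dmi/id/sys_vendor')
      if sys_vendor
        case sys_vendor.gsub("\n", ' ')
        when /qemu/i
          vm = 'Qemu'
        when /vmware/i
          # Spelled 'VMware' like every other probe (was 'VMWare'), so the
          # reported label does not depend on which probe matched.
          vm = 'VMware'
        when /xen/i
          vm = 'Xen'
        when /microsoft/i
          vm = 'Hyper-V'
        end
      end
    end

    # Check using lspci; the absolute path is chosen from the detected distro
    if !vm
      case get_sysinfo[:distro]
      when /oracle|centos|suse|redhat|mandrake|slackware|fedora/i
        lspci_data = cmd_exec('/sbin/lspci')
      when /debian|ubuntu/
        lspci_data = cmd_exec('/usr/bin/lspci')
      else
        lspci_data = cmd_exec('lspci')
      end

      case lspci_data.to_s.gsub("\n", ' ')
      when /vmware/i
        vm = 'VMware'
      when /virtualbox/i
        vm = 'VirtualBox'
      end
    end

    # Check product name
    if !vm
      product_name = read_file('/sys/class/dmi/id/product_name')
      if product_name
        case product_name.gsub("\n", ' ')
        when /bhyve/i
          vm = 'Bhyve'
        when /qemu/i
          vm = 'Qemu'
        when /vmware/i
          vm = 'VMware'
        when /virtualbox/i
          vm = 'VirtualBox'
        when /xen/i
          vm = 'Xen'
        when /KVM/i
          vm = 'KVM'
        when /oracle/i
          vm = 'Oracle Corporation'
        end
      end
    end

    # Check BIOS vendor
    if !vm
      bios_vendor = read_file('/sys/devices/virtual/dmi/id/bios_vendor')
      if bios_vendor
        case bios_vendor.gsub("\n", ' ')
        when /^xen/i
          vm = 'Xen'
        when /innotek GmbH/i
          vm = 'VirtualBox'
        end
      end
    end

    # Check cpuinfo
    if !vm
      cpuinfo = read_file('/proc/cpuinfo')
      if cpuinfo
        case cpuinfo.gsub("\n", ' ')
        when /qemu virtual cpu|emulated by qemu|KVM processor/i
          vm = 'Qemu/KVM'
        end
      end
    end

    # Check Xen devices: a readable /sys/hypervisor/uuid that is not all
    # zeros is taken as Xen.
    if !vm
      hypervisor_uuid = read_file('/sys/hypervisor/uuid')
      if hypervisor_uuid && !hypervisor_uuid.include?('00000000-0000-0000-0000-000000000000')
        vm = 'Xen'
      end
    end
    if !vm
      xen_type = read_file('/sys/hypervisor/type')
      # The sysfs value normally ends in a newline; strip it so the equality
      # test can succeed when read_file returns the raw file contents.
      if xen_type && xen_type.strip == 'xen'
        vm = 'Xen'
      end
    end

    # Check device tree
    if !vm
      compatible = read_file('/proc/device-tree/compatible')
      if compatible && compatible.include?('qemu')
        vm = 'Qemu/KVM'
      end
    end
    if !vm
      compatible = read_file('/proc/device-tree/hypervisor/compatible')
      if compatible
        case compatible
        when /linux,kvm/i
          vm = 'Qemu/KVM'
        when /xen/i
          vm = 'Xen'
        when /vmware/i
          vm = 'VMware'
        end
      end
    end

    # Check processes
    if !vm
      # NOTE(review): the original passed this block directly to
      # get_processes. That helper appears to return the process list without
      # yielding, in which case the block never ran — confirm against
      # Msf::Post::Process. Iterating the return value makes the check
      # effective; Array() tolerates a nil result.
      Array(get_processes).each do |process|
        case process['name']
        when /hv_vss_daemon|hv_kvp_daemon|hv_fcopy_daemon/i
          vm = 'MS Hyper-V'
        end
      end
    end

    # Check dmesg output
    if !vm
      dmesg = cmd_exec('dmesg')
      case dmesg
      when /vboxbios|vboxcput|vboxfacp|vboxxsdt|vbox cd-rom|vbox harddisk/i
        vm = 'VirtualBox'
      when /vmware virtual ide|vmware pvscsi|vmware virtual platform/i
        vm = 'VMware'
      when /xen_mem|xen-vbd/i
        vm = 'Xen'
      when /qemu virtual cpu version/i
        vm = 'Qemu/KVM'
      when %r{/dev/vmnet}
        vm = 'VMware'
      end
    end

    if vm
      print_good("This appears to be a '#{vm}' virtual machine")
      report_virtualization(vm)
    else
      print_status('This does not appear to be a virtual machine')
    end
  end
end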