VMware vSphere

  • 1.  File Transfer using vSphere

    Posted Nov 17, 2010 12:34 AM

    We have a VM that has been compromised with some malware and is now sitting with it's NIC cards disabled to cut it off from the network. We would like to get some log files off of it for analysis. Short of putting a USB key into the host itself, is there a way to use vSphere client to transfer files to a different location?

    Thanks for the help!



  • 2.  RE: File Transfer using vSphere
    Best Answer

    Posted Nov 17, 2010 02:12 AM

    If you are on ESX 4.1 you can map a USB device to the virtual machine. The detailed steps are here: http://www.virtualizationadmin.com/articles-tutorials/general-virtualization-articles/using-usb-devices-vmware-vsphere-41.html






    iDLE-jAM | VCP 2, VCP 3 & VCP 4

    If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points



  • 3.  RE: File Transfer using vSphere

    Posted Nov 17, 2010 02:47 AM

    Install isocreator (http://www.minidvdsoft.com/isocreator/) or isorecorder (http://isorecorder.alexfeinman.com/isorecorder.htm) on your desktop.

    Now create an ISO of the install file you downloaded for either isocreator or isorecorder.

    Upload the install ISO you just created to your datastore.

    Connect the CD-ROM of the VM with malware to the uploaded install ISO on the datastore.

    Open the CD-ROM on the VM with malware and install either isocreator or isorecorder.

    Create an ISO of any log files (or other files) you want to move off the VM with malware.

    Upload the ISO to the datastore.

    Download the ISO you created with the log files to your desktop.

    Burn the log ISO to disk or mount it on your desktop. Free tool from Microsoft that is also handy to have: http://download.microsoft.com/download/7/b/6/7b6abd84-7841-4978-96f5-bd58df02efa2/winxpvirtualcdcontrolpanel_21.exe (additional instructions here if needed http://www.tech-recipes.com/rx/620/xp_small_free_way_to_use_and_mount_images_iso_files_without_burning_them/)

    Rich



  • 4.  RE: File Transfer using vSphere

    Posted Nov 17, 2010 12:50 PM

    I got a little crazy on my last post--let me try again with your NIC disconnected. I like idle-jam's approach better, but if you're not on 4.1 this will work, but you'll be without vCenter for awhile. The ISO stuff I mentioned is okay for some scenarios, but you don't really need to do all that (and you have some issues without being connected to the network) ;)

    Make sure you can be without vCenter for a little while because you're going to abuse it a little.

    Put the VM with malware on the same host vCenter is on.

    At this point it's easiest to access vCenter by opening an infrastructure client session to the host that vCenter is running on (you're going to move vCenter off the network later so if you don't access this way now, you'll have to later anyway).

    Make a snapshot of vCenter.

    Create a vSwitch that's isolated (don't connect any physical NICs to it).

    Move vCenter to the isolated switch.

    Move the VM with malware to the isolated switch and connect it.

    Browse to vCenter from the VM with malware.

    Install the infrastructure client on the VM with malware.

    Upload any logs you want from the VM with malware to a folder on the datastore.

    You can now browse the datastore from your desktop and download the folder with the logs or other files in it.

    You could also add in some steps if you prefer to make an ISO of any files you take off the VM with malware before you upload them to the datastore.

    Revert vCenter to the snapshot you created earlier so it's back on the real network. This way if it picked up any malware while communicating with the infected VM, the malware will be gone.

    Or just upgrade to 4.1 and follow idle-jam's link.

    Rich



  • 5.  RE: File Transfer using vSphere

    Posted Nov 17, 2010 01:09 PM

    Rich123, I salute you on the above two posts. Very well written. Two thumbs up! =)




    iDLE-jAM | VCP 2, VCP 3 & VCP 4




  • 6.  RE: File Transfer using vSphere

    Posted Nov 17, 2010 08:06 PM

    Awesome answers guys! A couple more tools to add to my bag of tricks!



  • 7.  RE: File Transfer using vSphere

    Posted Nov 17, 2010 09:35 PM

    Just a couple quick thoughts...

    Instead of messing with your vCenter VM, load up a really thin Linux-based VM (there are lots of options out there) running an FTP service. Create a VLAN on your vSwitch, and connect the compromised VM and the Linux VM to it.

    FTP the files over to that VM. Now you can use that Linux VM to zip up logs, package up the malware to ship off to an AV vendor, or whatever else you need to do...

    Another option is to create another vmdk and attach it to your compromised VM, mounting it as another disk drive. Copy data over to this new disk, then disconnect it and reattach it to another VM. To protect your network, the second VM should also be detached initially, but with valid anti-malware/antivirus tools to verify you're not going to compromise your network. Assuming the data you've moved over is clean, reattach to your network and export the data where needed.

    Good luck.
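As an added example (not from any poster in this thread), here is how the isolated port group and the "shuttle disk" hand-off described in the last reply can be scripted with PowerCLI; it assumes an existing Connect-VIServer session, a current PowerCLI, and placeholder VM and vSwitch names that you would replace with your own.

```powershell
# Added example, not the thread's own code. Assumes Connect-VIServer has already been run.
# 'INFECTED-VM' and 'ANALYSIS-VM' are placeholder names; the analysis VM is the isolated
# box with up-to-date antivirus tools that the reply above describes.
$infected = Get-VM -Name 'INFECTED-VM'
$analysis = Get-VM -Name 'ANALYSIS-VM'
$esx      = Get-VMHost -VM $infected

# 1. Isolated port group: a vSwitch created without -Nic has no physical uplink, so VMs on it
#    can reach each other (e.g. for the FTP option) but nothing on the real network.
$vs = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-Quarantine'
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name 'Quarantine'
Get-NetworkAdapter -VM $infected, $analysis |
    Set-NetworkAdapter -Portgroup $pg -Connected:$true -StartConnected:$true -Confirm:$false

# 2. Add a fresh shuttle disk to the infected VM. Formatting it and copying the logs onto it
#    happens inside the guest, not in this script.
$shuttle = New-HardDisk -VM $infected -CapacityGB 10 -Persistence Persistent

# 3. Detach the shuttle disk WITHOUT deleting it (no -DeletePermanently) and attach the
#    same .vmdk to the analysis VM so the files move with no network path at all.
$diskPath = $shuttle.Filename      # datastore path, e.g. "[datastore1] INFECTED-VM/INFECTED-VM_1.vmdk"
Remove-HardDisk -HardDisk $shuttle -Confirm:$false
$attached = New-HardDisk -VM $analysis -DiskPath $diskPath

# 4. Confirm what the analysis VM now has before scanning it; only move the analysis VM back
#    to a production port group after the scan comes back clean.
$attached | Select-Object Name, Filename, CapacityGB
```

The disk hand-off works even if you skip step 1 entirely; the quarantine port group is only needed if you also want the two VMs to talk to each other for the FTP variant.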