3

Say I opened an ssh session to an IP address. Can I tell, from within the ssh session, if that ssh session is running on a VirtualBox guest VM, or on a non-VM machine?

Notes:

  • OS Host/Guest: CentOS 7
  • VirtualBox: 6.0

3 Answers

5

Yes, you can use dmidecode to accomplish this:

sudo yum install dmidecode
sudo dmidecode -s system-manufacturer

For example, in my VMware Workstation CentOS VM it returned this: VMware, Inc.

In your VirtualBox VM it would return: innotek GmbH

Source: https://www.ostechnix.com/check-linux-system-physical-virtual-machine/

1

The below is based on an answer I received on another forum.


One quick way would be to query the NIC maker. The VM has to have a NIC, since we're connecting via SSH.
Here's what I get from a VM that has 4 NICs:

$ ifconfig | grep ether
        ether 08:00:27:ae:2c:b5  txqueuelen 1000  (Ethernet)
        ether 08:00:27:1d:8b:9f  txqueuelen 1000  (Ethernet)
        ether 08:00:27:15:c6:f7  txqueuelen 1000  (Ethernet)
        ether 08:00:27:64:bd:3b  txqueuelen 1000  (Ethernet)

That 08:00:27 part shows that the NIC manufacturer is VirtualBox (i.e., we're in a VM).

Other ways could be getting information about our hardware from the OS, for example:

$ lshw | grep -i virtualbox
WARNING: you should run this program as super-user.
WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
             product: VirtualBox Graphics Adapter
             product: VirtualBox Guest Service

We can have further evidence in case the Guest Additions are installed:

$ VBoxControl -version
6.0.0r127566

But I think the first trick (with the MAC addresses) should be the one to use.


Edit 1:
Run these to get the ssh environment:

  • if [[ $(ifconfig | grep '08:00:27') ]] ; then echo "We're in Virtualbox VM" ; fi
  • lshw | grep -i virtualbox
  • VBoxControl -version
  • if [[ "innotek GmbH" == "$( sudo dmidecode -s system-manufacturer)" ]] ; then echo "We're in Virtualbox VM" ; fi

1

If the VM is not configured to lie to you, then the techniques presented in other answers here are fine.

But if the VM is configured to lie to you (e.g. MAC addresses can be arbitrary) then you would need to work harder. You may be able to find inconsistencies in /proc/* (e.g. different number of cores available than would be expected for the CPU model).

3
  • I could see why one would do that (like for scam-baiting), but other than just making up a MAC address, how can one hide the "hardware" manufacturer in a VM (say for instance, VMware)? I can of course research this myself, but I'm just curious. Commented Jun 28, 2019 at 19:09
  • 1
    @SamAndrew81, the first 24 bits of a MAC address are the OUI (Organizationally Unique Identifier) so you could impersonate any hardware manufacturer, but you should not do that.
    – mlp
    Commented Jun 28, 2019 at 19:14
  • People do MAC spoofing for Pen-Testing all the time. </shrug> Commented Jun 28, 2019 at 19:19
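
The last answer's point about inconsistencies can be checked by comparing the DMI vendor with the NIC OUIs rather than trusting either alone. The script below is an added example, not code from any of the answers; the function names are hypothetical, and the VMware OUIs and the sysfs paths are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example: cross-check two signals instead of trusting one.

# Map a DMI system-manufacturer string to a hypervisor name.
dmi_hypervisor() {
    case "$1" in
        "innotek GmbH") echo virtualbox ;;  # string quoted in the answers
        "VMware, Inc.") echo vmware ;;      # string quoted in the answers
        *)              echo none ;;
    esac
}

# Map a MAC address to a hypervisor name by its OUI (first 24 bits).
mac_hypervisor() {
    oui=$(printf '%s' "$1" | tr 'A-F' 'a-f' | cut -c1-8)
    case "$oui" in
        08:00:27)          echo virtualbox ;;  # OUI shown in the answers
        00:0c:29|00:50:56) echo vmware ;;      # VMware OUIs, not from the page
        *)                 echo none ;;
    esac
}

# classify DMI_VENDOR MAC...
# Prints the hypervisor when both signals agree, "none" when neither matches,
# and "inconsistent:<dmi>/<nic>" when they disagree (one may be spoofed).
classify() {
    dmi=$(dmi_hypervisor "$1"); shift
    nic=none
    for mac in "$@"; do
        h=$(mac_hypervisor "$mac")
        if [ "$h" != none ]; then nic=$h; fi
    done
    if [ "$dmi" = "$nic" ]; then echo "$dmi"
    else echo "inconsistent:$dmi/$nic"
    fi
}

# Live values, no root needed: sysfs exposes the field dmidecode prints.
detect_live() {
    vendor=$(cat /sys/class/dmi/id/sys_vendor 2>/dev/null || true)
    macs=$(cat /sys/class/net/*/address 2>/dev/null || true)
    classify "$vendor" $macs   # unquoted on purpose: one argument per MAC
}

# Constructed sample inputs (not captured from a real host).
classify "innotek GmbH"  08:00:27:00:00:01 02:00:00:00:00:02  # virtualbox
classify "Example Corp." 08:00:27:00:00:01  # inconsistent:none/virtualbox
```

Call detect_live inside the SSH session to use the real values; an inconsistent result only says the two signals disagree, not which of them is false.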
