Tuesday, May 7, 2013

Setting up your Hacking Playground - Hyper-V Quick Use [Part 3]

By Tony Lee.

In the first part of this series, we did a high-level comparison between the free versions of VMWare ESXi and Microsoft’s Hyper-V. Next, we highlighted the difficult challenge that exists when setting up Hyper-V to be a remotely managed, headless server. In this part of the series, we will give you the essentials needed to start using Hyper-V and name the winner of our comparison.

Creating Virtual Networks

After connecting to your server with Hyper-V Manager, you will notice that you have no Virtual Networks when you select the Virtual Network Manager. If you want your virtual machines to have Internet access, you need to create a virtual network to provide it.



To create a new virtual network, click the hyperlink for “New virtual network”. Assign a name, select the Network Interface Card (NIC) to bind it to, and optionally assign a VLAN ID. Now when you are creating your virtual machines, you can assign them a network.



ISO Storage

If you are like me, you like to have an ISO drive so you don’t have to deal with physical media. One VERY useful feature that Hyper-V Manager lacks is the ability to upload and download files to the data stores. That may be a feature in the paid product, Microsoft System Center--but I wouldn’t know because I am trying to do this for free. There is a 180-day evaluation you can download, but that is your call. I don’t want to become dependent upon a very expensive crutch. To get around this, you can copy the files over the network via a net use and CIFS, or you can put them on a USB drive and do something similar to the commands below:

 c:\>wmic logicaldisk get name,description
Description       Name
Local Fixed Disk  C:
Local Fixed Disk  D:
Local Fixed Disk  E:
CD-ROM Disc       F:
CD-ROM Disc       G:
Local Fixed Disk  H:  <-- This is our USB drive with our ISOs

c:\> H:

H:> cd \virtual-machines\ISO

H:\virtual-machines\ISO>mkdir e:\ISO

H:\virtual-machines\ISO>copy * e:\ISO
BT5R3.iso
Fedora-18-x86_64-Live-Desktop.iso
linuxmint-13-mate-dvd-64bit.iso
--snip--

Now when you are creating VMs from scratch you can use the local ISOs. :)

Creating a VM

Speaking of creating a VM, this part is pretty easy and very similar to using VMWare vSphere client with ESXi.

To create a VM:
  • Click New -> Virtual Machine
  • Name the VM and select where you want the VM stored
  • Select the amount of memory
  • Select the network connection
  • Select the drive size
  • Installation media and finish
  • Connect to the VM
  • Power on and walk through the typical installation


The next four screenshots are what you should see:

Converting a VMWare VM

It would be far too easy if VMWare and Hyper-V used the same virtual machine format. We should all pray for quicker adoption of OVF… But, who doesn’t like a challenge?

So, what are the differences between the two preferred formats?

Category             VMWare   Hyper-V
Bootable Hard Drive  SCSI     IDE
File Type            .vmdk    VHD

These may not seem like substantial differences at first, but the hard drive controller is a major concern. It is so major that if your VMWare VM has a SCSI hard drive, you need to add an IDE drive of arbitrary size before conversion so the IDE drivers get loaded. Isn’t there an easier way?

Supposedly Microsoft System Center will do the conversion for you, but we have no monies...

Fortunately for us, Microsoft has also provided a free tool similar to the free stand-alone VMWare converter tool. Microsoft calls theirs the Microsoft Virtual Machine Converter (MVMC).

Microsoft converter

“The Microsoft Virtual Machine Converter (MVMC) Solution Accelerator is a Microsoft-supported, stand-alone solution for the IT pro or solution provider who wants to convert VMware-based virtual machines and disks to Hyper-V®-based virtual machines and disks.”
Source: http://www.microsoft.com/en-us/download/details.aspx?id=34591

Sounds great, but…

There are two MAJOR problems with Microsoft Virtual Machine Converter (MVMC):
  1. It only converts Windows guest VMs (Huh? WTH?)
  2. It only supports converting the VMs directly from a running vCenter, ESX, or ESXi (NOT from a powered down VM sitting on a hard drive!)

Note that the command line interface of this tool can convert a hard disk, but not a virtual machine. That is, if you want to convert a .vmdk to a VHD in order to mount the drive in Windows (because Windows 7+ can mount VHDs), that is an option with this tool. But you will not be able to automagically convert the disk and then boot it in Hyper-V as an OS.

Manual VM Conversion

Looks like we have to do a manual conversion now--Ugh!!!

VMWare Files

The first thing we should know about VMWare virtual disks is that they end with .vmdk. However, sometimes there are many .vmdk files. If you are downloading a virtual appliance that has multiple disks or a snapshot already taken or both, you will end up with a few files. SIFT Workstation is such an appliance.

You will notice in the screenshot below that there are 4 vmdk files. The ones without the six-digit suffix are the raw hard disks; the ones with it are for snapshots. We will attempt to convert the raw hard disks and start those in Hyper-V.

Terminology

Before we continue we should also discuss a little bit of virtual disk terminology. When creating virtual machines, you have a choice between pre-allocating the disk space or growable disk space. The advantage of pre-allocation is faster reads/writes and performance. The disadvantage is that it takes up all of the disk space on the host hard drive regardless of whether you are actually using the space in the guest OS. It appears that there is no standard term for these two options, thus I will list terminology below:

Vendor      Pre-Allocated   Growable
VMWare      Thick           Thin
StarWind    Pre-Allocated   Growable
Microsoft   Fixed/Static    Dynamic

When conducting my initial research into VMWare to Hyper-V conversion, I found a few resources that were either outdated or had little to no information on how to proceed. Nonetheless, there were some that did *sort of* help out:

Blogs

SteenKirkby wrote a great, detailed blog post, but most of the information is no longer current. The vmdk2vhd tool (vmtoolkit.com) no longer exists on any reputable site that I could find, but at least the steps were sound, so I used that method with another tool.

MVDC.exe

Microsoft Virtual Machine Converter comes with command line options to convert .vmdk files into .vhd files. The problem we had was that the dynamic disk flag appeared to be ineffective - resulting in a static disk each time. For VMWare virtual machines that use small hard drives, this may not be too big of a problem. However, let’s examine the scenario below (for our tests we will use the pre-built SANS Investigate Forensic Toolkit (SIFT) workstation):

We start by enumerating our options by running the binary with no parameters:

Does anyone else find the “TODO: add description” a little worrisome? :) Eh, let’s give it a go anyway!

First Attempt (Without the DYN Flag)

 "c:\Program Files (x86)\Microsoft Virtual Machine Converter Solution Accelerator\MVDC.exe" "SIFT Workstation 2.14-0.vmdk" "SIFT Workstation 2.14-0.vhd"

When we were trying to convert the SIFT Workstation, the VMWare appliance’s /dev/sdb disk was dynamically allocated, consuming only 59MB of actual hard drive space. MVDC.exe does not convert disks dynamically without the /Dyn flag, so it proceeded to expand the disk to its full (static) size of 200GB!



The worst part is that nothing can stop MVDC once it has started the conversion without the /Dyn option. Ctrl+C had no effect. Task Manager could not kill MVDC.exe or the cmd.exe window. taskkill /f /im MVDC.exe was ineffective as well. A reboot was required to stop the madness.

Second Attempt (With the DYN Flag)

Even with the dynamic flag, as shown below, the program still tried to create a 200GB disk. The difference was that with the /Dyn flag the operation could be killed with Ctrl+C, and MVDC was slowly creating the 200GB disk instead of allocating the 200GB up front and then populating the data.

 "c:\Program Files (x86)\Microsoft Virtual Machine Converter Solution Accelerator\MVDC.exe" "SIFT Workstation 2.14-0.vmdk" "SIFT Workstation 2.14-0.vhd" /Dyn

Ok, since the MVDC /Dyn flag seems to also create a static disk, we need another option.

StarWind

The registerware (but free) StarWind V2V Converter claims on its website that it "Converts from VMDK to VHD and vice versa", performs sector-by-sector copies, doesn't modify the source image, and is easy to install and use! Right up my alley :)

The process was easy:

  1. Select your source file (VMDK, VHD, IMG)
  2. Choose a location to save the converted data file
  3. Click 'convert' and let the converter run
  4. Import the resulting file into VMware, Hyper-V, or mount the resulting image using StarWind

Remember to convert the base disk and not the snapshot files.

Base files:
10/13/2012  06:05 PM     5,956,304,896 SIFT Workstation 2.14.vmdk
10/13/2012  06:05 PM        60,227,584 SIFT Workstation 2.14-0.vmdk




Snapshot files:
10/13/2012  06:06 PM        26,279,936 SIFT Workstation 2.14-0-000001.vmdk
10/13/2012  06:06 PM         3,997,696 SIFT Workstation 2.14-000001.vmdk

So just open StarWind and click Next. Then select your source file (remember not to choose the snapshot ####### files); for example, mine was SIFT Workstation 2.14.vmdk



Next, select the destination format (if you pick pre-allocated, it will allocate the entire disk, used or not); for example, mine was "MS Virtual PC Growable Image".

Select the destination location and allow time for the conversion.



General Warnings
  • If you convert both the base and the snapshot files, the results will be VHDs of the same size; however, they are not the same file, as they do not hash to the same value, and they will not both work.
    $ ls -al
    --snip--
    -rwx------+ 1  mkgroup   472501760 Apr  7 23:00 SIFT Workstation 2.14-0.vhd
    -rwx------+ 1  mkgroup   472501760 Apr  7 23:59 SIFT Workstation 2.14-0-000001.vhd

    $ md5sum.exe SIFT\ Workstation\ 2.14-0.vhd
    9a678f0e1350eaabfbae329272882c62 *SIFT Workstation 2.14-0.vhd

    $ md5sum.exe SIFT\ Workstation\ 2.14-0-000001.vhd
    c8c1505103dfbb70024f2279215b70b8 *SIFT Workstation 2.14-0-000001.vhd

  • A VHD converted from the snapshot files will not boot.
  • When finished converting, copy the base image VHD files to the Hyper-V server via SMB or USB.
  • Create a new Virtual Machine and select the converted SIFT image as the base disk.




Finally after converting the first virtual disk and adding that to a new Hyper-V VM, we are able to boot the SIFT workstation.



Unfortunately, we only have /dev/sda right now and will have to convert the second disk /dev/sdb and add that as a secondary hard drive.



VM Size Comparison

File                          Guest OS Info                  VMDK Size   VHD Size
SIFT Workstation 2.14.vmdk    /dev/sda, 30GB guest disk      5.8GB       18.9GB
SIFT Workstation 2.14-0.vmdk  /dev/sdb, 200GB guest disk     58MB        461MB

Looking at these numbers, it appears that the VMWare vmdk’s are 30% and 12% the size of the Hyper-V images for /dev/sda and /dev/sdb respectively.
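To check what a conversion actually produced, the footer of the .vhd can be read directly. The script below is an added example written for this post, not code from the original article or from Microsoft or StarWind: it parses the 512-byte footer that every VHD ends with, reports Fixed versus Dynamic (the MVDC /Dyn question above) along with the guest-visible size, verifies the footer checksum, and hashes the image so two equal-size files like the base and snapshot VHDs above can be told apart. The images it inspects when given no arguments are constructed in memory (a footer with padding, not a full image); pass real .vhd paths on the command line to report on those instead.

```python
"""Inspect VHD footers and compare converted images by size and hash.

Added example, not code from the original post or from Microsoft/StarWind.
Every .vhd ends with a 512-byte footer (Microsoft VHD format) whose
"Disk Type" field says whether the image is Fixed (static) or Dynamic.
Sample images below are constructed in memory.
"""
import hashlib
import struct
import sys

# Footer layout from the VHD specification; every integer is big-endian.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)   # 512 bytes
CHECKSUM_OFFSET = 64                        # byte offset of the checksum field
DISK_TYPES = {0: "None", 2: "Fixed", 3: "Dynamic", 4: "Differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Decode the fields a conversion check cares about; raise on a non-VHD footer."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("VHD footer must be exactly %d bytes" % FOOTER_SIZE)
    (cookie, _features, _version, data_offset, _stamp, creator, _cver, _host,
     original_size, current_size, _geometry, disk_type, checksum, _uid,
     _saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("not a VHD footer: bad cookie %r" % cookie)
    return {
        "creator": creator.decode("ascii", "replace"),
        "disk_type": DISK_TYPES.get(disk_type, "Unknown(%d)" % disk_type),
        "original_size": original_size,   # guest-visible size in bytes
        "current_size": current_size,
        "data_offset": data_offset,       # 0xFFFFFFFFFFFFFFFF for fixed disks
        "checksum_ok": checksum == vhd_checksum(footer),
    }


def summarize_image(blob: bytes) -> dict:
    """Size on disk, SHA-256 and footer details for a whole .vhd held in memory."""
    if len(blob) < FOOTER_SIZE:
        raise ValueError("file too small to be a VHD")
    info = parse_vhd_footer(blob[-FOOTER_SIZE:])
    info["size_on_disk"] = len(blob)
    info["sha256"] = hashlib.sha256(blob).hexdigest()
    return info


def summarize_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same report for a .vhd on disk, streamed so a 200GB image is not read into RAM."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
        if size < FOOTER_SIZE:
            raise ValueError("file too small to be a VHD: %s" % path)
        fh.seek(-FOOTER_SIZE, 2)
        info = parse_vhd_footer(fh.read(FOOTER_SIZE))
    info["size_on_disk"] = size
    info["sha256"] = digest.hexdigest()
    return info


def build_footer(disk_type: int, size: int, creator: bytes = b"demo") -> bytes:
    """Construct a checksum-valid footer for demonstration (not real converter output)."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else FOOTER_SIZE
    raw = struct.pack(FOOTER_FMT, b"conectix", 2, 0x00010000, data_offset, 0,
                      creator, 0x00010000, b"Wi2k", size, size, 0, disk_type, 0,
                      b"\x00" * 16, 0, b"\x00" * 427)
    checksum = struct.pack(">I", vhd_checksum(raw))
    return raw[:CHECKSUM_OFFSET] + checksum + raw[CHECKSUM_OFFSET + 4:]


def constructed_samples() -> tuple:
    """Two 4096-byte stand-ins: a Fixed image and a Dynamic one of equal length."""
    fixed = b"\x00" * (4096 - FOOTER_SIZE) + build_footer(2, 4096 - FOOTER_SIZE)
    dyn_footer = build_footer(3, 200 * 1024 ** 3)   # 200GB guest disk, like /dev/sdb
    dynamic = dyn_footer + b"\x00" * (4096 - 2 * FOOTER_SIZE) + dyn_footer
    return fixed, dynamic


if __name__ == "__main__":
    images = ([summarize_file(p) for p in sys.argv[1:]]
              or [summarize_image(b) for b in constructed_samples()])
    for info in images:
        print("%-8s %14d bytes on disk  guest size %14d  checksum_ok=%s  sha256=%s"
              % (info["disk_type"], info["size_on_disk"], info["current_size"],
                 info["checksum_ok"], info["sha256"][:16]))
```

Comparing size_on_disk with current_size shows whether a dynamic image has been fully expanded, and disk_type shows whether the converter honoured a dynamic request at all; a differing sha256 for two same-size files is the same observation the md5sum listing above makes.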

As a side note, Microsoft does have an OVA import tool, but it only links in with their paid System Center application.

Conclusion

Obviously Microsoft is looking to take away virtualization market share from VMWare and VMWare is trying to maintain that market share and ideally expand their footprint. The problem is, neither solution is perfect (or anywhere near it). Thus there is no clear winner as both companies and products have substantial limitations for the free at-home hacker.

There are plenty of lessons learned if these companies would like to woo the nerds of the world which will ultimately help influence corporate purchasing.

Microsoft:
  1. Continue innovating
  2. Clean up the remote management process - Very nice of John Howard to create the hvremote.wsf script, however it should not be necessary. Kudos to John though.
  3. Enable file transfer through Hyper-V manager
  4. Become more flexible to allow users to convert operating systems other than a Microsoft OS (yes, they do exist)
  5. Import OVA files directly within Hyper-V manager
  6. Better promote adoption with the nerds - more instructional videos - better, more consolidated help and resources - Have official advice instead of relying on blogs and user base to provide support.


VMWare:
  1. Start innovating again
  2. Increase memory limits of ESXi
  3. Improve critical items on the Hardware Compatibility List (HCL). Support the most common devices.


Feedback welcome

In the meantime, we would love to hear your feedback. Have you been experiencing similar issues with these products? Do you have any free Type 1 hypervisors that you would recommend? Are you a fan of XenServer, KVM, or something else? Please chime in with your favorites.

Tuesday, April 30, 2013

Setting up your Hacking Playground - Hyper-V Quick Setup [Part 2]

By Tony Lee.

In the first part of this series, we did a high-level comparison between the free versions of VMWare ESXi and Microsoft’s Hyper-V. In this part, we will explore the insane (and absurd) challenge that exists when setting up Hyper-V to be a remotely managed, headless server. Finally, in the last part of the series, we will give you the essentials needed to start using Hyper-V and present the winner of our Geek Playground comparison.

Hyper-V manager installation

Hyper-V Server 2012 installation was smooth--maybe a little too smooth… There has to be a catch, right? Of course there is! The remote management setup is extremely frustrating and unpolished. In fact, I am a little surprised Microsoft released a product that has so many issues. All I want to do is connect to the server from my laptop and manage the VMs! Fortunately, since I had to struggle through the setup, I figured I would document the process to hopefully save you some sleepless nights.

Here comes the ugly so hold on to your knickers!

Downloading and installing the client

Windows 7 Hyper-V Manager can be downloaded as part of Remote Server Administration Tools for Windows 7.

Caveat: “Remote Server Administration Tools for Windows 7 with SP1 can be installed ONLY on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7 or Windows 7 with SP1.” -- So no Home Edition… Sorry folks.

Ironically, the Remote Server Administration Tools (RSAT) client took longer to install than the Hyper-V server. Crazy!

Enabling Hyper-V tools

After install, if you are like me, you are wondering why you cannot locate Hyper-V Manager in the start menu. Then it dawns on you that you have to enable that as a Windows feature shown in the screenshot below:



Microsoft’s obfuscation skills increase by 10

Enabling Remote Management

Whew! So, all is good, right? We can open the Hyper-V Manager client and click "Connect to Server"… But when we enter the IP of the remote server, we get an error message:

“An error occurred while attempting to connect to server [HOSTNAME]. Check that the Virtual Machine Management service is running and that you are authorized to connect to the server. You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer [HOSTNAME].”

Huh?



After Googling around, I found a series of posts by John Howard, a Senior Program Manager in the Hyper-V team. This series of posts included a very detailed, but lengthy, explanation on how to fix this issue. Not placing fault on John here, but in my opinion, maybe Microsoft should just fix the issue? It is hard to imagine that the product would be released with this frustrating limitation. When using VMWare vSphere client, you just enter the IP/Hostname and some credentials--what is so difficult about that?

Fortunately, John Howard was nice enough to also create a tool to do all of this configuration magic for us, the "Hyper-V Remote Management Configuration Utility". However, this is not just any tool; I was amazed to see that it is a 6,300 line VB script! John must be a wizard or something. :)

Hyper-V Remote Management Configuration Utility

Download from:


Copy the hvremote.wsf script to the server. From the server, map the C drive of your client laptop (net use * picks the next free drive letter; in my case it was Z:):

 net use * \\laptop\C$ "password" /U:local\[user]

copy z:\users\[user]\Desktop\hvremote.wsf c:\




Setting up Accounts

Since my laptop was already a member of a domain and the server is a member of a workgroup, I used the provided “10 second guide” instructions:

Server Side

Add user syntax:
 net user [username] "[password]" /add

ex:
net user tony "SecretPassword" /add




Grant user access syntax:
 cscript hvremote.wsf /add:[username]

ex:
cscript hvremote.wsf /add:tony




Client Side

 cmdkey /add:[servername] /user:[servername]\[accountname] /pass

ex:
cmdkey /add:VMServer /user:VMServer\tony /pass




Enabling Ping on Hyper-V

On your Hyper-V host, in the blue configuration command prompt (sconfig.cmd):

Select #4: Configure Remote Management -> #3 Configure Server Response to Ping

Add server name to client’s hosts file

From elevated command prompt on client (start -> cmd -> right click -> Run as Administrator):

 write c:\windows\system32\drivers\etc\hosts
[IP address]  [Hostname]

ex:
192.168.2.130   VMServer




Reboot server!

Verify proper functionality

Run the following command on both computers:

 cscript hvremote.wsf /show /target:othercomputername

ex from laptop:
cscript hvremote.wsf /show /target:VMServer

ex from server:
cscript hvremote.wsf /show /target:laptop




You should now be able to bring up Hyper-V Manager and connect to the server.



Disk management

Now that we can access the Hyper-V server through Hyper-V Manager, we may need to make the extra disk drives in the server usable. Most people point and click via the GUI, but you can also manage the disks via the command line interface. CLI knowledge is critical for the free version of Hyper-V.

To list the logical drive letters, we can use:

 wmic logicaldisk get name,description
Description       Name
Local Fixed Disk  C:
CD-ROM Disc       D:
CD-ROM Disc       E:




We have two extra hard drives (2x2TB) that do not show up as usable. We will fix that with Diskpart.

Diskpart foo

 C:\Users\Administrator>diskpart

Microsoft DiskPart version 6.2.9200

Copyright (C) 1999-2012 Microsoft Corporation.
On computer: VMSERVER

DISKPART> list letter

Microsoft DiskPart version 6.2.9200

DISK        - Display a list of disks. For example, LIST DISK.
PARTITION   - Display a list of partitions on the selected disk.
              For example, LIST PARTITION.
VOLUME      - Display a list of volumes. For example, LIST VOLUME.
VDISK       - Displays a list of virtual disks.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 1     E                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 3                      NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot




So, we have confirmed that my two DVD burners are D and E… I wanted to change that to F and G and then assign drive letters D and E to my other hard drives.
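DiskPart’s fixed-width output is easy to read by eye but awkward to check from a script. As an added example (not from the original post), the Python below parses the list volume table above by the dashed ruler line, so a script can report which letters the DVD drives hold and which healthy partitions still have no letter; the transcript is embedded as constructed sample input, and the DiskPart commands it suggests are the same select volume / assign letter steps used in the rest of this section, handing out the next free letter from D onward.

```python
"""Parse DiskPart "list volume" output and find volumes still needing a letter.

Added example, not part of the original post. DiskPart prints fixed-width
columns, so the parser takes the column spans from the dashed ruler line
under the header and slices every row at those positions.
"""
import re
from typing import Dict, List

# Constructed sample input: the "list volume" transcript from the post.
SAMPLE_LIST_VOLUME = """\
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 1     E                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 3                      NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot

DISKPART> exit
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def parse_size(text: str) -> int:
    """'1862 GB' -> bytes, using DiskPart's binary units."""
    number, unit = text.split()
    return int(float(number) * UNITS[unit])


def parse_list_volume(text: str) -> List[Dict[str, str]]:
    """Return one dict per table row, keyed by the header names."""
    lines = text.splitlines()
    # The ruler is the first non-empty line made only of dashes and spaces.
    ruler = next(i for i, ln in enumerate(lines)
                 if ln.strip() and set(ln.strip()) <= set("- "))
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[ruler])]
    names = [lines[ruler - 1][s:e].strip() for s, e in spans]
    rows = []
    for ln in lines[ruler + 1:]:
        if ln.startswith("DISKPART>"):      # the next prompt ends the table
            break
        if not ln.strip():
            continue
        row = {name: ln[s:e].strip() for name, (s, e) in zip(names, spans)}
        row["selected"] = "yes" if ln.startswith("*") else ""
        rows.append(row)
    return rows


def optical_letters(rows: List[Dict[str, str]]) -> List[str]:
    """Drive letters currently held by DVD/CD-ROM volumes."""
    return [r["Ltr"] for r in rows if r["Type"] == "DVD-ROM" and r["Ltr"]]


def unlettered_data_volumes(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Healthy partitions with no letter, excluding the System Reserved volume."""
    return [r for r in rows
            if r["Type"] == "Partition" and not r["Ltr"]
            and r["Status"] == "Healthy" and r["Info"] != "System"]


def suggest_assignments(rows: List[Dict[str, str]], first: str = "D") -> List[str]:
    """DiskPart commands giving each unlettered data volume the next free letter."""
    used = {r["Ltr"] for r in rows if r["Ltr"]}
    free = (chr(c) for c in range(ord(first), ord("Z") + 1) if chr(c) not in used)
    commands = []
    for r in unlettered_data_volumes(rows):
        number = r["Volume ###"].split()[-1]
        commands += ["select volume %s" % number, "assign letter=%s" % next(free)]
    return commands


if __name__ == "__main__":
    volumes = parse_list_volume(SAMPLE_LIST_VOLUME)
    print("optical drives on:", ", ".join(optical_letters(volumes)))
    for r in unlettered_data_volumes(volumes):
        print("no letter: %s (%d bytes)" % (r["Volume ###"], parse_size(r["Size"])))
    for cmd in suggest_assignments(volumes):
        print("DISKPART>", cmd)
```

On the sample, the DVD drives come back as D and E and Volume 3 (the 1862 GB NTFS partition) is the one without a letter; because D and E are taken, the suggested letter is F, which is why the post first moves the burners to F and G before assigning D and E to the data disks.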

 DISKPART> select volume 0

Volume 0 is the selected volume.

DISKPART> assign letter=F

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     E                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot





Now, for the other one:
 DISKPART> select volume 1

Volume 1 is the selected volume.

DISKPART> assign letter=G

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
* Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot




Now, to partition, format and assign drive letters to the other disks:
 DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         1863 GB  1862 GB
  Disk 1    Online         1863 GB  1863 GB        *
* Disk 2    Online          167 GB      0 B

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            350 MB  1024 KB
* Partition 2    Primary           1862 GB   351 MB

DISKPART> format fs=ntfs quick

  100 percent completed

DiskPart successfully formatted the volume.

DISKPART> assign letter=D

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
* Volume 3     D                NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot





Now, for the last drive:

 DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
* Disk 0    Online         1863 GB      0 B
  Disk 1    Online         1863 GB  1863 GB        *
  Disk 2    Online          167 GB      0 B

DISKPART> select disk 1

Disk 1 is now the selected disk.

DISKPART> list partition

There are no partitions on this disk to show.

DISKPART> create partition primary

DiskPart succeeded in creating the specified partition.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
* Partition 1    Primary           1863 GB  1024 KB

DISKPART> format fs=ntfs quick

  100 percent completed

DiskPart successfully formatted the volume.

DISKPART> assign letter=E

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     F                       DVD-ROM         0 B  No Media
  Volume 1     G                       DVD-ROM         0 B  No Media
  Volume 2         System Rese  NTFS   Partition    350 MB  Healthy    System
  Volume 3     D                NTFS   Partition   1862 GB  Healthy
  Volume 4     C                NTFS   Partition    167 GB  Healthy    Boot
* Volume 5     E                NTFS   Partition   1863 GB  Healthy

DISKPART> exit

Leaving DiskPart...

C:\Users\Administrator>e:

E:\>dir
 Volume in drive E has no label.
 Volume Serial Number is 2015-54E4

 Directory of E:\

File Not Found

E:\>d:

D:\>dir
 Volume in drive D has no label.
 Volume Serial Number is 5CC4-3887

 Directory of D:\

File Not Found





Finally! We can use all of the hard drives:



Final thoughts

Wow, that was painful. And we did not even do the hard work. Fortunately, John Howard did the heavy lifting and then made things relatively easy with his awesome script. I still cannot believe Microsoft would release a product that requires that much configuration for something that should be so simple. Stay tuned for our next article on actually using Microsoft’s Hyper-V and of course the conclusion of our comparison between VMWare ESXi and Hyper-V 2012.

Tuesday, April 23, 2013

Setting up your Hacking Playground - VMWare vs HyperV

By Tony Lee.

I am beginning to think that it is a universal truth that geeks love to build some sort of playground or work area for their experiments. Whether that is physical or digital, it becomes a sort of escape--a place to try out new ideas without destroying something of value. If you are nodding your head in agreement then you know what I am talking about.

Before virtualization, we had computers stacked on top of computers just to run a digital playground. After all, what fun is a single-host network? Then came the prevalence of virtualization, and the market was easily dominated by the trailblazing VMWare. Virtualization not only helped me save on hardware, but also power, space, and cooling. As a matter of fact, I think it was about this time that I discovered that HVAC was required to heat the house during the winter months. ;)

In the past, I have exclusively used VMWare for my at-home virtual environment, starting way back with VMWare Server for Linux (a type 2, aka hosted, hypervisor) and eventually moving to ESXi (a type 1, aka native or bare metal, hypervisor). However, I recently built a new rig and had to decide whether to go back to VMWare ESXi or try out Microsoft’s Hyper-V Server 2012 (both type 1). I took a little bit of time to document my experiences, and I think you will be as surprised as I was with the results. Hopefully this will save you a few of the sleepless nights that I lost along the way.

**Keep in mind, most hackers are not independently wealthy and thus we will be using FREE PRODUCTS ONLY! Sure, our employers can drop 10k or even 60k on all the bells and whistles, but we are trying to build a production-like environment for our at-home use.**

On with the geek holy war! (Maybe for the next set of articles, we will throw in XenServer to really spice things up).

Comparison

For a quick summary, I threw everything together in the table below. Read on for more details:

Category | VMWare | Hyper-V | Winner
Hardware Compatibility | Horrible - NIC driver missing on my setup | Excellent - no issues | Hyper-V
RAM supported | 32 GB | All 64 GB - up to 4TB | Hyper-V
Stability | Bad - Purple screen of death | Excellent - no issues so far | Hyper-V (in my case - most likely due to HW compatibility)
Boot speed | Slow - minutes to complete | Fast - 30 seconds or less | Hyper-V
Features | More developed and refined features | Free Hyper-V is missing file transfer to datastores and a free, robust virtual machine converter | VMWare - mainly due to Linux OS support, more robust management and conversion clients
Management | vSphere client, Workstation, SSH | RDP, Hyper-V Manager | Tie - VMware wins in VM management and conversion, however Microsoft wins in hypervisor management
Size of hypervisor | 4GB | 8GB | VMWare


Hardware

The hardware for this hacker playground is as follows:

  • Cooler Master 932 High Air Flow (HAF) full tower chassis
  • Intel i7-3930K processor - Liquid cooled
  • ASRock X79 Extreme6 motherboard
  • 64 GB Corsair RAM
  • 180 GB Intel SSD hard drive
  • 2 x 2 TB Western Digital Hard Drives
  • 2 x ASUS DVD Burners


Note the amount of RAM; it becomes important later.

Playground requirements

When designing the virtual arena, I had a few requirements in mind:

  • Utilize the hardware above
  • Ease of installation
  • Stable environment
  • Fast VM provisioning
  • Quick snapshot recovery
  • Ability to share VM access


Marketing

Both VMWare and Microsoft obviously spend money on professional marketing and comparisons. Depending on who you listen to--each will claim that they are cheaper than the other:

"VMware (finally) admits that its costs are higher than Microsoft’s" - From Microsoft

VMWare Responds: “Flawed Logic Behind Microsoft’s Virtualization and Private Cloud Cost Comparisons”

And third parties chime in: “HYPER-V VS. VMWARE COMPARISON”

However, for my hacker playground, I won’t need platinum support. Ultimately, it will come down to how many features I can get for the low, low price of free. On paper, it appears that Microsoft steals the show.

In fact, here is a competitive feature comparison from Microsoft. This comparative analysis paper points out VMWare’s greatest limitation of the free ESXi product. ESXi has a hard limit of 32GB of RAM unless you license the product. Remembering back to the hardware statistics stated earlier, my rig has 64GB of RAM. A few years ago that amount of RAM would have been out of the price range for the average consumer--however, now it is only $300! Wake up VMWare! We can build home boxes that exceed what you support in the free ESXi. How about Microsoft Hyper-V Server 2012? Do they have this limitation? Not even close! Check out the graphic below, they support up to 4TB!



Well, this cannot be true. Can we find something from VMWare that confirms this 32GB limit for free ESXi? Sure can, see the image below from VMWare:



Wow. That is a tough obstacle for VMWare to overcome. That leaves me three options:

  1. Stay with their product and disable half of my memory
  2. Pay thousands to license it for my house
  3. Adopt Microsoft’s Hyper-V or another virtualization product

Ok, this crippling limitation aside, let’s see how they compare in overall experience.

ESXi experience

To describe my personal ESXi experiences, I grouped the experiences into a handful of categories below.

Hardware compatibility

I must be honest in saying that my most recent overall ESXi experience has been horrible--mainly due to the very limited hardware compatibility list (HCL) and the 32GB limit on RAM. If your hard drive controller is on the list, your NIC isn’t, or vice versa. The average home system running a reasonably priced motherboard is most likely not going to be 100% compliant with the HCL, which means building your own custom image with added drivers. I had to hunt around to find an article that explained how to create a custom USB ESXi image with extra drivers for the components I was missing. On top of that, the version of ESXi that I could get the drivers loaded on was very unstable. Overall, it was the RAM limitation and the hardware compatibility issues that prompted me to look at other virtualization solutions--the hardware compatibility list for VMWare is horrid.

RAM supported

Did I mention that ESXi embarrassingly only supports 32GB of RAM?

Stability

The next category of importance was stability. With VMWare ESXi, I would get a purple screen of death--yes, that’s right, purple. After much research I found lots of other people with the same problem, but no real solution other than upgrading the version of the image, which would cause me to lose my drivers. I would just purchase another NIC (that is on the HCL) in order to overcome the stability and driver issues, but I would still have the RAM limitation to deal with.

Boot speed

VMWare ESXi takes forever to boot/reboot. Minutes. Sometimes as long as 5 minutes to completely start all of the services. I hated rebooting ESXi and avoided it when possible.

Features

VMware is great about supporting ALL operating systems--including Linux. The data store management is a breeze with included file transfer capabilities. Included performance meters are useful and sometimes necessary for a bit of troubleshooting. Resource pools are very handy in provisioning. Free stand-alone VMWare converter is also a very useful and flexible tool.

Management

vSphere Client as well as VMWare Workstation can both be used to manage your virtual machines. Management of the server itself is either done at the console or via SSH. I feel like Microsoft edges out VMWare here by providing RDP to the Hyper-V server.

Size of hypervisor

VMWare has Hyper-V beat here. My guess is that VMWare has a smaller footprint because it has less hardware support (since it didn't support mine). As a result, ESXi can be installed on a 4GB thumb drive instead of an 8GB. Is it really that big of a deal? Probably not.

Hyper-V experience

Here's my experience with Hyper-V in the same categories:

Hardware compatibility

No compatibility issues here! I did not have to build a custom image with third party drivers. Download the ISO, burn it, install and done.

RAM Supported

My entire 64GB of RAM is utilized. In fact, if I could afford 4TB of RAM, free Hyper-V would support that too. No competition here.

Stability

So far, this has been rock solid. Even with multiple VMs running and really stressing the box, I have had no issues.

Boot speed

Wow, does Hyper-V reboot fast. Not only did it install in less than 10 minutes, but it reboots in 30 seconds! Moreover, 20 of those seconds are spent in my computer's POST (64GB of RAM takes a little bit of time to check). So, really, Hyper-V was booting in 10 seconds.

Features

Here is one category where Microsoft falls short. Keep in mind, I am purely going off of what is available for free (Microsoft System Center is not free)--but I miss being able to upload and download files to the datastore. With ESXi, we could use vSphere to upload and download ISOs or even VMs. With Hyper-V Manager, you have no file transfer capability. The FREE stand-alone VMWare converter could convert many types of VMs into VMWare VMs--including Hyper-V virtual machines. Microsoft's converter tool is much more limited. This will be discussed in Part III of this series.



Management

One added bonus in Hyper-V is the ability to remotely administer your VMServer using RDP with Hyper-V as opposed to command line over SSH with VMWare. This is a really nice convenience when you don’t want to get up off the couch to go into the office.



To manage the virtual machines, you can use Hyper-V Manager. This tool even looks similar to vSphere client which helps to reduce the learning curve.



But before we even get to being able to use Hyper-V manager, stay tuned for Part II of this series detailing my experience plus tips and tricks on how to do some under the hood work to get remote management working. This is BY FAR Microsoft’s biggest shortcoming on this product--closely followed by its lack of support for Linux and very limited conversion tool. To be honest, the difficulty with enabling remote management almost made me give up on it before even installing the first virtualized OS.

Size of hypervisor

As mentioned before, VMWare has a smaller footprint, but I would take a larger footprint combined with an easier install and more stability any day of the week.

Final Thoughts

I have been a long-time adopter and advocate of VMWare, however I feel that they may have been riding on the waves of their success for too long. Unfortunately, in the absence of real competition, they could afford to do so. Now that Microsoft (and others) have moved into this arena and become a major threat--especially with Hyper-V 2012, I am looking forward to seeing both companies continue to innovate new features and enhance the end-user's experience in the near future. I am very impressed with Hyper-V (after remote management is set up), but I still virtualize both Linux and Windows, plus I consume virtual appliances which are almost always created as VMWare images--both of these issues may be a problem with Hyper-V. However, at this time it appears that Hyper-V has the edge, but you won't know the real winner until the final article.

Stay tuned for part II of this series which outlines the painful steps in setting up remote management. There may be tips and tricks that will hopefully save you lots of time. Thanks for reading. :)

Tuesday, April 16, 2013

Creating, Extracting, and Signing JARs

By Raakesh T.

Java Archive (JAR) is a cross-platform archive file format used to compress and bundle multiple files (e.g. Java class files), metadata and resources into a single file with the .jar file extension. It is the preferred way for packaging Java applets or applications into a single archive, so that they may be downloaded by a browser with only a single request and response.

JAR files use the ZIP file format, so any ZIP tool can open them; they fill a role similar to UNIX tape archives (TAR), and they can be digitally signed so that the publisher's identity and the integrity of the contents can be verified.

Users can create or extract JAR files using the jar command that comes with a Java Development Kit (JDK). Ordinary ZIP tools work as well; however, when building a JAR with one, note that the manifest (META-INF/MANIFEST.MF) should be the first entry in the archive. That is the order the jar tool produces, and stream-based readers such as JarInputStream only recognize the manifest when it is at the start of the file.

Creating JAR Files

To create a JAR file using the JDK jar utility:

 C:\Java> jar cf Name.jar  *.class 


  • c - Creates a new archive.
  • f - Specifies the JAR file to be created.


In the above example all the class files in the present directory will be bundled into the file called Name.jar file.

To include a subdirectory in the JAR file:

 C:\Java> jar cf Name.jar  *.class SubDirectory 


The above example would bundle all the class files in the present directory and the all the contents in the subdirectory SubDirectory into a JAR file name Name.jar.

The MANIFEST

The manifest file, META-INF/MANIFEST.MF, is generated automatically by the jar tool and is always written as the first entry in the JAR. It holds meta-information about the archive as name: value pairs, one attribute per line, grouped into sections that are separated by blank lines.

If you have a pre-existing manifest file and want to include specific name: value pairs from it, you can specify it with the m option:

 C:\Java> jar cmf myManifestFile Name.jar *.class 


Be sure that any pre-existing manifest file that you use ends with a newline. Note that the order of the option letters matters, because it dictates the order of the arguments that follow: with cmf the manifest file comes first and then the JAR file, while with cfm the JAR file comes first and then the manifest. The following is equivalent to the previous command:

 C:\Java> jar cfm Name.jar myManifestFile *.class 


Now the MANIFEST.MF has the following:

 Manifest-Version: 1.0
 Created-By: 1.7.0_17 (Oracle Corporation) 


Signing JAR Files

The jarsigner utility within the JDK can sign and verify JAR files. JAR signing relies on public-key cryptography and a PKI (Public Key Infrastructure): the signer holds a key pair, keeps the private key to themselves (securely, ideally in a protected keystore or hardware token) and distributes the public key in an X.509 certificate. The private key produces a digital signature over the archive's digest values, and anyone holding the certificate verifies that signature with the public key. (Strictly speaking, a signature is not "encryption of the hash"; with DSA, for example, no encryption operation is involved at all.) For the certificate itself to be trusted, it has to chain up to a Certificate Authority (CA) that the verifier already trusts. (A full discussion of CAs is out of scope.)

When you sign the JAR file, jarsigner adds the signature-related files to the META-INF directory; the signer's certificate (and with it the public key) travels inside the signature block file described below. A digest (hash) is computed for every file in the JAR and recorded in the manifest:

 Name: Name.class
SHA-256-Digest: (a 256-bit hash value for the file)


A signature file with the extension ".SF" is created in the META-INF directory. It contains a digest of the entire manifest, a digest of the manifest's main section and, for each entry, a digest of that entry's manifest section (not of the file itself, which the manifest already covers). It is this .SF file, rather than each individual entry, that is signed with the signer's private key:
 Signature-Version: 1.0
SHA-256-Digest-Manifest-Main-Attributes: (base64 form of SHA-256 digest)
SHA-256-Digest-Manifest: (base64 form of SHA-256 digest)
Created-By: 1.7.0_17 (Oracle Corporation)

Name: Name.class
SHA-256-Digest: (base64 form of SHA-256 digest)


A signature block file is also created in the META-INF directory. Its extension reflects the signer's key algorithm: ".DSA" for a DSA (Digital Signature Algorithm) key, ".RSA" for an RSA key. It is a DER-encoded PKCS#7 structure holding the digital signature over the .SF file together with the signer's certificate (and therefore public key) and usually the rest of the certificate chain.

The signature related files are:

  • META-INF/MANIFEST.MF
  • META-INF/*.SF
  • META-INF/*.DSA
  • META-INF/*.RSA
  • META-INF/SIG-*


Note that if such files are located in META-INF subdirectories, they are not considered signature-related.

Before we sign the JAR file, we need a key pair: the private key creates the signature over the JAR's digests and the certificate holding the public key lets others verify it. The JDK provides the keytool utility for managing keys and certificates in keystores, and the jarsigner utility for signing JAR files with them.

Generating keys

First you must create a pair of keys (private-public) which is used to sign the JAR and authenticate you. These keys can be generated using the keytool command. The generated keys are stored in a keystore file. Each set of keys is associated with a unique name, known as its alias. To generate the keys:

 C:\Java> keytool -genkey -alias alias-name -keystore keystore-name


Following the above command you will be asked for the keystore password (or to create one if the keystore does not yet exist), and then to answer a series of questions (name, organizational unit, organization, city, state, country code) that record your identity in the certificate's Distinguished Name. Then you will be asked to choose a password for the key you just created. Note that in JDK 7 -genkey produces a 1024-bit DSA key by default, which is why the signature block in this example is a .DSA file; pass -keyalg RSA -keysize 2048 to get an RSA key (and a .RSA block) instead.

To list the contents of keystore:

 C:\Java>keytool -keystore keystore-name -list 


Now the key pair is generated which will be used to sign the JAR.

Signing

To sign the JAR file, use the following command
 C:\Java>jarsigner -keystore keystore-name -storepass keystore-password -keypass key-password jar-file alias-name 


Note: Including the passwords on the command line is usually a bad idea, since they end up in the shell history and are visible to other users in the process list. If you leave out -storepass and -keypass, jarsigner will prompt you for them.

Check if a JAR is Signed

Your browser will automatically verify signed applets; if verification fails, it throws a warning similar to the one below:



Download the JAR file and verify it yourself. You can extract the downloaded JAR with a ZIP utility and manually parse the MANIFEST.MF and .SF data in the META-INF subdirectory.



The above option will not give any certificate information like Owner, Issuer or validity.
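Parsing the manifest and .SF file "by hand" means recomputing the digests they carry. The following is an added example, not code from the original post or from the JDK: it builds a small in-memory JAR laid out the way jarsigner lays one out (MANIFEST.MF first, then a SIGNER.SF; the .DSA/.RSA signature block is omitted), then recomputes every digest and reports anything that does not match. The class bytes, entry names and the signer file name SIGNER.SF are constructed for the example, and the sample manifest uses LF line endings with no 72-byte line wrapping (the parser still honours continuation lines). What it does not do is check the PKCS#7 signature over the .SF file or the certificate chain; that is exactly what jarsigner -verify adds on top of these digest checks.

```python
"""Added example: recompute the digests inside a signed JAR by hand.
MANIFEST.MF holds one SHA-256-Digest per entry (over the entry's bytes);
the .SF holds a digest of the whole manifest, of its main section, and one
per entry over that entry's *manifest section*. The PKCS#7 signature over
the .SF (the .RSA/.DSA block) is not checked here; jarsigner -verify does that."""
import base64
import hashlib
import io
import zipfile


def b64_sha256(data):
    """Digest in the form jarsigner writes: base64 of the raw SHA-256."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sections(manifest_bytes):
    """Split manifest text into sections, each kept with its trailing blank line
    (the .SF section digests cover it). The first one is the main section."""
    return [p + b"\n\n" for p in manifest_bytes.split(b"\n\n") if p.strip()]


def parse_attrs(section_bytes):
    """Parse 'Key: value' lines; a leading space marks a continuation line (72-byte wrapping)."""
    attrs, last = {}, None
    for line in section_bytes.decode("utf-8").splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif line:
            last, _, value = line.partition(": ")
            attrs[last] = value
    return attrs


def build_sample_jar(tamper=False):
    """Constructed in-memory JAR with MANIFEST.MF and SIGNER.SF laid out as jarsigner
    does (signature block omitted, not a real class). tamper=True edits Name.class afterwards."""
    entries = {"Name.class": b"\xca\xfe\xba\xbe constructed class bytes",
               "resources/app.properties": b"mode=release\n"}
    manifest = "Manifest-Version: 1.0\nCreated-By: 1.7.0_17 (Oracle Corporation)\n\n"
    for name, data in entries.items():
        manifest += "Name: %s\nSHA-256-Digest: %s\n\n" % (name, b64_sha256(data))
    manifest_bytes = manifest.encode("utf-8")
    main_section, *entry_sections = sections(manifest_bytes)
    sf = ("Signature-Version: 1.0\n"
          "SHA-256-Digest-Manifest-Main-Attributes: %s\n"
          "SHA-256-Digest-Manifest: %s\n"
          "Created-By: 1.7.0_17 (Oracle Corporation)\n\n"
          % (b64_sha256(main_section), b64_sha256(manifest_bytes)))
    for sec in entry_sections:  # per-entry .SF digest is over the manifest SECTION
        sf += "Name: %s\nSHA-256-Digest: %s\n\n" % (parse_attrs(sec)["Name"], b64_sha256(sec))
    if tamper:  # post-signing modification that the digests must catch
        entries["Name.class"] = b"\xca\xfe\xba\xbe patched class bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_bytes)  # first entry, as the spec wants
        z.writestr("META-INF/SIGNER.SF", sf.encode("utf-8"))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_jar_digests(jar_bytes):
    """Return a list of findings; an empty list means every digest checks out."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        if names[0] != "META-INF/MANIFEST.MF":
            problems.append("MANIFEST.MF is not the first entry")
        manifest = z.read("META-INF/MANIFEST.MF")
        # Only files directly under META-INF/ count as signature-related.
        sf_names = [n for n in names if n.upper().startswith("META-INF/")
                    and n.upper().endswith(".SF") and n.count("/") == 1]
        if not sf_names:
            return problems + ["no .SF file: jar is unsigned"]
        main_section, *entry_sections = sections(manifest)
        by_name = {parse_attrs(s)["Name"]: s for s in entry_sections}
        # 1. Manifest digests against the actual entry contents.
        for name, sec in by_name.items():
            if name not in names:
                problems.append("%s: listed in manifest but missing from jar" % name)
            elif parse_attrs(sec).get("SHA-256-Digest") != b64_sha256(z.read(name)):
                problems.append("%s: content does not match its manifest digest" % name)
        for n in names:  # entries the manifest never covered carry no signature at all
            if not n.upper().startswith("META-INF/") and not n.endswith("/") and n not in by_name:
                problems.append("%s: not covered by the manifest (unsigned entry)" % n)
        # 2. .SF digests against the manifest they were computed over.
        for sf_name in sf_names:
            sf_main, *sf_entries = sections(z.read(sf_name))
            sf_attrs = parse_attrs(sf_main)
            if sf_attrs.get("SHA-256-Digest-Manifest") != b64_sha256(manifest):
                problems.append("%s: whole-manifest digest mismatch" % sf_name)
            if sf_attrs.get("SHA-256-Digest-Manifest-Main-Attributes") != b64_sha256(main_section):
                problems.append("%s: main-attributes digest mismatch" % sf_name)
            for s in sf_entries:
                attrs = parse_attrs(s)
                sec = by_name.get(attrs.get("Name"))
                if sec is None or attrs.get("SHA-256-Digest") != b64_sha256(sec):
                    problems.append("%s: section digest for %s does not match the manifest"
                                    % (sf_name, attrs.get("Name")))
    return problems
```

Running verify_jar_digests(build_sample_jar()) returns an empty list, while verify_jar_digests(build_sample_jar(tamper=True)) reports only that Name.class no longer matches its manifest digest: the .SF still agrees with the manifest, which is the point of the two-layer layout. An attacker who edits both the class and its manifest digest is caught at the next layer (the .SF digest of the manifest), and one who rewrites the .SF too is only caught by the signature block, which is why a plain digest check like this is never a substitute for jarsigner -verify against a trusted CA chain.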

The JAR file can be verified using jarsigner. The basic command to use for verifying a signed JAR file is:

 C:\Java>jarsigner -verify jar-file



If the JAR is unsigned, the response would be:

 jar is unsigned. (signatures missing or not parsable)



If the JAR is signed but the certificate has expired, the utility still reports "jar verified" (the signature itself checks out) but warns that the certificate is expired, so read the warnings rather than stopping at the first line:

 jar verified.
Warning:
This jar contains entries whose signer certificate has expired.
This jar contains entries whose certificate chain is not validated.



When you get the certificate-expired message, you can read the certificate information with keytool:

 C:\Java>keytool -printcert -jarfile jar-file.jar





The above output would reveal the Owner, Issuer and Validity Information of the certificate.

It is also possible to read the certificate information from the .DSA file. To do so, extract the JAR file using a ZIP utility and then use openssl:

  C:\>openssl pkcs7 -in signature-file.DSA -inform DER -print_certs -text





Conclusion

Signing a JAR with a valid signature lets users verify who published a component and detect any modification made after it was published. Keep in mind what it does not do: a valid signature says nothing about whether the code is safe, only that it has not changed since the holder of that key signed it.

For more information - check out our whitepaper here:




Tuesday, April 9, 2013

Hacking EAP-FAST Phase 0 with hostapd-wpe

By Brad Antoniewicz.

EAP-FAST (Flexible Authentication via Secure Tunneling) [RFC 4851] is an EAP-Type developed by Cisco "to support customers that cannot enforce a strong password policy and want to deploy an 802.1x EAP type that does not require digital certificates". While this article will focus on its use in 802.11 networks, mostly everything below is still applicable to wired networks.

PAC Files

EAP-FAST is very similar to EAP-TTLS and PEAP in that it first establishes a TLS tunnel from the client to the authentication server, then passes client credentials through it via a "less secure inner authentication protocol". The defining feature of EAP-FAST is a client-side credential file called a Protected Access Credential (PAC). The PAC aids the initial tunnel setup by acting like a mix between a client certificate and a session identifier. To understand it, you need some knowledge of RFC 4507, which outlines TLS session resumption without server-side state. Long story short: the client gets a session ticket, which allows it to re-establish a TLS tunnel without performing the full TLS handshake.

Phases

EAP-FAST has specific terminology for each of steps in a connection, named phases 0 - 2. Phase 1 is the TLS tunnel establishment, and Phase 2 corresponds to user authentication via the inner authentication protocol. Phase 0, however, is something new.

Phase 0: Provisioning

The EAP-FAST RFC doesn't specifically cover the provisioning of PAC files; instead there is another entire RFC dedicated to it (RFC 5422), probably because this is one of the most difficult issues to deal with. EAP-TTLS and PEAP support client certificates, however, since the user first has to make a wired connection to retrieve the certificate (or the certificate has to be loaded manually), they're hardly ever used. EAP-FAST's defining feature, the PAC, faces the same problem.

You have the traditional modes of installation (e.g. sneakernet), or you can choose "Automatic PAC Provisioning". This is the real downfall of most deployments. Automatic PAC Provisioning establishes a TLS tunnel using anonymous Diffie-Hellman between the client and the authentication server. Since it is anonymous, the client can't validate the identity of the authentication server, and, bam, AP impersonation attack: a rogue access point backed by its own authentication server can complete the provisioning exchange and collect the inner authentication credentials the client sends through the tunnel.

hostapd-wpe

A while ago Josh Wright and I teamed up on a patch for FreeRADIUS called FreeRADIUS-WPE (Wireless Pwnage Edition). The patch modifies FreeRADIUS to output additional debugging information, including the inner authentication credentials of the connecting client. Since FreeRADIUS doesn't support EAP-FAST, I followed JoMo-Kun's lead and modified hostapd.

With hostapd-wpe you can launch impersonation attacks against EAP-FAST Phase 0 and PEAP! Just compile and run :)

Tuesday, March 12, 2013

Sniffing Traffic on the Wire with a Hardware Tap

By JP Dunning.

Capturing network traffic is a great way to learn more about a target network, harvest credentials, and even monitor user habits. In the Wi-Fi world, it’s easy: simply specify a channel and set the wireless card to monitor mode (assuming driver support). However, capturing traffic on a wired network is a little trickier. In this article we’ll walk through setting up a LAN tap and capturing traffic with it.

Software Taps

There are a variety of options for sniffing traffic via software on a wired network - Wireshark is probably the most common choice for a free and powerful network sniffer. If you are logged onto the computer, install Wireshark and select a capture interface.

If the target has been exploited remotely with Metasploit, Meterpreter can capture local traffic with its sniffer extension. There is a chance, though, that it will be picked up by anti-virus, and it will most likely also capture Meterpreter's own traffic. In addition, sniffing network traffic on most operating systems requires administrative privileges. So, how else can the network traffic be captured?

Hardware Taps

How about tapping directly into the hardware instead of using the host computer's software? A network tap is hardware that taps into the physical connection between devices on a network. Taps are sometimes used by network engineers when debugging network issues. Professional port-mirroring taps can be fairly expensive.

Throwing Star LAN Tap

A cheaper alternative is to use a basic LAN tap, like the Throwing Star LAN Tap. When in place on the network, the LAN tap passively allows traffic to pass through unaltered. Think of it as a standard Ethernet coupler. What differentiates the LAN tap from a normal coupler are the two additional ports which tap the inbound and outbound traffic on the network cable.

NOTE: This hardware is designed for 10BASE-T and 100BASE-T networks (which are still in use in the vast majority of networks). Gigabit Ethernet uses all four wire pairs and cannot be tapped this way; the link has to run at 10 or 100 Mb/s for the monitor ports to see anything.

Setting up Hardware

The setup requires the following:

  • 1 LAN tap
  • 1 computer to sniff the traffic
  • 4 network cables (including the one that is already connected to the target computer)
  • 2 network interfaces (for sniffing)

The LAN tap is not a complex machine; in fact it is essentially just a few wires and jacks. A computer needs to be in place to capture from the LAN tap (I recommend something small like a plug computer, UMPC, or ultrabook). Since most laptops do not come with more than one Ethernet interface, pick up a couple of USB Ethernet adapters to use for capturing.

There are four ports on the LAN tap. Two ports (J1 and J2) pass traffic unaltered between two devices on the network. The other two ports (J3 and J4) are the monitoring ports. These ports are physically connected to the inbound and outbound wire pairs of the network cable, but cannot transmit onto the network, because only a receive pair is wired to each of them. Tapping passively keeps a misconfigured interface on the sniffing computer from accidentally sending traffic onto the network.



Connecting Components

Setting up the LAN tap should only take a few minutes once all the equipment is on hand. If you move quickly, the target computer should only have a few seconds of interruption from the network. Most operating systems and services should handle a temporary network outage with little issue. (Though it may cause issues with some real time network services).

For a quick installation:
  1. Connect an Ethernet cable to each of the 2 monitoring ports (J3 and J4) and 1 LAN port (J1). This leaves one port (J2) open.
  2. Connect the network cables from J3 and J4 to Ethernet jacks on the sniffing computer. These will be the USB Ethernet adapters (or any spare Ethernet jacks) mentioned earlier.
  3. Disconnect the network cable from the target computer. (It does not really matter at which end of the network cable the tap is placed. If it is more convenient to place the tap closer to the router, then unplug the cable from the router instead.)
  4. Connect the cable plugged into J1 to the now open port on the target computer (or router). Then, connect the network cable (previously connected to the target computer) to J2.

Now all the hardware is in place to start capturing. The connection to the network should be restored. (If the connection is still down, make sure all the cables are plugged into the correct ports.) From this point on, the presence of the LAN tap will not be detectable by the target computer or network (other than a slight loss in signal strength).

Unlike monitoring traffic on a local network port, the LAN tap requires capturing inbound and outbound traffic on two separate ports. Sniffing this traffic will create two separate capture files, one per interface, each holding one direction of the conversation.

Capturing Traffic

After you are done sniffing, the two captures can be combined into one network flow. mergecap is a tool which can combine two captures according to the timestamp of each frame, so packets from both capture files will be placed in the order in which they appeared on the network. mergecap is part of Wireshark; on Debian-based distributions such as BackTrack it lives in the wireshark-common package, which may need to be installed:

 root@bt:~# apt-get install wireshark-common

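To make concrete what the two monitor-port captures contain and what merging them by timestamp does, here is an added example that is not part of the original post or of the lantapcap.sh script: a minimal classic-pcap reader and writer plus a timestamp-ordered merge, run against two constructed one-way captures standing in for the J3 and J4 files. The MAC addresses, timestamps and payloads are made up for the example; only the classic pcap format (not pcapng) and Ethernet link type are handled.

```python
"""Added example: what mergecap does with two one-way captures from a tap.
Each monitor port yields a pcap holding one direction only; merging by
timestamp interleaves them back into the conversation the wire carried.
Classic pcap only (not pcapng); link type 1 = Ethernet."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def write_pcap(records, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize [(ts_sec, ts_usec, frame), ...] as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic pcap; returns (linktype, [(ts_sec, ts_usec, frame), ...]).
    The magic number tells us which byte order the writer used."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append((sec, usec, frame))
    return linktype, records


def merge_captures(pcap_a, pcap_b):
    """Merge two pcaps into one ordered by timestamp (mergecap's default behaviour).
    sorted() is stable, so frames with identical timestamps keep pcap_a's first."""
    lt_a, recs_a = read_pcap(pcap_a)
    lt_b, recs_b = read_pcap(pcap_b)
    if lt_a != lt_b:
        raise ValueError("link types differ; the two files cannot be merged as-is")
    merged = sorted(recs_a + recs_b, key=lambda r: (r[0], r[1]))
    return write_pcap(merged, linktype=lt_a)


def frame_sources(pcap_bytes):
    """Source MAC of every frame, in file order (Ethernet II: dst is bytes 0-5, src 6-11)."""
    _, recs = read_pcap(pcap_bytes)
    return [frame[6:12].hex() for _, _, frame in recs]


CLIENT_MAC = bytes.fromhex("020000000001")  # constructed, locally administered addresses
SERVER_MAC = bytes.fromhex("020000000002")


def build_sample_captures():
    """Constructed stand-ins for the J3 and J4 capture files: each direction of a
    tiny TCP handshake, with timestamps interleaved the way real traffic is."""
    def frame(src, dst, payload):
        return dst + src + b"\x08\x00" + payload  # Ethernet II header, fake IP payload
    j3 = [(1, 0, frame(CLIENT_MAC, SERVER_MAC, b"SYN")),
          (1, 300, frame(CLIENT_MAC, SERVER_MAC, b"ACK"))]
    j4 = [(1, 150, frame(SERVER_MAC, CLIENT_MAC, b"SYN-ACK")),
          (1, 450, frame(SERVER_MAC, CLIENT_MAC, b"DATA"))]
    return write_pcap(j3), write_pcap(j4)


if __name__ == "__main__":
    j3_pcap, j4_pcap = build_sample_captures()
    for sec, usec, frame in read_pcap(merge_captures(j3_pcap, j4_pcap))[1]:
        print("%d.%06d  %s -> %s  %s" % (sec, usec, frame[6:12].hex(), frame[:6].hex(), frame[14:]))
```

Each one-way file contains frames from a single source MAC, and the merged file alternates client and server frames in timestamp order. Two practical consequences follow: the two sniffing interfaces must share a clock (they do, being on the same machine), and the ordering of frames that arrive within the same microsecond on both ports is arbitrary, which is the same limitation mergecap has.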


I put together the lantapcap.sh script to automate the capture and merging process. It configures two interfaces to capture traffic from the LAN tap's monitor ports, runs one tcpdump per interface, and then combines the two captures into a single network flow. Copy and paste the following into your favorite text editor and save it as lantapcap.sh.

I've also uploaded a copy here:


#!/bin/bash
#
# lantapcap.sh - capture both directions from a passive LAN tap on two
# interfaces, then merge the two captures into one time-ordered pcap.
#
# Must run as root: tcpdump and ifconfig need it.

if [ "$(id -u)" -ne 0 ]; then
    echo "lantapcap.sh must be run as root" >&2
    exit 1
fi

printf "\nUse LanTapCap for capturing network traffic with a LAN Tap\n"
printf "\nInterfaces:\n\n"
ls /sys/class/net

# Prompt for the two monitor-port interfaces and a capture name. An empty
# answer keeps the default shown in brackets.
printf "\nSpecify interfaces for sniffing."
printf "\nInterface 1 of 2 [eth0]: "
read -r NET0
NET0=${NET0:-eth0}

printf "Interface 2 of 2 [eth1]: "
read -r NET1
NET1=${NET1:-eth1}

printf "Packet capture name [Capture]: "
read -r CAPNAME
CAPNAME=${CAPNAME:-Capture}

# Cycle the interfaces to clear any stale state, then enable promiscuous
# mode: frames arriving from the tap's monitor ports are not addressed to
# our NICs, so the kernel would otherwise drop them.
printf "\nDisable interfaces ...\n\n"
ifconfig "$NET0" down
ifconfig "$NET1" down

printf "Enable interfaces ...\n\n"
ifconfig "$NET0" up
ifconfig "$NET1" up

printf "Set interfaces to promiscuous mode ...\n\n"
ifconfig "$NET0" promisc
ifconfig "$NET1" promisc

sleep 1

printf "Starting capturing ...\n\n"

# One xterm per direction so the packet counters stay visible. -s 0 captures
# full frames rather than the default snap length. Remember each xterm's PID
# so that only our two captures are stopped later, not every tcpdump on the box.
xterm -bg blue -fg white -geometry 90x10-0+0 -T "Capturing on $NET0" \
    -e tcpdump -i "$NET0" -s 0 -w "$CAPNAME-$NET0.pcap" -v &
XTERM0=$!

sleep 2

xterm -bg blue -fg white -geometry 90x10-0+120 -T "Capturing on $NET1" \
    -e tcpdump -i "$NET1" -s 0 -w "$CAPNAME-$NET1.pcap" -v &
XTERM1=$!

sleep 2

printf "\n\nPress ANY KEY to end capturing.\n\n"
read -r -n 1 -s CONTINUE

printf "\nHalting captures ...\n\n"
# Closing the xterm sends its tcpdump a SIGHUP, which tcpdump handles by
# flushing and closing the capture file.
kill "$XTERM0" "$XTERM1" 2>/dev/null
wait "$XTERM0" "$XTERM1" 2>/dev/null

# mergecap orders frames from both files by timestamp, so the result reads
# like a capture taken from a single interface in the middle of the link.
printf "Merging captures ...\n\n"
mergecap "$CAPNAME-$NET0.pcap" "$CAPNAME-$NET1.pcap" -w "$CAPNAME-Full.pcap"

printf "Disable interfaces ...\n\n"
ifconfig "$NET0" -promisc
ifconfig "$NET0" down
ifconfig "$NET1" -promisc
ifconfig "$NET1" down

printf "Produced capture file $CAPNAME-$NET0.pcap from $NET0\n\n"
printf "Produced capture file $CAPNAME-$NET1.pcap from $NET1\n\n"
printf "Produced capture file $CAPNAME-Full.pcap from merging captures\n\n"
printf "... done\n"


Run the script with root privileges. Provide the two sniffing Ethernet interfaces when prompted.
 root@bt:~# ./lantapcap.sh





Click back into the main terminal.



When you are done capturing traffic, hit any key in the original terminal. This will stop the capturing and merge the capture files.



Unplug cables from the LAN tap and plug the original network cable back into the target computer. Again, this will cause a momentary drop in network connectivity.

Now, feel free to examine the traffic any way you like. All three capture files can be parsed by network analysis tools like Wireshark.

References



Tuesday, March 5, 2013

Unreal Tournament 99 Server On Ubuntu 12.04 (AWS)

By Brad Antoniewicz.

We do a lot of "team building" at Foundstone - it comes in all varieties. This week's activity was an Unreal Tournament LAN Party, and I figured I'd share the setup in case anyone else wanted to do the same - not particularly security related but still fun :)

Initially I created a dedicated Ubuntu VM, however it didn't scale well over our internal VPN with various users, so instead I opted for an Amazon Web Services based system.

Keep in mind this configuration is intended to use on a temporary, as needed, basis. Also this is a non-critical server on an open network. If your situation is different or you intend to host a game for not so trusted people, you might want to check out some UT99 Admin forums for additional anti-cheating and general security protections for dedicated UT servers.

Creating the Instance

The EC2 instance configuration is pretty straightforward. Use the Classic Wizard:



Select "Ubuntu Server 12.04.1 (LTS)", and be sure to select 32-bit (the UT99 Linux binaries are 32-bit) or you'll run into some problems later on.



I selected "No preference" for the geographic region in which the instance resides since we'll be having users join globally.



Also set any advanced preferences, which I left default.



The storage configuration doesn't really matter since it's just a temporary use server.



Set tags if you wish. Since I don't have many AWS instances, I don't have much use for them, so I left them blank:



Create your SSH keys so you can remotely connect or use existing ones. I created a special key pair for this server:



Firewall Rules

The next thing you'll need to do is set up firewall rules. The default requirement is UDP 7777, which may work for you. In the end, I used a different port to help us get around any outbound filtering that might be in place on the various networks our players would be originating from. You'll also need to allow TCP 22 for management; restrict that rule to the address(es) you will be administering from rather than opening it to 0.0.0.0/0.



Elastic IP

Finally, reserve and associate an Elastic IP to the instance so that your users don't have to use a long hostname when defining your server (within "Open Location" in the game).



Ubuntu Configuration

For the most part we will be following the configuration detailed on the Ubuntu help pages. With the instance created, you'll need to SSH into it to perform additional configuration. Using your SSH key (I named mine ut99.pem), connect to the hostname provided in the details of your newly created instance:

 user@somehost:~$ mv ut99.pem ~/.ssh/
 user@somehost:~$ chmod 400 ~/.ssh/ut99.pem
 user@somehost:~$ ssh -i ~/.ssh/ut99.pem ubuntu@your.amazon.instance.host.com



Once connected, you'll need to install some packages so that everything runs smoothly:

 ubuntu@aws:~$ sudo apt-get update
 ubuntu@aws:~$ sudo apt-get install unrar-free libsm-dev libxi6



Also the installation requires libgtk-1.2 which is long outdated. You can use older binary packages to get things working:

 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/glib1.2/1.2.10-19build1/+build/462715/+files/libglib1.2ldbl_1.2.10-19build1_i386.deb
 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/gtk+1.2/1.2.10-18.1build2/+build/484191/+files/libgtk1.2_1.2.10-18.1build2_i386.deb
 ubuntu@aws:~$ wget https://launchpad.net/ubuntu/+source/gtk+1.2/1.2.10-18.1build2/+build/484191/+files/libgtk1.2-common_1.2.10-18.1build2_all.deb
 ubuntu@aws:~$ sudo dpkg -i libglib1.2ldbl_1.2.10-19build1_i386.deb
 ubuntu@aws:~$ sudo dpkg -i libgtk1.2-common_1.2.10-18.1build2_all.deb
 ubuntu@aws:~$ sudo dpkg -i libgtk1.2_1.2.10-18.1build2_i386.deb
 ubuntu@aws:~$ sudo ldconfig



Installation CDs

If you don't have your original installation ISOs, life will be painful until you find them. However once you do, mount them both at the same time (the installation will automatically detect them or prompt you to mount):

 ubuntu@aws:~$ mkdir m1 m2
 ubuntu@aws:~$ sudo mount -o loop UT-GOTY-CD1.iso m1
 ubuntu@aws:~$ sudo mount -o loop UT-GOTY-CD2.iso m2



The Linux Installers for Linux Gamers project offers tons of ways to play older OpenGL based games on Linux. They have a specific page dedicated to UT99. Go there and download the multilanguage installer and the bonus pack. Even if you're using the GOTY (Game of the Year) edition, don't use the GOTY specific installer because it doesn't ever seem to work. Download the following:


With your ISOs mounted and the installers downloaded, start the installation. You can take all of the default options and be fine:

 ubuntu@aws:~$ chmod +x unreal.tournament_436-multilanguage.run
 ubuntu@aws:~$ sudo ./unreal.tournament_436-multilanguage.run


Also install the bonus pack and use its default options:

 ubuntu@aws:~$ chmod +x unreal.tournament.official.bonus.pack.collection.run
 ubuntu@aws:~$ sudo ./unreal.tournament.official.bonus.pack.collection.run



For whatever reason the maps are all compressed and won't work until you decompress them. To do so just:
 ubuntu@aws:~$ cd /usr/local/games/ut/System
 ubuntu@aws:/usr/local/games/ut/System$ for i in ../Maps/*.uz ; do sudo ./ucc-bin decompress $i -nohomedir ; done
 ubuntu@aws:/usr/local/games/ut/System$ sudo mv *.unr ../Maps



You're Done! Now you can start the game:

 ubuntu@aws:~$ cd /usr/local/games/ut/System
 ubuntu@aws:/usr/local/games/ut/System$ ./ucc-bin server DM-Turbine



Alternatively, you can use the ucc binary that gets installed as part of the Loki installer.

 ubuntu@aws:~/$ ucc server



UnrealTournament.ini

The /usr/local/games/ut/System/UnrealTournament.ini file contains all of the server configuration. When you run it as a non-root user (preferred) it'll use the one within ~/.loki/ut/System/UnrealTournament.ini. The easy items you'll want to set are:

 [Engine.GameReplicationInfo]
ServerName=Foundstone Server
ShortName=URMOM
AdminName=Brad
MOTDLine1=Your Mom is So Hawt!



I've also set the following to hopefully speed up connections:

 [IpDrv.TcpNetDriver]
MaxClientRate=5000



And finally, I set up some initial bots to keep the game interesting, plus some frag/time limits:

 [Botpack.DeathMatchPlus]
MinPlayers=6
FragLimit=15
TimeLimit=10
InitialBots=1



Enjoy!

What settings do you like to use in your UnrealTournament.ini? Let us know in the comments below!