Pentesting with Linked Clones

If working with several customers at once, or in succession, it would be easy to lose track of whose data you’re looking at, or to include one customer’s information in another’s report. That would be bad. Using a separate virtual machine for each customer can help you avoid those mistakes, but virtual machines can get pretty big, and can take a long time to create. Having one per client wastes a lot of time and space. That’s not as bad as the other thing, but it’s not good, either.

Enter Linked Clones.

With Linked Clones, you can create a new VM very quickly, and they use much less disk space. You don’t have do anything unusual before you set up a linked clone, so if you’ve got a VM you like, you can start with that. If you want to be extra cautious, you might want to start with a clean one that has no customer data on it at all, since that’s what we’re trying to isolate, here.

I use a separate VM exclusively for writing reports, so I also create a temporary folder on my host for each test. I map that folder as a shared drive in my testing VM and in my reporting VM. I use that folder to store my screenshots, notes, and other artifacts as I test. This way I still have quick access to all of that when I’m writing the report, but I minimize the risk of keeping sensitive information around.

Once I’m done with the test, I can securely archive anything I may need to keep, then destroy the clone and the temporary shared folder. When I start the next test, I can create a fresh clone and know that no customer information will accidentally carry over.

In this article, I’m walking through the steps for VirtualBox, but the concept also works with VMWare products and others, so check the manual for whatever you’re using.

Create the Base.

First, create a VM with your base operating system and all the tools you need. Install all of the updates and patches available because your clone will inherit them.

Create the Clone.

First, right-click on the VM in VirtualBox Manager, and choose Clone… (or hit CMD-O).

 Make a new clone.

Give the new clone a useful name. If you’re doing an in-depth test where you’ll have a lot of data stored, you might want to name it after the specific customer and use it only for that. If you’re doing less intrusive work, maybe you’ll be comfortable naming it after the current month and using it for more than one customer. Remember what your goals are, and work towards those.

Check “Reinitialize the MAC address of all network cards” to avoid trouble if you ever end up running more than one of these at a time.

In the next step, choose “Linked clone” as the “Clone type”, click “Clone”, and in a few seconds your linked clone will be ready.

Benefits

  • Time: On my average-powered system, it takes just a few seconds to create a Linked Clone, and a few minutes to create a Full Clone. Creating a new VM from scratch can eat up the better part of a day once you account for installing OS updates and tools.

  • Space: The Linked Clones share resources with the Base, so each one is significantly smaller than it would otherwise be.

  • Isolation: Linked Clones allow you to have an isolated test environment for each customer or time period, which minimizes the risk of accidental information disclosure.

Notes and Tips:

  • Use a different desktop wallpaper or general windowing system appearance, so you can quickly tell which VM you’re in.

  • Updates to the Linked Base do not propagate to the Linked Clones after they’ve been created. Get your Linked Base up to date before creating a new clone.

  • Any time you find a new or updated tool, set it up on the Linked Base, so that future clones will inherit it.



We think BB is pretty cool …but we might be biased.

Why not find out for yourself and take a class with him?

Modern WebApp Pentesting

Available live/virtual and on-demand