Externally Detecting VirtualBox

I use VirtualBox. While I know which systems on my LAN are virtual, for scripting I wanted to programmatically detect this information without logging into the system.

There are many online discussions and tutorials about detecting virtualization from inside a virtual machine (VM). There are few discussions about detecting it from outside the machine.

Digging around the web revealed that external detection is possible. Apparently virtual machine vendors use unique MAC address prefixes. In the case of VirtualBox, the default prefix is always 08:00:27, although it is easily changed. Vendor lookups on VirtualBox MAC addresses also report Cadmus Computer Systems.

Running an nmap -sP scan as root against the entire subnet or just a specific IP address will detect this information: nmap prints the MAC address and its vendor name for each host that responds.

I use Bridged networking for the specific VMs I am interested in querying on my LAN. That is, the VM is configured to be a member of the same subnet and is considered a trusted system. This nmap trick does not seem to succeed when using NAT networking. I have not tested with other VirtualBox networking modes.

While the nmap trick discovers Bridged VMs, the results do not reveal where the VM is running. The nmap scan discovers VMs running on other physical computers too.
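
The scripted check described above, as an added example that is not from the original post: it parses the normal text output of an nmap -sP scan and lists the hosts whose MAC address starts with the default VirtualBox prefix 08:00:27. The sample scan output, its addresses and host name, and the function names are constructed for illustration, and only IPv4 report lines are handled.

```python
import re

VBOX_OUI = "08:00:27"  # default VirtualBox prefix named in the post; it can be changed

# Constructed sample of `nmap -sP` normal output (all addresses are made up).
SAMPLE = """\
Starting Nmap ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00040s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for buildvm.lan (192.168.1.20)
Host is up (0.00021s latency).
MAC Address: 08:00:27:A1:B2:C3 (Cadmus Computer Systems)
Nmap scan report for 192.168.1.30
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9.]+)\)?$")
MAC = re.compile(r"^MAC Address: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")

def parse_hosts(text):
    """Return one {"ip", "name", "mac"} dict per host nmap reported.

    "mac" stays None when nmap printed no MAC line: the scanning machine
    itself, a host beyond the local segment, or a scan run without root.
    """
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        m = REPORT.match(line)
        if m:
            hosts.append({"ip": m.group(2), "name": m.group(1), "mac": None})
            continue
        m = MAC.match(line)
        if m and hosts:  # a MAC line belongs to the most recent report line
            hosts[-1]["mac"] = m.group(1).upper()
    return hosts

def virtualbox_hosts(text):
    """Hosts whose MAC carries the default VirtualBox prefix."""
    return [h for h in parse_hosts(text)
            if h["mac"] and h["mac"].startswith(VBOX_OUI)]

if __name__ == "__main__":
    for h in virtualbox_hosts(SAMPLE):
        print(h["ip"], h["mac"], h["name"] or "-")
```

A host that is missing from the result is not proven to be physical: the prefix can be changed, and hosts without a MAC line are skipped rather than classified.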
