Hey VM, What's Your Hypervisor?
Querying a VM's MAC address can help you determine its host hypervisor.
I have often wondered if there is an easy way to tell what
hypervisor type a VM is running on when I remotely connect to a VM. Do
you have any suggestions on how to determine this information?
Good question, Andy. The easiest way that I have found to profile a VM
thus far is by querying its virtual MAC address. You can do this by running
ipconfig /all when connected to any Windows VM.
While it's true that anyone could assign an arbitrary MAC address to
any VM, most users and administrators create VMs using the default assigned
addresses. Assuming that a VM is using an assigned MAC address that was
set at the time the VM was created, the MAC address will be in the hypervisor
vendor's assigned organizationally unique identifier (OUI) range as set
by the IEEE. An OUI is a unique MAC address prefix that is assigned to
all NIC vendors and you can view each vendors OUI assignment at
Registration Authority -- IEEE OUI and Company_id Assignments site.
To save you the step of looking up the vendor OUI prefixes, here are
the OUIs of the most popular virtualization platforms:
- Microsoft: 00-03-FF
- SWsoft: 00-18-51
- Virtual Iron: 00-0F-4B
- VMware: 00-0C-29 and 00-50-56
- XenSource: 00-16-3E
So once you connect to a remote system, you just need to open the command
prompt and run ipconfig /all. You'll then see
the configuration information for each of the system's NICs, along with
their physical (MAC) address. For example, when I ran ipconfig
/all on a test VM, the command returned a physical address value
of 00-0C-29-86-F1-BC. The 00-0C-29 prefix tells me that the system is
a VMware VM. If the physical address started as 00-03-FF, I would know
that the system was either a Microsoft Virtual Server or Virtual PC VM.
Of course, the crafty administrator could use custom MAC addresses to
hide a VM's hypervisor identity. So using a MAC address to determine if
a system is a VM and the type of virtualization platform that hosts it
should not be considered 100 percent accurate. However, it's still the
most reliable method that I know of for profiling a system to determine
if it is virtual and also the type of VM that it is.
I hope that helps.