Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Pen-testing remote VPN services over IP
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 6 Nov 2003 19:20:38 -0500

This is a good point; there are many kinds of VPNs.  Not all use IPSEC
either, and a big new trend is the "SSL VPN" where SSL support is integral
to a product, and TCP connections are tunneled inside SSL.  Kind of like
Stunnel, only native in the app.  Is there a particular VPN you're looking
at, or are you asking in general?

-----Original Message-----
From: Pete Herzog [mailto:pete () isecom org] 
Sent: Thursday, November 06, 2003 5:41 PM
To: pen-test () securityfocus com
Subject: RE: Pen-testing remote VPN services over IP


Chris,

In the OSSTMM 2.5 we have included the following as well:

      -Enumerate the VPN servers using TCP/UDP scans.
      -Use scans searching for response to different IP Types Packets.
      -Use ike scans to fingerprint the VPN server 
implementation and version.

-Protocol Responses
      PPTP :  IP Type: 47 (GRE)       TCP: 1723
      IPSec:1.        UDP: 500 (IKE)
      IP Type: 50 (ESP)
      IP Type: 51 (AH)
      L2TP:1. UDP : 1701
      L2F:1.  UDP: 1701

      -Outline the VPN security policy using different 
authentication / encryption algorithms.
      -Verify the existence of mechanism to control the 
client machine misconfiguration and unfiltered ports
      -Check the ability of the client software to allow 
split tunneling (default route to internet and static routes 
to the corporate network)

Sincerely,
-pete

Pete Herzog, Managing Director
Institute for Security and Open Methodologies 
__________________________________________
ISECOM is the accreditation authority for the
OPST - OSSTMM Professional Security Tester and
OPSA - OSSTMM Professional Security Analyst


-----Original Message-----
From: Chris McNab [mailto:chris.mcnab () trustmatta com]
Sent: Thursday, November 06, 2003 20:22 PM
To: pen-test () securityfocus com
Subject: Pen-testing remote VPN services over IP


Hi,

As part of some research I am undertaking recently, I'd 
like to know 
if any of you have any decent information relating to the following 
areas of _remote_ assessment of VPN services over IP.

The topics I have covered and documented fully so far include:

- IPsec enumeration, scanning for UDP/500 and using Roy Hills' tools
(ike-scan) to identify the gateway
- Various overflows relating to ISAKMP / IKE packets being sent to 
UDP/500, as in MITRE CVE
- Offline aggressive mode IKE pre-shared key cracking, by 
sniffing VPN
traffic and using IKECrack
- Check Point aggressive mode IKE username enumeration 
(using Roy Hills'
fw1-ike-userguess over UDP/500)
- Check Point Telnet authentication service (TCP/259) user 
enumeration
- Check Point information leak attacks that reveal network interface
addresses, over both TCP/256 and TCP/264
- Check Point RDP encapsulation filter bypass techniques, 
using UDP/259
- Offline Microsoft PPTP (TCP/1723) MS-CHAP 
challenge-response cracking

Two areas in which I've identified a need for tools are:

- Check Point brute force password grinding tool for FWZ or IKE, to 
compromise SecuRemote username/password combinations
- PPTP brute force tool, to compromise those user/password 
combinations also

Does anyone know of such offensive brute force tools, or 
techniques I 
have missed (against ISAKMP and Check Point)? if so, any 
input would 
be greatly appreciated.

Regards,

Chris


Chris McNab
Technical Director

Matta
18 Noel Street
London W1F 8GN

http://www.trustmatta.com


------------------------------------------------------------------
---------
Network with over 10,000 of the brightest minds in information 
security at the largest, most highly-anticipated industry 
event of the 
year. Don't miss RSA Conference 2004! Choose from over 200 class 
sessions and see demos from more than 250 industry vendors. If your 
job touches security, you need to be here. Learn more or 
register at 
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
------------------------------------------------------------------
----------





--------------------------------------------------------------
-------------
Network with over 10,000 of the brightest minds in 
information security at the largest, most highly-anticipated 
industry event of the year. Don't miss RSA Conference 2004! 
Choose from over 200 class sessions and see demos from more 
than 250 industry vendors. If your job touches security, you 
need to be here. Learn more or register at 
http://www.securityfocus.com/sponsor/RSA_pen-> test_031023
and 
use priority code SF4.

--------------------------------------------------------------
--------------





---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault