PaulDotCom mailing list archives

Re: IPSec MitM


From: Matt Summers <matt () fireantsecurity co uk>
Date: Wed, 20 Jun 2012 18:48:06 +0100

 Howdy,

 I can't comment too much about IPSEC/IKE, but I know my PKI, and here is my
2c....

 So the SubjectAltName attribute can be set to any name, e.g.
server1.domain.com or server1. The trick is whether the client supports it,
or whether the x509 component used by the client supports it. If it did, it would
more than likely work how SubjectAltName works in an SSL environment, in
that the CN is checked first and, if that doesn't match, only then will it
check the SubjectAltName. You might be better off attacking the
certificate chain validation, such as: using a self-signed cert, does the
client complain? Maybe also attacking the CRL or OCSP checking with a MITM
fake cert.

 Matt

 On Wed 20/06/12 15:27 , toomanysecrets toomsec () gmail com sent:

 Hi,
 I'm currently looking into IPSec/IKE security assessments. The
environment I'm testing on is using certificate based authentication.
 I wonder if there are tools available to handle MitM attacks, e.g. to test
if an IPSec client would accept a certificate with a "subjectAltName"
different to the operator FQDN, or what happens if the EKU check on the
client is being disabled, etc.

 The only MitM attack tools I came across so far when it comes to IKE are
FakeIKEd (http://www.roe.ch/FakeIKEd [1]), for handling VPN PSK+XAUTH based
authentication, the ike-scan suite, ikeprober, etc., but no tools to
support certificate based attacks. The traffic redirection itself is not
the issue (DNS spoofing / ARP poisoning...).

 Any ideas or experiences?

 Thanks!

 toomanysecrets

 _______________________________________________
 Pauldotcom mailing list
 Pauldotcom () mail pauldotcom com [2]
 http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom [3]
 Main Web Site: http://pauldotcom.com [4]

 

Links:
------
[1] http://www.roe.ch/FakeIKEd
[2] mailto:Pauldotcom () mail pauldotcom com
[3] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
[4] http://pauldotcom.com
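The two checks the thread is circling, whether the client matches the expected FQDN against the CN or the SubjectAltName and whether it enforces EKU, can be modelled concretely. The block below is an added example, not code from the thread, from any of the posters or from the tools they mention. It implements name matching under two policies: the "CN first, then SubjectAltName" order described in the reply, and the RFC 6125 order used by most TLS stacks (dNSName SAN entries are authoritative and the CN is consulted only when the certificate carries no dNSName SAN). It then runs three constructed certificates through both policies with the EKU check on and off, which is exactly the matrix a tester would want to fill in against a real client. The Cert class, the policy names, the host names and the certificates are assumptions for illustration; the OIDs are serverAuth (RFC 5280) and id-kp-ipsecIKE (RFC 4945). Chain building, signature verification and CRL/OCSP checking are deliberately out of scope here.

```python
# Added example (not from the thread): how a client's name-matching policy and
# EKU enforcement decide whether a MitM certificate is accepted.  The Cert class,
# the policy names and the certificates below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Extended key usage OIDs: serverAuth (RFC 5280) and id-kp-ipsecIKE (RFC 4945).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"
ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # used below as a "wrong purpose" EKU

IKE_ACCEPTABLE_EKUS: FrozenSet[str] = frozenset({ID_KP_SERVER_AUTH, ID_KP_IPSEC_IKE})


@dataclass(frozen=True)
class Cert:
    """Identity fields of an X.509 certificate relevant to peer validation."""
    cn: str                               # subject commonName
    san_dns: Sequence[str] = ()           # subjectAltName dNSName entries
    eku: Optional[FrozenSet[str]] = None  # None = extension absent (any purpose)


def dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison; a single '*' may replace only the
    leftmost label and is refused when it would cover a whole registered name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: Cert, expected_fqdn: str, policy: str = "rfc6125") -> bool:
    """Decide whether the certificate is issued to expected_fqdn.

    'rfc6125'  : dNSName SAN entries are authoritative; the CN is consulted only
                 when the certificate carries no dNSName SAN at all.
    'cn_first' : the CN is checked first and the SAN list only if the CN fails
                 (the order described in the reply above).
    """
    san_hit = any(dns_match(n, expected_fqdn) for n in cert.san_dns)
    cn_hit = dns_match(cert.cn, expected_fqdn)
    if policy == "rfc6125":
        return san_hit if cert.san_dns else cn_hit
    if policy == "cn_first":
        return cn_hit or san_hit
    raise ValueError(f"unknown policy {policy!r}")


def eku_allows_ike(cert: Cert, enforce_eku: bool = True) -> bool:
    """An absent EKU extension permits any purpose (RFC 5280 4.2.1.12); a present
    one must list an acceptable purpose unless the check has been disabled."""
    if not enforce_eku or cert.eku is None:
        return True
    return bool(cert.eku & IKE_ACCEPTABLE_EKUS)


def accept_peer(cert: Cert, expected_fqdn: str, policy: str = "rfc6125",
                enforce_eku: bool = True) -> bool:
    """Identity and EKU gate only; chain, CRL/OCSP and signature checks are out
    of scope for this example."""
    return eku_allows_ike(cert, enforce_eku) and identity_matches(cert, expected_fqdn, policy)


# Constructed test certificates (no real hosts).
GATEWAY_FQDN = "vpn.example.com"
LEGIT = Cert("vpn.example.com", ("vpn.example.com",), frozenset({ID_KP_IPSEC_IKE}))
# MitM cert: CN copied from the gateway, SAN pointing somewhere else.
SAN_MISMATCH = Cert("vpn.example.com", ("attacker.example.net",), frozenset({ID_KP_IPSEC_IKE}))
# MitM cert: names match, but issued for a purpose that is not IKE/serverAuth.
WRONG_EKU = Cert("vpn.example.com", ("vpn.example.com",), frozenset({ID_KP_CODE_SIGNING}))


if __name__ == "__main__":
    for name, cert in (("legit", LEGIT), ("san_mismatch", SAN_MISMATCH), ("wrong_eku", WRONG_EKU)):
        for policy in ("rfc6125", "cn_first"):
            for enforce in (True, False):
                print(f"{name:13s} policy={policy:8s} eku_check={enforce!s:5s} -> "
                      f"{accept_peer(cert, GATEWAY_FQDN, policy, enforce)}")
```

The interesting rows are the SAN-mismatch certificate, which a CN-first client accepts and an RFC 6125 client rejects, and the wrong-EKU certificate, which is only accepted once EKU enforcement is switched off. To use this against a real client, generate test certificates with those exact properties (CN equal to the gateway FQDN but a foreign dNSName SAN; correct names but an unrelated EKU), present them from the MitM position, and record which rows the client actually matches.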