Penetration Testing mailing list archives
Re: Cisco VPN Concentrator GUI
From: Stephen Hassard <steve () hassard net>
Date: Mon, 16 May 2005 07:32:15 -0700
Hi,Are you talking about the Cisco's administrative interface, or the WebVPN interface? WebVPN allows users to access network resources through a web client. While this is obviously a point of concern, ACLs can be configured to limit access to resources for users.
I don't believe that the Cisco VPN Concentrator will lockout admin accounts after invalid login attempts, so exposing the admin interface would be of great concern.
later, Steve kaps lock wrote:
hi all, i am pen-testing one of our clients and am seeing their web interface to the vpn concentrator (cisco) available publicly on the internet with the username /password page. How could i explain somebody tht it can be exploited...am sure this is not a good idea to hav ur vpn concnetrator interface on the public internet..but i cant find any vulenrabilites on the net ....to explain to the person....only thing i can think of is brute forcing the username pasword field...which is again a challenge for web vpn..any ideas?? thanks __________________________________________________ Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- Cisco VPN Concentrator GUI kaps lock (May 16)
- Re: Cisco VPN Concentrator GUI Stephen Hassard (May 16)
- Re: Cisco VPN Concentrator GUI Atte Peltomaki (May 17)
- Re: Cisco VPN Concentrator GUI Erik Kamerling (May 17)
- <Possible follow-ups>
- RE: Cisco VPN Concentrator GUI Todd Towles (May 16)
- RE: Cisco VPN Concentrator GUI James Williams (May 16)
- RE: Cisco VPN Concentrator GUI Johnson, Joey (May 17)
- RE: Cisco VPN Concentrator GUI kaps lock (May 18)
- Exchange mail server settings - easy dump possible? Petr . Kazil (May 23)
- RE: Exchange mail server settings - easy dump possible? Robert Strom (May 24)
- Exchange mail server settings - easy dump possible? Petr . Kazil (May 23)