Penetration Testing mailing list archives
VPN Server
From: kapil assudani <kapil.assudani () yahoo com>
Date: Wed, 24 Jan 2007 22:34:53 -0800 (PST)
Hi,

I was pentesting a VPN server and could make an aggressive mode connection. The vulnerability associated with VPN servers is a group enumeration vulnerability, referred to below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_notice09186a00804a7912.html

Now with the ike-scan tool, I get the following response from the VPN server using random ID= values for the group. However, even though the results say it's a VPN concentrator, it's actually a Cisco PIX firewall implementing a VPN server, which is fine, just a fingerprinting flaw. On further digging it was found that the VPN server is at proper patch levels and does not have any groups configured. However, according to the vulnerability description, the following handshake to the aggressive mode should not be returned, and as one can see the returned handshake is successful.

So I was wondering: is having aggressive mode configured a problem here? Do we recommend disabling aggressive mode, and if yes, what could be the problem? Since no groups are configured, does it boil down to being a problem of fingerprinting the product used for the VPN server? As it seems, it responds to the below message for everything used.

thanks!

my-powerbook-g4-15:~/tools/ike-scan-1.8 $ sudo ./ike-scan -A --idtype=11 -M --auth=65001 --id=tom x.x.x.70
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
x.x.x.70    Aggressive Mode Handshake returned
        HDR=(CKY-R=34b668433f0520cf)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=x.x.x.70)
        Hash(16 bytes)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=09002689dfd6b712 (XAUTH)
        VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
        VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.8: 1 hosts scanned in 0.786 seconds (1.27 hosts/sec).
1 returned handshake; 0 returned notify
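The question in the post hinges on one observation: does the responder answer an aggressive-mode probe differently for a valid group name than for a made-up one (an enumeration oracle), or does it answer every ID the same way (just a fingerprint)? The following added example, written for this archive page and not part of the original post or of ike-scan, builds the same IKEv1 aggressive-mode message 1 that `ike-scan -A --idtype=11 --auth=65001 --id=<group>` sends (RFC 2408/2409 wire format: HDR, SA, KE, Nonce, ID with ID_KEY_ID), parses ISAKMP replies into their payload chain, and classifies a set of replies to several group names as "uniform", "enumerable" or "silent". Nothing is sent on the wire; `constructed_reply` fabricates a reply shaped like the poster's ike-scan output (same payload order and vendor IDs) purely as test data, and the key-exchange and nonce bytes are random filler, not real Diffie-Hellman values.

```python
"""IKEv1 aggressive-mode probe builder and reply classifier (added example,
hypothetical helper code; not ike-scan's source and not from the original post)."""
import secrets
import struct

# ISAKMP header (RFC 2408 s3.1): I-cookie, R-cookie, next payload, version,
# exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
GENERIC = struct.Struct("!BBH")          # generic payload header: next, reserved, length

PL_NONE, PL_SA, PL_KE, PL_ID, PL_HASH, PL_NONCE, PL_VID = 0, 1, 4, 5, 8, 10, 13
EXCH_AGGRESSIVE = 4
ID_KEY_ID = 11                           # --idtype=11: opaque key id carrying the group name
ID_IPV4_ADDR = 1
AUTH_XAUTH_INIT_PSK = 65001              # --auth=65001 (XAUTHInitPreShared)


def _payload(next_pl, body):
    return GENERIC.pack(next_pl, 0, GENERIC.size + len(body)) + body


def sa_payload(next_pl, auth=AUTH_XAUTH_INIT_PSK):
    """SA payload with one proposal/transform: 3DES, MD5, group 2, 28800 s (TV attributes)."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in (
        (1, 5), (2, 1), (3, auth), (4, 2), (11, 1), (12, 28800)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    return _payload(next_pl, struct.pack("!II", 1, 1) + proposal)  # DOI=IPsec, SIT_IDENTITY_ONLY


def id_payload(next_pl, id_type, data):
    return _payload(next_pl, struct.pack("!BBH", id_type, 17, 500) + data)  # UDP/500


def build_aggressive_probe(group, icookie=None):
    """Aggressive-mode message 1 as ike-scan -A sends it: HDR, SA, KE, Nonce, ID(KEY_ID)."""
    icookie = icookie or secrets.token_bytes(8)
    ke = _payload(PL_NONCE, secrets.token_bytes(128))   # modp1024-sized filler, not a DH value
    nonce = _payload(PL_ID, secrets.token_bytes(20))
    body = sa_payload(PL_KE) + ke + nonce + id_payload(PL_NONE, ID_KEY_ID, group.encode())
    return HDR.pack(icookie, bytes(8), PL_SA, 0x10, EXCH_AGGRESSIVE, 0, 0, HDR.size + len(body)) + body


def parse_isakmp(data):
    """Header fields plus the ordered payload-type chain, or None if the datagram is malformed."""
    if len(data) < HDR.size:
        return None
    _, rcookie, nxt, ver, exch, _, _, length = HDR.unpack_from(data)
    if length != len(data) or ver >> 4 != 1:
        return None
    chain, off = [], HDR.size
    while nxt != PL_NONE:
        if off + GENERIC.size > len(data):
            return None
        nxt2, _, plen = GENERIC.unpack_from(data, off)
        if plen < GENERIC.size or off + plen > len(data):   # bounds check every payload length
            return None
        chain.append(nxt)
        nxt, off = nxt2, off + plen
    return {"rcookie": rcookie, "exchange": exch, "payloads": chain} if off == len(data) else None


def classify_group_probe(responses):
    """responses: {group_name: reply bytes or None}.
    'enumerable' when only some groups get an aggressive-mode handshake (oracle),
    'uniform' when every group gets the same payload chain (fingerprint only), 'silent' otherwise."""
    parsed = {g: (parse_isakmp(r) if r else None) for g, r in responses.items()}
    shook = {g: p for g, p in parsed.items() if p and p["exchange"] == EXCH_AGGRESSIVE}
    if not shook:
        return "silent", []
    if len(shook) < len(parsed):
        return "enumerable", sorted(shook)
    chains = {tuple(p["payloads"]) for p in shook.values()}
    return ("uniform" if len(chains) == 1 else "enumerable"), sorted(shook)


def constructed_reply(probe):
    """Constructed test data: a reply shaped like the post's ike-scan output (SA, KE, Nonce, ID, Hash, VIDs)."""
    vids = [bytes.fromhex(h) for h in (
        "12f5f28c457168a9702d9fe274cc0100", "09002689dfd6b712",
        "4048b7d56ebce88525e7de7f00d6c2d3c0000000", "1f07f70eaa6514d3b0fa96542a500100")]
    vid_chain = b"".join(_payload(PL_VID if i < len(vids) - 1 else PL_NONE, v) for i, v in enumerate(vids))
    body = (sa_payload(PL_KE) + _payload(PL_NONCE, secrets.token_bytes(128))
            + _payload(PL_ID, secrets.token_bytes(20))
            + id_payload(PL_HASH, ID_IPV4_ADDR, bytes([10, 0, 0, 70]))   # placeholder address
            + _payload(PL_VID, secrets.token_bytes(16)) + vid_chain)
    return HDR.pack(probe[:8], secrets.token_bytes(8), PL_SA, 0x10, EXCH_AGGRESSIVE, 0, 0,
                    HDR.size + len(body)) + body


if __name__ == "__main__":
    groups = ["tom", "qzvx", "nosuchgroup"]
    probes = {g: build_aggressive_probe(g) for g in groups}
    print(classify_group_probe({g: constructed_reply(p) for g, p in probes.items()}))  # uniform
    print(classify_group_probe({g: (constructed_reply(p) if g == "tom" else None) for g, p in probes.items()}))
```

In the scenario from the post, where every random ID gets the same handshake back, the classifier returns "uniform": the reply leaks the product (vendor IDs) but not group validity, so on its own it is a fingerprint rather than the enumeration condition the notice describes. To run a real probe, send `build_aggressive_probe()` over UDP/500 with several IDs (or use ike-scan's `--id` for each), and feed the raw replies, with `None` for timeouts, into `classify_group_probe`.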
Current thread:
- VPN Server kapil assudani (Jan 24)
- RE: VPN Server Dario Ciccarone (dciccaro) (Jan 26)
- <Possible follow-ups>
- VPN Server kapil assudani (Jan 26)