Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?

[aditya mukadam <aditya.mukadam () gmail com>]

Richard,

Based on my personal experience with Cisco Concentrator, the result
you received is pretty much expected.

Quick Question: What are you exactly trying to achieve ? Brute force
to get what/which info ?

As you would know, Security Associations(SA) are created by the VPN
Gateway during  IPSec negotiation/connection. The Phase 1 SA is ISAKMP
while the Phase 2 SAs are IPSEC (bi-directional). The actual traffic
is encrypted with protocol ESP or encapsulated with AH ( not used
nowadays). Packet is encapsulated in TCP 10000 after the IPSec
connection successfully establishes.

Insight to Cisco Concentrator. Its capable of:
1) Site to site IPSec VPN
2) Remote Access IPSec VPN Gateway
3) WebVPN (SSL VPN)
Lemme know if you need more info.

Hope this helps.

Thanks,
Aditya Govind Mukadam



On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles
<richard.k.miles () googlemail com> wrote:
> Hello
>
> I'm doing a pen-test in a Cisco 3015 concentrator - ipsec connections
> tunneled over TCP port 10000.
>
> By the way, ike-scan do not work with this vpn. Also the common tools
> to brute force like THC-pptp, THC-Hydra and Medusa do not work also.
>
> Nmap neither regoganize the port as opened (but it doesn't matter), it
> say filtered, but I can telnet and estabilish a connection to it.
>
> Do you have some experience with this device? Can you give me some
> hints? And point me to some tools for identify, enumerate and
> brute-force this Cisco implementation?
>
> A bit off-topic: Does anyone know a easy to install and configure web
> proxy for windows which enable headers rewrite? I need to setup a fast
> web proxy at my windows box to replace all headers (before they are
> sent to the webserver) of the "Cookie" field and a proprietary header.
>
> Thanks folks.