Security Basics mailing list archives

RE: IPsec VPN question


From: "Lall, Navneet Singh" <nlall () ipolicynetworks com>
Date: Fri, 15 Dec 2006 09:40:36 +0530



There are many possibilities; it depends upon the attacker's creativity, the role the compromised machine is playing in the 
network and the trust relationship it has with other machines.

The attacker can intercept VPN traffic; he can do this in two ways. Firstly, by MITM. But this will introduce a lot of 
delay if he is geographically far from the targets. This can work very well for internal attacks (ARP poisoning). 
Secondly, as I said previously, he can install a root kit and get copies of all the data exchanged, unencrypted. This 
can be achieved in many ways, from simple to very complicated to detect. My personal favorite is to send out data in TCP 
ACKs, using the unused places in the header. This can take long and may become useless for large amounts of data. But it 
is extremely difficult to detect, and even if you do, it will be too late.

Other attacks could exploit the trust relationship which the compromised machine enjoys. We have to keep in mind that 
this compromised machine is a server, and workstations almost never have any reason to look at a server suspiciously. 
Databases, product vobs etc. could be stolen. The attacker can exploit the company's mail server too (and you can wonder 
what this can do!!).

And finally, if it doesn't have a trust relationship with some other machines, then what? Let others suffer too: DoS. But 
this is not what an intelligent attacker will do. 

All in all, attackers can bring a company to its knees.

Although I have yet to see these attacks in action, I don't have any reason to believe that no one is already 
trying to do this or may have done it.

One last comment I would like to make is that internal attacks could prove more dangerous than external ones, because when we 
think about an attack we look outwards without giving it a thought.

Navneet Singh
 
Time is what keeps everything from happening at once
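The message above names the "unused places" in the TCP header as a channel for leaking data. As an added example (not from this thread or its authors), here is a small check a defender could run over captured segments to flag header fields that normal stacks leave at zero; the field layout follows RFC 793 and the two sample segments are constructed here, not captured traffic.

```python
import struct

TCP_MIN_HEADER = 20
FLAG_ACK, FLAG_URG = 0x10, 0x20


def tcp_header_anomalies(segment: bytes) -> list[str]:
    """Describe fields in one TCP segment (header + payload) that a normal
    stack leaves at zero but a covert channel might carry data in:
    the RFC 793 reserved bits, an urgent pointer with URG clear, and an
    acknowledgment number with ACK clear. Also flags a malformed data offset."""
    findings = []
    if len(segment) < TCP_MIN_HEADER:
        return ["truncated: segment shorter than 20-byte TCP header"]
    (_sport, _dport, _seq, ack, off_res, flags,
     _window, _checksum, urgptr) = struct.unpack("!HHIIBBHHH", segment[:TCP_MIN_HEADER])
    data_offset = off_res >> 4      # header length in 32-bit words, normally 5..15
    reserved = off_res & 0x0F       # RFC 793 reserved bits in the low nibble of byte 12
    if data_offset < 5:
        findings.append(f"data offset {data_offset} < 5 (malformed header)")
    if reserved:
        findings.append(f"reserved bits set: 0x{reserved:x}")
    if urgptr and not flags & FLAG_URG:
        findings.append(f"urgent pointer {urgptr} with URG flag clear")
    if ack and not flags & FLAG_ACK:
        findings.append(f"ack number {ack} with ACK flag clear")
    return findings


def make_segment(off_res=0x50, flags=FLAG_ACK, ack=1000, urgptr=0, payload=b"") -> bytes:
    """Build a constructed TCP segment (checksum left at zero) for testing."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, ack, off_res, flags, 65535, 0, urgptr) + payload


# Constructed samples: a clean pure ACK, and an ACK smuggling bytes in the
# reserved bits and the urgent pointer while URG is not set.
CLEAN_ACK = make_segment()
SUSPECT_ACK = make_segment(off_res=0x5A, urgptr=0x4142)

if __name__ == "__main__":
    for name, seg in (("clean", CLEAN_ACK), ("suspect", SUSPECT_ACK)):
        print(name, tcp_header_anomalies(seg) or "no anomalies")
```

The checks are heuristics: a stack that sets the low-nibble bits for ECN or other extensions will also trip the reserved-bit test, so treat hits as something to inspect, not as proof of a rootkit.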


________________________________________
From: Ankur Jindal [mailto:divinepresence () gmail com] 
Sent: Wednesday, December 13, 2006 3:35 PM
To: Lall, Navneet Singh
Cc: security-basics () securityfocus com
Subject: Re: IPsec VPN question

Thanks for your insights.
Are there any other sorts of attacks that you can think of, since the attacker would have complete access via split 
tunneling? This would ensure that data from other applications would also use the VPN and may hit other devices in the 
network architecture, thereby attacking them. 

-Ankur
On 12/12/06, Lall, Navneet Singh <nlall () ipolicynetworks com> wrote:
Hi,

It is possible (at least in theory) that an attacker can intercept the
packets before they are encrypted at IP. All applications just pass the
data buffer to be transmitted on the network to the OS kernel. A 
strategically placed root kit at the TCP/IP stack can copy the buffer to
some other location. Then it can send out both buffers: one through the VPN
as intended and the other to the attacker, unencrypted. Root kits are 
increasingly becoming popular and they are difficult to detect. Today almost no one
scans for root kits on their machines.

The trend is changing from user space exploitation to kernel space
exploitation.

Always remember that after compromising a machine an attacker can do anything 
at his will.

Navneet Singh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com ]
On Behalf Of divinepresence () gmail com
Sent: Wednesday, November 29, 2006 11:02 PM
To: security-basics () securityfocus com 
Subject: IPsec VPN question

Hi again,
I was just reading up about an application which used an IPsec VPN
connection to connect to an application server. Now my question is this:
if an attacker gets access to the machine hosting the client 
application, can he intercept and/or modify packets at the network stack
before they hit the IPsec ESP module (to view the communication mechanism
between the client and the server)? Is it really an issue, or is my doubt 
unfounded?

Also, what sort of attacks can then be carried out by that attacker using
another tool, since that VPN connection would give him access to the
complete network at the app server's end?

Thanks 
Ankur Jindal





