Security Basics mailing list archives
Re: Open VPN for PEN testing
From: Luis Lezcano Airaldi <luislezcair () gmail com>
Date: Wed, 18 Sep 2013 10:05:33 -0300
On Tue, Sep 17, 2013 at 11:07:06AM -0700, ToddAndMargo wrote:
Hi All, I have heard several folks say that they use Open VPN for human penetration testing. Reference: https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf I apparently did not pay close enough attention. I figured that Open VPN would get you past the firewall and the multilayer switch. Which sounded right to me. Use Open VPN to create a connection to the computer and/or network to be tested. Then test the computer/network with nmap, Metasploit, etc. But, if I remember correctly, they also said they used Open VPN as a direct attack mechanism to try to break into ports. Not as a mechanism to gain access to the computer/network. Am I missing something? Can Open VPN actually be used as an attack mechanism (nmap, metasploit) to test a computer/network?
Hi! Sometimes, enterprises use VPN to let employees connect to the local network from their homes. So it is logical to try to break into the local network using their credentials. Also, VPNs are used as a way to gain certain degree of anonimity. So your connection cannot be easyly tracked back to you, if there's some sysadmin vigilant. Hope this helps. Regards.
Attachment:
_bin
Description:
Current thread:
- Open VPN for PEN testing ToddAndMargo (Sep 18)
- Re: Open VPN for PEN testing Luis Lezcano Airaldi (Sep 18)