PaulDotCom mailing list archives
Re: IPSec MitM
From: toomanysecrets <toomsec () gmail com>
Date: Fri, 22 Jun 2012 10:31:50 +0200
Hey, thanks for the hints. You mentioned "a MITM fake certificate".....that´s exactly what I´m trying now to do. I installed Openswan and xl2tp and I´m in the middle of getting it up and running. But to get this straight, the MITM part of it is basically, - issuing a fake aka: self signed certificate for my own IPSec gateway and playing around with different settings for CN, SubjectAltName , etc... - Redirecting the traffic from the client to my IPSec gateway (ARP poisoning, re-routing, DNS spoofing) - Checking if the client is accepting my fake IPSec gateway and especially the fake certificate .....right? Thanks! On Wed, Jun 20, 2012 at 7:48 PM, Matt Summers <matt () fireantsecurity co uk>wrote:
Howdy, I can't comment too much about IPSEC/IKE but I know my PKI and here is my 2c.... So the SubjectAltName attribute can be set to any name e.g. server1.domain.com or server1. The trick is whether the client supports it or the x509 component used by the client supports it. If it did it would more than likely work how SubjectAltName works in an SSL environment in that the CN is checked first and if that doesn't match only then will it check the SubjectAltName. You might be better off attacking the certificate chain validation such as using a self-singed cert does the client complain? Maybe also attacking the CRL or OCSP checking with a MITM fake cert. Matt On Wed 20/06/12 15:27 , toomanysecrets toomsec () gmail com sent: Hi, I´m currently looking into IPSec/IKE security assessments. The environment I´m testing on is using certificate based authentication. I wonder if there are tools available to handle MitM attacks e.g. to test if an IPSec client would accept a certificate with a "subjectAltName" different to the operator FQDN or what happens if the EKU check on the client is being disabled etc.. The only MitM attack tools I came across so far when it comes to IKE, are FakeIKEd (http://www.roe.ch/FakeIKEd), for handling VPN PSK+XAUTH based authentication, the ike-scan suite, ikeprober etc... but no tools to support certificate based attacks. The traffic redirection itself is not the issue (DNS spoofing / ARP poisoning...) Any ideas or experiences? Thanks! toomanysecrets _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom"> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com">http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- IPSec MitM toomanysecrets (Jun 20)
- <Possible follow-ups>
- Re: IPSec MitM Matt Summers (Jun 20)
- Re: IPSec MitM toomanysecrets (Jun 22)