Re: IPSec MitM

[toomanysecrets <toomsec () gmail com>]

Hey,
thanks for the hints.
You mentioned "a MITM fake certificate".....that´s exactly what I´m trying
now to do. I installed Openswan and xl2tp and I´m in the middle of getting
it up and running.

But to get this straight, the MITM part of it is basically,
-  issuing a fake aka: self signed certificate for my own IPSec gateway and
playing around with different settings for CN, SubjectAltName , etc...
-  Redirecting the traffic from the client to my IPSec gateway (ARP
poisoning, re-routing, DNS spoofing)
- Checking if the client is accepting my fake IPSec gateway and especially
the fake certificate

.....right?

Thanks!



On Wed, Jun 20, 2012 at 7:48 PM, Matt Summers <matt () fireantsecurity co uk>wrote:

> Howdy,
>
> I can't comment too much about IPSEC/IKE but I know my PKI and here is my
> 2c....
>
> So the SubjectAltName attribute can be set to any name e.g.
> server1.domain.com or server1. The trick is whether the client supports
> it or the x509 component used by the client supports it. If it did it would
> more than likely work how SubjectAltName works in an SSL environment in
> that the CN is checked first and if that doesn't match only then will it
> check the SubjectAltName. You might be better off attacking the certificate
> chain validation such as using a self-singed cert does the client complain?
> Maybe also attacking the CRL or OCSP checking with a MITM fake cert.
>
> Matt
>
>
> On Wed 20/06/12 15:27 , toomanysecrets toomsec () gmail com sent:
>
>
> Hi,
> I´m currently looking into IPSec/IKE security assessments. The environment
> I´m testing on is using certificate based authentication.
> I wonder if there are tools available to handle MitM attacks e.g. to test
> if an IPSec client would accept a certificate with a "subjectAltName"
> different to the operator FQDN or what happens if the EKU check on the
> client is being disabled etc..
>
> The only MitM attack tools I came across so far when it comes to IKE, are
> FakeIKEd (http://www.roe.ch/FakeIKEd), for handling VPN PSK+XAUTH based
> authentication, the ike-scan suite, ikeprober etc... but no tools to
> support certificate based attacks.  The traffic redirection itself is not
> the issue (DNS spoofing / ARP poisoning...)
>
> Any ideas or experiences?
>
> Thanks!
>
> toomanysecrets
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom";>
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com";>http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com