Penetration Testing mailing list archives

Re: [PEN-TEST] VPN Detector


From: Chris Winter <cwinter () MENTORTECH COM>
Date: Thu, 22 Feb 2001 15:05:00 -0500

How do you recognize VPN devices?

Ivan,

One way to do this is to use a newer version of NMAP that supports the -sO
IP protocol scanning switch (>= 2.54 if memory serves). This sends raw IP
packets to a host, with the Type of Service bit changed with each successive
packet. If a protocol is not present on a host, then an ICMP Protocol
Unreachable message is sent back (type 3.2). This can of course be defeated
by a firewall/packet filter that blocks ICMP (specifically type 3.2).
However, if this is not blocked (if the VPN device is in the DMZ or an
unprotected net, and the upstream router is not blocking ICMP), then
finding hosts that have protocol 47 (GRE, used to tunnel), and/or protocol
50 (IPSEC-ESP), and/or protocol 51 (IPSEC-AH) is a pretty good indication
that some kind of IPSEC/Tunneling/VPN foolery is going on. Just remember
that if ICMP is being blocked you will get false positives, showing all the
different IP protocols as open.

HTH,

Chris
-------------------------------------------------------------------
  Chris Winter
  Consultant
  Security Practice
  cwinter () mentortech com
  Cell: 410 258-4817

  Mentor Technologies-- innovators of vLab(r) technology, provides:
   ** high-end internetworking, skills-based learning services and
      solutions.
   ** high-end internetworking design, management, and security
      consulting.
  We're high tech, high touch, high performance; the total
  internetworking solutions company.  Visit us at www.mentortech.com
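The post's two points, that protocols 47/50/51 showing as present are the signal and that a host which never returns ICMP Protocol Unreachable makes every protocol look open, can be turned into a small result checker for someone reviewing a protocol scan of their own DMZ. The following is an added example and not code from the post or from nmap: the scan text is constructed to resemble the layout of an nmap -sO report (the host names, addresses and results are made up), and the state names open, closed, filtered and open|filtered are nmap's. `parse_scan`, `assess_host` and `assess_scan` are names chosen for this example.

```python
"""Interpret IP-protocol scan results and flag the VPN protocols the post names.

Added example, not part of the original mailing-list post. SAMPLE_SCAN is
constructed to look like the normal output of an nmap -sO run; the hosts,
addresses and per-protocol results are invented for this example.
"""
import re

# Protocol numbers the post singles out as VPN / tunnelling indicators.
VPN_PROTOCOLS = {47: "GRE", 50: "IPsec ESP", 51: "IPsec AH"}

# Constructed sample: one host answering normally (some protocols "closed",
# i.e. ICMP Protocol Unreachable came back) and one behind a filter that
# drops ICMP, so every probe is reported as "open|filtered".
SAMPLE_SCAN = """\
Nmap scan report for vpn-gw.example.test (192.0.2.10)
PROTOCOL STATE         SERVICE
1        open          icmp
2        closed        igmp
6        open          tcp
17       open          udp
47       open          gre
50       open          esp
51       open          ah
89       closed        ospfigp

Nmap scan report for filtered.example.test (192.0.2.20)
PROTOCOL STATE         SERVICE
1        open|filtered icmp
6        open|filtered tcp
17       open|filtered udp
47       open|filtered gre
50       open|filtered esp
51       open|filtered ah
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PROTO_RE = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)(?:\s+(\S+))?")


def parse_scan(text):
    """Return {host: {protocol_number: state}} from nmap-style protocol scan text."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PROTO_RE.match(line)
        if m and current is not None:
            hosts[current][int(m.group(1))] = m.group(2)
    return hosts


def assess_host(states):
    """Decide whether a host's protocol states point to a VPN/tunnel endpoint.

    The post's caveat drives the logic: when ICMP Protocol Unreachable never
    arrives, every protocol shows as open|filtered, and that result says
    nothing about which protocols the host actually implements.
    """
    icmp_blocked = bool(states) and all(s == "open|filtered" for s in states.values())
    confirmed = sorted(VPN_PROTOCOLS[p] for p, s in states.items()
                       if p in VPN_PROTOCOLS and s == "open")
    unresolved = sorted(VPN_PROTOCOLS[p] for p, s in states.items()
                        if p in VPN_PROTOCOLS and s == "open|filtered")
    return {
        "icmp_blocked": icmp_blocked,
        "vpn_protocols_open": confirmed,
        "vpn_protocols_unresolved": unresolved,
        # Only a real "open" on GRE/ESP/AH from a host that also returns
        # "closed" for other protocols counts as evidence; a wall of
        # open|filtered is the false-positive case the post warns about.
        "likely_vpn": bool(confirmed) and not icmp_blocked,
    }


def assess_scan(text):
    """Parse a whole report and assess every host in it."""
    return {host: assess_host(states) for host, states in parse_scan(text).items()}


if __name__ == "__main__":
    for host, verdict in assess_scan(SAMPLE_SCAN).items():
        print(host, verdict)
```

Run against the constructed report, the first host is flagged as a likely VPN endpoint with GRE, ESP and AH open, while the second is reported as ICMP-blocked with the three VPN protocols left unresolved rather than counted as a hit. Feeding the checker a real -sO report only requires that the host and protocol lines match the layout assumed by the two regular expressions.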

