Penetration Testing mailing list archives
Re: [PEN-TEST] VPN Detector
From: Chris Winter <cwinter () MENTORTECH COM>
Date: Thu, 22 Feb 2001 15:05:00 -0500
How do you recognize VPN devices?
Ivan,

One way to do this is to use a newer version of NMAP that supports the -sO IP protocol scanning switch (>= 2.54 if memory serves.) This sends raw IP packets to a host, with the Type of Service bit changed with each successive packet. If a protocol is not present on a host, then an ICMP Protocol Unreachable message is sent back (type 3.2.)

This can of course be defeated by a firewall/packetfilter that blocks ICMP (specifically type 3.2.) However, if this is not blocked (if the VPN device is in the DMZ or an unprotected net, and the upstream router is not blocking ICMP), then finding hosts that have protocol 47 (GRE, used to tunnel), and/or protocol 50 (IPSEC-ESP), and/or protocol 51 (IPSEC-AH) is a pretty good indication that some kind of IPSEC/Tunneling/VPN foolery is going on.

Just remember that if ICMP is being blocked you will get false positives, showing all the different IP protocols as open.

HTH,
Chris

-------------------------------------------------------------------
Chris Winter
Consultant, Security Practice
cwinter () mentortech com
Cell: 410 258-4817

Mentor Technologies -- innovators of vLab(r) technology, provides:
** high-end internetworking, skills-based learning services and solutions.
** high-end internetworking design, management, and security consulting.
We're high tech, high touch, high performance; the total internetworking solutions company.
Visit us at www.mentortech.com
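Added here as an example, not code from the post or from nmap: a small parser that applies Chris's two rules to -sO output, flagging hosts with protocols 47/50/51 open and marking a host inconclusive when nothing was ever reported closed (the ICMP 3/2-blocked false-positive case). The sample scan text is constructed and only modelled on nmap's normal text output; newer nmap reports a no-response protocol as "open|filtered".

```python
import re

# Protocol numbers named in the post: GRE tunnels and the two IPsec protocols.
VPN_PROTOCOLS = {47: "GRE", 50: "IPsec-ESP", 51: "IPsec-AH"}

# Constructed sample modelled on nmap's normal text output for -sO (not real
# scan data). 192.0.2.10 answers ICMP Protocol Unreachable, so its tunnel
# protocols stand out; 192.0.2.20 sits behind a filter that drops ICMP 3/2,
# so nothing is ever reported closed and every probed protocol looks open.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Not shown: 252 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
47       open          gre
50       open          esp
51       open          ah
Nmap scan report for 192.0.2.20
PROTOCOL STATE         SERVICE
1        open|filtered icmp
47       open|filtered gre
50       open|filtered esp
51       open|filtered ah
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
HIDDEN_RE = re.compile(r"^Not shown: (\d+) closed")
PROTO_RE = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)\b")


def parse_protocol_scan(text):
    """Return {host: {"states": {proto: state}, "closed": n}} from -sO text."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"states": {}, "closed": 0})
        elif cur is None:
            continue
        elif m := HIDDEN_RE.match(line):          # nmap elides closed entries
            cur["closed"] += int(m.group(1))
        elif m := PROTO_RE.match(line):
            cur["states"][int(m.group(1))] = m.group(2)
            cur["closed"] += int(m.group(2) == "closed")
    return hosts


def classify(host):
    """Post's rule: 47/50/51 open suggests a VPN endpoint, unless nothing was
    reported closed, in which case ICMP 3/2 is likely blocked (false positives)."""
    if host["closed"] == 0:
        return "inconclusive: nothing closed, ICMP 3/2 likely blocked"
    seen = [n for p, n in sorted(VPN_PROTOCOLS.items()) if host["states"].get(p) == "open"]
    return ("likely VPN/tunnel endpoint: " + ", ".join(seen)) if seen else "no tunnel protocols open"
```

Run against a real -oN file from a scan of your own DMZ to see which hosts are genuinely exposing GRE/ESP/AH and which results are just the filter swallowing the unreachables.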
Current thread:
- [PEN-TEST] VPN Detector Ivan Buetler (Feb 22)
- Re: [PEN-TEST] VPN Detector Chris Winter (Feb 22)
- Re: [PEN-TEST] VPN Detector Emre Yildirim (Feb 22)