RE: pen test VPN

[Eric Hines <eric3+ () pitt edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I concur with David. I have been pen-testing VPN appliances for about
two years now. I wrote several controversial advisories under the
alias Loki on circumventing VPNet VPN appliances (now Avaya) and
gaining remote root shells to RapidStream VPN's. You should most
DEFINITELY PEN-TEST any VPN appliance you wish to purchase or use on
your network. My feeling is that if I can break it, why should I use
it? 

Don't be intimidated by VPN's. Just because they encrypt traffic does
not mean they are fail proof. When attacking VPN appliances, it's not
the encryption that is the weakest link, it's the design. Case in
point, VPNet built their VPN appliances and configured them as
bridges. Therefore, spoofing your SOURCE IP Address as being part of
the private VPN network and sending it to the public Interface caused
the VPN's to forward those packets over to the private side. This was
a flaw that has yet to be explained by the vendor.

With the RapidStream VPN devices I found that they were using
SSHD(exec) for secure remote access to the VPN devices. After poking
at the VPN, I noticed that they hard coded the root account into the
SSHD binary with a NULL passwd. A simple line in Linux would yield
you a rootshell to the remote VPN device:
E.g. ssh -l rsadmin 192.168.0.1 "/bin/sh -i"

This would open an interactive shell to the Rapidstream VPN device. I
guess they didn't account for the fact that Linux/Unix command line
users of SSH could append "commands" at the end of the ssh string.
They also foolishly relied on their VPN manager to handle the passwd
authentication.

I would suggest you look at other problems identified in VPN
appliances. You can read my advisories on these at
http://online.securityfocus.com/advisories/2946

RapidStream SSHD Remote Root Compromise
http://online.securityfocus.com/archive/1/76197


Loki
www.fatelabs.com




- -----Original Message-----
From: DABDELMO () bouyguestelecom fr
[mailto:DABDELMO () bouyguestelecom fr] 
Sent: Monday, February 25, 2002 9:55 AM
To: crbyme () writeme com; pen-test () securityfocus com
Subject: RE: pen test VPN


It perfectly makes sense to pen-test VPN access. Traffic may
eventually be encrypted, and then confidential datas going over
untrusted network could not be sniffed. But beyond that a VPN gateway
is often a direct entry point to the internal network. Starting from
here, all of your security relies on the the authentication used by
the VPN gateway. If this one is not good enough, you might be in
trouble. This is where the VPN pen-testing come. As for tools I don't
really know any specific one. To me the steps for pen-testing would
be quite classical, identifying the type of VPN that can be done with
gateway (ie IKE/IPSec, PPTP, L2TP/IPSec...), finding what is exactly
the type of the VPN gateway, then do specific vulnerability research
on this gateway type, and start with the associated VPN client.
Indeed various things can be done as a start depending of the
solution, for example with Checkpoint VPN-1, you should be able to
get the topology file... BR

David

> -----Message d'origine-----
> De:   Carl Bysen [SMTP:crbyme () writeme com]
> Date: samedi 23 février 2002 17:25
> À:    pen-test () securityfocus com
> Objet:        pen test VPN
>
> Hi,
>
> what can be done to pen test a VPN setup? Which tools are
> available,  additionally does it make sense to pen-test a VPN setup
> (traffic is  encrypted)?
>
>
> Regards,
> --egonle
> --
>
> _______________________________________________
>
> Sign-up for your own FREE Personalized E-mail at Mail.com
>
> http://www.mail.com/?sr=signup
>
>
>
>
>
> 1 cent a minute calls anywhere in the U.S.!
>
>
>
> http://www.getpennytalk.com/cgi-bin/adforward.cgi?p_key=RG9853KJ&url
> =h ttp:
> //www.getpennytalk.com
>
>
>
>
>
> --------------------------------------------------------------------
> -- ----
> --
> This list is provided by the SecurityFocus Security Intelligence
> Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities
> please see:
> https://alerts.securityfocus.com/

- ----------------------------------------------------------------------
- ------
This list is provided by the SecurityFocus Security Intelligence
Alert (SIA) Service. For more information on SecurityFocus' SIA
service which automatically alerts you to the latest security
vulnerabilities please see: https://alerts.securityfocus.com/


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPHuG9z4GESb0uqLMEQL9BgCg2SYg7Jxlv8kzzt/94Lj2JmmUqwcAoNa6
8TlT7r6zs3CK7TRcw+SCTv2E
=30po
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/