Penetration Testing mailing list archives
RE: Pen-testing remote VPN services over IP
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 6 Nov 2003 19:20:38 -0500
This is a good point; there are many kinds of VPNs. Not all use IPSEC either, and a big new trend is the "SSL VPN" where SSL support is integral to a product, and TCP connections are tunneled inside SSL. Kind of like Stunnel, only native in the app. Is there a particular VPN you're looking at, or are you asking in general?
-----Original Message-----
From: Pete Herzog [mailto:pete () isecom org]
Sent: Thursday, November 06, 2003 5:41 PM
To: pen-test () securityfocus com
Subject: RE: Pen-testing remote VPN services over IP

Chris,

In the OSSTMM 2.5 we have included the following as well:

- Enumerate the VPN servers using TCP/UDP scans.
- Use scans searching for response to different IP Types Packets.
- Use ike scans to fingerprint the VPN server implementation and version.
- Protocol Responses
  PPTP:
    IP Type: 47 (GRE)
    TCP: 1723
  IPSec:
    UDP: 500 (IKE)
    IP Type: 50 (ESP)
    IP Type: 51 (AH)
  L2TP:
    UDP: 1701
  L2F:
    UDP: 1701
- Outline the VPN security policy using different authentication / encryption algorithms.
- Verify the existence of mechanisms to control client machine misconfiguration and unfiltered ports.
- Check the ability of the client software to allow split tunneling (default route to internet and static routes to the corporate network).

Sincerely,
-pete

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
__________________________________________
ISECOM is the accreditation authority for the OPST - OSSTMM Professional Security Tester and OPSA - OSSTMM Professional Security Analyst

-----Original Message-----
From: Chris McNab [mailto:chris.mcnab () trustmatta com]
Sent: Thursday, November 06, 2003 20:22 PM
To: pen-test () securityfocus com
Subject: Pen-testing remote VPN services over IP

Hi,

As part of some research I am undertaking recently, I'd like to know if any of you have any decent information relating to the following areas of _remote_ assessment of VPN services over IP.

The topics I have covered and documented fully so far include:

- IPsec enumeration, scanning for UDP/500 and using Roy Hills' tools (ike-scan) to identify the gateway
- Various overflows relating to ISAKMP / IKE packets being sent to UDP/500, as in MITRE CVE
- Offline aggressive mode IKE pre-shared key cracking, by sniffing VPN traffic and using IKECrack
- Check Point aggressive mode IKE username enumeration (using Roy Hills' fw1-ike-userguess over UDP/500)
- Check Point Telnet authentication service (TCP/259) user enumeration
- Check Point information leak attacks that reveal network interface addresses, over both TCP/256 and TCP/264
- Check Point RDP encapsulation filter bypass techniques, using UDP/259
- Offline Microsoft PPTP (TCP/1723) MS-CHAP challenge-response cracking

Two areas in which I've identified a need for tools are:

- Check Point brute force password grinding tool for FWZ or IKE, to compromise SecuRemote username/password combinations
- PPTP brute force tool, to compromise those user/password combinations also

Does anyone know of such offensive brute force tools, or techniques I have missed (against ISAKMP and Check Point)? If so, any input would be greatly appreciated.

Regards,
Chris

Chris McNab
Technical Director
Matta
18 Noel Street
London W1F 8GN
http://www.trustmatta.com

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4.
---------------------------------------------------------------------------
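The protocol/port list Pete quotes from OSSTMM 2.5, together with Chris's point that aggressive-mode IKE exposes the pre-shared-key hash to offline cracking, can be turned into a small defensive inventory check: map observed traffic to the VPN protocol it belongs to, and for UDP/500 parse the ISAKMP header so that aggressive-mode exchanges stand out. The Python below is an added example, not code from this thread, from OSSTMM, or from any of the tools mentioned (ike-scan, IKECrack, fw1-ike-userguess). The flow records are constructed; the ISAKMP header layout follows RFC 2408, and the Flow record, build_isakmp helper and audit function are this example's own names.

```python
"""Added example: classify observed traffic against the OSSTMM VPN protocol list
and flag IKEv1 aggressive-mode exchanges seen on UDP/500 (defensive inventory)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# (ip_protocol, transport, dst_port) -> VPN component, as listed in the
# OSSTMM 2.5 excerpt quoted in the thread. Port-less protocols use None.
VPN_SIGNATURES = {
    (47, None, None): "PPTP data (GRE)",
    (6, "tcp", 1723): "PPTP control",
    (17, "udp", 500): "IPsec IKE",
    (50, None, None): "IPsec ESP",
    (51, None, None): "IPsec AH",
    (17, "udp", 1701): "L2TP or L2F",
}

# ISAKMP exchange types (RFC 2408 sect. 3.1); 32 = IKE Quick Mode (RFC 2409)
ISAKMP_EXCHANGE = {0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
                   3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                   32: "Quick Mode"}

# ISAKMP header: I-cookie(8) R-cookie(8) next(1) version(1) exch(1) flags(1) msgid(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return ISAKMP_EXCHANGE.get(self.exchange_type, f"unknown({self.exchange_type})")

    @property
    def is_aggressive(self) -> bool:
        return self.major_version == 1 and self.exchange_type == 4


def parse_isakmp_header(payload: bytes) -> Optional[IsakmpHeader]:
    """Parse the fixed 28-byte ISAKMP header; None if truncated or inconsistent."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):      # header length must match the datagram length
        return None
    return IsakmpHeader(i_spi, r_spi, nxt, ver >> 4, ver & 0x0F, exch, flags, msgid, length)


@dataclass
class Flow:
    """One observed datagram/segment (constructed for this example)."""
    src: str
    dst: str
    ip_proto: int
    dport: Optional[int] = None
    payload: bytes = b""


def classify_flow(flow: Flow) -> Optional[str]:
    """Return the VPN component a flow belongs to, or None if it matches nothing."""
    transport = {6: "tcp", 17: "udp"}.get(flow.ip_proto)
    key = (flow.ip_proto, transport, flow.dport) if transport else (flow.ip_proto, None, None)
    return VPN_SIGNATURES.get(key)


def audit_vpn_exposure(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group VPN-related findings per destination host; annotate IKE exchanges."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        label = classify_flow(f)
        if label is None:
            continue
        if label == "IPsec IKE":
            hdr = parse_isakmp_header(f.payload)
            if hdr is None:
                label += " (unparseable ISAKMP header)"
            else:
                label += " " + hdr.exchange_name
                if hdr.is_aggressive:
                    label += " [aggressive mode: PSK hash exposed to offline cracking]"
        findings.setdefault(f.dst, []).append(label)
    return findings


def build_isakmp(exchange_type: int, body: bytes = b"") -> bytes:
    """Construct a minimal IKEv1 datagram (header + opaque body) for the sample data."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed sample traffic (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", 17, 500, build_isakmp(4, b"\x00" * 40)),  # aggressive
    Flow("198.51.100.8", "192.0.2.10", 17, 500, build_isakmp(2, b"\x00" * 40)),  # main mode
    Flow("198.51.100.7", "192.0.2.10", 50),         # ESP
    Flow("198.51.100.9", "192.0.2.20", 6, 1723),    # PPTP control
    Flow("198.51.100.9", "192.0.2.20", 47),         # GRE
    Flow("198.51.100.9", "192.0.2.30", 6, 443),     # plain HTTPS: an SSL VPN is not identifiable by port alone
]

if __name__ == "__main__":
    for host, items in audit_vpn_exposure(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(items))
```

The HTTPS flow is deliberately left unclassified: as Rob notes, SSL VPNs tunnel TCP inside SSL, so TCP/443 alone says nothing and needs application-level fingerprinting rather than a port table.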
Current thread:
- Pen-testing remote VPN services over IP Chris McNab (Nov 06)
- RE: Pen-testing remote VPN services over IP Pete Herzog (Nov 06)
- RE: Pen-testing remote VPN services over IP Rob Shein (Nov 07)
- Re: Pen-testing remote VPN services over IP Michael Thumann (Nov 06)
- <Possible follow-ups>
- Re: Pen-testing remote VPN services over IP Travis Schack (Nov 07)
- RE: Pen-testing remote VPN services over IP Pete Herzog (Nov 06)