Penetration Testing mailing list archives

Re: Cisco VPN Concentrator GUI


From: Stephen Hassard <steve () hassard net>
Date: Mon, 16 May 2005 07:32:15 -0700

Hi,

Are you talking about Cisco's administrative interface, or the WebVPN interface? WebVPN allows users to access network resources through a web client. While this is obviously a point of concern, ACLs can be configured to limit access to resources for users.

I don't believe that the Cisco VPN Concentrator will lock out admin accounts after invalid login attempts, so exposing the admin interface would be of great concern.

later,
Steve

kaps lock wrote:
hi all,
I am pen-testing one of our clients and am seeing
their web interface to the vpn concentrator (cisco)
available publicly on the internet with the
username/password page.
How could I explain to somebody that it can be
exploited...am sure this is not a good idea to have your
vpn concentrator interface on the public internet..but
I can't find any vulnerabilities on the net ....to
explain to the person....only thing I can think of is
brute forcing the username password field...which is
again a challenge for web vpn..any ideas??
thanks
