Penetration Testing mailing list archives
Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 10 Mar 2009 12:43:06 +0100 (Western European standard time)
Richard,

On Mon, 9 Mar 2009, Richard Miles wrote:

> Hello, I'm doing a pen-test on a Cisco 3015 concentrator (IPsec connections tunneled over TCP port 10000). By the way, ike-scan does not work with this VPN. The common brute-force tools like THC-pptp, THC-Hydra and Medusa do not work either.

Is 10000/tcp the only open port on your target concentrator? If 500/udp is also open, ike-scan should work just fine. Alternatively, try running it with the --tcp=2 --dport=10000 command line switches [1].

> Nmap doesn't recognize the port as open either (but it doesn't matter); it says filtered, but I can telnet to it and establish a connection.

That's weird. Did you try running nmap with the --reason and/or --packet-trace command line switches [2] to see what's actually happening?

> Do you have some experience with this device? Can you give me some hints? And point me to some tools to identify, enumerate and brute-force this Cisco implementation?

You should probably use the Cisco VPN Client [3], together with some scripting to automate the brute-forcing process (expect [4] sounds good).

> A bit off-topic: does anyone know an easy-to-install and easy-to-configure web proxy for Windows that enables header rewriting? I need to set up a fast web proxy on my Windows box to replace all headers (before they are sent to the webserver) of the "Cookie" field and a proprietary header.

Just pick your favorite:

http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

> Thanks folks.

Hope this helps.

[1] http://www.nta-monitor.com/wiki/index.php/Ike-scan_help_output
[2] http://nmap.org/book/output-formats-commandline-flags.html
[3] http://projects.tuxx-home.at/?id=cisco_vpn_client
[4] http://expect.nist.gov/

-- 
Marco Ivaldi, OPST
Lead Security Analyst
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
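As an added example (not part of Marco's reply, and not ike-scan's own code), the following Python script wraps the ike-scan step suggested above: it builds the two invocations discussed in the thread (plain IKE to 500/udp, and IKE encapsulated in TCP with --tcp=2 --dport=10000 for the concentrator's TCP listener) and parses ike-scan's per-host result lines so a script can tell whether a target actually completed a handshake, in which exchange mode, and with which SA attributes (for example Auth=PSK), rather than only returning a Notify such as NO-PROPOSAL-CHOSEN. The regular expressions are written against ike-scan's result-line layout as documented in its help; the sample output, hostnames and addresses (192.0.2.0/24 documentation range) are constructed for this example and are not a capture from any real concentrator.

```python
#!/usr/bin/env python3
"""Glue around the ike-scan step suggested in the reply above.

build_ike_scan_argv() assembles the two invocations from the thread: plain
IKE to 500/udp, and IKE encapsulated in TCP (ike-scan --tcp=2) aimed at the
concentrator's 10000/tcp listener via --dport.

parse_ike_scan() reads ike-scan's per-host result lines so a script can tell
which targets completed a handshake (and in which mode, with which SA
attributes) versus only answering with a Notify.

SAMPLE_OUTPUT is constructed for this example; it is not a real capture.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple

# ike-scan prints one result line per host: "<host><TAB><message>".
HOST_LINE = re.compile(
    r"^(?P<host>\S+)\t(?P<mode>Main Mode|Aggressive Mode) Handshake returned "
    r"(?P<rest>.*)$"
)
NOTIFY_LINE = re.compile(
    r"^(?P<host>\S+)\tNotify message (?P<code>\d+) \((?P<name>[^)]*)\)"
)
SA_BLOCK = re.compile(r"SA=\((?P<attrs>[^)]*)\)")
VID_BLOCK = re.compile(r"VID=(?P<hex>[0-9a-f]+)(?: \((?P<name>[^)]*)\))?")

# Constructed sample: one host that handshakes (Cisco Unity vendor ID), one
# that rejects every proposal. Addresses are from the documentation range.
SAMPLE_OUTPUT = (
    "Starting ike-scan 1.9 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n"
    "192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=5ba4a6e2b2f0c7a1) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)\n"
    "192.0.2.11\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)\n"
    "\n"
    "Ending ike-scan 1.9: 2 hosts scanned in 0.061 seconds (32.79 hosts/sec).  "
    "1 returned handshake; 1 returned notify\n"
)


def build_ike_scan_argv(target: str, tcp_encap: bool = False,
                        dport: Optional[int] = None) -> List[str]:
    """argv for ike-scan: UDP/500 by default, or --tcp=2 --dport=N as in the reply."""
    argv = ["ike-scan"]
    if tcp_encap:
        # --tcp=2 is ike-scan's encapsulated-IKE-over-TCP (Cisco) transport;
        # --dport aims it at the concentrator's TCP listener (10000 here).
        argv.append("--tcp=2")
    if dport is not None:
        argv.append(f"--dport={dport}")
    argv.append(target)
    return argv


def parse_sa(rest: str) -> Dict[str, str]:
    """'SA=(Enc=3DES Hash=SHA1 ...)' -> {'Enc': '3DES', 'Hash': 'SHA1', ...}."""
    m = SA_BLOCK.search(rest)
    if not m:
        return {}
    attrs: Dict[str, str] = {}
    for item in m.group("attrs").split():
        key, _, value = item.partition("=")
        attrs[key] = value
    return attrs


def parse_ike_scan(output: str) -> List[Dict[str, object]]:
    """Turn ike-scan stdout into one record per host that answered."""
    results: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = HOST_LINE.match(line)
        if m:
            rest = m.group("rest")
            vids: List[Tuple[str, Optional[str]]] = [
                (v.group("hex"), v.group("name")) for v in VID_BLOCK.finditer(rest)
            ]
            results.append({"host": m.group("host"), "mode": m.group("mode"),
                            "sa": parse_sa(rest), "vendor_ids": vids, "notify": None})
            continue
        m = NOTIFY_LINE.match(line)
        if m:
            results.append({"host": m.group("host"), "mode": None, "sa": {},
                            "vendor_ids": [],
                            "notify": f"{m.group('code')} ({m.group('name')})"})
    return results


def handshaking_hosts(results: List[Dict[str, object]]) -> List[str]:
    """Hosts that returned a handshake, i.e. the ones worth pursuing further."""
    return [str(r["host"]) for r in results if r["mode"] is not None]


def run_ike_scan(target: str, tcp_encap: bool = False,
                 dport: Optional[int] = None) -> List[Dict[str, object]]:
    """Execute ike-scan (usually needs root) and parse what it prints."""
    argv = build_ike_scan_argv(target, tcp_encap, dport)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return parse_ike_scan(proc.stdout)


if __name__ == "__main__":
    for argv in (build_ike_scan_argv("192.0.2.10"),
                 build_ike_scan_argv("192.0.2.10", tcp_encap=True, dport=10000)):
        print("would run:", shlex.join(argv))
    for rec in parse_ike_scan(SAMPLE_OUTPUT):
        print(rec)
    print("handshake from:", handshaking_hosts(parse_ike_scan(SAMPLE_OUTPUT)))
```

Run it as root against the concentrator with run_ike_scan(target, tcp_encap=True, dport=10000) once the UDP probe has been tried; the parsed "sa" dictionary is what tells you whether the gateway proposes pre-shared-key authentication, which is the information the rest of the thread's brute-forcing discussion depends on.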
Current thread:
- Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 10)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? R. DuFresne (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Adriel T. Desautels (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Message not available
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 12)