Penetration Testing mailing list archives

Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?


From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 10 Mar 2009 12:43:06 +0100 (ora solare Europa occidentale)

Richard,

On Mon, 9 Mar 2009, Richard Miles wrote:

> Hello
>
> I'm doing a pen-test in a Cisco 3015 concentrator - ipsec connections
> tunneled over TCP port 10000.
>
> By the way, ike-scan does not work with this vpn. Also, the common tools
> to brute force like THC-pptp, THC-Hydra and Medusa do not work either.

Is 10000/tcp the only open port on your target concentrator? If 500/udp is also open, ike-scan should work just fine. Alternatively, try running it with --tcp=2 --dport=10000 command line switches [1].

> Nmap doesn't recognize the port as open either (but it doesn't matter), it
> says filtered, but I can telnet and establish a connection to it.

That's weird. Did you try running nmap with --reason and/or --packet-trace command line switches [2] to see what's actually happening?

> Do you have some experience with this device? Can you give me some hints? And point me to some tools for identifying, enumerating and brute-forcing this Cisco implementation?

You should probably use the Cisco VPN Client [3], together with some scripting to automate the brute forcing process (expect [4] sounds good).

> A bit off-topic: Does anyone know an easy to install and configure web proxy for Windows which enables header rewriting? I need to set up a fast web proxy on my Windows box to replace all headers (before they are sent to the webserver) of the "Cookie" field and a proprietary header.

Just pick up your favorite:

http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

> Thanks folks.

Hope this helps.

[1] http://www.nta-monitor.com/wiki/index.php/Ike-scan_help_output
[2] http://nmap.org/book/output-formats-commandline-flags.html
[3] http://projects.tuxx-home.at/?id=cisco_vpn_client
[4] http://expect.nist.gov/

--
Marco Ivaldi, OPST
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/