Penetration Testing mailing list archives

Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 12 Mar 2009 18:50:37 -0300

Hi Marco,

Nice to see your reply.

On Tue, Mar 10, 2009 at 8:43 AM, Marco Ivaldi <raptor () mediaservice net> wrote:
Is 10000/tcp the only open port on your target concentrator? If 500/udp is
also open, ike-scan should work just fine. Alternatively, try running it
with --tcp=2 --dport=10000 command line switches [1].

Yes, 10000/tcp is the only open port. One of my first tries was
ike-scan at port 500/udp and with --tcp=2 --dport=10000; both
failed.

Do you have some experience with this device? Can you give me some hints?
And point me to some tools to identify, enumerate and brute-force this
Cisco implementation?

Yes, it says OPEN|FILTERED, as do all other ports on this host.

You should probably use the Cisco VPN Client [3], together with some
scripting to automate the brute forcing process (expect [4] sounds good).

I'm doing it, but it works very slowly; the client is very slow to
load. And worse, from time to time I start to get connection
time-outs. I tried increasing the timeout, but that did not solve it. I
believe there is some anti-bruteforce feature on this VPN....

Just pick up your favorite:

http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

I tested Paros and it is not able to do it. I'm testing Burp and
it appears to work well. Thanks for the help.

Hope this helps.

For sure it helps. It is always good to get some pointers from other folks
in the security industry. Also, if you can, take a look at my recent
post called "Someone with experience in CDP / STP attacks?"; maybe you
will be interested and have some hints.

--
Marco Ivaldi, OPST
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

Thanks, folks
