Penetration Testing mailing list archives

Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?


From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 13 Mar 2009 11:17:33 +0100 (Western European standard time)

On Tue, 10 Mar 2009, Richard Miles wrote:

> [snip]
> 
> I'm thinking of looking for a Linux client and doing an ugly shell script to connect and do a brute force, however it will be very slow. So if there is a reliable solution, it should be much better. Also, I'm not sure if this Cisco VPN by default locks accounts. Anyone have more experience?

It depends on the configuration. If the VPN concentrator uses Active Directory as the authentication back-end, for instance, account locking policies may be in place. This, by the way, could be considered as a remote Denial of Service vector.

If you have no way of determining if such a configuration is in place, you should probably perform only 1-2 logon attempts for each username in your wordlist, just to be on the safe side. Also, try some manual password guessing beforehand.

> I did find an old message where some guys pointed out a flaw where it was
> possible to enumerate usernames from this Cisco VPN, but it for sure
> was not encapsulated like mine. No results for me, and also, it had
> been patched in the last 3 years.

I assume you're referring to this advisory by the fine folks at NTA Monitor:

http://www.nta-monitor.com/posts/2005/06/cisco-concentrator-groupname-enumeration-vulnerability.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2025

Yeah, it's a pretty old vulnerability and most likely patched nowadays.

Cheers,

--
Marco Ivaldi, OPST
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
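The two points in the reply above have a defender's mirror image: a lockout policy on the authentication back-end means a wordlist run against many usernames will lock real users out, and a cautious tester who spreads attempts thinly (1-2 per username) produces a "many users, few attempts each" pattern that a per-account failure counter never catches. The following script is an added example, not code from the thread or from Cisco: it parses constructed authentication-failure log lines in an assumed generic format (not the concentrator's real syntax), flags sources that spread a few failures across many accounts, and lists accounts that are one failure away from an assumed lockout threshold.

```python
"""Spot spray-style failures and lockout-prone accounts in auth logs.

Added example for the thread above. The log format, field names and
lockout threshold are assumptions, not the VPN concentrator's own syntax.
"""
import re
from collections import defaultdict

# Constructed sample lines: one source touching six accounts once each
# (spray pattern), another hammering a single account (lockout pattern).
SAMPLE_LOG = """\
2009-03-10T10:00:01 AUTH FAIL user=alice src=198.51.100.7
2009-03-10T10:00:02 AUTH FAIL user=bob src=198.51.100.7
2009-03-10T10:00:03 AUTH FAIL user=carol src=198.51.100.7
2009-03-10T10:00:04 AUTH FAIL user=dave src=198.51.100.7
2009-03-10T10:00:05 AUTH FAIL user=erin src=198.51.100.7
2009-03-10T10:00:06 AUTH FAIL user=frank src=198.51.100.7
2009-03-10T10:05:00 AUTH FAIL user=alice src=203.0.113.9
2009-03-10T10:05:10 AUTH FAIL user=alice src=203.0.113.9
2009-03-10T10:05:20 AUTH FAIL user=alice src=203.0.113.9
2009-03-10T10:05:30 AUTH FAIL user=alice src=203.0.113.9
2009-03-10T10:06:00 AUTH OK user=bob src=192.0.2.5
"""

# Assumed line shape: "<timestamp> AUTH <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def spray_sources(events, min_distinct_users=5, max_per_user=2):
    """Sources whose failures touch many accounts with few tries on each.

    This is the pattern a per-account counter misses: every account stays
    under the lockout threshold while the source walks the whole user list.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return sorted(
        src
        for src, users in per_src.items()
        if len(users) >= min_distinct_users and max(users.values()) <= max_per_user
    )


def lockout_risk(events, threshold=5):
    """Accounts at or within one failure of the assumed lockout threshold.

    Lists the users a back-end lockout policy would disable next, which is
    the denial-of-service side effect the reply above warns about.
    """
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold - 1}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spray sources:", spray_sources(evs))
    print("lockout risk:", lockout_risk(evs))
```

Both detectors are deliberately independent: `lockout_risk` counts per account regardless of source, so it catches the single-account hammering, while `spray_sources` groups by source and looks for breadth rather than depth, so it catches the thin spread that stays under every per-account counter. The threshold values are placeholders to be replaced with the real lockout policy of the directory behind the concentrator.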
