Penetration Testing mailing list archives
Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 13 Mar 2009 11:17:33 +0100 (ora solare Europa occidentale)
On Tue, 10 Mar 2009, Richard Miles wrote: [snip]
> I'm thinking of looking for a Linux client and doing an ugly shell script to connect and do a brute force, however it will be very slow. So if there is a reliable solution, it would be much better. Also, I'm not sure if this Cisco VPN locks accounts by default. Does anyone have more experience?
It depends on the configuration. If the VPN concentrator uses Active Directory as the authentication back-end, for instance, account locking policies may be in place. This, by the way, could be considered as a remote Denial of Service vector.
If you have no way of determining if such a configuration is in place, you should probably perform only 1-2 logon attempts for each username in your wordlist, just to be on the safe side. Also, try with some manual password guessing before.
> I did find an old message where some guys pointed out a flaw where it was possible to enumerate usernames from this Cisco VPN, but it for sure was not encapsulated like mine. No results for me, and also, it had been patched in the last 3 years.
I assume you're referring to this advisory by the fine folks at NTA Monitor:
http://www.nta-monitor.com/posts/2005/06/cisco-concentrator-groupname-enumeration-vulnerability.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2025
Yeah, it's a pretty old vulnerability and most likely patched nowadays.
Cheers,
--
Marco Ivaldi, OPST
Lead Security Analyst
Data Security Division
@ Mediaservice.net Srl
http://mediaservice.net/