Penetration Testing mailing list archives
Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Fri, 13 Mar 2009 02:06:57 -0300
Hi Aditya,

Thank you a lot, it did clarify a lot. By the way, I will need 2 brute forces to get access, so my chances are really low. Too bad!

Thanks, folks.

On Fri, Mar 13, 2009 at 1:47 AM, aditya mukadam <aditya.mukadam () gmail com> wrote:

On Thu, Mar 12, 2009 at 12:15 AM, Richard Miles <richard.k.miles () googlemail com> wrote:
> No, my goal is not to guess the admin credential to manage this VPN (but for sure it would be great); my goal is to do a basic brute force to try to guess a common user VPN account, to be able to connect to the VPN.

We need to get to basics here to get more clarity.

The VPN Client is configured with a VPN Group name/password, which is checked by the Concentrator. If correct, it will prompt for user name/password (XAuth). So, the variables needed to authenticate and create a successful connection are:
1) VPN Group name
2) VPN Group password
3) User name/password (XAuth)

Cisco IPSec Client connection process order:
1) Client authenticates VPN group/password against the group/key in the Cisco Concentrator config.
2) Phase 1 (ISAKMP) authentication occurs.
3) User auth occurs against RADIUS (there are other ways, but this is our primary auth method).
4) Phase 2 (IPSec) occurs.
5) Relevant routing info is passed to the client; the client instantiates a virtual adaptor and edits the routing table (hosts file).
6) Traffic is passed.

i.e. the connection uses ISAKMP (UDP 500), or UDP 4500 if NAT-T. For you to guess the VPN Group name/password, you would need to craft/send a UDP 500/4500 packet with the VPN Group name/password. If you get another prompt for user name/password, that would mean you have successfully guessed the VPN group name/password. You should also take a look at the .pcf (configuration file) for the Cisco IPSec Client to understand the parameters to craft the packet.

Thanks,
Aditya Govind Mukadam

On Thu, Mar 12, 2009 at 12:15 AM, Richard Miles <richard.k.miles () googlemail com> wrote:
Hi aditya,

Thank you so much for the reply. :)

No, my goal is not to guess the admin credential to manage this VPN (but for sure it would be great); my goal is to do a basic brute force to try to guess a common user VPN account, to be able to connect to the VPN.

Strange, so in my case it should be filtered, because I can't reach ports 80 and 443. On average, does this VPN have a web interface to connect? At what port? Do you remember the path (like: http://server.com:8080/vpncisco/client.html)? Also, does this web interface have lockouts of clients by default? Yes, it's not my case, but it can be useful in the future.

Thank you,
Best regards,

On Wed, Mar 11, 2009 at 3:59 AM, aditya mukadam <aditya.mukadam () gmail com> wrote:
Richard,

Well, you are trying to bruteforce to find the admin username/password. Below is some info about admin username/password configuration.

The admin username/password can be authenticated:
1) Locally
2) AAA TACACS+ administrator authentication servers

Other options:
1) Session Idle Timeout
2) Session Limit
3) Access List: only those IP addresses listed will have access to manage this VPN 3000 Concentrator

There is no option for account lockout for local authentication. However, if the admin authentication is done via AAA TACACS+, it can be configured for account lockout.

> Derek, thanks for the link, however the target does not have the web interface

Correction: if Target = concentrator then there is a web interface for admin access!

Let me know if any questions. I'm still trying to figure out what exactly you are trying to achieve.

Thanks,
Aditya Govind Mukadam

On Tue, Mar 10, 2009 at 9:24 PM, Richard Miles <richard.k.miles () googlemail com> wrote:
Hi aditya, Derek and David,

Thanks for all your replies.

Aditya, well, at the end, what I really need is a tool able to brute-force user/password at this uncommon Cisco VPN concentrator. Does someone know a tool for that? I'm thinking of looking for a Linux client and doing an ugly shell script to connect and do a brute force, however it will be very slow. So if there is a reliable solution, it would be much better. Also, I'm not sure if this Cisco VPN locks accounts by default. Does anyone have more experience? I did find an old message where some guys pointed out a flaw where it was possible to enumerate usernames from this Cisco VPN, but it for sure was not encapsulated like mine. No results for me, and also, it had been patched in the last 3 years.

Derek, thanks for the link, however the target does not have the web interface and also I'm not allowed to do any DoS attack.

David, yes, I'm sure it's TCP.

Thank you all.

On Tue, Mar 10, 2009 at 6:57 AM, aditya mukadam <aditya.mukadam () gmail com> wrote:
Richard,

Based on my personal experience with the Cisco Concentrator, the result you received is pretty much expected.

Quick question: what are you exactly trying to achieve? Brute force to get what/which info?

As you would know, Security Associations (SA) are created by the VPN Gateway during IPSec negotiation/connection. The Phase 1 SA is ISAKMP while the Phase 2 SAs are IPSec (bi-directional). The actual traffic is encrypted with protocol ESP or encapsulated with AH (not used nowadays). The packet is encapsulated in TCP 10000 after the IPSec connection successfully establishes.

Insight into the Cisco Concentrator. It's capable of:
1) Site-to-site IPSec VPN
2) Remote Access IPSec VPN Gateway
3) WebVPN (SSL VPN)

Let me know if you need more info. Hope this helps.

Thanks,
Aditya Govind Mukadam

On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles <richard.k.miles () googlemail com> wrote:
Hello,

I'm doing a pen-test on a Cisco 3015 concentrator - IPSec connections tunneled over TCP port 10000. By the way, ike-scan does not work with this VPN. Also the common brute-force tools like THC-pptp, THC-Hydra and Medusa do not work either. Nmap doesn't recognize the port as open either (but it doesn't matter); it says filtered, but I can telnet and establish a connection to it.

Do you have some experience with this device? Can you give me some hints? And point me to some tools to identify, enumerate and brute-force this Cisco implementation?

A bit off-topic: does anyone know an easy to install and configure web proxy for Windows which enables header rewriting? I need to set up a fast web proxy on my Windows box to replace all headers (before they are sent to the webserver) of the "Cookie" field and a proprietary header.

Thanks folks.
Current thread:
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?, (continued)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? R. DuFresne (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Adriel T. Desautels (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Message not available
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? aditya mukadam (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 12)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Marco Ivaldi (Mar 15)
- RE: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Alex Eden (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 12)
- Message not available
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Richard Miles (Mar 15)
- Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite? Wasim Halani (Mar 15)