Penetration Testing mailing list archives

Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?


From: Richard Miles <richard.k.miles () googlemail com>
Date: Fri, 13 Mar 2009 13:47:49 -0300

Hi zer0x90

It really works. Thanks a lot, folk.

It is a bit slow, but works very well, good point.

:)

On Fri, Mar 13, 2009 at 7:52 AM, 0 0 <wikid88 () hotmail com> wrote:
Richard,
     When using Burpsuite, and after you have created the "Cookie: " header
that you wish to match and replace, you will need to change some settings to
automate the process. Typically, as it was previously mentioned, you will
manually trap HTTP REQUEST and forward it onto the server. However, if you
change your proxy settings by clicking the button under the "proxy" tab to
"intercept is off", then all requests will still be subject to your match
and replace while automated and completely transparent to the user.

Regarding the "Content-Length: " header, this will be automatically
calculated based on the client request. For instance, a POST request will
only need those prior steps that I have identified for header rewrites. Once
automated, the Content-Length: fixup will be transparent and won't need any
manual intervention from the attacker's perspective as Burp will handle this
for you.

-zer0x90





Date: Tue, 10 Mar 2009 12:46:22 -0300
Subject: Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy
header rewrite?
From: richard.k.miles () googlemail com
To: pen-test () securityfocus com
CC: Amardeep_Singh () symantec com; austindad () gmail com

Hi Amardeep and Richard Thomas,

Thank you for the input. Well, I did look at Paros for example and
BurpSuite, however I only found a way to do it manually (request by
request), and I need a way to do it transparently - without user
interaction (in this case, me), like a header rewrite on the fly. Ex.:
Find header "Cookie: user=XXXXXXXXccxcxscscs; tamp=23434732674272" and
replace it on the fly with "Cookie: user=YYYYYYYccxcxscscs;
tamp=111111111111111111; admin=1", and we can't forget that the proxy
has to deal with and fix the size of the Content-Length - so just send the
packet to the webserver.

Not so easy, ahn?

Check for example the manual of Paros, it only explains a manual
section named: Trapping HTTP requests and responses.

Thanks for the input.

On Tue, Mar 10, 2009 at 6:50 AM, Amardeep Singh
<Amardeep_Singh () symantec com> wrote:
Paros, Burp, WebScarab are some of the really good options you can try. I
know Paros is the easiest to install and get going.

Amardeep Singh



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Richard Miles
Sent: Tuesday, March 10, 2009 3:01 AM
To: pen-test () securityfocus com
Subject: Cisco 3015 concentrator VPN bruteforce? And proxy with easy
header rewrite?

Hello

I'm doing a pen-test on a Cisco 3015 concentrator - IPsec connections
tunneled over TCP port 10000.

By the way, ike-scan does not work with this VPN. Also the common tools
to brute force like THC-pptp, THC-Hydra and Medusa do not work either.

Nmap doesn't recognize the port as open either (but it doesn't matter), it
says filtered, but I can telnet and establish a connection to it.

Do you have some experience with this device? Can you give me some
hints? And point me to some tools for identify, enumerate and
brute-force this Cisco implementation?

A bit off-topic: Does anyone know an easy to install and configure web
proxy for Windows which enables header rewriting? I need to set up a fast
web proxy on my Windows box to replace all headers (before they are
sent to the webserver) of the "Cookie" field and a proprietary header.

Thanks folks.







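The thread asks for a proxy that rewrites a request header on the fly and "fixes the Content-Length", and zer0x90 replies that Burp recalculates it from the client request. The following Python is an added illustration of what such a rewrite step actually does; it is not code from the thread, from Burp Suite or from Paros. It parses an HTTP/1.1 request, applies match-and-replace rules to a named header and, separately, to the body, and recomputes Content-Length only when the body changed, because that header describes the body, not the headers. The sample request, rule format and function names are constructed for this example.

```python
"""Minimal model of a proxy's match-and-replace step for HTTP/1.1 requests.

Added example; not code from the mailing-list thread or from Burp Suite.
The rule format, function names and sample request are constructed here.
"""
import re

# Constructed sample request (not taken from the thread). Body is 10 bytes.
SAMPLE_REQUEST = (
    b"POST /profile HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: user=abc123; tamp=42\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"name=alice"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("iso-8859-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("iso-8859-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def serialize_request(request_line: str, headers, body: bytes) -> bytes:
    """Inverse of parse_request; preserves header order."""
    head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + body


def content_length(raw: bytes) -> int:
    """Return the Content-Length value of a raw request, or -1 if absent."""
    for name, value in parse_request(raw)[1]:
        if name.lower() == "content-length":
            return int(value)
    return -1


def rewrite_request(raw: bytes, header_rules=(), body_rules=()) -> bytes:
    """Apply rewrite rules to one request.

    header_rules: (header_name, regex, replacement) applied to that header's
                  value (str patterns). Matching is case-insensitive on name.
    body_rules:   (regex, replacement) applied to the body (bytes patterns).
    """
    request_line, headers, body = parse_request(raw)

    new_headers = []
    for name, value in headers:
        for target, pattern, repl in header_rules:
            if name.lower() == target.lower():
                value = re.sub(pattern, repl, value)
        new_headers.append((name, value))

    new_body = body
    for pattern, repl in body_rules:
        new_body = re.sub(pattern, repl, new_body)

    # Content-Length counts body bytes only. Editing a Cookie or any other
    # header never changes it; editing the body does, unless the body is
    # chunked, in which case Content-Length must not be present at all.
    if new_body != body:
        chunked = any(
            n.lower() == "transfer-encoding" and "chunked" in v.lower()
            for n, v in new_headers
        )
        if not chunked:
            fixed, replaced = [], False
            for n, v in new_headers:
                if n.lower() == "content-length":
                    fixed.append((n, str(len(new_body))))
                    replaced = True
                else:
                    fixed.append((n, v))
            if not replaced:
                fixed.append(("Content-Length", str(len(new_body))))
            new_headers = fixed

    return serialize_request(request_line, new_headers, new_body)


if __name__ == "__main__":
    # Header-only rewrite: Cookie changes, Content-Length stays 10.
    out = rewrite_request(SAMPLE_REQUEST,
                          header_rules=[("Cookie", r"user=\w+", "user=TESTUSER")])
    print(out.decode("iso-8859-1"))
    # Body rewrite: Content-Length is recomputed from the new body.
    out = rewrite_request(SAMPLE_REQUEST,
                          body_rules=[(rb"alice", rb"alice-renamed")])
    print(out.decode("iso-8859-1"))
```

The point worth checking in any proxy you put in front of a test: a header-only rule must leave Content-Length alone (otherwise the server reads too few or too many body bytes and the request is rejected or truncated), while a body rule must update it; a proxy that gets this wrong produces the intermittent failures the thread is worried about.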

