Penetration Testing mailing list archives
Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Fri, 13 Mar 2009 13:47:49 -0300
Hi zer0x90,

It really works. Thanks a lot, folk. It is a bit slow, but it works very well, good point. :)

On Fri, Mar 13, 2009 at 7:52 AM, 0 0 <wikid88 () hotmail com> wrote:

Richard,

When using Burpsuite, and after you have created the "Cookie: " header that you wish to match and replace, you will need to change some settings to automate the process. Typically, as was previously mentioned, you will manually trap the HTTP request and forward it on to the server. However, if you change your proxy settings by clicking the button under the "proxy" tab to "intercept is off", then all requests will still be subject to your match and replace while automated and completely transparent to the user.

Regarding the "Content-Length: " header, this will be automatically calculated based on the client request. For instance, a POST request will only need those prior steps that I have identified for header rewrites. Once automated, the Content-Length: fixup will be transparent and won't need any manual intervention from the attacker's perspective, as Burp will handle this for you.

-zer0x90

Date: Tue, 10 Mar 2009 12:46:22 -0300
Subject: Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
From: richard.k.miles () googlemail com
To: pen-test () securityfocus com
CC: Amardeep_Singh () symantec com; austindad () gmail com

Hi Amardeep and Richard Thomas,

Thank you for the input. Well, I did look at Paros, for example, and BurpSuite; however, I only found a way to do it manually (request by request), and I need a way to do it transparently, without user interaction (in this case, me), like a header rewrite on the fly. Ex.: find the header "Cookie: user=XXXXXXXXccxcxscscs; tamp=23434732674272" and replace it on the fly with "Cookie: user=YYYYYYYccxcxscscs; tamp=111111111111111111; admin=1", and we can't forget that the proxy has to deal with and fix the size of the Content-Length, so it can just send the packet to the web server. Not so easy, ahn? Check for example the manual of Paros: it only explains a manual section named "Trapping HTTP requests and responses".

Thanks for the input.

On Tue, Mar 10, 2009 at 6:50 AM, Amardeep Singh <Amardeep_Singh () symantec com> wrote:

Paros, Burp, WebScarab are some of the really good options you can try. I know Paros is the easiest to install and get going.

Amardeep Singh

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Richard Miles
Sent: Tuesday, March 10, 2009 3:01 AM
To: pen-test () securityfocus com
Subject: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?

Hello

I'm doing a pen-test on a Cisco 3015 concentrator: IPsec connections tunneled over TCP port 10000. By the way, ike-scan does not work with this VPN. Also, the common brute-force tools like THC-pptp, THC-Hydra and Medusa do not work either. Nmap doesn't recognize the port as open either (but it doesn't matter); it says filtered, but I can telnet and establish a connection to it. Do you have some experience with this device? Can you give me some hints? And point me to some tools to identify, enumerate and brute-force this Cisco implementation?

A bit off-topic: does anyone know an easy to install and configure web proxy for Windows which enables header rewrites? I need to set up a fast web proxy on my Windows box to replace all headers (before they are sent to the web server) of the "Cookie" field and a proprietary header.

Thanks folks.
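An added example, not code from this thread or from Burp or Paros: a minimal HTTP/1.1 request rewriter in Python showing the two things a transparent header-rewrite proxy has to get right on each forwarded request, namely applying match/replace rules to header values and recomputing Content-Length from the (possibly rewritten) body, which is the fixup zer0x90 says Burp performs automatically. Content-Length counts only the body, so a header-only rewrite leaves it unchanged; the example still recomputes it so that body rewrites stay consistent. It also includes a check that flags a request whose declared Content-Length does not match its body, which is what a downstream server or WAF is left to cope with when a proxy rewrites the body and skips that step. The sample request, host name, cookie values and rules are all constructed for the example.

```python
"""Minimal header/body rewriter for raw HTTP/1.1 requests (added example).

Assumptions (not from the thread): rules are regexes applied to the value of a
named header or to the body; the request is a single complete, un-chunked
message with CRLF line endings.
"""
import re
from typing import List, Sequence, Tuple

HeaderRule = Tuple[str, str, str]   # (header name, value regex, replacement)
BodyRule = Tuple[str, str]          # (body regex, replacement)


def _split(raw: bytes):
    """Return (request line, header lines, body bytes) of a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body


def rewrite_request(raw: bytes, header_rules: Sequence[HeaderRule],
                    body_rules: Sequence[BodyRule] = ()) -> bytes:
    """Apply match/replace rules and emit a request with a correct Content-Length."""
    request_line, header_lines, body = _split(raw)

    # Body rules first: the final body length decides Content-Length.
    body_text = body.decode("latin-1")
    for pattern, repl in body_rules:
        body_text = re.sub(pattern, repl, body_text)
    new_body = body_text.encode("latin-1")

    out_headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "content-length":
            continue  # dropped here and recomputed from the real body below
        for rule_name, pattern, repl in header_rules:
            if name.lower() == rule_name.lower():
                value = re.sub(pattern, repl, value)
        out_headers.append(f"{name}: {value}")

    # Methods that normally carry a body always get an explicit Content-Length.
    method = request_line.split(" ", 1)[0]
    if new_body or method in ("POST", "PUT", "PATCH"):
        out_headers.append(f"Content-Length: {len(new_body)}")

    head = "\r\n".join([request_line, *out_headers]).encode("latin-1")
    return head + b"\r\n\r\n" + new_body


def content_length_mismatch(raw: bytes) -> bool:
    """True when the declared Content-Length disagrees with the actual body size."""
    _, header_lines, body = _split(raw)
    declared = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            declared = int(value.strip())
    return declared is not None and declared != len(body)


# Constructed sample request; none of these values come from the thread.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Cookie: user=abc123; tamp=1\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"a=1&b=22"
)
# Constructed rules: swap the session cookie for a test account, lengthen a body field.
HEADER_RULES: List[HeaderRule] = [("Cookie", r"user=[^;]+", "user=TESTUSER")]
BODY_RULES: List[BodyRule] = [(r"b=22", "b=12345")]
# The same body change made without touching the header: the classic proxy mistake.
BROKEN_REQUEST = SAMPLE_REQUEST.replace(b"b=22", b"b=12345")

if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST, HEADER_RULES, BODY_RULES).decode("latin-1"))
    print("broken request mismatched:", content_length_mismatch(BROKEN_REQUEST))
```

Run as a script it prints the rewritten request, whose Content-Length has moved from 8 to 11 to match the rewritten body, and reports the deliberately broken request as mismatched. In a real proxy the same function would sit between the client socket and the upstream connection; the mismatch check is the piece worth keeping on the defensive side, since a desynchronised Content-Length is exactly what request-smuggling detection looks for.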