Re: Pen-testing remote VPN services over IP

From: Michael Thumann (mlthumann_at_ids-guide.de)
Date: 11/06/03

  • Next message: Robert E. Lee: "RE: CEH and Intense School"
    Date: Thu, 06 Nov 2003 23:55:19 +0100
    To: "Chris McNab" <chris.mcnab@trustmatta.com>, <pen-test@securityfocus.com>
    
    

    Hi,

    we just published a tool called ikeprobe that checks for devices that are
    vulnerable to the PSK Attack we've described in our paper 'PSK Cracking
    using IKE Aggressive Mode'.

    You can find the paper at www.ernw.de/download/pskattack.pdf and the tool
    ikeprobe at www.ernw.de/download/ikeprobe.zip.

    Using ikeprobe together with Cain & Abel (www.oxid.it) you can check for
    the vulnerability and capture the PSK hash with Cain & Abel in one step.
    Cain & Abel can crack both, MD5 and SHA1 based hashes.

    Hope that helps.
    Michael

    At 20:21 06.11.2003, Chris McNab wrote:
    >Hi,
    >
    >As part of some research I am undertaking recently, I'd like to know if any
    >of you have any decent information relating to the following areas of
    >_remote_ assessment of VPN services over IP.
    >
    >The topics I have covered and documented fully so far include:
    >
    >- IPsec enumeration, scanning for UDP/500 and using Roy Hills' tools
    >(ike-scan) to identify the gateway
    >- Various overflows relating to ISAKMP / IKE packets being sent to UDP/500,
    >as in MITRE CVE
    >- Offline aggressive mode IKE pre-shared key cracking, by sniffing VPN
    >traffic and using IKECrack
    >- Check Point aggressive mode IKE username enumeration (using Roy Hills'
    >fw1-ike-userguess over UDP/500)
    >- Check Point Telnet authentication service (TCP/259) user enumeration
    >- Check Point information leak attacks that reveal network interface
    >addresses, over both TCP/256 and TCP/264
    >- Check Point RDP encapsulation filter bypass techniques, using UDP/259
    >- Offline Microsoft PPTP (TCP/1723) MS-CHAP challenge-response cracking
    >
    >Two areas in which I've identified a need for tools are:
    >
    >- Check Point brute force password grinding tool for FWZ or IKE, to
    >compromise SecuRemote username/password combinations
    >- PPTP brute force tool, to compromise those user/password combinations also
    >
    >Does anyone know of such offensive brute force tools, or techniques I have
    >missed (against ISAKMP and Check Point)? if so, any input would be greatly
    >appreciated.
    >
    >Regards,
    >
    >Chris
    >
    >
    >Chris McNab
    >Technical Director
    >
    >Matta
    >18 Noel Street
    >London W1F 8GN
    >
    >http://www.trustmatta.com
    >
    >
    >---------------------------------------------------------------------------
    >Network with over 10,000 of the brightest minds in information security
    >at the largest, most highly-anticipated industry event of the year.
    >Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    >see demos from more than 250 industry vendors. If your job touches
    >security, you need to be here. Learn more or register at
    >http://www.securityfocus.com/sponsor/RSA_pen-test_031023
    >and use priority code SF4.
    >----------------------------------------------------------------------------

    ----------------------------------------------------------------------------------------------------
    Michael Thumann mlthumann@ids-guide www.ids-guide.de
    Public Key available at http://www.ids-guide.de/MichaelThumann.asc
    ----------------------------------------------------------------------------------------------------
    PGP Fingerprint:
    8633 D9E3 E90E F18E A70A 6321 A8CF 6A87 EC79 7B59
    ----------------------------------------------------------------------------------------------------
    The only secure computer is one that's unplugged, locked in a safe,
    and buried 20 feet under the ground in a secret location...and i'm not
    even too sure about that one
                                                                        --Dennis
    Huges, FBI.

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_pen-test_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------


  • Next message: Robert E. Lee: "RE: CEH and Intense School"