RE: Pen-testing remote VPN services over IP

From: Rob Shein (shoten_at_starpower.net)
Date: 11/07/03

    To: <pete@isecom.org>, <pen-test@securityfocus.com>
    Date: Thu, 6 Nov 2003 19:20:38 -0500
    
    

    This is a good point; there are many kinds of VPNs. Not all use IPSEC
    either, and a big new trend is the "SSL VPN" where SSL support is integral
    to a product, and TCP connections are tunneled inside SSL. Kind of like
    Stunnel, only native in the app. Is there a particular VPN you're looking
    at, or are you asking in general?

    > -----Original Message-----
    > From: Pete Herzog [mailto:pete@isecom.org]
    > Sent: Thursday, November 06, 2003 5:41 PM
    > To: pen-test@securityfocus.com
    > Subject: RE: Pen-testing remote VPN services over IP
    >
    >
    > Chris,
    >
    > In the OSSTMM 2.5 we have included the following as well:
    >
    > -Enumerate the VPN servers using TCP/UDP scans.
    > -Use scans searching for response to different IP Types Packets.
    > -Use ike scans to fingerprint the VPN server
    > implementation and version.
    >
    > -Protocol Responses
    > PPTP:  IP Type: 47 (GRE)  TCP: 1723
    > IPSec: UDP: 500 (IKE)
    >        IP Type: 50 (ESP)
    >        IP Type: 51 (AH)
    > L2TP:  UDP: 1701
    > L2F:   UDP: 1701
    >
    > -Outline the VPN security policy using different
    > authentication / encryption algorithms.
    > -Verify the existence of mechanism to control the
    > client machine misconfiguration and unfiltered ports
    > -Check the ability of the client software to allow
    > split tunneling (default route to internet and static routes
    > to the corporate network)
    >
    > Sincerely,
    > -pete
    >
    > Pete Herzog, Managing Director
    > Institute for Security and Open Methodologies
    > __________________________________________
    > ISECOM is the accreditation authority for the
    > OPST - OSSTMM Professional Security Tester and
    > OPSA - OSSTMM Professional Security Analyst
    >
    >
    > > -----Original Message-----
    > > From: Chris McNab [mailto:chris.mcnab@trustmatta.com]
    > > Sent: Thursday, November 06, 2003 20:22 PM
    > > To: pen-test@securityfocus.com
    > > Subject: Pen-testing remote VPN services over IP
    > >
    > >
    > > Hi,
    > >
    > > As part of some research I am undertaking recently, I'd like to know
    > > if any of you have any decent information relating to the following
    > > areas of _remote_ assessment of VPN services over IP.
    > >
    > > The topics I have covered and documented fully so far include:
    > >
    > > - IPsec enumeration, scanning for UDP/500 and using Roy Hills' tools
    > >   (ike-scan) to identify the gateway
    > > - Various overflows relating to ISAKMP / IKE packets being sent to
    > >   UDP/500, as in MITRE CVE
    > > - Offline aggressive mode IKE pre-shared key cracking, by sniffing VPN
    > >   traffic and using IKECrack
    > > - Check Point aggressive mode IKE username enumeration (using Roy Hills'
    > >   fw1-ike-userguess over UDP/500)
    > > - Check Point Telnet authentication service (TCP/259) user enumeration
    > > - Check Point information leak attacks that reveal network interface
    > >   addresses, over both TCP/256 and TCP/264
    > > - Check Point RDP encapsulation filter bypass techniques, using UDP/259
    > > - Offline Microsoft PPTP (TCP/1723) MS-CHAP challenge-response cracking
    > >
    > > Two areas in which I've identified a need for tools are:
    > >
    > > - Check Point brute force password grinding tool for FWZ or IKE, to
    > >   compromise SecuRemote username/password combinations
    > > - PPTP brute force tool, to compromise those user/password
    > >   combinations also
    > >
    > > Does anyone know of such offensive brute force tools, or techniques I
    > > have missed (against ISAKMP and Check Point)? If so, any input would
    > > be greatly appreciated.
    > >
    > > Regards,
    > >
    > > Chris
    > >
    > >
    > > Chris McNab
    > > Technical Director
    > >
    > > Matta
    > > 18 Noel Street
    > > London W1F 8GN
    > >
    > > http://www.trustmatta.com
    > >
    > >

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_pen-test_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------
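Pete's OSSTMM protocol-response table and Chris's UDP/500 enumeration notes above both reduce to a small mapping of IP protocol numbers and ports. The following is an added example, not code from the thread or from ISECOM, that applies that mapping from the defender's side: it classifies VPN control and data-plane traffic in constructed firewall log lines and flags gateways where IKE was observed but no ESP/AH tunnel ever came up. The log format, sample lines and function names are assumptions made for this example.

```python
import re
from collections import defaultdict
# OSSTMM 2.5 protocol responses as quoted in the thread, keyed by IP protocol
# number and destination port (None where the protocol carries no port).
VPN_SIGNATURES = {
    (6, 1723): "PPTP control (TCP/1723)",
    (47, None): "PPTP data (IP type 47, GRE)",
    (17, 500): "IPsec IKE (UDP/500)",
    (50, None): "IPsec ESP (IP type 50)",
    (51, None): "IPsec AH (IP type 51)",
    (17, 1701): "L2TP/L2F (UDP/1701)",
}
# Constructed log format (no vendor's real format): "<ts> proto=<n> src=<ip> dst=<ip> dport=<port or ->"
LINE_RE = re.compile(
    r"proto=(?P<proto>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+|-)")

def classify(line):
    """Return (dst, label) for a VPN-related log line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    dport = None if m["dport"] == "-" else int(m["dport"])
    # TCP/UDP match on port; GRE/ESP/AH carry no port and match on protocol alone.
    label = VPN_SIGNATURES.get((proto, dport) if proto in (6, 17) else (proto, None))
    return (m["dst"], label) if label else None

def vpn_exposure(lines):
    """Map each destination host to the sorted list of VPN services observed."""
    seen = defaultdict(set)
    for hit in filter(None, map(classify, lines)):
        seen[hit[0]].add(hit[1])
    return {dst: sorted(labels) for dst, labels in seen.items()}

def ike_without_tunnel(lines):
    """Hosts that saw IKE (UDP/500) but never ESP or AH, i.e. no tunnel came up:
    failed authentication, a policy mismatch, or a gateway being fingerprinted."""
    tunnel = {VPN_SIGNATURES[(50, None)], VPN_SIGNATURES[(51, None)]}
    return sorted(dst for dst, labels in vpn_exposure(lines).items()
                  if VPN_SIGNATURES[(17, 500)] in labels and not tunnel & set(labels))
# Constructed sample (documentation-range addresses, not real hosts).
SAMPLE_LOGS = [
    "2003-11-06T19:20:01 proto=17 src=198.51.100.7 dst=203.0.113.10 dport=500",
    "2003-11-06T19:20:02 proto=50 src=198.51.100.7 dst=203.0.113.10 dport=-",
    "2003-11-06T19:20:03 proto=6 src=198.51.100.9 dst=203.0.113.11 dport=1723",
    "2003-11-06T19:20:04 proto=47 src=198.51.100.9 dst=203.0.113.11 dport=-",
    "2003-11-06T19:20:05 proto=17 src=198.51.100.12 dst=203.0.113.12 dport=1701",
    "2003-11-06T19:20:06 proto=6 src=198.51.100.12 dst=203.0.113.12 dport=443",
    "2003-11-06T19:20:07 proto=17 src=198.51.100.20 dst=203.0.113.13 dport=500",
]
```

Running `vpn_exposure(SAMPLE_LOGS)` yields one entry per gateway, and `ike_without_tunnel(SAMPLE_LOGS)` singles out 203.0.113.13, where IKE was answered but no ESP or AH followed.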