Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?



Richard,

On Mon, 9 Mar 2009, Richard Miles wrote:

> Hello
>
> I'm doing a pen-test on a Cisco 3015 concentrator - ipsec connections
> tunneled over TCP port 10000.
>
> By the way, ike-scan does not work with this vpn. Also the common tools
> to brute force like THC-pptp, THC-Hydra and Medusa do not work either.

Is 10000/tcp the only open port on your target concentrator? If 500/udp is also open, ike-scan should work just fine. Alternatively, try running it with --tcp=2 --dport=10000 command line switches [1].

> Nmap does not recognize the port as open either (but it doesn't matter), it
> says filtered, but I can telnet and establish a connection to it.

That's weird. Did you try running nmap with --reason and/or --packet-trace command line switches [2] to see what's actually happening?

> Do you have some experience with this device? Can you give me some hints? And point me to some tools to identify, enumerate and brute-force this Cisco implementation?

You should probably use the Cisco VPN Client [3], together with some scripting to automate the brute forcing process (expect [4] sounds good).

> A bit off-topic: Does anyone know an easy to install and configure web proxy for windows which enables header rewriting? I need to set up a fast web proxy at my windows box to replace all headers (before they are sent to the webserver) of the "Cookie" field and a proprietary header.

Just pick up your favorite:

http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

> Thanks folks.

Hope this helps.

[1]. http://www.nta-monitor.com/wiki/index.php/Ike-scan_help_output
[2]. http://nmap.org/book/output-formats-commandline-flags.html
[3]. http://projects.tuxx-home.at/?id=cisco_vpn_client
[4]. http://expect.nist.gov/

--
Marco Ivaldi, OPST
Lead Security Analyst Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/


