Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?
- From: Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx>
- Date: Tue, 10 Mar 2009 12:43:06 +0100 (ora solare Europa occidentale)
Richard,
On Mon, 9 Mar 2009, Richard Miles wrote:
> Hello
> I'm doing a pen-test in a Cisco 3015 concentrator - ipsec connections
> tunneled over TCP port 10000.
> By the way, ike-scan does not work with this vpn. Also the common tools
> to brute force like THC-pptp, THC-Hydra and Medusa do not work either.
Is 10000/tcp the only open port on your target concentrator? If 500/udp is also open, ike-scan should work just fine. Alternatively, try running it with --tcp=2 --dport=10000 command line switches [1].
> Nmap neither recognizes the port as open (but it doesn't matter), it
> says filtered, but I can telnet and establish a connection to it.
That's weird. Did you try running nmap with --reason and/or --packet-trace command line switches [2] to see what's actually happening?
> Do you have some experience with this device? Can you give me some hints? And point me to some tools to identify, enumerate and brute-force this Cisco implementation?
You should probably use the Cisco VPN Client [3], together with some scripting to automate the brute forcing process (expect [4] sounds good).
> A bit off-topic: Does anyone know an easy to install and configure web proxy for Windows which enables header rewriting? I need to set up a fast web proxy on my Windows box to replace all headers (before they are sent to the webserver) of the "Cookie" field and a proprietary header.
Just pick up your favorite:
http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
> Thanks folks.
Hope this helps.
[1]. http://www.nta-monitor.com/wiki/index.php/Ike-scan_help_output
[2]. http://nmap.org/book/output-formats-commandline-flags.html
[3]. http://projects.tuxx-home.at/?id=cisco_vpn_client
[4]. http://expect.nist.gov/
--
Marco Ivaldi, OPST
Lead Security Analyst Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/