Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?

Hi Alex,

Yes, I know the group name (well, I guess I know, since most companies
intend to use the own company name as group name).

What you mean by ike-scan is the right way to approach it? Can you
give me a example?


On Fri, Mar 13, 2009 at 3:08 PM, Alex Eden <Alex.Eden@xxxxxxxxxxxxx> wrote:
Do you have the group password?

Well, that's your first objective - to get the group password. Without the
group password the rest is meaningless. I assume you know the group name,
right? Ike-scan is the right way to approach it.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Richard Miles
Sent: Tuesday, March 10, 2009 11:54 AM
To: aditya mukadam; derek.chamorro@xxxxxxxxx; David.Howe@xxxxxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy
header rewrite?

Hi aditya, Derek and David,

Thanks for all your reply.

Aditya, well, at the end, what I really need is a tool able to
brute-force user/password at this uncommon Cisco vpn concentrator.
Someone know a tool for that?

I'm thinking in look for a linux client and do a ugly shell-script to
connect and do a brute force, however it will be very slow. So if
there is a reliable solution, it should be much better. Also, I'm not
sure if this Cisco VPN by default lock accounts. Anyone have more

I did found a old message where someguys pointed a flaw where was
possible to enumerate usernames from this cisco vpn, but it for sure
was not encapsulated like mine. No results for me, and also, it had
been patched in the last 3 years.

Derek, thanks for the link, however the target do not have the web
interface and also I'm not allowed to do any DoS attack.

David, yes, I'm sure it's TCP.

Thank you all.

On Tue, Mar 10, 2009 at 6:57 AM, aditya mukadam
<aditya.mukadam@xxxxxxxxx> wrote:

Based on my personal experience with Cisco Concentrator, the result
you received is pretty much expected.

Quick Question: What are you exactly trying to achieve ? Brute force
to get what/which info ?

As you would know, Security Associations(SA) are created by the VPN
Gateway during  IPSec negotiation/connection. The Phase 1 SA is ISAKMP
while the Phase 2 SAs are IPSEC (bi-directional). The actual traffic
is encrypted with protocol ESP or encapsulated with AH ( not used
nowadays). Packet is encapsulated in TCP 10000 after the IPSec
connection successfully establishes.

Insight to Cisco Concentrator. Its capable of:
1) Site to site IPSec VPN
2) Remote Access IPSec VPN Gateway
Lemme know if you need more info.

Hope this helps.

Aditya Govind Mukadam

On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles
<richard.k.miles@xxxxxxxxxxxxxx> wrote:

I'm doing a pen-test in a Cisco 3015 concentrator - ipsec connections
tunneled over TCP port 10000.

By the way, ike-scan do not work with this vpn. Also the common tools
to brute force like THC-pptp, THC-Hydra and Medusa do not work also.

Nmap neither regoganize the port as opened (but it doesn't matter), it
say filtered, but I can telnet and estabilish a connection to it.

Do you have some experience with this device? Can you give me some
hints? And point me to some tools for identify, enumerate and
brute-force this Cisco implementation?

A bit off-topic: Does anyone know a easy to install and configure web
proxy for windows which enable headers rewrite? I need to setup a fast
web proxy at my windows box to replace all headers (before they are
sent to the webserver) of the "Cookie" field and a proprietary header.

Thanks folks.

Relevant Pages