Wednesday, March 28, 2007

Testing for Cisco VPNs


Note: image from ike-scan wiki

Ok guys, I know ike-scan has been out there for some time, but I would still love to blog about it. Cisco VPNs run on UDP port 500, and most of us know that the Cisco VPN Concentrator 3000 is vulnerable to multiple attacks such as DoS and buffer overflow. ike-scan tests for the presence of a VPN and checks whether it can be forced into Aggressive mode for cracking later on. Once the PSK is cracked, connecting to the vulnerable server should be no problem. Personally, I have tested multiple VPNs and only found a Cisco VPN Concentrator 3000 vulnerable. If you would like to know how to pen-test VPNs, check out the following articles:

http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
http://www.securityfocus.com/infocus/1821

It will be very useful to go through the whole article and understand how IPSec works. As a penetration tester, these are the few commands I always use at the command prompt:

C:\ikescan>ike-scan xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.531 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=3 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=1 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -sport=0 -auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=00 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan -multiline -sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx 443

As you can see, the list goes on and on. In the last example (the command ending in 443) I specified the port to check whether the VPN is running on port 443; I know Nortel can have VPN gateways running on SSL. The above results are from a Nortel VPN Gateway.

If you find a vulnerable VPN server, the response looks like this:

C:\ikescan>ike-scan -v -s 0 xx.xx.xx.xx
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(Enc=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.8: 1 hosts scanned in 0.114 seconds (8.77 hosts/sec). 1 returned handshake; 0 returned notify
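To turn this kind of output into a repeatable hardening check, here is an added Python example (not from the original post or from ike-scan itself) that parses handshake lines in the format shown above and flags the settings a defender would want to retire; the sample output and its host addresses are constructed placeholders, with the first SA line mirroring the handshake above.

```python
import re

# Constructed sample in ike-scan's output format (placeholder addresses);
# the first SA line mirrors the handshake shown above.
SAMPLE_OUTPUT = """\
Starting ike-scan 1.8 with 3 hosts (http://www.nta-monitor.com/ike-scan/)
192.0.2.10 Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(Enc=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
192.0.2.11 Aggressive Mode Handshake returned HDR=(CKY-R=0011223344556677) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.0.2.12 Main Mode Handshake returned HDR=(CKY-R=8899aabbccddeeff) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.8: 3 hosts scanned in 0.114 seconds (26.32 hosts/sec). 3 returned handshake; 0 returned notify
"""

HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned "
    r".*?SA=\((?P<sa>[^)]*)\)"
)

# Settings a defender would want retired (group ids: 1 = modp768, 2 = modp1024).
WEAK_ENC = {"DES"}
WEAK_HASH = {"MD5"}
WEAK_GROUPS = {"1", "2"}

def parse_handshakes(output):
    """Return one dict per host that answered with an IKE phase-1 handshake."""
    handshakes = []
    for line in output.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue  # banners and notify-only lines carry no SA
        attrs = dict(item.split("=", 1) for item in m.group("sa").split())
        handshakes.append({"host": m.group("host"), "mode": m.group("mode"), **attrs})
    return handshakes

def assess(hs):
    """List the risky properties of one negotiated SA; empty if none."""
    findings = []
    if hs["mode"] == "Aggressive" and hs.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: hash exposed to offline cracking")
    if hs.get("Enc") in WEAK_ENC:
        findings.append("weak cipher " + hs["Enc"])
    if hs.get("Hash") in WEAK_HASH:
        findings.append("weak hash " + hs["Hash"])
    if hs.get("Group", "").split(":")[0] in WEAK_GROUPS:
        findings.append("small DH group " + hs["Group"])
    return findings

def scan_report(output):
    """Map each responding host to its list of findings."""
    return {hs["host"]: assess(hs) for hs in parse_handshakes(output)}
```

Feed it real ike-scan output (for example via `scan_report(open("scan.txt").read())`) to get a per-gateway list of settings to fix; an empty list means nothing in the negotiated SA tripped the policy.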

--------------------------------------------------------------------------------------------------


C:\ikeprobe>ikeprobe xx.xx.xx.xx
IKEProbe 0.1beta (c) 2003 Michael Thumann (www.ernw.de)
Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)
Read license-cipherica.txt for LibIKE License Information
IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)

Supported Attributes
Ciphers : DES, 3DES, AES-128, CAST
Hashes : MD5, SHA1
Diffie Hellman Groups: DH Groups 1,2 and 5

IKE Proposal for Peer: xx.xx.xx.xx
Aggressive Mode activated ...

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1

0.000 3: ph1_initiated(00443ee0, 003b4760)
0.016 3: << ph1 (00443ee0, 244)
0.016 3: >> 84
0.016 3: sx_recv_notify: error 14
0.016 3: sx_purge_spi: implement me - 0
2.516 3: << ph1 (00443ee0, 244)
2.516 3: >> 84
2.516 3: sx_recv_notify: error 14
2.516 3: sx_purge_spi: implement me - 0
5.531 3: << ph1 (00443ee0, 244)
16.047 3: >> 84
16.047 3: sx_recv_notify: error 14
16.047 3: sx_purge_spi: implement me - 0
19.547 3: ph1_disposed(00443ee0)

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 2

19.547 3: ph1_initiated(00443ee0, 003b4c08)
19.578 3: << ph1 (00443ee0, 276)
19.578 3: >> 437
19.625 3: ph1_get_psk(00443ee0)

*****************************************************************************
* System is vulnerable!! See http://www.securityfocus/bid/7423/ for details *
*****************************************************************************
