Page 1: ECSA/LPT
Trang 2Penetration Testing Roadmap
Penetration Testing
Internal Network
Penetration Testing
IDS
Penetration Testing
Wireless Network
Penetration Testing
Denial of Service
Penetration Testing
Password Cracking
Stolen Laptop, PDAs and Cell Phones
Social Engineering Application
Cont’d
Trang 3Penetration Testing Roadmap
(cont’d)
Cont’d
Physical Security Database
War Dialing VPN
Penetration Testing
Log Management
Penetration Testing
File Integrity Checking
Blue Tooth and Hand held Device
Penetration Testing
End Here
Page 4: Virtual Private Network (VPN)
A VPN is a network that uses the Internet to give distant offices or individual users
secure access to their enterprise's network.
Types of VPN:
• IPsec VPN
• SSL VPN (web-based)
Page 5: VPN Penetration Testing Steps
Step 1: Scanning
Step 2: Fingerprinting
Step 3: PSK Crack
Page 6: VPN Penetration Testing Steps
Step 4: Test for default user accounts
Step 5: Test for SSL VPN
Page 7: Step 1: Scanning
Page 8: Step 1.1 Scanning: 500 UDP IPSEC
Find an ISAKMP service (IPsec VPN server) by looking for port 500 UDP.
Page 11: Step 1.4 Scanning: nmap -sU -P0 -p 500
Options in nmap:
• -sU: UDP scan
• -P0: Treat all hosts as online (skip host discovery)
• -p <port ranges>: Only scan the specified ports
nmap -sU -P0 -p 500 <IP address range>
• Performs a UDP scan for port 500 on xxx.xxx.xxx.xxx-255, treating all hosts between xxx.xxx.xxx.xxx and xxx.xxx.xxx.255 as online
Page 12: Step 1.5 Scanning: IPSecScan
IPSecScan 1.1 - (c) 2001 Arne Vidstrom arne.vidstrom@ntsecurity.nu
- http://ntsecurity.nu/toolbox/ipsecscan/
192.168.0.1 IPSec status: Enabled
192.168.0.2 IPSec status: Indeterminable
Page 13: Step 2: Fingerprinting
Page 14
Fingerprinting provides the following:
• Vendor and model of the VPN server.
• Software version number.
• VPN vulnerabilities.
Page 15: Step 2.1: Get the IKE Handshake
Get the IKE handshake from every system that has to be fingerprinted.
Note the acceptable transform attributes from the Security Association
(SA) payload.
Try all combinations of transform attributes.
Page 16: Step 2.2: UDP Backoff Fingerprinting
The --showbackoff option makes ike-scan record the response time of every packet; it
waits 60 seconds after the last packet is received, so that all packets have arrived before
it displays how many times the pattern matching has been tried.
In backoff fingerprinting mode ike-scan does not respond to the packets from the server,
so the server retransmits them; the retransmission timing is what gets matched.
Page 17: Step 2.3: Vendor ID Fingerprinting
A Vendor ID payload contains arbitrary data; the payload data is always in the format
of an MD5 hash of a text string.
Use the ike-scan command to display the Vendor ID payload.
Use the --vendor option of ike-scan to add a Vendor ID payload to the outgoing
packet.
Page 18: Step 2.4: Check for IKE Aggressive Mode
Use the aggressive mode of the ike-scan tool to get additional
information.
Sometimes it is very difficult to complete a handshake with a server in aggressive mode
because the server does not respond until a valid ID is supplied in the
identification payload.
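As an added example (not part of the courseware), the parsing that the Vendor ID and aggressive-mode checks above rest on: an ISAKMP header and payload-chain parser that reports the exchange type (aggressive mode is exchange type 4) and matches Vendor ID payloads against MD5 digests of known strings, plus a defender-side review of what a captured message reveals. The packet, the vendor string "Example VPN Appliance 1.0" and the vendor table are constructed for illustration.

```python
import hashlib
import struct

# ISAKMP constants from RFC 2408: exchange types and the payload types seen in phase 1.
EXCHANGE_TYPES = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive", 5: "informational"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
HEADER_FMT = "!8s8sBBBBII"  # cookies, next payload, version, exchange type, flags, msg id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

# Constructed vendor table (hypothetical string); a real one holds MD5 digests of published strings.
VENDOR_STRINGS = {"Example VPN Appliance 1.0": "example-vendor"}
KNOWN_VIDS = {hashlib.md5(s.encode()).digest(): n for s, n in VENDOR_STRINGS.items()}

def parse_isakmp(data: bytes) -> dict:
    """Parse one ISAKMP datagram: header fields plus the chained payload types and Vendor IDs."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    _ic, rcookie, next_payload, _ver, exch, _flags, _mid, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    payloads, vendor_ids, offset = [], [], HEADER_LEN
    while next_payload != 0:  # next payload 0 (NONE) terminates the chain
        if offset + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, _res, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        body = data[offset + 4:offset + plen]
        payloads.append(PAYLOAD_NAMES.get(next_payload, str(next_payload)))
        if next_payload == 13:  # Vendor ID payload: look the digest up in the table
            vendor_ids.append(KNOWN_VIDS.get(body, "unknown:" + body.hex()))
        next_payload, offset = nxt, offset + plen
    return {"exchange": EXCHANGE_TYPES.get(exch, str(exch)), "payloads": payloads,
            "vendor_ids": vendor_ids, "responder_cookie_set": rcookie != bytes(8)}

def review_findings(parsed: dict) -> list:
    # Defender-side findings: aggressive mode exposes the ID and PSK-derived hash before encryption.
    findings = []
    if parsed["exchange"] == "aggressive":
        findings.append("aggressive mode: identity and PSK-derived hash travel unencrypted")
    findings += ["vendor ID reveals implementation: " + v for v in parsed["vendor_ids"] if not v.startswith("unknown:")]
    return findings

def _payload(next_payload: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_sample_packet() -> bytes:
    """Constructed aggressive-mode initiator message: header, minimal SA payload (DOI 1), then a VID."""
    body = _payload(13, struct.pack("!II", 1, 1)) + _payload(0, hashlib.md5(b"Example VPN Appliance 1.0").digest())
    hdr = struct.pack(HEADER_FMT, b"\x11" * 8, bytes(8), 1, 0x10, 4, 0, 0, HEADER_LEN + len(body))
    return hdr + body
```

Feeding the same parser the UDP 500 payloads from a capture shows which gateways answer aggressive-mode proposals and which vendor strings they announce, both of which are worth a remediation ticket.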
Page 19: Step 3: PSK Crack
Page 20: Step 3.1: PSK Crack: ikeprobe
You can use ike-scan with the --pskcrack option to obtain
the IKE aggressive mode pre-shared keys.
Use psk-crack to crack the pre-shared keys:
• You can use IKEProbe to determine vulnerabilities in
the PSK implementation of the VPN server.
• IKEProbe tries various combinations of ciphers,
hashes and Diffie-Hellman groups.
• It attempts to force the remote server into aggressive mode.
Page 21: Step 3.2 PSK Crack: Sniff for Responses with C&A or IKECrack
You can crack the sniffed PSK using Cain & Abel or IKECrack.
After cracking the PSK, you can use PGPNet to connect to the vulnerable VPN server.
Page 22: Step 4: Test Default User Accounts
Page 23: Step 4: Test for Default User Accounts
Like any network device, an IPsec VPN has default user accounts.
The default user account names and passwords can be obtained from
various websites on the Internet that host such databases.
Page 24: Step 4.1: Check for Unencrypted Username in a File or the Registry
The username is generally stored in an unencrypted file or in the
registry.
Glean the username from the registry and use the aggressive
mode of ike-scan to get the password.
Page 25: Check for Unencrypted Username in a File or the Registry: Screenshot
Page 26: Step 4.2: Test for Plain-Text Password
VPN client programs store the plain-text password in memory.
Establish the VPN client connection and use a memory dumping tool such as pmdump to
obtain the password.
Crash the computer to get a dump of physical memory.
Page 27: Test for Cracking Plain-Text Password: Screenshot
Page 28: Step 5: Test SSL VPN
Page 29: Step 5: Test for SSL VPN
Scan the SSL VPN using the following tools:
Page 30: Tool: IKE-scan
ike-scan is a command-line tool that uses the IKE protocol
to discover, fingerprint, and test IPsec VPN servers.
It supports pre-shared key cracking for IKE aggressive
mode with pre-shared key authentication.
Page 31: IKE-scan: Screenshot
Page 32: IKE-scan: Screenshot
Page 33: Tool: IKEProbe
IKEProbe is used to determine vulnerabilities in the
PSK implementation of the VPN server.
It tries various combinations of ciphers, hashes, and
Diffie-Hellman groups.
It attempts to force the remote server into aggressive
mode.
Page 34: Tool: VPNmonitor
VPNmonitor is a free Java tool for observing network
traffic.
It can monitor VPN (PPTP and IPsec) and SSL (HTTPS)
connectivity on wireline and wireless networks.
Page 35: VPNmonitor: Screenshot
Page 37: IKECrack: Screenshot
Page 38
We have scanned the default VPN port.
We have fingerprinted the VPN.
We have performed a PSK crack on the VPN.