VPN Server

From: kapil assudani (kapil.assudani@yahoo.com)
Date: Thu Jan 25 2007 - 01:34:53 EST


Hi,

I was pentesting a VPN server and could make an aggressive mode connection. The vulnerability associated with VPN servers is a group enumeration vulnerability, referred to below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_notice09186a00804a7912.html

Now with the ike-scan tool, I get the following response from the VPN server using random ID= values for the group. However, even though the results say it's a VPN concentrator, it's actually a Cisco PIX firewall implementing a VPN server, which is fine, just a fingerprinting flaw. On further digging it was found that the VPN server is at proper patch levels and does not have any groups configured.
However, according to the vuln description, the following handshake to the aggressive mode should not be returned, and as one can see the returned handshake is successful.
So I was wondering, is having aggressive mode configured a problem here? Do we recommend disabling aggressive mode? If yes, what could be the problem? Since no groups are configured, does it boil down to being a problem of fingerprinting the product used for the VPN server?

As it seems, it responds with the below message for everything used.

thanks!

my-powerbook-g4-15:~/tools/ike-scan-1.8 $layer$ sudo ./ike-scan -A --idtype=11 -M --auth=65001 --id=tom x.x.x.70
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
x.x.x.70 Aggressive Mode Handshake returned
        HDR=(CKY-R=34b668433f0520cf)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=x.x.x.70)
        Hash(16 bytes)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=09002689dfd6b712 (XAUTH)
        VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
        VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.8: 1 hosts scanned in 0.786 seconds (1.27 hosts/sec). 1 returned handshake; 0 returned notify

 
____________________________________________________________________________________
Want to start your own business?
Learn how on Yahoo! Small Business.
http://smallbusiness.yahoo.com/r-index
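For a defender reviewing output like the one quoted above, the useful step is to turn the ike-scan transcript into a short list of what the responder actually disclosed: the exchange mode it completed, the transform it accepted (3DES/MD5/XAUTH), whether it returned its Hash payload to a peer it had not authenticated, which vendor IDs it advertised, and that it answered a probe group ID that was never configured. The parser and assessment below are an added example, not part of the original post or of the ike-scan project; the sample input is the handshake printed in the post with the host still masked as x.x.x.70, and the finding wording is this example's own.

```python
"""Parse ike-scan aggressive-mode output and summarise the exposure it shows.

Added example (not from the post or the ike-scan project). SAMPLE_OUTPUT is the
handshake quoted in the post, with the target host left masked as x.x.x.70.
"""
import re

SAMPLE_OUTPUT = """\
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
x.x.x.70 Aggressive Mode Handshake returned
        HDR=(CKY-R=34b668433f0520cf)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=x.x.x.70)
        Hash(16 bytes)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=09002689dfd6b712 (XAUTH)
        VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
        VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.8: 1 hosts scanned in 0.786 seconds (1.27 hosts/sec). 1 returned handshake; 0 returned notify
"""

HANDSHAKE_RE = re.compile(r"^(\S+)\s+(Aggressive|Main) Mode Handshake returned")
SA_RE = re.compile(r"SA=\((.*?)\)")
VID_RE = re.compile(r"VID=([0-9a-f]+)\s*\((.*?)\)")

# Transforms a modern review would flag as legacy (assumption of this example).
LEGACY = {"Enc": {"DES", "3DES"}, "Hash": {"MD5"}}


def parse_ike_scan(text):
    """Return {host: entry} for every host whose handshake ike-scan printed."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            current = {"host": m.group(1), "mode": m.group(2),
                       "sa": {}, "vids": [], "hash_present": False}
            hosts[m.group(1)] = current
            continue
        if current is None:  # banner lines before any handshake
            continue
        m = SA_RE.search(line)
        if m:  # SA=(Enc=3DES Hash=MD5 ...) -> key/value pairs
            for kv in m.group(1).split():
                key, _, val = kv.partition("=")
                current["sa"][key] = val
        m = VID_RE.search(line)
        if m:  # VID=<hex> (<name>) as printed by ike-scan -M
            current["vids"].append((m.group(1), m.group(2)))
        if line.strip().startswith("Hash("):
            current["hash_present"] = True
    return hosts


def assess(entry, probe_id=None):
    """Turn one parsed handshake into review findings (this example's wording)."""
    findings = []
    if entry["mode"] == "Aggressive" and entry["hash_present"]:
        findings.append("aggressive-mode handshake completed: responder sent its "
                        "Hash payload to a peer it had not yet authenticated")
    for field, weak in LEGACY.items():
        val = entry["sa"].get(field)
        if val in weak:
            findings.append(f"legacy transform accepted: {field}={val}")
    if entry["sa"].get("Auth") == "XAUTH":
        findings.append("XAUTH with a group pre-shared key is offered")
    if probe_id and entry["mode"] == "Aggressive":
        findings.append(f"handshake returned for probe group id '{probe_id}': "
                        "unknown group names are not rejected at this stage")
    findings.append("vendor IDs: " + ", ".join(name for _, name in entry["vids"]))
    return findings


if __name__ == "__main__":
    for host, entry in parse_ike_scan(SAMPLE_OUTPUT).items():
        print(host)
        for finding in assess(entry, probe_id="tom"):
            print("  -", finding)
```

Run it against a saved ike-scan transcript instead of SAMPLE_OUTPUT to get the same summary for a real assessment; the probe ID passed to assess() should be the value given to --id so the last finding records that the responder answered an unconfigured group name.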





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:33 EDT