From: Pete Herzog (pete@isecom.org)
Date: Thu Nov 06 2003 - 17:40:35 EST
Chris,
In the OSSTMM 2.5 we have included the following as well:
-Enumerate the VPN servers using TCP/UDP scans.
-Use scans searching for response to different IP Types Packets.
-Use ike scans to fingerprint the VPN server implementation and version.
-Protocol Responses
PPTP : IP Type: 47 (GRE) TCP: 1723
IPSec:1. UDP: 500 (IKE)
IP Type: 50 (ESP)
IP Type: 51 (AH)
L2TP:1. UDP : 1701
L2F:1. UDP: 1701
-Outline the VPN security policy using different authentication /
encryption algorithms.
-Verify the existence of mechanism to control the client machine
misconfiguration and unfiltered ports
-Check the ability of the client software to allow split tunneling (default
route to internet and static routes to the corporate network)
Sincerely,
-pete
Pete Herzog, Managing Director
Institute for Security and Open Methodologies
__________________________________________
ISECOM is the accreditation authority for the
OPST - OSSTMM Professional Security Tester and
OPSA - OSSTMM Professional Security Analyst
> -----Original Message-----
> From: Chris McNab [mailto:chris.mcnab@trustmatta.com]
> Sent: Thursday, November 06, 2003 20:22 PM
> To: pen-test@securityfocus.com
> Subject: Pen-testing remote VPN services over IP
>
>
> Hi,
>
> As part of some research I am undertaking recently, I'd like to
> know if any
> of you have any decent information relating to the following areas of
> _remote_ assessment of VPN services over IP.
>
> The topics I have covered and documented fully so far include:
>
> - IPsec enumeration, scanning for UDP/500 and using Roy Hills' tools
> (ike-scan) to identify the gateway
> - Various overflows relating to ISAKMP / IKE packets being sent
> to UDP/500,
> as in MITRE CVE
> - Offline aggressive mode IKE pre-shared key cracking, by sniffing VPN
> traffic and using IKECrack
> - Check Point aggressive mode IKE username enumeration (using Roy Hills'
> fw1-ike-userguess over UDP/500)
> - Check Point Telnet authentication service (TCP/259) user enumeration
> - Check Point information leak attacks that reveal network interface
> addresses, over both TCP/256 and TCP/264
> - Check Point RDP encapsulation filter bypass techniques, using UDP/259
> - Offline Microsoft PPTP (TCP/1723) MS-CHAP challenge-response cracking
>
> Two areas in which I've identified a need for tools are:
>
> - Check Point brute force password grinding tool for FWZ or IKE, to
> compromise SecuRemote username/password combinations
> - PPTP brute force tool, to compromise those user/password
> combinations also
>
> Does anyone know of such offensive brute force tools, or techniques I have
> missed (against ISAKMP and Check Point)? if so, any input would be greatly
> appreciated.
>
> Regards,
>
> Chris
>
>
> Chris McNab
> Technical Director
>
> Matta
> 18 Noel Street
> London W1F 8GN
>
> http://www.trustmatta.com
>
>
> ------------------------------------------------------------------
> ---------
> Network with over 10,000 of the brightest minds in information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_pen-test_031023
> and use priority code SF4.
> ------------------------------------------------------------------
> ----------
>
>
>
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT