Network Security Pen-Test

RE: VPN Server

Subject: RE: VPN Server
Date: Thu, 25 Jan 2007 01:02:54 -0500
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kapil:


> Now with the IKE Scan tool, I get the following response from
> the VPN server using random ID= values for the group. However
>
> Which is the expected outcome.
>
> Even though the results say it's a VPN concentrator, it's
> actually a Cisco PIX firewall implementing a VPN server, which is
> fine, just a fingerprinting flaw. On further digging it was
> found that the VPN server is at proper patch levels and does
> not have any groups configured.
> However, according to the vuln description, the following handshake
> to the aggressive mode should not be returned, and as one can
> see the returned handshake is successful.

Nope, it doesn't say that. The Security Notice reads:

"The vulnerability resides in the way those products listed as
affected respond to IKE Phase I messages in Aggressive Mode. If
the group name in the IKE message was a valid group name, the
affected device would reply to the IKE negotiation, while an
invalid group name will not elicit a response."

An attacker wants to know which groups are defined and valid -
so he uses the ike-scan product to send AM packets to the
device. If he gets an answer, the group is valid. If not, the
group is not valid. What we did was to deny the attacker that
information by replying to the AM message in both cases - if the
group is valid and also if it is invalid. In that way, there's
no way for the attacker to determine which ones are valid and
which ones aren't.

> So I was wondering, is having Aggressive Mode configured a
> problem here? Do we recommend disabling aggressive mode, and if
> yes, what could be the problem? Since no groups are configured,
> does it boil down to being a problem of fingerprinting the
> product used for the VPN server?
>
> As it seems it responds to the below message for everything used.


Again, which is exactly what you want :)

Thanks,
Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395 
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
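The exchange above describes an enumeration oracle: with the vulnerable behaviour, only a valid group name in an Aggressive Mode ID payload gets a reply, and the fix removes the oracle by replying in both cases. The block below is an added illustration from the monitoring side, not code from the list message, from ike-scan or from Cisco: it parses the ISAKMP header and ID payload of IKEv1 packets seen on UDP/500 and flags a source that tries many distinct ID_KEY_ID group names in Aggressive Mode, which is what a group-name sweep looks like on the wire. The packet builder only produces constructed test samples (it omits the SA, KE and Nonce payloads a real exchange carries); the threshold of 5 is an assumed tuning value.

```python
import struct
from collections import defaultdict

AGGRESSIVE_MODE = 4   # ISAKMP exchange type for IKEv1 Aggressive Mode (RFC 2409)
PAYLOAD_ID = 5        # Identification payload type (RFC 2408)
ID_KEY_ID = 11        # ID type Cisco clients use to carry the group name

def sample_aggressive_packet(group_name: bytes) -> bytes:
    """Constructed test sample: an Aggressive Mode packet carrying only an ID payload.
    A real probe also carries SA/KE/Nonce payloads; the detector does not need them."""
    id_body = struct.pack("!BBH", ID_KEY_ID, 17, 500) + group_name   # proto UDP, port 500
    id_payload = struct.pack("!BBH", 0, 0, 4 + len(id_body)) + id_body  # next payload NONE
    total = 28 + len(id_payload)
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,   # init/resp cookies
                         PAYLOAD_ID, 0x10, AGGRESSIVE_MODE, 0, 0, total)
    return header + id_payload

def extract_aggressive_group(packet: bytes):
    """Return the group name from an Aggressive Mode ID_KEY_ID payload, else None."""
    if len(packet) < 28:
        return None
    next_payload, _ver, exch, _flags, _msgid, length = struct.unpack("!BBBBII", packet[16:28])
    if exch != AGGRESSIVE_MODE or length != len(packet):
        return None
    off = 28
    while next_payload != 0 and off + 4 <= len(packet):
        np, _res, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            return None   # malformed payload chain: stop rather than mis-parse
        if next_payload == PAYLOAD_ID and plen >= 8:
            if packet[off + 4] == ID_KEY_ID:        # ID type byte of the ID payload
                return packet[off + 8:off + plen]   # data after type/proto/port fields
        next_payload, off = np, off + plen
    return None

def find_group_enumeration(flows, threshold=5):
    """flows: iterable of (src_ip, udp_payload) pairs captured on UDP/500.
    Returns sources that tried more than `threshold` distinct group names."""
    seen = defaultdict(set)
    for src, payload in flows:
        group = extract_aggressive_group(payload)
        if group is not None:
            seen[src].add(group)
    return {src: sorted(g) for src, g in seen.items() if len(g) > threshold}
```

A single client reusing one group name across retries stays below the threshold; a sweep of random ID= values like the one in the thread crosses it quickly.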

