From: Marco Ivaldi (raptor mediaservice.net)
Date: Tue Mar 10 2009 - 06:43:06 CDT
Richard,
On Mon, 9 Mar 2009, Richard Miles wrote:
> Hello
>
> I'm doing a pen-test in a Cisco 3015 concentrator - ipsec connections
> tunneled over TCP port 10000.
>
> By the way, ike-scan does not work with this VPN. Also, the common tools
> to brute force like THC-pptp, THC-Hydra and Medusa do not work either.

Is 10000/tcp the only open port on your target concentrator? If 500/udp is
also open, ike-scan should work just fine. Alternatively, try running it
with --tcp=2 --dport=10000 command line switches [1].

> Nmap does not recognize the port as open either (but it doesn't matter), it
> says filtered, but I can telnet and establish a connection to it.

That's weird. Did you try running nmap with --reason and/or --packet-trace
command line switches [2] to see what's actually happening?

> Do you have some experience with this device? Can you give me some
> hints? And point me to some tools to identify, enumerate and
> brute-force this Cisco implementation?

You should probably use the Cisco VPN Client [3], together with some
scripting to automate the brute forcing process (expect [4] sounds good).

> A bit off-topic: Does anyone know an easy to install and configure web
> proxy for Windows which enables header rewriting? I need to set up a fast
> web proxy on my Windows box to replace all headers (before they are sent
> to the webserver) of the "Cookie" field and a proprietary header.

Just pick up your favorite:
http://portswigger.net/proxy/
http://www.parosproxy.org/
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

> Thanks folks.

Hope this helps.

[1]. http://www.nta-monitor.com/wiki/index.php/Ike-scan_help_output
[2]. http://nmap.org/book/output-formats-commandline-flags.html
[3]. http://projects.tuxx-home.at/?id=cisco_vpn_client
[4]. http://expect.nist.gov/
--
Marco Ivaldi, OPST
Lead Security Analyst Data Security Division
Mediaservice.net Srl http://mediaservice.net/