Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy header rewrite?

From: Richard Miles (richard.k.milesgooglemail.com)
Date: Thu Mar 12 2009 - 21:39:20 CDT


Hi Adriel

There is no web interface, so I believe there is no way to do a phishing scam.

Also, the contract does not allow SE attacks.

Thanks for the input.

On Thu, Mar 12, 2009 at 8:52 PM, Adriel T. Desautels
<ad_listsnetragard.com> wrote:
> There are probably other much easier ways in... what about phishing?
>
>
> On Mar 11, 2009, at 2:59 AM, aditya mukadam wrote:
>
>> Richard,
>>
>> Well, you are trying to brute-force to find the admin username/password.
>> Below is some info about admin username/password configuration.
>>
>> Admin username/password can be authenticated:
>> 1) Locally
>> 2) AAA TACACS+ administrator authentication servers
>>
>> Other options:
>> 1)Session Idle Timeout
>> 2)Session Limit
>> 3) Access List: Only those IP addresses listed will have access to
>> manage this VPN 3000 Concentrator
>>
>> There is no option for account lockout for local authentication.
>> However, if the admin authentication is done via AAA/TACACS+, it can be
>> configured for account lockout.
>>
>>> Derek, thanks for the link, however the target does not have the web
>>> interface
>>
>> Correction: if Target = concentrator, then there is a web interface for
>> admin access!
>>
>> Let me know if you have any questions. I'm still trying to figure out what
>> exactly you are trying to achieve.
>>
>> Thanks,
>> Aditya Govind Mukadam
>>
>> On Tue, Mar 10, 2009 at 9:24 PM, Richard Miles
>> <richard.k.milesgooglemail.com> wrote:
>>>
>>> Hi Aditya, Derek and David,
>>>
>>> Thanks for all your replies.
>>>
>>> Aditya, well, in the end, what I really need is a tool able to
>>> brute-force user/password at this uncommon Cisco VPN concentrator.
>>> Does someone know a tool for that?
>>>
>>> I'm thinking of looking for a Linux client and writing an ugly shell script to
>>> connect and do a brute force, however it will be very slow. So if
>>> there is a reliable solution, it would be much better. Also, I'm not
>>> sure if this Cisco VPN locks accounts by default. Does anyone have more
>>> experience?
>>>
>>> I did find an old message where some guys pointed out a flaw where it was
>>> possible to enumerate usernames from this Cisco VPN, but it for sure
>>> was not encapsulated like mine. No results for me, and also, it had
>>> been patched in the last 3 years.
>>>
>>> Derek, thanks for the link, however the target does not have the web
>>> interface and also I'm not allowed to do any DoS attack.
>>>
>>> David, yes, I'm sure it's TCP.
>>>
>>> Thank you all.
>>>
>>> On Tue, Mar 10, 2009 at 6:57 AM, aditya mukadam
>>> <aditya.mukadamgmail.com> wrote:
>>>>
>>>> Richard,
>>>>
>>>> Based on my personal experience with the Cisco Concentrator, the result
>>>> you received is pretty much expected.
>>>>
>>>> Quick question: what exactly are you trying to achieve? Brute force
>>>> to get what/which info?
>>>>
>>>> As you would know, Security Associations (SAs) are created by the VPN
>>>> Gateway during IPSec negotiation/connection. The Phase 1 SA is ISAKMP,
>>>> while the Phase 2 SAs are IPSec (bi-directional). The actual traffic
>>>> is encrypted with protocol ESP or encapsulated with AH (not used
>>>> nowadays). The packet is encapsulated in TCP 10000 after the IPSec
>>>> connection successfully establishes.
>>>>
>>>> Insight into the Cisco Concentrator. It's capable of:
>>>> 1) Site-to-site IPSec VPN
>>>> 2) Remote Access IPSec VPN Gateway
>>>> 3) WebVPN (SSL VPN)
>>>> Let me know if you need more info.
>>>>
>>>> Hope this helps.
>>>>
>>>> Thanks,
>>>> Aditya Govind Mukadam
>>>>
>>>>
>>>>
>>>> On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles
>>>> <richard.k.milesgooglemail.com> wrote:
>>>>>
>>>>> Hello
>>>>>
>>>>> I'm doing a pen-test on a Cisco 3015 concentrator - IPSec connections
>>>>> tunneled over TCP port 10000.
>>>>>
>>>>> By the way, ike-scan does not work with this VPN. Also the common
>>>>> brute-force tools like THC-pptp, THC-Hydra and Medusa do not work either.
>>>>>
>>>>> Nmap doesn't recognize the port as open either (but it doesn't matter); it
>>>>> says filtered, but I can telnet and establish a connection to it.
>>>>>
>>>>> Do you have some experience with this device? Can you give me some
>>>>> hints? And point me to some tools to identify, enumerate and
>>>>> brute-force this Cisco implementation?
>>>>>
>>>>> A bit off-topic: does anyone know an easy to install and configure web
>>>>> proxy for Windows which enables header rewriting? I need to set up a fast
>>>>> web proxy on my Windows box to replace all headers (before they are
>>>>> sent to the webserver) of the "Cookie" field and a proprietary header.
>>>>>
>>>>> Thanks folks.
>>>>>
>
>        Adriel T. Desautels
>        ad_listsnetragard.com
>        --------------------------------------
>
>        Subscribe to our blog
>        http://snosoft.blogspot.com
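On the off-topic question at the bottom of the thread (a web proxy for a Windows box that rewrites the "Cookie" field and a proprietary header before the request reaches the web server): the following is an added example, not code from anyone in the thread, showing a minimal forwarding proxy in Python 3 that does exactly that rewrite. It handles plain HTTP only (no CONNECT, so no HTTPS), collapses repeated Cookie lines into one overriding value, adds the header if the browser did not send it, and strips the browser-to-proxy "Proxy-Connection" hop header. The thread never names the proprietary header, so "X-Proprietary" and every value in HEADER_OVERRIDES are placeholders to be replaced with the real ones.

```python
"""Minimal header-rewriting HTTP forward proxy (plain HTTP only, no CONNECT).

Point the browser's HTTP proxy setting at 127.0.0.1:8080. Each request is
parsed, the headers in HEADER_OVERRIDES are replaced (added if absent, dropped
if the value is None), and the request is forwarded to the origin server.
"""
import socket
import threading
from urllib.parse import urlsplit

# Placeholder names/values: the thread does not name the proprietary header,
# so "X-Proprietary" and both values are constructed for this example.
HEADER_OVERRIDES = {
    "Cookie": "session=REPLACED",
    "X-Proprietary": "replaced-value",
    "Proxy-Connection": None,   # hop-by-hop header for the proxy; never forwarded
    "Connection": "close",      # lets the proxy relay the response until EOF
}


def rewrite_headers(request_head: bytes, overrides: dict) -> bytes:
    """Apply overrides to a raw request head; returns it CRLFCRLF-terminated.

    Matching is case-insensitive. Repeated headers (two Cookie lines) collapse
    into the single overriding value, missing ones are appended, None deletes.
    """
    lines = request_head.rstrip(b"\r\n").split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    wanted = {name.lower(): (name, value) for name, value in overrides.items()}
    seen, out = set(), [request_line]
    for line in header_lines:
        key = line.partition(b":")[0].strip().decode("latin-1").lower()
        if key in wanted:
            name, value = wanted[key]
            if key not in seen and value is not None:
                out.append(f"{name}: {value}".encode("latin-1"))
            seen.add(key)
            continue
        out.append(line)
    for key, (name, value) in wanted.items():
        if key not in seen and value is not None:
            out.append(f"{name}: {value}".encode("latin-1"))
    return b"\r\n".join(out) + b"\r\n\r\n"


def parse_request_line(request_line: bytes, host_header: str = None):
    """Turn a proxy-style request line into (host, port, origin-form line).

    b'GET http://example.com/a?b=1 HTTP/1.1' -> ('example.com', 80,
    b'GET /a?b=1 HTTP/1.1'). An origin-form line takes its destination
    from host_header (the request's Host header value).
    """
    method, target, version = request_line.split(b" ", 2)
    parts = urlsplit(target.decode("latin-1"))
    if parts.hostname:
        host, port = parts.hostname, parts.port or 80
    elif host_header:
        host, _, p = host_header.partition(":")
        port = int(p) if p else 80
    else:
        raise ValueError("no destination host in request")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, port, b" ".join([method, path.encode("latin-1"), version])


def _header_value(header_lines, name: bytes):
    for line in header_lines:
        field, _, value = line.partition(b":")
        if field.strip().lower() == name:
            return value.strip().decode("latin-1")
    return None


def handle_client(client: socket.socket) -> None:
    """Read one browser request, rewrite its headers, relay the response."""
    try:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = client.recv(4096)
            if not chunk:
                return
            data += chunk
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        host, port, origin_line = parse_request_line(
            lines[0], _header_value(lines[1:], b"host"))
        length = int(_header_value(lines[1:], b"content-length") or 0)
        while len(body) < length:          # finish reading a POST body
            chunk = client.recv(4096)
            if not chunk:
                break
            body += chunk
        new_head = rewrite_headers(b"\r\n".join([origin_line] + lines[1:]),
                                   HEADER_OVERRIDES)
        with socket.create_connection((host, port), timeout=15) as upstream:
            upstream.sendall(new_head + body[:length])
            while True:                    # Connection: close -> read to EOF
                chunk = upstream.recv(4096)
                if not chunk:
                    break
                client.sendall(chunk)
    except (OSError, ValueError):
        pass
    finally:
        client.close()


def serve(listen_host: str = "127.0.0.1", listen_port: int = 8080) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen_host, listen_port))
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it with `python proxy.py` and set the browser's HTTP proxy to 127.0.0.1:8080. Because the proxy forces "Connection: close" on the upstream side it can relay the response by reading to EOF without parsing chunked encoding; the cost is one TCP connection per request, which is fine for manual testing but not for load.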