From: Richard Miles (richard.k.milesgooglemail.com)
Date: Fri Mar 13 2009 - 14:05:28 CDT
Yes, I know the group name (well, I guess I know, since most companies
intend to use their own company name as the group name).
What do you mean by "ike-scan is the right way to approach it"? Can you
give me an example?
On Fri, Mar 13, 2009 at 3:08 PM, Alex Eden <Alex.Edensenet-int.com> wrote:
> Do you have the group password?
> Well, that's your first objective - to get the group password. Without the
> group password the rest is meaningless. I assume you know the group name,
> right? Ike-scan is the right way to approach it.
> -----Original Message-----
> From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com] On
> Behalf Of Richard Miles
> Sent: Tuesday, March 10, 2009 11:54 AM
> To: aditya mukadam; derek.chamorrogmail.com; David.Howeansgroup.co.uk
> Cc: pen-testsecurityfocus.com
> Subject: Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy
> header rewrite?
> Hi Aditya, Derek and David,
> Thanks for all your replies.
> Aditya, well, at the end, what I really need is a tool able to
> brute-force user/password at this uncommon Cisco VPN concentrator.
> Does someone know a tool for that?
> I'm thinking of looking for a Linux client and doing an ugly shell script to
> connect and do a brute force, however it will be very slow. So if
> there is a reliable solution, it would be much better. Also, I'm not
> sure if this Cisco VPN locks accounts by default. Anyone have more
> I did find an old message where some guys pointed out a flaw where it was
> possible to enumerate usernames from this Cisco VPN, but it for sure
> was not encapsulated like mine. No results for me, and also, it had
> been patched in the last 3 years.
> Derek, thanks for the link, however the target does not have the web
> interface and also I'm not allowed to do any DoS attack.
> David, yes, I'm sure it's TCP.
> Thank you all.
> On Tue, Mar 10, 2009 at 6:57 AM, aditya mukadam
> <aditya.mukadamgmail.com> wrote:
>> Based on my personal experience with the Cisco Concentrator, the result
>> you received is pretty much expected.
>> Quick question: What are you exactly trying to achieve? Brute force
>> to get what/which info?
>> As you would know, Security Associations (SAs) are created by the VPN
>> Gateway during IPsec negotiation/connection. The Phase 1 SA is ISAKMP
>> while the Phase 2 SAs are IPsec (bi-directional). The actual traffic
>> is encrypted with protocol ESP or encapsulated with AH (not used
>> nowadays). The packet is encapsulated in TCP 10000 after the IPsec
>> connection successfully establishes.
>> Insight into the Cisco Concentrator. It's capable of:
>> 1) Site-to-site IPsec VPN
>> 2) Remote Access IPsec VPN Gateway
>> 3) WebVPN (SSL VPN)
>> Lemme know if you need more info.
>> Hope this helps.
>> Aditya Govind Mukadam
>> On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles
>> <richard.k.milesgooglemail.com> wrote:
>>> I'm doing a pen-test on a Cisco 3015 concentrator - IPsec connections
>>> tunneled over TCP port 10000.
>>> By the way, ike-scan does not work with this VPN. Also the common tools
>>> to brute force like THC-pptp, THC-Hydra and Medusa do not work either.
>>> Nmap doesn't recognize the port as open either (but it doesn't matter); it
>>> says filtered, but I can telnet and establish a connection to it.
>>> Do you have some experience with this device? Can you give me some
>>> hints? And point me to some tools to identify, enumerate and
>>> brute-force this Cisco implementation?
>>> A bit off-topic: Does anyone know an easy to install and configure web
>>> proxy for Windows which enables header rewriting? I need to set up a fast
>>> web proxy on my Windows box to replace all headers (before they are
>>> sent to the webserver) of the "Cookie" field and a proprietary header.
>>> Thanks folks.
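Aditya's note on Phase 1 (ISAKMP) versus Phase 2 (IPsec) SAs, and Alex's pointer to ike-scan, both come down to what the IKE Phase 1 header reveals before any authentication happens. The following Python is an added example for this thread, not code from any of the posters, from ike-scan, or from Cisco: it parses the fixed 28-byte ISAKMP header (RFC 2408, shared by IKEv2 per RFC 7296), strips the NAT-T non-ESP marker on UDP/4500 (RFC 3948), and flags IKEv1 Aggressive Mode exchanges, which is the finding a gateway owner reviewing their own concentrator policy or a capture of their UDP/500 traffic would want to see. The initiator cookie, the header-only sample messages and the `make_header` helper are constructed for the example; Cisco's proprietary IPsec-over-TCP/10000 framing is not parsed here.

```python
import struct
from dataclasses import dataclass

ISAKMP_HEADER_LEN = 28  # fixed header size, RFC 2408 section 3.1

# Exchange-type values: RFC 2408/2409 for IKEv1, RFC 7296 for IKEv2.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")

    @property
    def is_first_message(self) -> bool:
        # The responder cookie/SPI stays all-zero until the responder answers.
        return self.responder_spi == bytes(8)

    @property
    def is_aggressive_mode(self) -> bool:
        return self.major_version == 1 and self.exchange_type == 4


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the 28-byte fixed header; raise ValueError on malformed input."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError(f"need {ISAKMP_HEADER_LEN} header bytes, got {len(data)}")
    i_spi, r_spi, nxt, ver, xchg, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if i_spi == bytes(8):
        raise ValueError("initiator cookie must be non-zero")
    if length < ISAKMP_HEADER_LEN or length > len(data):
        raise ValueError(f"length field {length} inconsistent with {len(data)} bytes")
    # Version octet packs major in the high nibble, minor in the low nibble.
    return IsakmpHeader(i_spi, r_spi, nxt, ver >> 4, ver & 0x0F, xchg, flags, msg_id, length)


def isakmp_payload(udp_payload: bytes, dst_port: int) -> bytes:
    """On UDP/4500 IKE follows a 4-byte zero non-ESP marker (RFC 3948);
    a payload without it on that port is UDP-encapsulated ESP, not IKE."""
    if dst_port == 4500:
        if udp_payload[:4] != bytes(4):
            raise ValueError("UDP/4500 payload without non-ESP marker (ESP, not IKE)")
        return udp_payload[4:]
    return udp_payload


def classify(packets):
    """Summarise (dst_port, udp_payload) pairs as (verdict, detail); 'aggressive'
    marks IKEv1 Aggressive Mode, the exchange a gateway policy review looks for."""
    out = []
    for port, payload in packets:
        try:
            hdr = parse_isakmp_header(isakmp_payload(payload, port))
        except ValueError as exc:
            out.append(("malformed", str(exc)))
            continue
        out.append(("aggressive" if hdr.is_aggressive_mode else "ok", hdr.exchange_name))
    return out


def make_header(exchange_type: int, version: int = 0x10, flags: int = 0,
                responder_spi: bytes = bytes(8)) -> bytes:
    """Build a constructed header-only message (hypothetical initiator cookie)."""
    return struct.pack("!8s8sBBBBII", b"\x11\x22\x33\x44\x55\x66\x77\x88",
                       responder_spi, 1, version, exchange_type, flags, 0,
                       ISAKMP_HEADER_LEN)


# Constructed sample traffic, not captured from any real gateway.
SAMPLE_PACKETS = [
    (500, make_header(4)),                                          # IKEv1 Aggressive Mode
    (500, make_header(2)),                                          # IKEv1 Main Mode
    (4500, bytes(4) + make_header(34, version=0x20, flags=0x08)),   # IKEv2 IKE_SA_INIT, NAT-T
    (500, make_header(4)[:10]),                                     # truncated datagram
]

if __name__ == "__main__":
    for verdict, detail in classify(SAMPLE_PACKETS):
        print(f"{verdict:10s} {detail}")
```

Feeding the header parser with real UDP/500 and UDP/4500 payloads from a capture gives a quick inventory of which exchange types a gateway actually accepts; an "aggressive" verdict on a first message is the cue to check whether the concentrator's policy still permits Aggressive Mode at all.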