LPTv4 module 32 VPN penetration testing

ECSA/LPT
EC-Council
Module XXXII: VPN Penetration Testing
Penetration Testing Roadmap
[Roadmap figure, spanning two slides. Phases shown: Start Here; Information Gathering; Vulnerability Analysis; External Penetration Testing; Internal Network Penetration Testing; Router and Switches Penetration Testing; Firewall Penetration Testing; IDS Penetration Testing; Wireless Network Penetration Testing; Denial of Service Penetration Testing; Password Cracking Penetration Testing; Social Engineering Penetration Testing; Stolen Laptop, PDAs and Cell Phones Penetration Testing; Application Penetration Testing; Physical Security Penetration Testing; Database Penetration Testing; VoIP Penetration Testing; Virus and Trojan Detection; War Dialing; VPN Penetration Testing; Log Management Penetration Testing; File Integrity Checking; Bluetooth and Hand-held Device Penetration Testing; Telecommunication and Broadband Communication Penetration Testing; Email Security Penetration Testing; Security Patches Penetration Testing; Data Leakage Penetration Testing; End Here.]
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Virtual Private Network (VPN)
A VPN is a network that uses the Internet to provide secure access to distant offices or individual users with their enterprise's network.
Types of VPN:
• IPsec VPN
• SSL VPN (web-based)
VPN Penetration Testing Steps
Step 1: Scanning:
• 1.1. 500 UDP IPSEC
• 1.2. 1723 TCP PPTP
• 1.3. 443 TCP/SSL
• 1.4. nmap -sU -P0 -p 500
• 1.5. ipsecscan xxx.xxx.xxx.xxx-255
Step 2: Fingerprinting:
• 2.1. Get the IKE handshake
• 2.2. UDP backoff fingerprinting
• 2.3. Vendor ID fingerprinting
• 2.4. Check for IKE aggressive mode
Step 3: PSK crack:
• 3.1. ikeprobe xxx.xxx.xxx.xxx-255
• 3.2. Sniff for responses with C&A or ikecrack
Step 4: Test for default user accounts
Step 5: Test for SSL VPN
Step 1: Scanning
Step 1.1 Scanning: 500 UDP IPSEC
Finding an ISAKMP service (IPsec VPN server) by looking for port 500 UDP.
Step 1.2 Scanning: 1723 TCP PPTP
Scanning 1723 TCP PPTP:
• Fig: Finding a PPTP VPN Server for port 1723 TCP
Step 1.3 Scanning: 443 TCP/SSL
Scanning 443 TCP/SSL:
• SSL VPNs listen on TCP 443 by default
• SSL-based VPNs use standard web-based protocols
Step 1.4 Scanning: nmap -sU -P0 -p 500
Options in nmap:
• -sU: UDP scan
• -P0: Treat all hosts as online; skip host discovery
• -p <port ranges>: Only scan specified ports
nmap -sU -P0 -p 500 <IP address range>:
• Performs a UDP scan for port 500 on xxx.xxx.xxx.xxx-255, considering all hosts online between xxx.xxx.xxx.xxx and xxx.xxx.xxx.255
Step 1.5 Scanning: ipsecscan xxx.xxx.xxx.xxx-255
Ipsecscan:
• Scans either a single IP address or a range of IP addresses looking for systems that are IPsec enabled
C:\VPN Security\tools>ipsecscan.exe 192.168.0.1 192.168.0.2
IPSecScan 1.1 - (c) 2001, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
192.168.0.1 IPSec status: Enabled
192.168.0.2 IPSec status: Indeterminable
Step 2: Fingerprinting
Step 2: Fingerprinting
Fingerprinting:
• Provides ample information about the VPN's vulnerabilities to the attacker.
It provides the following:
• Vendor and model of the VPN server.
• Software version number.
• VPN vulnerabilities.
Step 2.1: Get the IKE Handshake
Get the IKE handshake from every system that has to be fingerprinted.
Note the acceptable transform attributes from the Security Association (SA) payload.
Try with all the combinations of transform attributes.
Step 2.2: UDP Backoff Fingerprinting
Use the --showbackoff option, which makes ike-scan record the response time of all packets and wait 60 seconds after the last packet is received, to ensure all the packets have arrived before displaying the number of times the pattern matching has been tried.
ike-scan in backoff fingerprinting mode will not respond to the packets from the server, so the server retransmits the packets.
Step 2.3: Vendor ID Fingerprinting
A vendor ID payload contains arbitrary data and payload data that are always in the format of an MD5 hash of a text string.
Use the ike-scan command to display the vendor ID payload.
Use the --vendor option of ike-scan to add a vendor ID payload to the outgoing packet.
Step 2.4: Check for IKE Aggressive Mode
Check the aggressive mode of the ike-scan tool to get additional information.
Sometimes it is very difficult to handshake with an aggressive mode server, because it does not respond until a valid ID is supplied in the identification payload.
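The checks in Steps 2.3 and 2.4 are visible on the wire: the exchange-type byte of the ISAKMP header says whether a peer is using Aggressive Mode, and Vendor ID payloads carry the hashes the module describes. The following is an added example, not part of the EC-Council module or of ike-scan: a Python parser for ISAKMP framing (RFC 2408) that flags Aggressive Mode and extracts Vendor IDs from a captured UDP/500 datagram, so a defender can see which gateways are negotiating in that mode. The sample datagram and the vendor string "example-vendor-string" are constructed; nothing is sent on the network.

```python
"""Parse IKEv1/ISAKMP datagrams and flag Aggressive Mode exchanges and Vendor ID payloads.
Added defensive example (not EC-Council's code): RFC 2408 framing that a monitor could run over
captured UDP/500 traffic. The sample datagram below is constructed in-line; nothing is sent."""
import hashlib
import struct

HEADER_LEN = 28  # fixed header: initiator/responder cookies, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

def vendor_id_for(text: str) -> str:
    """Vendor ID payloads are commonly the MD5 of a text string (Step 2.3 above)."""
    return hashlib.md5(text.encode()).hexdigest()

def parse_isakmp(data: bytes) -> dict:
    """Walk the header and payload chain; raise ValueError on malformed framing."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    _ic, rcookie, nxt, _ver, exch, _flags, _mid, length = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    payloads, vendor_ids, off = [], [], HEADER_LEN
    while nxt != 0:  # generic payload header: next payload, reserved, length (incl. header)
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("payload length overruns datagram")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"))
        if nxt == 13:
            vendor_ids.append(data[off + 4:off + plen].hex())
        off, nxt = off + plen, following
    return {"exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"), "aggressive_mode": exch == 4,
            "from_initiator": rcookie == b"\x00" * 8,  # responder cookie is zero in the first message
            "payloads": payloads, "vendor_ids": vendor_ids}

def build_isakmp(exchange_type: int, payloads: list) -> bytes:
    """Assemble a test datagram from (payload_type, body) pairs; constructed fixture only."""
    body = b""
    for i, (_ptype, pdata) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(pdata)) + pdata
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, first, 0x10, exchange_type, 0, 0, HEADER_LEN + len(body))
    return header + body

# Constructed sample: an Aggressive Mode first message carrying SA, KE, NONCE, ID and one VID payload.
SAMPLE_AGGRESSIVE = build_isakmp(4, [(1, b"\x00" * 8), (4, b"\x00" * 16), (10, b"\x00" * 8),
                                     (5, b"example-id"), (13, bytes.fromhex(vendor_id_for("example-vendor-string")))])
```

Feeding the payload of each UDP/500 datagram from a capture into parse_isakmp and alerting on aggressive_mode gives a simple inventory of which gateways still negotiate that mode.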
Step 3: PSK Crack
Step 3.1: PSK Crack: ikeprobe xxx.xxx.xxx.xxx-255
You can use ike-scan with the --pskcrack option to obtain the IKE aggressive mode pre-shared key hashes.
Use psk-crack to crack the pre-shared keys.
You can use IKEProbe to determine vulnerabilities in the PSK implementation of the VPN server.
• IKEProbe tries various combinations of ciphers, hashes and Diffie-Hellman groups.
• It attempts to force the remote server into aggressive mode.
Step 3.2 PSK Crack: Sniff for Responses with C&A or IKECrack
You can crack the sniffed PSK using Cain & Abel or IKECrack.
After cracking the PSK, you can use PGPNet to connect to the vulnerable VPN server.
Step 4: Test Default User Accounts
Step 4: Test for Default User Accounts
Like any network device, an IPsec VPN has default user accounts.
The default user account name and password can be obtained from various websites on the Internet that host such a database.
Step 4.1: Check for Unencrypted Username in a File or the Registry
The username is generally stored in an unencrypted file or in the registry.
Glean the username from the registry and use the aggressive mode of ike-scan to get the password.
Check for Unencrypted Username in a File or the Registry: Screenshot