So there is a myth in everyone's mind that a VPN provides full protection against hackers (meaning no hacker can break in :P). It is never like that: if some loophole exists, an attacker can get into the network no matter how high the security, but a VPN does ensure some level of protection. Still, we will discuss some good and bad points of VPN connections.
Penetration testing a VPN network involves several phases, which are:-
This first step (discovery) you can easily do with tools like nmap:
root@bt:~# nmap -sU -p 500 172.16.21.200
Now, as you know, I have used -sU for a UDP scan and -p to specify the port, here 500 (ISAKMP/IKE).
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT STATE SERVICE
500/udp open isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
IKE Scan Tool :-
Ike-scan is a simple but powerful command-line tool that is used to find and fingerprint VPN gateways. It sends specially crafted IKE packets to target gateways and lists any IKE responses that are received. By default, Ike-scan works in main mode and sends a packet to the gateway with an ISAKMP header and a single proposal with eight transforms inside it.
Each transform contains a number of attributes: DES or 3DES as the encryption algorithm, SHA or MD5 as the integrity (hash) algorithm, a pre-shared key as the authentication method, Diffie-Hellman group 1 or 2 as the key exchange group, and 28800 seconds as the lifetime.
Initial VPN discovery with Ike-scan is as shown below:
root@bt:~# ike-scan -M 172.16.21.200
The -M option shows each payload on its own line, so that the output is neat and easy to understand. The output can be any of the following:
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
In the example shown, the VPN gateway replies with one returned handshake, and the accepted transform set has these parameters:
Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800
The IKE attribute classes these values belong to are numbered 1=Encryption Algorithm, 2=Hash Algorithm, 3=Authentication Method, 4=Group Description, and 5=Group Type.
Custom transform sets can be tried against the target with the
Kindly refer to RFC 2409 Appendix A for a complete understanding of transform set values. There are a number of other tools like ipsectrace, ipsecscan, etc., available for IPsec scanning, but undoubtedly Ike-scan is one of the best and most frequently updated tools.
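As an added example (my own code, not part of the original post or of ike-scan), here is a small Python decoder for the ISAKMP transform attributes discussed above, using the RFC 2409 Appendix A attribute classes and values. The two byte strings are constructed samples (the first encodes the exact transform the gateway above returned), and the list of settings flagged as weak is my own assumption about what an auditor would raise.

```python
import struct

# Attribute classes and values from RFC 2409 Appendix A (IKE Phase 1 attributes).
ATTR_CLASSES = {1: "Enc", 2: "Hash", 3: "Auth", 4: "Group", 11: "LifeType", 12: "LifeDuration"}
ATTR_VALUES = {
    "Enc": {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST", 7: "AES"},
    "Hash": {1: "MD5", 2: "SHA1", 3: "Tiger"},
    "Auth": {1: "PSK", 2: "DSS", 3: "RSA_Sig", 4: "RSA_Enc", 5: "RSA_Enc_Revised"},
    "Group": {1: "1:modp768", 2: "2:modp1024", 5: "5:modp1536"},
    "LifeType": {1: "Seconds", 2: "Kilobytes"},
}
# Assumption: settings an auditor would flag in a gateway's accepted transform.
WEAK = {("Enc", "DES"), ("Hash", "MD5"), ("Group", "1:modp768")}

def parse_transform_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408 sec. 3.3) into an ike-scan style dict.
    Each attribute is a 2-byte type (MSB = AF bit) followed by either a 2-byte value
    (AF=1, basic) or a 2-byte length and a variable-length value (AF=0)."""
    attrs, off = {}, 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        cls = atype & 0x7FFF
        if atype & 0x8000:                      # basic attribute: value is inline
            value = val_or_len
        else:                                   # variable-length attribute
            if off + val_or_len > len(data):
                raise ValueError("truncated variable-length attribute")
            value = int.from_bytes(data[off:off + val_or_len], "big")
            off += val_or_len
        name = ATTR_CLASSES.get(cls, f"Attr{cls}")
        attrs[name] = ATTR_VALUES.get(name, {}).get(value, value)
    return attrs

def weak_attributes(attrs: dict) -> list:
    """Return the attributes of a decoded transform that fall in the WEAK set."""
    return sorted(f"{k}={v}" for k, v in attrs.items() if (k, v) in WEAK)

def format_sa(attrs: dict) -> str:
    return "SA=(" + " ".join(f"{k}={v}" for k, v in attrs.items()) + ")"

# Constructed sample: the returned transform from the page, six basic attributes.
SAMPLE_3DES = bytes.fromhex("80010005" "80020002" "80030001" "80040002" "800b0001" "800c7080")
# Constructed sample: DES/MD5/group 1 with a variable-length 4-byte lifetime of 86400.
SAMPLE_WEAK = bytes.fromhex("80010001" "80020001" "80030001" "80040001" "800b0001" "000c0004" "00015180")

if __name__ == "__main__":
    for sample in (SAMPLE_3DES, SAMPLE_WEAK):
        a = parse_transform_attributes(sample)
        print(format_sa(a), "weak:", weak_attributes(a) or "none")
```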
Vulnerability assessment tools like Nessus, Nexpose, etc., can be used to identify the vulnerabilities of VPN implementations. A full security audit of the target gateway with such tools will generate a detailed report with all identified problems and the mitigation steps available.
Further penetration testing I will post in a later tutorial. Please leave your comment below if you have any query.