Hi all. As you all know, many organisations use VPNs quite actively these days, so we will take a quick look at penetration testing a Virtual Private Network using the ike-scan tool on BackTrack.
There is a myth in everyone's mind that a VPN provides full protection against hackers (meaning no hacker can hack it :P). It is never like that: if a loophole exists, an attacker can get into the network however high the security is. A VPN does ensure some level of protection, though, so we will discuss some good and bad points of VPN connections.
Penetration Testing VPN Network
The point of doing VPN penetration testing is that it helps the organisation to baseline its current VPN security posture (identify the loopholes that exist in the present implementation and modify the configuration accordingly to protect itself from known problems), identify threats and weaknesses, and implement a new security policy that will mitigate risks.

Penetration testing a VPN network involves several phases:

  • Scanning or identifying the VPN gateway.
  • Fingerprinting the VPN gateway for guessing implementation.
  • PSK mode assessment and PSK sniffing.
  • Offline PSK cracking.
  • Checking for default user accounts.
  • Testing the VPN gateway for vendor specific vulnerabilities.

    The first step (scanning for the gateway) you can easily do with tools like nmap.
    Example:
    root@bt:~# nmap -sU -p 500
    Starting Nmap 5.51 ( at 2011-11-26 10:56 IST
    Nmap scan report for
    Host is up (0.00036s latency).
    500/udp open isakmp
    MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)

    Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
    As you can see, I have used -sU for a UDP scan and -p to specify the port, 500 (ISAKMP, the IKE port).

    IKE Scan Tool :-
    ike-scan is a simple but powerful command-line tool used to find and fingerprint VPN gateways. It sends specially crafted IKE packets to target gateways and lists any IKE responses it receives. By default, ike-scan works in main mode and sends a packet to the gateway with an ISAKMP header and a single proposal containing eight transforms.

    Each transform contains a number of attributes: DES or 3DES as the encryption algorithm, SHA or MD5 as the integrity algorithm, a pre-shared key as the authentication type, Diffie-Hellman group 1 or 2 as the key-exchange group, and 28800 seconds as the lifetime. The eight default transforms are the 2 x 2 x 2 combinations of encryption, hash and group.

    Initial VPN discovery with Ike-scan is as shown below:
    root@bt:~# ike-scan -M
    Starting ike-scan 1.9 with 1 hosts ( Main Mode Handshake returned
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

    Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
    The -M option shows each payload on its own line, so the output is neat and easy to understand. The summary line can be any of the following:

  • 0 returned handshake; 0 returned notify: This means the target is not an IPsec gateway.
  • 1 returned handshake; 0 returned notify: This means the target is configured for IPsec and is willing to perform IKE negotiation, and one or more of the transforms you proposed is acceptable.
  • 0 returned handshake; 1 returned notify: VPN gateways respond with a notify message when none of the transforms are acceptable (though some gateways do not, in which case further analysis and a revised proposal should be tried).
    In the example shown, the VPN gateway replies with one returned handshake and the acceptable transform set has these parameters:
    Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800

    Custom transform sets can be tried against the target with the "--trans" switch:

    where 1=Encryption Algorithm, 2=Hash Algorithm, 3=Authentication Method, 4=Group Description, and 5=Group Type.
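    As an added example (my own code, not the post's and not part of ike-scan), the POSIX shell script below turns the three output cases and the transform attributes described above into something checkable: it classifies a constructed copy of "ike-scan -M" output, flags weak or legacy attributes in the accepted SA, and builds a --trans proposal from attribute names using the numbers from RFC 2409 Appendix A (with the later IANA values for AES, SHA-256 and modp2048). The sample output, the 192.0.2.10 documentation address and the weak/legacy policy are assumptions of the example; the comma-separated enc,hash,auth,group form of --trans is the one I know from the ike-scan manual, so confirm it against the man page of your installed version.

```sh
#!/bin/sh
# Added example, not part of the original post or of ike-scan itself.
# classify_summary() mirrors the three summary cases in the post,
# assess_sa() flags transform attributes a defender would want retired,
# build_trans() emits the enc,hash,auth,group list for ike-scan --trans
# (values from RFC 2409 Appendix A and the IANA IKE attribute registry).
# SAMPLE_OUTPUT is constructed to mirror the run shown in the post;
# 192.0.2.10 is a documentation address, not a real gateway.

SAMPLE_OUTPUT='Starting ike-scan 1.9 with 1 hosts
192.0.2.10    Main Mode Handshake returned
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec).  1 returned handshake; 0 returned notify'

# classify_summary OUTPUT -> handshake | notify | no-response
# handshake: an IPsec gateway accepted at least one proposed transform;
# notify: a gateway answered but rejected every transform;
# no-response: nothing spoke IKE back to us.
classify_summary() {
    summary=$(printf '%s\n' "$1" | grep 'returned handshake' || true)
    handshake=$(printf '%s\n' "$summary" | sed -n 's/.* \([0-9][0-9]*\) returned handshake.*/\1/p')
    notify=$(printf '%s\n' "$summary" | sed -n 's/.* \([0-9][0-9]*\) returned notify.*/\1/p')
    if [ "${handshake:-0}" -gt 0 ]; then
        echo handshake
    elif [ "${notify:-0}" -gt 0 ]; then
        echo notify
    else
        echo no-response
    fi
}

# assess_sa OUTPUT -> space-separated findings about the accepted SA.
# Policy is this example's own: DES, MD5 and DH group 1 (modp768) are
# weak; 3DES, SHA1 and modp1024 are legacy; PSK is reported because the
# PSK assessment phases listed in the post then apply to this gateway.
assess_sa() {
    sa=$(printf '%s\n' "$1" | sed -n 's/.*SA=(\(.*\)).*/\1/p')
    findings=""
    for attr in $sa; do
        case "$attr" in
            Enc=DES)    findings="$findings weak-enc:DES" ;;
            Enc=3DES)   findings="$findings legacy-enc:3DES" ;;
            Hash=MD5)   findings="$findings weak-hash:MD5" ;;
            Hash=SHA1)  findings="$findings legacy-hash:SHA1" ;;
            Group=1:*)  findings="$findings weak-group:modp768" ;;
            Group=2:*)  findings="$findings legacy-group:modp1024" ;;
            Auth=PSK)   findings="$findings psk-auth" ;;
        esac
    done
    echo "${findings# }"
}

# Attribute name -> numeric value (RFC 2409 Appendix A plus IANA additions).
enc_id()   { case "$1" in DES) echo 1 ;; 3DES) echo 5 ;; AES) echo 7 ;; *) return 1 ;; esac; }
hash_id()  { case "$1" in MD5) echo 1 ;; SHA1) echo 2 ;; SHA256) echo 4 ;; *) return 1 ;; esac; }
auth_id()  { case "$1" in PSK) echo 1 ;; RSA_SIG) echo 3 ;; *) return 1 ;; esac; }
group_id() { case "$1" in modp768) echo 1 ;; modp1024) echo 2 ;; modp1536) echo 5 ;; modp2048) echo 14 ;; *) return 1 ;; esac; }

# build_trans ENC HASH AUTH GROUP -> "--trans=e,h,a,g"
build_trans() {
    printf '%s=%s,%s,%s,%s\n' '--trans' \
        "$(enc_id "$1")" "$(hash_id "$2")" "$(auth_id "$3")" "$(group_id "$4")"
}

printf 'result:   %s\n' "$(classify_summary "$SAMPLE_OUTPUT")"
printf 'findings: %s\n' "$(assess_sa "$SAMPLE_OUTPUT")"
printf 'proposal: %s\n' "$(build_trans AES SHA256 PSK modp2048)"
```

    Run it as-is to see the classification of the constructed sample, or pipe a real "ike-scan -M" capture into the two assessment functions; build_trans gives you the --trans argument for a proposal that matches your own policy (the last line emits --trans=7,4,1,14 for AES/SHA-256/PSK/modp2048) so that the gateway's acceptance or rejection of it can be checked the same way.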

    Kindly refer to RFC 2409 Appendix A for a complete understanding of transform set values. There are a number of other tools, such as ipsectrace and ipsecscan, available for IPsec scanning, but ike-scan is undoubtedly one of the best and is frequently updated.

    Vulnerability assessment tools like Nessus, Nexpose, etc., can be used to identify vulnerabilities in VPN implementations. A full security audit of the target gateway with such tools will generate a detailed report listing all identified problems and the mitigation steps available.

    I will cover the further penetration testing phases in a later tutorial. Please leave a comment below if you have any query.