Authentication and Tunnel Establishment in IPSec VPNs in Software

Maker QR Code ISO/IEC18004 in Software Authentication and Tunnel Establishment in IPSec VPNs

IPSec employs the Internet Key Exchange (IKE) protocol for authentication as well as key and tunnel establishment IKE is split into two phases, each of which has its own distinct purpose IKE Phase 1 IKE Phase 1 s main purpose is to authenticate the two communicating parties with each other and then set up a secure channel for IKE Phase 2 This can be done in one of two ways: Main mode or Aggressive mode Main mode In three two-way handshakes (a total of 6 messages), Main mode authenticates both parties to each other This process rst establishes a secure channel in which authentication information is then exchanged securely between the two parties Aggressive mode In only three messages, Aggressive mode accomplishes the same overall goal of main mode but in a faster, notably less secure fashion Aggressive mode does not provide a secure channel to protect authentication information which ultimately exposes it to eavesdropping attacks IKE Phase 2 IKE Phase 2 s final aim is to establish the IPSec tunnel, which it does with the help of IKE Phase 1

6:

Popularity: Simplicity: Impact: Risk Rating: 8 6 8 7

As demonstrated in the footprinting and information gathering sections of this book, Google hacking can be a simple attack vector that has potential to provide devastating results One particular VPN related Google hack is filetype:pcf The PCF file extension is commonly used to store profile settings for the Cisco VPN client, an extremely popular client used in enterprise deployments These configuration files can contain sensitive information such as the IP address of the VPN gateway, usernames, and passwords Using filetype:pcf site:elec0necom, we can run a focused search for all PCF files stored on our target domain (Figure 6-8)

With this information, an attacker can download the Cisco VPN Client, import the PCF, connect to the target network via VPN, and launch further attacks on the internal network! The passwords stored within the PCF file can also be used for password reuse attacks It should be noted that the passwords are obfuscated using the Cisco password 7 type encoding; however, this mechanism is easily defeated using a number of tools such as Cain (as shown in Figure 6-9)

The best mechanism to defend against Google hacking is user awareness Those in charge of publishing web content should understand the risks associated with putting any item of information on the Internet With proper awareness in place, an organization can do annual checkups to search for sensitive information on their websites Targeted searches can be performed using the "site:" operator; however, that may cloud your view

6:

pertaining to the disclosure of information about your organization on other sites Google also has Google Alerts, which will send you an e-mail every time a new item is added to Google s cache which matches your search criteria See http://wwwgooglecom/ alerts for more information on Google Alerts

Popularity: Simplicity: Impact: Risk Rating: 5 5 3 4

When targeting any specific technology, the very first item on the list is to see if its service s corresponding port is available In the case of IPSec VPNs, we re looking for UDP 500 This is a simple task with nmap:

# nmap sU p 500 vpnelec0necom Starting Nmap 468 ( http://nmaporg ) at 2008-08-16 14:08 PDT Interesting ports on 19216811: PORT STATE SERVICE 500/udp open|filtered isakmp Nmap done: 1 IP address (1 host up) scanned in 1811 seconds

An alternate but more IPSec-focused tool is ike-scan by NTA Monitor (http:// wwwnta-monitorcom/tools/ike-scan/) This tool is available for all operating systems and performs IPSec VPN identification and gateway fingerprinting with a variety of configurable options

# /ike-scan vpnelec0necom Starting ike-scan 19 with 1 hosts (http://wwwnta-monitorcom/tools/ike-scan/) 19216811 Main Mode Handshake returned HDR=(CKY-R=5625e24b343ce106) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation) Implementation guess: Cisco IOS/PIX Ending ike-scan 19: 1 hosts scanned in 0164 seconds (609 hosts/sec) handshake; 0 returned notify 1 returned

ike-scan not only tells us that the host is listening for IPSec VPN connections, but it also identifies the IKE Phase 1 mode supported and indicates what hardware the remote server is running The last probing tool, IKEProber (http://ikecracksourceforgenet/IKEProberpl), is an older tool that allows an attacker to create arbitrary IKE initiator packets for testing