IPsec VPN Penetration Testing with BackTrack Tools - LINUX For You
IPsec VPN Penetration Testing with BackTrack Tools


By Arun Thomas on January 30, 2012 in How-Tos, Security, Sysadmins, Tools / Apps


This article outlines the value of penetration-testing VPN gateways for known vulnerabilities and also shows you how to prevent a breach into the internal network.

IPsec is the most commonly used technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. It offers complete data protection for tunnelled traffic, with confidentiality, integrity, data origin authentication and anti-replay services. IPsec uses a lot of components to achieve high-level security. The major protocols that IPsec uses are:

ESP (Encapsulating Security Payload): ESP can provide data confidentiality and integrity, but cannot protect the IP header. The IP protocol number of ESP is 50.

AH (Authentication Header): AH can provide the integrity service to the data packet, but cannot offer confidentiality to data packets like ESP does. The IP protocol number of AH is 51.

IKE (Internet Key Exchange): IKE provides support for the negotiation of parameters between end points or VPN peers and thus establishes, maintains and terminates security associations (SAs). SA termination can be based on time (seconds) or on transferred volume (kilobytes). Actually, IKE is a type of ISAKMP (Internet Security Association and Key Management Protocol) implementation, which is a framework for authentication and key exchange. IKE establishes the security association between two endpoints through a three-phase process.

IKE Phase 1: IKE Phase 1 sets up a secure channel between two IPsec endpoints by negotiating parameters like the encryption algorithm, integrity algorithm, authentication type, key distribution mechanism, lifetime, etc. IKE Phase 1 can use either main mode or aggressive mode to establish the bidirectional security association. Main mode negotiates the SA through three pairs of messages, while aggressive mode offers faster operation through an exchange of three messages.

IKE Phase 2: IKE Phase 2 is used for data protection. The VPN peers negotiate the IPsec parameters needed for data security with ESP and AH. Finally, a unidirectional SA is built between the peers in a special mode known as Quick Mode. The establishment of the Phase 2 security association can use a fresh Diffie-Hellman exchange, independent of the one used by Phase 1, for more security. This concept is known as Perfect Forward Secrecy (PFS).

IKE Phase 1.5: IKE Phase 1.5, or the Extended Authentication phase, is an optional phase and is commonly used in remote access VPN solutions. IKE Phase 1.5 enhances security by adding end-user-level authentication.

Commercial VPN gateways from different manufacturers like Cisco, Checkpoint, Juniper, Microsoft, etc., are readily available. Some of those vendors offer both hardware- and software-based solutions for IPsec implementations. Quite a few robust open source solutions like Openswan, StrongVPN, etc., can also be used for IPsec implementations.

Does your IPsec VPN solution offer complete protection?

VPN penetration testing helps an organisation baseline its current VPN security posture (identify the loopholes in the present implementation and adjust the configuration to protect it from known problems), identify threats and weaknesses, and implement a new security policy that mitigates the risks.


Setting up the test lab for VPN pen-testing


GNS3 is a great tool for simulating Cisco devices (and other vendors' devices, like Juniper, too). There are many tutorials on the Internet for IPsec remote access and site-to-site VPN configurations using GNS3. One such tutorial is available here. With a PC with a Core 2 Duo or higher processor and 2 GB RAM, you can completely simulate the test lab. Distros like Ubuntu now have GNS3 in their repository; command-line installation in Ubuntu is as simple as sudo apt-get install gns3. Complete coverage of the GNS3 setup is beyond the scope of this article, so those who are new to GNS3 should consult the project documentation. For this test lab, you need to simulate a router with IPsec support and two interfaces. Do not forget to add the BackTrack PC to the simulated Internet region of your test lab setup (the external interface of the router), as shown in the sample topology (Figure 1). All tests will be performed from the BackTrack PC.

Figure 1: Sample topology

The same test lab setup can also be arranged with other solutions like Checkpoint SPLAT (SPLAT, or Secure Platform, is a software-based gateway solution from Checkpoint Software), Microsoft Server 2003 or 2008 (configured as an IPsec VPN gateway), etc.

Penetration testing an IPsec VPN


Penetration testing an IPsec VPN includes several phases:
1. Scanning or identifying the VPN gateway.
2. Fingerprinting the VPN gateway to guess the implementation.
3. PSK mode assessment and PSK sniffing.
4. Offline PSK cracking.
5. Checking for default user accounts.
6. Testing the VPN gateway for vendor-specific vulnerabilities.

Scanning or identifying the VPN gateway


To determine the presence of an IPsec VPN gateway, the penetration tester needs to port-scan the target. Most IPsec implementations are ISAKMP-based. ISAKMP is an application-layer key-exchange protocol that provides mechanisms to establish, negotiate, modify and delete Security Associations. ISAKMP uses UDP port 500, so a direct UDP port scan of the suspected VPN gateway may give you the results. You can use Nmap or Ike-scan for this.

Scanning with Nmap


A direct port-scan on the VPN gateway with this powerful open source scanner provides supplemental information on the presence of the VPN gateway. Nmap can later be used at the fingerprinting phase for version or OS identification.
root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT    STATE SERVICE
500/udp open  isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

The options used were -sU for UDP scan, and -p to only scan the specified port. The scan output shows the ISAKMP port (UDP port 500) open.

Ike-scan
Ike-scan is a simple but powerful command-line tool that is used to find and fingerprint VPN gateways. It sends specially crafted IKE packets to target gateways and lists any IKE responses that are received. By default, Ike-scan works in main mode, and sends a packet to the gateway with an ISAKMP header and a single proposal with eight transforms inside it. Each transform contains a number of attributes: DES or 3DES as the encryption algorithm, SHA or MD5 as the integrity algorithm, a pre-shared key as the authentication type, Diffie-Hellman group 1 or 2 as the key distribution algorithm and 28800 seconds as the lifetime. Initial IPsec VPN discovery with Ike-scan is as shown below:
root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
  HDR=(CKY-R=d90bf054d6b76401)
  SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
  VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify

The -M switch shows each payload on its own line, so that the output is neat and easy to understand. The output can be any of the following:
0 returned handshake; 0 returned notify: the target is not an IPsec gateway.
1 returned handshake; 0 returned notify: the target is configured for IPsec and is willing to perform IKE negotiation, and one or more of the transforms you proposed are acceptable.
0 returned handshake; 1 returned notify: VPN gateways respond with a notify message when none of the transforms are acceptable (though some gateways do not, in which case further analysis and a revised proposal should be tried).
In the example shown, the VPN gateway replies with one returned handshake, and the acceptable transform set has these parameters:
Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800

Custom transform sets can be tried against the target with the --trans switch:
--trans=(1=1,2=2,3=1,4=2)

where 1=Encryption Algorithm, 2=Hash Algorithm, 3=Authentication Method, 4=Group Description, and 5=Group Type. Refer to RFC 2409 Appendix A for a complete understanding of transform set values. There are a number of other tools like ipsectrace, ipsecscan, etc., available for IPsec scanning, but undoubtedly Ike-scan is one of the best and most frequently updated. Vulnerability assessment tools like Nessus, Nexpose, etc., can be used to identify the vulnerabilities of VPN implementations. A full security audit of the target gateway with such tools will generate a detailed report with all identified problems and the mitigation steps available.

Fingerprinting the VPN gateway for guessing implementation


Vendor identification and software detection of the gateway are achieved in the fingerprinting phase. To proceed with fingerprinting, you need to get a handshake message from the gateway containing the acceptable transform set details. As IKE by default doesn't offer reliability for transmitted packets, VPN gateway vendors use their own back-off algorithm to deal with traffic lost in transit. The attacker sends an initial IKE proposal to the VPN gateway with an acceptable transform set, does not reply, and carefully analyses the server's response messages for some time. (The default time Ike-scan waits for back-off fingerprinting is 60 seconds.) By analysing the time difference between the received messages from the server and matching the response pattern, the pen tester can successfully fingerprint the VPN gateway vendor.

Some VPN servers use the optional Vendor ID (VID) payload of IKE to carry proprietary extensions. This really makes fingerprinting easy for the attacker. Most of the time, the VID is a hashed text string. Ike-scan can use the --vendor switch to add a VID payload to outbound packets. The received VID payload can be displayed by Ike-scan directly, as shown below:
root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
  HDR=(CKY-R=4f3ec84731e2214a)
  SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
  VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

IKE Backoff Patterns:

IP Address       No.  Recv time            Delta Time
172.16.21.200    1    1322286031.744904    0.000000
172.16.21.200    2    1322286039.745081    8.000177
172.16.21.200    3    1322286047.745989    8.000908
172.16.21.200    4    1322286055.746972    8.000983
172.16.21.200    Implementation guess: Cisco VPN Concentrator

Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify

Note that Ike-scan fingerprinting can be done without even using the --trans option, but adding it will make the process faster. So you have been successful in fingerprinting the vendor of the VPN gateway; in this case, it is a Cisco VPN server like an ASA or PIX.

PSK mode assessment and PSK sniffing


The aggressive mode of IPsec does not use the Diffie-Hellman key exchange to protect the authentication data exchange: the authentication hash is sent before the Diffie-Hellman-derived keys are in place. This makes it possible for the attacker to capture the authentication data. A server that works in aggressive mode sends the authentication hash in clear text, which can be captured and cracked offline by tools like ikecrack. In the following example, the penetration tester sniffs the PSK hash and saves it into a file for offline cracking:
root@bt:~# ike-scan --pskcrack --aggressive --id=peer 172.16.21.200 > psk.txt

Ike-probe or Ike-scan can be used to capture authentication data, as the following example shows:
root@bt:~# ike-scan --pskcrack --aggressive --id=peer 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Aggressive Mode Handshake returned HDR=(CKY-R=7eb59f437bbc5445) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Secon
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r): 41391d84dd47367e7f3182b07ccf3bcf48e0d8c917452ac071bce3673c4352583759e5086a9806ab7c5531944273c25a8722c259c76e5e393a2e48c36bf205d571cfd0eba36c573f
Ending ike-scan 1.9: 1 hosts scanned in 0.018 seconds (55.19 hosts/sec). 1 returned handshake; 0 returned notify
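The ike-scan outputs above (main mode, the VID payload, and the aggressive-mode reply) are all single ISAKMP responder datagrams on UDP 500. As an added example, not from the article or from the ike-scan project, the Python below decodes one such datagram: it reads the 28-byte ISAKMP header, walks the payload chain, extracts the Phase 1 transform attributes using the RFC 2409 Appendix A numbering the article refers to, recognises the fragmentation Vendor ID shown above, and reports the gateway-side settings a defender auditing a capture of their own gateway should flag (aggressive mode answered, PSK authentication, DES or a low DH group). The datagram is constructed inline from the article's 3DES/SHA1/PSK/group 2 transform set; the attribute, group and VID lookup tables are this example's own assumptions.

```python
import struct

EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}               # ISAKMP exchange types
ATTR = {1: "Enc", 2: "Hash", 3: "Auth", 4: "Group", 11: "LifeType", 12: "LifeDuration"}  # RFC 2409 App. A
ENC, HASH, AUTH = {1: "DES", 5: "3DES", 7: "AES"}, {1: "MD5", 2: "SHA1"}, {1: "PSK", 3: "RSA_Sig"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
VIDS = {bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3c0000000"): "IKE Fragmentation"}  # VID seen above

def parse_sa(body):  # body = DOI, situation, then the first proposal with its transforms
    t_off = 16 + body[14]                     # skip DOI, situation, proposal header and its SPI
    tlen = struct.unpack("!H", body[t_off + 2:t_off + 4])[0]
    attrs, off, end = {}, t_off + 8, t_off + tlen   # attributes follow the 8-byte transform header
    while off < end:
        atype, aval = struct.unpack("!HH", body[off:off + 4])
        if atype & 0x8000:                    # basic (TV) attribute: aval is the 2-byte value
            attrs[ATTR.get(atype & 0x7FFF, atype & 0x7FFF)] = aval
            off += 4
        else:                                 # variable (TLV) attribute: aval is a length
            attrs[ATTR.get(atype, atype)] = int.from_bytes(body[off + 4:off + 4 + aval], "big")
            off += 4 + aval
    return attrs

def parse_isakmp(pkt):
    """Decode the 28-byte ISAKMP header and walk the payload chain of one UDP/500 datagram."""
    _cky_i, cky_r, nxt, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match datagram size")
    info, off = {"exchange": EXCHANGE.get(exch, f"type {exch}"), "cky_r": cky_r.hex(), "sa": {}, "vids": []}, 28
    while nxt != 0:                           # each generic payload header: next, reserved, length
        nxt2, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed payload length")
        body = pkt[off + 4:off + plen]
        if nxt == 1:                          # Security Association payload
            info["sa"] = parse_sa(body)
        elif nxt == 13:                       # Vendor ID payload
            info["vids"].append(VIDS.get(body, body.hex()))
        off, nxt = off + plen, nxt2
    return info

def describe(sa):  # render a transform the way ike-scan prints it
    return (f"Enc={ENC.get(sa.get('Enc'), '?')} Hash={HASH.get(sa.get('Hash'), '?')} "
            f"Group={sa.get('Group')}:{GROUP.get(sa.get('Group'), '?')} Auth={AUTH.get(sa.get('Auth'), '?')} "
            f"LifeType={'Seconds' if sa.get('LifeType') == 1 else 'Kilobytes'} LifeDuration={sa.get('LifeDuration')}")

def assess(info):
    """Gateway-side settings a defender should flag in a captured responder message."""
    sa, findings = info["sa"], []
    if info["exchange"] == "Aggressive Mode":
        findings.append("aggressive mode answered: the PSK hash travels unprotected and can be cracked offline")
    if sa.get("Auth") == 1:
        findings.append("PSK authentication: the key's strength is the whole defence")
    if sa.get("Enc") == 1 or sa.get("Group") in (1, 2):
        findings.append(f"weak crypto in accepted transform: {describe(sa)}")
    return findings

def build_sample(exch=4):  # constructed responder datagram with the article's 3DES/SHA1/PSK/group 2 set
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in ((1, 5), (2, 2), (3, 1), (4, 2), (11, 1)))
    attrs += struct.pack("!HHI", 12, 4, 28800)                           # TLV LifeDuration
    trans = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs    # transform #1, KEY_IKE
    prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(trans), 1, 1, 0, 1) + trans  # proposal #1, no SPI, 1 transform
    sa = struct.pack("!II", 1, 1) + prop                                 # DOI=IPsec, SIT_IDENTITY_ONLY
    vid = bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3c0000000")
    payloads = struct.pack("!BBH", 13, 0, 4 + len(sa)) + sa + struct.pack("!BBH", 0, 0, 4 + len(vid)) + vid
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes.fromhex("7eb59f437bbc5445"), 1, 0x10, exch, 0, 0, 28 + len(payloads))
    return hdr + payloads
```

Calling assess(parse_isakmp(build_sample())) yields three findings for the constructed aggressive-mode reply; passing exch=2 builds the equivalent main-mode reply, for which only the PSK and group 2 findings remain.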

Offline PSK cracking


Before cracking the captured hashed authentication string offline, edit the output file to include only the hash value. (It should only include 9 colon-separated values.) The offline cracking in BackTrack is done with psk-crack, which supports dictionary, brute-force and hybrid mode cracking. There are a number of other tools like Cain and Abel available for offline PSK hash cracking. The following example shows the dictionary mode of psk-crack:
root@bt:~# psk-crack -d /usr/local/share/ike-scan/psk-crack-dictionary psk.txt
Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "ADMIN" matches SHA1 hash c1dc52bbb88d4b434c1050a6e77e923f03afbc82
Ending psk-crack: 136 iterations in 0.001 seconds (153153.15 iterations/sec)

So the VPN gateway is configured with the simple pre-shared key "ADMIN"!


Checking for default user accounts


Most VPN solutions have end-user-level authentication, Xauth (Phase 1.5 of IKE) or Extended Authentication, enabled by default. So with the psk-crack output alone, it will not be possible to get into the internal network. After the initial peer authentication, Xauth is required before the VPN gateway grants access. Xauth login credentials can be captured by using fiked, a command-line tool that impersonates the VPN gateway's IKE responder and sniffs the authentication data by intercepting the IKE traffic. You need to redirect IKE traffic to fiked for sniffing, which can be done with the help of ARP spoofing. Given below is a simple example of fiked. The -g switch specifies the IP address of the gateway, captured data is written to a file with the -l switch, -d is used to run it in daemon mode, and -k takes the group id:shared key pair:
root@bt:~# fiked -g 192.168.1.50 -k testgroup:secretkey -l output.txt -d

In some cases, the VPN gateway will have default user accounts, which the pen-tester can use for Xauth. If not, extensive social engineering or information gathering will do the trick. You may use a proper IPsec VPN client like the Cisco EasyVPN client for the final verification.

Testing the VPN gateway for vendor specific vulnerabilities


There are hundreds of known IPsec/IKE vulnerabilities. Exploitation of these can cause disruption of VPN gateway services, so testing the gateway for them is very important. The following three websites are very useful; they list the known vulnerabilities of different VPN solutions:
1. National Vulnerability Database
2. Secunia
3. SecurityFocus
Sophisticated vulnerability assessment tools like Metasploit Framework Pro, Qualys, Core Impact, etc., can be used to test the VPN gateway against known vulnerabilities, along with custom-created exploit scripts. Security patches, OS upgrades or additional configuration may be needed to mitigate these threats, as guided by the vendor. By compromising a VPN gateway server, an attacker can gain access to valuable internal resources, so organisations need to make sure that VPN gateways are hardened against these threats. Vulnerability assessment and penetration-testing of the VPN gateway, along with periodic reviews of the configured security policies, can help organisations tighten up overall security.
Feature image courtesy: Walter Logeman. Reused under the terms of CC-BY-NC-ND 2.0 License.


Article written by:


Arun Thomas
The author is an information security specialist with 8 years of experience in the information and network security domains. His qualifications include more than 30 information and network security certifications, including CISSP, and expertise in security tools, methods, technologies and best practices. He is the co-founder and CTO of Netsentries, an information security consulting company.

Comments

Aseem, 2 months ago:
Can you just elaborate this part "edit the output file to include only the hash value. (It should only include 9 colon-separated values.)"... in the PSK offline cracking... any link to do this... or any method... I'm facing extreme difficulty in this part... thanks in advance...

Vinay Gambhir, a year ago:
Please share the contact details of ARUN THOMAS, we are looking for an expert like him...

Mahat Agarwal, a year ago:
Admin, please share the contact details of the author, we are looking for the services of an experienced penetration tester like this.
