
VPN Server

To: pen-test@securityfocus.com
Subject: VPN Server
From: kapil assudani <kapil.assudani@yahoo.com>
Date: Wed, 24 Jan 2007 13:40:27 -0800 (PST)

Hi,

I was pentesting a VPN server and could make an aggressive mode connection.
The vulnerability associated with VPN servers is a group enumeration
vulnerability, referred to below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_notice09186a00804a7912.html

Now with the ike-scan tool, I get the following response from the VPN server
using random ID= values for the group. However, even though the results say it's
a VPN concentrator, it's actually a Cisco PIX FW implementing a VPN server, which
is fine, just a fingerprinting flaw. On further digging it was found that the
VPN server is at proper patch levels and does not have any groups configured.
However, according to the vuln description, the following handshake to the aggressive
mode should not be returned, and as one can see the returned handshake is
successful.
So I was wondering, is having aggressive mode configured a problem here? Do
we recommend disabling aggressive mode, and if yes, what could be the problem? Since
no groups are configured, does it boil down to being a problem of
fingerprinting the product used for the VPN server?

It seems it responds with the message below for everything used.

thanks!

my-powerbook-g4-15:~/tools/ike-scan-1.8 $layer$ sudo ./ike-scan -A --idtype=11 -M --auth=65001 --id=tom x.x.x.70
Starting ike-scan 1.8 with 1 hosts (http://www.nta-monitor.com/ike-scan/)
x.x.x.70    Aggressive Mode Handshake returned
        HDR=(CKY-R=34b668433f0520cf)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(20 bytes)
        ID(Type=ID_IPV4_ADDR, Value=x.x.x.70)
        Hash(16 bytes)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=09002689dfd6b712 (XAUTH)
        VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
        VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)

Ending ike-scan 1.8: 1 hosts scanned in 0.786 seconds (1.27 hosts/sec).  1 returned handshake; 0 returned notify



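The ike-scan run in the post shows the gateway completing an aggressive-mode exchange for an arbitrary group ID. As an added example (not from the original post or from ike-scan itself), here is a small Python decoder for an ISAKMP (IKEv1) response that reports the exchange type, payload chain and vendor IDs, and flags a completed aggressive-mode handshake, which is the condition a gateway audit or an IDS rule on VPN traffic would look for. The packet is constructed: the responder cookie and the Cisco Unity / XAUTH vendor IDs are taken from the post's output, the other payload bodies are zero-filled placeholders.

```python
import struct

# Added example, not from the original post. Packet contents are constructed: the
# responder cookie and the two vendor IDs come from the ike-scan output above.
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational"}
PAYLOAD_NAMES = {1: "SA", 4: "KeyExchange", 5: "ID", 8: "Hash", 10: "Nonce", 13: "VID"}
KNOWN_VIDS = {bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"): "Cisco Unity",
              bytes.fromhex("09002689dfd6b712"): "XAUTH"}

def parse_isakmp(pkt: bytes) -> dict:
    """Decode the 28-byte ISAKMP header and walk the chained payloads."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    _cky_i, cky_r, nxt, _ver, exch, _flags, _msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    payloads, vids, off = [], [], 28
    while nxt != 0:                      # next-payload 0 ends the chain
        if off + 4 > len(pkt):
            raise ValueError("truncated payload chain")
        following, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        body = pkt[off + 4:off + plen]
        payloads.append(PAYLOAD_NAMES.get(nxt, f"type{nxt}"))
        if nxt == 13:                    # Vendor ID payload: name it if known
            vids.append(KNOWN_VIDS.get(body, body.hex()))
        nxt, off = following, off + plen
    return {"cky_r": cky_r.hex(), "exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"),
            "payloads": payloads, "vids": vids}

def is_aggressive_handshake(pkt: bytes) -> bool:
    """True when the responder completed aggressive mode (type 4 carrying ID and HASH)."""
    info = parse_isakmp(pkt)
    return info["exchange"] == "Aggressive Mode" and {"ID", "Hash"} <= set(info["payloads"])

def constructed_response(exch: int = 4) -> bytes:
    # Constructed responder packet mirroring the payload order in the ike-scan output.
    chain = [(1, bytes(8)), (4, bytes(128)), (10, bytes(20)),     # SA, KE, Nonce
             (5, b"\x01\x00\x00\x00" + bytes(4)), (8, bytes(16)),  # ID (IPv4), Hash
             (13, bytes.fromhex("12f5f28c457168a9702d9fe274cc0100")),
             (13, bytes.fromhex("09002689dfd6b712"))]
    body = b""
    for i, (_ptype, data) in enumerate(chain):  # each header names the *next* payload
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    hdr = struct.pack("!8s8sBBBBII", bytes(8), bytes.fromhex("34b668433f0520cf"),
                      chain[0][0], 0x10, exch, 0, 0, 28 + len(body))
    return hdr + body
```

Run against captured UDP/500 responder packets, a True result from is_aggressive_handshake means the gateway is answering aggressive mode and the question in the post applies to it.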