In this article we are going to discuss Penetration Testing IPSec VPN (Virtual Private Network). VPN provide secure (encrypted) communications between remote locations or users within the same network through internet. Basically there are two types of VPNs: IPSec VPN and SSL VPN. IPSec is widely used protocol to establish secure connections between networks and connect hosts in virtual private networks.
Within IPSec VPN, there are many subsidiary protocols are responsible to perform specific tasks or functions, I have described them below:
- Authentication Header (AH): The function of AH is to provide proof of origin for IP packets, protecting them against replay attacks.
- Encapsulation Security Protocol (ESP): Task of ESP is to provide the origin authenticity, integrity, and confidentiality of the transmitted data.
- Security Association (SA): Basically SA is the set of algorithms which is used to encrypt and authenticate the transmitted data. Because SA is associated with data transmission in one direction, two-way communications are secured by a pair of security associations. Security associations are established using Internet Security Association and Key Management Protocol (ISAKMP), this can be applied through many ways. When testing the security of VPN (Penetration Testing IPSec VPN), one of the most vulnerable configurations relies on preshared secrets, Internet Key Exchange (IKE).
To assess the security of VPN (Penetration Testing IPSec VPN), Penetration testers should follow the following basic steps:
- Scanning VPN gateways.
- Fingerprinting VPN gateways (determine vendor and configuration details).
- Finding vulnerabilities associated with the VPN vendor or related products.
- Capturing preshared keys.
- PSK cracking (offline).
- Checking for default user accounts.
2Fingerprinting the VPN gateway – Penetration Testing IPSec VPN
If you can establish a handshake with the VPN gateway, you can conduct the fingerprinting of the device to return the following information:
- vendor/manufacturer and model
- software version
Information obtained used to identify a vendor-specific attack or fine tune a generic attack. If VPN is hosted by a firewall, the fingerprinting will also identify the firewall in use.
The main reason is IKE does not guarantee the reliability for packets transmitted, most VPN gateway vendors use a proprietary protocol to deal with traffic that appears to be lost. This tool sends IKE probe packets to the VPN gateway, but it does not reply to the response that it receives. The server responds as if the packets have been lost and implements its backoff strategy to resend the packets. By analyzing the time difference between the packets and the amount of retries, ike-scan can fingerprint the vendor.
Following screenshot explains the process, the -M option causes each payload to be shown on a separate line, making the output easier to read. -showbackoff option (as shown in the following screenshot) of ike-scan records the response time of all the packets that were sent and received and then records the delays for 60 seconds before displaying the results:
This tool can also be used to determine whether the gateway supports the aggressive mode. If it does, it can be difficult to establish the handshake with the server, because it will not respond until a valid ID is supplied as part of the identification payload.