ECSA/LPT EC-Council Module XXXII: VPN Penetration Testing

Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
Cont'd

EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)
Cont'd
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

Virtual Private Network (VPN)
A VPN is a network that uses the Internet to provide distant offices or individual users with secure access to their enterprise's network.
Types of VPN:
• IPsec VPN
• SSL VPN (web-based)

VPN Penetration Testing Steps
Step 1: Scanning:
• 1.1. 500 UDP IPSEC
• 1.2. 1723 TCP PPTP
• 1.3. 443 TCP/SSL
• 1.4. nmap -sU -P0 -p 500
• 1.5. ipsecscan xxx.xxx.xxx.xxx-255
Step 2: Fingerprinting:
• 2.1. Get the IKE handshake
• 2.2. UDP backoff fingerprinting
• 2.3. Vendor ID fingerprinting
• 2.4. Check for IKE aggressive mode

VPN Penetration Testing Steps (cont'd)
Step 3: PSK crack:
• 3.1. ikeprobe xxx.xxx.xxx.xxx-255
• 3.2. Sniff for responses with C&A or ikecrack
Step 4: Test for default user accounts
Step 5: Test for SSL VPN

Step 1: Scanning

Step 1.1 Scanning: 500 UDP IPSEC
Finding an ISAKMP service (IPsec VPN server) by looking for port 500 UDP

Step 1.2 Scanning: 1723 TCP PPTP
Scanning: 1723 TCP PPTP:
• Fig: Finding a PPTP VPN server on port 1723 TCP

Step 1.3 Scanning: 443 TCP/SSL
Scanning: 443 TCP/SSL:
• SSL VPN uses TCP port 443 by default
• SSL-based VPN uses standard web-based protocols

[...] PSK implementation of the VPN server. It tries to find various combinations of ciphers, hashes, and Diffie-Hellman groups. It attempts to force the remote server into aggressive mode.

Tool: VPNmonitor
VPNmonitor is a free Java tool for observing network traffic. It can monitor VPN (PPTP and IPsec) and [...]
[...] Plain-Text Password: Screenshot

Step 5: Test SSL VPN

Step 5: Test for SSL VPN
Scan SSL VPN using the following tools:
• ike-scan
• Ipsecscan
• IKEProbe

[...]

Step 2: Fingerprinting
Fingerprinting:
• Provides ample information about the VPN's vulnerabilities to the attacker
It provides the following:
• Vendor and model of the VPN server
• Software version number
• VPN vulnerabilities

Step 2.1: [...] you can use PGPNet to connect to the vulnerable VPN server

Step 4: Test Default User Accounts

Step 4: Test for Default User Accounts
Like any network device, an IPsec VPN has default user accounts. The [...]

[...] the Registry: Screenshot

Step 4.2: Test for Plain-Text Password
VPN client programs store the plain-text password in memory.
• Establish the VPN client connection and use dumping tools such as pmdump to obtain the password
• Crash the computer to get a dump of physical memory
Step 1.5 Scanning: Ipsecscan xxx.xxx.xxx.xxx-255
Ipsecscan:
• Scan either a single IP address or a range of IP addresses looking for systems that are IPsec enabled

C:\VPN Security\tools>ipsecscan.exe 192.168.0.1 192.168.0.2
IPSecScan 1.1 - (c) 2001, Arne Vidstrom, arne.vidstrom@ntsecurity.nu - http://ntsecurity.nu/toolbox/ipsecscan/ [...]

Tool: IKE-scan
IKE-scan is a command-line tool that uses the IKE protocol to fingerprint, discover, and test IPsec VPN servers. It supports pre-shared key cracking for IKE aggressive mode using pre-shared key authentication.

[...] aggressive mode pre-shared keys. Use psk-crack to crack the pre-shared keys:
• You can use IKEProbe to determine vulnerabilities in the PSK implementation of the VPN server
• IKEProbe tries various combinations of ciphers, hashes and Diffie-Hellman groups
• It attempts to force the remote server into aggressive mode

[...] network traffic. It can monitor VPN (PPTP and IPsec) and SSL (HTTPS) connectivity of wireline/wireless networks.

VPNmonitor: Screenshot

Tool: IKECrack
IKECrack is an IKE/IPsec crack tool designed to perform a preshared-key [...]
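Step 2.4 and the IKE-scan, IKEProbe and IKECrack slides all hinge on one condition: a VPN server that answers in IKEv1 aggressive mode, where the responder's HASH_R is sent in the clear. The following is an added example, not part of the EC-Council module, that parses ISAKMP datagrams captured on UDP/500 and flags such a reply so an administrator can confirm whether their own gateway exposes that mode; the RFC 2408 header and payload layout is assumed, and every datagram in it is constructed.

```python
# Added example, not the EC-Council module's code: a passive check that parses
# ISAKMP datagrams (RFC 2408 header and payload chain, assumed layout) captured on
# UDP/500 and flags a responder that answered in IKEv1 aggressive mode.
import struct

HDR = 28  # fixed ISAKMP header: two 8-byte cookies, four 1-byte fields, msg id, length
EXCHANGE = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}

def parse_isakmp(dgram: bytes) -> dict:
    """Return version, exchange type, flags and payload chain; ValueError if malformed."""
    if len(dgram) < HDR:
        raise ValueError("too short for an ISAKMP header")
    _icky, rcky, nxt, ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", dgram[:HDR])
    if length != len(dgram):
        raise ValueError("length field does not match datagram size")
    payloads, off = [], HDR
    while nxt != 0:  # generic payload header: next(1) reserved(1) length(2)
        if off + 4 > len(dgram):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", dgram[off:off + 4])
        if plen < 4 or off + plen > len(dgram):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, f"type-{nxt}"))
        nxt, off = following, off + plen
    return {"version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, f"type-{exch}"),
            "responder_set": rcky != b"\x00" * 8, "encrypted": bool(flags & 1), "payloads": payloads}

def aggressive_responder(dgram: bytes) -> bool:
    """True for a clear-text aggressive-mode reply carrying HASH_R. That reply is what
    psk-crack and IKECrack work from, so it is the condition a defender wants to flag."""
    p = parse_isakmp(dgram)
    return (p["exchange"] == "Aggressive" and p["responder_set"]
            and not p["encrypted"] and "HASH" in p["payloads"])

def build_sample(exch: int, rcky: bytes, types: list) -> bytes:
    """Constructed datagram: header followed by empty-bodied payloads of the given types."""
    body = b"".join(struct.pack("!BBH", types[i + 1] if i + 1 < len(types) else 0, 0, 4)
                    for i in range(len(types)))
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, rcky, types[0] if types else 0,
                      0x10, exch, 0, 0, HDR + len(body))
    return hdr + body

# Constructed samples (not captured traffic): an aggressive-mode reply (SA, KE, NONCE,
# ID, HASH, VID) and a main-mode first message (SA, VID) with the responder cookie zero.
AGGRESSIVE_REPLY = build_sample(4, b"\x22" * 8, [1, 4, 10, 5, 8, 13])
MAIN_MODE_INIT = build_sample(2, b"\x00" * 8, [1, 13])
```

Feeding real UDP/500 payloads from a capture of your own gateway through aggressive_responder tells you whether the server negotiates aggressive mode at all; disabling it (or moving to certificate authentication) removes the material the PSK cracking tools above depend on.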