Cisco VPN group name and password testing

Cisco VPN group name and password

Even though this is not a new attack, the patch from Cisco does not seem to have received much attention (the patch dates from May 2005).

The following is a walk-through of how this vulnerability is exploited to gain access to a network through an unpatched Cisco VPN Concentrator.

It should be noted that only Concentrators configured to use group names instead of certificates are vulnerable to this attack.


Walk-through

The primary reason for this vulnerability is the use of bad security practice from Cisco – letting the device respond differently to valid and invalid usernames.

The exploit is based on sending packets to the Concentrator in order to initiate an IKE session (see a follow-up post about detecting VPN Concentrators using ike-scan).

If we do not provide a group name, the Concentrator drops the packets (which is why it does not show up on a port scan). If we provide a wrong group name, the Concentrator drops the packets as well. But if we provide the right group name, the Concentrator responds with this:

<EXTERNAL IP>  Aggressive Mode Handshake returned
       HDR=(CKY-R=1234567890abcdef)
       SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=1500)
       KeyExchange(128 bytes)
       Nonce(20 bytes)
       ID(Type=ID_IPV4_ADDR, Value=<INTERNAL IP>)
       Hash(16 bytes)
       VID=a0b9c8d7e6f5a4b3c2d1f0a9b8c7d6e5 (Cisco Unity)
       VID=123455668b3b3888 (XAUTH)
       VID=a0b9c8d7f6f5a4b3c3d1f0b9b8c7d6e5 (Dead Peer Detection)
       VID=a0b9c8d7f6f5a4b3c3d1fa0b9c8d7f6f5a4b3c3 (IKE Fragmentation)
       VID=a6b9c6b7f6b5a4b3c3d1f1b9b8c7d6e5
       VID=f0c3d8b7f6f5a7c3c1e6f0c2d2d7f3e8 (Cisco VPN Concentrator)

Because of this difference in behaviour, the group name can be guessed, either manually or with a dictionary attack against the server. ike-scan (http://www.nta-monitor.com/tools/ike-scan/) can be used for this.
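As an added example (not part of the original post), the following parses an ike-scan aggressive-mode report like the one shown above and turns it into audit findings a VPN owner can act on: aggressive mode with a pre-shared group secret is exactly the configuration the post describes, and L9 notes that certificate-based configurations are not affected. The sample text embedded in the code is constructed (documentation-range IP addresses); the finding codes and messages are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ike-scan reply quoted in the post
# (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts).
SAMPLE = """\
203.0.113.10  Aggressive Mode Handshake returned
       HDR=(CKY-R=1234567890abcdef)
       SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds LifeDuration=1500)
       KeyExchange(128 bytes)
       Nonce(20 bytes)
       ID(Type=ID_IPV4_ADDR, Value=192.0.2.1)
       Hash(16 bytes)
       VID=a0b9c8d7e6f5a4b3c2d1f0a9b8c7d6e5 (Cisco Unity)
       VID=123455668b3b3888 (XAUTH)
       VID=a6b9c6b7f6b5a4b3c3d1f1b9b8c7d6e5
       VID=f0c3d8b7f6f5a7c3c1e6f0c2d2d7f3e8 (Cisco VPN Concentrator)
"""

@dataclass
class IkeResponse:
    responder: str = ""
    aggressive: bool = False
    sa: dict = field(default_factory=dict)          # transform attributes, e.g. "Enc" -> "3DES"
    vendor_ids: dict = field(default_factory=dict)  # VID hex -> label, "unknown" if ike-scan gave none

def parse_ike_scan(text):
    """Parse one ike-scan handshake report (the text format shown above) into an IkeResponse."""
    resp = IkeResponse()
    for raw in text.splitlines():
        line = raw.strip()
        if "Handshake returned" in line:
            resp.responder = line.split()[0]          # first token is the responding address
            resp.aggressive = "Aggressive Mode" in line
        elif line.startswith("SA=("):
            body = line[len("SA=("):line.rfind(")")]  # everything inside SA=( ... )
            resp.sa = dict(re.findall(r"(\w+)=(\S+)", body))
        elif line.startswith("VID="):
            m = re.match(r"VID=([0-9a-fA-F]+)(?:\s+\((.+)\))?", line)
            resp.vendor_ids[m.group(1).lower()] = m.group(2) or "unknown"
    return resp

def audit(resp):
    """Turn a parsed reply into (code, message) findings for the device owner."""
    findings = []
    if resp.aggressive:
        findings.append(("AGGRESSIVE_MODE", "responder answers aggressive mode: a valid group name "
                         "gets a reply while an invalid one is silently dropped"))
    auth = resp.sa.get("Auth", "")
    # Anything not signature-based (RSA/DSS certificates) falls in the group-password class
    if auth == "PSK" or ("XAUTH" in auth and "RSA" not in auth and "DSS" not in auth):
        findings.append(("PSK_GROUP_AUTH", "group authentication uses a pre-shared secret; "
                         "certificate-based authentication is not exposed this way"))
    if resp.sa.get("Hash") == "MD5" or resp.sa.get("Enc") in ("DES", "3DES"):
        findings.append(("WEAK_CRYPTO", f"negotiated Enc={resp.sa.get('Enc')} Hash={resp.sa.get('Hash')}"))
    return findings
```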

Once the group name is obtained, the server can be made to return a hash of the group password in a modified MD5 format. Such a response from the IKE pre-shared key exchange with the Concentrator could look like this:

a60f86af35c2b771944ade9b2c5c3f5cc0a1fccee054184061202bf1c788be35999a5b3ea4b902ba209394b369060decfd1369f4f438b5721b597df859a529e71a2b530c555ddda7439c1c6c766a67b6817b9f14d40af8d365d07e4f8e56627bbb7d748361c05bb6dd562c92bfd873f6c1cf8a622ac7c79f8ca3e45516d4e8ea:77da26beecf8ecdc1eec2d8b46d4aecb6aff6bccdd943ad836fbdcd7af3dfd3a3b7f710a6619a84797d5ba9dbdf1cf80dcd1d8672c164983dc4798e96dc53d1f168701cc132a97855d1673984522625b368720625d782b2df62182a9eb377c72a5d01aa9765d072f347895dee4f11af172af3a706c636b97f376c5cc84a55831:0b79320bbb06bbbb:b0dd49295b043bfc:00000001000000010000009801010004030003240101000080010005800200028003000180140002800b0001000c00040000708003000240201000080010005800200018003000180040002800b0001000c0004000073480030000240301000080010001800200028003600180040002800b0001000c000403017080000000240401000080010001800200018003000180040002800b0001000c000400017080:121100000afe0617:c849c27485e3815eb786e1dd22ad028da3fab34d:5bdbd293c1d52d12b75dee547653269102acfcc8:564372d4715dd3e9ecf963571d4cb3a9

Once the hash is obtained, the password can be cracked offline using a dictionary, brute-force or rainbow-table attack. A good program for this is Cain & Abel (www.oxid.it/cain.html). The newest version integrates with Rainbow Crack Online (www.rainbowcrack-online.com), a subscription-based rainbow-table cracking service.

Now we have the group name and group password. In a corporate environment the next step is user authentication, normally based on some kind of token.

Let's assume that a two-factor authentication system is in place for user authentication once the group name authentication is passed. If we assume that RSA SecurID tokens are used in their standard configuration, a 4-digit PIN and a 6-digit token code are used to authenticate the user. The username can most likely be obtained from the e-mail address or by other means.

This means that the VPN access is now protected by a 4-digit PIN and a 6-digit token code (together called a passcode). The token code changes every 60 seconds. However, because of clock drift between token and server, the window of opportunity for a token code is actually three minutes. That means we need to crack the token code within 180 seconds.

If we assume the VPN server has a 100Mbit connection to the internet, we are able to try approximately 2.3 million password combinations per minute. The token code represents 999.999 combinations. We can therefore try about 6 PINs per window (three minutes). With 9999 PIN codes this will take less than four days to complete. After that time we will be in possession of the PIN code of the user's token as well as the group name and group password. We will still need to try up to 999.999 passcodes every time we wish to log on, but this can be done within a minute (a mitigating factor here is that the RSA server can be set up to deny this sort of brute-force attack).

It should be noted that this attack works on systems other than the Cisco Concentrator, and that if authentication is based solely on usernames and passwords, what you are enumerating and cracking is not just group names and group passwords, but actual end-user names and passwords.


Conclusion

Nothing new – but as a pen tester, it is worth taking a shot at the VPN boxes out there. It seems that Cisco at least hasn't been doing everything in their power to push these patches out to customers :)

Posted by Søren Maigaard 18/09/2006 at 01h31