Even though this is not a new attack, it seems that the
patch from Cisco has not gained a lot of attention. (The patch is from May
2005).
The following is a walk through of how to exploit this
vulnerability in order to gain access to a network through an unpatched Cisco
VPN Concentrator.
It should be noted that only Concentrators configured to use
group names instead of certificates are vulnerable to this attack.
Walk through
The primary reason for this vulnerability is the use of bad
security practice from Cisco – letting the device respond differently to valid
and invalid usernames.
The exploit is based on sending packets to the Concentrator
(see a follow-up post about detecting VPN Concentrators using IKEscan) in order
to initiate an IKE session.
If we do not provide a group name, the Concentrator will
drop the packets (which is why it will not show up on a port scan). If we
provide a wrong group name, the Concentrator drops the packets as well. But if
we provide the right group name, the Concentrator responds with this:
<EXTERNAL IP>
Aggressive Mode Handshake returned
HDR=(CKY-R=1234567890abcdef)
SA=(Enc=3DES
Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds Life
Duration=1500)
KeyExchange(128 bytes)
Nonce(20
bytes)
ID(Type=ID_IPV4_ADDR, Value=<INTERNAL IP>)
Hash(16
bytes)
VID=a0b9c8d7e6f5a4b3c2d1f0a9b8c7d6e5
(Cisco Unity)
VID=123455668b3b3888
(XAUTH)
VID=a0b9c8d7f6f5a4b3c3d1f0b9b8c7d6e5
(Dead Peer Detection)
VID=a0b9c8d7f6f5a4b3c3d1fa0b9c8d7f6f5a4b3c3
(IKE Fragmentation)
VID=a6b9c6b7f6b5a4b3c3d1f1b9b8c7d6e5
VID=f0c3d8b7f6f5a7c3c1e6f0c2d2d7f3e8
(Cisco VPN Concentrator)
Because of this, we can guess the group name, either by
manually guessing or by doing a dictionary attack against the server. For this,
IKEscan (http://www.nta-monitor.com/tools/ike-scan/) can be used.
Once the group name is obtained, the server can be forced to
provide a HASH of the group name password in a modified MD5 format. Such a
response from the IKE pre-shared key exchange with the Concentrator could look
like this:
a60f86af35c2b771944ade9b2c5c3f5cc0a1fccee054184061202bf1c788be35999a5b3ea4b902ba209394b369060decfd1369f4f438b5721b597df859a529e71a2b530c555ddda7439c1c6c766a67b6817b9f14d40af8d365d07e4f8e56627bbb7d748361c05bb6dd562c92bfd873f6c1cf8a622ac7c79f8ca3e45516d4e8ea:77da26beecf8ecdc1eec2d8b46d4aecb6aff6bccdd943ad836fbdcd7af3dfd3a3b7f710a6619a84797d5ba9dbdf1cf80dcd1d8672c164983dc4798e96dc53d1f168701cc132a97855d1673984522625b368720625d782b2df62182a9eb377c72a5d01aa9765d072f347895dee4f11af172af3a706c636b97f376c5cc84a55831:0b79320bbb06bbbb:b0dd49295b043bfc:00000001000000010000009801010004030003240101000080010005800200028003000180140002800b0001000c00040000708003000240201000080010005800200018003000180040002800b0001000c0004000073480030000240301000080010001800200028003600180040002800b0001000c000403017080000000240401000080010001800200018003000180040002800b0001000c000400017080:121100000afe0617:c849c27485e3815eb786e1dd22ad028da3fab34d:5bdbd293c1d52d12b75dee547653269102acfcc8:564372d4715dd3e9ecf963571d4cb3a9
Once the hash is obtained, the password can be cracked offline
using a dictionary, brute force, or rainbow table attack. A good program for
this is Cain & Abel (www.oxid.it/cain.html). In the newest version this is
integrated with Rainbow Crack Online (www.rainbowcrack-online.com), a
subscription based rainbow crack service.
Now we have the group name and group name password. In a
corporate environment the next step is the user authentication, normally based
on some kind of token identification.
Let’s assume that a two-factor authentication system is in
place for user authentication once the group name authentication is passed. If
we assume that RSA SecurID tokens are used in their standard configuration, a 4
digit PIN and a 6 digit token code is used to authenticate the user. The
username can most likely be obtained through the e-mail address or other means.
This means that the VPN access is now protected by a 4 digit
PIN and 6 digit token code (combined also called a passcode). The token code
will change every 60 seconds. However, because of time drifting, the window of
opportunity for token codes is actually three minutes. That means that we need
to crack the token code within 180 seconds.
If we assume the VPN server has a 100Mbit connection to the
internet, we are able to try out approximately 2.3 million password
combinations per minute. The token code represents 999.999 combinations. We can
therefore try about 6 PINs per window (three minutes). With 9999 PIN codes this
will take less than four days to complete. After that time we will be in possession
of the PIN code of the user’s token as well as the group name and group password.
We will still need to try up to 999.999 passcodes every time we wish to log on
but this can be done within a minute (a mitigating factor here is that the RSA
server can be set up to deny this sort of brute force attack).
It should be noted that this attack works on other systems
than the Cisco Concentrator and that if authentication is based solely on
usernames and passwords, what you are cracking and enumerating is not just
group names and passwords, but actual end user names and passwords.
Conclusion
Nothing new – but as a pen tester, it is worth taking a shot
at the VPN boxes out there. It seems that at least Cisco hasn’t been doing
everything in their power to push these patches out to customers :)
