ClearNet Security: Tag Penetration Testing

True penetration testing?

tate@ClearNetSec.com (Tate Hansen) — Sun, 04 May 2008 22:45:00 -0600

This from the new PCI information supplement: (regarding the required annual penetration testing for compliance)

The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications

Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear too; this is not about a vulnerability sweep, they want you to bust in.

Penetration testing [..] should occur from both outside the network trying to come in (external testing) and from inside the network.

Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?

PCI states:

“resources must be experienced penetration testers”

What does that mean?

I’m sure the PCI council is of compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test there way out of a paper bag even if they were handed a loaded metasploit gun, right?

With the huge number of companies bemoaning PCI compliance, I just don’t see most getting a true penetration test. I guess I could be reading too much into this. Maybe the skills bar level I consider for experienced penetration testers is way higher than what the PCI council considers experienced or what others consider experienced or good?

Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?

Rogue modems are still plentiful?

tate@ClearNetSec.com (Tate Hansen) — Fri, 15 Feb 2008 22:18:00 -0700

I was doing a scope call for a large grocery chain recently when they mentioned they discover around 20 rogue modems per quarter per division (and they have more than 12 divisions). That number is way higher than I would've guessed, though maybe lots of the modems are legitimate but not on their official roster.

Whatever the case may be, wardialing is not a moribund activity, or as close to it as I thought.

“Big money! Big prizes! I love it!”

tate@ClearNetSec.com (Tate Hansen) — Fri, 28 Dec 2007 08:57:00 -0700

Smash TV quotes. Love ‘em.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

product	to start	quarterly	total
d2	$1,950	$850	$5,350
gleg	$1,400	$700	$4,200
argeniss	$1,000	$500	$3,000
canvas	$1,450	$730	$4,370

And the crème of the crop:
Immunity Sec’s Vulnerability Sharing Club $50,000 - $100,000 per year

Attacking with anything less in hand tends toward negligence, especially if you do so without disclosing what you’re missing. Pay to have all and you’ve likely priced yourself out of competitive bids.

The winners here, again, are the attackers.

“Good Luck… you’ll need it!”

Cisco VPN group name and password testing

soren@maigaard.com (Søren Maigaard) — Mon, 18 Sep 2006 01:31:00 -0600

Cisco VPN group name and password

Even though this is not a new attack, it seems that the patch from Cisco has not gained a lot of attention. (The patch is from May 2005).

The following is a walk through of how to exploit this vulnerability in order to gain access to a network through an unpatched Cisco VPN Concentrator.

It should be noted that only Concentrators configured to use group names instead of certificates are vulnerable to this attack.

Walk through

The primary reason for this vulnerability is the use of bad security practice from Cisco – letting the device respond differently to valid and invalid usernames.

The exploit is based on sending packets to the Concentrator (see a follow-up post about detecting VPN Concentrators using IKEscan) in order to initiate an IKE session.

If we do not provide a group name, the Concentrator will drop the packets (which is why it will not show up on a port scan). If we provide a wrong group name, the Concentrator drops the packets as well. But if we provide the right group name, the Concentrator responds with this:

<EXTERNAL IP> Aggressive Mode Handshake returned

HDR=(CKY-R=1234567890abcdef)

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=XAUTH LifeType=Seconds Life

Duration=1500)

KeyExchange(128 bytes)

Nonce(20 bytes)

ID(Type=ID_IPV4_ADDR, Value=<INTERNAL IP>)

Hash(16 bytes)

VID=a0b9c8d7e6f5a4b3c2d1f0a9b8c7d6e5 (Cisco Unity)

VID=123455668b3b3888 (XAUTH)

VID=a0b9c8d7f6f5a4b3c3d1f0b9b8c7d6e5 (Dead Peer Detection)

VID=a0b9c8d7f6f5a4b3c3d1fa0b9c8d7f6f5a4b3c3 (IKE Fragmentation)

VID=a6b9c6b7f6b5a4b3c3d1f1b9b8c7d6e5

VID=f0c3d8b7f6f5a7c3c1e6f0c2d2d7f3e8 (Cisco VPN Concentrator)

Because of this, we can guess the group name, either by manually guessing or by doing a dictionary attack against the server. For this, IKEscan (http://www.nta-monitor.com/tools/ike-scan/) can be used.

Once the group name is obtained, the server can be forced to provide a HASH of the group name password in a modified MD5 format. Such a response from the IKE pre-shared key exchange with the Concentrator could look like this:

a60f86af35c2b771944ade9b2c5c3f5cc0a1fccee054184061202bf1c788be35999a5b3ea4b902ba209394b369060decfd1369f4f438b5721b597df859a529e71a2b530c555ddda7439c1c6c766a67b6817b9f14d40af8d365d07e4f8e56627bbb7d748361c05bb6dd562c92bfd873f6c1cf8a622ac7c79f8ca3e45516d4e8ea:77da26beecf8ecdc1eec2d8b46d4aecb6aff6bccdd943ad836fbdcd7af3dfd3a3b7f710a6619a84797d5ba9dbdf1cf80dcd1d8672c164983dc4798e96dc53d1f168701cc132a97855d1673984522625b368720625d782b2df62182a9eb377c72a5d01aa9765d072f347895dee4f11af172af3a706c636b97f376c5cc84a55831:0b79320bbb06bbbb:b0dd49295b043bfc:00000001000000010000009801010004030003240101000080010005800200028003000180140002800b0001000c00040000708003000240201000080010005800200018003000180040002800b0001000c0004000073480030000240301000080010001800200028003600180040002800b0001000c000403017080000000240401000080010001800200018003000180040002800b0001000c000400017080:121100000afe0617:c849c27485e3815eb786e1dd22ad028da3fab34d:5bdbd293c1d52d12b75dee547653269102acfcc8:564372d4715dd3e9ecf963571d4cb3a9

Once the hash is obtained, the password can be cracked offline using a dictionary, brute force, or rainbow table attack. A good program for this is Cain & Abel (www.oxid.it/cain.html). In the newest version this is integrated with Rainbow Crack Online (www.rainbowcrack-online.com), a subscription based rainbow crack service.

Now we have the group name and group name password. In a corporate environment the next step is the user authentication, normally based on some kind of token identification.

Let’s assume that a two-factor authentication system is in place for user authentication once the group name authentication is passed. If we assume that RSA SecurID tokens are used in their standard configuration, a 4 digit PIN and a 6 digit token code is used to authenticate the user. The username can most likely be obtained through the e-mail address or other means.

This means that the VPN access is now protected by a 4 digit PIN and 6 digit token code (combined also called a passcode). The token code will change every 60 seconds. However, because of time drifting, the window of opportunity for token codes is actually three minutes. That means that we need to crack the token code within 180 seconds.

If we assume the VPN server has a 100Mbit connection to the internet, we are able to try out approximately 2.3 million password combinations per minute. The token code represents 999.999 combinations. We can therefore try about 6 PINs per window (three minutes). With 9999 PIN codes this will take less than four days to complete. After that time we will be in possession of the PIN code of the user’s token as well as the group name and group password. We will still need to try up to 999.999 passcodes every time we wish to log on but this can be done within a minute (a mitigating factor here is that the RSA server can be set up to deny this sort of brute force attack).

It should be noted that this attack works on other systems than the Cisco Concentrator and that if authentication is based solely on usernames and passwords, what you are cracking and enumerating is not just group names and passwords, but actual end user names and passwords.

Conclusion

Nothing new – but as a pen tester, it is worth taking a shot at the VPN boxes out there. It seems that at least Cisco hasn’t been doing everything in their power to push these patches out to customers :)