Sam - October 3, 2016
When penetration testing an organisation, after we have collected our open source intelligence regarding their websites, external facing hosts, e-mail addresses, Google results and social media accounts, one of the often overlooked attack vectors is the company VPN. A quick search on https://www.shodan.io – the self styled “Search Engine for the Internet of Things” – shows just how many systems are alive on the internet with the search term “VPN”:
So, with over 4 million IKE VPN’s discovered with this basic search alone, we get a quick idea of just how many end-points there are out there, and with this many there are bound to be those with misconfigurations, out of date software/firmware and weak credentials. These are what I consider to be the three main methods of compromising a VPN setup.
OK, you’ve discovered the target has a VPN service exposed to the internet, what next? Well luckily for us there are a few handy tools to enable us to progress our test, the first of these being “IKESCAN”. This is now an old and established tool included in Kali 1 and 2, used for discovery, fingerprinting, user-enumeration, key extraction and key-password cracking of vulnerable VPN’s. The first thing to check, does the VPN support the “aggressive” mode of negotiation that will allow us to grab a copy of the PSK or pre-shared-key which we can then crack offline. In the following example we target the local VPN server 192.168.0.7 with the following options:
-M multiline output
-A aggressive mode handshake
–id=blah a non-existent user id to attempt negoation with
-P returns response payload, including responder hash (HASH_R)
Now we have discovered that the target is running a vulnerable implementation of IKE, we can capture the PSK and crack it offline:
This will give us a dump of the PSK that we can crack using psk-crack:
If your wordlist or brute force finds a match on the hash then it just remains to connect to the VPN using an IPsec client and this cracked PSK password.
Another great tool that runs on Windows systems is “ikeprobe”. This tool will run through all the different negotiation methods and check for weak or poorly configured ciphers:
The next section of this article will focus on exploiting the infamous “HEARTBLEED” vulnerability in out of date SSL installs. If, during your reconnaissance phase, you happen to notice an SSL VPN in use by your target, the first thing to check is the version of SSL being used and whether the install is vulnerable to HEARTBLEED, among other SSL weaknesses. A study in February 2016 (https://www.htbridge.com/blog/90-percent-of-ssl-vpns-use-insecure-or-outdated-encryption.html) showed that some 10% of a sample of 10,000 random VPNs available on the internet were still vulnerable to heartbleed. This flaw is critical, rated as 10 on the CVSS scale and can lead to full compromise of the private keys of the VPN if a successful attack is performed.
First we need to check if the SSL implementation is vulnerable and for this we can use nmap with its built in scripting engine, and the heartbleed-ssl script. The following arguments are required:
-p 443 sets the port to 443
–script ssl-heartbleed tells nmap that we want to use the NMAP SCRIPTING ENGINE (NSE) with the heartbleed script
–script-args vulns.showall allows us to get a screen dump showing the details of whether or not the target is vulnerable
192.168.32.100 is our target
So we’ve hit the jackpot and found a SSL VPN that is vulnerable to heartbleed, what next? Exploitation and theft of data on the system of course!
To exploit this vulnerability, we turn to that pillar of penetration testing tools, metasploit! The framework contains a convenient scanner and data dump tool for heartbleed, and we can utilise that against our target for fast results. Fire up msfconsole on the Kali command line, and then load up the auxiliary/scanner/ssl/openssl_heartbleed module:
Set your RHOSTS variable to that of your target (192.168.32.100 in our case), then launch the attack:
Now we get the real juicy stuff, so juicy that I have had to remove some of the data dumped by my server! From this we can pull out private keys of the SSL install, any passwords that might be in memory, and all sorts of configuration and build data of the target. I once found a root password for a critical server using this exact vulnerability and tool.
So as you can see, an out of date SSL install on a VPN can potentially lead to full system compromise. Heartbleed is just one of (albeit the most critical) vulnerability in modern SSL that you should be aware of. See also BEAST and POODLE for examples of attacks on SSL.
We have covered direct compromise of poorly configured IKE VPN’s and attacks on out of date or unpatched SSL VPNs, the final type of attack that will be discussed is man-in-the-middle attacks on VPNs. This topic will be covered in theory only due to the nature of the setup required to perform this type of attack on users of a VPN. The basic concept is, if you can find a way of intercepting the traffic going between a VPN client and a VPN server then you can take a copy of the keys as they are transmitted and attempt to crack them offline, which will then allow you to decrypt the traffic that you capture between the two hosts.
There are various methods of creating a man-in-the-middle (MitM) condition, from getting onto the target network and using ARP poisoning, using a passive Ethernet wiretap, attacking HSRP or OSPF on an enterprise network or compromising the client itself and taking the traffic straight off the host. Of course all of these attacks (and the others discussed above) are illegal without prior written consent of the target person or organisation. If, however, you are a nation state wishing to compromise a VPN link between two parties you can simply take the data off the wire as it passes through a VPN, or one of the main internet backbones that you control! It has been revealed (thanks to the infamous Edward Snowden leaks) that this is exactly how the NSA/GCHQ performed this kind of attack. The following is a diagram taken from a leaked document, showing the intelligence agencies architecture for stealing VPN keys (HAMMERSTEIN) and passing them off to their cracking infrastructure:
• Use long passwords to secure your keys and user logins (25 characters or more)
• Use a separate trusted external CA to sign your keys
• Use two factor authentication (2FA) on your VPN (RSA secure keys, Google authenticator etc.)
• Avoid using your VPN on unsecure wireless network