IPsec VPN discovery and fingerprinting

Related categories: VPN

Roy Hills
Viewed: 11736 | Article date: 2006-02-09 15:47:25

Many people believe that IPsec VPN systems are invisible and inherently secure. However, in reality most implementations can be easily detected and fingerprinted. Once this step is achieved, a successful attack is only a matter of time.

About the author

Roy Hills is the founder of NTA Monitor Ltd, a UK-based security testing company. He wrote the ike-scan tool to investigate IPsec security and has used it to find several vulnerabilities in products from Check Point, Cisco, Nortel, and Juniper.

VPN security is often overlooked during a penetration test. There are several reasons for this: VPNs are often considered inherently secure because they employ strong cryptography; IPsec VPNs don't normally get picked up by a port scan; and many people are intimidated by the complexity of the protocol. However, given the correct tools and techniques, it is relatively straightforward to discover and fingerprint these systems.

We will show how it is possible to discover IPsec VPNs (see Inset Introduction to IPsec), and then determine what equipment is being used and find other useful information. We will see that the complexity of the IPsec protocol actually makes fingerprinting VPNs easier, because every manufacturer interprets the standards in a slightly different way.

 

 

What you will learn...

- how to discover IPsec VPN systems,
- how to use fingerprinting techniques to determine the type of VPN system.

What you should know...

- TCP/IP networking concepts,
- the basics of IPsec VPNs.

IPsec VPN detection

IPsec VPN servers generally will not be detected by a port scan. They don't listen on any TCP ports, so a TCP port scan won't find them. They don't normally send ICMP port unreachable messages either, so a UDP port scan won't pick up IKE on UDP port 500 (the standard IKE port), and a raw IP protocol scan won't pick up ESP or AH on IP protocols 50 and 51. In addition, the IPsec RFCs specify that incorrectly formatted packets should be ignored, so sending random garbage to UDP port 500 or to IP protocols 50 and 51 will not normally elicit any response either.
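The silent-drop behaviour described above, shown as an added example that is not code from the article or from ike-scan: a Python parser for the fixed 28-byte ISAKMP/IKE header (RFC 2408 for IKEv1, RFC 7296 for IKEv2) that returns None for anything a conforming responder would discard without replying, and a per-source tally that a gateway operator could run over captured UDP/500 traffic to separate malformed probes from genuine negotiations. The sample datagrams, the RFC 5737 addresses, the placeholder SA payload and the helper names are all constructed for this example.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1); IKEv2 keeps the same layout
ISAKMP_HEADER_LEN = 28
ZERO_COOKIE = b"\x00" * 8

# Exchange types from RFC 2408 (IKEv1) and RFC 7296 (IKEv2)
EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}


def parse_isakmp_header(payload):
    """Parse the ISAKMP/IKE header at the start of a UDP/500 datagram.

    Returns a dict of header fields, or None when the datagram is not a
    well-formed IKE message. None stands for what a conforming IPsec
    responder does with such input: it discards it without replying, which
    is why random data sent to UDP/500 does not reveal the VPN server.
    """
    if len(payload) < ISAKMP_HEADER_LEN:
        return None
    (init_cookie, resp_cookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):          # only IKEv1 (1.0) and IKEv2 (2.0) exist
        return None
    if length != len(payload):       # length field must cover the whole message
        return None
    if exch_type not in EXCHANGE_TYPES:
        return None
    if init_cookie == ZERO_COOKIE:   # the initiator cookie/SPI is never zero
        return None
    return {
        "initiator_cookie": init_cookie.hex(),
        "responder_cookie": resp_cookie.hex(),
        "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES[exch_type],
        "next_payload": next_payload,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # a zero responder cookie marks the first message of a new negotiation
        "new_negotiation": resp_cookie == ZERO_COOKIE,
    }


def summarise_udp500_traffic(datagrams):
    """Tally (src_ip, payload) pairs seen on UDP/500 per source address:
    malformed datagrams a gateway drops silently, first messages of new
    IKE negotiations, and messages belonging to a negotiation in progress."""
    per_source = {}
    for src, payload in datagrams:
        entry = per_source.setdefault(
            src, {"dropped": 0, "new_negotiations": 0, "in_progress": 0})
        header = parse_isakmp_header(payload)
        if header is None:
            entry["dropped"] += 1
        elif header["new_negotiation"]:
            entry["new_negotiations"] += 1
        else:
            entry["in_progress"] += 1
    return per_source


def build_ike_message(init_cookie, resp_cookie, version_byte, exch_type,
                      flags, msg_id, body):
    """Construct a test datagram: ISAKMP header (next payload = SA) plus a body."""
    length = ISAKMP_HEADER_LEN + len(body)
    header = struct.pack("!8s8sBBBBII", init_cookie, resp_cookie,
                         1, version_byte, exch_type, flags, msg_id, length)
    return header + body


# Constructed sample traffic (not captured data): a placeholder SA payload
# (DOI = IPsec, situation = SIT_IDENTITY_ONLY) and five datagrams from two
# made-up RFC 5737 documentation addresses.
DUMMY_SA_PAYLOAD = struct.pack("!BBHII", 0, 0, 12, 1, 1)
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", b"A" * 40),                      # random garbage, dropped
    ("192.0.2.10", b"\x00" * 10),                   # shorter than the header, dropped
    ("192.0.2.10", build_ike_message(bytes.fromhex("0123456789abcdef"), ZERO_COOKIE,
                                     0x10, 2, 0x00, 0, DUMMY_SA_PAYLOAD)),    # IKEv1 Main Mode, message 1
    ("198.51.100.7", build_ike_message(bytes.fromhex("fedcba9876543210"), ZERO_COOKIE,
                                       0x20, 34, 0x08, 0, DUMMY_SA_PAYLOAD)),  # IKEv2 IKE_SA_INIT
    ("198.51.100.7", build_ike_message(bytes.fromhex("fedcba9876543210"),
                                       bytes.fromhex("1122334455667788"),
                                       0x10, 32, 0x01, 0x2A, DUMMY_SA_PAYLOAD)),  # IKEv1 Quick Mode
]

if __name__ == "__main__":
    for src, counts in summarise_udp500_traffic(SAMPLE_DATAGRAMS).items():
        print(src, counts)
```

Run stand-alone, the script reports two dropped datagrams and one new negotiation for 192.0.2.10, and one new negotiation plus one in-progress message for 198.51.100.7. The parser only checks the header; a real gateway also validates the payload chain, so treat the header checks as the minimum that separates garbage from a proposal worth logging.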

Figure 1. Overview of the IPsec protocol framework

Copyright © 2006 by Software Developer's Journal. All rights reserved.