In association with heise online

Footprints

In preparing for an attack, hackers first collect all available information. A VPN gateway is relatively easy to identify. All you need is a port scanner like nmap, which will produce output such as the following:

# nmap -sSUV -O 10.1.1.254
Starting nmap 3.70
Interesting ports on 10.1.1.254:
PORT      STATE          SERVICE
256/tcp   open           fw1-secureremote
257/tcp   open           fw1-log
259/udp   open|filtered  firewall1-rdp
500/udp   open|filtered  isakmp
1701/udp  open|filtered  L2TP
Device type: firewall
Running: Checkpoint Windows NT/2K/XP
OS details: Checkpoint SecurePlatform NG FP3

The combination of open ports (256/tcp, 257/tcp and 259/udp are Firewall-1 management and SecuRemote ports) shows that the firewall is a Checkpoint product. nmap's OS fingerprinting and its service detection (the version column is not shown above) further suggest that a Firewall-1 NG on SecurePlatform has been found. UDP port 500 is a clear sign that this firewall also acts as a VPN gateway: this is the port on which IKE (Internet Key Exchange), the key-negotiation protocol of IPsec, listens. Note that nmap can only report UDP ports as "open|filtered" here because a gateway that drops unexpected UDP probes looks the same as one that silently accepts them.

Fingerprints

Special tools go one step further and determine which cryptographic algorithms and parameters the gateway accepts, which yields additional clues about the vendor. The free program ike-scan [1] handles this task:

# ike-scan 10.1.1.254 --trans=5,2,1,5 -o
Starting ike-scan 1.2 with 1 hosts
10.1.1.254   IKE Main Mode Handshake returned (1 transforms)

IKE Backoff Patterns:

IP Address   No.  Recv time           Delta Time
10.1.1.254   1    1092956328.817392   0.000000
10.1.1.254   2    1092956330.923392   2.106000
10.1.1.254   3    1092956332.885392   1.962000
10.1.1.254   4    1092956334.833392   1.948000
10.1.1.254   5    1092956336.836392   2.003000
10.1.1.254   6    1092956338.835392   1.999000
10.1.1.254   7    1092956340.844392   2.009000
10.1.1.254   8    1092956344.875392   4.031000
10.1.1.254   9    1092956348.882392   4.007000
10.1.1.254   10   1092956352.866392   3.984000
10.1.1.254   11   1092956356.902392   4.036000
10.1.1.254   12   1092956360.883392   3.981000
10.1.1.254   Implementation guess: Firewall-1 4.1/NG

The option "--trans=5,2,1,5" selects the transform attributes to be proposed, in the order encryption algorithm, hash, authentication method, Diffie-Hellman group: 3DES, SHA-1, pre-shared key, DH group 5 (1536-bit MODP). The message "IKE Main Mode Handshake returned" shows that the VPN gateway accepted this proposal. The vendor guess itself comes from the backoff table: ike-scan deliberately leaves the Main Mode handshake unfinished, records the times at which the gateway retransmits its reply, and compares the intervals (here six retransmissions roughly 2 seconds apart, then roughly 4 seconds apart) against its database of known vendor retransmission patterns. Both steps only work if the gateway accepts at least one of the transforms proposed; a gateway that silently drops unsupported proposals returns no reply and therefore no pattern. In that case it often helps to try out the IKE and IPsec parameters manually or by means of a script, cycling through the common encryption, hash and group combinations until one of them returns a handshake.
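To make the two mechanisms concrete, here is an added example written for this page (it is not code from the original article or from the ike-scan project). It builds the first IKE Main Mode message that a --trans=5,2,1,5 probe proposes, following the ISAKMP payload layout of RFC 2408 and the attribute numbers of RFC 2409, and it reduces the receive timestamps from the backoff table above to a whole-second pattern. The only known pattern in the table is the one that can be read off the output above; the candidate transform list and all function names are assumptions made for this example, not ike-scan's own defaults.

```python
import os
import struct

# ISAKMP / IKEv1 constants from RFC 2408 and RFC 2409 (appendix A)
NP_SA = 1                     # header "next payload": Security Association
EXCH_MAIN_MODE = 2            # "Identity Protection" exchange
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION = 11, 12

# Names for the numeric values that ike-scan's --trans=enc,hash,auth,group takes
ENC_NAMES = {1: "DES", 5: "3DES", 7: "AES"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
AUTH_NAMES = {1: "PSK", 3: "RSA-sig"}
GROUP_NAMES = {1: "DH-group-1", 2: "DH-group-2", 5: "DH-group-5"}


def describe_transform(enc, hash_, auth, group):
    """Human-readable form of a --trans tuple, e.g. 5,2,1,5 -> 3DES/SHA1/PSK/DH-group-5."""
    return "/".join((ENC_NAMES.get(enc, str(enc)), HASH_NAMES.get(hash_, str(hash_)),
                     AUTH_NAMES.get(auth, str(auth)), GROUP_NAMES.get(group, str(group))))


def _basic_attr(atype, value):
    # Basic attribute: AF bit set, 16-bit type, 16-bit value
    return struct.pack("!HH", 0x8000 | atype, value)


def _var_attr(atype, value):
    # Variable-length attribute: AF bit clear, 16-bit length, then the value bytes
    return struct.pack("!HH", atype, len(value)) + value


def build_main_mode_proposal(enc, hash_, auth, group, icookie=None):
    """First Main Mode message: ISAKMP header + SA payload offering exactly one transform."""
    attrs = (_basic_attr(ATTR_ENC, enc) + _basic_attr(ATTR_HASH, hash_)
             + _basic_attr(ATTR_AUTH, auth) + _basic_attr(ATTR_GROUP, group)
             + _basic_attr(ATTR_LIFE_TYPE, 1)                       # lifetime unit: seconds
             + _var_attr(ATTR_LIFE_DURATION, struct.pack("!I", 28800)))
    # Transform payload: next=0 (last), reserved, length, transform #1, KEY_IKE, reserved2
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, KEY_IKE, 0) + attrs
    # Proposal payload: next=0, reserved, length, proposal #1, ISAKMP, SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, PROTO_ISAKMP, 0, 1) + transform
    # SA payload: next=0, reserved, length, DOI, situation
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal
    # Header: initiator cookie, responder cookie (still zero), next payload, version 1.0,
    # exchange type, flags, message ID 0, total length
    icookie = icookie or os.urandom(8)
    hdr = icookie + bytes(8) + struct.pack("!BBBBII", NP_SA, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def candidate_transforms():
    """Constructed list a scan script might cycle through (an assumption, not ike-scan's list):
    3DES/AES/DES x SHA1/MD5 x PSK x DH groups 2, 5, 1."""
    return [(e, h, 1, g) for e in (5, 7, 1) for h in (2, 1) for g in (2, 5, 1)]


# Receive timestamps copied from the ike-scan -o output above (IP, No., Recv time, Delta)
BACKOFF_SAMPLE = """\
10.1.1.254 1 1092956328.817392 0.000000
10.1.1.254 2 1092956330.923392 2.106000
10.1.1.254 3 1092956332.885392 1.962000
10.1.1.254 4 1092956334.833392 1.948000
10.1.1.254 5 1092956336.836392 2.003000
10.1.1.254 6 1092956338.835392 1.999000
10.1.1.254 7 1092956340.844392 2.009000
10.1.1.254 8 1092956344.875392 4.031000
10.1.1.254 9 1092956348.882392 4.007000
10.1.1.254 10 1092956352.866392 3.984000
10.1.1.254 11 1092956356.902392 4.036000
10.1.1.254 12 1092956360.883392 3.981000
"""

# Retransmission gaps in whole seconds. Only the pattern readable from the table above
# is listed here; the real ike-scan ships a far larger pattern file.
KNOWN_BACKOFF = {"Firewall-1 4.1/NG": [2, 2, 2, 2, 2, 2, 4, 4, 4, 4, 4]}


def backoff_pattern(table):
    """Round the gaps between successive retransmissions to whole seconds."""
    recv = [float(line.split()[2]) for line in table.strip().splitlines()]
    return [round(later - earlier) for earlier, later in zip(recv, recv[1:])]


def guess_implementation(table):
    """Return the vendor name whose known pattern matches the observed gaps, else None."""
    pattern = backoff_pattern(table)
    return next((name for name, known in KNOWN_BACKOFF.items() if pattern == known), None)


if __name__ == "__main__":
    pkt = build_main_mode_proposal(5, 2, 1, 5)
    print(describe_transform(5, 2, 1, 5), len(pkt), "bytes:", pkt.hex())
    print(backoff_pattern(BACKOFF_SAMPLE), "->", guess_implementation(BACKOFF_SAMPLE))
```

The packet builder shows what a single --trans proposal looks like on the wire (84 bytes for one transform with a lifetime attribute); a script that wants to probe a reluctant gateway would loop over candidate_transforms() and send one such message per combination to UDP port 500, stopping at the first one that draws a reply. Matching on exact whole-second gaps is deliberately strict; real network jitter may require a tolerance, which is why the page's output prints the raw timestamps rather than a pre-rounded pattern.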

Permalink: http://h-online.com/-747175