Using Penetration Testing To Discover VP PDF
AWERProcedia Information Technology & Computer Science 1 (2012) 73-78
Abstract
A VPN is a private network constructed within a public network infrastructure, such as the Internet. VPNs are widely used to
create wide area networks (WANs) that span large geographic areas, to provide site-to-site connections to branch offices and
to allow mobile users to dial up their company LANs. VPNs are generally considered to have strong protection for data
communications, but if they are incorrectly configured they are still vulnerable, just as any other Internet-facing system. In
the first part of this paper we will analyze and compare the key VPN security technologies, like IPsec and SSL. In the second
part we will describe a common penetration testing methodology for VPNs. The objective is to discover vulnerabilities in the
VPN implementation that an attacker may be able to exploit.
Selection and peer review under responsibility of Prof. Dr. Hafize Keser.
©2012 Academic World Education & Research Center. All rights reserved.
1. Introduction
Virtual private networks extend the reach of LANs without requiring owned or leased private lines.
Companies can use VPNs to provide remote and mobile users with network access, connect geographically
separated branches into a unified network and enable the remote use of applications that rely on internal
servers. VPNs can also be used in distributed systems; the distributed system model best suits the organizational
structure of companies that, because of their business needs, are geographically distributed.
* ADDRESS FOR CORRESPONDENCE: Defta (Ciobanu) Costinela, Luminita. PhD student, Doctoral School, University of Pitesti, Department of
Computer Science, Str. Targu din Vale, nr.1, Arges, Postcode 110040, Romania.
E-mail address: [email protected] / Tel.: +40-767-024-056
Defta (Ciobanu) Costinela - Luminita / AWERProcedia Information Technology & Computer Science (2012) 73-78
VPNs can be divided into three categories, depending on the mechanisms that they use: trusted VPNs, secure
VPNs and hybrid VPNs.
Companies who use trusted VPNs do so because they want to know that their data is moving over a set of
paths that have specified properties and is controlled by one ISP or a trusted confederation of ISPs. This allows the
customer to use their own private IP addressing schemes, and possibly to handle their own routing. The major
technologies used for implementing trusted VPNs over IP networks are ATM circuits, frame-relay circuits and
Multiprotocol Label Switching (MPLS).
The main reason that companies use secure VPNs is so that they can transmit sensitive information over the
Internet without needing to worry about who might see it. Everything that goes over a secure VPN is encrypted
to such a level that even if someone captured a copy of the traffic, they could not read it even if they
used hundreds of millions of dollars' worth of computers. For organizations that are expanding globally, the
data exchange between multiple databases and applications has become more important. Further, using a
secure VPN allows the company to know that an attacker cannot alter the contents of their transmissions, such
as by changing the value of financial transactions. Secure VPNs are particularly valuable for remote access where
a user is connected to the Internet at a location not controlled by the network administrator, such as from a
hotel room, airport kiosk, or home. Secure VPNs can use IPsec with encryption, IPsec inside of Layer 2 Tunnelling
Protocol (L2TP), SSL 3.0 or Transport Layer Security (TLS) with encryption, Layer Two Forwarding (L2F) or
Point-to-Point Tunnelling Protocol (PPTP).
It is clear that secure VPNs and trusted VPNs have very different properties. Secure VPNs provide security but
no assurance of paths. Trusted VPNs provide assurance of properties of paths such as QoS, but no security from
snooping or alteration. Because of these strengths and weaknesses, hybrid VPNs have started to appear,
although the list of scenarios where they are desired is still evolving. A typical situation for hybrid VPN
deployment is when a company already has a trusted VPN in place and some parts of the company also need
security over part of the VPN. A hybrid VPN uses both IPsec and Secure Sockets Layer (SSL).
In this paper we will present a common methodology for testing a VPN to discover security issues and also
we will outline a number of VPN technologies, among which IPsec and SSL VPN are the most common.
2. VPN Protocols
The most used VPN protocols are: PPTP, L2TP, IPSec, SSL.
PPTP (Point-to-Point Tunneling Protocol) is the most widely supported VPN method among Windows users
and it was created by Microsoft in association with other technology companies. The disadvantage of PPTP is
that it does not provide encryption and it relies on the PPP (Point-to-Point Protocol) protocol to implement
security measures. But compared to other methods, PPTP is faster and it is also available for Linux and Mac
users.
L2TP (Layer 2 Tunneling Protocol) is another tunneling protocol that supports VPNs. Like PPTP, L2TP does
not provide encryption and it relies on the PPP protocol to do this. The difference between PPTP and L2TP is that the
latter provides not only data confidentiality but also data integrity. L2TP was developed by Microsoft and
Cisco as a combination of PPTP and L2F (Layer 2 Forwarding).
The IPsec protocol can be used for encryption in combination with the L2TP tunneling protocol. It is used as a "protocol
suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a
data stream". IPSec requires expensive, time-consuming client installations and this can be considered an
important disadvantage.
SSL (Secure Sockets Layer) VPN is a VPN accessible via HTTPS from a web browser. The advantage of an SSL VPN is
that it does not need any software installed because it uses the web browser as the client application. Through
SSL VPNs the user's access can be restricted to specific applications instead of allowing access to the whole
network.
IPSec VPNs are best suited for point-to-point access. Open tunneling protects data between two private
networks or between IT-managed machines and a private network. IPSec is a perfectly viable solution when a
permanent connection is required between two specific locations, for example between a branch or remote
office and a corporate headquarters. It can also be used successfully to provide access to a small finite number
of remote workers using tightly-controlled corporate-issued laptops.
At one time, a traditional Internet Protocol Security (IPSec) virtual private network (VPN) was the only option
for secure remote access. However, because IPSec solutions were designed for trusted site-to-site connectivity
and not with a highly-mobile workforce in mind, IPSec solutions had limitations for supporting untrusted end
point locations that were not directly managed by IT.
In response to increasing user demands for remote access, a new kind of VPN emerged - SSL VPNs. These new
VPNs, based on the Secure Sockets Layer (SSL) protocol that safeguards the world of e-commerce, quickly
became the leading option for remote access.
As organizations grow and become more mobile, many are shifting to SSL VPNs, as they offer “everywhere”
access while retaining complete control and security. Recent advances in SSL VPN technology offer many
benefits for both users and companies. When compared to IPSec, SSL VPNs are typically less costly to manage,
eliminate concerns related to open-by-default tunnels and offer a more flexible experience for employees and
business partners using untrusted end point environments.
Many existing IPSec implementations can continue to work well for the use cases for which they were
originally deployed. IT might consider keeping IPSec in these limited areas and extending remote access to other
areas, such as trusted partners or extranet users, via a parallel SSL VPN solution. While a parallel VPN
implementation is a viable choice for some enterprises, transitioning all access use cases through a single SSL
VPN gateway might ultimately cost less and be easier to manage.
In the following table we compare the advantages and disadvantages of each protocol:
SSL
Advantages:
- Ubiquity of web browsers enables nearly universal access.
- Allows granular access control to applications.
- Easy access to Web-enabled applications.
- Lower ownership costs than IPSec.
- Easier scalability than IPSec.
Disadvantages:
- Users may come in from unknown, untrusted machines.
- Tokens or digital certificates required for authentication stronger than user name/password.
- Sensitive information may be left on public terminals.
- Demands some amount of integration for legacy applications.

IPSec
Advantages:
- Client software provides strong device authentication.
- Remote machines easily augmented with AV & policy enforcement software.
- Network layer connection provides complete application access.
Disadvantages:
- Ties user to a single machine.
- Requires deployment and configuration to every user you want to give remote access.
- Support services may be costly.
- Firewalls and NAT may interfere with access.
Like any other gateway, your VPN needs to go through a thorough penetration test to check for
vulnerabilities. It's easy to overlook VPNs when administering a network penetration test, as it's often assumed
that they're the most secure part of it. But they're not, and they're a magnet for hackers. An IPSec VPN is a
network-based VPN, while an SSL VPN is web-based, so each of them should be tested as such. But, regardless of the type, there
are three steps to penetration testing a VPN:
- scanning open ports and fingerprinting
- exploitation of known vulnerabilities and assessing PSK
- exploitation of default user accounts
We need to determine the type of VPN implementation (IPsec, PPTP, or SSL), the VPN vendor information and
corresponding version numbers. This is necessary to execute a focused attack against the target VPN
environment. The first step entails port scanning the VPN server to make an educated guess on the type of VPN
implementation. The following table provides a mapping of open ports to VPN type, using default ports:
A port scan can easily be made with free tools, such as Nmap, ScanLine and SuperScan. Scan the network
where the VPN may be located. If the scan shows that port 500 is open, the VPN is IPSec.
Port 500 is the standard port for the Internet Key Exchange (IKE) protocol used for the key exchange required
in IPSec. The IKE protocol provides a means to securely exchange the secret key, which is essential for the effective
operation of the Authentication Header (AH) and Encapsulating Security Payload (ESP) between the
communicating subjects.
If the scan shows port 443 to be open, the standard port for SSL, then the VPN is SSL. An SSL VPN uses the
same port as any other SSL communication. It is possible that the scan may have false positives. This is most
likely to happen if the subject of the scan is a firewall-VPN combination device. In such cases, the firewall is likely
to drop packets targeted to it, resulting in false positives.
Next we need to determine what we are up against by finding out the vendor and version of the VPN server.
The IKE Scan tool (developed by NTA Monitor) can be used to fingerprint many VPN vendors and models.
With that information, a hacker can search the Web for details of attacks against specific vendors. The tool can't
fingerprint every VPN model, but it can reveal the type of authentication used in the VPN – useful information
for a cracker.
For example, in the case of IPSec VPNs, we can use IKE Scan to provide a reasonably accurate fingerprint of
the VPN server vendor and the version number. This tool performs the fingerprinting by checking the values of
specific variables in the IPsec packets being exchanged, and compares these against its signature database.
The IKE scan execution output may look like this:
If the packet exchange patterns observed by ike-scan match any of those within its signature database, it
provides a best guess of the VPN server platform and outputs the data as follows:
The fingerprint information allows a potential attacker the ability to execute a more focused attack against
the VPN. With this knowledge, the attacker may not only attempt platform specific exploits against the system,
but may also attempt a brute-force attack using the appropriate client software.
Other tools, like IKEProbe and IKECrack, take advantage of weaknesses in the pre-shared key (PSK)
authentication used in IPSec VPNs. The hashes captured by these tools can then be run through ordinary
password crackers, such as Cain and Abel, to steal passwords for malicious access to the VPN and, of course, the
corporate network. IKEProbe can be used to determine vulnerabilities in the PSK implementation of the VPN
server. It tries out various combinations of ciphers, hashes and Diffie-Hellman groups and attempts to force the
remote server into aggressive mode.
IKEProbe output may look like this:
ikeprobe 192.168.16.93
IKEProbe 0.1beta (c) 2003 Michael Thumann (www.ernw.de)
Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)
Read license-cipherica.txt for LibIKE License Information
IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)
Supported Attributes
Ciphers : DES, 3DES, AES-128, CAST
Hashes : MD5, SHA1
Diffie Hellman Groups: DH Groups 1,2 and 5
IKE Proposal for Peer: 192.168.16.93
Aggressive Mode activated ...
Once the PSK has been cracked, software such as PGPNet can be used to connect to the vulnerable VPN
server. An attacker may also attempt to exploit vulnerabilities in the vendor's implementation of the specific
protocols.
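As an added illustration of what the ike-scan fingerprinting and the IKEProbe aggressive-mode check above actually look at (example code written for this page, not taken from either tool or from the paper): a small parser for the IKEv1/ISAKMP header and payload chain that extracts Vendor ID payloads, the values a fingerprinter compares against its signature database, and flags a first message that already uses Aggressive Mode with an ID payload, the condition under which a PSK gateway's reply can be captured for offline cracking and which a defender should therefore disable on the gateway. The sample messages are constructed, not captured traffic.

```python
import struct

# IKEv1 / ISAKMP (RFC 2408) field values used by the parser below
EXCHANGE_TYPES = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive", 5: "informational"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
HEADER = struct.Struct("!8s8sBBBBII")  # SPIs, next payload, version, exchange, flags, msg id, length

def parse_isakmp(pkt: bytes) -> dict:
    """Parse one UDP/500 datagram: exchange type, payload chain and any Vendor ID blobs."""
    if len(pkt) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, rspi, nxt, _ver, xchg, _flags, _mid, length = HEADER.unpack_from(pkt, 0)
    if length > len(pkt):
        raise ValueError("declared length exceeds datagram")
    payloads, vendor_ids, off = [], [], HEADER.size
    while nxt != 0 and off + 4 <= length:
        pnext, _res, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > length:
            raise ValueError("malformed payload length")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        if nxt == 13:  # Vendor ID: the bytes ike-scan compares with its signature database
            vendor_ids.append(pkt[off + 4:off + plen].hex())
        nxt, off = pnext, off + plen
    return {"exchange": EXCHANGE_TYPES.get(xchg, f"type{xchg}"), "payloads": payloads,
            "vendor_ids": vendor_ids, "has_responder_spi": rspi != bytes(8)}

def aggressive_mode_psk_risk(pkt: bytes) -> bool:
    """True for an Aggressive Mode first message that already carries an ID payload: the
    exchange whose responder hash IKEProbe/IKECrack capture, so flag it for hardening."""
    info = parse_isakmp(pkt)
    return info["exchange"] == "aggressive" and "ID" in info["payloads"]

def build_msg(exchange: int, payloads: list) -> bytes:
    """Assemble a minimal ISAKMP message from (payload type, body) pairs; test data only."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HEADER.pack(b"\x11" * 8, bytes(8), first, 0x10, exchange, 0, 0, HEADER.size + len(body)) + body

# Constructed samples (not captured traffic): a Main Mode SA offer with a made-up Vendor ID,
# and an Aggressive Mode offer that sends SA, KE, NONCE and ID in its very first packet.
MAIN_MODE_MSG1 = build_msg(2, [(1, bytes(8)), (13, b"constructed-vid")])
AGGRESSIVE_MSG1 = build_msg(4, [(1, bytes(8)), (4, b"\x01" * 32), (10, b"\x02" * 16),
                                (5, b"\x01\x00\x00\x00vpnuser")])
```

Run over the first packet of each IKE session seen on UDP/500 at the gateway, the risk check gives a simple audit signal that aggressive mode is still negotiable and should be turned off in favour of main mode or certificate authentication.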
For SSL VPNs, the same tools for scanning a web application can be used. Tools, such as Webinspect and
Watchfire, can check for web threats like cross-site scripting (XSS), SQL injection, buffer overflows, weak
authentication and old-fashioned parameter manipulation. The scan results can be followed by either automatic
or manual tests to verify the vulnerabilities.
Default user accounts (with default passwords) are a common vulnerability in VPN systems (and in many
others). These accounts are used for initial installation and aren't needed after that. They should be either
removed or changed, where possible. The same goes for any administrative accounts used for routine
maintenance.
In addition to blind penetration testing (without a valid user account), assessing the VPN using a valid user
account ID provides added value. This normally yields a larger number of critical vulnerabilities than the blind
penetration testing phase. This can be attributed to the added VPN functionality and attack surface exposed to
an authenticated user as compared to a zero-knowledge attacker.
5. Conclusion
Even if VPNs provide a secure way of communication, if they are incorrectly configured they are still
vulnerable. The compromise of a VPN server may have an extremely negative impact on the organization's
business as it may provide unauthorized access to internal company resources. Thus, organizations should pay
special attention to the implementation, configuration and ensure a proper penetration test has been
completed in a VPN system.
Also, whether an IPSec or SSL VPN is the right choice ultimately depends on the extent of the company’s secure
remote access needs:
- IPSec VPN technology is designed for site-to-site VPNs or for remote access from a small finite number
of tightly-controlled corporate assets
- SSL VPN technology, on the other hand, works much better for secure remote access. SSL VPN
technology is an ideal replacement for - or adjunct to - IPSec, because it increases productivity by
allowing access to more resources from more end points.