lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 23 Apr 2003 11:35:15 +0100
From: Michael Thumann <mthumann@...w.de>
To: bugtraq@...urityfocus.com;, vulnwatch@...nwatch.org,
	cert@...t.org
Subject: Cracking preshared keys


Hi,

we would like to announce the publication of a proof of concept paper 'PSK 
cracking using IKE Aggressive Mode'. Paper can be downloaded from 
www.ernw.de/download/pskattack.pdf .

The theoretical vulnerability about this topic is not new. While we were 
preparing a talk about VPN hacking we configured the lab that is described 
in the paper to do some kind of demonstration. We were able to capture and 
crack successfully PSKs of a cisco router due to the issue that the cisco 
router switches automatically to aggressive mode if the initiating clients 
demands it.

This attack depends on some conditions on the vpn gateway.

1. Preshared keys are use for authentication
2. The vpn gateway must allow any ip address to establish a vpn connection
3. The vpn gateway must support aggressive mode
4. Of course the psk must be weak to crack it in an acceptable amount of time

Under these circimstances it's possible to capture and crack the preshared 
key of a vpn gateway and gain unauthorized access to private networks.

To prevent your vpn gateways from being compromised we suggest the 
following actions:
- Don't use preshared key for authentication, if its possible. Otherwise 
ensure that you use very strong keys.
- If possible, don't allow vpn connections from any ip address (difficult, 
I know).
- Disable aggressive mode, if it's supported (for example in Checkpoint 
Firewall-1 where it's disabled per default).

cheers
Michael




ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
Tel. +49 6221 480390 - Fax +49 6221 419008 - Mobil +49 173 6745903

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ