Saturday, October 13, 2007

Firewall & VPN Identification with Ike-Scan


Sometimes nmap will tell you exactly what you are up against...

cg@segfault:~$ nmap -A 192.168.1.15

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-13 14:58 MDT
Interesting ports on (192.168.1.15):
Not shown: 1694 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Cisco VPN Concentrator http config
443/tcp open ssl/http Cisco VPN Concentrator http config
10000/tcp open snet-sensor-mgmt?
Service Info: Device: terminal server

Sometimes it won't tell you crap... :-(

cg@segfault:~$ nmap -A 192.168.1.11 -P0 -p 1-65535

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-13 00:34 MDT
All 65535 scanned ports on depcon (192.168.1.11) are filtered

Nmap finished: 1 IP address (1 host up) scanned in 13122.065 seconds


If you suspect that it's a firewall or VPN concentrator, you can use ike-scan to help test your theory. ike-scan talks IKE over UDP port 500, which a TCP-only port scan like the one above never touches, so an IKE responder can be sitting right behind a box that shows every TCP port filtered.

root@segfault:# ike-scan 192.168.1.11
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.11 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000, msgid=05e350bc)


That notify message tells us "something" is there and speaks IKE, but it rejected every transform in ike-scan's default proposal (which uses pre-shared-key auth), so we still aren't any closer to ID'ing it. Let's throw some other auth methods at it.

--auth=<n> or -m <n>   Set auth. method to <n>, default=1 (PSK).
                       RFC defined values are 1 to 5. See RFC 2409 Appendix A.
                       Checkpoint hybrid mode is 64221.
                       GSS (Windows "Kerberos") is 65001.
                       XAUTH uses 65001 to 65010.
                       This is not applicable to IKEv2.

root@segfault:# ike-scan 192.168.1.11 --auth=3
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.11 Main Mode Handshake returned HDR=(CKY-R=42c304f9b0e011fd) SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)


A little more info: with auth method 3 (RSA signatures) the device accepts a proposal and completes a Main Mode handshake (3DES, SHA1, DH group 2, 0x7080 = 28800-second lifetime), but it sends no Vendor ID payload, so we still have nothing on what device it is.

root@segfault:# ike-scan 192.168.1.11 --auth=64221
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.11 Main Mode Handshake returned HDR=(CKY-R=ab8bd634493e304e) SA=(Enc=3DES Hash=SHA1 Auth=Hybrid Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4710496d0000000018000000 (Firewall-1 NGX)


Ok, we got a Vendor ID (Check Point hybrid-mode auth, 64221, is what coaxed it out) and ike-scan tells us it's a Check Point Firewall-1 NGX. It sure would be nice to know which version. The --showbackoff option adds a second fingerprint: ike-scan never answers the Main Mode response, so the device keeps retransmitting it, and the timing of those retransmissions is implementation-specific.

root@segfault:# ike-scan 192.168.1.11 --auth=64221 --showbackoff
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.11 Main Mode Handshake returned HDR=(CKY-R=115ea42183f9da3d) SA=(Enc=3DES Hash=SHA1 Auth=Hybrid Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4710dde10000000018000000 (Firewall-1 NGX)

IKE Backoff Patterns:

IP Address      No.  Recv time           Delta Time
192.168.1.11    1    1192287497.108277   0.000000
192.168.1.11    2    1192287499.144069   2.035792
192.168.1.11    3    1192287501.155070   2.011001
192.168.1.11    4    1192287503.123598   1.968528
192.168.1.11    5    1192287505.115728   1.992130
192.168.1.11    6    1192287507.162779   2.047051
192.168.1.11    7    1192287509.153315   1.990536
192.168.1.11    8    1192287513.177931   4.024616
192.168.1.11    9    1192287517.135372   3.957441
192.168.1.11    10   1192287521.162738   4.027366
192.168.1.11    11   1192287525.147460   3.984722
192.168.1.11    12   1192287529.183789   4.036329
192.168.1.11    Implementation guess: Firewall-1 4.1/NG/NGX


**Go read the UDP Backoff paper (linked below) to understand the showbackoff stuff. The short version: the Delta Time column is the gap between retransmissions, here roughly 2 seconds six times and then roughly 4 seconds, and ike-scan matches that sequence (allowing for network jitter) against its pattern database to produce the implementation guess. It narrows us to a Firewall-1 family, not a version.
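To make the matching concrete, here is the backoff reasoning as an added example (not code from the original post and not ike-scan's own matcher). The receive times are the twelve values from the table above; the single pattern in KNOWN_PATTERNS is taken from this page's output, and ike-scan's real ike-backoff-patterns database, which is much larger, is not reproduced here.

```python
"""Reproduce the reasoning behind ike-scan --showbackoff on this page's data.

Added example, not code from the original post or from ike-scan.
"""
from typing import Dict, List, Optional

# Receive times (seconds since the epoch) copied from the table above:
# twelve Main Mode responses to one request that was never answered.
RECV_TIMES: List[float] = [
    1192287497.108277, 1192287499.144069, 1192287501.155070,
    1192287503.123598, 1192287505.115728, 1192287507.162779,
    1192287509.153315, 1192287513.177931, 1192287517.135372,
    1192287521.162738, 1192287525.147460, 1192287529.183789,
]

# Expected retransmission gaps (seconds) per implementation. Only the
# pattern this page's target produced is listed; add more from ike-scan's
# own ike-backoff-patterns file.
KNOWN_PATTERNS: Dict[str, List[float]] = {
    "Firewall-1 4.1/NG/NGX": [2, 2, 2, 2, 2, 2, 4, 4, 4, 4, 4],
}


def backoff_deltas(recv_times: List[float]) -> List[float]:
    """Gap between each retransmission and the one before it: the table's
    Delta Time column without the leading 0.000000 of the first packet."""
    return [later - earlier for earlier, later in zip(recv_times, recv_times[1:])]


def guess_implementation(recv_times: List[float],
                         patterns: Dict[str, List[float]] = KNOWN_PATTERNS,
                         tolerance: float = 0.5) -> Optional[str]:
    """Match the observed gaps against each known pattern.

    Network jitter means the gaps are never exactly 2.0 or 4.0 (the table
    shows 1.97 to 2.05 and 3.96 to 4.04), so each gap may differ from the
    pattern by up to `tolerance` seconds. The retransmission count must
    agree as well: a capture that stops early is reported as unknown
    (None) instead of being force-fitted to a prefix of some pattern.
    """
    deltas = backoff_deltas(recv_times)
    for label, pattern in patterns.items():
        if len(pattern) == len(deltas) and all(
            abs(seen - expected) <= tolerance
            for seen, expected in zip(deltas, pattern)
        ):
            return label
    return None


if __name__ == "__main__":
    for number, gap in enumerate(backoff_deltas(RECV_TIMES), start=2):
        print(f"packet {number:2d}: +{gap:.6f}s")
    print("Implementation guess:", guess_implementation(RECV_TIMES) or "unknown")
```

Feeding it the twelve times from the table returns the same guess ike-scan printed; feeding it only the first six, or a device that retransmits every second, returns None, which is the behaviour you want from a fingerprinter that should not guess on thin evidence.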


We've got the Vendor ID of the firewall; let's see if we can narrow it down to a version of Check Point Firewall-1.

VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4710dde10000000018000000

The 40-byte payload is a fixed 20-byte Check Point hash followed by five big-endian 32-bit fields:

Checkpoint VendorID: f4ed19e0c114eb516faaac0ee37daf2807b4381f

00000001 = Product type (1 = firewall, 2 = client)

0000138d = Version (5005 decimal). This value, together with a non-zero timestamp field, identifies NGX R60 (see the NTA Monitor wiki's NGX R60 examples below).

4710dde1 = Timestamp (NGX only). This is the current time on the target firewall in seconds since Jan 1st 1970: 0x4710dde1 = 1192287713 = 2007-10-13 15:01:53 UTC, about 3.5 minutes ahead of the scanner's clock going by the Recv time column above. It is the one field that changes between runs; the earlier --auth=64221 run on this page returned 4710496d, roughly ten and a half hours earlier. Pre-NGX releases send zero here.

00000000 = Reserved (always zero)

18000000 = Features

I used this to figure the above out:
NGX R60 Vendor ID examples--> http://www.nta-monitor.com/wiki/index.php/Check_Point_Firewall-1#NGX_R60_Vendor_ID_examples
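The field breakdown above as a small decoder, added here as an example (not code from the original post or from ike-scan). The layout is the one described above: a 20-byte Check Point hash followed by five big-endian 32-bit words. VERSION_NAMES holds only the single value this page decodes and should be extended from the NTA Monitor wiki table; the clock-skew helper, which compares the firewall's timestamp with the scanner's receive time from the backoff table, is my addition too.

```python
"""Decode a Check Point Firewall-1 IKE Vendor ID payload.

Added example; not code from the original post or from ike-scan.
"""
import struct
from datetime import datetime, timezone
from typing import Optional

CHECKPOINT_HASH = bytes.fromhex("f4ed19e0c114eb516faaac0ee37daf2807b4381f")
PRODUCT_TYPES = {1: "Firewall", 2: "Client"}
VERSION_NAMES = {0x138d: "NGX R60"}   # 5005 decimal, the only value decoded on this page

# Vendor ID returned in the --showbackoff run above: hash + five words.
SAMPLE_VID = ("f4ed19e0c114eb516faaac0ee37daf2807b4381f"
              "00000001" "0000138d" "4710dde1" "00000000" "18000000")


def is_checkpoint_vid(vid_hex: str) -> bool:
    """True only for a payload with the Check Point hash and exactly the
    40-byte length; a truncated capture or another vendor's ID is rejected
    rather than decoded into nonsense."""
    try:
        raw = bytes.fromhex(vid_hex)
    except ValueError:
        return False
    return len(raw) == 40 and raw[:20] == CHECKPOINT_HASH


def parse_checkpoint_vid(vid_hex: str) -> dict:
    """Split a Check Point Vendor ID into its named fields."""
    if not is_checkpoint_vid(vid_hex):
        raise ValueError("not a 40-byte Check Point Vendor ID")
    raw = bytes.fromhex(vid_hex)
    product, version, timestamp, reserved, features = struct.unpack(">IIIII", raw[20:])
    is_ngx = timestamp != 0          # pre-NGX releases send a zero timestamp
    return {
        "product": PRODUCT_TYPES.get(product, f"unknown ({product})"),
        "version": version,
        "version_name": VERSION_NAMES.get(version, f"unknown ({version})"),
        "is_ngx": is_ngx,
        "timestamp": timestamp,
        # The firewall's own clock at the moment it answered, as UTC.
        "firewall_time_utc": (datetime.fromtimestamp(timestamp, tz=timezone.utc)
                              if is_ngx else None),
        "reserved": reserved,
        "features": features,
    }


def clock_skew_seconds(vid_hex: str, scanner_recv_time: float) -> Optional[float]:
    """Firewall clock minus scanner clock, using the scanner's receive time
    (the Recv time column of --showbackoff) for the response that carried
    this Vendor ID. Positive means the firewall runs ahead. None when the
    payload carries no timestamp."""
    fields = parse_checkpoint_vid(vid_hex)
    if not fields["is_ngx"]:
        return None
    return fields["timestamp"] - scanner_recv_time


if __name__ == "__main__":
    for name, value in parse_checkpoint_vid(SAMPLE_VID).items():
        print(f"{name:>18}: {value}")
    # 1192287497.108277 is the first Recv time in the backoff table above.
    print(f"{'clock skew (s)':>18}: {clock_skew_seconds(SAMPLE_VID, 1192287497.108277):+.1f}")
```

Run against the sample it reports a firewall, version 5005 (NGX R60), a firewall clock of 2007-10-13 15:01:53 UTC and a skew of about +216 seconds against the scanner. Anything that is not exactly 40 bytes with the Check Point hash in front is refused, so the decoder cannot be tricked into labelling some other vendor's payload as a Firewall-1 version.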

Links:
Ike-Scan site--> http://www.nta-monitor.com/tools/ike-scan/
Ike-Scan wiki--> http://www.nta-monitor.com/wiki/index.php/Ike-scan_Documentation
UDP Backoff Whitepaper--> http://www.nta-monitor.com/posts/2003/01/udp-backoff-whitepaper.pdf
Common VPN Security Flaws--> http://www.nta-monitor.com/posts/2005/01/VPN-Flaws-Whitepaper.pdf
Radarhack Ike-Scan paper--> http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf
CG
