Re: Open VPN for PEN testing

[Luis Lezcano Airaldi <luislezcair () gmail com>]

On Tue, Sep 17, 2013 at 11:07:06AM -0700, ToddAndMargo wrote:
> Hi All,
>
> I have heard several folks say that they use Open VPN for human
> penetration testing.
> Reference: https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf
>
> I apparently did not pay close enough attention. I figured that Open
> VPN would get you past the firewall and the multilayer switch. Which
> sounded right to me.  Use Open VPN to create a connection to the
> computer and/or network to be tested.  Then test the
> computer/network with nmap, Metasploit, etc.
>
> But, if I remember correctly, they also said they used Open VPN
> as a direct attack mechanism to try to break into ports. Not as
> a mechanism to gain access to the computer/network.
>
> Am I missing something?  Can Open VPN actually be used as an attack
> mechanism (nmap, metasploit) to test a computer/network?

Hi! Sometimes, enterprises use VPN to let employees connect to the local
network from their homes. So it is logical to try to break into the local
network using their credentials.

Also, VPNs are used as a way to gain certain degree of anonimity. So your
connection cannot be easyly tracked back to you, if there's some sysadmin
vigilant.

Hope this helps.
Regards.

Attachment: _bin
Description: