PaulDotCom mailing list archives
Re: IPSec MitM
From: toomanysecrets <toomsec () gmail com>
Date: Fri, 6 Jul 2012 15:47:25 +0200
Hi,

I'm still working on this subject and making some progress, but I'm almost certain I'm missing something fundamental. My setup right now is OpenSwan with xl2tpd as the (rogue) IPSec gateway and some self-signed certificates using OpenSSL. Clients using my own CA-signed certificates are connecting perfectly. But what I want to achieve is accepting any client's certificate no matter whose CA signed it. ... Anyone have a suggestion how to do this?

I played around with several settings in the /etc/ipsec.d/...conf like "authby=", right=%any, rightca=, rightrsasigkey=%cert, leftid=%fromcert, leftrsasigkey=%cert, leftcert=my.pem ... no luck yet. Logs still say:

#1: issuer cacert not found
#1: X.509 certificate rejected

Many thanks!

On Wed, Jun 20, 2012 at 7:48 PM, Matt Summers <matt () fireantsecurity co uk> wrote:
Howdy,

I can't comment too much about IPSEC/IKE but I know my PKI and here is my 2c....

So the SubjectAltName attribute can be set to any name e.g. server1.domain.com or server1. The trick is whether the client supports it or the x509 component used by the client supports it. If it did it would more than likely work how SubjectAltName works in an SSL environment in that the CN is checked first and if that doesn't match only then will it check the SubjectAltName.

You might be better off attacking the certificate chain validation, such as using a self-signed cert: does the client complain? Maybe also attacking the CRL or OCSP checking with a MITM fake cert.

Matt

On Wed 20/06/12 15:27, toomanysecrets toomsec () gmail com sent:

Hi,

I'm currently looking into IPSec/IKE security assessments. The environment I'm testing on is using certificate-based authentication. I wonder if there are tools available to handle MitM attacks, e.g. to test if an IPSec client would accept a certificate with a "subjectAltName" different to the operator FQDN, or what happens if the EKU check on the client is being disabled etc.

The only MitM attack tools I came across so far when it comes to IKE are FakeIKEd (http://www.roe.ch/FakeIKEd), for handling VPN PSK+XAUTH based authentication, the ike-scan suite, ikeprober etc... but no tools to support certificate-based attacks. The traffic redirection itself is not the issue (DNS spoofing / ARP poisoning...).

Any ideas or experiences?

Thanks!
toomanysecrets

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
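The two checks the thread keeps circling (does the peer's certificate chain to a CA we actually trust, and does its subjectAltName carry the name we expect) can be exercised with the OpenSSL command line alone. The script below is an added example for this archive page, not code from any of the posters or from OpenSwan; it assumes only that the openssl binary is on the PATH, and every CA name, hostname and file name in it is constructed for the demonstration. It builds a trusted CA and an unrelated one, issues a certificate for the same DNS name from each, and shows that chain validation rejects the one from the unrelated issuer (the condition behind a log line like "issuer cacert not found") while the name check rejects a certificate whose SAN does not match.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate the chain and name checks
# a VPN peer must apply to an X.509 certificate before trusting it.
# Requires only the openssl CLI. All names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file basename, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue an end-entity cert signed by CA $1, named $2, with SAN DNS:$3.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Chain check: succeeds (exit 0) only if cert $2 chains to trusted CA $1.
# A certificate from any other issuer fails here, whatever its subject says.
chain_ok() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Name check: succeeds only if cert $1 carries DNS:$2 in its SAN extension.
# Matching is done on the whole SAN entry, so a longer name does not match.
san_ok() {
  openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

make_ca trusted-ca   "Example VPN CA"     # the CA the peer was configured with
make_ca untrusted-ca "Some Other CA"      # a CA nobody configured trust for
issue_cert trusted-ca   good-peer  vpn.example.com
issue_cert untrusted-ca other-peer vpn.example.com   # same name, wrong issuer

# Run the checks and report; exit codes carry the results for scripting.
demo() {
  chain_ok trusted-ca good-peer  && echo "good-peer:  chain OK"
  chain_ok trusted-ca other-peer || echo "other-peer: chain rejected (issuer CA not trusted)"
  san_ok good-peer vpn.example.com   && echo "good-peer:  SAN matches vpn.example.com"
  san_ok good-peer other.example.com || echo "good-peer:  SAN does not match other.example.com"
}
demo
```

Both checks have to pass: a certificate whose SAN matches the expected gateway name but chains to an issuer outside the configured trust store is exactly what chain validation exists to stop, and a certificate from the right CA but with the wrong name is what the SAN check catches. Disabling either check on a client or gateway (for example by trusting any issuer, as the OpenSwan log lines in the thread are refusing to do) removes one of the two.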
Current thread:
- Re: IPSec MitM toomanysecrets (Jul 06)