PaulDotCom mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IPSec MitM

From: toomanysecrets <toomsec () gmail com>
Date: Fri, 6 Jul 2012 15:47:25 +0200
Hi,
I´m still working on this subject and making some progress, but I´m almost
certain I´m missing something fundamentally.

My setup right now is OpenSwan with xl2tpd as the (rogue) IPSec gateway and
some self-signed certificates using OpenSSL. Clients using my own CA signed
certificates are connecting perfectly. But what I want to achieve is,
excepting any client´s certificate no matter who´s CA signed it.

....anyone a suggestion how to do this?
I played around with several settings in the /etc/ipsec.d/...conf   like
"authby=",    right=%any,  rightca=,     rightrsasigkey=%cert
leftid=%fromcert, leftrsasigkey=%cert,  leftcert=my.pem.....no luck yet.

Logs still say:
#1: issuer cacert not found
#1: X.509 certificate rejected

Many thanks!



On Wed, Jun 20, 2012 at 7:48 PM, Matt Summers <matt () fireantsecurity co uk>wrote:


Howdy,

I can't comment too much about IPSEC/IKE but I know my PKI and here is my
2c....

So the SubjectAltName attribute can be set to any name e.g.
server1.domain.com or server1. The trick is whether the client supports
it or the x509 component used by the client supports it. If it did it would
more than likely work how SubjectAltName works in an SSL environment in
that the CN is checked first and if that doesn't match only then will it
check the SubjectAltName. You might be better off attacking the certificate
chain validation such as using a self-singed cert does the client complain?
Maybe also attacking the CRL or OCSP checking with a MITM fake cert.

Matt


On Wed 20/06/12 15:27 , toomanysecrets toomsec () gmail com sent:


Hi,
I´m currently looking into IPSec/IKE security assessments. The environment
I´m testing on is using certificate based authentication.
I wonder if there are tools available to handle MitM attacks e.g. to test
if an IPSec client would accept a certificate with a "subjectAltName"
different to the operator FQDN or what happens if the EKU check on the
client is being disabled etc..

The only MitM attack tools I came across so far when it comes to IKE, are
FakeIKEd (http://www.roe.ch/FakeIKEd), for handling VPN PSK+XAUTH based
authentication, the ike-scan suite, ikeprober etc... but no tools to
support certificate based attacks.  The traffic redirection itself is not
the issue (DNS spoofing / ARP poisoning...)

Any ideas or experiences?

Thanks!

toomanysecrets



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom";>
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com";>http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Previous By Date Next
Previous By Thread Next

Current thread: