RE: Pen-Testing VPN

["Rob Shein" <shoten () starpower net>]

When I've done this, I first tried to figure out what kind of VPN it was.
What ports does the VPN use?  Not all of them use IPSEC, for example, and
some have some additional ports for varying reasons.  If you know of some
VPN gateways in existence that are of a known type, you can compare them to
what you're pen-testing as well.

Once you have an idea which kind it is, see if you can get a client for it
(you usually can).  Then try to connect, and sniff the traffic.  Try
different variables (login name, etc) and mix it up so that you can find the
values being passed to the gateway...and then see what happens when you put
too many characters in one of those fields.

Just a thought :)

-----Original Message-----
From: Darren Beattie [mailto:darren.beattie () blueyonder co uk] 
Sent: Thursday, April 03, 2003 1:43 PM
To: pen-test () securityfocus com
Subject: Pen-Testing VPN




Hi All,

I use various scanners and tools to test firewalls and servers. I will 
testing a firewall that has VPNs connected to it. I am wandering how to 
test the VPN for security. I am sure that I could see the vpn port on the 
firewall, listening for connections.

I would like to establish a VPN tunnel and 'hit it' to see how secure it 
really is.

I would like some help in identifying any tools out there that would allow 
me to carry this out.

Regards,

Darren

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much junk never even
makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test




top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.securityfocus.com/SurfControl-pen-test