Name: Cisco IPSec VPN Implementation Group Name Enumeration
Release Date: 22 March 2011
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 3015,
3020, 3030, 3060, and 3080)
Risk: Low
Status: Published
Discovered: 20 March 2009
Released: 8 November 2010
Approved: 8 November 2010
Reported: 8 November 2010
Fixed: 1 December 2010
Published: 22 March 2011
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s). With the correct group
name the pre-shared key can then be captured and a brute-force attack carried out off-line.
This output shows an aggressive query against the device specifying an invalid group:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=d508a1efacad8015)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec). 1
returned handshake; 0 returned notify
The above request is then repeated with a valid group name and as can be seen the response is different:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=4fa4cf45d5039335)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec). 1
returned handshake; 0 returned notify
As can be seen above, the request with the valid group name has an additional field contained in the response:
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
By checking the responses for this additional VID it is possible to enumerate the valid group name.
This has been replicated in testing against a number of PIX based devices and with the valid group name the PSK can then be collected and cracked using psk-crack.
Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:
http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html
Patches can be downloaded from Cisco's online support portal at:
NGS Secure Research
http://www.ngssecure.com
Research@NGSSecure
NGS Secure
,
Telephone:
Mobile:
Fax:
Website: www.ngssecure.com<http://www.ngssecure.com>
Email: [email protected]<mailto:[email protected]>
[http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg] <http://www.ngssecure.com/>
This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding company is NCC Group plc (Registered in
England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF
Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally privileged. It is for the intended recipient
only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then delete the original. If you
are not the intended recipient you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not inform any other
person other than NCC Group or the sender of its existence.
For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com>
P Before you print think about the ENVIRONMENT