Page 1: Attacking VPN's

VPN penetration testing

By Abdul Adil

Page 2: Attacking VPN's

Who am I?

• Web application & network pentester
• Malware reverse engineering
• Regular at the Null Hyderabad chapter
• Email: [email protected]
• Website: Connectica.in
• Twitter: @AbdulAdil02

Page 3: Attacking VPN's

Agenda

• What & Why VPN?
• Types of VPN
• VPN Internals
• VPN issues
• Demo
• Questionnaire?

Page 4: Attacking VPN's

What & Why VPN?

• VPN stands for “Virtual Private Network”.
• It extends a private network across a public network (the internet).
• It establishes a virtual point-to-point connection.
• The connection is encrypted.

Page 5: Attacking VPN's

Scenario of VPN usage

Page 6: Attacking VPN's

Types of VPN protocol

• PPTP
• IPSec
• SSL VPN
• Hybrid VPN

Page 7: Attacking VPN's

Types of VPN protocol

• PPTP (Point-to-Point Tunneling Protocol): This is the most common and widely used VPN protocol. It enables authorized remote users to connect to the VPN network using their existing Internet connection and then log on to the VPN using password authentication.

• IPSec: A trusted protocol which sets up a tunnel from the remote site into your central site. As the name suggests, it’s designed for IP traffic. IPSec requires expensive, time-consuming client installations, and this can be considered an important disadvantage.

Page 8: Attacking VPN's

VPN protocol & types

• SSL VPN: SSL, or Secure Sockets Layer, is a VPN accessible via HTTPS through a web browser. SSL creates a secure session from your PC browser to the application server you’re accessing. The major advantage of SSL is that it doesn’t need any software installed, because it uses the web browser as the client application.

• Hybrid VPN: It combines the features of SSL and IPSec, as well as other VPN types. Hybrid VPN servers are able to accept connections from multiple types of VPN clients. They offer higher flexibility at both client and server levels and are bound to be expensive.

Page 9: Attacking VPN's

VPN Internals

Page 10: Attacking VPN's

VPN Traffic

Page 11: Attacking VPN's

VPN appliance and applications

VPN Appliance

VPN application

Page 12: Attacking VPN's

VPN issues

• Some of the protocols provide weak encryption.
• Vulnerable to brute-force attacks, as there is only one 56-bit DES key to crack.
• The RC4 cipher, which is used for encryption, does not protect the integrity of the data.
• If not configured properly, it can lead to leakage of data over the network (Port Fail vulnerability).
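
An added example (not part of the original slides) illustrating the RC4 integrity point above: a stream cipher only XORs a keystream into the data, so ciphertext changed in transit still decrypts cleanly unless a MAC over the ciphertext is verified first. The keys, message and helper names are constructed for illustration.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def alter_in_transit(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change bytes without the key: XOR (old ^ new) into the ciphertext."""
    out = bytearray(blob)
    for k, (a, b) in enumerate(zip(old, new)):
        out[offset + k] ^= a ^ b
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over the ciphertext."""
    ct = rc4(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Check the tag before decrypting; return None if the blob was altered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(enc_key, ct)

# Constructed sample values, not taken from any real VPN session.
ENC_KEY, MAC_KEY = b"constructed-rc4-key", b"constructed-mac-key"
MESSAGE = b"route=10.0.0.1;allow=no "
OFFSET = MESSAGE.index(b"no ")

if __name__ == "__main__":
    bare = alter_in_transit(rc4(ENC_KEY, MESSAGE), OFFSET, b"no ", b"yes")
    print("RC4 only:", rc4(ENC_KEY, bare))  # decrypts cleanly, change unnoticed
    sealed = alter_in_transit(seal(ENC_KEY, MAC_KEY, MESSAGE), OFFSET, b"no ", b"yes")
    print("RC4 + HMAC:", open_sealed(ENC_KEY, MAC_KEY, sealed))  # rejected
```
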

Page 13: Attacking VPN's
Page 14: Attacking VPN's

Twitter: @AbdulAdil02
Email: [email protected]

Page 15: Attacking VPN's

Thanks to Null Hyderabad.