Hey,
thanks for the hints.
You mentioned "a MITM fake certificate"... that's exactly what I'm trying
to do now. I installed Openswan and xl2tp and I'm in the middle of getting
it up and running.

But to get this straight, the MITM part of it is basically:
- issuing a fake (a.k.a. self-signed) certificate for my own IPSec gateway and
playing around with different settings for CN, SubjectAltName, etc.
- redirecting the traffic from the client to my IPSec gateway (ARP
poisoning, re-routing, DNS spoofing)
- checking if the client is accepting my fake IPSec gateway and especially
the fake certificate

... right?

Thanks!



On Wed, Jun 20, 2012 at 7:48 PM, Matt Summers <[email protected]>wrote:

> Howdy,
>
> I can't comment too much about IPSEC/IKE, but I know my PKI and here is my
> 2c...
>
> So the SubjectAltName attribute can be set to any name, e.g.
> server1.domain.com or server1. The trick is whether the client supports
> it or the x509 component used by the client supports it. If it did, it would
> more than likely work the way SubjectAltName works in an SSL environment, in
> that the CN is checked first and only if that doesn't match will it
> check the SubjectAltName. You might be better off attacking the certificate
> chain validation, such as using a self-signed cert: does the client complain?
> Maybe also attacking the CRL or OCSP checking with a MITM fake cert.
>
> Matt
>
>
> On Wed 20/06/12 15:27 , toomanysecrets [email protected] sent:
>
>
> Hi,
> I'm currently looking into IPSec/IKE security assessments. The environment
> I'm testing on is using certificate based authentication.
> I wonder if there are tools available to handle MitM attacks, e.g. to test
> if an IPSec client would accept a certificate with a "subjectAltName"
> different to the operator FQDN, or what happens if the EKU check on the
> client is being disabled, etc.
>
> The only MitM attack tools I came across so far when it comes to IKE are
> FakeIKEd (http://www.roe.ch/FakeIKEd), for handling VPN PSK+XAUTH based
> authentication, the ike-scan suite, ikeprober, etc., but no tools to
> support certificate based attacks. The traffic redirection itself is not
> the issue (DNS spoofing / ARP poisoning...).
>
> Any ideas or experiences?
>
> Thanks!
>
> toomanysecrets
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>
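As an added illustration (not code from anyone in this thread), here is a small Python model of the identity and issuer checks a well-behaved IPSec client is expected to apply to a gateway certificate, following the RFC 6125 ordering: SAN dNSName entries are authoritative and the subject CN is consulted only when the certificate carries no SAN at all, and a self-signed certificate is rejected outright. The certificate dicts are constructed samples in the shape Python's ssl module returns from getpeercert(); the names vpn.example.com and server1 are placeholders.

```python
# Added example (not from the thread): checks a strict IPsec/TLS client
# applies to a gateway cert. Certs are dicts in ssl.getpeercert() shape.

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost '*' label
    (a wildcard must still leave two fixed labels, so '*.com' never matches)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def identity_matches(cert: dict, expected_fqdn: str) -> bool:
    """SAN dNSName entries are authoritative; the subject CN is consulted
    only when the certificate carries no SAN at all (RFC 6125)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_dns_match(name, expected_fqdn) for name in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, expected_fqdn)
    return False

def is_self_signed(cert: dict) -> bool:
    """Subject == issuer means there is no chain to an external CA."""
    return cert.get("subject") == cert.get("issuer")

def gateway_cert_acceptable(cert: dict, expected_fqdn: str) -> tuple:
    """Return (accepted, reason) the way a strict client would decide."""
    if is_self_signed(cert):
        return False, "self-signed: not chained to a trusted CA"
    if not identity_matches(cert, expected_fqdn):
        return False, "identity mismatch: neither SAN nor CN names the gateway"
    return True, "ok"

# Constructed sample certificates for the three cases discussed in the thread.
CA = ((("commonName", "Example VPN CA"),),)
GOOD = {"subject": ((("commonName", "vpn.example.com"),),), "issuer": CA,
        "subjectAltName": (("DNS", "vpn.example.com"),)}
SAN_MISMATCH = {"subject": ((("commonName", "vpn.example.com"),),), "issuer": CA,
                "subjectAltName": (("DNS", "server1"),)}  # CN ok, SAN is not
SELF_SIGNED = {"subject": ((("commonName", "vpn.example.com"),),),
               "issuer": ((("commonName", "vpn.example.com"),),),
               "subjectAltName": (("DNS", "vpn.example.com"),)}
```

Under a CN-first ordering SAN_MISMATCH would pass on its CN; with the SAN taking precedence it is rejected, which is exactly the behaviour difference the question about a SAN differing from the operator FQDN is probing.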
