Aerosol Posted December 19, 2014 (edited)

Introduction

A VPN (Virtual Private Network) enables connections between clients and servers from multiple different internal networks across a public network (like the Internet) as if the nodes were located in the same private network. Since the communication is transferred across the public network, it must be properly encrypted to prevent eavesdropping. When a user is connected to the VPN, he/she can access the extended network services the same way as if located within that private network.

There are two types of VPNs: the remote-access VPN, used to connect a device to a network, and the site-to-site VPN, used to connect two networks together. A VPN can be used in multiple different scenarios, like allowing employees to securely access the company's internal network even when outside the office (remote-access VPN), connecting two remote offices together into one internal private network (site-to-site VPN), etc.

There are different implementations of VPN protocols, including the ones listed below (summarized after [1]):

- Internet Protocol Security (IPsec): a widely used VPN implementation that uses IPv4 and operates on layer 2, where the packet is encapsulated into an IPsec header and sent to its endpoint.
- Transport Layer Security (SSL/TLS): another widely used VPN implementation, most often associated with OpenVPN, which we'll take a look at in this article. OpenVPN is an SSL-based VPN that uses SSL certificates to encrypt the data in transit.
- Datagram Transport Layer Security (DTLS)
- Microsoft Point-to-Point Encryption (MPPE)
- Microsoft Secure Socket Tunneling Protocol (SSTP)
- Secure Shell (SSH) VPN

Pentesting OpenVPN

Depending on the type of VPN we're checking during our penetration test, there are different procedures that will drive our testing.
Regardless of the type of VPN being used, the basic steps to pentest a VPN are the following:

Reconnaissance: the first step is determining which type of VPN we're dealing with in order to plan how to proceed with the attack. We can do that with a simple port scan using an open-source tool like Nmap or any other tool with port-scanning capabilities. The purpose is determining the type of VPN implementation we're dealing with, which is often bound to a default port. Usually the following ports are involved with VPN services: UDP 500 (IPsec), TCP 1723, TCP 443 (SSL VPN) and UDP 1194 (OpenVPN).

Exploitation: this phase depends directly on the type of VPN we're dealing with. When testing a network-based IPsec VPN, we can rely on the ike-scan program to perform the testing. First, we can identify the VPN product and its version and search for related vulnerabilities online; there are known vulnerabilities in the VPN services of different vendors like Cisco or Check Point that we can use to our advantage. When dealing with an SSL VPN, we could theoretically use the tools used for SSL pentesting, and in some cases we can, but most tools out there support only TCP, not UDP. One of the most critical vulnerabilities this year has been the Heartbleed vulnerability, which affects the OpenSSL library that OpenVPN also uses. Therefore, if OpenVPN is using a vulnerable version of the OpenSSL library, the service can be exploited by malicious attackers and the whole server can be compromised. This is why we have to take every security precaution in order to protect our network.

Credentials: when the connection with a VPN server is initiated, a client must present a valid passphrase or a certificate to prove that it's authorized to use the server. If the VPN server is only using passphrases, we should instead configure it to require a certificate together with each passphrase to improve security.
I've often seen a VPN server using only user credentials to authenticate to the VPN server; not to mention some of the user passwords were quite simple and easy to guess within a few bruteforcing attempts. That is certainly something we have to keep in mind when conducting a penetration test of the VPN server or when setting up such a server for our own network.

Recommendations for Hardening OpenVPN

To harden OpenVPN, we have to edit its configuration file, usually passed to the OpenVPN daemon with the --config command-line option. If we run "ps -ef" and grep for the OpenVPN processes, we can see where the configuration file is located and view it accordingly.

Table 1: Security configuration options in openvpn.conf

Conclusion

It goes without saying that when a hacker stumbles upon an open VPN port, he will most likely check it for different security holes. Therefore, we have to properly protect our VPN server in order to secure our users and our whole internal network. If an attacker is able to compromise the VPN service, he can get access to our whole network.

Some administrators might argue that the VPN service is very secure by itself and needs no additional protection, but such assumptions have been proven incorrect in the past. One such vulnerability was found in April 2014, named the Heartbleed vulnerability, which can be used to dump memory from the OpenVPN daemon process. Therefore, if an attacker is able to determine that a VPN service is running on some port, he might be able to dump arbitrary memory from the server or possibly even take control of the server. Once such a vulnerability is discovered, we must patch it as soon as possible, but a properly hardened service should give an attacker as little access to the server as possible.
Imagine a new devastating vulnerability being found in OpenVPN/OpenSSL in the future; a secure service running under an unprivileged account might be just what you need to protect yourself from becoming a victim of a cyber attack.

References

[1] Virtual private network, https://en.wikipedia.org/wiki/Virtual_private_network
[2] Hardening OpenVPN Security, https://openvpn.net/index.php/open-source/documentation/howto.html#security

Edited December 19, 2014 by Aerosol
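The "ps -ef" lookup from the hardening section and the unprivileged-account point from the conclusion, as an added example that is not part of the original post or of the OpenVPN project's own code: it locates a running server's config and audits it for a hardening baseline. The baseline is an assumption drawn from the OpenVPN HOWTO security section [2] (the user, group, chroot, persist-key, persist-tun and tls-auth/tls-crypt directives); the config file below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): find the
# config of a running OpenVPN server from "ps -ef" output, then audit it for
# hardening directives. The directive list is an assumption based on the
# OpenVPN HOWTO security section [2]; adjust it to your deployment.

# config_from_ps: read "ps -ef" style lines on stdin, print the first --config path.
config_from_ps() {
    sed -n 's/.*--config[ =]\([^ ]*\).*/\1/p' | head -n 1
}

# Directives expected in a hardened server config; '|' separates alternatives.
HARDENING_DIRECTIVES="user group chroot persist-key persist-tun tls-auth|tls-crypt"

# has_directive FILE NAMES: true if an uncommented line starts with one of NAMES.
# Lines beginning with '#' or ';' are comments in openvpn.conf and never match.
has_directive() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"
}

# missing_directives FILE: print each expected directive that is absent, one per line.
missing_directives() {
    for d in $HARDENING_DIRECTIVES; do
        has_directive "$1" "$d" || echo "$d"
    done
}

# runs_as_root FILE: true if the daemon would keep root (no "user", or "user root").
runs_as_root() {
    ! has_directive "$1" "user" || has_directive "$1" "user[[:space:]]+root"
}

# Demo on a constructed config that lacks a privilege drop and TLS control-channel
# protection; the commented-out "user" line must not count as present.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
# user nobody
EOF
echo "missing from $WEAK_CONF:"
missing_directives "$WEAK_CONF"
runs_as_root "$WEAK_CONF" && echo "WARNING: daemon keeps root privileges"
rm -f "$WEAK_CONF"
```

On a live host, pipe `ps -ef | config_from_ps` into `missing_directives` to audit the config the daemon actually loaded rather than a copy in a repository.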