Cisco IPSec VPN Implementation Group Name Enumeration
Summary – 22.03.2011
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108 Systems Affected: ASA 5500 Series Adaptive Security Appliances -Cisco PIX 500 Series Security Appliances -Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published
TimeLine
Discovered: 20 March 2009
Released: 8 November 2010
Approved: 8 November 2010
Reported: 8 November 2010
Fixed: 1 December 2010
Published: 22 March 2011
Description
Due to the device(s) returning differing responses to IKE requests it is possible to enumerate valid group names from the VPN device(s). With the correct group name the pre-shared key can then be captured and a brute-force attack carried out off-line.
Technical Details
This output shows an aggressive query against the device specifying an invalid group:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=d508a1efacad8015)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.62 hosts/sec). 1 returned handshake; 0 returned notify
The above request is then repeated with a valid group name and as can be seen the response is different:
Starting ike-scan 1.9 with 1 hosts
(http://www.nta-monitor.com/tools/ike-scan/)
10.1.0.1 Aggressive Mode Handshake returned
HDR=(CKY-R=4fa4cf45d5039335)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=XAUTH LifeType=Seconds
LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_FQDN, Value=Pix.domain.com)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.19 hosts/sec). 1 returned handshake; 0 returned notify
As can be seen above, the request with the valid group name has an additional field contained in the response:
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
By checking the responses for this additional VID it is possible to enumerate the valid group name.
This has been replicated in testing against a number of PIX based devices and with the valid group name the PSK can then be collected and cracked using psk-crack.
Fix Information
Cisco has released a patch that addresses the issue. The announcement of this patch can be found here:
http://www.cisco.com/en/US/products/products_security_response09186a0080b5992c.html
Patches can be downloaded from Cisco’s online support portal at: