LinuxQuestions.org
Old 04-14-2017, 08:57 AM   #1
dpc2008
LQ Newbie
 
Registered: May 2016
Posts: 4

Rep: Reputation: Disabled
IPSEC VPN Hacking


I've been looking into VPN hacking.

Basically, you have 2 phases of an IPSEC VPN.

1-negotiate a secure tunnel and authenticate the peer.
2-negotiate a tunnel to send data across

Both phase 1 and 2 use a hash to authenticate the data received.

My question is, what exactly is gained from compromising the hash and how is that benefit obtained?

Example:

Say I have sniffed a VPN communication. I use some cryptanalysis to hack the hash offline. Now what? The data is encrypted and I have only hacked the hash being used. I've read online that without a hash (it is an option) you shouldn't even bother with a VPN. What use is a hacked hash to an attacker when that hash is part of phase 1? What about the hash for phase 2?
 
Old 04-14-2017, 03:06 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 18,983

Rep: Reputation: 2866
Then don't do this.

"Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attack"

https://en.wikipedia.org/wiki/IPsec
 
Old 04-17-2017, 09:22 AM   #3
dpc2008
LQ Newbie
 
Registered: May 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
Then don't do this.

"Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attack"

https://en.wikipedia.org/wiki/IPsec
Agreed. Aggressive mode is bad. But again.... say the hash is nothing. The PSK would be clear but it would be sent inside of a secure tunnel so what good would it be to an attacker to know the hash?
 
Old 04-17-2017, 02:53 PM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175
More basically: Do Not Use PSKs == Passwords!

No matter what you call it, a PSK is a PSK is a simple password. It has almost no entropy. It is probably based on a dictionary word. In any case, it is never more than a hundred-or-less bits long.

It can be targeted, not only by a "dictionary attack," but also by a "heuristics attack" a.k.a. "phoneme attack" or "Scrabble® attack." (For example, your password is likely to be a pronounceable word. If the word is suspected to be English, the first letter is almost certain not to be any one of {j, x, q}. And so on.)

Always use digital certificates with any VPN solution. (Or with ssh, for that matter!)

These certificates should be at least 4096 bits long, and they should be one-of-a-kind ... unique. Each authorized party has a certificate all their own. The server uses certificates to validate the clients, while the clients also use certificates to validate the server. The only way to gain access is to possess a certificate that has not been revoked ... and to know, if applicable, the protection-password by which it may have been enciphered. If any certificate is lost or stolen, it can be immediately and selectively invalidated.

Both IPSec and OpenVPN provide comparable facilities in this regard.

Consider This: when you walk into the building where you work each morning, there's no one there demanding that you "say the magic word." My prized Apple® badge won't get me into One Infinite Loop these days unless and until I have another contract with them. They didn't mind at all that I kept it as a memento. (I asked ...) They didn't mind, because it wouldn't let me inside anymore.

Like ssh, IPSec has certain legacy options that should not be used today.

Last edited by sundialsvcs; 04-17-2017 at 03:03 PM.
 
Old 04-17-2017, 07:25 PM   #5
jefro
Moderator
 
Registered: Mar 2008
Posts: 18,983

Rep: Reputation: 2866
Hash is the key to unlocking.
 
Old 04-17-2017, 08:15 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175
Quote:
Hash is the key to unlocking ...
Actually, no, as would be made quite clear if you follow the footnotes given to this tantalizing Wikipedia single-sentence paragraph.

This "hash," as used in IPSec, is intended to merely be a digest of various bits of information, intended essentially to produce a "unique identifier," as all good hashes should be. I-F you were so foolish as to be using a "mere password," then perhaps it is possible that someone could apply some "dictionary" to that hash-value. However, "why in heaven's name would you be that stupid?"

Nevertheless, "the hash" is not the entirety of the necessary group of secrets that are required to complete the entire exchange of which it is a part – and "possession of the hash" is not enough to allow you to successfully decrypt the conversation.

In Any Case: Never use "any dictionary, anywhere," as a source of the entire(!) secret that protects your secrets!

A digital certificate is an easy to use – and, easy to verify(!) – package which contains thousands of bits of truly-pseudorandom key information. It can readily be used, not only to "open the lock," but also to positively identify its authorized holder, such that it can be selectively revoked at will, should the need ever arise.

If you're "itchin' to use a password," let it be a concealment key that you merely use to encipher your otherwise-strong random certificate, so that it can't be used by the slob who just stole your laptop out of the men's room at the airport. Nothing more.

Last edited by sundialsvcs; 04-17-2017 at 08:20 PM.
 
Old 04-18-2017, 05:38 PM   #7
rob.rice
Senior Member
 
Registered: Apr 2004
Distribution: slack what ever
Posts: 1,073

Rep: Reputation: 202
Quote:
Originally Posted by sundialsvcs View Post

In Any Case: Never use "any dictionary, anywhere," as a source of the entire(!) secret that protects your secrets!
If you absolutely must have a mnemonic, you could convert a phrase to leet,
like "this to shall pass" > "7h15!70@5h4ll#p455" (!@# is my way of replacing spaces in leet).
You could Post-it note the plain text to your computer and just remember that it's the plain text of your leet password. Make sure you replace the spaces with a keyboard pattern you can remember.

Last edited by rob.rice; 04-18-2017 at 05:42 PM.
 
Old 04-19-2017, 08:55 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175
Quote:
Originally Posted by rob.rice View Post
If you absolutely must have a mnemonic, you could convert a phrase to leet,
like "this to shall pass" > "7h15!70@5h4ll#p455" (!@# is my way of replacing spaces in leet).
You could Post-it note the plain text to your computer and just remember that it's the plain text of your leet password. Make sure you replace the spaces with a keyboard pattern you can remember.
I respectfully dissent.

It's quite trivial to "Leet-ify" a dictionary. And, in any case, there is still virtually no entropy in a password. Whereas a digital certificate might contain 4,096 bits or more of very pure entropy. There are no patterns. Every bit is equally likely to be a zero or a one.

Like the badge that you swipe at the door of the place where you work, a certificate is one-of-a-kind, issued specifically to you, and can be revoked so that it doesn't work anymore. You can't forge the certificate or create another one that works. Either you possess it (and know the password by which it has been encrypted, if applicable), or you don't. It's that simple.

Each time your certificate is presented, it is known that you are probably the one presenting it, because no one else has a certificate like yours. And, since the server also has a verifiable certificate, connecting users can be certain of the identity of the machine to which they are connecting. Passwords cannot do this.

If you're itching to enter a password, then encrypt the certificate so that you must enter a password in order to utilize it. The security rests in the certificate, not in the password. (If anyone did steal a copy, and even if they knew how to decrypt it, you simply revoke it, rendering it useless to anyone. No one else's certificate is affected.)

Last edited by sundialsvcs; 04-19-2017 at 01:08 PM.
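
An added example, not part of the original posts: a PSK policy check that shows why the leet scheme from post #7 still reduces to dictionary words, as post #8 argues. The substitution tables and the tiny wordlist are constructed for illustration and stand in for a real dictionary file.

```python
import re

# Digit-for-letter swaps such as "7h15" -> "this" (constructed table).
DIGITS = str.maketrans("0134578", "oieastb")
# Symbols that can stand for letters instead of separating words.
SYMBOLS = str.maketrans("@$!", "asi")

# Constructed wordlist; a real policy check would load a full dictionary.
WORDLIST = {"this", "to", "too", "shall", "pass", "password", "secret", "vpn"}


def _words(text):
    """Lower-case, split on anything that is not a letter or digit, undo digit swaps."""
    tokens = re.split(r"[^a-z0-9]+", text.lower())
    return [t.translate(DIGITS) for t in tokens if t]


def candidate_readings(psk):
    """Two readings of a PSK: symbols as word separators, or symbols as letters."""
    return [_words(psk), _words(psk.translate(SYMBOLS))]


def audit_psk(psk, wordlist=WORDLIST):
    """Reject a PSK if any reading consists only of dictionary words."""
    for words in candidate_readings(psk):
        if words and all(w in wordlist for w in words):
            return {"reject": True, "reading": " ".join(words)}
    return {"reject": False, "reading": None}


if __name__ == "__main__":
    # First value is the leet phrase quoted in the thread; the others are constructed.
    for psk in ("7h15!70@5h4ll#p455", "P@55w0rd", "k9Qz-71xLmW2"):
        print(psk, audit_psk(psk))
```

A fixed table of a dozen substitutions is all it takes to map the leet string back to plain words, so the substitutions add almost nothing to what an attacker has to guess.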
 
Old 04-19-2017, 01:39 PM   #9
dpc2008
LQ Newbie
 
Registered: May 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Great replies.

So the question still remains - what, exactly, is the risk of the phase 1 hash being cracked if it's weak (e.g. md5 or sha1)? IPSEC VPNs I'm talking about are lan 2 lan VPNs, not remote access VPNs anyone with the credentials from any location can use. The peer is specified in the configuration. So, that said, what exactly can be done with a cracked hash or even the PSK for that matter? Say the psk is 'password' and someone decides to try that. They wouldn't get in because the VPN has a peer specified. And yes, as mentioned, the data is still encrypted (AES-256, presumed not hacked).
 
Old 04-19-2017, 04:36 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175
Quote:
Originally Posted by dpc2008 View Post
So the question still remains - what, exactly, is the risk of the phase 1 hash being cracked if it's weak (e.g. md5 or sha1)? IPSEC VPNs I'm talking about are lan 2 lan VPNs, not remote access VPNs anyone with the credentials from any location can use. The peer is specified in the configuration. So, that said, what exactly can be done with a cracked hash or even the PSK for that matter? Say the psk is 'password' and someone decides to try that. They wouldn't get in because the VPN has a peer specified. And yes, as mentioned, the data is still encrypted (AES-256, presumed not hacked).
The hash is only an issue in Aggressive mode and when a PSK = Password is used. You should not use Aggressive mode with IPSec, and you should never under any circumstances use a PSK with anything. Passwords Are Evil.™

The same is true of ssh, which should always require "certificates only," and which of course should be put behind a VPN to prevent it from being discovered. But, ssh is far too permissive and it is very easy to wind up with false security.

Anyone could attempt to connect to the VPN, not just the peer that you intended to connect with, and if they know the secret, they would succeed. This is one of the many reasons why you must instead use certificates, which must be possessed. These are what make it impossible to break in, and also what allows the two parties who wish to communicate to positively identify one another. This is also what makes it possible to selectively revoke one party's access without affecting anyone else's.

There is definitely a "right way" and a "wrong way" to approach security, and the fact that we have a "Sticky" thread about unauthorized ssh access-attempts is tacit evidence of just how many people get it wrong. It is no more difficult to manage certificates than it is to use passwords. But, it is infinitely more secure – and accountable, which passwords are not.

Last edited by sundialsvcs; 04-19-2017 at 04:42 PM.
 
Old 04-25-2017, 03:35 PM   #11
dpc2008
LQ Newbie
 
Registered: May 2016
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
The hash is only an issue in Aggressive mode and when a PSK = Password is used. You should not use Aggressive mode with IPSec, and you should never under any circumstances use a PSK with anything. Passwords Are Evil.™

The same is true of ssh, which should always require "certificates only," and which of course should be put behind a VPN to prevent it from being discovered. But, ssh is far too permissive and it is very easy to wind up with false security.

Anyone could attempt to connect to the VPN, not just the peer that you intended to connect with, and if they know the secret, they would succeed. This is one of the many reasons why you must instead use certificates, which must be possessed. These are what make it impossible to break in, and also what allows the two parties who wish to communicate to positively identify one another. This is also what makes it possible to selectively revoke one party's access without affecting anyone else's.

There is definitely a "right way" and a "wrong way" to approach security, and the fact that we have a "Sticky" thread about unauthorized ssh access-attempts is tacit evidence of just how many people get it wrong. It is no more difficult to manage certificates than it is to use passwords. But, it is infinitely more secure – and accountable, which passwords are not.
So, let's say someone has the hash for phase1 cracked. They can use that to send in the hash of the PSK. They can spoof the IP address and get in? They'd need something local to the LAN segment the external interface is on. A spoofed IP can get in but it can't get back to the sender.

Hacker at 1.1.1.1 sends spoof of IP to the VPN (this is a lan to lan VPN here, not a remote access one that users use on home laptops).
ASA gets the spoofed ip and hash, thinks it's the real thing, and builds the connection, and then phase 2 (where the hash is SHA-256 and not hacked) back to the real peer at 2.2.2.2. 2.2.2.2 gets it but 1.1.1.1 is left in the dark.

How would one break in with a hacked sha-1 / phase 1 bit of info?

Edit: This is using IKEv2, not IKEv1 Aggressive mode.
 
Old 04-25-2017, 08:27 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175
Quote:
Originally Posted by dpc2008 View Post
So, let's say someone has the hash for phase1 cracked. They can use that to send in the hash of the PSK. They can spoof the IP address and get in? They'd need something local to the LAN segment the external interface is on. A spoofed IP can get in but it can't get back to the sender.

Hacker at 1.1.1.1 sends spoof of IP to the VPN (this is a lan to lan VPN here, not a remote access one that users use on home laptops).
ASA gets the spoofed ip and hash, thinks it's the real thing, and builds the connection, and then phase 2 (where the hash is SHA-256 and not hacked) back to the real peer at 2.2.2.2. 2.2.2.2 gets it but 1.1.1.1 is left in the dark.

How would one break in with a hacked sha-1 / phase 1 bit of info?

Edit: This is using IKEv2, not IKEv1 Aggressive mode.
Basically, IMHO:
  1. "Aggressive Mode" was a bad idea, and it should never be used. Nothing(!) should ever be "passed 'in the clear.'"
  2. "Aggressive Mode PLUS PSKs==Passwords" is a death sentence for security.
Consider this: (emphasis mine)
Quote:
Aggressive mode can be used within the phase 1 VPN negotiations, as opposed to Main mode. Aggressive mode takes part in fewer packet exchanges. Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). It is not as secure as main mode, but the advantage to aggressive mode is that it is faster than Main mode.
You will never convince me that it is actually, pragmatically, "faster" to "omit packet exchanges." (Face it, we're talking milliseconds here ...) Especially when you completely give-up cryptographic protection as "the price that you pay." Believe me, there is no justification whatsoever for any such nonsense. "Ever!"

However: there is also(!) no justification for "settling for a few-hundred at-best 'bits of potentially-guessable(!) entropy,'" when the use of a certificate would not only utterly-vacate the threat of "guessing" but confer advantages that "one of a kind" alone can give. "Case closed!"

Therefore: "if you are destined to use IPSec as the basis for your VPN, use it the right way!"
  1. Under no circumstances should you ever use "aggressive mode." ...and(!)...
  2. Under no circumstances should you ever use "PSKs == Passwords!" (with any sort of VPN (or SSH...) solution whatsoever!)
With these covenants having been established, with regard to your(!) actual use of this technology, the remainder of the argument becomes "thankfully irrelevant," because you can now be certain that they do not – and, will never – apply to you.

Last edited by sundialsvcs; 04-25-2017 at 08:35 PM.
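
An added example, not part of the original posts: a small audit that applies the two rules from post #12 (no Aggressive Mode, no PSK authentication) plus the weak phase 1 hashes named in post #9 to a strongSwan-style `ipsec.conf`. The choice of strongSwan syntax, the connection names, file names and addresses are assumptions constructed for illustration; the thread itself concerns a Cisco ASA.

```python
# Constructed sample configuration (documentation-range addresses).
SAMPLE_CONF = """
conn %default
    keyexchange=ikev1

conn branch-legacy
    aggressive=yes
    authby=secret
    ike=aes256-sha1-modp1024
    right=203.0.113.10

conn branch-certs
    keyexchange=ikev2
    authby=pubkey
    leftcert=gw.example.pem
    ike=aes256-sha256-modp2048
    right=203.0.113.20
"""

WEAK_HASHES = {"md5", "sha1"}   # the phase 1 hashes the thread calls weak
PSK_VALUES = {"secret", "psk"}  # ipsec.conf values that select a pre-shared key


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented line starts a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def audit_conn(opts):
    """List the findings for one connection's merged options."""
    findings = []
    if opts.get("aggressive", "no").lower() == "yes":
        findings.append("aggressive-mode")
    if any(opts.get(k, "").lower() in PSK_VALUES
           for k in ("authby", "leftauth", "rightauth")):
        findings.append("psk-auth")
    for proposal in opts.get("ike", "").rstrip("!").split(","):
        if WEAK_HASHES & set(proposal.strip().lower().split("-")):
            findings.append("weak-ike-hash")
            break
    return findings


def audit(text):
    return {name: audit_conn(opts) for name, opts in parse_conns(text).items()}
```

Running `audit(SAMPLE_CONF)` reports all three findings for `branch-legacy` and none for `branch-certs`.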
 
Old 05-31-2019, 04:22 AM   #13
netaxiz
LQ Newbie
 
Registered: Mar 2014
Posts: 4

Rep: Reputation: Disabled
"They can spoof the IP address and get in? They'd need something local to the LAN segment the external interface is on. A spoofed IP can get in but it can't get back to the sender."

This is the crux, even if you are given the PSK and hack the hash, and spoof the IP.

Then what? The remote peer will try and complete the connection to the real local peer IP, and not to the hacker.

So how is a site to site VPN hacked? Having the PSK, hacking the hash and even spoofing the IP is not enough.
 
  

