[isalist] Re: VPN Connection

Cain and Able doesn't do RDP brute forcing...   only if you manage to do some 
MITM attack, which probably won't work anyway over RDP given the auth 
channel...  And it's not "shameless self promotion" if I've been giving the 
tool away for years ;)

And the good stuff about the tool was actually written by Ryan Russell  - I 
architected it and did all the research and stuff - he's the one that got the 
MSTSC api calls to work with ROBOCLIENT.   So, if anyone gets the true kudos 
for "l337ness," it's Ryan and not me :)

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Wednesday, November 25, 2009 8:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Connection

Thor = Shameless Self Promotion?

Why use brute forcing when firing up Cain & Abel is so much easier (providing 
you can hide it from anti-virus software)?  Well, I suppose as more and more 
RDP sessions become protected by TLS that might be one reason but wouldn't TLS 
also defeat brute forcing (don't beat up on me - I'm still a neophyte!)?  Or is 
this tool capable of that because the fricken genius who wrote it is a fricken 
l337 haxxor?

I wanna see... please show me?  Please? :)

By the way: Happy Turkey Day!
On Tue, Nov 24, 2009 at 3:51 PM, Greg Mulholland 
<greg@xxxxxxxxxxxxxx<mailto:greg@xxxxxxxxxxxxxx>> wrote:
It is indeed a tool!

________________________________
From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf 
Of Thor (Hammer of God) [thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>]
Sent: Tuesday, November 24, 2009 9:01 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection
Brute forcing RDP connections is very difficult.  In fact, it would take a 
freaking genius to write such a tool.  I mean, the author would have to be a 
freaking l337 haxxor or something.  I only know of one tool in the world that 
does that ;)

t

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: Tuesday, November 24, 2009 6:25 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

The downside to this technique is that if you stop the firewall service, you 
can't reach the ISA from outside.
OTOH, if you add the External network to the system policy Remote manglement 
rule, you can still reach the ISA remotely even when the firewall service is 
stopped (as when a plug-in goes <poof>).
Granted, this also opens the ISA to RDP -based attacks from the Internet, but 
unless you use a custom port in the RDP publishing to the Internernal NIC, 
you've effectively done the same thing.

Jim

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Steve Moffat
Sent: Tuesday, November 24, 2009 4:37 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

Erm....correct me if I'm wrong here....but you can publish the rdp listener to 
the internal interface can you not??? WTH would you publish the external if 
it's causing issues?

S

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Paul T. Laudenslager
Sent: Tuesday, November 24, 2009 12:31 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

Hi Jim,

You know, you are probably right and I'm off target but this has happened on a 
few machines to me.  It's probably the way I build my ISA servers as I do them 
all the same.

I always have a need to RDP to the IP on the external interface.  The majority 
of the time, I never have a problem connecting.  However, on the boxes that I 
have intermittantly had problems connecting with, I've noticed a few common 
issues...

1.  Whenever the ISA box was rebooted unexpectedly - such as a power outage - I 
noticed that I was unable to connect via RDP when the box came back up until I 
restarted the firewall service.  After the firewall service was stopped or 
restarted, I could reconnect via RDP to the external IP just fine.

Whenever the problem appeared, I was not able to connect via RDP to the ISA box 
itself.  However, I was always able to remote to a published server behind the 
firewall.  I'm not sure why, but that's the way it worked.

I would just open up the services applet on the internal server and then 
"connect to another computer" back to the firewall and restart the firewall 
service.   Once the firewall service was restarted (or just plain stopped), I 
was able to RDP to the box just fine.

Anyway, to make a long story shorter...

2.  Whenever the box had problems, the VPN connections always stopped working 
as well.  In fact, this was usually how I found out there was a problem as 
customers started ringing my phone off the hook.

Going through the log files, I usually found the server was rebooted for one 
reason or the other... Power outages, hardware issues, or even when Microsoft 
forcefully rebooted it.  This was the common theme everytime it happened.  The 
server would boot back up and everything was published... The only problems 
noticed were VPN connections and RDP issue.

I assume that one was related to the other because they always happened at the 
same time.

Thanks for all the help that you (and others) give here on the list.

Your friend in Virginia,
Paul Laudenslager
paul@xxxxxxxxxxxxxxxx<mailto:paul@xxxxxxxxxxxxxxxx>

________________________________
From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf 
Of Jim Harrison [Jim@xxxxxxxxxxxx<mailto:Jim@xxxxxxxxxxxx>]
Sent: Monday, November 23, 2009 9:00 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection
er...

How did you assemble the two?
Yes, there is a problem with having RDP listening on the external interface if 
you also have a server publishing listener configured to do the same (race 
condition), but where does this have any relationship to PPTP VPN failures?

Jim

________________________________
From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf 
Of Paul T. Laudenslager [paul@xxxxxxxxxxxxxxxx<mailto:paul@xxxxxxxxxxxxxxxx>]
Sent: Monday, November 23, 2009 4:08 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection
This is the old dreaded multiple NICs selected for Remote Desktop into ISA.

When our server would be rebooted (like a power outage), we could not longer 
connect properly with RD and VPN's stopped working as well.  Restarting the 
firewall/routing services seemed to get everything working but doing a 
start/shutdown/restart would NOT resolve the issue.

I believe, from what I've read, if you tell Terminal Services to only respond 
on the Internal NIC card, this problem goes away.  However, I like connecting 
to the outside IP (from remote).  So each time I have a problem, I have to 
remote in to a server BEHIND the firewall and restart the services on the 
firewall itself.  It's a pain, but doesn't happen often.  Only when the server 
reboots does it appear... ie.  Microsoft forces a reboot on the server for 
updates even when you tell it NOT to... go figure.

Having the services only responding to one NIC should resolve your VPN issue... 
Hopefully... <grin>

Your friend,
-paul

From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Ball, Dan
Sent: Friday, November 13, 2009 1:30 PM
To: 'isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>'
Subject: [isalist] Re: VPN Connection

RRAS is configured to use the C:\WINDOWS\system32\LogFiles directory, but when 
I looked in there it was empty.  I have since enabled the logging of 
Authentication Requests (from within the RRAS console), so hopefully this will 
record something next time around.

Sorry I don't have much info to work with...   I've set the server to reboot 
itself tonight, so will do some testing this weekend on it (had busy nights 
this week).


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: Friday, November 13, 2009 11:23 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

What about the RRAS logs?
Normally, they're located in %windir%\tracing...

Jim

________________________________
From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf 
Of Ball, Dan [DBall@xxxxxxxxxxx<mailto:DBall@xxxxxxxxxxx>]
Sent: Wednesday, November 11, 2009 6:36 AM
To: 'isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>'
Subject: [isalist] Re: VPN Connection
Not much there either... In the logs I see the server reboot, RRAS service 
starts, it gets an IP address to use, but I don't see any other messages.
Note: The security log doesn't go back far enough, so I'll have to wait until 
it happens again see if there is anything in that log.


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: Tuesday, November 10, 2009 4:13 PM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

WSACONNREFUSED indicates that the RRAS service is not accepting new connections.
What do you find from Routing & Remote Access in the event logs?
________________________________
From: Ball, Dan <DBall@xxxxxxxxxxx<mailto:DBall@xxxxxxxxxxx>>
Sent: Monday, November 09, 2009 10:44
To: 'isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>' 
<isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>>
Subject: [isalist] Re: VPN Connection
Well, the ISA traffic monitor shows that the "[System] Allow VPN client traffic 
to ISA Server" rule generates a "0x8007274d WSAECONNREFUSED" error, but that is 
about all I could find.

Since I'm not exactly sure what time the problems start (we don't use VPN every 
day) I don't know about the event log.  I'll have to try rebooting it tonight 
and see if it quits working upon reboot.


From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On 
Behalf Of Jim Harrison
Sent: Monday, November 09, 2009 11:02 AM
To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: VPN Connection

Dan,

It should be "manual", because the firewall service manages its state.
When you say "not going through" - what exactly is happening?
What do  you see in the RRAS, ISA or event logs at the time the problems start?

Jim

________________________________
From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> 
[isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf 
Of Ball, Dan [DBall@xxxxxxxxxxx<mailto:DBall@xxxxxxxxxxx>]
Sent: Monday, November 09, 2009 4:36 AM
To: 'isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>'
Subject: [isalist] VPN Connection
A few times over the last couple of months I've had problems with the VPN 
connections not going through our ISA2006 server.  Each time, the problem 
appears to be in the Routing and Remote Access part of the server.   A restart 
of the RRAS service seems to fix it, but rebooting the entire server does not.  
I noticed the service is set to Manual startup, is this correct or is it 
supposed to be set to Automatic?


--------------------------------------------------
Dan Ball
Network and Systems Technician
Marquette Area Public Schools
1103 West College Avenue
Marquette, MI 49855
E-Mail: dball@xxxxxxxxxxx<https://mail.optimum.bm/owa/UrlBlockedError.aspx>
Phone: (906)225-5779
Fax: (906)225-5377
--------------------------------------------------


________________________________
This email is confidential and should only be read by the intended recipient.

________________________________
This email is confidential and should only be read by the intended recipient.



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer

Other related posts: