That's a good article to have in your back pocket. Thanks :)

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, May 05, 2003 8:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSec with Preshared secret warning.

http://www.ISAserver.org

Hi John,

Found it!

http://support.microsoft.com/?kbid=257225

How's that for good security planning on Microsoft's part?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Thomas W Shinder
Sent: Monday, May 05, 2003 6:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSec with Preshared secret warning.

Hi John,

With Deb's help, I found some good info on Aggressive Mode. AFAIK, Win2k and Win2003 use Main and Quick Modes, but I don't think they fall back on, or support Aggressive Mode. If they do, I've never read anything about it, or they are using different terminology.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Thomas W Shinder
Sent: Monday, May 05, 2003 6:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSec with Preshared secret warning.

Hi John,

Pretty interesting stuff. But, maybe somebody smarter than me can explain what "aggressive mode" is? I notice the neologism.com site mentions that it's possible and that they did it, but didn't mention how long the key was (probably used "mom" for the preshared key, bet it took a long time to figure that one out).

But seriously, it would be interesting to know how long it would take to crack a key that was more than 8 characters, that had both upper and lower case letters, numbers and symbols in it, that didn't use the @ for the letter A :-)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Monday, May 05, 2003 5:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] IPSec with Preshared secret warning.

FYI, copied from the SANS Critical Vulnerability Analysis Vol 2 No 17

(3) HIGH: IPSec Aggressive Mode Preshared Secret Exposure

Affected Products:
IPSec servers that support "aggressive" mode authentication with preshared secrets

Description:
When operating in aggressive mode, an IPSec server provides a connecting client with a cleartext hash value derived from the preshared secret. Attackers can collect a copy of the hash by sniffing an attempt to establish a VPN tunnel (the attempt can fail). The hash can then be used in an offline dictionary attack to recover the preshared secret. VPN gateways that accept connection requests from arbitrary IP addresses are especially at risk. Note that some servers (e.g. Cisco routers) will automatically switch to aggressive mode if the client requests it. This attack has been known for some time to security researchers but has not been widely publicized. Proof-of-concept tools are available to retrieve the hash from a vulnerable server and execute the dictionary attack to recover the preshared secret.

Council Site Actions:
Most of the reporting council sites do not use preshared secrets for their VPN connections and most have "Aggressive Mode" set to "false" on their concentrators. Several of the sites do have limited uses of preshared keys and stated that in these cases they use strong, random secrets. Also, some of these sites restrict the VPN connections by IP address.

Risk:
Remote attackers can recover the preshared secret and authenticate to the VPN gateway as a valid user.

Deployment:
Widely deployed. Many VPN products support aggressive mode by default, and are configured to accept connections from any IP address in order to support traveling employees.

Ease of Exploitation:
Trivial. Tools are available to automate the hash collection and cracking process. The password guessing task can be split across multiple machines running in parallel for greater speed.

Status:
Confirmed. If preshared secrets and aggressive mode authentication must be used, "strong" secrets that are unlikely to be cracked in a dictionary attack should be selected and changed periodically. If possible, aggressive mode can be disabled in favor of main mode authentication.

References:
Paper by Michael Thurman describing the attack
http://archives.neohapsis.com/archives/bugtraq/2003-04/0274.html
Posting by Damir Rajnovic, Cisco PSIRT
http://archives.neohapsis.com/archives/bugtraq/2003-04/0285.html
Posting by Curt Sampson
http://archives.neohapsis.com/archives/bugtraq/2003-04/0322.html
IKECrack Tool
http://ikecrack.sourceforge.net/
Posting by Anton Rager, IKECrack Author
http://archives.neohapsis.com/archives/bugtraq/2003-04/0306.html
SecurityFocus BID (published October 1999)
http://www.securityfocus.com/bid/7423/info/

John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
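
The advisory quoted in this thread says an aggressive-mode responder returns the hash derived from the preshared secret in cleartext, while the replies note that Windows uses Main and Quick Modes. As an added example (not part of the original thread or of any tool it references), this Python classifies a captured UDP/500 payload by its ISAKMP exchange type and flags an unencrypted aggressive-mode message that carries a HASH payload. The names `classify_isakmp` and `build_sample` are hypothetical, and the sample datagrams are constructed.

```python
import struct

# ISAKMP values from RFC 2408 / RFC 2409.
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
PAYLOAD_HASH = 8        # HASH payload type
FLAG_ENCRYPTED = 0x01   # header flag: payloads after the header are encrypted
# cookies (8+8), next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")


def classify_isakmp(datagram: bytes) -> dict:
    """Classify one UDP/500 payload; report a HASH payload sent in the clear."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, next_payload, _, exchange, flags, _, length = HEADER.unpack_from(datagram)
    if not HEADER.size <= length <= len(datagram):
        raise ValueError("ISAKMP length field does not fit the datagram")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, offset = [], HEADER.size
    # Walk the generic payload headers (next payload, reserved, 16-bit length).
    # An encrypted body cannot be walked, so the chain is left empty.
    while not encrypted and next_payload != 0:
        if offset + 4 > length:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            raise ValueError("payload length out of range")
        payloads.append(next_payload)
        next_payload, offset = following, offset + plen
    mode = EXCHANGE_NAMES.get(exchange, f"other({exchange})")
    return {"mode": mode, "encrypted": encrypted, "payloads": payloads,
            "exposes_hash": mode == "aggressive" and PAYLOAD_HASH in payloads}


def build_sample(exchange: int, flags: int, chain: list) -> bytes:
    """Constructed datagram with zero-filled payload bodies (not real traffic)."""
    body = b""
    for i in range(len(chain)):
        following = chain[i + 1] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 12) + bytes(8)
    first = chain[0] if chain else 0
    return HEADER.pack(b"I" * 8, b"R" * 8, first, 0x10, exchange, flags, 0,
                       HEADER.size + len(body)) + body


if __name__ == "__main__":
    # Responder's aggressive-mode reply: SA, KE, Nonce, ID, HASH, all unencrypted.
    print(classify_isakmp(build_sample(4, 0, [1, 4, 10, 5, 8])))
    # Main-mode authentication message: encrypted, so no payload is visible.
    print(classify_isakmp(build_sample(2, FLAG_ENCRYPTED, [5, 8])))
```

Run against payloads exported from a capture of a gateway's UDP port 500, an `exposes_hash` result of true indicates the gateway answered an aggressive-mode request with a cleartext HASH payload, which is the condition the advisory recommends removing by disabling aggressive mode.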