Sunday, June 2, 2013

VPN Flaws & Limitations

Virtual Private Network (VPN) is a technology that many organizations take for granted as the secure channel for communication between their various branches. But even though it is robust, it is, like most other technologies, not completely secure. We will discuss some of the security flaws of VPN technology here.

VPNs could be the most targeted area for an attack simply because of the amount of sensitive information they carry. VPNs also connect two internal networks across the insecure Internet, which means that a VPN has access to the internal network of an organization. So successfully attacking a VPN means gaining control of the internal network of the organization. Moreover, the VPN traffic is invisible to Intrusion Detection Systems, so they will be blind to an attack carried over the VPN.


·         VPN Fingerprinting – Like OS fingerprinting, where the user finds out information about the remote operating system, VPN fingerprinting is done to gather information about a VPN: what technology is used, what encryption is used, etc. It is not that difficult, as certain vendors' products reveal their identity, for example Cisco PIX and Nortel Contivity. Some may show their software versions as well.

·         Storage of VPN passwords – Most VPN clients store VPN credentials somewhere. This poses a great security risk.

o   Storing the username unencrypted in a file or registry – access to the username gets half the job done. The attacker can now perform an offline brute-force attack to get the password.

o   Storing the password in a scrambled form – it is just a matter of knowing the obfuscation algorithm to reveal the actual password.

o   Storing the plain-text password in memory – there are many tools available that can dump physical memory. Many clients store the actual password in plain text in memory at runtime, making it easy for the attacker.

o   Weak registry or file permissions for stored credentials – if you store credentials with weak permissions, they are readable by everybody who has access to your system, physically or via the network.

·         Username enumeration vulnerabilities – The original PSK authentication scheme has a flaw. For an incorrect login attempt it should not disclose which of the two values, username or password, was incorrect, but it does reveal it. When the VPN client sends its first packet, the VPN server responds differently depending on the username, for example:

o   It responds only if the client username is valid; otherwise there is no response.

o   It responds with a particular message if the username is false.

o   It responds with a hash payload generated from a NULL password if the username is wrong, which is very easy to figure out.

In this way it becomes easy for the attacker to tell wrong usernames from valid ones. What should actually be done is that the VPN server responds with a hash payload generated from a random password.
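As an added example (not code from the original post), here is the enumeration flaw and the fix the author proposes, modelled in Python. The responder's hash payload is simplified to an HMAC over the two exchanged nonces (an assumption standing in for the real PSK-keyed hash), the user store is a constructed dictionary, and the "random password" is realised as a decoy PSK derived from a server-wide secret and the username, so that repeated probes of the same name get consistent answers.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (username -> pre-shared key).
# Invented values for this example, not from any real deployment.
USER_PSKS = {
    "alice": b"correct horse battery staple",
    "bob": b"hunter2",
}

# Server-wide secret used to derive a decoy PSK for unknown usernames.
# Created at startup here; a real server would persist it so the decoy
# responses stay consistent across restarts.
SERVER_SECRET = secrets.token_bytes(32)

def hash_payload(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified stand-in for the PSK-keyed hash the server returns
    in its first reply (HMAC-SHA256 over both nonces; example only)."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()

def vulnerable_respond(username: str, nonce_i: bytes, nonce_r: bytes):
    """Flawed behaviour from the post: no hash payload for unknown users,
    so the presence or absence of a reply reveals whether the name exists."""
    psk = USER_PSKS.get(username)
    if psk is None:
        return None
    return hash_payload(psk, nonce_i, nonce_r)

def hardened_respond(username: str, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Always returns a well-formed hash payload. For unknown users the PSK
    is a decoy derived from SERVER_SECRET and the username: stable across
    repeated probes, but not guessable offline, so cracking it yields nothing."""
    psk = USER_PSKS.get(username)
    if psk is None:
        psk = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    return hash_payload(psk, nonce_i, nonce_r)

def leaks_user_existence(respond, known_user: str, unknown_user: str) -> bool:
    """Defender's self-check: does the responder behave differently for a
    valid and an invalid username under identical nonces?"""
    ni, nr = bytes(16), bytes([1]) * 16  # constructed fixed nonces
    a = respond(known_user, ni, nr)
    b = respond(unknown_user, ni, nr)
    if (a is None) != (b is None):
        return True
    return a is not None and len(a) != len(b)
```

Running `leaks_user_existence` against both responders shows the vulnerable one distinguishable and the hardened one not; a real fix would also need the reply timing and message format to match for both cases.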

·         Offline password cracking – Once the attacker gets his hands on the username, he can, with the help of the hash response given by the server, perform a dictionary-based attack or a brute-force attack and figure out the password.

The attacker takes each password in the dictionary, applies the hash algorithm to it and compares the result with the one given by the server. Whichever matches is the password.

·         Man in the Middle attack – A MitM attack is quite possible, even though there are two levels of authentication; it is just a matter of passing the first level.

o   Install the MitM system in the path between client and server. It could be installed in the same network as the client so as to perform ARP poisoning.

o   Sniff the username travelling in plain text.

o   Calculate its password as discussed above.

o   Now reset the connection between the actual client and the server, and let the client establish the connection again.

o   Now that we have the username and the password, we can act as a server for the client, and the client for the server.

o   For the second-level authentication, the actual server passes an XAUTH challenge, which the MitM simply forwards to the client.

o   The client’s response to the challenge is then forwarded to the actual server by the MitM system.

o   The Man in the Middle attack can now be carried out in peace.

·         Lack of account lockout – The VPN server allows any number of incorrect login attempts, which should not be the case.

·         Poor default configuration – Most VPN servers' default configuration is not very secure. For example, instead of using stronger encryption, it is set to use weak encryption.

·         Lack of proper documentation and poor guidance – People must be educated about setting up a secure VPN connection, which encryption should be used and why. Even the vendors' documentation is not well enough written to guide a proper and secure setup of the VPN connection.


Most people focus on and rely only on strong encryption. That may be important, but there are a lot of other things to take into account when securing a VPN.

-          Users should be careful not to leak their password(s) or username(s).

-          They should focus on security mechanisms other than a strong cryptographic algorithm.

-          The configuration of the VPN server should be properly modified for greater security.

-          A proper understanding of all configuration options helps a lot.

-          They should check for software bugs in the VPN client/server that could possibly open security holes.

-          Users should always use a properly tested VPN package.


Author : Mufaddal Makati
Contact :
