Published on July 2, 2016
1. VPN penetration testing By Abdul Adil
2. Who am i? • Web application & Network pentester • Malware reverse engineering • Regular to Null Hyderabad chapter • Email: Abdul.Adil@connectica.in • Website: Connectica.in • Twitter:@AbdulAdil02
3. Agenda • What & Why VPN? • Types of VPN • VPN Internals • VPN issues • Demo • Questionnaire?
4. What & Why VPN? • VPN stands for “Virtual private network”. • It extends a private network across a public network (internet). • It establishes a virtual point-to-point connection. • Connection is encrypted!.
5. Scenario of VPN usage
6. Type of VPN protocol • PPTP • IPSec • SSL VPN • Hybrid VPN
7. Types of VPN protocol • PPTP(Point to point tunneling protocol): This is the most common and widely used VPN protocol. They enable authorized remote users to connect to the VPN network using their existing Internet connection and then log on to the VPN using password authentication. • IPSec: Trusted protocol which sets up a tunnel from the remote site into your central site. As the name suggests, it’s designed for IP traffic. IPSec requires expensive, time consuming client installations and this can be considered an important disadvantage.
8. VPN protocol & types •SSL VPN:SSL or Secure Socket Layer is a VPN accessible via https over web browser. SSL creates a secure session from your PC browser to the application server you’re accessing. The major advantage of SSL is that it doesn’t need any software installed because it uses the web browser as the client application. •Hybrid VPN: It combines the features of SSL and IPSec & also other types of VPN types. Hybrid VPN servers are able to accept connections from multiple types of VPN clients. They offer higher flexibility at both client and server levels and bound to be expensive.
9. VPN Internals
10. VPN Traffic
11. VPN appliance and applications VPN Appliance VPN application
12. VPN issues • Some of the protocols provide weak encryptions. • Vulnerable to brute force attacks as there is only one DES 56bit key to crack. • RC4 cipher which is used for encryption does not doesn’t helps us with the integrity of the data. • If not configure properly it can lead to leakage of data over network(Port fail vulnerability).
13. Twitter:@AbdulAdil02 Email:Abdul.Adil@connectica.in
14. Thanks to Null Hyderabad.