VPN Security: A Pentester's Guide to VPN Vulnerabilities
by Gilad David Maayan
What Is a VPN?
A virtual private network (VPN) is a secure networking model that creates an encrypted connection between a user device and a server. Remote access VPN infrastructure helps users securely connect to an organization’s internal network or the public Internet. The goal is to prevent traffic from being exposed in the clear on the Internet.
VPNs secure traffic containing confidential or proprietary data. Organizations use VPNs to:
- Enable remote workers to access sensitive data and internal applications securely.
- Establish one common network to connect several branch offices.
Business VPNs may offer several options, such as:
- Remote access—these VPNs let remote users securely access corporate network infrastructure, encrypting all traffic sent and received by authorized remote workers.
- Site-to-site networking—these VPNs create a connection between two or more networks instead of connecting an individual user or device to a central network. Organizations employ a site-to-site VPN as an alternative to a private multiprotocol label switching (MPLS) circuit to achieve a secure Internet connection for confidential traffic.
While beneficial in some ways, business VPNs also pose security risks, because they tie the protection of this traffic to the limitations of the network security perimeter.
VPN Vulnerabilities and Security Risks
Here are the most common security risks associated with VPNs:
- VPN hijacking—occurs when an unauthorized user takes control of a VPN connection using a remote client.
- Man-in-the-Middle (MitM)—these attacks allow threat actors to intercept data in transit.
- Weak user authentication—insecure practices like weak and default passwords or one-factor authentication allow threat actors to steal credentials.
- Split tunneling—occurs when a user can access an insecure Internet connection while accessing a VPN connected to a private network.
- Malware infection—insecure VPNs can allow malware to infect a client machine and spread through the network.
- Highly privileged accounts—occurs when admins grant users too many network access rights.
- DNS leaks—occur when a computer uses a default DNS connection instead of the VPN’s secure DNS server.
VPNs are not immune to cyberattacks and data breaches. A VPN operates on the basis of trusting any entity that enters the network instead of using the more secure principle of least privilege. Some VPN solutions offer more secure measures but can be difficult to implement. Organizations with many remote workers can find VPN management costly, especially when using a reputable provider.
How Does MITRE ATT&CK Define VPN Attacks?
MITRE ATT&CK is a database of tactics, techniques, and procedures (TTPs) describing exactly how cybercriminals conduct attacks. MITRE ATT&CK has a technique known as External Remote Services (T1133), which describes the typical techniques used to attack networks through VPNs and similar services. This type of attack is used either as a persistent access mechanism or as a redundant form of access alongside other access methods.
MITRE notes that alongside VPN, attackers might leverage other remote access mechanisms such as remote service gateways, Windows Remote Management, and VNC remote desktop access. Whatever the access mechanism, attackers typically start by obtaining access to a valid account, typically via credential pharming.
Here are examples provided by MITRE of real VPN attacks. These examples reference code names of advanced persistent threat (APT) groups:
- APT18 obtained legitimate credentials and used them to log into external remote services.
- APT28 used Tor and commercial VPN services to perform a brute force authentication breach.
- APT29 used compromised identities to gain unauthorized access to networks via SSH, VPNs, and other remote access tools.
- APT41 used VPN access, granted to a third-party service provider, to compromise an online payment service.
- Chimera used compromised credentials to log in to an external VPN and other remote services.
- Ke3chang gained access to a network through VPNs, using stolen VPN certificates and compromised accounts.
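The MITRE examples above share one precondition: a valid account used from somewhere it should not be, obtained by brute force or credential theft. As an added example (not from the original article or from MITRE), the Python below runs two simple detections over constructed VPN authentication log lines in a hypothetical syslog format: a success preceded by a burst of failures, and one account succeeding from several source addresses in a short window. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "<ts> vpn auth <OK|FAIL> user=<u> src=<ip>"
# syslog format; adapt LINE_RE to whatever your VPN appliance actually emits.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn auth FAIL user=jdoe src=198.51.100.7
2024-03-01T08:00:03Z vpn auth FAIL user=jdoe src=198.51.100.7
2024-03-01T08:00:05Z vpn auth FAIL user=jdoe src=198.51.100.7
2024-03-01T08:00:09Z vpn auth OK user=jdoe src=198.51.100.7
2024-03-01T08:10:00Z vpn auth OK user=asmith src=203.0.113.10
2024-03-01T08:12:00Z vpn auth OK user=asmith src=203.0.113.11
2024-03-01T08:14:00Z vpn auth OK user=asmith src=203.0.113.12
2024-03-01T09:00:00Z vpn auth OK user=bwhite src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) vpn auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, success, user, src) tuples; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2) == "OK", m.group(3), m.group(4)

def detect(log, fail_threshold=3, window=timedelta(minutes=10), max_sources=2):
    """Return sorted (user, reason) findings for two T1133-style patterns:
    a success preceded by >= fail_threshold failures inside `window` (brute force),
    and successes from more than max_sources distinct IPs inside `window`."""
    findings = set()
    fails = defaultdict(list)      # user -> failure timestamps since the last success
    successes = defaultdict(list)  # user -> (timestamp, src) of recent successes
    for ts, ok, user, src in sorted(parse(log)):
        if not ok:
            fails[user].append(ts)
            continue
        recent_fails = [t for t in fails[user] if ts - t <= window]
        if len(recent_fails) >= fail_threshold:
            findings.add((user, f"success after {len(recent_fails)} failures within window"))
        fails[user].clear()
        successes[user] = [(t, s) for t, s in successes[user] if ts - t <= window]
        successes[user].append((ts, src))
        distinct = {s for _, s in successes[user]}
        if len(distinct) > max_sources:
            findings.add((user, f"logins from {len(distinct)} distinct sources within window"))
    return sorted(findings)
```

Tuning the thresholds against a day of real logs is the important part; the sample values only show the shape of each rule.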
What Is A Network Penetration Test?
A network penetration test is an authorized simulation of a cyberattack conducted to detect vulnerabilities in a software system. It tests an organization's resilience to help gauge its ability to withstand a breach or compromise.
A network penetration test is typically performed by ethical hackers authorized to intentionally deploy methods and techniques used by malicious actors. The goal is to uncover and help fix security flaws and weaknesses in the tested system.
Ethical hackers get authorized and legal permission to conduct these attack simulations. This means a pentester must have a documented mandate or authorization from the targeted organization to proceed with the ethical hacking exploits.
The results of a network penetration test provide organizations with recommendations to improve the organization's network and overall security against future cyberattacks. These tests typically cover network-layer assessments, application-layer tests, and testing remote access vectors like VPN connections.
VPN Penetration Testing Steps
VPN penetration testing helps identify weaknesses and vulnerabilities related to VPNs, providing organizations with the information needed to fix these issues and secure their networks and data assets.
There are two main types of VPNs—secure sockets layer (SSL) and Internet protocol security (IPSec)—and each requires different steps during a penetration test. However, several steps are common to both, and you can apply them to your VPN security assessment: planning, port scanning and fingerprinting, exploiting known vulnerabilities, and reporting.
Step 1: Planning
This step defines the rest of the testing activity. It involves determining the scope of the test, setting realistic deadlines, and defining clear roles and responsibilities for all involved parties.
Step 2: Port scanning and fingerprinting
Port scanning can help identify your VPN type. If you know where the VPN is located, you can direct the scanning tool to a specific range of IP addresses rather than the entire network. Determining the VPN type involves checking the list of open ports.
Here is how to identify the VPN type according to the open ports:
- IPSec VPN—when port number 500 is open.
- SSL VPN—when port number 443 is open.
After running a port scan, you need to fingerprint the vendor’s VPN and model. You can use this information to search for model and vendor-specific attacks. There are many possibilities, including:
- Identify the authentication type the VPN uses.
- Exploit security weaknesses in the pre-shared key (PSK) authentication mechanism.
- Run captured hashes through password cracking software to retrieve passwords.
You can use web application scanners for SSL-based VPNs. Automated tests can give false positives, so you may also need manual testing. Like firewalls, IPSec VPNs have default user accounts. After the installation completes, the default user accounts are no longer required.
Step 3: Exploiting known vulnerabilities
This step involves exploiting the vulnerabilities discovered in the previous step to identify those that require immediate patching. Additionally, if the test identifies default user accounts, you must remove or change them.
Step 4: Reporting
The final report summarizes all findings and lists the action points on which the security team must act. These action points help security teams learn what they need to do to patch the discovered vulnerabilities.
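Step 2's port-based identification, as an added example that is not from the original article: the Python below parses a constructed sample of nmap's grepable (-oG) output and triages each host, treating 500/udp (IKE) and 4500/udp (IKE NAT traversal) as an IPSec signal and 443/tcp only as an SSL VPN candidate that still needs fingerprinting, since 443/tcp is also plain HTTPS. The hosts, hostnames and confidence labels are assumptions, and the resulting per-host notes are the kind of entries the Step 4 report is built from.

```python
import re

# Constructed sample in nmap's grepable (-oG) format for four hypothetical hosts.
SAMPLE_GNMAP = """\
# constructed sample, not real scanner output
Host: 203.0.113.1 (vpn-a.example)\tPorts: 500/open/udp//isakmp///, 4500/open/udp//nat-t-ike///
Host: 203.0.113.2 (vpn-b.example)\tPorts: 443/open/tcp//https///, 22/closed/tcp//ssh///
Host: 203.0.113.3 (www.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.4 ()\tPorts: 500/filtered/udp//isakmp///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")

def parse_gnmap(text):
    """Map host -> set of (port, proto, state) from -oG lines; comments are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ports = set()
        # entries look like port/state/proto/owner/service/rpc/version/; a trailing
        # "\tIgnored State: ..." field, if present, is dropped before splitting
        for entry in m.group(3).split("\t")[0].split(", "):
            port, state, proto = entry.split("/")[:3]
            ports.add((int(port), proto, state))
        hosts[m.group(1)] = ports
    return hosts

def classify(ports):
    """Return (vpn_type, confidence, note) for one host's (port, proto, state) set.
    500/udp is IKE and 4500/udp is IKE NAT traversal, so open 500/udp is a strong
    IPSec signal; 443/tcp is also plain HTTPS, so it only yields a candidate until
    the service is fingerprinted; a filtered UDP port is inconclusive."""
    open_ = {(p, pr) for p, pr, st in ports if st == "open"}
    if (500, "udp") in open_:
        natt = (4500, "udp") in open_
        return "ipsec", "high", "IKE on 500/udp" + ("; NAT-T on 4500/udp" if natt else "")
    if (443, "tcp") in open_:
        if (80, "tcp") in open_:
            return "ssl-vpn-candidate", "low", "443/tcp beside 80/tcp; likely a web server, fingerprint to confirm"
        return "ssl-vpn-candidate", "medium", "443/tcp open; fingerprint vendor and model before assuming a VPN"
    if (500, "udp", "filtered") in ports:
        return "unknown", "none", "500/udp filtered; UDP result inconclusive, verify firewall policy"
    return "none", "none", "no VPN-indicative port open"

def triage(text):
    """Return {host: (vpn_type, confidence, note)} for every host in a -oG file."""
    return {host: classify(ports) for host, ports in parse_gnmap(text).items()}
```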
In this article, I explained the basics of VPN security vulnerabilities and showed how to perform a VPN penetration test in four steps:
- Planning the penetration test to identify scope and set expectations with the client
- Port scanning and fingerprinting to identify the VPN vendor, model, and version
- Exploiting known vulnerabilities in the discovered VPN infrastructure
- Reporting on vulnerabilities and proposed mitigation steps
I hope this will be useful as you step up your VPN security strategy with a proactive penetration testing approach.
This article was originally published at: https://pentestmag.com/product/pentest-wireless-pentesting-toolkit/