Security Basics
Open VPN for PEN testing Sep 17 2013 06:07PM
ToddAndMargo (ToddAndMargo zoho com) (1 replies)
Re: Open VPN for PEN testing Sep 18 2013 01:05PM
Luis Lezcano Airaldi (luislezcair gmail com)
On Tue, Sep 17, 2013 at 11:07:06AM -0700, ToddAndMargo wrote:
> Hi All,
>
> I have heard several folks say that they use Open VPN for human
> penetration testing.
> Reference: https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf
>
> I apparently did not pay close enough attention. I figured that Open
> VPN would get you past the firewall and the multilayer switch. Which
> sounded right to me. Use Open VPN to create a connection to the
> computer and/or network to be tested. Then test the
> computer/network with nmap, Metasploit, etc.
>
> But, if I remember correctly, they also said they used Open VPN
> as a direct attack mechanism to try to break into ports. Not as
> a mechanism to gain access to the computer/network.
>
> Am I missing something? Can Open VPN actually be used as an attack
> mechanism (nmap, metasploit) to test a computer/network?

Hi! Sometimes, enterprises use VPN to let employees connect to the local
network from their homes. So it is logical to try to break into the local
network using their credentials.

Also, VPNs are used as a way to gain a certain degree of anonymity. So your
connection cannot be easily tracked back to you, if there's some vigilant
sysadmin.

Hope this helps.
Regards.

Copyright 2010, SecurityFocus