VPN Services
Default Ports: 500/4500 UDP (IPsec/IKE), 1194 (OpenVPN), 51820 (WireGuard), 1723 (PPTP), 1701 (L2TP)
VPN services provide remote access into internal networks. In pentests, VPN testing focuses on exposed portals, weak pre-shared keys, user enumeration, MFA behavior, legacy protocols, and post-login network access.
Connect
IPsec / IKE
Start by checking IKE response, aggressive mode, and NAT-T.
ike-scan target.com
ike-scan -A target.com
nmap -sU -p 500,4500 target.com
OpenVPN
OpenVPN may use UDP, TCP, or TCP 443.
nmap -sU -p 1194 target.com
nmap -sT -p 1194,443 target.com
sudo openvpn --config client.ovpn
WireGuard
WireGuard does not reply to packets that are not from a known peer key, so a UDP scan usually reports the port as open|filtered rather than open; silence is not proof the service is absent.
nmap -sU -p 51820 target.com
sudo wg show
PPTP and L2TP
PPTP and L2TP are legacy findings worth reporting when exposed.
nmap -p 1723 -sV target.com
nmap -sU -p 1701 target.com
nmap -sU -p 500,4500 target.com
Recon
Service Detection with Nmap
Scan both UDP tunnel ports and TCP web portal ports.
nmap -sU -sT -p U:500,4500,1194,1701,51820,T:443,8443,9443,1194,1723 target.com
nmap -p 443,8443,9443,10443 -sV --script ssl-cert,ssl-enum-ciphers target.com
nmap -p 1723 --script pptp-version target.com
Web Portal Discovery
SSL VPN portals expose vendor, version, login, and MFA behavior.
httpx -u https://target.com -title -tech-detect -status-code -follow-redirects
curl -I https://target.com/
curl -I https://target.com/remote/login
curl -I https://target.com/+CSCOE+/logon.html
IKE Enumeration
IKE enumeration identifies transform sets and aggressive mode.
ike-scan target.com
ike-scan -A target.com
ike-scan --showbackoff target.com
Certificate Review
VPN certificates reveal product names, hostnames, and expiry issues.
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Enumeration
Vendor Enumeration
Identify the appliance before vulnerability or config testing.
httpx -u https://target.com -title -tech-detect -status-code
curl -sk https://target.com/ | grep -Ei 'fortinet|fortigate|pulse|globalprotect|anyconnect|sonicwall|openvpn'
User Enumeration
Login flows may reveal valid users through messages, timing, or MFA prompts.
curl -sk -X POST https://target.com/login -d 'username=test&password=test'
MFA Enumeration
Compare behavior for invalid users, valid users, bad passwords, and MFA prompts.
curl -sk -X POST https://target.com/login -d 'username=validuser&password=wrong'
curl -sk -X POST https://target.com/login -d 'username=invaliduser&password=wrong'
Profile and Config Review
Client profiles may expose internal routes, DNS, certificates, and scripts.
grep -Ei 'remote|route|dhcp-option|auth-user-pass|cert|key|script' client.ovpn
grep -Ei 'AllowedIPs|Endpoint|PrivateKey|DNS' wg0.conf
Attack Vectors
IKE Aggressive Mode PSK Capture
Aggressive mode may expose material for offline PSK cracking.
ike-scan -A target.com --id=groupname -M
psk-crack -d wordlist.txt ike-scan-output.txt
Weak Portal Credentials
Credential attacks must be scoped and rate-limited.
hydra -L users.txt -P passwords.txt target.com https-post-form "/login:username=^USER^&password=^PASS^:Invalid"
MFA Bypass or Fail-Open
Test alternate clients, portals, and legacy protocols for inconsistent MFA.
curl -sk https://target.com/
nmap -p 443,8443,9443,10443 -sV target.com
Legacy PPTP Exposure
PPTP is weak compared with modern VPN protocols.
nmap -p 1723 --script pptp-version target.com
OpenVPN Profile Leakage
Profiles may embed credentials, private keys, or broad routes.
grep -Ei 'auth-user-pass|BEGIN PRIVATE KEY|redirect-gateway|route ' *.ovpn
WireGuard Key and Route Issues
Overbroad AllowedIPs and leaked keys can expose internal networks.
grep -Ei 'PrivateKey|AllowedIPs|Endpoint|DNS' wg*.conf
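The grep lines in Profile and Config Review and in the two profile-leakage sections only surface matching lines; the added example below (not part of the original cheat sheet) turns those checks into a small reviewer that also measures how wide pushed routes and AllowedIPs are. The sample profiles, the host vpn.example.test, the placeholder keys, and the /16 breadth threshold are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample profiles for the review functions below (no real keys or hosts).
SAMPLE_OVPN = """\
client
remote vpn.example.test 1194 udp
auth-user-pass creds.txt
redirect-gateway def1
route 10.0.0.0 255.0.0.0
-----BEGIN PRIVATE KEY-----
placeholder-not-a-real-key
-----END PRIVATE KEY-----
"""
SAMPLE_WG = """\
[Interface]
PrivateKey = placeholder-not-a-real-key=
[Peer]
PublicKey = placeholder-not-a-real-key=
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0, 10.0.0.0/8
"""
BROAD_PREFIX = 16  # anything shorter than /16 (e.g. /8, /0) is treated as overbroad


def review_ovpn(text):
    # Same directives the page greps for, but a `route` is only flagged when it is broad
    findings = []
    if re.search(r"^auth-user-pass\s+\S", text, re.M):
        findings.append("auth-user-pass references a stored credential file")
    if "BEGIN PRIVATE KEY" in text or "BEGIN RSA PRIVATE KEY" in text:
        findings.append("private key embedded inline in the profile")
    if re.search(r"^redirect-gateway", text, re.M):
        findings.append("redirect-gateway: full tunnel, all client traffic enters the VPN")
    for m in re.finditer(r"^route\s+(\S+)\s+(\S+)", text, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen < BROAD_PREFIX:
            findings.append(f"broad route pushed: {net}")
    return findings


def review_wg(text):
    # Flag a stored PrivateKey and every AllowedIPs entry wider than BROAD_PREFIX
    findings = []
    if re.search(r"^PrivateKey\s*=", text, re.M):
        findings.append("PrivateKey stored in config: file is a secret")
    for m in re.finditer(r"^AllowedIPs\s*=\s*(.+)$", text, re.M):
        for cidr in (c.strip() for c in m.group(1).split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < BROAD_PREFIX:
                findings.append(f"overbroad AllowedIPs: {net}")
    return findings
```

Run `review_ovpn(open("client.ovpn").read())` or `review_wg(open("wg0.conf").read())` against collected profiles; an empty list means none of the checked issues were found.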
Post-Exploitation
Route Enumeration
After authorized login, map assigned routes and DNS.
ip route
ip addr
cat /etc/resolv.conf
netstat -rn
Internal Access Review
Validate which internal ranges and services are reachable.
nmap -sn 10.0.0.0/24
nmap -p 22,80,443,445,3389,5985 10.0.0.0/24
Split Tunnel Review
Split tunnel configuration affects traffic exposure and monitoring.
ip route | grep -E 'default|tun|wg|ppp'
traceroute 8.8.8.8
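The Route Enumeration and Split Tunnel Review steps above read `ip route` by eye; the added example below (not part of the original cheat sheet) parses that output to classify the tunnel and total the address space reachable through it. The sample routing table, the interface names and the assumption that tun/wg/ppp interfaces are the VPN side are constructed for the example.

```python
import ipaddress

VPN_IFACES = ("tun", "wg", "ppp")  # interface name prefixes treated as the VPN side

# Constructed `ip route` output from a client whose OpenVPN server pushed split-tunnel
# routes (sample data, not from a real host).
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""


def parse_routes(text):
    """Return (destination network, device) pairs from `ip route` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def review_split_tunnel(text):
    """Classify the tunnel as full or split and list the ranges reached through it."""
    vpn_routes = [(net, dev) for net, dev in parse_routes(text) if dev.startswith(VPN_IFACES)]
    # A default route via the tunnel means full tunnel; OpenVPN's `redirect-gateway def1`
    # instead installs 0.0.0.0/1 and 128.0.0.0/1, so /1 routes count as full tunnel too.
    full_tunnel = any(net.prefixlen <= 1 for net, _ in vpn_routes)
    reachable = 2 ** 32 if full_tunnel else sum(net.num_addresses for net, _ in vpn_routes)
    return {
        "mode": "full" if full_tunnel else "split",
        "vpn_ifaces": sorted({dev for _, dev in vpn_routes}),
        "tunnelled": [str(net) for net, _ in vpn_routes],
        "addresses_reachable": reachable,
    }
```

Feed it the live table with `review_split_tunnel(subprocess.run(["ip", "route"], capture_output=True, text=True).stdout)` after connecting; a large `addresses_reachable` on a split tunnel is the evidence for the Broad VPN routes finding.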
Logging Check
Generate controlled failed logins and confirm detection.
curl -sk -X POST https://target.com/login -d 'username=invalid&password=invalid'
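Confirming detection means the portal's failed logins must actually trip a rule on the receiving side. The added example below (not from the original cheat sheet) is the kind of rule the controlled failures should trigger: a sliding window per source that alerts on repeated failures and on failures spread across several usernames. The syslog-style line format, the sample lines, the addresses and the thresholds are all constructed for the example, not a vendor's format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed syslog-style VPN portal lines (illustrative format, not a vendor's).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn-portal auth: result=fail user=invalid src=203.0.113.10
2024-05-01T10:00:03Z vpn-portal auth: result=fail user=invalid src=203.0.113.10
2024-05-01T10:00:04Z vpn-portal auth: result=fail user=alice src=203.0.113.10
2024-05-01T10:00:06Z vpn-portal auth: result=fail user=bob src=203.0.113.10
2024-05-01T10:00:09Z vpn-portal auth: result=fail user=carol src=203.0.113.10
2024-05-01T10:00:20Z vpn-portal auth: result=ok user=dave src=198.51.100.7
2024-05-01T10:09:00Z vpn-portal auth: result=fail user=erin src=198.51.100.7
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=5)  # sliding window per source address
FAIL_THRESHOLD = 5             # failures from one source inside the window
SPRAY_USERS = 3                # distinct usernames failing from one source inside the window


def detect(text, window=WINDOW, fail_threshold=FAIL_THRESHOLD, spray_users=SPRAY_USERS):
    """Return one alert per (source, pattern) the first time the pattern is seen."""
    alerts = []
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures only
    fired = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "fail":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= fail_threshold and (m["src"], "brute") not in fired:
            fired.add((m["src"], "brute"))
            alerts.append(f"{m['src']}: {len(q)} failed logins within {window}")
        if len(users) >= spray_users and (m["src"], "spray") not in fired:
            fired.add((m["src"], "spray"))
            alerts.append(f"{m['src']}: failures across {len(users)} users within {window}")
    return alerts
```

If the controlled failures you generate do not produce an equivalent alert in the customer's SIEM, that is the Logging Check finding.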
Useful Tools
| Tool | Purpose |
|---|---|
| ike-scan | IKE enumeration |
| psk-crack | IKE PSK cracking |
| openvpn | OpenVPN client testing |
| wg | WireGuard config review |
| nmap | Port and internal scans |
| httpx | Portal fingerprinting |
| openssl | Certificate review |
| hydra | Scoped credential testing |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| IKE aggressive mode | Offline PSK cracking |
| Weak VPN credentials | Remote internal access |
| Missing or inconsistent MFA | Remote access bypass |
| Legacy PPTP exposed | Weak authentication model |
| Leaked VPN profiles | Key and route exposure |
| Broad VPN routes | Excessive internal access |
| Weak split-tunnel controls | Traffic and policy gaps |
| Outdated VPN appliance | Known vulnerability exposure |