New VPN Hunter Service Scans Domains For Remote-Access Systems

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:35


If there’s one thing attackers love, it’s readily accessible remote-connection services running on a target company’s network. Once an attacker knows that an organization is running a specific kind of VPN or has RDP enabled on a bunch of machines, he can then start looking for known vulnerabilities or target users’ credentials for those systems. The folks at Duo Security are releasing a new service today called VPN Hunter that will help companies identify which remote-access services on their networks are exposed to the Internet.

VPN Hunter is a simple Web interface that enables a user to enter any domain name and will then return a list of every remote access service that’s found on the domain, including IPsec VPNs, SSL VPNs, RDP and SSH. It will also look for indications of whether the company has two-factor authentication enabled for each particular service.

So an administrator or security specialist in an organization who is interested in getting a handle on the kinds and number of remote-access services that are running on his network can enter any domains and subdomains he chooses into the search box and quickly get a list of them.

“VPN Hunter discovers and classifies SSL VPNs from top vendors including Juniper, Cisco, Palo Alto, Citrix, Fortinet, F5, SonicWALL, Barracuda, Microsoft, and Array. VPN Hunter will also attempt to detect whether two-factor authentication is enabled on the target SSL VPNs,” the site says.

It’s not just VPNs that the system looks for, however. VPN Hunter also can find other systems like Outlook Web Access webmail portals, extranet portals and other remotely accessible services. Jon Oberheide, one of the founders of Duo Security, said that the company hasn’t done any large-scale scanning of domains to see which services typically are running, but that kind of scan may be in the plans for the near future.