VPN's ike-scan

During a penetration test we often encounter VPN endpoints. Finding weaknesses in those endpoints and exploiting them is not a widely used method, but it is very effective. VPN endpoints use the Internet Key Exchange (IKE) protocol to set up a security association between clients and establish a VPN tunnel. What does ike-scan do here? ike-scan determines which hosts are running IKE by sending IKE requests and displaying the hosts that respond to them. The available options are listed with:
ike-scan -h

To understand this method we need to learn how IKE works. In simple terms, IKE has two phases: phase 1 sets up and establishes a secure, authenticated communication channel, and phase 2 negotiates the keys used to encrypt and transport the data.

Our focus here is phase 1; it offers two modes of exchanging keys:
  • Main Mode
  • Aggressive Mode
We will hunt for VPN endpoints that have aggressive mode enabled and use PSK authentication.

Let's Start

For this we need the tools ike-scan and ikeprobe. First we update our Kali Linux system with the following command:
apt-get update && apt-get upgrade
Then we install ike-scan by cloning the GitHub repository:
git clone https://github.com/royhills/ike-scan.git
Or, as you know, you can download it directly from GitHub at https://github.com/royhills/ike-scan.

After downloading ike-scan we need to configure and build it; follow these steps:

  • Browse to the directory where ike-scan was cloned.
  • Install autoconf by running the following command:
apt-get install autoconf

  • Run

autoreconf --install
to generate the configure script.

  • Then run

./configure
to generate the Makefile.

  • Run

make
to build the project.

  • And then run the following command

make check
to verify the build.

  • Run

make install
to install ike-scan.

  • To scan a host for an aggressive mode handshake, use the following command:

ike-scan x.x.x.x -M -A
Here x.x.x.x is the target's IP address.

The following screenshot shows the output of the preceding command:

  • Sometimes we only see a response after providing a valid group name (for example, vpn):

ike-scan x.x.x.x -M -A --id=vpn
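The per-host result lines that ike-scan prints can be turned into an audit report of which gateways still accept aggressive mode. The following Python script is an added example, not code from the original post or from the ike-scan project: it parses sample output constructed in the shape ike-scan uses for hosts that returned a handshake ("<host><tab><Mode> Mode Handshake returned ... SA=(...)"), and flags hosts that accept aggressive mode with PSK authentication (the responder hash is exposed to offline cracking), weak Diffie-Hellman groups and weak ciphers. The sample lines, the addresses in them and the thresholds (DH group below 14, DES/3DES) are assumptions made for the demo.

```python
import re

# Constructed sample of ike-scan output (not a real scan). The host lines mirror
# the shape ike-scan prints: "<host>\t<Mode> Mode Handshake returned ... SA=(...) ...".
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9 with 3 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.0.2.10\tAggressive Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=192.0.2.10) Hash(20 bytes)
192.0.2.11\tMain Mode Handshake returned HDR=(CKY-R=fedcba9876543210) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.0.2.12\tAggressive Mode Handshake returned HDR=(CKY-R=0011223344556677) SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes)
Ending ike-scan 1.9: 3 hosts scanned in 0.123 seconds (24.39 hosts/sec).  2 returned handshake; 0 returned notify
"""

# One result line per responding host; the rest of the output is skipped.
HOST_RE = re.compile(r"^(\S+)\t(Aggressive|Main) Mode Handshake returned (.*)$")
# The accepted transform is printed as SA=(Key=Value Key=Value ...).
SA_RE = re.compile(r"SA=\(([^)]*)\)")

# Audit thresholds: assumptions for this demo, adjust to local policy.
WEAK_CIPHERS = {"DES", "3DES"}
MIN_DH_GROUP = 14


def parse_ike_scan(text):
    """Return a list of {host, mode, sa} dicts, one per host that returned a handshake."""
    findings = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, mode, rest = m.groups()
        sa = {}
        sm = SA_RE.search(rest)
        if sm:
            for token in sm.group(1).split():
                key, _, value = token.partition("=")
                sa[key] = value
        findings.append({"host": host, "mode": mode, "sa": sa})
    return findings


def audit(text):
    """Map each responding host to a list of issues a VPN owner would want fixed."""
    report = {}
    for entry in parse_ike_scan(text):
        issues = []
        sa = entry["sa"]
        if entry["mode"] == "Aggressive":
            issues.append("aggressive mode accepted")
            if sa.get("Auth") == "PSK":
                issues.append("PSK over aggressive mode: responder hash recoverable offline")
        # Group is printed as "<number>:<name>", e.g. "2:modp1024".
        try:
            group_num = int(sa.get("Group", "").split(":")[0])
        except ValueError:
            group_num = None
        if group_num is not None and group_num < MIN_DH_GROUP:
            issues.append(f"weak DH group {group_num}")
        if sa.get("Enc") in WEAK_CIPHERS:
            issues.append(f"weak cipher {sa['Enc']}")
        report[entry["host"]] = issues
    return report


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_OUTPUT).items():
        print(host, "->", "; ".join(issues) if issues else "no findings")
```

Feed the script the saved output of a real run (ike-scan with -M prints one attribute per line, so omit -M or join the lines first) and the report lists exactly the hosts that need aggressive mode disabled or their PSK replaced by certificate authentication.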

We can even brute force the group names using the following script:

The command:
./dt_group_enum.sh x.x.x.x groupnames.dic

Cracking the PSK

psk-crack attempts to crack the IKE aggressive mode Pre-Shared Keys (PSKs) whose parameters we collect with ike-scan.

To crack the key, follow these steps:
  • Adding the -P flag to the ike-scan command shows the captured hash in the response.
  • To save the hash, we provide a filename along with the -P flag.
  • Next we can run psk-crack with the following command:
psk-crack -b 5 /path/to/pskkey
where -b selects brute force mode and 5 is the maximum key length to try.

  • To use a dictionary based attack, we use the following command:

psk-crack -d /path/to/dictionary /path/to/pskkey
The following screenshot shows the output of the preceding command:

How it works

In aggressive mode the responder's authentication hash is transmitted in the clear, in the reply to the first packet of the VPN client that tries to establish an IPsec tunnel. Because this hash is not encrypted, we can capture it and perform an offline brute force attack against it to recover the PSK.

This is not possible in main mode, which sends the hash encrypted and uses a six-message handshake, whereas aggressive mode uses only three messages.
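The difference between the two modes described above is visible on the wire in the ISAKMP header and the payload chain that follows it, which is what a network monitor inspects to spot aggressive mode in use. The following Python script is an added example, not code from the original post or from ike-scan: it parses the fixed 28-byte ISAKMP header (RFC 2408), walks the payload chain of unencrypted messages, and raises an alert when an aggressive-mode message carries its ID and HASH payloads in the clear, the situation the section above describes; an encrypted main-mode message is left opaque and produces no alert. The two datagrams are constructed by the script for the demo and are not captured traffic; the cookie values in them are arbitrary.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes
EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
# Payload type numbers used below (RFC 2408 section 3.1).
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_HASH, PAYLOAD_NONCE = 1, 4, 5, 8, 10
FLAG_ENCRYPTION = 0x01  # E bit: everything after the header is encrypted


def parse_isakmp_header(data):
    """Decode the fixed header; reject datagrams whose length field lies."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    cky_i, cky_r, nxt, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    return {"cky_i": cky_i.hex(), "cky_r": cky_r.hex(), "next_payload": nxt,
            "version": (version >> 4, version & 0x0F), "exchange_type": exch,
            "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msg_id,
            "length": length}


def walk_payloads(data, first_type):
    """Follow the generic payload headers (next, reserved, length) and list the types."""
    types, off, ptype = [], ISAKMP_HDR.size, first_type
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        types.append(ptype)
        off += plen
        ptype = nxt
    return types


def analyse(data):
    """Classify one IKEv1 datagram and return monitoring alerts for it."""
    hdr = parse_isakmp_header(data)
    # Under the E flag the payloads are ciphertext, so the chain cannot be walked.
    types = [] if hdr["encrypted"] else walk_payloads(data, hdr["next_payload"])
    alerts = []
    if hdr["exchange_type"] == EXCH_AGGRESSIVE:
        alerts.append("IKEv1 aggressive mode exchange")
        if PAYLOAD_ID in types and PAYLOAD_HASH in types:
            alerts.append("identity and authentication hash sent unencrypted")
    return {"header": hdr, "payload_types": types, "alerts": alerts}


def build_message(exchange_type, payloads, flags=0):
    """Construct a demo datagram (not a real capture) from (type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange_type,
                          flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed aggressive mode message 2 (responder): SA, KE, Nr, IDr, HASH_R in the clear.
AGGRESSIVE_MSG2 = build_message(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, b"\x00" * 12), (PAYLOAD_KE, b"\xaa" * 128), (PAYLOAD_NONCE, b"\xbb" * 20),
    (PAYLOAD_ID, b"\x01\x00\x00\x00\xc0\x00\x02\x0a"), (PAYLOAD_HASH, b"\xcc" * 20)])
# Constructed main mode message 6: ID and HASH are present but under the E flag.
MAIN_MSG6 = build_message(EXCH_MAIN, [(PAYLOAD_ID, b"\xdd" * 8), (PAYLOAD_HASH, b"\xee" * 20)],
                          flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, msg in (("aggressive msg2", AGGRESSIVE_MSG2), ("main msg6", MAIN_MSG6)):
        result = analyse(msg)
        print(name, result["header"]["exchange_name"], result["payload_types"], result["alerts"])
```

Pointed at UDP/500 datagrams from a capture, the second alert fires exactly on the message that carries the hash psk-crack works on, which makes it a useful signal for checking that aggressive mode really has been disabled on a gateway after remediation.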