During penetration tests we often encounter VPN endpoints. Finding loopholes in those endpoints and exploiting them is not a very popular method, but it is very effective. VPN endpoints use the Internet Key Exchange (IKE) protocol to set up a security association between peers and establish a VPN tunnel. What does ike-scan do here? ike-scan determines which hosts are running IKE: it sends IKE requests and displays the hosts that respond to them.
You can also download it directly from GitHub: https://github.com/royhills/ike-scan.
To understand this method we need to learn how IKE works. In simple words, IKE has two phases: phase 1 sets up and establishes a secure, authenticated communication channel, and phase 2 negotiates the IPsec security associations used to encrypt and transport the data.
Our focus here is phase 1, which uses two modes of exchanging keys:
- Main Mode
- Aggressive Mode
Let's start
For this we need the tools ike-scan and ikeprobe. First we update our Kali Linux system using the following command:
Then we install ike-scan by cloning the GitHub repository:
After downloading ike-scan we need to configure it; follow these steps:
- Browse to the directory where ike-scan is installed.
- Install autoconf by running the following command:
- Run the following command to generate a .configure file:
- Then run the following command:
- Run the following command to build the project:
- Then run the following command to verify the build:
- Run the following command to install ike-scan:
- To scan a host for an aggressive mode handshake, use the following commands:
Here x.x.x.x is the target's IP address.
The following screenshot shows the output of the preceding command:
- Sometimes we will only see a response after providing a valid group name (for example, vpn):
We can even brute force the group names using the following script:
https://github.com/SpiderLabs/groupenum.
The command, where -b is brute force mode and the length is 5:
Cracking the PSK
psk-crack attempts to crack the IKE aggressive mode pre-shared keys (PSKs) from the hashes we collect with ike-scan.
To learn how to crack them, follow these steps:
- Adding the -p flag to the ike-scan command shows a response containing the captured hash.
- To save the hash, we provide a filename along with the -p flag.
- Next we run psk-crack with the following command:
- To use a dictionary-based attack, we use the following command:
The following screenshot shows the output of the preceding command:
How it works
In aggressive mode the authentication hash is transmitted in response to the packet from the VPN client that tries to establish an IPsec tunnel. This hash is not encrypted, which allows us to capture it and run a brute force attack against it to recover the PSK.
This is not possible in main mode, which sends the hash encrypted and uses a six-way handshake, whereas aggressive mode uses only a three-way handshake. On the defensive side, disabling aggressive mode for PSK-authenticated peers (or moving to certificate authentication) removes the exposure entirely; a long, random PSK only makes the offline attack slower.
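As an added example (not code from the original post), the following Python parses the IKEv1 (ISAKMP) header, reads the cleartext KEY_ID identity that aggressive mode exposes, and flags hosts that repeatedly send aggressive mode requests to UDP 500 with different group names, which is what a monitor would use to spot the ike-scan/groupenum probing described above. The packets and addresses are constructed inline; `build_ike_request` is a minimal helper for the sample data, not a full IKE implementation.

```python
import struct

# ISAKMP (RFC 2408) exchange types: 2 is Main Mode, 4 is Aggressive Mode.
EXCHANGE_TYPES = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive", 5: "informational"}
ID_PAYLOAD, ID_KEY_ID = 5, 11   # payload type 5 = Identification; ID type 11 = KEY_ID (the group name)
ENCRYPTED_FLAG = 0x01           # header flag bit: the payloads after the header are encrypted

def parse_isakmp(datagram):
    """Return (exchange_mode, cleartext_group_id_or_None) for one IKEv1 datagram, None if malformed."""
    if len(datagram) < 28:
        return None
    _ic, _rc, nxt, version, exch, flags, _mid, length = struct.unpack("!8s8sBBBBII", datagram[:28])
    if version >> 4 != 1 or length != len(datagram):
        return None
    group_id, offset = None, 28
    while nxt != 0 and offset + 4 <= len(datagram):
        following, _res, plen = struct.unpack("!BBH", datagram[offset:offset + 4])
        if plen < 4 or offset + plen > len(datagram):
            return None
        # In Aggressive Mode the ID payload is sent unencrypted, so the group name is readable here.
        if nxt == ID_PAYLOAD and not flags & ENCRYPTED_FLAG and datagram[offset + 4] == ID_KEY_ID:
            group_id = datagram[offset + 8:offset + plen]   # skip ID type (1) + DOI-specific (3)
        nxt, offset = following, offset + plen
    return EXCHANGE_TYPES.get(exch, str(exch)), group_id

def detect_aggressive_probes(records, threshold=3):
    """records: iterable of (src_ip, udp_dport, datagram). Returns {src_ip: sorted group names} for
    sources sending >= threshold Aggressive Mode requests to UDP 500 (ike-scan / group-name guessing)."""
    seen = {}
    for src, dport, datagram in records:
        parsed = parse_isakmp(datagram) if dport == 500 else None
        if parsed and parsed[0] == "aggressive":
            seen.setdefault(src, []).append((parsed[1] or b"").decode("latin-1"))
    return {src: sorted(set(ids)) for src, ids in seen.items() if len(ids) >= threshold}

def build_ike_request(exchange_type, group_id=None):
    """Constructed sample packet (not a real capture): ISAKMP header plus an optional cleartext ID payload."""
    payloads, first = b"", 0
    if group_id is not None:
        body = bytes([ID_KEY_ID, 0, 0, 0]) + group_id                 # ID type, 3 DOI bytes, data
        payloads, first = struct.pack("!BBH", 0, 0, 4 + len(body)) + body, ID_PAYLOAD
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange_type, 0, 0, 28 + len(payloads))
    return header + payloads

# Constructed traffic: one Main Mode client, one real Aggressive Mode client, one host cycling group names.
SAMPLE_RECORDS = [("10.0.0.5", 500, build_ike_request(2)), ("10.0.0.7", 500, build_ike_request(4, b"vpn"))]
SAMPLE_RECORDS += [("10.0.0.9", 500, build_ike_request(4, g)) for g in (b"vpn", b"admin", b"corp", b"guest")]
```

Running `detect_aggressive_probes(SAMPLE_RECORDS)` reports only 10.0.0.9 with the four group names it tried; a single aggressive mode client stays below the threshold.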