
Test your IPSEC VPN Systems with ike-scan

I found a nice tool today: ike-scan via another blog.

ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

The documentation also gives a nice introduction to the IPSEC protocol. I installed the tool on a box and performed some tests:

# ./ike-scan x.x.x.x
Starting ike-scan 1.9 with 1 hosts \
(http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x	Main Mode Handshake returned HDR=(CKY-R=ef37b97f6fa8f857) \
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 \
LifeType=Seconds LifeDuration(4)=0x00007080) VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4925b9df0000000018000000 (Firewall-1 NGX)

Ending ike-scan 1.9: 1 hosts scanned in 0.087 seconds \
(11.47 hosts/sec).  1 returned handshake; 0 returned notify

There are plenty of options to change the way tests are performed. It’s also possible to use the IKE aggressive mode (not supported/configured on all IPSEC systems):

# ./ike-scan --aggressive --multiline --id johndoe x.x.x.x
Starting ike-scan 1.9 with 1 hosts \
(http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x	Aggressive Mode Handshake returned
	HDR=(CKY-R=238dc8a43b8bc064)
	SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK \
LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(20 bytes)
	ID(Type=ID_IPV4_ADDR, Value=213.189.190.3)
	Hash(16 bytes)
	VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
	VID=d64a6fb93b8ac0640f54a5e3c829ac04
	VID=1f07f70eaa6514d3b0fa96542a500407 (Cisco VPN Concentrator)

Ending ike-scan 1.9: 1 hosts scanned in 0.446 seconds \
(2.24 hosts/sec).  1 returned handshake; 0 returned notify

Using the --pskcrack flag, it’s possible to save the aggressive mode pre-shared key hash. Then, another tool (psk-crack) is available to recover the key (using a dictionary attack). This is exactly why aggressive mode with PSK authentication is worth disabling, or at least backing with a long random key, on any gateway that answers such a scan.
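To turn scans of your own gateways into a checklist, here is an added Python example (not part of the original post or of ike-scan itself) that parses ike-scan result lines, in both the default one-line form and the --multiline form shown above, and flags the Phase-1 settings a VPN owner would want to change: aggressive mode with PSK, MD5, 3DES and DH group 2. The sample output and its addresses are constructed.

```python
import re
# Constructed sample in ike-scan 1.9 output format (not a real scan; RFC 5737 addresses):
# host 1 in the default one-line form, host 2 as printed with --multiline.
SAMPLE_OUTPUT = (
    "192.0.2.1\tMain Mode Handshake returned HDR=(CKY-R=ef37b97f6fa8f857) "
    "SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds "
    "LifeDuration(4)=0x00007080) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)\n"
    "192.0.2.2\tAggressive Mode Handshake returned\n"
    "\tHDR=(CKY-R=238dc8a43b8bc064)\n"
    "\tSA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)\n"
    "\tVID=09002689dfd6b712 (XAUTH)\n"
    "Ending ike-scan 1.9: 2 hosts scanned in 0.446 seconds (4.48 hosts/sec).  2 returned handshake\n"
)
HOST_RE = re.compile(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned(.*)$")
# Lazy match ending at a ')' followed by whitespace/end, so LifeDuration(4)=... stays inside.
SA_RE = re.compile(r"SA=\((.*?)\)(?=\s|$)")

def parse_ike_scan(output):
    """One record per responding host; indented --multiline continuation lines are folded in."""
    records = []
    for raw in output.splitlines():
        if raw[:1] in (" ", "\t") and records:  # continuation of the previous host
            records[-1]["text"] += " " + raw.strip()
        elif m := HOST_RE.match(raw):  # banner/summary lines simply do not match
            records.append({"host": m.group(1), "mode": m.group(2), "text": m.group(3)})
    return records

def sa_fields(text):
    """Dict of the key=value pairs inside SA=( ... ); LifeDuration(4) is normalised to LifeDuration."""
    if not (m := SA_RE.search(text)):
        return {}
    pairs = (tok.partition("=") for tok in m.group(1).split())
    return {re.sub(r"\(\d+\)$", "", k): v for k, sep, v in pairs if sep}

def assess(fields, mode):
    """Flag the Phase-1 settings a VPN owner should tighten, in a fixed order."""
    findings = []
    if mode == "Aggressive" and fields.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: responder hash is exposed to an offline dictionary attack")
    if fields.get("Hash") == "MD5":
        findings.append("MD5 hash algorithm")
    if fields.get("Enc") in ("DES", "3DES"):
        findings.append("legacy cipher " + fields["Enc"])
    if fields.get("Group") in ("1:modp768", "2:modp1024"):
        findings.append("small DH group " + fields["Group"])
    return findings

def audit(output):
    # Map each responding host to its findings (an empty list means nothing was flagged).
    return {r["host"]: assess(sa_fields(r["text"]), r["mode"]) for r in parse_ike_scan(output)}
```

Feed it the saved output of a scan of your own gateways (for example `audit(open("scan.txt").read())`) and any host with a non-empty list needs attention.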
