Assorted Pen Test Scripts / ikeVPNmodes.sh

In this article, I would like to help fellow cybersecurity experts by providing them with pen test scripts.

I have created a new GitHub repository for my random pen test scripts to speed up pen testing. The pen test scripts repository can be found here.

At the moment I have only added one script; it is a simple bash handler that takes an existing tool a bit further…

That tool is called ikescan and my script can be used to enumerate the modes that are available on a particular IKE VPN. In particular, this is useful when trying to discover aggressive mode VPNs…

IKE scan handler script is here.

VPN Pen Test with ikescan enumeration script

Internet Key Exchange (IKE) is the key exchange and authentication protocol used by IPsec. Most modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange. ikescan constructs and sends IKE Phase-1 packets to the specified hosts and displays any responses it receives.

With ikescan you can test VPNs and find vulnerable configurations.

What does ikescan do?

Discovery: Find out which hosts are running IKE. It does this by reporting the hosts that respond to IKE requests.

Fingerprinting: Determine which IKE implementation the hosts are using. You can accomplish this in one of two ways:

a) Backoff fingerprinting: This involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns.

b) Vendor ID fingerprinting: This compares the Vendor ID payloads sent by the VPN servers against known Vendor ID patterns.

Transform Enumeration: Find which IKE Phase-1 transform attributes the VPN server supports (e.g. encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group).

User Enumeration: For some VPN systems, discover valid VPN usernames.

Pre-Shared Key Cracking: Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses the tool to obtain the hash and other parameters, and psk-crack (which is part of the package) to perform the cracking.

What does ikescan handler script do?

The handler script takes the ikescan tool and attempts to connect to the target VPN with every known transform configuration, in order to determine which options the gateway accepts. This process is known as enumeration.
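As an added example of the approach the handler takes (this is not the author's ikeVPNmodes.sh), the POSIX shell script below drives ike-scan across every combination of the transform lists, in both main and aggressive mode, so you can confirm which Phase-1 proposals a gateway you administer still accepts. The ike-scan options --trans, --aggressive and --id and its "N returned handshake" summary line are the real tool's; the transform value lists and the vpntest group ID are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the author's ikeVPNmodes.sh): probe a gateway you
# administer with every Phase-1 transform in the lists below, in main and
# aggressive mode, to confirm which proposals it still accepts.
# Assumes ike-scan is on PATH; its default source port 500 needs root.

ENCS="1 5 7/128 7/256"    # 1=DES 5=3DES 7/n=AES with an n-bit key
HASHES="1 2"              # 1=MD5 2=SHA1
AUTHS="1 3 65001"         # 1=PSK 3=RSA signature 65001=XAUTH+PSK
DH_GROUPS="1 2 5 14"      # Diffie-Hellman groups (assumed test set)
IKE_ID=${IKE_ID:-vpntest} # group/ID for aggressive mode (placeholder)

# Print every enc,hash,auth,group combination in ike-scan --trans syntax.
ike_transforms() {
    for e in $ENCS; do for h in $HASHES; do
    for a in $AUTHS; do for g in $DH_GROUPS; do
        printf '%s,%s,%s,%s\n' "$e" "$h" "$a" "$g"
    done; done; done; done
}

# Pull the "N returned handshake" count out of ike-scan's summary line;
# 0 when the line is absent (no answer, notify only, or an error).
handshake_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/.* \([0-9][0-9]*\) returned handshake.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Send one proposal and report it when the gateway answers with a handshake.
probe_transform() {
    target=$1; trans=$2; mode=$3
    if [ "$mode" = aggressive ]; then
        out=$(ike-scan --aggressive --id="$IKE_ID" --trans="$trans" "$target" 2>/dev/null) || true
    else
        out=$(ike-scan --trans="$trans" "$target" 2>/dev/null) || true
    fi
    if [ "$(handshake_count "$out")" -gt 0 ]; then
        printf '%s\t%s\tACCEPTED\n' "$mode" "$trans"
    fi
}

# Walk every transform in both exchange modes. Accepted DES/MD5/group 1
# proposals and any accepted aggressive-mode PSK proposal are findings.
scan_modes() {
    for mode in main aggressive; do
        for t in $(ike_transforms); do
            probe_transform "$1" "$t" "$mode"
        done
    done
}
if [ $# -ge 1 ]; then scan_modes "$1"; fi
```

Run it as `sh ikemodes.sh <gateway>`; each accepted proposal is printed as one tab-separated line (mode, transform, ACCEPTED).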
