IPSec

IP Security

IKE

Get Transform Set

Using ikeforce.py:

$ sudo python ikeforce.py 10.10.13.37 -a

Using ike-scan via brute force. Generate list of all transform-sets:

$ for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "$ENC,$HASH,$AUTH,$GROUP" >> trans-dict.txt; done; done; done; done

Brute force supported transform-sets:

$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M --trans=$t 10.10.13.37) |grep -B14 "1 returned handshake" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or (for aggressive mode)
$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M -A -P'handshake.txt' -n FAKEID --trans=$t 10.10.13.37) |grep -B7 "SA=" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or
$ sudo python ikeforce.py -s1 -a 10.10.13.37  # -s1 for max speed

Get Vendor Info

Get information about vendor:

$ sudo ike-scan -M --showbackoff [--trans=<TRANSFORM-SET>] 10.10.13.37

Test for Aggressive Mode

Test for aggressive mode ON:

$ sudo ike-scan -M -A -P -n FAKEID [--trans=<TRANSFORM-SET>] 10.10.13.37

Brute Force Group ID

If no hash value is returned then brute force is (maybe also) possible:

$ while read id; do (echo "[+] Valid ID: $id" && sudo ike-scan -M -A -n $id --trans=<TRANSFORM-SET> 10.10.13.37) | grep -B14 "1 returned handshake" | grep "Valid ID" |tee -a group-id.txt; done < dict.txt
Or
$ sudo python ikeforce.py 10.10.13.37 -e -w wordlists/groupnames.dic -t <TRANSFORM-SET-IN-SEPARATE-ARGS>

Dictionaries:

/usr/share/seclists/Miscellaneous/ike-groupid.txt
~/tools/ikeforce/wordlists/groupnames.dic

Last updated 4 years ago

hashtagIKE

hashtagGet Transform Set

hashtagGet Vendor Info

hashtagTest for Aggressive Mode

hashtagBrute Force Group ID

IKE

Get Transform Set

Get Vendor Info

Test for Aggressive Mode

Brute Force Group ID