Often during a pentest we may encounter VPN endpoints. However, finding vulnerabilities in those endpoints and exploiting them is not a well known method. VPN endpoints use Internet Key Exchange (IKE) protocol to set up a security association between multiple clients to establish a VPN tunnel.

IKE has two phases, phase 1 is responsible for setting up and establishing secure authenticated communication channel, and phase 2 encrypts and transports data.

Our focus of interest here would be phase 1; it uses two methods of exchanging keys:

• Main mode
• Aggressive mode

We will hunt for aggressive mode enabled VPN endpoints using PSK authentication.

For this recipe we will use the tools ike-scan and ikeprobe. First we install ike-scan by cloning the git repository:

git clone https://github.com/royhills/ike-scan.git

Or you can use the following URL to download it from https://github.com/royhills/ike-scan.

To configure ike-scan follow the given steps:

1. Browse to the directory where ike-scan is installed.
2. Install autoconf by running the following command:

        apt-get install autoconf

3. Run autoreconf --install to generate a .configure file.
4. Run ./configure.
5. Run make to build the project.
6. Run make check to verify the building stage.
7. Run make install to install ike-scan.
8. To scan a host for an aggressive mode handshake, use the following commands:

        ike-scan x.x.x.x -M -A

The following screenshot shows the output for the preceding command:

9. Sometimes we will see the response after providing a valid group name like (vpn):

        ike-scan x.x.x.x -M -A id=vpn

The following screenshot shows the example of the preceding command:

To learn how to crack the PSK follow the given steps:

1. Adding a -P flag in the ike-scan command it will show a response with the captured hash.
2. To save the hash we provide a filename along with the -P flag.
3. Next we can use the psk-crack with the following command:

        psk-crack -b 5 /path/to/pskkey

4. Where -b is brute force mode and length is 5.
5. To use a dictionary based attack we use the following command:

        psk-crack -d /path/to/dictionary /path/to/pskkey

The following screenshot shows the output for the preceding command:

In aggressive mode the authentication hash is transmitted as a response to the packet of the VPN client that tries to establish a connection Tunnel (IPSEC). This hash is not encrypted and hence it allows us to capture the hash and perform a brute force attack against it to recover our PSK.

This is not possible in main mode as it uses an encrypted hash along with a six way handshake, whereas aggressive mode uses only three way.