During a pentest, we may encounter VPN endpoints. However, finding vulnerabilities in those endpoints and exploiting them is not a well-known method. VPN endpoints use the Internet Key Exchange (IKE) protocol to set up a security association between multiple clients to establish a VPN tunnel.

IKE has two phases. Phase 1 is responsible for setting up and establishing a secure authenticated communication channel. Phase 2 encrypts and transports data.

Our focus of interest here is Phase 1. It uses two methods of exchanging keys:

• Main mode
• Aggressive mode

We hunt for Aggressive-mode-enabled VPN endpoints using PSK authentication.

For this recipe, we will use the ike-scan and ikeprobe tools. First, we install ike-scan by cloning the Git repository:

git clone https://github.com/royhills/ike-scan.git

Or, you can use the following URL: https://github.com/royhills/ike-scan.

1. Browse to the directory where ike-scan is installed.
2. Install autoconf by running the following command:

apt-get install autoconf

3. Run autoreconf --install to generate a .configure file.
4. Run ./configure.
5. Run make to build the project.
6. Run make check to verify the building stage.
7. Run make install to install ike-scan.
8. To scan a host for an Aggressive mode handshake, use the following command:

   ike-scan x.x.x.x –M -A

The following screenshot shows the output of the preceding command:

9. Sometimes, we will see the response after providing a valid group name such as vpn:

ike-scan x.x.x.x –M –A id=vpn

10. To view the list of all available options, we can run the following command:

ike-scan -h 

The following screenshot shows the output of the preceding command:

1. Adding a –P flag in the ike-scan command will show a response with the captured hash.
2. To save the hash, we provide a filename along with the –P flag.
3. Next, we can use psk-crack with the following command:

psk-crack –b 5 /path/to/pskkey

-b is brute force mode and length is 5.

4. To use a dictionary-based attack, we use the following command with -d flag to input the dictionary file:

psk-crack –d /path/to/dictionary /path/to/pskkey

The following screenshot shows the output of the preceding command:

In Aggressive mode, the authentication hash is transmitted as a response to the packet of the VPN client that tries to establish a connection tunnel (IPSec). This hash is not encrypted and hence it allows us to capture the hash and perform a brute force attack against it to recover our PSK.

This is not possible in Main mode, as it uses an encrypted hash along with a 6-way handshake, whereas Aggressive mode uses only a 3-way handshake.