11.2 Attacking IPsec VPNs

To fully assess the security of an IPsec VPN, as with any target network or system, you need to perform enumeration, initial testing, investigation, and exploitation. Here I discuss how to enumerate, probe, and investigate vulnerable IPsec VPN components efficiently. If you have access to the wire, there are a number of complex man in the middle (MITM) and sniffing attacks that can be launched to compromise IPsec VPN tunnels; however, these attacks lie outside of the scope of this book.

11.2.1 IPsec Enumeration

ipsecscan is a Win32 command-line utility that can identify IPsec enabled devices and hosts; it's available at http://ntsecurity.nu/toolbox/ipsecscan/.[1]

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

Example 11-1 shows ipsecscan in action, scanning from to for IPsec support.

Example 11-1. ipsecscan in use to identify IPsec enabled devices
D:\> ipsecscan

IPSecScan 1.1  - (c) 2001, Arne Vidstrom, arne.vidstrom@ntsecurity.nu

               - http://ntsecurity.nu/toolbox/ipsecscan/ IPSec status: Indeterminable IPSec status: Indeterminable IPSec status: Enabled IPSec status: Indeterminable IPSec status: Indeterminable IPSec status: Enabled IPSec status: Indeterminable IPSec status: Indeterminable IPSec status: Indeterminable IPSec status: Indeterminable

You can also use nmap to identify the ISAKMP service on UDP port 500. After identifying accessible ISAKMP services, you can probe and investigate these services to fingerprint and identify them.

11.2.2 Initial ISAKMP Service Probing

You can use Roy Hills' ike-scan to fingerprint the ISAKMP service and derive the software package of which it is a part. ike-scan is available for download at http://www.nta-monitor.com/ike-scan.

Example 11-2 shows ike-scan being used against the two IP addresses found in the previous example that support IPsec, identifying them as NetScreen and Cisco devices.

Example 11-2. ike-scan in use to fingerprint the service
# ike-scan --showbackoff

Starting ike-scan 1.4 (http://www.nta-monitor.com/ike-scan/)    IKE Main Mode Handshake returned (1 transforms)    IKE Main Mode Handshake returned (1 transforms)

IKE Backoff Patterns:

IP Address  No.     Recv time               Delta Time    1       1065942743.329658       0.000000    2       1065942747.314266       3.984608    3       1065942751.307847       3.993581    4       1065942755.301361       3.993514    5       1065942759.294996       3.993635    6       1065942763.291496       3.996500    7       1065942767.282147       3.990651    8       1065942771.275722       3.993575    9       1065942775.269286       3.993564    10      1065942779.262847       3.993561    11      1065942783.253430       3.990583    12      1065942787.243944       3.990514    Implementation guess: netscreen

IKE Backoff Patterns:

IP Address  No.     Recv time               Delta Time    1       1042797937.070152       0.000000    2       1042797952.061102       14.990950    3       1042797967.064137       15.003035    Implementation guess: Cisco IOS / PIX

Ending ike-scan 1.4: 2 hosts scanned.  2 returned handshake;

0 returned notify

11.2.3 Investigating Known ISAKMP and IKE Weaknesses

You can identify ISAKMP and IKE security issues (such as denial-of-service conditions) if you know the type of device or host you have access to. Table 11-1 shows a number of serious remotely exploitable issues with these protocols, as listed in the ISS X-Force vulnerability database at http://xforce.iss.net.

Table 11-1. Remotely exploitable IKE and ISAKMP vulnerabilities






Check Point IKE buffer overflow



Check Point IKE aggressive mode user enumeration



Cisco VPN 3000 malformed ISAKMP packet denial of service



Multiple vendor IKE response handling buffer overflow



Cisco VPN Client IKE packet payload buffer overflow



Cisco VPN Client IKE packet long SPI buffer overflow

At the time of writing, one issue not listed in the X-Force list is SecurityFocus BID 8964, which covers multiple OpenBSD isakmpd IKE payload handling weaknesses. This highlights the fact that you can't rely on a single source for current vulnerability information.

The most serious ISAKMP and IKE security issues arise from poor configuration. One very serious remotely exploitable issue arises when a VPN gateway is configured with aggressive mode IKE support, and preshared keys are used as an authentication mechanism. The associated attack is known as aggressive mode IKE PSK cracking.

11.2.4 Aggressive Mode IKE PSK Cracking

Remote users who require remote access to internal network resources often use a preshared key (PSK) to authenticate. A serious flaw exists in IPsec, which can be exploited if a VPN gateway supports aggressive mode IKE, and a PSK is used to provide authentication.

A remote attacker can attempt to authenticate using aggressive mode IKE and obtain a hashed authentication response from the gateway. When using main mode IKE, this authentication response is protected using a Diffie-Hellman shared secret, but aggressive mode doesn't provide any protection. If a PSK is in use (as opposed to digital signatures or public key encryption), the aggressive mode IKE authentication response is the PSK hashed using MD5 or SHA1. This hash can be attacked offline, and the PSK compromised.

Michael Thumann has written an excellent Win32 utility called ikeprobe, which you can use to force a target VPN gateway into using aggressive mode IKE and obtain the encrypted authentication hash. You can sniff and crack the hash using a tool such as Cain & Abel (http://www.oxid.it/cain.html), which can crack both MD5 and SHA1 PSK hashes. You can download ikeprobe at http://www.ernw.de/download/ikeprobe.zip.

Example 11-3 shows ikeprobe in use against a Cisco PIX firewall at The tool attempts to use a number of combinations of ciphers, hashes, and Diffie-Hellman groups to solicit an aggressive mode IKE response containing the hashed PSK.

Example 11-3. Probing to obtain the PSK hash
D:\ikeprobe> ikeprobe

IKEProbe 0.1beta   (c) 2003 Michael Thumann (www.ernw.de)

Portions Copyright (c) 2003 Cipherica Labs (www.cipherica.com)

Read license-cipherica.txt for LibIKE License Information

IKE Aggressive Mode PSK Vulnerability Scanner (Bugtraq ID 7423)

Supported Attributes

Ciphers              : DES, 3DES, AES-128, CAST

Hashes               : MD5, SHA1

Diffie Hellman Groups: DH Groups 1,2 and 5

IKE Proposal for Peer:

Aggressive Mode activated ...

Attribute Settings:

Cipher DES

Hash SHA1

Diffie Hellman Group 1

  0.000 3: ph1_initiated(00443ee0, 007d45b0)

  0.016 3: << ph1 (00443ee0, 244)

  2.016 3: << ph1 (00443ee0, 244)

  5.016 3: << ph1 (00443ee0, 244)

  8.016 3: ph1_disposed(00443ee0)

As this process is running, use Cain & Abel to sniff for, and crack, IKE PSK hashes. IKECrack (http://ikecrack.sourceforge.net/) is a very similar tool for use in Unix environments, but it can crack only MD5 hashes at the time of writing. Figure 11-3 shows Cain & Abel sniffing and cracking the PSK hash from the wire, as ikeprobe is run. In the figure, the preshared key is cisco.

Figure 11-3. Cain & Abel attacks the PSK authentication hash

After compromising the PSK, you can use PGPnet or similar IPsec VPN client software to establish a VPN tunnel and assess the amount of internal network access granted. Michael Thumann has written an excellent step-by-step guide for configuring PGPnet after compromising the PSK; it's available as part of his PSK attack paper and is downloadable at http://www.ernw.de/download/pskattack.pdf.