
Aggressive Mode VPN — IKE-Scan, PSK-Crack, and Cain vpn crack

October 2nd, 2012 baoz

There hasn't been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

Detection: running ike-scan -A ip is enough to tell whether the server supports Aggressive mode.

If you have no idea what I'm talking about, go read this:
http://www.sersc.org/journals/IJAST/vol8/2.pdf and

In IKE Aggressive mode, the authentication hash based on a pre-shared key (PSK) is transmitted in the response to the initial packet of a VPN client that wants to establish an IPsec tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets with a sniffer such as tcpdump and run a dictionary or brute-force attack against the hash to recover the PSK.

This attack only works in IKE aggressive mode, because in IKE Main Mode the hash is already encrypted by the time it is sent. For this reason IKE aggressive mode is not very secure.
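The distinction above can be checked directly in captured traffic: an IKEv1 message whose ISAKMP header carries exchange type 4 (Aggressive) with the Encryption flag clear, and whose payload chain contains a HASH payload, is a responder handing out Hash_R in plaintext, whereas a Main Mode message with the E bit set is opaque past the 28-byte header. The following monitoring helper is an added example, not code from this post; it follows the RFC 2408 header and generic-payload layout, and the two ISAKMP messages it inspects are constructed inline for illustration (the SPIs, key and nonce bytes are filler, not a real exchange).

```python
"""Flag IKEv1 messages that expose the PSK-based HASH_R in the clear.

Added example (not from the original post). Header and payload layout per
RFC 2408; sample messages below are constructed, not captured traffic.
"""
import struct

ISAKMP_HEADER_LEN = 28                      # fixed ISAKMP header size
FLAG_ENCRYPTION = 0x01                      # E bit: payloads after the header are encrypted
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VENDOR_ID"}


def parse_isakmp(data: bytes) -> dict:
    """Decode the ISAKMP header and, when unencrypted, walk the payload chain."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (_i_spi, r_spi, next_payload, _version, exch, flags,
     _msg_id, _length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    payloads = []
    # The payload chain is only parseable when the Encryption bit is clear.
    if not flags & FLAG_ENCRYPTION:
        off, ptype = ISAKMP_HEADER_LEN, next_payload
        while ptype != 0 and off + 4 <= len(data):
            nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
            if plen < 4 or off + plen > len(data):
                raise ValueError("bad payload length")
            payloads.append(PAYLOAD_NAMES.get(ptype, f"type{ptype}"))
            off, ptype = off + plen, nxt
    return {"exchange_type": exch,
            "exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "responder_spi_set": r_spi != b"\x00" * 8,
            "payloads": payloads}


def exposes_psk_hash(data: bytes) -> bool:
    """True when HASH_R is visible: aggressive exchange, no encryption, HASH payload present."""
    m = parse_isakmp(data)
    return m["exchange_type"] == 4 and not m["encrypted"] and "HASH" in m["payloads"]


# --- constructed sample messages (filler bytes, not a real handshake) -----------------
def _build_message(exchange: int, flags: int, chain: list) -> bytes:
    """Assemble header + generic payloads; each payload header names the NEXT payload type."""
    body = b""
    for idx, (ptype, pbody) in enumerate(chain):
        nxt = chain[idx + 1][0] if idx + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = chain[0][0] if chain else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first,
                         0x10, exchange, flags, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


# Responder's second aggressive-mode message: SA, KE, NONCE, ID, HASH all in the clear.
AGGRESSIVE_RESPONSE = _build_message(4, 0, [
    (1, b"\x00" * 8), (4, b"\xaa" * 16), (10, b"\xbb" * 16),
    (5, b"\x01\x00\x00\x00\xc0\xa8\x00\x01"), (8, b"\xdd" * 16)])

# Main Mode message with the E bit set: whatever follows the header is ciphertext.
MAIN_MODE_ENCRYPTED = _build_message(2, FLAG_ENCRYPTION, [(5, b"\x00" * 8)])

if __name__ == "__main__":
    for name, msg in (("aggressive", AGGRESSIVE_RESPONSE), ("main-mode", MAIN_MODE_ENCRYPTED)):
        info = parse_isakmp(msg)
        print(f"{name}: {info['exchange']}, payloads={info['payloads']}, "
              f"HASH_R exposed={exposes_psk_hash(msg)}")
```

Pointing this at UDP/500 payloads from a capture gives a simple inventory of which responders still negotiate aggressive mode with PSK authentication, which is the condition the post describes as crackable; the fix on the server side is to disable aggressive mode (or move to certificate-based authentication) rather than to rely on a stronger PSK alone.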

It looks like this:

To save with some output:

Once you have your PSK file to crack, you have two options: psk-crack and Cain.

psk-crack is fairly rudimentary.

to brute force:

The default charset is "0123456789abcdefghijklmnopqrstuvwxyz"; it can be changed with --charset=

To dictionary attack:

You may find yourself wanting a bit more flexibility or options during brute-forcing or dictionary attacking (i.e. character substitution). For this you'll need to use Cain. The problem I ran into was that Cain is a Windows tool and ike-scan is *nix. I couldn't get the Windows tool that is floating around to work. Solution: run in VMware and have Cain sniff on your VMware interface. The PSK should show up under passwords in the sniffer tab, then you can select it and "send to cracker". It's slow as hell, but has more options than psk-crack.
