This project is no longer maintained
IKEForce
Dan Turner [email protected]
http://www.spiderlabs.com
IKEForce is a command line IPSEC VPN brute forcing tool for Linux that allows group name/ID enumeration and XAUTH brute forcing capabilities.
Guides can be found here:
- http://blog.spiderlabs.com/2013/03/cracking-ike-aggressive-mode-hashes-part-1.html
- http://blog.spiderlabs.com/2013/04/cracking-ike-missionimprobable-part-2.html
- http://blog.spiderlabs.com/2014/09/cracking-ike-missionimprobable-part3.html
Requires the pyip
, pycrypto
and pyopenssl
modules installed, but other than that it's only standard libs.
pyip
is the most likely lib that you won't have, install it with 'pip install pyip'
./ikeforce.py [target] [mode] -w /path-to/wordlist.txt [optional] -t 5 1 1 2
Example (find all AM transforms):
./ikeforce.py 192.168.1.110 -a -s 1
Example (enum mode):
./ikeforce.py 192.168.1.110 -e -w groupnames.txt -s 1
Example (brute mode):
./ikeforce.py 192.168.1.110 -b -i groupid -u dan -k psk123 -w passwords.txt -s 1
Options:
-h, --help
show this help message and exit
-w WORDLIST, --wordlist=WORDLIST
Path to wordlist file
-t TRANS, --trans=TRANS
[OPTIONAL] Transform set: encryption type, hash type, authentication type, dh group (5 1 1 2)
-e, --enum
Set Enumeration Mode
-a, --all
Set Transform Set Enumeration Mode
-b, --brute
Set XAUTH Brute Force Mode
-k PSK, --psk=PSK
Pre Shared Key to be used with Brute Force Mode
-i ID, --id=ID
ID or group name. To be used with Brute Force Mode
-u USERNAME, --username=USERNAME
XAUTH username to be used with Brute Force Mode
-U USERLIST, --userlist=USERLIST
[OPTIONAL] XAUTH username list to be used with Brute Force Mode
-p PASSWORD, --password=PASSWORD
XAUTH password to be used with Connect Mode
--sport=SPORT
Source port to use, default is 500
-d, --debug
Set debug on
-c, --connect
Set Connect Mode (test a connection)
-y IDTYPE, --idtype=IDTYPE
[OPTIONAL] ID Type for Identification payload. Default
is 2 (FQDN)
-s SPEED, --speed=SPEED
[OPTIONAL] Speed of guessing attempts. A numerical
value between 1 - 5 where 1 is faster and 5 is slow.
Default is 3
-l KEYLEN, --keylen=KEYLEN
[OPTIONAL] Key Length, for use with AES encryption
types
-v VENDOR, --vendor=VENDOR
[OPTIONAL] Vendor Type (cisco or watchguard currently
accepted)
--version=VERSION [OPTIONAL] IKE verison (default verison 1)
Transform Set Helper (Non-exhautive):
Enc Type (1) | Hash Type (2) | Auth Type (3) | DH Group (4) |
---|---|---|---|
1 = DES | 1 = HMAC-MD5 | 1 = PSK | 1 = 768-bit MODP group |
2 = IDEA | 2 = HMAC-SHA | 2 = DSS-Sig | 2 = 1024-bit MODP group |
3 = Blowfish | 3 = TIGER | 3 = RSA-Sig | 3 = EC2N group on GP[2^155] |
4 = RC5-R16-B64 | 4 = SHA2-256 | 4 = RSA-Enc | 4 = EC2N group on GP[2^185] |
5 = 3DES | 5 = SHA2-384 | 5 = Revised RSA-Sig | 5 = 1536-bit MODP group |
6 = CAST | 6 = SHA2-512 | 64221 = Hybrid Mode | |
7 = AES | 65001 = XAUTHInitPreShared |
Have a look at the ike-scan User Guide for more values.
- Improved timeout in enum mode
- Fixed server exit trace errors
- Added automated transform set enumeration using the -a flag
- Improved transform code and several other parts of the client/handler code.
- Improved/added full connect mode (-c) which allows to negotiation of a full IPSEC connection. The ESP keys are provided after successful negotiation
- Fixed a bug in brute mode
- Added a check for XAUTH bypass (CVE-2015-0760)