You must have aggressive mode enabled on the VPN Client to use this feature.
This was introduced in Cisco IOS Software Release 12.1.T. The ID of the exchange is used as the user name to query AAA if no local key can be found on the Cisco IOS® router to which the user is trying to connect. In the IKE shared secret feature that uses an AAA server, the shared secret is accessed during the aggressive mode of IKE negotiation through the AAA server. When using dynamic IP addressing such as Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP) dial-ups, the changing IP address can make key lookup difficult or impossible unless a wildcard pre-shared key is used. Pre-shared keys do not scale well when you deploy a large-scale VPN system without a certification authority (CA). The IKE shared secret feature that uses an authentication, authorization, and accounting (AAA) server enables key lookup from the AAA server. If using BT5 or similar Linux pen test distribution with root access, this is not needed).This document describes how to configure Internet Key Exchange (IKE) shared secret using a RADIUS server. (Note: sudo is used if we don't have root access. generate-transforms.sh | xargs -max-lines=8 sudo ike-scan -M > log.txt If this script is called generate-transforms.sh, we could use it to run ike-scan with up to eight transforms and capturing output in log file, in each run as follows: # Authentication methods: Pre-Shared Key,
# Encryption algorithms: DES, Triple-DES, AES/128, AES/192 and AES/256 (this one is 6 characters - takes 12 hours on P4 based server)įrom the above link, there is a good script to check variety of authentication methods that could be used by remote VPN target under test: # You can try brute force, on 4-5 char length using default or custom string of char #Run cracker, default is on dictionary file of approx. #Save data produced by -pskcrack in a file (copy & paste) e.g.
Ike-scan -auth=1 -A -id "Some Text" -pskcrack #IKE with PSK (auth=1), aggressive (-A) and collect data for psk-crack Check the captured hash value over period of time to see if it is changing or not.) This value could be captured and used in off-line brute force decode with variety of dictionary files.(Note: Often VPN solutions change frequently PSK. If it is, there is a weakness that hash of the Pre Shared Key (PSK) is shared in clear at the start of negotiation. # If detected VPN on udp 500, check if aggressive mode is enabled.
0 kommentar(er)
