Key features

• Discover VPN services running
• Fingerprint based on vendor IDs (VID)
• Guess implementation basing on responses analysis (backoff)
• Enumerate supported transforms in Main Mode
• Check for Aggressive Mode
• Enumerate supported transforms in this Aggressive Mode
• Enumerate valid client/group IDs in Aggressive Mode
• Allow for rate limiting
• Analyse results to list actual issues
• Export results in 2 different formats
• Load IPs from command line or text files
• Determine support for IKEv2

Overview

iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.

It discovers and try to fingerprint the VPNs in a first step. Later, it tries to enumerates valid transforms in Main Mode and in Aggressive Mode if it is supported. Finally, it will try to enumerate group IDs if a dictionary was provided.

iker implements two ways of enumerating valid group IDs:

• Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability
• Responses analysis

Once all the tests have been launched, iker analyses the results and generates a report with the issues found.

Requirements

• ike-scan
• Python

In addition, the following Python packages are used (they usually are included with normal Python installations):

• subprocess
• argparse

Installation

Download iker from the link below and uncompress it.

Usage

$ sudo python iker.py -h

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

usage: iker.py [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML]
               [--encalgs ENCALGS] [--hashalgs HASHALGS]
               [--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs]
               [--ikepath IKEPATH] [-c CLIENTIDS]
               [target]

positional arguments:
  target                The IP address or the network (CIDR notation) to scan.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Be verbose.
  -d DELAY, --delay DELAY
                        Delay between requests (in milliseconds). Default: 0
                        (No delay).
  -i INPUT, --input INPUT
                        An input file with an IP address/network per line.
  -o OUTPUT, --output OUTPUT
                        An output file to store the results.
  -x XML, --xml XML     An output file to store the results in XML format.
                        Default: output.xml
  --encalgs ENCALGS     The encryption algorithms to check. Default: DES,
                        3DES, AES/128, AES/192 and AES/256. Example:
                        --encalgs="1 5 7/128 7/192 7/256"
  --hashalgs HASHALGS   The hash algorithms to check. Default: MD5 and SHA1.
                        Example: --hashalgs="1 2"
  --authmethods AUTHMETHODS
                        The authorization methods to check. Default: Pre-
                        Shared Key, RSA Signatures, Hybrid Mode and XAUTH.
                        Example: --authmethods="1 3 64221 65001"
  --dhgroups DHGROUPS   The Diffie-Hellman groups to check. Default: MODP 768,
                        MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5"
  --fullalgs            Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192
                        7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3
                        4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003
                        65004 65005 65006 65007 65008 65009 65010"
                        --dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
                        18"
  --ikepath IKEPATH     The FULL ike-scan path if it is not in the PATH
                        variable and/or the name changed.
  -c CLIENTIDS, --clientids CLIENTIDS
                        A file (dictionary) with a client ID per line to
                        enumerate valid client IDs in Aggressive Mode.
                        Default: unset - This test is not launched by default.

Examples

Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:

$ sudo python iker.py -i ips.txt -o output.txt -x output.xml -v

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

Starting iker (https://labs.portcullis.co.uk/tools/) at Mon, 20 Jan 2014 14:34:15 +0000
[*] Discovering IKE services, please wait...
10.0.0.2 Notify message 14 (NO-PROPOSAL-CHOSEN)
 HDR=(CKY-R=0000000000000000, msgid=f904f872)

[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] The device 10.0.0.2 could not been fingerprinted because no transform is known.

[*] Looking for accepted transforms at 10.0.0.2
[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080
[*] Vendor ID identified for IP 10.0.0.2 with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX

[*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.0.0.2: Firewall-1 4.1/NG/NGX
...

Specifying the encryption algorithms to check for supported transforms:

$ sudo python iker.py --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8" 10.0.2.2
[...]

Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:

$ sudo python iker.py --fullalgs 10.0.2.2
[...]

iker_v1.1.tar
July 17, 2014
Version: 1.1

40.0 KiB
MD5 hash: c255b6beffcf1e0a2026a9fd3faede8a
Details

Date:

July 17, 2014

The post iker appeared first on Portcullis Labs.