iker (Portcullis Labs, https://labs.portcullis.co.uk/tools/iker/), Mon, 27 Jan 2014

iker is a Python tool to analyse the security of the key exchange phase in IPsec based VPNs.

Key features

  • Discover VPN services running
  • Fingerprint based on vendor IDs (VID)
  • Guess the implementation from response timing analysis (backoff fingerprinting)
  • Enumerate supported transforms in Main Mode
  • Check for Aggressive Mode
  • Enumerate supported transforms in Aggressive Mode
  • Enumerate valid client/group IDs in Aggressive Mode
  • Allow for rate limiting
  • Analyse results to list actual issues
  • Export results in 2 different formats
  • Load IPs from command line or text files
  • Determine support for IKEv2

Overview

iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.

In a first step it discovers the VPN endpoints and tries to fingerprint them. Next, it enumerates the accepted transforms in Main Mode and, if the endpoint supports it, in Aggressive Mode. Finally, if a dictionary was provided, it tries to enumerate valid group IDs.

iker implements two ways of enumerating valid group IDs:

Once all the tests have been launched, iker analyses the results and generates a report with the issues found.
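The transform enumeration step is a brute-force of every combination of encryption algorithm, hash, authentication method and DH group that the --encalgs, --hashalgs, --authmethods and --dhgroups options select, each sent as a separate ike-scan probe. The following script is an added example (not iker's own code) that expands those option strings into ike-scan --trans candidates and builds the corresponding ike-scan command lines; it assumes ike-scan's documented --trans=enc[/keylen],hash,auth,group, --aggressive and --id options and the IKEv1 attribute values of the IANA ISAKMP registry, and sends no packets itself:

```python
"""Expand iker-style algorithm lists into ike-scan --trans candidates.

Added example, not code from iker or ike-scan. Assumes the ike-scan options
--trans, --aggressive and --id and the IANA IKEv1 attribute numbering.
"""
import itertools

# Option defaults as printed by 'iker.py -h'.
DEFAULTS = {
    "encalgs": "1 5 7/128 7/192 7/256",
    "hashalgs": "1 2",
    "authmethods": "1 3 64221 65001",
    "dhgroups": "1 2 5",
}

# What --fullalgs expands to, again taken from the help text.
FULLALGS = {
    "encalgs": "1 2 3 4 5 6 7/128 7/192 7/256 8",
    "hashalgs": "1 2 3 4 5 6",
    "authmethods": "1 2 3 4 5 6 7 8 64221 64222 64223 64224 "
                   "65001 65002 65003 65004 65005 65006 65007 65008 65009 65010",
    "dhgroups": " ".join(str(g) for g in range(1, 19)),
}

# Names for the values iker probes by default (IANA IKEv1 registry), reporting only.
ENC_NAMES = {1: "DES", 5: "3DES", 7: "AES"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
AUTH_NAMES = {1: "PSK", 3: "RSA_Sig", 64221: "HybridInitRSA", 65001: "XAUTHInitPreShared"}
DH_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_spec(spec):
    """'1 5 7/128' -> [(1, None), (5, None), (7, 128)]; a bad token raises ValueError."""
    items = []
    for tok in spec.split():
        alg, _, klen = tok.partition("/")
        items.append((int(alg), int(klen) if klen else None))
    return items


def transforms(opts):
    """Cartesian product of the four attribute lists, in ike-scan --trans syntax."""
    encs = parse_spec(opts["encalgs"])
    hashes = [h for h, _ in parse_spec(opts["hashalgs"])]
    auths = [a for a, _ in parse_spec(opts["authmethods"])]
    groups = [g for g, _ in parse_spec(opts["dhgroups"])]
    out = []
    for (enc, klen), h, a, g in itertools.product(encs, hashes, auths, groups):
        enc_field = "%d/%d" % (enc, klen) if klen else str(enc)
        out.append("%s,%d,%d,%d" % (enc_field, h, a, g))
    return out


def describe(trans):
    """'7/128,2,1,2' -> 'AES/128 SHA1 PSK modp1024' (unknown ids stay numeric)."""
    enc_field, h, a, g = trans.split(",")
    enc, _, klen = enc_field.partition("/")
    name = ENC_NAMES.get(int(enc), enc) + ("/" + klen if klen else "")
    return "%s %s %s %s" % (name, HASH_NAMES.get(int(h), h),
                            AUTH_NAMES.get(int(a), a), DH_NAMES.get(int(g), g))


def ike_scan_cmd(target, trans, aggressive=False, group_id=None, ikepath="ike-scan"):
    """argv for one probe. --id is only meaningful together with --aggressive."""
    cmd = [ikepath, "--trans=" + trans]
    if aggressive:
        cmd.append("--aggressive")
        if group_id:
            cmd.append("--id=" + group_id)
    elif group_id:
        raise ValueError("group IDs are only sent in Aggressive Mode")
    cmd.append(target)
    return cmd


if __name__ == "__main__":
    default = transforms(DEFAULTS)
    print("%d candidate transforms with the defaults, %d with --fullalgs"
          % (len(default), len(transforms(FULLALGS))))
    for t in default[:3]:
        print(" ".join(ike_scan_cmd("10.0.0.2", t)), "#", describe(t))
```

The sizes explain the "1-5 minutes per IP" warning in the output further down: the defaults already produce 120 probes per host and per mode, and --fullalgs raises that to 23760, which is why the -d delay option matters against concentrators that rate-limit or log unmatched proposals.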

Requirements

iker drives ike-scan, so ike-scan must be installed and either be on the PATH or be given with --ikepath. In addition, the following Python modules are used (both are part of the standard library in Python 2.7 and later):

  • subprocess
  • argparse

Installation

Download iker from the link below and uncompress it.

Usage

$ sudo python iker.py -h

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

usage: iker.py [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML]
               [--encalgs ENCALGS] [--hashalgs HASHALGS]
               [--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs]
               [--ikepath IKEPATH] [-c CLIENTIDS]
               [target]

positional arguments:
  target                The IP address or the network (CIDR notation) to scan.

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Be verbose.
  -d DELAY, --delay DELAY
                        Delay between requests (in milliseconds). Default: 0
                        (No delay).
  -i INPUT, --input INPUT
                        An input file with an IP address/network per line.
  -o OUTPUT, --output OUTPUT
                        An output file to store the results.
  -x XML, --xml XML     An output file to store the results in XML format.
                        Default: output.xml
  --encalgs ENCALGS     The encryption algorithms to check. Default: DES,
                        3DES, AES/128, AES/192 and AES/256. Example:
                        --encalgs="1 5 7/128 7/192 7/256"
  --hashalgs HASHALGS   The hash algorithms to check. Default: MD5 and SHA1.
                        Example: --hashalgs="1 2"
  --authmethods AUTHMETHODS
                        The authorization methods to check. Default: Pre-
                        Shared Key, RSA Signatures, Hybrid Mode and XAUTH.
                        Example: --authmethods="1 3 64221 65001"
  --dhgroups DHGROUPS   The Diffie-Hellman groups to check. Default: MODP 768,
                        MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5"
  --fullalgs            Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192
                        7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3
                        4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003
                        65004 65005 65006 65007 65008 65009 65010"
                        --dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
                        18"
  --ikepath IKEPATH     The FULL ike-scan path if it is not in the PATH
                        variable and/or the name changed.
  -c CLIENTIDS, --clientids CLIENTIDS
                        A file (dictionary) with a client ID per line to
                        enumerate valid client IDs in Aggressive Mode.
                        Default: unset - This test is not launched by default.

Examples

Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:

$ sudo python iker.py -i ips.txt -o output.txt -x output.xml -v

iker v. 1.0

The ike-scan based script which checks for security flaws in IPsec-based VPNs.

                               by Julio Gomez ( jgo@portcullis-security.com )

Starting iker (https://labs.portcullis.co.uk/tools/) at Mon, 20 Jan 2014 14:34:15 +0000
[*] Discovering IKE services, please wait...
10.0.0.2 Notify message 14 (NO-PROPOSAL-CHOSEN)
 HDR=(CKY-R=0000000000000000, msgid=f904f872)

[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] The device 10.0.0.2 could not been fingerprinted because no transform is known.

[*] Looking for accepted transforms at 10.0.0.2
[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080
[*] Vendor ID identified for IP 10.0.0.2 with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX

[*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.0.0.2: Firewall-1 4.1/NG/NGX
...
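The "Transform found:" lines above are the raw material for the final analysis step. The script below is an added example, not iker's own report code: it parses lines in the format shown above into attribute dictionaries and rates each accepted transform. The sample lines are constructed for this example, and the severity rules (DES, MD5, 768/1024-bit MODP groups, pre-shared keys accepted in Aggressive Mode) are the author's own criteria rather than a list taken from iker:

```python
"""Rate accepted IKE phase-1 transforms from iker-style output lines.

Added example, not iker's own analysis code. Sample lines are constructed;
severity rules are this example's own.
"""
import re

# Constructed sample: (mode, line) pairs as collected per host.
SAMPLE_RESULTS = {
    "10.0.0.2": [
        ("main", "[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 "
                 "LifeType=Seconds LifeDuration(4)=0x00007080"),
        ("main", "[*] Transform found: Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 "
                 "LifeType=Seconds LifeDuration(4)=0x00007080"),
        ("aggressive", "[*] Transform found: Enc=AES KeyLength=128 Hash=SHA1 Auth=PSK "
                       "Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080"),
    ],
}

# Matches 'Name=value' tokens, including the 'LifeDuration(4)=...' form.
TOKEN = re.compile(r"(\w+(?:\(\d+\))?)=(\S+)")

# ike-scan auth method names that mean a pre-shared key is in use.
PSK_AUTH = {"PSK", "XAUTHInitPreShared", "XAUTHRespPreShared"}


def parse_transform(line):
    """'... Enc=3DES Hash=MD5 ...' -> {'Enc': '3DES', 'Hash': 'MD5', ...}."""
    attrs = dict(TOKEN.findall(line))
    if "Enc" not in attrs or "Hash" not in attrs:
        raise ValueError("not a transform line: %r" % line)
    return attrs


def assess(attrs, mode):
    """Return (severity, description) findings for one accepted transform."""
    findings = []
    enc = attrs["Enc"]
    if enc == "DES":
        findings.append(("high", "DES encryption (56-bit key) accepted"))
    elif enc == "3DES":
        findings.append(("low", "3DES accepted (legacy 64-bit block cipher)"))
    if attrs["Hash"] == "MD5":
        findings.append(("medium", "MD5 accepted as hash/PRF"))
    group = attrs.get("Group", "")
    if group.endswith("modp768"):
        findings.append(("high", "768-bit MODP Diffie-Hellman group accepted"))
    elif group.endswith("modp1024"):
        findings.append(("medium", "1024-bit MODP Diffie-Hellman group accepted"))
    if mode == "aggressive" and attrs.get("Auth") in PSK_AUTH:
        findings.append(("high", "Aggressive Mode with pre-shared key: the PSK hash is "
                                 "exposed and can be cracked offline (ike-scan --pskcrack)"))
    return findings


def analyse(results):
    """Per-host findings, deduplicated and ordered high -> medium -> low."""
    rank = {"high": 0, "medium": 1, "low": 2}
    report = {}
    for host, entries in results.items():
        seen = {}
        for mode, line in entries:
            for sev, desc in assess(parse_transform(line), mode):
                seen.setdefault(desc, sev)
        report[host] = sorted(seen.items(), key=lambda kv: (rank[kv[1]], kv[0]))
    return report


if __name__ == "__main__":
    for host, findings in analyse(SAMPLE_RESULTS).items():
        print(host)
        for desc, sev in findings:
            print("  [%s] %s" % (sev.upper(), desc))
```

The Aggressive Mode rule is the one that turns a configuration detail into a credential-exposure issue: when the responder accepts a PSK transform in Aggressive Mode, its third message carries a hash computed over the pre-shared key, which is exactly what the group-ID enumeration step and ike-scan's --pskcrack option rely on.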

Specifying the encryption algorithms to check for supported transforms:

$ sudo python iker.py --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8" 10.0.2.2
[...]

Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:

$ sudo python iker.py --fullalgs 10.0.2.2
[...]
Download

iker_v1.1.tar (version 1.1, July 17, 2014, 40.0 KiB, MD5: c255b6beffcf1e0a2026a9fd3faede8a)
