iker is a Python tool to analyse the security of the key exchange phase in IPsec-based VPNs.
Key features
- Discover VPN services running
- Fingerprint based on vendor IDs (VID)
- Guess the implementation from response analysis (backoff fingerprinting)
- Enumerate supported transforms in Main Mode
- Check for Aggressive Mode
- Enumerate supported transforms in Aggressive Mode
- Enumerate valid client/group IDs in Aggressive Mode
- Allow for rate limiting
- Analyse results to list actual issues
- Export results in 2 different formats
- Load IPs from command line or text files
- Determine support for IKEv2
Overview
iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.
In a first step it discovers the VPN endpoints and tries to fingerprint them. Then it tries to enumerate valid transforms in Main Mode and, if it is supported, in Aggressive Mode. Finally, it tries to enumerate group IDs if a dictionary was provided.
iker implements two ways of enumerating valid group IDs:
- Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability
- Responses analysis
Once all the tests have been launched, iker analyses the results and generates a report with the issues found.
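As an added illustration of the last step (analysing the accepted transforms and listing the actual issues), the following Python snippet is not part of iker; it parses "Transform found" lines in the layout iker prints (see the Examples section; the sample lines are constructed) and reports the weak choices a defender would want flagged: DES, MD5, small MODP groups, and PSK authentication when Aggressive Mode is accepted.

```python
import re

# Constructed sample output in the layout iker prints. The first line is the one
# shown in the Examples section; the other two are invented for illustration.
SAMPLE_LINES = [
    "[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080",
    "[*] Transform found: Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080",
    "[*] Transform found: Enc=AES KeyLength=256 Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080",
    "[*] Discovering IKE services, please wait...",
]

# One attribute looks like Enc=3DES or LifeDuration(4)=0x00007080
_ATTR = re.compile(r"([A-Za-z]+(?:\(\d+\))?)=(\S+)")

# Attributes worth repeating in the report (lifetime values are left out)
_KEY_ATTRS = ("Enc", "KeyLength", "Hash", "Auth", "Group")


def parse_transform(line):
    """Turn one 'Transform found' line into a dict of attribute -> value.

    Returns None for lines that do not report a transform.
    """
    if "Transform found:" not in line:
        return None
    _, _, attrs = line.partition("Transform found:")
    return dict(_ATTR.findall(attrs))


def weak_points(transform, aggressive=False):
    """List the issues one accepted transform implies.

    `aggressive` says whether the transform was accepted in Aggressive Mode;
    the sample lines do not carry that information, so the caller supplies it.
    """
    issues = []
    if transform.get("Enc") == "DES":
        issues.append("DES accepted (56-bit key)")
    if transform.get("Hash") == "MD5":
        issues.append("MD5 accepted as hash/PRF")
    group_id = transform.get("Group", "").split(":")[0]
    if group_id in ("1", "2"):
        issues.append("DH group %s accepted (MODP of 1024 bits or less)" % group_id)
    if aggressive and transform.get("Auth") == "PSK":
        issues.append("PSK with Aggressive Mode exposes the PSK hash to offline guessing")
    return issues


def describe(transform):
    """Short label for a transform, e.g. 'Enc=DES Hash=SHA1 Auth=PSK Group=1:modp768'."""
    return " ".join("%s=%s" % (k, transform[k]) for k in _KEY_ATTRS if k in transform)


def analyse(lines, aggressive=False):
    """Return a list of (transform label, issue) pairs for the given output lines."""
    report = []
    for line in lines:
        transform = parse_transform(line)
        if transform is None:
            continue
        for issue in weak_points(transform, aggressive):
            report.append((describe(transform), issue))
    return report


if __name__ == "__main__":
    for label, issue in analyse(SAMPLE_LINES):
        print("%-60s %s" % (label, issue))
```

Run it on a saved iker output file by replacing SAMPLE_LINES with the file's lines; pass aggressive=True for the transforms collected during the Aggressive Mode check.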
Requirements
In addition, the following Python modules are used (they are usually included with standard Python installations):
- subprocess
- argparse
Installation
Download iker from the link below and uncompress it.
Usage
$ sudo python iker.py -h
iker v. 1.0
The ike-scan based script which checks for security flaws in IPsec-based VPNs.
by Julio Gomez ( jgo@portcullis-security.com )
usage: iker.py [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML]
[--encalgs ENCALGS] [--hashalgs HASHALGS]
[--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs]
[--ikepath IKEPATH] [-c CLIENTIDS]
[target]
positional arguments:
target The IP address or the network (CIDR notation) to scan.
optional arguments:
-h, --help show this help message and exit
-v, --verbose Be verbose.
-d DELAY, --delay DELAY
Delay between requests (in milliseconds). Default: 0
(No delay).
-i INPUT, --input INPUT
An input file with an IP address/network per line.
-o OUTPUT, --output OUTPUT
An output file to store the results.
-x XML, --xml XML An output file to store the results in XML format.
Default: output.xml
--encalgs ENCALGS The encryption algorithms to check. Default: DES,
3DES, AES/128, AES/192 and AES/256. Example:
--encalgs="1 5 7/128 7/192 7/256"
--hashalgs HASHALGS The hash algorithms to check. Default: MD5 and SHA1.
Example: --hashalgs="1 2"
--authmethods AUTHMETHODS
The authorization methods to check. Default: Pre-
Shared Key, RSA Signatures, Hybrid Mode and XAUTH.
Example: --authmethods="1 3 64221 65001"
--dhgroups DHGROUPS The Diffie-Hellman groups to check. Default: MODP 768,
MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5"
--fullalgs Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192
7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3
4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003
65004 65005 65006 65007 65008 65009 65010"
--dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18"
--ikepath IKEPATH The FULL ike-scan path if it is not in the PATH
variable and/or the name changed.
-c CLIENTIDS, --clientids CLIENTIDS
A file (dictionary) with a client ID per line to
enumerate valid client IDs in Aggressive Mode.
Default: unset - This test is not launched by default.
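The --encalgs, --hashalgs, --authmethods and --dhgroups options above take space-separated attribute IDs (AES additionally carries a key length after a slash). The following Python snippet is an added example, not iker's own code: it expands those option strings into the full set of transforms that must be probed, labels the IDs with the names from the IANA IKEv1 attribute registries, and shows why --fullalgs combined with a per-request delay takes a long time. The ike_scan_trans() format (enc[/keylen],hash,auth,group) is assumed here from ike-scan's documentation of its old-style --trans value; the page does not show how iker itself drives ike-scan.

```python
import itertools

# Names from the IANA ISAKMP attribute registries (IKEv1). Only common values
# are listed; anything else is printed with its raw number.
ENC_NAMES = {1: "DES", 2: "IDEA", 3: "Blowfish", 4: "RC5", 5: "3DES",
             6: "CAST", 7: "AES", 8: "Camellia"}
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "Tiger", 4: "SHA2-256",
              5: "SHA2-384", 6: "SHA2-512"}
AUTH_NAMES = {1: "PSK", 2: "DSS_Sig", 3: "RSA_Sig", 4: "RSA_Enc",
              5: "RSA_Enc_Revised", 64221: "Hybrid_RSA", 65001: "XAUTH_PSK"}
GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536",
               14: "modp2048", 15: "modp3072", 16: "modp4096"}

# Default option values as documented in the usage text above
DEFAULT_ENC = "1 5 7/128 7/192 7/256"
DEFAULT_HASH = "1 2"
DEFAULT_AUTH = "1 3 64221 65001"
DEFAULT_DH = "1 2 5"


def parse_enc(token):
    """'7/128' -> (7, 128); '5' -> (5, None)."""
    alg, _, keylen = token.partition("/")
    return int(alg), (int(keylen) if keylen else None)


def expand(encalgs, hashalgs, authmethods, dhgroups):
    """Cartesian product of the four option strings: every transform to probe."""
    encs = [parse_enc(t) for t in encalgs.split()]
    hashes = [int(t) for t in hashalgs.split()]
    auths = [int(t) for t in authmethods.split()]
    groups = [int(t) for t in dhgroups.split()]
    return list(itertools.product(encs, hashes, auths, groups))


def describe(transform):
    """Label a transform the way iker prints it, e.g. 'Enc=AES/128 Hash=SHA1 ...'."""
    (enc, keylen), h, a, g = transform
    enc_s = ENC_NAMES.get(enc, "enc-%d" % enc)
    if keylen:
        enc_s += "/%d" % keylen
    return "Enc=%s Hash=%s Auth=%s Group=%d:%s" % (
        enc_s,
        HASH_NAMES.get(h, "hash-%d" % h),
        AUTH_NAMES.get(a, "auth-%d" % a),
        g,
        GROUP_NAMES.get(g, "group-%d" % g),
    )


def ike_scan_trans(transform):
    """Assumed old-style ike-scan --trans value: enc[/keylen],hash,auth,group."""
    (enc, keylen), h, a, g = transform
    enc_s = "%d/%d" % (enc, keylen) if keylen else str(enc)
    return "%s,%d,%d,%d" % (enc_s, h, a, g)


def estimated_seconds(n_transforms, delay_ms):
    """Lower bound on scan time per host from the -d delay alone (one request per transform)."""
    return n_transforms * delay_ms / 1000.0


if __name__ == "__main__":
    defaults = expand(DEFAULT_ENC, DEFAULT_HASH, DEFAULT_AUTH, DEFAULT_DH)
    print("%d default transforms, e.g. %s -> --trans=%s"
          % (len(defaults), describe(defaults[0]), ike_scan_trans(defaults[0])))
    full = expand("1 2 3 4 5 6 7/128 7/192 7/256 8", "1 2 3 4 5 6",
                  "1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010",
                  "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18")
    print("%d transforms with --fullalgs; at -d 500 that is at least %.0f s per host"
          % (len(full), estimated_seconds(len(full), 500)))
```

The difference between the two counts is the practical reason the usage text offers --fullalgs as a separate switch: the default set is small enough to probe quickly, while the full set multiplies the request volume by roughly two hundred.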
Examples
Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:
$ sudo python iker.py -i ips.txt -o output.txt -x output.xml -v
iker v. 1.0
The ike-scan based script which checks for security flaws in IPsec-based VPNs.
by Julio Gomez ( jgo@portcullis-security.com )
Starting iker (https://labs.portcullis.co.uk/tools/) at Mon, 20 Jan 2014 14:34:15 +0000
[*] Discovering IKE services, please wait...
10.0.0.2 Notify message 14 (NO-PROPOSAL-CHOSEN)
HDR=(CKY-R=0000000000000000, msgid=f904f872)
[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] The device 10.0.0.2 could not been fingerprinted because no transform is known.
[*] Looking for accepted transforms at 10.0.0.2
[*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080
[*] Vendor ID identified for IP 10.0.0.2 with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX
[*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.0.0.2: Firewall-1 4.1/NG/NGX
...
Specifying the encryption algorithms to check for supported transforms:
$ sudo python iker.py --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8" 10.0.2.2 [...]
Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:
$ sudo python iker.py --fullalgs 10.0.2.2 [...]