iker is a Python tool to analyse the security of the key exchange phase in IPsec based VPNs.
- Discover VPN services running
- Fingerprint based on vendor IDs (VID)
- Guess implementation basing on responses analysis (backoff)
- Enumerate supported transforms in Main Mode
- Check for Aggressive Mode
- Enumerate supported transforms in this Aggressive Mode
- Enumerate valid client/group IDs in Aggressive Mode
- Allow for rate limiting
- Analyse results to list actual issues
- Export results in 2 different formats
- Load IPs from command line or text files
- Determine support for IKEv2
iker scans and analyses the Internet Key Exchange (IKE) protocol, identifying common misconfigurations in VPN concentrators. It is based on ike-scan.
It discovers and try to fingerprint the VPNs in a first step. Later, it tries to enumerates valid transforms in Main Mode and in Aggressive Mode if it is supported. Finally, it will try to enumerate group IDs if a dictionary was provided.
iker implements two ways of enumerating valid group IDs:
- Cisco IPSec VPN Implementation Group Name Enumeration Vulnerability
- Responses analysis
Once all the tests have been launched, iker analyses the results and generates a report with the issues found.
In addition, the following Python packages are used (they usually are included with normal Python installations):
Download iker from the link below and uncompress it.
$ sudo python iker.py -h iker v. 1.0 The ike-scan based script which checks for security flaws in IPsec-based VPNs. by Julio Gomez ( email@example.com ) usage: iker.py [-h] [-v] [-d DELAY] [-i INPUT] [-o OUTPUT] [-x XML] [--encalgs ENCALGS] [--hashalgs HASHALGS] [--authmethods AUTHMETHODS] [--dhgroups DHGROUPS] [--fullalgs] [--ikepath IKEPATH] [-c CLIENTIDS] [target] positional arguments: target The IP address or the network (CIDR notation) to scan. optional arguments: -h, --help show this help message and exit -v, --verbose Be verbose. -d DELAY, --delay DELAY Delay between requests (in milliseconds). Default: 0 (No delay). -i INPUT, --input INPUT An input file with an IP address/network per line. -o OUTPUT, --output OUTPUT An output file to store the results. -x XML, --xml XML An output file to store the results in XML format. Default: output.xml --encalgs ENCALGS The encryption algorithms to check. Default: DES, 3DES, AES/128, AES/192 and AES/256. Example: --encalgs="1 5 7/128 7/192 7/256" --hashalgs HASHALGS The hash algorithms to check. Default: MD5 and SHA1. Example: --hashalgs="1 2" --authmethods AUTHMETHODS The authorization methods to check. Default: Pre- Shared Key, RSA Signatures, Hybrid Mode and XAUTH. Example: --authmethods="1 3 64221 65001" --dhgroups DHGROUPS The Diffie-Hellman groups to check. Default: MODP 768, MODP 1024 and MODP 1536. Example: --dhgroups="1 2 5" --fullalgs Equivalent to: --encalgs="1 2 3 4 5 6 7/128 7/192 7/256 8" --hashalgs="1 2 3 4 5 6" --authmethods="1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010" --dhgroups="1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18" --ikepath IKEPATH The FULL ike-scan path if it is not in the PATH variable and/or the name changed. -c CLIENTIDS, --clientids CLIENTIDS A file (dictionary) with a client ID per line to enumerate valid client IDs in Aggressive Mode. Default: unset - This test is not launched by default.
Loading the hosts/ranges to scan from a text file and saving the results into a text and an XML file:
$ sudo python iker.py -i ips.txt -o output.txt -x output.xml -v iker v. 1.0 The ike-scan based script which checks for security flaws in IPsec-based VPNs. by Julio Gomez ( firstname.lastname@example.org ) Starting iker (https://labs.portcullis.co.uk/tools/) at Mon, 20 Jan 2014 14:34:15 +0000 [*] Discovering IKE services, please wait... 10.0.0.2 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000, msgid=f904f872) [*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient... [*] The device 10.0.0.2 could not been fingerprinted because no transform is known. [*] Looking for accepted transforms at 10.0.0.2 [*] Transform found: Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080 [*] Vendor ID identified for IP 10.0.0.2 with transform Enc=3DES Hash=MD5 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080: Firewall-1 NGX [*] Trying to fingerprint the devices (again). This proccess is going to take a while (1-5 minutes per IP). Be patient... [*] Implementation guessed for IP 10.0.0.2: Firewall-1 4.1/NG/NGX ...
Specifying the encryption algorithms to check for supported transforms:
$ sudo python iker.py --encalgs "1 2 3 4 5 6 7/128 7/192 7/256 8" 10.0.2.2 [...]
Specifying that all the encryption algorithms, the hashing algorithms, the authentication methods and the DH groups must be checked:
$ sudo python iker.py --fullalgs 10.0.2.2 [...]