IKE VPN Service

UDP Port - 500 : isakmp

Description

IKEv1 has two phases. Phase 1 establishes the ISAKMP SA and operates in Main Mode (6-way handshake, peer identities protected) or Aggressive Mode (3-way handshake, peer identities sent before encryption is enabled), while Phase 2 negotiates the IPsec SA in Quick Mode.
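The modes above are visible on the wire in the fixed 28-byte ISAKMP header that every IKE datagram on UDP 500 starts with: the exchange-type byte says whether a message is Main Mode, Aggressive Mode or Quick Mode, and the payload chain shows what the peer sent. The following is an added example, not code from the page or from ike-scan: it decodes the header and payload chain (values from RFC 2408/2409 for IKEv1 and RFC 7296 for IKEv2) and produces the defender's notes one would want when a capture shows an Aggressive Mode exchange. The sample packet is constructed, with filler payload bodies.

```python
import struct

# Added example (not from the original page): decode the 28-byte ISAKMP header, walk the
# generic payload chain and report which phase/mode the message belongs to.

HEADER_LEN = 28

# Exchange types: RFC 2408 section 3.1 (1-5), RFC 2409 appendix A (32, 33), RFC 7296 (34-37).
EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
    33: "New Group Mode",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}

# IKEv1 payload types, RFC 2408 section 3.1.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}

FLAG_ENCRYPTION = 0x01  # everything after the header is encrypted


def parse_isakmp(data: bytes) -> dict:
    """Parse the ISAKMP header and the generic payload chain of one IKE message."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    (i_cookie, r_cookie, first_payload, version, exch,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")

    # Each generic payload header is next-payload(1) reserved(1) length(2), length incl. header.
    payloads = []
    offset, ptype = HEADER_LEN, first_payload
    encrypted = bool(flags & FLAG_ENCRYPTION)
    while ptype != 0 and not encrypted:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        payloads.append(PAYLOAD_TYPES.get(ptype, f"UNKNOWN({ptype})"))
        offset, ptype = offset + plen, nxt

    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "encrypted": encrypted,
        "message_id": msg_id,
        "responder_cookie_zero": r_cookie == bytes(8),
        "payloads": payloads,
    }


def assess_exchange(info: dict) -> list:
    """Defender-side notes derived from the header alone."""
    notes = []
    if info["version"].startswith("1."):
        if info["exchange"] == "Aggressive":
            notes.append("IKEv1 Aggressive Mode: Phase 1 identities are sent before encryption "
                         "is enabled; with PSK auth the responder hash is exposed to offline guessing.")
        elif info["exchange"].endswith("(Main Mode)"):
            notes.append("IKEv1 Main Mode: 6-message Phase 1, identities protected.")
        elif info["exchange"] == "Quick Mode":
            notes.append("IKEv1 Quick Mode: Phase 2 negotiation of the IPsec (ESP) SA.")
    if info["responder_cookie_zero"]:
        notes.append("Responder cookie is zero: this is the initiator's first message.")
    return notes


def _payload(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sample_aggressive() -> bytes:
    """Constructed sample: first message of an IKEv1 Aggressive Mode exchange (SA, KE, NONCE, ID).
    Payload bodies are filler; only the header and the payload chain are parsed."""
    body = (_payload(4, b"\x00" * 8)       # SA    -> next KE
            + _payload(10, b"\x01" * 16)   # KE    -> next NONCE
            + _payload(5, b"\x02" * 8)     # NONCE -> next ID
            + _payload(0, b"\x03" * 4))    # ID    -> last payload
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, 4, 0, 0,
                         HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    info = parse_isakmp(build_sample_aggressive())
    print(info)
    for note in assess_exchange(info):
        print("-", note)
```

Feed it the UDP payload of any port-500 datagram (for instance the bytes of a packet pulled from a capture); a first message with exchange type 4 and a zero responder cookie is the signature of an Aggressive Mode attempt, which is the case the later Aggressive Mode section refers to.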

ike-scan

ike-scan -M 10.10.10.116
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=11768058e4d59051)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
        VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
        VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)

Version identification : nmap

nmap -sU -p 500 --script ike-version 10.10.10.116

IPsec : Tool: strongSwan

sudo apt install strongswan strongswan-pki
----------------------
sudo ipsec start
Starting strongSwan 5.8.4 IPsec [starter]...

------------------------
sudo ipsec up conceal
......
connection 'conceal' established successfully

Once IPsec is up and running, simply open the browser and browse to the IP. [In this case 10.10.10.116:80]

Configuration

/etc/ipsec.conf
conn conceal
        authby=secret
        auto=route
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        left=10.10.14.7
        right=10.10.10.116
        type=transport
        esp=3des-sha1
        rightprotoport=tcp

  • authby=secret authenticates the peers with a pre-shared key, which is read from /etc/ipsec.secrets.

  • inactivity specifies the timeout interval after which a CHILD_SA is closed if it has not sent or received any traffic. [Not set in this config, so the strongSwan default applies]

  • keyexchange specifies the IKE version (here ikev1, matching the Main Mode handshake returned by ike-scan).

  • ike specifies the Phase 1 cipher suite that we want to use. This is not new to us, because it is exactly the cipher suite exposed by ike-scan earlier on (Enc=3DES Hash=SHA1 Group=2:modp1024).

  • esp specifies the Phase 2 (ESP) cipher suite and is the only parameter that we need to guess, since the ike-scan output does not reveal it.

  • rightprotoport=tcp specifies that we are connecting securely (over IPsec) to Conceal for all TCP ports. [Recall from SNMP that Conceal is also listening on 21/tcp, 80/tcp, 139/tcp, and 445/tcp]

  • type specifies the type of connection we want to establish. In this case, we want transport mode rather than a tunnel. [Since we're already using HTB VPN]
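The ike= line above is a direct transcription of the transform that ike-scan printed (Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK). As an added example that is not code from the page, ike-scan or strongSwan, the script below parses that ike-scan output, rebuilds the strongSwan proposal string it corresponds to, lists the vendor IDs, and flags the parameters a reviewer would want to call out. The sample text is constructed from the output format shown in the ike-scan section; the attribute-name mapping is an assumption that covers ike-scan's common naming and should be checked against the strongSwan documentation for anything outside the map.

```python
import re

# Added example (not from the original page): ike-scan -M output -> strongSwan proposal + review.

# Constructed sample in the format ike-scan -M prints (copied from the page's output layout).
SAMPLE = """\
10.10.10.116    Main Mode Handshake returned
        HDR=(CKY-R=11768058e4d59051)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
        VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
"""

# ike-scan attribute values -> strongSwan keywords (assumption: covers the common names;
# anything unmapped falls through lowercased and must be checked by hand).
ENC_MAP = {"3DES": "3des", "DES": "des", "AES": "aes"}
HASH_MAP = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
            "SHA2-384": "sha384", "SHA2-512": "sha512"}

# Reviewer findings keyed by the ike-scan attribute that triggers them.
WEAK = {
    "Enc=DES": "single DES: 56-bit key, trivially brute-forced",
    "Enc=3DES": "3DES: 64-bit block cipher (Sweet32 class), deprecated; prefer AES",
    "Hash=MD5": "MD5 as IKE PRF/integrity: broken hash",
    "Hash=SHA1": "SHA1 as IKE PRF/integrity: deprecated; prefer SHA2",
    "Group=1:modp768": "DH group 1 (768-bit): far below current minimums",
    "Group=2:modp1024": "DH group 2 (1024-bit): deprecated; prefer modp2048 or an ECP group",
    "Auth=PSK": "pre-shared key auth: PSK strength and Aggressive Mode exposure must be reviewed",
}


def parse_ike_scan(text: str) -> dict:
    """Extract host, mode, SA attributes and vendor IDs from ike-scan's Main/Aggressive Mode output."""
    head = re.search(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned", text, re.M)
    sa = re.search(r"SA=\((.*)\)\s*$", text, re.M)   # greedy: LifeDuration(4) contains parens
    if not head or not sa:
        raise ValueError("no handshake/SA line found")
    attrs = dict(tok.split("=", 1) for tok in sa.group(1).split())
    vids = re.findall(r"VID=([0-9a-f]+)(?:\s*\((.*)\))?\s*$", text, re.M)
    return {"host": head.group(1), "mode": head.group(2), "sa": attrs, "vids": vids}


def to_strongswan_proposal(attrs: dict) -> str:
    """Build the ike= proposal string (enc-hash-group) strongSwan expects."""
    enc = ENC_MAP.get(attrs["Enc"], attrs["Enc"].lower())
    if "KeyLength" in attrs:              # ike-scan prints KeyLength=128/256 for AES
        enc += attrs["KeyLength"]
    hsh = HASH_MAP.get(attrs["Hash"], attrs["Hash"].lower())
    group = attrs["Group"].split(":", 1)[-1]   # "2:modp1024" -> "modp1024"
    return f"{enc}-{hsh}-{group}"


def findings(attrs: dict) -> list:
    """Return the review findings whose trigger attribute is present in the transform."""
    out = []
    for key, msg in WEAK.items():
        name, value = key.split("=", 1)
        if attrs.get(name) == value:
            out.append(msg)
    return out


def assess(text: str) -> dict:
    r = parse_ike_scan(text)
    r["proposal"] = to_strongswan_proposal(r["sa"])
    r["findings"] = findings(r["sa"])
    return r


if __name__ == "__main__":
    result = assess(SAMPLE)
    print(f"{result['host']} ({result['mode']} Mode): ike={result['proposal']}")
    for vid, desc in result["vids"]:
        print(f"  VID {vid} {desc}")
    for f in result["findings"]:
        print("  finding:", f)
```

Everything the script flags for the sample is inherent to the page's configuration (3DES, SHA1, 1024-bit DH, PSK); on the defending side the fix is a proposal such as aes256-sha256-modp2048 with keyexchange=ikev2, and the ESP suite, which ike-scan cannot see, should be reviewed on the gateway itself.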

Add the pre-shared key (PSK)

/etc/ipsec.secrets
10.10.14.7 10.10.10.116 : PSK "Dudecake1!"

Post connect: nmap scan

nmap -n -v -Pn -sT -p21,80,139,445 10.10.10.116

Aggressive Mode

Article: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-ike-missionimprobable-part-1/

  • Check whether the 'Dead Peer Detection' field appears in the response to fake group IDs. If it does, the group ID cannot be enumerated this way.
