3: 500/udp ipsec
Using https://book.hacktricks.xyz/pentesting/ipsec-ike-vpn-pentesting
# finding out what server uses
$ ike-scan -M 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=48e4f117f9520cfd)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.075 seconds (13.28 hosts/sec). 1 returned handshake; 0 returned notify
# 1 returned handshake; 0 returned notify
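Added example, not from the page or the hacktricks write-up: a small Python parser for the ike-scan -M output above that pulls out the SA parameters and vendor IDs and lists what a defender would want to fix in that proposal. The sample input is constructed from the lines above and the "legacy" algorithm policy is an assumption.

```python
import re

# Constructed sample input: the Main Mode handshake lines ike-scan -M printed above.
SAMPLE = """\
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=48e4f117f9520cfd)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
"""

SA_RE = re.compile(r"SA=\((.*)\)\s*$")           # greedy: SA body ends at the last ')'
VID_RE = re.compile(r"VID=([0-9a-f]+)\s+\((.*)\)")

# Assumed policy: values ike-scan may report that a defender should treat as legacy.
LEGACY = {
    "Enc": {"DES", "3DES"},
    "Hash": {"MD5", "SHA1"},
    "Group": {"1:modp768", "2:modp1024"},
}

def parse_ike_scan(text):
    """Parse ike-scan -M output into {'sa': {key: value}, 'vids': [name, ...]}."""
    sa, vids = {}, []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            for kv in m.group(1).split():          # e.g. "Enc=3DES", "LifeDuration(4)=0x00007080"
                key, _, value = kv.partition("=")
                sa[key] = value
            continue
        m = VID_RE.search(line)
        if m:
            vids.append(m.group(2))
    return {"sa": sa, "vids": vids}

def assess(parsed):
    """Return findings on the negotiated SA: legacy algorithms, PSK auth, SA lifetime."""
    sa = parsed["sa"]
    findings = [f"legacy {k}: {sa[k]}" for k, bad in LEGACY.items() if sa.get(k) in bad]
    if sa.get("Auth") == "PSK":
        findings.append("Auth=PSK: shared group secret; keep aggressive mode disabled and rotate the PSK")
    life = sa.get("LifeDuration(4)")
    if life:
        findings.append(f"IKE SA lifetime: {int(life, 16)} seconds")   # 0x00007080 -> 28800
    return findings

if __name__ == "__main__":
    for finding in assess(parse_ike_scan(SAMPLE)):
        print(finding)
```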
# find a valid transformation
# generate all possible transformations
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
# brute force
$ while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line 10.10.10.116) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
# will try aggressive scan if this doesn't give output
Valid trans found: --trans=5,2,1,2
Valid trans found: --trans=7/128,2,1,2
# server fingerprinting (the result is the same with either valid --trans)
$ ike-scan -M --showbackoff 10.10.10.116 --trans=5,2,1,2
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=e3673e4fc68ed2b4)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
10.10.10.116 1 1632466790.012245 0.000000
10.10.10.116 Implementation guess: Linksys Etherfast
Ending ike-scan 1.9.4: 1 hosts scanned in 60.099 seconds (0.02 hosts/sec). 1 returned handshake; 0 returned notify
# find correct ID (group name)
$ ike-scan -P -M -A -n fakeID 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
# no hash is returned, so brute forcing the ID (group name)
$ sudo /opt/ike/iker.py conceal.htb
iker v. 1.1
Starting iker (http://labs.portcullis.co.uk/tools/iker) at Fri, 08 Oct 2021 18:41:30 +0000
[*] Discovering IKE services, please wait...
[*] IKE service identified at: 10.10.10.116
[*] Checking for IKE version 2 support...
[*] Vendor ID identified for IP 10.10.10.116 with transform Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080: IKE CGA version 1
[*] Trying to fingerprint the devices. This proccess is going to take a while (1-5 minutes per IP). Be patient...
[*] Implementation guessed for IP 10.10.10.116: Linksys Etherfast
[*] Looking for accepted transforms at 10.10.10.116
[*] Transform found: Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080
[*] Transform found: Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080
[====================] 100% - Current transform: 7/256,2,65001,5
[*] Looking for accepted transforms in aggressive mode at 10.10.10.116
[====================] 100% - Current transform: 7/256,2,65001,5
Results:
--------
Resuls for IP 10.10.10.116:
[+] The IKE service could be discovered (Risk: LOW)
[+] The IKE service could be fingerprinted by analysing the vendor ID (VID) returned (Risk: LOW)
IKE CGA version 1
[+] The IKE service could be fingerprinted by analysing the responses received (Risk: LOW): Linksys Etherfast
iker finished at Fri, 08 Oct 2021 18:47:35 +0000