IPSec
IP Security

IKE

Get Transform Set

Using ikeforce.py:
$ sudo python ikeforce.py 10.10.13.37 -a
Using ike-scan via brute force. Generate list of all transform-sets:
$ for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "$ENC,$HASH,$AUTH,$GROUP" >> trans-dict.txt; done; done; done; done
Brute force supported transform-sets:
$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M --trans=$t 10.10.13.37) |grep -B14 "1 returned handshake" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or (for aggressive mode)
$ while read t; do (echo "[+] Valid trans-set: $t"; sudo ike-scan -M -A -P'handshake.txt' -n FAKEID --trans=$t 10.10.13.37) |grep -B7 "SA=" |grep "Valid trans-set" |tee -a trans.txt; done < trans-dict.txt
Or
$ sudo python ikeforce.py -s1 -a 10.10.13.37 # -s1 for max speed

Get Vendor Info

Get information about vendor:
$ sudo ike-scan -M --showbackoff [--trans=<TRANSFORM-SET>] 10.10.13.37

Test for Aggressive Mode

Test for aggressive mode ON:
$ sudo ike-scan -M -A -P -n FAKEID [--trans=<TRANSFORM-SET>] 10.10.13.37

Brute Force Group ID

If no hash value is returned then brute force is (maybe also) possible:
$ while read id; do (echo "[+] Valid ID: $id" && sudo ike-scan -M -A -n $id --trans=<TRANSFORM-SET> 10.10.13.37) | grep -B14 "1 returned handshake" | grep "Valid ID" |tee -a group-id.txt; done < dict.txt
Or
$ sudo python ikeforce.py 10.10.13.37 -e -w wordlists/groupnames.dic -t <TRANSFORM-SET-IN-SEPARATE-ARGS>
Dictionaries:
  • /usr/share/seclists/Miscellaneous/ike-groupid.txt
  • ~/tools/ikeforce/wordlists/groupnames.dic
Copy link
On this page
IKE
Get Transform Set
Get Vendor Info
Test for Aggressive Mode
Brute Force Group ID