ike-scan - Discover and fingerprint IKE hosts (IPsec VPN servers)

ike-scan [options] [hosts...]

Target hosts must be specified on the command line unless the --file option is specified.

ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.

ike-scan does two things:

1)

Discovery: Determine which hosts are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.

2)

Fingerprinting: Determine which IKE implementation the hosts are using. There are several ways to do this: (a) Backoff fingerprinting - recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; (b) vendor id fingerprinting - matching the vendor-specific vendor IDs against known vendor ID patterns; and (c) proprietary notify message codes.

The retransmission backoff fingerprinting concept is discussed in more detail in the UDP backoff fingerprinting paper which should be included in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.

The program sends IKE Phase-1 requests to the specified hosts and displays any responses that are received. It handles retry and retransmission with backoff to cope with packet loss. It also limits the amount of bandwidth used by the outbound IKE packets.

IKE is the Internet Key Exchange protocol which is the key exchange and authentication mechanism used by IPsec. Just about all modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange.

Phase-1 has two modes: Main Mode and Aggressive Mode. ike-scan supports both Main and Aggressive mode, and uses Main Mode by default. RFC 2409 (IKE) section 5 specifies that main mode must be implemented, therefore all IKE implementations can be expected to support main mode.

--help or -h

Display this usage message and exit.

--file=<fn> or -f <fn>

Read hostnames or addresses from the specified file instead of from the command line. One name or IP address per line. Use "-" for standard input.

--sport=<p> or -s <p>

Set UDP source port to <p>, default=500, 0=random. Some IKE implementations require the client to use UDP source port 500 and will not talk to other ports. Note that superuser privileges are normally required to use non-zero source ports below 1024. Also only one process on a system may bind to a given source port at any one time.

--dport=<p> or -d <p>

Set UDP destination port to <p>, default=500. UDP port 500 is the assigned port number for ISAKMP and this is the port used by most if not all IKE implementations.

--retry=<n> or -r <n>

Set total number of attempts per host to <n>, default=3.

--timeout=<n> or -t <n>

Set initial per host timeout to <n> ms, default=500. This timeout is for the first packet sent to each host. subsequent timeouts are multiplied by the backoff factor which is set with --backoff.

--interval=<n> or -i <n>

Set minimum packet interval to <n> ms, default=75. This controls the outgoing bandwidth usage by limiting the rate at which packets can be sent. The packet interval will be no smaller than this number. The outgoing packets have a total size of 364 bytes (20 bytes IP hdr + 8 bytes UDP hdr + 336 bytes data) when the default transform set is used, or 112 bytes if a custom transform is specified. Therefore for default transform set: 50=58240bps, 80=36400bps and for custom transform: 15=59733bps, 30=35840bps.

--backoff=<b> or -b <b>

Set timeout backoff factor to <b>, default=1.50. The per-host timeout is multiplied by this factor after each timeout. So, if the number of retrys is 3, the initial per-host timeout is 500ms and the backoff factor is 1.5, then the first timeout will be 500ms, the second 750ms and the third 1125ms.

--verbose or -v

Display verbose progress messages. Use more than once for greater effect: 1 - Show when each pass is completed and when packets with invalid cookies are received. 2 - Show each packet sent and received and when hosts are removed from the list. 3 - Display the host, Vendor ID and backoff lists before scanning starts.

--quiet or -q

Don't decode the returned packet. This prints less protocol information so the output lines are shorter.

--multiline or -M

Split the payload decode across multiple lines. With this option, the decode for each payload is printed on a seperate line starting with a TAB. This option makes the output easier to read, especially when there are many payloads.

--lifetime=<s> or -l <s>

Set IKE lifetime to <s> seconds, default=28800. RFC 2407 specifies 28800 as the default, but some implementations may require different values. If you specify 0, then no lifetime will be specified. You can use this option more than once in conjunction with the --trans options to produce multiple transform payloads with different lifetimes. Each --trans option will use the previously specified lifetime value.

--lifesize=<s> or -z <s>

Set IKE lifesize to <s> Kilobytes, default=0. If you specify 0, then no lifesize will be specified. You can use this option more than once in conjunction with the --trans options to produce multiple transform payloads with different lifesizes. Each --trans option will use the previously specified lifesize value.

--auth=<n> or -m <n>

Set auth. method to <n>, default=1 (pre-shared key). RFC defined values are 1 to 5. See RFC 2409 Appendix A. Checkpoint hybrid mode is 64221. GSS (Windows "Kerberos") is 65001. XAUTH uses 65001 to 65010.

--version or -V

Display program version and exit.

--vendor=<v> or -e <v>

Set vendor id string to hex value <v>. You can use this option more than once to send multiple vendor ID payloads.

--trans=<t> or -a <t>

Use custom transform <t> instead of default set. <t> is specified as enc[/len],hash,auth,group. Where enc is the encryption algorithm, len is the key length for variable length ciphers, hash is the hash algorithm, and group is the DH Group. See RFC 2409 Appendix A for details of which values to use. For example, --trans=5,2,1,2 specifies Enc=3DES-CBC, Hash=SHA1, Auth=shared key, DH Group=2 and --trans=7/256,1,1,5 specifies Enc=AES-256, Hash=MD5, Auth=shared key, DH Group=5 You can use this option more than once to send an arbitary number of custom transforms.

--showbackoff[=<n>] or -o[<n>]

Display the backoff fingerprint table. Display the backoff table to fingerprint the IKE implementation on the remote hosts. The optional argument specifies time to wait in seconds after receiving the last packet, default=60. If you are using the short form of the option (-o) then the value must immediately follow the option letter with no spaces, e.g. -o25 not -o 25.

--fuzz=<n> or -u <n>

Set pattern matching fuzz to <n> ms, default=100. This sets the maximum acceptable difference between the observed backoff times and the reference times in the backoff patterns file. Larger values allow for higher variance but also increase the risk of false positive identifications. Any per-pattern-entry fuzz specifications in the patterns file will override the value set here.

--patterns=<f> or -p <f>

Use IKE patterns file <f>, default=/usr/local/share/ike-scan/ike-backoff-patterns. This specifies the name of the file containing IKE backoff patterns. This file is only used when --showbackoff is specified.

--vidpatterns=<f> or -I <f>

Use Vendor ID patterns file <f>, default=/usr/local/share/ike-scan/ike-vendor-ids. This specifies the name of the file containing Vendor ID patterns. These patterns are used for Vendor ID fingerprinting.

--aggressive or -A

Use IKE Aggressive Mode (The default is Main Mode) If you specify --aggressive, then you may also specify --dhgroup, --id and --idtype. If you use custom transforms with aggressive mode with the --trans option, note that all transforms should have the same DH Group and this should match the group specified with --dhgroup or the default if --dhgroup is not used.

--id=<id> or -n <id>

Use <id> as the identification value. This option is only applicable to Aggressive Mode. <id> can be specified as a string, e.g. --id=test or as a hex value with a leading "0x", e.g. --id=0xdeadbeef.

--idtype=n or -y n

Use identification type <n>. Default 3 (ID_USER_FQDN). This option is only applicable to Aggressive Mode. See RFC 2407 4.6.2 for details of Identification types.

--dhgroup=n or -g n

Use Diffie Hellman Group <n>. Default 2. This option is only applicable to Aggressive Mode where it is used to determine the size of the key exchange payload. Acceptable values are 1,2,5,14,15,16,17,18 (MODP only).

--gssid=<n> or -G <n>

Use GSS ID <n> where <n> is a hex string. This uses transform attribute type 16384 as specified in draft-ietf-ipsec-isakmp-gss-auth-07.txt, although Windows-2000 has been observed to use 32001 as well. For Windows 2000, you'll need to use --auth=65001 to specify Kerberos (GSS) authentication.

--random or -R

Randomise the host list. This option randomises the order of the hosts in the host list, so the IKE probes are sent to the hosts in a random order. It uses the Knuth shuffle algorithm.

--tcp[=n] or -T[n]

Use TCP transport instead of UDP. This allows you to test a host running IKE over TCP. You won't normally need this option because the vast majority of IPsec systems only support IKE over UDP. The optional value <n> specifies the type of IKE over TCP. There are currently two possible values: 1 = RAW IKE over TCP as used by Checkpoint (default); 2 = Encapsulated IKE over TCP as used by Cisco. If you are using the short form of the option (-T) then the value must immediately follow the option letter with no spaces, e.g. -T2 not -T 2. You can only specify a single target host if you use this option.

--tcptimeout=n or -O n

Set TCP connect timeout to n seconds (default=10). This is only applicable to TCP transport mode.

--pskcrack[=f] or -P[f]

Crack aggressive mode pre-shared keys. This option outputs the aggressive mode pre-shared key (PSK) parameters for offline cracking using the "psk-crack" program that is supplied with ike-scan. You can optionally specify a filename, "f", to write the PSK parameters to. If you do not specify a filename then the PSK parameters are written to standard output. If you are using the short form of the option (-P) then the value must immediately follow the option letter with no spaces, e.g. -Pfile not -P file. You can only specify a single target host if you use this option. This option is only applicable to IKE aggressive mode.

--nodns or -N

Do not use DNS to resolve names. If you use this option, then all hosts must be specified as IP addresses.

/usr/local/share/ike-scan/ike-backoff-patterns

List of UDP backoff patterns. Used when the --showbackoff option is specified.

/usr/local/share/ike-scan/ike-vendor-ids

List of known Vendor ID patterns.

Roy Hills <Roy.Hills@nta-monitor.com>