IKECrack – IKE/IPSec Authentication Cracking Tool


IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

  1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
  2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
  3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

  • MDCrack
  • Ron Rivest’s MD5
  • Simeon Pilgrim’s Reverse MD5
  • MD5 and HMAC-MD5 PerlMods
  • libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

Posted in: Hacking News

,


Latest Posts:


Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.
Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)


Comments are closed.