IKECrack – IKE/IPSec Authentication Cracking Tool

Outsmart Malicious Hackers


IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

  1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
  2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
  3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

  • MDCrack
  • Ron Rivest’s MD5
  • Simeon Pilgrim’s Reverse MD5
  • MD5 and HMAC-MD5 PerlMods
  • libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

Posted in: Hacking News

,


Latest Posts:


CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.
MyEtherWallet DNS Hack Causes 17 Million USD User Loss MyEtherWallet DNS Hack Causes 17 Million USD User Loss
Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.


Comments are closed.