IKECrack – IKE/IPSec Authentication Cracking Tool


IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

  1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
  2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
  3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

  • MDCrack
  • Ron Rivest’s MD5
  • Simeon Pilgrim’s Reverse MD5
  • MD5 and HMAC-MD5 PerlMods
  • libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

Posted in: Hacking News

,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


Comments are closed.