Ike Hacking Toorcon2k2

8/6/2019 Ike Hacking Toorcon2k2

http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 1/17

IPSec/IKE Protocol HackingIPSec/IKE Protocol Hacking

ToorCon 2K2ToorCon 2K2 ± ± San Diego, CASan Diego, CA

IPSec/IKE Protocol HackingIPSec/IKE Protocol Hacking

ToorCon 2K2ToorCon 2K2 ± ± San Diego, CASan Diego, CA

Anton Rager

Sr. Security Consultant

Avaya Security Consulting



2

Agenda

� IKE Overview and Protocol

Weaknesses

� Vendor Implementation Problems

� IKE Tools discussion and demo



3

SA_R+KE_R+Nonce_R+ID_R+Hash_R

SA_I+KE_I+Nonce_I+ID_I

[Hash_I]

Initiator

Cookie_I

Responder

Cookie_R

� Note: Aggressive uses ID that is independent of

initiator IP

Aggressive Mode IKE



4

SA_R

SA_I

KE_I+Nonce_I

Initiator

Cookie_I

Responder

Cookie_R

KE_R+Nonce_R

[ID_I]

[ID_R]

[Hash_I]

[Hash_R]

Main Mode IKE

� Note: ID is normally IP address of each endpoint



5

Aggressive Mode ID

� ID sent in clear- Well known problem

� IETF specifies that aggressive mode will send

ID [UserID or GroupID] in clear � Eavesdropper can collect remote access user

IDs

� Some vendors have proprietary ways of

hashing ID when using their client to hide ID� Interoperability [SafeNet/PGPNet] requires

IETF adherence ± ID leakage



6

Aggressive Mode PSK Attacks

� PSK [password or shared-secret]authentication uses a hash sent in the clear

� HASH is derived from public exchanged info+ PSK

� Bruteforce/Dictionary attacks possible againstHASH as a passive listener

� Some vendors use DH private value for hashderivation to prevent passive attacks ± attackmust be active MITM with knowledge of hashing method



7

SA_R+KE_R+Nonce_R+ID_R +Hash_R

SA_I+KE_I+Nonce_I+ID_I

[Hash_I]

Initiator

Cookie_I

Responder

Cookie_R

Attack ProcessAggressive PSK Cracking

Assume MD5-HMAC for Hash function ± based on hash in SA

Responder Hash:

HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I +

Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I +

init SA header + resp ID header)



8

Aggressive Mode ID Enumeration

� IKE protocol specification does not discusshow invalid ID should be handled. Many

implementations respond with an invalid IDduring the initial IKE negotiation ± others justdon¶t respond

� This can allow an active dictionary/bruteforce

enumeration� Submit IKE initiator frame to concentrator withguessed ID. Concentrator will tell you if guess is wrong

� Vendor Workarounds: Obfuscation responses



9

Main Mode PSK Attacks

� Similar problem to aggressive mode,except HASH is passed encrypted.

� Main Mode requires an active or MITMattack to attack PSK to derive DH secret

� IDs are normally the IPs of endpoints

� We will guess the PSK and try todetermine the encryption key for the 1st

encrypted packet



10

SA_R

SA_I

KE_I+Nonce_I

Initiator

Cookie_I

Responder

(Attacker)

Cookie_R

KE_R+Nonce_R

[ ID_I ]

[ ID_R ]

[Hash_I]

[Hash_R]

Attack ProcessMain Mode PSK Cracking



11

� Collect public IKE values [Nonces, DH Publicvalues, Cookies, headers, etc] and assume

IDs are IP endpoint IPs� Collect 1ST encrypted packet

� Calculate DH Secret

� Choose PSK value and calculate SYKEYID,

SKEYID_d, KEYID_a, KEYID_e� Generate IV from hash of DH Public values

� Decrypt packet with IV and SKEYID_e ±check for known plaintext to validate

Attack ProcessMain Mode PSK Cracking



12

Main Mode Policy Enumeration

� Similar to aggressive mode ID enumeration

� Peer will only respond to valid IP address that

has a defined policy� Attacker can send spoofed init frames to

³peer´ to search IP address space

� Correct IP will cause an SA proposal reply

from ³peer´� Some vendors will send a ³no proposal

choosen´ if SA is from invalid host



13

Implementation Vulnerabilities

� Cisco VPN Client 3.5

� Cisco VPN Client 1.1

� SafeNet/IRE SoftPK and SoftRemote

� PGPFreeware 7.03 - PGPNet



14

Tools

� IKECrack ± aggressive mode PSK

cracker

� IKEProbe ± IKE packet mangler



15

IKECrack http://ikecrack.sourceforge.net

� IKE PSK Cracker ± dictionary, hybrid, brute

� Simplistic implementation ± Aggressive mode

only� Must use IETF HASH_R calculations (RFC

2409)

� MD5 HMAC only ± 93K kps on 1.8ghz P4

� PERL script that requires HMAC PerlMod anduses tcpdump ±x output for capture ± It¶s ahack, but it works.



16

IKEProber http://ikecrack.sourceforge.net

� Command-line utility for building arbitrary IKEpackets

� Supports common IKE options and allowsuser specified data or repeated chars

� Useful for finding BoF problems with optionparsing ± Used to find Cisco/PGPNet/Safenet

probs� Perl based and requires NetCat in Unix --

Also a hack.

� Can also be used for user enumeration



17

Contact Info

� IKE Tools and preso Download

http://ikecrack.sourceforge.net

� Anton Rager [email protected]

� Code criticism: This is proof-of-concept

stuff -- fix it yourself

Documents

Ike Hacking Toorcon2k2