ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.

ike-scan allows you to:

  • Send IKE packets to any number of destination hosts, using a configurable output bandwidth or packet rate.

    This is useful for VPN detection, when you may need to scan large address spaces.

  • Construct the outgoing IKE packet in a flexible way.

    This includes IKE packets which do not comply with the RFC requirements.

  • Decode and display any returned packets.

  • Crack aggressive mode pre-shared keys.

    You can use ike-scan to obtain the PSK hash data, and then use psk-crack to obtain the key.


Introduction to IPsec

[Figure: IPsec Protocol Hierarchy Diagram]

IPsec is a group of protocols rather than a single protocol.

As the diagram shows, there are three main protocols used by IPsec: IKE, AH and ESP. IKE provides authentication and key exchange, and AH and ESP are used to send the data over the VPN connection. Some old implementations used “manual IPsec” connections which did not require the use of IKE. However, these are now obsolete and all modern IPsec systems use IKE. Of these three protocols, IKE is by far the most complex. In this document we are only concerned with the IKE protocol, so we will not cover AH or ESP any further.

The use of IKE to authenticate and exchange key material for an ESP or AH connection is a two-phase process. Phase-1 authenticates the peers and establishes a secure channel (called an IKE SA) for Phase-2, which negotiates the IPsec mode and establishes a secure channel for the AH or ESP traffic called an IPsec SA.

Phase-1 can run in one of two modes: either Main Mode or Aggressive Mode, whereas Phase-2 only has a single mode called Quick Mode. When testing IPsec VPN systems you will be dealing primarily with IKE Phase-1, as Phase-2 is only accessible upon successful authentication. For the remainder of this document, we will only be considering IKE Phase-1.

Main Mode is the standard Phase-1 mode, and all IKE implementations must support it. Main Mode provides identity protection by not passing the identities until the channel is encrypted, and also avoids some denial of service attacks by performing a proof of liveness check before undertaking the expensive Diffie-Hellman exponentiation.

Aggressive Mode is an optional Phase-1 mode, which not all implementations support. It is a simpler exchange, requiring fewer packets, but is less flexible than Main Mode and also has a number of security weaknesses. The main use of Aggressive Mode in practice is to allow Pre-Shared Key authentication for remote access solutions. Because of the way the keying material is calculated, it is not possible to use Main Mode with PSK authentication unless the IP address of the initiator is known beforehand (which is not normally the case in a remote access situation).
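To make the Phase-1 structure above concrete from the defender's side, here is an added example (not code from the page or from the ike-scan project) that decodes the fixed 28-byte ISAKMP header of an IKEv1 packet, walks its generic payload chain, and flags the first packet of an Aggressive Mode exchange (exchange type 4 with a still-zero responder cookie), which is the event worth logging given the PSK exposure described above. The two sample packets are constructed fixtures with placeholder payload bodies; the constants are taken from RFC 2408 and RFC 2407.

```python
import struct

# ISAKMP exchange types (RFC 2408, section 3.1). Main Mode is exchange
# type 2 ("Identity Protection"); Aggressive Mode is exchange type 4.
EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}

# ISAKMP payload types (RFC 2408, section 3.1).
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N",
    12: "D", 13: "VID",
}

ISAKMP_HEADER_LEN = 28  # fixed-size header that precedes the payload chain
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp(data):
    """Decode the ISAKMP header and walk the generic payload headers.

    Returns header fields plus the ordered payload names. Raises ValueError
    on truncation or inconsistent length fields (the kind of non-RFC packet
    the page says ike-scan is able to send).
    """
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type, flags,
     msg_id, _length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if version >> 4 != 1:
        raise ValueError("not IKEv1/ISAKMP (major version %d)" % (version >> 4))
    if _length != len(data):
        raise ValueError("header length %d != datagram length %d" % (_length, len(data)))

    payloads, offset, ptype = [], ISAKMP_HEADER_LEN, next_payload
    while ptype != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        payloads.append(PAYLOAD_TYPES.get(ptype, "UNKNOWN(%d)" % ptype))
        offset += plen
        ptype = nxt

    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "version": (version >> 4, version & 0x0F),
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, "UNKNOWN(%d)" % exch_type),
        "flags": flags,
        "message_id": msg_id,
        "payloads": payloads,
    }


def is_aggressive_mode_initiation(pkt):
    """First packet of an Aggressive Mode exchange: type 4, responder cookie
    still all zeros. This is where PSK hash material becomes visible, so it
    is the Phase-1 event a defender most wants to log or alert on."""
    return pkt["exchange_type"] == 4 and pkt["responder_cookie"] == ZERO_COOKIE


def build_sample_packet(exchange_type, payloads, icookie, rcookie=ZERO_COOKIE):
    """Assemble a test fixture (header + payload chain). Only the framing is
    realistic; payload bodies are whatever the caller supplies."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10,
                         exchange_type, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed sample: Aggressive Mode initiator packet with SA, KE, NONCE, ID.
# KE and NONCE bodies are filler bytes, not real Diffie-Hellman or nonce data.
SAMPLE_AGGRESSIVE = build_sample_packet(
    4,
    [(1, b"\x00\x00\x00\x01\x00\x00\x00\x01"),   # SA: DOI=IPsec, SIT_IDENTITY_ONLY
     (4, b"\xaa" * 16),                          # KE: placeholder public value
     (10, b"\xbb" * 16),                         # NONCE: placeholder nonce
     (5, b"\x03\x00\x00\x00" + b"user@example.com")],  # ID: ID_USER_FQDN
    icookie=bytes.fromhex("0123456789abcdef"),   # constructed cookie
)

# Constructed sample: Main Mode first packet, which carries only an SA payload.
SAMPLE_MAIN = build_sample_packet(
    2, [(1, b"\x00\x00\x00\x01\x00\x00\x00\x01")],
    icookie=bytes.fromhex("fedcba9876543210"),   # constructed cookie
)

if __name__ == "__main__":
    for raw in (SAMPLE_AGGRESSIVE, SAMPLE_MAIN):
        pkt = parse_isakmp(raw)
        print("%s payloads=%s aggressive_init=%s" % (
            pkt["exchange_name"], ",".join(pkt["payloads"]),
            is_aggressive_mode_initiation(pkt)))
```

Feed `parse_isakmp` the UDP/500 payload from a capture and the payload list alone tells you which Phase-1 mode a peer is using: a Main Mode opener carries only an SA payload, whereas an Aggressive Mode opener already carries KE, NONCE and ID in the clear, which is why the identity protection and liveness check of Main Mode are absent there.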


Usage and examples:

Visit: http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide



©2018 Ztrela Knowledge Solutions Pvt. Ltd
