psk-crack – Crack IKE Aggressive Mode Pre-Shared Keys

psk-crack attempts to crack IKE Aggressive Mode pre-shared keys that have previously been gathered using ike-scan with the –pskcrack option. psk-crack can operate in two different modes: 1) Dictionary cracking mode: this is the default mode in which psk- crack tries each candidate word from the dictionary file in turn until it finds a match, or all the words in the dictionary have been tried. 2) Brute-force cracking mode: in this mode, psk-crack tries all possible combinations of a specified character set up to a given length.


psk-crack [options] <psk-parameters-file>

<psk-parameters-file>  is a file containing the parameters for the pre-
       shared key cracking process in the format generated  by  ike-scan  with
       the --pskcrack (-P) option.  This file can contain one or more entries.
       For multiple entries, each one must be on a separate line.

       The program can crack either MD5 or SHA1-based  hashes.   The  type  of
       hash  is automatically determined from the length of the hash (16 bytes
       for MD5 or 20 bytes for SHA1).  Each entry in the <psk-parameters-file>
       is  handled separately, so it is possible to crack a mixture of MD5 and
       SHA1 hashes.

       psk-crack can also crack the proprietary hash  format  used  by  Nortel
       Contivity  /  VPN  Router systems.  When cracking Nortel format hashes,
       you need to specify the username of the hash that you are cracking with
       the  --norteluser (-u) option.  When cracking Nortel format hashes, you
       can only crack one hash at a time.

       By default,  psk-crack  will  perform  dictionary  cracking  using  the
       default   dictionary.    The   dictionary   can  be  changed  with  the
       --dictionary (-d) option, or brute-force cracking can be selected  with
       the --bruteforce (-B) option.


       --help or -h
              Display this usage message and exit.

       --version or -V
              Display program version and exit.

       --verbose or -v
              Display verbose progress messages.

       --dictionary=<f> or -d <f>
              Set    dictionary    file    to    <f>.     The    default    is

       --norteluser=<u> or -u <u>
              Specify the username for Nortel Contivity cracking.  This option
              is required when cracking pre-shared keys on Nortel Contivity  /
              VPN  Router  systems.  These systems use a proprietary method to
              calculate the hash that includes the username.  This  option  is
              only  needed  when cracking Nortel format hashes, and should not
              be used for standard format hashes.

       --bruteforce=<n> or -B <n>
              Select bruteforce cracking up to <n> characters.

       --charset=<s> or -c <s>
              Set   bruteforce   character   set    to    <s>    Default    is


If you are familiar with ike-scan and you hold NVidia card(s), you could be interested by cracking Pre-Shared Keys with your GPU(s).

 CUDA/GPU implementation and this code must not be considered as optimized.  Cracking this PSK could be nice  .

To give you an idea of the improvement, brute-forcing the PSK “hello1“requires about:

  • 2 hours and 50 minutes with CPU (HP EliteBook 8440p – 2.5GHz Intel Core 5)

  • 2 minutes and 40  seconds with GPUs (GT 650 M + GTX 480)

It’s not that bad for a first try, even if the occupancy rate of the cards is low.


Sample output with GPU:

cyborg@cyborg:~$ time mp64.bin -i -1 ?l?d ?1?1?1?1?1?1 | psk-crack --gpu /tmp/psk_sha1 Starting psk-crack [ike-scan 1.9] ( Running in brute-force cracking mode GPU Mode: on CUDA-capable device count: 2 - GPU[0] : "GeForce GT 650M" - GPU[1] : "GeForce GTX 480" Init GPU(s) and structures - GPU[0] is ready - GPU[1] is ready Running ... MATCH 'hello1' Clean up GPU(s) - GPU[0] - GPU[1] 
 real 2m39.148s
 user 2m58.950s
 sys 0m8.720s

Same test on CPU

cyborg@cyborg:~$ time psk-crack -b 6 -c abcdefghijklmnopqrstuvwxyz0123456789 /tmp/psk_sha1
Starting psk-crack [ike-scan 1.9] (
Running in brute-force cracking mode
Brute force with 36 chars up to length 6 will take up to 2176782336 iterations
key "hello1" matches SHA1 hash 6b7c8600c2348d5235fe2b02f6e7f9919032c323
Ending psk-crack: 1656629000 iterations in 10200.623 seconds (162404.69 iterations/sec)

real	170m0.625s
user	169m46.849s
sys	0m5.552s

Leave a reply


We're are building as a community and a team. Be a part of it.


©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?