psk-crack – Crack IKE Aggressive Mode Pre-Shared Keys
psk-crack attempts to crack IKE Aggressive Mode pre-shared keys that have previously been gathered using ike-scan with the --pskcrack option.

psk-crack can operate in two different modes:

1) Dictionary cracking mode: this is the default mode, in which psk-crack tries each candidate word from the dictionary file in turn until it finds a match, or all the words in the dictionary have been tried.

2) Brute-force cracking mode: in this mode, psk-crack tries all possible combinations of a specified character set up to a given length.
psk-crack [options] <psk-parameters-file>
<psk-parameters-file> is a file containing the parameters for the pre-shared key cracking process in the format generated by ike-scan with the --pskcrack (-P) option. This file can contain one or more entries. For multiple entries, each one must be on a separate line.

The program can crack either MD5 or SHA1-based hashes. The type of hash is automatically determined from the length of the hash (16 bytes for MD5 or 20 bytes for SHA1). Each entry in the <psk-parameters-file> is handled separately, so it is possible to crack a mixture of MD5 and SHA1 hashes.

psk-crack can also crack the proprietary hash format used by Nortel Contivity / VPN Router systems. When cracking Nortel format hashes, you need to specify the username of the hash that you are cracking with the --norteluser (-u) option. When cracking Nortel format hashes, you can only crack one hash at a time.

By default, psk-crack will perform dictionary cracking using the default dictionary. The dictionary can be changed with the --dictionary (-d) option, or brute-force cracking can be selected with the --bruteforce (-B) option.
--help or -h
    Display this usage message and exit.

--version or -V
    Display program version and exit.

--verbose or -v
    Display verbose progress messages.

--dictionary=<f> or -d <f>
    Set dictionary file to <f>. The default is /usr/local/share/ike-scan/psk-crack-dictionary.

--norteluser=<u> or -u <u>
    Specify the username for Nortel Contivity cracking. This option is required when cracking pre-shared keys on Nortel Contivity / VPN Router systems. These systems use a proprietary method to calculate the hash that includes the username. This option is only needed when cracking Nortel format hashes, and should not be used for standard format hashes.

--bruteforce=<n> or -B <n>
    Select bruteforce cracking up to <n> characters.

--charset=<s> or -c <s>
    Set bruteforce character set to <s>. Default is "0123456789abcdefghijklmnopqrstuvwxyz".
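The check psk-crack runs against each entry is the RFC 2409 aggressive-mode responder hash, which is why a captured exchange can be attacked offline and why the hash length alone selects MD5 or SHA1. The following is an added illustration, not code from ike-scan or psk-crack: it assumes the colon-separated hex field order g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r for a --pskcrack entry, and builds its own constructed sample entry rather than using a real capture.

```python
import hashlib
import hmac
import secrets

# Field order of one ike-scan --pskcrack entry (assumed here; all values hex,
# colon separated): g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

def parse_entry(line):
    """Split one entry into a dict of raw bytes, one key per field."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))

def hash_r_for_psk(entry, psk):
    """RFC 2409 aggressive-mode responder hash for a candidate PSK:
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g_xr | g_xi | CKY-R | CKY-I | SAi_b | IDir_b)
    The prf is HMAC-MD5 or HMAC-SHA1, picked from the captured hash length
    as the description above says psk-crack does (16 -> MD5, 20 -> SHA1)."""
    digest = {16: hashlib.md5, 20: hashlib.sha1}[len(entry["hash_r"])]
    skeyid = hmac.new(psk, entry["ni_b"] + entry["nr_b"], digest).digest()
    msg = b"".join(entry[k] for k in FIELDS[:6])
    return hmac.new(skeyid, msg, digest).digest()

def crack_entry(line, candidates):
    """Dictionary mode: return the first candidate whose HASH_R matches, else None."""
    entry = parse_entry(line)
    for word in candidates:
        if hmac.compare_digest(hash_r_for_psk(entry, word.encode()), entry["hash_r"]):
            return word
    return None

def make_sample_entry(psk, digest=hashlib.sha1):
    """Constructed test data (not a real capture): random handshake values plus
    the HASH_R a responder using `psk` would have sent for them."""
    sizes = {"g_xr": 128, "g_xi": 128, "cky_r": 8, "cky_i": 8,
             "sai_b": 40, "idir_b": 8, "ni_b": 20, "nr_b": 20}
    entry = {k: secrets.token_bytes(n) for k, n in sizes.items()}
    skeyid = hmac.new(psk.encode(), entry["ni_b"] + entry["nr_b"], digest).digest()
    entry["hash_r"] = hmac.new(skeyid, b"".join(entry[k] for k in FIELDS[:6]), digest).digest()
    return ":".join(entry[k].hex() for k in FIELDS)

if __name__ == "__main__":
    sample = make_sample_entry("hello1")
    print("recovered:", crack_entry(sample, ["password", "vpn", "hello1"]))
```

Because the only secret input to HASH_R is the PSK, everything else being visible on the wire, the cost of recovering a key is set entirely by the PSK's strength; that is the mitigation a defender controls.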
If you are familiar with ike-scan and you have NVidia card(s), you might be interested in cracking Pre-Shared Keys with your GPU(s).
The CUDA/GPU implementation and this code must not be considered optimized. Cracking this PSK could be nice.
To give you an idea of the improvement, brute-forcing the PSK “hello1” requires about:
2 hours and 50 minutes with CPU (HP EliteBook 8440p – 2.5GHz Intel Core 5)
2 minutes and 40 seconds with GPUs (GT 650 M + GTX 480)
It’s not that bad for a first try, even if the occupancy rate of the cards is low.
Sample output with GPU:
cyborg@cyborg:~$ time mp64.bin -i -1 ?l?d ?1?1?1?1?1?1 | psk-crack --gpu /tmp/psk_sha1
Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/)
Running in brute-force cracking mode
GPU Mode: on
CUDA-capable device count: 2
- GPU : "GeForce GT 650M"
- GPU : "GeForce GTX 480"
Init GPU(s) and structures
- GPU is ready
- GPU is ready
Running ...
MATCH 'hello1'
Clean up GPU(s)
- GPU
- GPU

real    2m39.148s
user    2m58.950s
sys     0m8.720s
Same test on CPU:
cyborg@cyborg:~$ time psk-crack -b 6 -c abcdefghijklmnopqrstuvwxyz0123456789 /tmp/psk_sha1
Starting psk-crack [ike-scan 1.9] (http://www.nta-monitor.com/tools/ike-scan/)
Running in brute-force cracking mode
Brute force with 36 chars up to length 6 will take up to 2176782336 iterations
key "hello1" matches SHA1 hash 6b7c8600c2348d5235fe2b02f6e7f9919032c323
Ending psk-crack: 1656629000 iterations in 10200.623 seconds (162404.69 iterations/sec)

real    170m0.625s
user    169m46.849s
sys     0m5.552s