Jump to content
Nytro

IKECrack

By Nytro, in Programe hacking

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=3]IKECrack[/h]IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

Our SourceForge development area is at IKECrack | Free Security & Utilities software downloads at SourceForge.net

[h=4]Presentation Materials and Additional Tools[/h] My ToorCon 2K2 preso on IKE hacking can be downloaded here

The IKEProber tool mentioned in the preso can be downloaded here

[h=4]IKE Agressive Mode BruteForce Summary[/h] Aggressive Mode IKE authentication is composed of the following steps:

1 - Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.

2 - Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].

3 - The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

[h=4]Project Details[/h] IKECrack utilizes components from the following OpenSource/PublicDomain programs

MDCrack

HiFn Linux Drivers - HiFn makes one of the better commercial encryption/compression accelerators. I have access to 7751 based PCI cards, and plan one for offloading MD5, SHA1,DES, and 3DES

Author: Anton T. Rager Ron Rivest's MD5

Simeon Pilgrim's Reverse MD5

MD5 and HMAC-MD5 PerlMods

libpcap

[h=4]Performance[/h] Initial tesing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5's, and 4 64 byte XORs....but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I'm hoping that Simeon Pilgrim's MD5 routines will speed this up a bit more.

[h=4]Cool Links[/h] Other projects we are considering integrating into IKECrack

dkbf - An open source distributed NT LANMan/Hash cracker using MPI - An IKECrack cluster!

Download:

http://sourceforge.net/projects/ikecrack/files/latest/download

Sursa: IKECrack - Bruteforce crack for IPSec

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...