Transcript
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 1/17
IPSec/IKE Protocol HackingIPSec/IKE Protocol Hacking
ToorCon 2K2ToorCon 2K2 ± ± San Diego, CASan Diego, CA
IPSec/IKE Protocol HackingIPSec/IKE Protocol Hacking
ToorCon 2K2ToorCon 2K2 ± ± San Diego, CASan Diego, CA
Anton Rager
Sr. Security Consultant
Avaya Security Consulting
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 2/17
2
Agenda
� IKE Overview and Protocol
Weaknesses
� Vendor Implementation Problems
� IKE Tools discussion and demo
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 3/17
3
SA_R+KE_R+Nonce_R+ID_R+Hash_R
SA_I+KE_I+Nonce_I+ID_I
[Hash_I]
Initiator
Cookie_I
Responder
Cookie_R
� Note: Aggressive uses ID that is independent of
initiator IP
Aggressive Mode IKE
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 4/17
4
SA_R
SA_I
KE_I+Nonce_I
Initiator
Cookie_I
Responder
Cookie_R
KE_R+Nonce_R
[ID_I]
[ID_R]
[Hash_I]
[Hash_R]
Main Mode IKE
� Note: ID is normally IP address of each endpoint
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 5/17
5
Aggressive Mode ID
� ID sent in clear- Well known problem
� IETF specifies that aggressive mode will send
ID [UserID or GroupID] in clear � Eavesdropper can collect remote access user
IDs
� Some vendors have proprietary ways of
hashing ID when using their client to hide ID� Interoperability [SafeNet/PGPNet] requires
IETF adherence ± ID leakage
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 6/17
6
Aggressive Mode PSK Attacks
� PSK [password or shared-secret]authentication uses a hash sent in the clear
� HASH is derived from public exchanged info+ PSK
� Bruteforce/Dictionary attacks possible againstHASH as a passive listener
� Some vendors use DH private value for hashderivation to prevent passive attacks ± attackmust be active MITM with knowledge of hashing method
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 7/17
7
SA_R+KE_R+Nonce_R+ID_R +Hash_R
SA_I+KE_I+Nonce_I+ID_I
[Hash_I]
Initiator
Cookie_I
Responder
Cookie_R
Attack ProcessAggressive PSK Cracking
Assume MD5-HMAC for Hash function ± based on hash in SA
Responder Hash:
HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I +
Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I +
init SA header + resp ID header)
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 8/17
8
Aggressive Mode ID Enumeration
� IKE protocol specification does not discusshow invalid ID should be handled. Many
implementations respond with an invalid IDduring the initial IKE negotiation ± others justdon¶t respond
� This can allow an active dictionary/bruteforce
enumeration� Submit IKE initiator frame to concentrator withguessed ID. Concentrator will tell you if guess is wrong
� Vendor Workarounds: Obfuscation responses
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 9/17
9
Main Mode PSK Attacks
� Similar problem to aggressive mode,except HASH is passed encrypted.
� Main Mode requires an active or MITMattack to attack PSK to derive DH secret
� IDs are normally the IPs of endpoints
� We will guess the PSK and try todetermine the encryption key for the 1st
encrypted packet
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 10/17
10
SA_R
SA_I
KE_I+Nonce_I
Initiator
Cookie_I
Responder
(Attacker)
Cookie_R
KE_R+Nonce_R
[ ID_I ]
[ ID_R ]
[Hash_I]
[Hash_R]
Attack ProcessMain Mode PSK Cracking
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 11/17
11
� Collect public IKE values [Nonces, DH Publicvalues, Cookies, headers, etc] and assume
IDs are IP endpoint IPs� Collect 1ST encrypted packet
� Calculate DH Secret
� Choose PSK value and calculate SYKEYID,
SKEYID_d, KEYID_a, KEYID_e� Generate IV from hash of DH Public values
� Decrypt packet with IV and SKEYID_e ±check for known plaintext to validate
Attack ProcessMain Mode PSK Cracking
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 12/17
12
Main Mode Policy Enumeration
� Similar to aggressive mode ID enumeration
� Peer will only respond to valid IP address that
has a defined policy� Attacker can send spoofed init frames to
³peer´ to search IP address space
� Correct IP will cause an SA proposal reply
from ³peer´� Some vendors will send a ³no proposal
choosen´ if SA is from invalid host
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 13/17
13
Implementation Vulnerabilities
� Cisco VPN Client 3.5
� Cisco VPN Client 1.1
� SafeNet/IRE SoftPK and SoftRemote
� PGPFreeware 7.03 - PGPNet
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 14/17
14
Tools
� IKECrack ± aggressive mode PSK
cracker
� IKEProbe ± IKE packet mangler
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 15/17
15
IKECrack http://ikecrack.sourceforge.net
� IKE PSK Cracker ± dictionary, hybrid, brute
� Simplistic implementation ± Aggressive mode
only� Must use IETF HASH_R calculations (RFC
2409)
� MD5 HMAC only ± 93K kps on 1.8ghz P4
� PERL script that requires HMAC PerlMod anduses tcpdump ±x output for capture ± It¶s ahack, but it works.
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 16/17
16
IKEProber http://ikecrack.sourceforge.net
� Command-line utility for building arbitrary IKEpackets
� Supports common IKE options and allowsuser specified data or repeated chars
� Useful for finding BoF problems with optionparsing ± Used to find Cisco/PGPNet/Safenet
probs� Perl based and requires NetCat in Unix --
Also a hack.
� Can also be used for user enumeration
8/6/2019 Ike Hacking Toorcon2k2
http://slidepdf.com/reader/full/ike-hacking-toorcon2k2 17/17
17
Contact Info
� IKE Tools and preso Download
http://ikecrack.sourceforge.net
� Anton Rager arager@avaya.com
� Code criticism: This is proof-of-concept
stuff -- fix it yourself
top related