IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting.

IPSec/IKE Protocol HackingIPSec/IKE Protocol HackingToorCon 2K2 – San Diego, CAToorCon 2K2 – San Diego, CA

IPSec/IKE Protocol HackingIPSec/IKE Protocol HackingToorCon 2K2 – San Diego, CAToorCon 2K2 – San Diego, CA

Anton Rager Sr. Security Consultant Avaya Security Consulting

2

Agenda

• IKE Overview and Protocol Weaknesses

• Vendor Implementation Problems

• IKE Tools discussion and demo

3

SA_R+KE_R+Nonce_R+ID_R+Hash_R

SA_I+KE_I+Nonce_I+ID_I

[Hash_I]

Initiator

Cookie_IResponder

Cookie_R

• Note: Aggressive uses ID that is independent of initiator IP

Aggressive Mode IKE

4

SA_RSA_I

KE_I+Nonce_I

Initiator

Cookie_IResponder

Cookie_R

KE_R+Nonce_R

[ID_I][ID_R]

[Hash_I]

[Hash_R]

Main Mode IKE

• Note: ID is normally IP address of each endpoint

5

Aggressive Mode ID

• ID sent in clear- Well known problem• IETF specifies that aggressive mode will send

ID [UserID or GroupID] in clear• Eavesdropper can collect remote access user

IDs• Some vendors have proprietary ways of

hashing ID when using their client to hide ID• Interoperability [SafeNet/PGPNet] requires

IETF adherence – ID leakage

6

Aggressive Mode PSK Attacks

• PSK [password or shared-secret] authentication uses a hash sent in the clear

• HASH is derived from public exchanged info + PSK

• Bruteforce/Dictionary attacks possible against HASH as a passive listener

• Some vendors use DH private value for hash derivation to prevent passive attacks – attack must be active MITM with knowledge of hashing method

7

SA_R+KE_R+Nonce_R+ID_R+Hash_R

SA_I+KE_I+Nonce_I+ID_I

[Hash_I]

Initiator

Cookie_IResponder

Cookie_R

Attack ProcessAggressive PSK Cracking

Assume MD5-HMAC for Hash function – based on hash in SA

Responder Hash:

HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I + Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I + init SA header + resp ID header)

8

Aggressive Mode ID Enumeration

• IKE protocol specification does not discuss how invalid ID should be handled. Many implementations respond with an invalid ID during the initial IKE negotiation – others just don’t respond

• This can allow an active dictionary/bruteforce enumeration

• Submit IKE initiator frame to concentrator with guessed ID. Concentrator will tell you if guess is wrong

• Vendor Workarounds: Obfuscation responses

9

Main Mode PSK Attacks

• Similar problem to aggressive mode, except HASH is passed encrypted.

• Main Mode requires an active or MITM attack to attack PSK to derive DH secret

• IDs are normally the IPs of endpoints• We will guess the PSK and try to

determine the encryption key for the 1st encrypted packet

10

SA_RSA_I

KE_I+Nonce_I

Initiator

Cookie_IResponder

(Attacker)

Cookie_R

KE_R+Nonce_R

[ID_I][ID_R]

[Hash_I]

[Hash_R]

Attack ProcessMain Mode PSK Cracking

11

• Collect public IKE values [Nonces, DH Public values, Cookies, headers, etc] and assume IDs are IP endpoint IPs

• Collect 1ST encrypted packet• Calculate DH Secret• Choose PSK value and calculate SYKEYID,

SKEYID_d, KEYID_a, KEYID_e• Generate IV from hash of DH Public values• Decrypt packet with IV and SKEYID_e – check

for known plaintext to validate

Attack ProcessMain Mode PSK Cracking

12

Main Mode Policy Enumeration

• Similar to aggressive mode ID enumeration• Peer will only respond to valid IP address that

has a defined policy• Attacker can send spoofed init frames to

“peer” to search IP address space• Correct IP will cause an SA proposal reply

from “peer”• Some vendors will send a “no proposal

choosen” if SA is from invalid host

13

Implementation Vulnerabilities

• Cisco VPN Client 3.5

• Cisco VPN Client 1.1

• SafeNet/IRE SoftPK and SoftRemote

• PGPFreeware 7.03 - PGPNet

14

Tools

• IKECrack – aggressive mode PSK cracker

• IKEProbe – IKE packet mangler

15

IKECrackhttp://ikecrack.sourceforge.net

• IKE PSK Cracker – dictionary, hybrid, brute• Simplistic implementation – Aggressive mode

only• Must use IETF HASH_R calculations (RFC

2409)• MD5 HMAC only – 93K kps on 1.8ghz P4• PERL script that requires HMAC PerlMod and

uses tcpdump –x output for capture – It’s a hack, but it works.

16

IKEProberhttp://ikecrack.sourceforge.net

• Command-line utility for building arbitrary IKE packets

• Supports common IKE options and allows user specified data or repeated chars

• Useful for finding BoF problems with option parsing – Used to find Cisco/PGPNet/Safenet probs

• Perl based and requires NetCat in Unix -- Also a hack.

• Can also be used for user enumeration

17

Contact Info

• IKE Tools and preso Download http://ikecrack.sourceforge.net

• Anton Rager [email protected]

• Code criticism: This is proof-of-concept stuff -- fix it yourself