Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting.

Published byEthel Banks Modified over 8 years ago

Similar presentations

Presentation on theme: "IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting."— Presentation transcript:

1 IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting

2 2 Agenda IKE Overview and Protocol Weaknesses Vendor Implementation Problems IKE Tools discussion and demo

3 3 SA_R+KE_R+Nonce_R+ID_R+Hash_R SA_I+KE_I+Nonce_I+ID_I [Hash_I] Initiator Cookie_I Responder Cookie_R Note: Aggressive uses ID that is independent of initiator IP Aggressive Mode IKE

4 4 SA_R SA_I KE_I+Nonce_I Initiator Cookie_I Responder Cookie_R KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R] Main Mode IKE Note: ID is normally IP address of each endpoint

5 5 Aggressive Mode ID ID sent in clear- Well known problem IETF specifies that aggressive mode will send ID [UserID or GroupID] in clear Eavesdropper can collect remote access user IDs Some vendors have proprietary ways of hashing ID when using their client to hide ID Interoperability [SafeNet/PGPNet] requires IETF adherence – ID leakage

6 6 Aggressive Mode PSK Attacks PSK [password or shared-secret] authentication uses a hash sent in the clear HASH is derived from public exchanged info + PSK Bruteforce/Dictionary attacks possible against HASH as a passive listener Some vendors use DH private value for hash derivation to prevent passive attacks – attack must be active MITM with knowledge of hashing method

7 7 SA_R+KE_R+Nonce_R+ID_R+Hash_R SA_I+KE_I+Nonce_I+ID_I [Hash_I] Initiator Cookie_I Responder Cookie_R Attack Process Aggressive PSK Cracking Assume MD5-HMAC for Hash function – based on hash in SA Responder Hash: HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I + Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I + init SA header + resp ID header)

8 8 Aggressive Mode ID Enumeration IKE protocol specification does not discuss how invalid ID should be handled. Many implementations respond with an invalid ID during the initial IKE negotiation – others just don’t respond This can allow an active dictionary/bruteforce enumeration Submit IKE initiator frame to concentrator with guessed ID. Concentrator will tell you if guess is wrong Vendor Workarounds: Obfuscation responses

9 9 Main Mode PSK Attacks Similar problem to aggressive mode, except HASH is passed encrypted. Main Mode requires an active or MITM attack to attack PSK to derive DH secret IDs are normally the IPs of endpoints We will guess the PSK and try to determine the encryption key for the 1 st encrypted packet

10 10 SA_R SA_I KE_I+Nonce_I Initiator Cookie_I Responder (Attacker) Cookie_R KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R] Attack Process Main Mode PSK Cracking

11 11 Collect public IKE values [Nonces, DH Public values, Cookies, headers, etc] and assume IDs are IP endpoint IPs Collect 1 ST encrypted packet Calculate DH Secret Choose PSK value and calculate SYKEYID, SKEYID_d, KEYID_a, KEYID_e Generate IV from hash of DH Public values Decrypt packet with IV and SKEYID_e – check for known plaintext to validate Attack Process Main Mode PSK Cracking

12 12 Main Mode Policy Enumeration Similar to aggressive mode ID enumeration Peer will only respond to valid IP address that has a defined policy Attacker can send spoofed init frames to “peer” to search IP address space Correct IP will cause an SA proposal reply from “peer” Some vendors will send a “no proposal choosen” if SA is from invalid host

13 13 Implementation Vulnerabilities Cisco VPN Client 3.5 Cisco VPN Client 1.1 SafeNet/IRE SoftPK and SoftRemote PGPFreeware 7.03 - PGPNet

14 14 Tools IKECrack – aggressive mode PSK cracker IKEProbe – IKE packet mangler

15 15 IKECrack http://ikecrack.sourceforge.net http://ikecrack.sourceforge.net IKE PSK Cracker – dictionary, hybrid, brute Simplistic implementation – Aggressive mode only Must use IETF HASH_R calculations (RFC 2409) MD5 HMAC only – 93K kps on 1.8ghz P4 PERL script that requires HMAC PerlMod and uses tcpdump –x output for capture – It’s a hack, but it works.

16 16 IKEProber http://ikecrack.sourceforge.net http://ikecrack.sourceforge.net Command-line utility for building arbitrary IKE packets Supports common IKE options and allows user specified data or repeated chars Useful for finding BoF problems with option parsing – Used to find Cisco/PGPNet/Safenet probs Perl based and requires NetCat in Unix -- Also a hack. Can also be used for user enumeration

17 17 Contact Info IKE Tools and preso Download http://ikecrack.sourceforge.net http://ikecrack.sourceforge.net Anton Rager arager@avaya.comarager@avaya.com Code criticism: This is proof-of-concept stuff -- fix it yourself

Download ppt "IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting."

Similar presentations

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.
1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.

1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).
Cryptography and Network Security

Cryptography and Network Security
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
Internet Security CSCE 813 IPsec. CSCE 813 - Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,

Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Similar presentations

Ads by Google