IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting.

Slides:

Advertisements

Similar presentations

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Advertisements

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

1 IPSec—An Overview Somesh Jha Somesh Jha University of Wisconsin University of Wisconsin.

Chapter 5 Network Security Protocols in Practice Part I

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

1 MD5 Cracking One way hash. Used in online passwords and file verification.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

IEEE Wireless Local Area Networks (WLAN’s).

Cryptography and Network Security

Georgy Melamed Eran Stiller

Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

VPN Wireless Security at Penn State Rich Cropp Senior Systems Engineer Information Technology Services The Pennsylvania State University © All rights.

Internet Key Exchange (IKE) protocol vulnerability risks Master's thesis seminar HUT, Networking Laboratory Composed by Ari Muittari at Nokia.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC

Wireless Security Beyond WEP. Wireless Security Privacy Authorization (access control) Data Integrity (checksum, anti-tampering)

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

IPSec Chapter 3 – Secure WAN’s. Definition IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force,

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

1 Network Security Lecture 8 IP Sec Waleed Ejaz

Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.

WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Karlstad University IP security Ge Zhang

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

Abusing : Weaknesses in LEAP Challenge/Response – Defcon 2003 Slide 1 Weaknesses in LEAP Challenge/Response Joshua Wright

IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.

CS 525M – Mobile and Ubiquitous Computing Seminar Bradley Momberger Randy Chong.

Cody Brookshear Andy Borman

Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.

IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.

Virtual Private Network Chapter 4. Lecturer : Trần Thị Ngọc Hoa2 Objectives  VPN Overview  Tunneling Protocol  Deployment models  Lab Demo.

Cryptography and Network Security (CS435) Part Thirteen (IP Security)

1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.

Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,

By Collin Donaldson Man in the Middle Attack: Password Sniffing and Cracking.

Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.

Comparison of Network Attacks COSC 356 Kyler Rhoades.

VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.

IPsec Problems and Solutions

UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture

Chapter 18 IP Security  IP Security (IPSec)

Somesh Jha University of Wisconsin

CSE 4905 IPsec II.

CSE 5/7349 – February 15th 2006 IPSec.

Presentation transcript:

IPSec/IKE Protocol Hacking ToorCon 2K2 – San Diego, CA Anton Rager Sr. Security Consultant Avaya Security Consulting

2 Agenda IKE Overview and Protocol Weaknesses Vendor Implementation Problems IKE Tools discussion and demo

3 SA_R+KE_R+Nonce_R+ID_R+Hash_R SA_I+KE_I+Nonce_I+ID_I [Hash_I] Initiator Cookie_I Responder Cookie_R Note: Aggressive uses ID that is independent of initiator IP Aggressive Mode IKE

4 SA_R SA_I KE_I+Nonce_I Initiator Cookie_I Responder Cookie_R KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R] Main Mode IKE Note: ID is normally IP address of each endpoint

5 Aggressive Mode ID ID sent in clear- Well known problem IETF specifies that aggressive mode will send ID [UserID or GroupID] in clear Eavesdropper can collect remote access user IDs Some vendors have proprietary ways of hashing ID when using their client to hide ID Interoperability [SafeNet/PGPNet] requires IETF adherence – ID leakage

6 Aggressive Mode PSK Attacks PSK [password or shared-secret] authentication uses a hash sent in the clear HASH is derived from public exchanged info + PSK Bruteforce/Dictionary attacks possible against HASH as a passive listener Some vendors use DH private value for hash derivation to prevent passive attacks – attack must be active MITM with knowledge of hashing method

7 SA_R+KE_R+Nonce_R+ID_R+Hash_R SA_I+KE_I+Nonce_I+ID_I [Hash_I] Initiator Cookie_I Responder Cookie_R Attack Process Aggressive PSK Cracking Assume MD5-HMAC for Hash function – based on hash in SA Responder Hash: HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I + Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I + init SA header + resp ID header)

8 Aggressive Mode ID Enumeration IKE protocol specification does not discuss how invalid ID should be handled. Many implementations respond with an invalid ID during the initial IKE negotiation – others just don’t respond This can allow an active dictionary/bruteforce enumeration Submit IKE initiator frame to concentrator with guessed ID. Concentrator will tell you if guess is wrong Vendor Workarounds: Obfuscation responses

9 Main Mode PSK Attacks Similar problem to aggressive mode, except HASH is passed encrypted. Main Mode requires an active or MITM attack to attack PSK to derive DH secret IDs are normally the IPs of endpoints We will guess the PSK and try to determine the encryption key for the 1 st encrypted packet

10 SA_R SA_I KE_I+Nonce_I Initiator Cookie_I Responder (Attacker) Cookie_R KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R] Attack Process Main Mode PSK Cracking

11 Collect public IKE values [Nonces, DH Public values, Cookies, headers, etc] and assume IDs are IP endpoint IPs Collect 1 ST encrypted packet Calculate DH Secret Choose PSK value and calculate SYKEYID, SKEYID_d, KEYID_a, KEYID_e Generate IV from hash of DH Public values Decrypt packet with IV and SKEYID_e – check for known plaintext to validate Attack Process Main Mode PSK Cracking

12 Main Mode Policy Enumeration Similar to aggressive mode ID enumeration Peer will only respond to valid IP address that has a defined policy Attacker can send spoofed init frames to “peer” to search IP address space Correct IP will cause an SA proposal reply from “peer” Some vendors will send a “no proposal choosen” if SA is from invalid host

13 Implementation Vulnerabilities Cisco VPN Client 3.5 Cisco VPN Client 1.1 SafeNet/IRE SoftPK and SoftRemote PGPFreeware PGPNet

14 Tools IKECrack – aggressive mode PSK cracker IKEProbe – IKE packet mangler

15 IKECrack IKE PSK Cracker – dictionary, hybrid, brute Simplistic implementation – Aggressive mode only Must use IETF HASH_R calculations (RFC 2409) MD5 HMAC only – 93K kps on 1.8ghz P4 PERL script that requires HMAC PerlMod and uses tcpdump –x output for capture – It’s a hack, but it works.

16 IKEProber Command-line utility for building arbitrary IKE packets Supports common IKE options and allows user specified data or repeated chars Useful for finding BoF problems with option parsing – Used to find Cisco/PGPNet/Safenet probs Perl based and requires NetCat in Unix -- Also a hack. Can also be used for user enumeration

17 Contact Info IKE Tools and preso Download Anton Rager Code criticism: This is proof-of-concept stuff -- fix it yourself