IPsec IKEv1 PSK+XAUTH MitM attack daemon
GPL-2.0 License
/*
// Overview
This is a fake IKE daemon supporting just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups.
Basically, if you know the pre-shared key, also known as shared secret or group password, you can impersonate the VPN gateway in IKE phase 1, and learn XAUTH user credentials in phase 2.
This attack [2,3] is not new. It has been known for a long time that IKE using PSK with XAUTH is insecure, and this is not the first actual implementation of the attack.
The configuration supported by fiked is IKE aggressive mode using pre-shared keys and XAUTH. Supported algorithms are DES, 3DES, AES128, AES192, AES256; MD5, SHA1; and DH groups 1, 2 and 5. Main mode is not supported.
Based on this work, a full MITM attack could be implemented.
// Attack Setup
To successfully demostrate an attack on a VPN site, you need to know the shared secret, and you must be able to intercept the IKE traffic between the clients and the VPN gateway.
There are several ways to find out the shared secret [4], and several ways to redirect the IKE traffic to your running fiked instance.
With the -r option, you can control whether fiked should forge the source address on packets or not, depending on whether your particular attack setup needs it or not.
// Installation
You need these libraries to build and run fiked:
You should be able to build and install fiked by just running GNU make install (gmake on BSD) on systems with a C99 capable GCC.
Fiked has been developed on FreeBSD, but should build and run fine on other BSD and Linux boxes. Please do send me patches. Reported to work fine are OpenBSD and Debian.
By defining WITHOUT_LIBNET, you can omit libnet support, which will remove the dependency on libnet, and will give you a fiked which does not support sending replies with forged source address (-r option).
// Credits
Fiked is loosely based on vpnc [5]. The code borrowed from vpnc is found in the vpnc subdirectory, see vpnc/NOTICE.
// References
[1] http://www.roe.ch/FakeIKEd [2] http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml [3] http://www.ima.umn.edu/~pliam/xauth/ [4] http://ikecrack.sourceforge.net/ [5] http://www.unix-ag.uni-kl.de/~massar/vpnc/