spiderlabs / ikeforce Goto Github PK

While running ikeforce.py IP -e -w wordlists/groupnames.dic -t 5 2 65001 2 it detects the device is vulnerable to multiple response group name enumeration however the next phase, "Using New Cisco Group Enumeration Technique" where it says to 'Press return for a status update' it appears to hang. Additionally, the status updates do not work when I press enter, only a new line appears.

Attempting to troubleshoot but not making too much progress yet.

I'm running
root@test:/home/soc/ikeforce# python ikeforce.py 192.168.1.9 -b -i 3000 -k abc123 -u fed -w t.txt -t 5 2 65001 2
After that the final debug message is
--------------------Received Packet Number: 2--------------------

Duplicate of packet 1, discarding
Duplicate packet count: 1

I'm testing my openswan server with config and secrets
ipsec.secrets
192.168.1.9 %any : PSK "abc123"
192.168.1.9 @3000: PSK "abc123"
@fed : XAUTH "aaa"
ipsec.config
conn iketest
leftxauthserver=yes
pfs=yes
#rekey=no
leftmodecfgserver=yes
rightmodecfgclient=yes
#modecfgpull=yes

    rightid=@3000
    rightxauthclient=yes
    left=192.168.1.9
    [email protected]
    leftsubnet=10.1.0.0/24
    right=%any
    authby=secret
    ike=3des-sha;modp1024
    aggrmode=yes
    auth=esp
    esp=3des-sha1
    auto=add

Ikeforce is working while searching for groupID, correct ID was found but it doesn't work with the password
Could you help me?
Thank you

Hi,
I'm trying to use ikeforce to enumerate groupnames and get valid PSKs for some Cisco devices.
I installed pyip, pycrypto and pyopenssl
When I try to run the program it says "Missing 'udp' library: install it with 'pip install pyip' then run again"
I realised that I got a Segmentation fault error when installing pyopenssl. After some research it seems that package python-openssl (already installed in my system) was causing the problem. I uninstall it and installed pyopenssl again, ikeforce is still not working, but the error now is a traceback from ikeclient.py "OpenSSL not installed"
I tried re-installing python-openssl and uninstalllling pyopenssl, but I get again the error "Missing 'udp' library: try installing pyip"; same if I re-install pyopenssl, (this time it installs without any problem)

Is there anything else that needs to be installed/removed?
I'm running up-to-date 4.9.0-kali4-amd64

Any help is really appreciated,
Cheers,

If you are having this problem.

./ikeforce.py [HOST_IP] -a
[+]Program started in Transform Set Enumeration Mode
[+]Checking for acceptable Transforms

Accepted (AM) Transform Sets

Traceback (most recent call last):
File "./ikeforce.py", line 307, in
iCookie = ikeneg.secRandom(8).encode('hex')
File "/home/master/git/ikeforce/ikeclient.py", line 46, in secRandom
randomBytes = OpenSSL.rand.bytes(bytes)
AttributeError: 'module' object has no attribute 'rand'

You can fix buy running this command

pip install 'pyopenssl==17.2.0'

Getting the following error when running ikeforce:
Encrypted payload received.
Encrypted Payload: 768b4af3fd440dfe3d584f392af38db99907a97b60c1383b49c8493e95889882d1f8035fea1694e4f8826b5d8a230b68aeffe1b23dddc6197355ab8b11200cef491eab4e28919f46cedaeda02f3eb59758bb7fb4b0d36da4f914b0178b0af3a5
Traceback (most recent call last):
File "./ikeforce.py", line 708, in
respDict,listVIDs = ikeHandling.main(packets[-1],encType,hashType,encKey,initIV,curIV)
File "/opt/ikeforce/ikehandler.py", line 618, in main
ikeDecrypt = ikeCrypto.ikeCipher(encKey, initIV.decode('hex'), encType)
File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

I attempted to run a brute force and got the following error:

root@wopr:/opt/ikeforce# ./ikeforce.py 1.2.3.4 -b -k ******** -i DefaultRAGroup -u cisco -w 500-worst-passwords.txt '

[+]Program started in XAUTH Brute Force Mode
[+]Single user provided - brute forcing passwords for user: cisco
Press return for a status update
Traceback (most recent call last):
File "./ikeforce.py", line 1876, in
respDict,vidHolder = ikeHandling.main(packets[-1],encType,hashType,encKey,initIV,curIV)
ValueError: too many values to unpack

I'm seeing another crash in the xauth brute force mode.

Traceback (most recent call last):
File "ikeforce.py", line 2582, in
mcfgIP = str(dicCrypto["MCFG_IPi"]).decode('hex')
KeyError: 'MCFG_IPi'

Not sure what would be needed to track this down.

I've got the correct transform set for an IKE Aggressive mode, which is 7/256 2 65001 2, discovered via generate-transforms.sh | xargs ike-scan...
When I give it to ikeforce to enumerate groups, it doesn't accept 7/256 because it says value is not an integer, and if I give only 7 it doesn't recognize the transform as good and tells me to use -a. If I use -a, it cannot find any valid transform.
I know that even groupid enumeration on latest VPNs has been patched, but I wanted to give it a try. Also, I could loop over all the groups in the list and search for XAUTH credentials (used by my pentest target).
So I'm wondering if AES 7/256 is just not supported by the tool.

Thank you in advance

Hi very nice tool.
Spotted a problem while using AES with keyLen 256bit. It would stick to the default 128bit.

Traced the error at https://github.com/SpiderLabs/ikeforce/blob/master/ikeclient.py#L218-L221

You will need to correct "padding1+encTypehashType+authtype" to "padding1+encType+hashType+authType"

Now the exception does not makes sense at all since it was erroneously added due to this syntax error (in a hurry? :) )

Better to check if the keyLen is None or empty. Please feel free to commit the best option since you know the protocol lots better than me..

Thanks,

Dimitris Strevinas

First of, great tool! While in Test Mode using the -c flag, the following error was thrown:
IKE Server running in Thread-1
Traceback (most recent call last):
File "ikeforce.py", line 2389, in
ikeCrypto = crypto.ikeCrypto()
NameError: name 'crypto' is not defined

Found it was due to an unchanged reference in line 2389 of ikeforce.py (probably a reference which 'cloaked' itself :-) when you made reference changes in this commit) which;
currently reads: "ikeCrypto = crypto.ikeCrypto()"
but should be: "ikeCrypto = ikecrypto.ikeCrypto()"

Same issue found in "ikehandler.py", line 902
currently reads: "ikeCrypto = crypto.ikeCrypto()"
but should be: "ikeCrypto = ikecrypto.ikeCrypto()"

Sorry, I don't know github very well. I understand that I should make Pull request, but don't know how((

1. I have error in ikehandler.py line 902: ikeCrypto = crypto.ikeCrypto(). I have solved it by edit this row: ikeCrypto = ikecrypto.ikeCrypto()

2. Also I have error in ikeforce.py line 1876 respDict,vidHolder = ikeHandling.main(packets[-1],encType,hashType,encKey,initIV,curIV) ValueError: too many values to unpack.
   I have solved it by edit row 937 in ikeHandler.py:
   return dicCrypto, None