IPSec/IKE Protocol Hacking ToorCon 2K2 - PowerPoint PPT Presentation

About This Presentation
Title:

IPSec/IKE Protocol Hacking ToorCon 2K2

Description:

IPSec/IKE Protocol Hacking. ToorCon 2K2 San Diego, CA ... IKE Tools and preso Download http://ikecrack.sourceforge.net. Anton Rager arager_at_avaya.com ... – PowerPoint PPT presentation

Number of Views:126
Avg rating:3.0/5.0
Slides: 18
Provided by: anthon79
Category:

less

Transcript and Presenter's Notes

Title: IPSec/IKE Protocol Hacking ToorCon 2K2


1
IPSec/IKE Protocol HackingToorCon 2K2 San
Diego, CA
  • Anton Rager Sr. Security Consultant
    Avaya Security Consulting

2
Agenda
  • IKE Overview and Protocol Weaknesses
  • Vendor Implementation Problems
  • IKE Tools discussion and demo

3
Aggressive Mode IKE
Cookie_R
Cookie_I
Responder
Initiator
SA_IKE_INonce_IID_I
SA_RKE_RNonce_RID_RHash_R
Hash_I
  • Note Aggressive uses ID that is independent of
    initiator IP

4
Main Mode IKE
Cookie_R
Cookie_I
Responder
Initiator
SA_I
SA_R
KE_INonce_I
KE_RNonce_R
ID_I
ID_R
Hash_I
Hash_R
  • Note ID is normally IP address of each endpoint

5
Aggressive Mode ID
  • ID sent in clear- Well known problem
  • IETF specifies that aggressive mode will send ID
    UserID or GroupID in clear
  • Eavesdropper can collect remote access user IDs
  • Some vendors have proprietary ways of hashing ID
    when using their client to hide ID
  • Interoperability SafeNet/PGPNet requires IETF
    adherence ID leakage

6
Aggressive Mode PSK Attacks
  • PSK password or shared-secret authentication
    uses a hash sent in the clear
  • HASH is derived from public exchanged info PSK
  • Bruteforce/Dictionary attacks possible against
    HASH as a passive listener
  • Some vendors use DH private value for hash
    derivation to prevent passive attacks attack
    must be active MITM with knowledge of hashing
    method

7
Attack ProcessAggressive PSK Cracking
Cookie_R
Cookie_I
Responder
Initiator
SA_IKE_INonce_IID_I
SA_RKE_RNonce_RID_RHash_R
Hash_I
Assume MD5-HMAC for Hash function based on hash
in SA Responder Hash HASH_RMD5-HMAC(MD5-HMAC(Gu
essed PSK, Nonce_I Nonce_R), resp DH pub, init
DH pub cookie_R cookie_I init SA header
resp ID header)
8
Aggressive Mode ID Enumeration
  • IKE protocol specification does not discuss how
    invalid ID should be handled. Many
    implementations respond with an invalid ID during
    the initial IKE negotiation others just dont
    respond
  • This can allow an active dictionary/bruteforce
    enumeration
  • Submit IKE initiator frame to concentrator with
    guessed ID. Concentrator will tell you if guess
    is wrong
  • Vendor Workarounds Obfuscation responses

9
Main Mode PSK Attacks
  • Similar problem to aggressive mode, except HASH
    is passed encrypted.
  • Main Mode requires an active or MITM attack to
    attack PSK to derive DH secret
  • IDs are normally the IPs of endpoints
  • We will guess the PSK and try to determine the
    encryption key for the 1st encrypted packet

10
Attack ProcessMain Mode PSK Cracking
Cookie_R
Cookie_I
Responder (Attacker)
Initiator
SA_I
SA_R
KE_INonce_I
KE_RNonce_R
ID_I
ID_R
Hash_I
Hash_R
11
Attack ProcessMain Mode PSK Cracking
  • Collect public IKE values Nonces, DH Public
    values, Cookies, headers, etc and assume IDs are
    IP endpoint IPs
  • Collect 1ST encrypted packet
  • Calculate DH Secret
  • Choose PSK value and calculate SYKEYID, SKEYID_d,
    KEYID_a, KEYID_e
  • Generate IV from hash of DH Public values
  • Decrypt packet with IV and SKEYID_e check for
    known plaintext to validate

12
Main Mode Policy Enumeration
  • Similar to aggressive mode ID enumeration
  • Peer will only respond to valid IP address that
    has a defined policy
  • Attacker can send spoofed init frames to peer
    to search IP address space
  • Correct IP will cause an SA proposal reply from
    peer
  • Some vendors will send a no proposal choosen if
    SA is from invalid host

13
Implementation Vulnerabilities
  • Cisco VPN Client 3.5
  • Cisco VPN Client 1.1
  • SafeNet/IRE SoftPK and SoftRemote
  • PGPFreeware 7.03 - PGPNet

14
Tools
  • IKECrack aggressive mode PSK cracker
  • IKEProbe IKE packet mangler

15
IKECrackhttp//ikecrack.sourceforge.net
  • IKE PSK Cracker dictionary, hybrid, brute
  • Simplistic implementation Aggressive mode only
  • Must use IETF HASH_R calculations (RFC 2409)
  • MD5 HMAC only 93K kps on 1.8ghz P4
  • PERL script that requires HMAC PerlMod and uses
    tcpdump x output for capture Its a hack, but
    it works.

16
IKEProberhttp//ikecrack.sourceforge.net
  • Command-line utility for building arbitrary IKE
    packets
  • Supports common IKE options and allows user
    specified data or repeated chars
  • Useful for finding BoF problems with option
    parsing Used to find Cisco/PGPNet/Safenet probs
  • Perl based and requires NetCat in Unix -- Also a
    hack.
  • Can also be used for user enumeration

17
Contact Info
  • IKE Tools and preso Download http//ikecrack.sourc
    eforge.net
  • Anton Rager arager_at_avaya.com
  • Code criticism This is proof-of-concept stuff --
    fix it yourself
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "IPSec/IKE Protocol Hacking ToorCon 2K2 " is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!