IPSec/IKE Protocol Hacking

ToorCon 2K2 San Diego, CA

Anton Rager Sr. Security Consultant Avaya Security Consulting

Agenda
IKE Overview and Protocol Weaknesses Vendor Implementation Problems IKE Tools discussion and demo

Aggressive Mode IKE

Cookie_I Initiator Cookie_R Responder SA_I+KE_I+Nonce_I+ID_I SA_R+KE_R+Nonce_R+ID_R+Hash_R [Hash_I]

Note: Aggressive uses ID that is independent of initiator IP

Main Mode IKE

Cookie_I Initiator Cookie_R Responder SA_I SA_R KE_I+Nonce_I KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R]

Note: ID is normally IP address of each endpoint

4

Aggressive Mode ID
ID sent in clear- Well known problem IETF specifies that aggressive mode will send ID [UserID or GroupID] in clear Eavesdropper can collect remote access user IDs Some vendors have proprietary ways of hashing ID when using their client to hide ID Interoperability [SafeNet/PGPNet] requires IETF adherence ID leakage
5

Aggressive Mode PSK Attacks

PSK [password or shared-secret] authentication uses a hash sent in the clear HASH is derived from public exchanged info + PSK Bruteforce/Dictionary attacks possible against HASH as a passive listener Some vendors use DH private value for hash derivation to prevent passive attacks attack must be active MITM with knowledge of hashing method
6

Attack Process
Aggressive PSK Cracking
Cookie_I Initiator Cookie_R Responder SA_I+KE_I+Nonce_I+ID_I SA_R+KE_R+Nonce_R+ID_R+Hash_R [Hash_I] Assume MD5-HMAC for Hash function based on hash in SA

Responder Hash: HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I + Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I + init SA header + resp ID header)
7

Aggressive Mode ID Enumeration

IKE protocol specification does not discuss how invalid ID should be handled. Many implementations respond with an invalid ID during the initial IKE negotiation others just dont respond This can allow an active dictionary/bruteforce enumeration Submit IKE initiator frame to concentrator with guessed ID. Concentrator will tell you if guess is wrong Vendor Workarounds: Obfuscation responses
8

Main Mode PSK Attacks

Similar problem to aggressive mode, except HASH is passed encrypted. Main Mode requires an active or MITM attack to attack PSK to derive DH secret IDs are normally the IPs of endpoints We will guess the PSK and try to determine the encryption key for the 1st encrypted packet
9

Attack Process
Main Mode PSK Cracking
Cookie_I Initiator Cookie_R Responder SA_I SA_R KE_I+Nonce_I KE_R+Nonce_R [ID_I] [ID_R] [Hash_I] [Hash_R] (Attacker)

10

Attack Process
Main Mode PSK Cracking

Collect public IKE values [Nonces, DH Public values, Cookies, headers, etc] and assume IDs are IP endpoint IPs Collect 1ST encrypted packet Calculate DH Secret Choose PSK value and calculate SYKEYID, SKEYID_d, KEYID_a, KEYID_e Generate IV from hash of DH Public values Decrypt packet with IV and SKEYID_e check for known plaintext to validate
11

Main Mode Policy Enumeration

Similar to aggressive mode ID enumeration Peer will only respond to valid IP address that has a defined policy Attacker can send spoofed init frames to peer to search IP address space Correct IP will cause an SA proposal reply from peer Some vendors will send a no proposal choosen if SA is from invalid host
12

Implementation Vulnerabilities
Cisco VPN Client 3.5 Cisco VPN Client 1.1 SafeNet/IRE SoftPK and SoftRemote PGPFreeware 7.03 - PGPNet

13

Tools
IKECrack aggressive mode PSK cracker IKEProbe IKE packet mangler

14

IKECrack
http://ikecrack.sourceforge.net

IKE PSK Cracker dictionary, hybrid, brute Simplistic implementation Aggressive mode only Must use IETF HASH_R calculations (RFC 2409) MD5 HMAC only 93K kps on 1.8ghz P4 PERL script that requires HMAC PerlMod and uses tcpdump x output for capture Its a hack, but it works.
15

IKEProber
http://ikecrack.sourceforge.net

Command-line utility for building arbitrary IKE packets Supports common IKE options and allows user specified data or repeated chars Useful for finding BoF problems with option parsing Used to find Cisco/PGPNet/Safenet probs Perl based and requires NetCat in Unix -Also a hack. Can also be used for user enumeration
16

Contact Info
IKE Tools and preso Download http://ikecrack.sourceforge.net Anton Rager arager@avaya.com Code criticism: This is proof-of-concept stuff -- fix it yourself

17