Target hosts must be given on the command line unless the --file option is used.
ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.
ike-scan does two things:
- Discovery: Determine which hosts are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
- Fingerprinting: Determine which IKE implementation the hosts are using. There are several ways to do this: (a) backoff fingerprinting - recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; (b) vendor ID fingerprinting - matching the vendor ID payloads in the responses against known vendor ID patterns; and (c) proprietary notify message codes - recognising vendor-specific notify message codes in the responses.
The retransmission backoff fingerprinting concept is discussed in more detail in the UDP backoff fingerprinting paper which should be included in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.
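The following script is an added illustration of the backoff-fingerprinting idea just described; it is not ike-scan's own code and does not use ike-scan's pattern file. It groups the response times recorded for each host, converts them into the gaps between successive retransmissions, and compares those gaps against a table of known patterns with a tolerance. The pattern names and values, and the response timestamps, are constructed placeholders, so the script runs offline. It also handles the case a scan often produces in practice: fewer responses than the full pattern, which is reported as a partial match rather than silently treated as a full one.

```python
"""Backoff-pattern matching as an added illustration of the fingerprinting
idea described above. This is not ike-scan's own code; the pattern table and
the response timestamps are constructed so the script runs offline."""
from collections import defaultdict

# Known patterns: implementation name -> gaps (seconds) between successive
# retransmitted responses. The names and values are hypothetical placeholders;
# ike-scan ships its real table separately.
KNOWN_PATTERNS = {
    "hypothetical-vendor-A": [2.0, 4.0, 8.0, 16.0],
    "hypothetical-vendor-B": [10.0, 10.0, 10.0],
    "hypothetical-vendor-C": [1.0, 1.0, 2.0, 4.0],
}

# Constructed observations: (responding host, seconds since the first probe
# was sent). Each host answers the same unanswered request several times,
# and it is the spacing of those repeats that carries the fingerprint.
OBSERVATIONS = [
    ("192.0.2.10", 0.000), ("192.0.2.10", 2.010), ("192.0.2.10", 6.030),
    ("192.0.2.10", 14.020), ("192.0.2.10", 30.050),
    ("192.0.2.20", 0.000), ("192.0.2.20", 10.003), ("192.0.2.20", 20.010),
    ("192.0.2.30", 0.000), ("192.0.2.30", 3.000), ("192.0.2.30", 9.000),
]


def intervals(timestamps):
    """Turn absolute response times into the gaps between consecutive responses."""
    ts = sorted(timestamps)
    return [round(later - earlier, 3) for earlier, later in zip(ts, ts[1:])]


def matching_prefix(observed, pattern, tolerance):
    """Number of leading gaps in `pattern` that `observed` reproduces within
    `tolerance` seconds, or 0 as soon as any observed gap disagrees."""
    if not observed or len(observed) > len(pattern):
        return 0
    for seen, expected in zip(observed, pattern):
        if abs(seen - expected) > tolerance:
            return 0
    return len(observed)


def match_pattern(observed, known=KNOWN_PATTERNS, tolerance=0.5):
    """Best (name, gaps_matched, pattern_length) for the observed gaps, or None.
    A full-length match wins; among partial matches (the scan stopped before
    the host finished retransmitting) the one covering most gaps wins, and the
    shorter pattern is preferred on a tie."""
    best = None
    for name, pattern in known.items():
        n = matching_prefix(observed, pattern, tolerance)
        if n == 0:
            continue
        if best is None or n > best[1] or (n == best[1] and len(pattern) < best[2]):
            best = (name, n, len(pattern))
    return best


def fingerprint_hosts(observations, known=KNOWN_PATTERNS, tolerance=0.5):
    """Group responses by host and label each host with its matched pattern."""
    by_host = defaultdict(list)
    for host, t in observations:
        by_host[host].append(t)
    labels = {}
    for host, times in sorted(by_host.items()):
        best = match_pattern(intervals(times), known, tolerance)
        if best is None:
            labels[host] = "UNKNOWN"
        elif best[1] == best[2]:
            labels[host] = best[0]
        else:
            labels[host] = f"{best[0]} (partial: {best[1]} of {best[2]} gaps)"
    return labels


if __name__ == "__main__":
    for host, label in fingerprint_hosts(OBSERVATIONS).items():
        print(f"{host:<12} {label}")
```

The tolerance is what makes the method robust to network jitter, and it is also what a defender should keep in mind: a gateway whose retransmission timer is fixed by its vendor will match its pattern regardless of small timing variation, so the only way to stop the timing from identifying the implementation is to change how the gateway responds to unanswered requests, not to add latency.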
The program sends IKE Phase-1 requests to the specified hosts and displays any responses that are received. It handles retry and retransmission with backoff to cope with packet loss. It also limits the amount of bandwidth used by the outbound IKE packets.
IKE is the Internet Key Exchange protocol which is the key exchange and authentication mechanism used by IPsec. Just about all modern VPN systems implement IPsec, and the vast majority of IPsec VPNs use IKE for key exchange.
Phase-1 has two modes: Main Mode and Aggressive Mode. ike-scan supports both, and uses Main Mode by default. RFC 2409 (IKE) section 5 specifies that Main Mode must be implemented, so every IKE implementation can be expected to support Main Mode.
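As an added example (not ike-scan's code), the script below builds and decodes the fixed 28-byte ISAKMP header defined in RFC 2408 section 3.1, which is where the Main Mode versus Aggressive Mode distinction is signalled: the Exchange Type field carries 2 for Identity Protection (Main Mode) and 4 for Aggressive Mode. It never sends anything; the `classify` function is the kind of check a defender might run over captured UDP/500 datagrams to log which Phase-1 mode a peer or scanner is attempting. The payload length passed to `build_phase1_header` is a placeholder for the SA payload this example omits.

```python
"""ISAKMP header (RFC 2408 section 3.1) encode/decode, added to illustrate how
the Phase-1 exchange mode is signalled on the wire. This is not ike-scan's own
code; it builds and inspects the 28-byte header only and never sends packets."""
import os
import struct

# Fixed-size header: initiator cookie, responder cookie, next payload,
# version, exchange type, flags, message ID, total length (network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10            # major 1, minor 0
PAYLOAD_SA = 1                   # Security Association payload leads Phase-1 message 1
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode"}


def build_phase1_header(exchange_type, payload_len=0, initiator_cookie=None):
    """Header of the first Phase-1 message: responder cookie and message ID
    are zero, and the length covers the header plus the payloads that follow.
    `payload_len` stands in for those payloads, which this example omits."""
    if exchange_type not in EXCHANGE_TYPES:
        raise ValueError(f"unsupported Phase-1 exchange type {exchange_type}")
    icookie = initiator_cookie if initiator_cookie is not None else os.urandom(8)
    return ISAKMP_HDR.pack(icookie, bytes(8), PAYLOAD_SA, ISAKMP_VERSION,
                           exchange_type, 0, 0, ISAKMP_HDR.size + payload_len)


def parse_header(data):
    """Decode a datagram's ISAKMP header into a dict; reject short or
    inconsistent input rather than guessing."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(data)
    if length < ISAKMP_HDR.size:
        raise ValueError("length field smaller than the header itself")
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": xchg,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify(data):
    """Label a UDP/500 datagram by Phase-1 mode, e.g. for a scan-detection log."""
    hdr = parse_header(data)
    if hdr["major"] != 1:
        return f"not IKEv1 (major version {hdr['major']})"
    if hdr["message_id"] != 0:
        return "not Phase-1 (non-zero message ID)"
    return EXCHANGE_TYPES.get(hdr["exchange_type"],
                              f"other exchange type {hdr['exchange_type']}")


if __name__ == "__main__":
    for xchg in (2, 4):
        pkt = build_phase1_header(xchg)
        print(f"{classify(pkt):<16} {pkt.hex()}")
```

The first Phase-1 message is sent with a zero responder cookie and a zero message ID in both modes; only the exchange type byte differs, which is why a header-level check is enough to tell a Main Mode probe from an Aggressive Mode one before any payload parsing.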
http://www.nta-monitor.com/wiki/ The ike-scan wiki page.
http://www.nta-monitor.com/tools/ike-scan/ The ike-scan homepage.