LinuxCommandLibrary

ike-scan

Discover and fingerprint IPsec VPN servers that speak IKE

SYNOPSIS

ike-scan [options] [hosts...]

PARAMETERS

--help
    Display help information and exit.

--version
    Display version information and exit.

hosts...
    IP addresses or hostnames of the target IKE servers. Targets may also be given as a network in CIDR form (e.g. 192.0.2.0/24) or as a range (e.g. 192.0.2.1-192.0.2.20).

--sport=
    Source UDP port (default: 500). Binding a port below 1024 normally requires root, so run ike-scan as root or pick a high source port.

--dport=
    Destination UDP port (default: 500).

--id=
    Set the identification value sent in the initiator's ID payload. Only used with --aggressive; give it as a string or as hex with a leading 0x.

--trans=
    Use a custom IKE transform instead of the default set, given as the numeric attribute values enc,hash,auth,group (e.g. --trans=5,2,1,2 for 3DES-CBC, SHA1, pre-shared key, DH group 2). The option may be repeated to offer several transforms.

--file=
    Read target hosts from a file, one IP/hostname per line.

--retry=
    Number of attempts to send each packet (default: 3).

--timeout=
    Initial per-host timeout in milliseconds (default: 500). Timeouts for retries grow by the backoff factor.

--nodns
    Do not use DNS to resolve hostnames.

--showbackoff
    Display the backoff fingerprint table: the timing pattern of the target's retransmissions, which ike-scan matches against known IKE implementations.

--quiet
    Do not decode the returned packets, so each output line carries less protocol detail.

--aggressive
    Use IKE Aggressive Mode instead of the default Main Mode. This refers to the IKEv1 exchange type, not to sending rate.

--vendor=
    Add a Vendor ID payload with the given hex value. May be given more than once.
Example: --vendor=afcad71368a1f1c96b8696fc77570100 (the RFC 3706 Dead Peer Detection vendor ID)

DESCRIPTION

Ike-scan is a command-line tool for discovering and fingerprinting IKE (Internet Key Exchange) VPN servers. It sends IKE Phase 1 proposals to the specified hosts, decodes any responses, and reports which transform the server accepted along with any Vendor ID payloads it returned. The retransmission backoff pattern and the Vendor IDs together let it identify the IKE implementation behind the responding host. It is useful for security auditing, vulnerability assessment, and troubleshooting VPN configurations.

Security professionals typically use ike-scan to find weak IKE configurations: acceptance of single DES or MD5, small Diffie-Hellman groups, or Aggressive Mode with pre-shared keys. It can equally confirm that a VPN endpoint only negotiates the transforms it is supposed to. The tool can offer a wide range of IKE proposals and can be pointed at specific transforms with --trans.

CAVEATS

Ike-scan traffic is easily detected by intrusion detection systems; a scan that offers many transforms to many hosts stands out. Aggressive Mode deserves particular care: if the target accepts a pre-shared-key proposal it returns a hash derived from that key, which can be attacked offline with a dictionary (this is what psk-crack, shipped with ike-scan, does), so only do this against systems you are authorized to test. Some firewalls block or rate-limit UDP/500 traffic from unknown sources, and ike-scan needs root (or a high --sport) to bind its default source port.

UNDERSTANDING IKE PROPOSALS

IKE proposals define the cryptographic algorithms and parameters offered for the IKE Phase 1 security association. Understanding them is essential for interpreting ike-scan output and spotting weaknesses. Each transform combines an encryption algorithm (e.g. DES, 3DES, AES), a hash algorithm (e.g. MD5, SHA1, SHA-256), an authentication method (e.g. pre-shared key, RSA signature) and a Diffie-Hellman group (e.g. group 2, 1024-bit MODP). In --trans these are given by their numeric IKEv1 attribute values, so 5,2,1,2 means 3DES, SHA1, PSK, group 2.

INTERPRETING THE OUTPUT

For each responding host ike-scan prints one line stating the exchange type (Main or Aggressive Mode Handshake), the accepted transform as SA=(Enc=... Hash=... Auth=... Group=...), and any Vendor IDs (VID=...) with their known meaning. Hosts that reject every proposal typically answer with a Notify message such as NO-PROPOSAL-CHOSEN, and hosts with no IKE service do not answer at all.
Analyzing these lines can reveal weaknesses such as acceptance of single DES, MD5, or 1024-bit and smaller DH groups, and Aggressive Mode responses to PSK proposals. Pay close attention to any warnings or errors ike-scan reports.
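The following script is an added example written for this page; it is not part of ike-scan. It covers both passages above: it decodes a --trans value into the algorithm names ike-scan prints, and it parses handshake lines into the SA=(...) attributes and Vendor IDs so weak choices can be flagged automatically. SAMPLE_OUTPUT is constructed to mimic ike-scan's output format (RFC 5737 documentation addresses, made-up cookies); the attribute tables cover the common values and are assumptions beyond those.

```python
"""Decode --trans values and audit ike-scan handshake lines for weak IKEv1 proposals.

Added example, not ike-scan code. SAMPLE_OUTPUT below is constructed to
resemble ike-scan's output; the hosts and cookies are not real.
"""
import re

# IKEv1 Phase 1 attribute values (RFC 2409 Appendix A; AES per RFC 3602,
# DH groups per RFC 3526). Keys are the numbers --trans takes, values are
# the names ike-scan prints in SA=(...). Less common values are omitted.
ENC = {1: "DES", 5: "3DES", 7: "AES"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "PSK", 3: "RSA_Sig"}
GROUP = {1: "1:modp768", 2: "2:modp1024", 5: "5:modp1536", 14: "14:modp2048"}

SAMPLE_OUTPUT = """\
Starting ike-scan 1.9.4 with 3 hosts
192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=5c8b1d0a6b3e9f21) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800) VID=afcad71368a1f1c96b8696fc77570100 (RFC 3706 DPD v1.0)
192.0.2.11\tAggressive Mode Handshake returned HDR=(CKY-R=0a1b2c3d4e5f6071) SA=(Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=86400) KeyExchange(96 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=192.0.2.11) Hash(16 bytes)
192.0.2.12\tNotify message 14 (NO-PROPOSAL-CHOSEN)

Ending ike-scan 1.9.4: 3 hosts scanned in 0.123 seconds (24.39 hosts/sec).  2 returned handshake; 1 returned notify
"""

HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned "
    r".*?SA=\((?P<sa>[^)]*)\)")
VID_RE = re.compile(r"VID=([0-9a-f]+)")


def trans_to_sa(trans):
    """Decode a --trans value ("5,2,1,2" or "(1=5,2=2,3=1,4=2)") into names.

    Attribute numbers: 1=Enc, 2=Hash, 3=Auth, 4=Group. Unknown values are
    returned as their number so nothing is silently dropped.
    """
    body = trans.strip().strip("()")
    if "=" in body:
        attrs = {int(k): int(v) for k, v in (p.split("=") for p in body.split(","))}
        nums = [attrs.get(i) for i in (1, 2, 3, 4)]
    else:
        nums = [int(x) for x in body.split(",")]
    if len(nums) != 4 or None in nums:
        raise ValueError("expected enc,hash,auth,group: %r" % trans)
    e, h, a, g = nums
    return {"Enc": ENC.get(e, str(e)), "Hash": HASH.get(h, str(h)),
            "Auth": AUTH.get(a, str(a)), "Group": GROUP.get(g, str(g))}


def parse_handshake(line):
    """Return {host, mode, sa, vids} for a handshake line, or None for any other line."""
    m = HANDSHAKE_RE.match(line)
    if not m:
        return None
    sa = dict(kv.split("=", 1) for kv in m.group("sa").split())
    return {"host": m.group("host"), "mode": m.group("mode"), "sa": sa,
            "vids": VID_RE.findall(line)}


def assess(mode, sa):
    """List the weaknesses to flag in one accepted Phase 1 transform."""
    findings = []
    if sa.get("Enc") == "DES":
        findings.append("single DES (56-bit key) is broken")
    elif sa.get("Enc") == "3DES":
        findings.append("3DES is deprecated; prefer AES")
    if sa.get("Hash") == "MD5":
        findings.append("MD5 is a weak hash/PRF")
    bits = re.search(r"modp(\d+)", sa.get("Group", ""))
    if bits and int(bits.group(1)) < 2048:
        findings.append("DH group %s is below 2048 bits" % sa["Group"])
    if mode == "Aggressive" and sa.get("Auth") == "PSK":
        # The responder's hash is computable from the PSK plus exchanged public
        # values, so it can be brute-forced offline (what psk-crack does).
        findings.append("Aggressive Mode with PSK leaks a crackable hash (see psk-crack)")
    return findings


def audit(output):
    """Parse a whole ike-scan run; one record per host that returned a handshake."""
    results = []
    for line in output.splitlines():
        hs = parse_handshake(line)
        if hs:
            hs["findings"] = assess(hs["mode"], hs["sa"])
            results.append(hs)
    return results


if __name__ == "__main__":
    print("--trans=5,2,1,2 means", trans_to_sa("5,2,1,2"))
    for r in audit(SAMPLE_OUTPUT):
        print(r["host"], r["mode"], "Mode:", "; ".join(r["findings"]) or "no findings")
```

Feed real output in with `audit(open("scan.txt").read())`; the regexes only need the handshake lines, so the banner and Notify lines are skipped rather than mis-parsed.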

HISTORY

Ike-scan was written by Roy Hills of NTA Monitor and is now maintained as an open-source project on GitHub.
Its use has grown with the importance of VPN security audits and the need to identify weak IKE configurations.

SEE ALSO

psk-crack(1), nmap(1), tcpdump(1)
