
Ikev2 about ike-scan HOT 19 OPEN

royhills avatar royhills commented on July 2, 2024
Ikev2

from ike-scan.

Comments (19)

royhills avatar royhills commented on July 2, 2024

As you've noted, the current version of ike-scan doesn't support custom transforms for ikev2. It only supports a pre-defined ikev2 transform set, which is generated by the following code in ike-scan.c:

```c
   if (params->ike_version != 1) {      /* IKEv2 Transforms */
      unsigned char *attr;
      size_t attr_len;

      add_attr(0, NULL, 'B', OAKLEY_KEY_LENGTH, 0, 256, NULL);
      attr = add_attr(1, &attr_len, '\0', 0, 0, 0, NULL);
      add_transform2(0, NULL, IKEV2_TYPE_ENCR, IKEV2_ENCR_AES_CBC, attr, attr_len);
      free(attr);
      add_attr(0, NULL, 'B', OAKLEY_KEY_LENGTH, 0, 128, NULL);
      attr = add_attr(1, &attr_len, '\0', 0, 0, 0, NULL);
      add_transform2(0, NULL, IKEV2_TYPE_ENCR, IKEV2_ENCR_AES_CBC, attr, attr_len);
      free(attr);
      add_transform2(0, NULL, IKEV2_TYPE_ENCR, IKEV2_ENCR_3DES, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_ENCR, IKEV2_ENCR_DES, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_PRF, IKEV2_PRF_HMAC_SHA1, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_PRF, IKEV2_PRF_HMAC_MD5, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_INTEG, IKEV2_AUTH_HMAC_SHA1_96, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_INTEG, IKEV2_AUTH_HMAC_MD5_96, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_DH, 2, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_DH, 5, NULL, 0);
      add_transform2(0, NULL, IKEV2_TYPE_DH, 14, NULL, 0);
      transforms = add_transform2(1, &trans_len, 0, 0, NULL, 0);
      no_trans=11;
   }
```

It is possible to alter this code to change the transforms, which is what I've done when experimenting with ikev2, but I realise that's far from ideal.

It would be preferable to add support for custom transforms, but that would require some code refactoring in order to do so neatly.

Now I know that there's some interest in ikev2 enumeration I might look at this. Of course, pull requests are always welcome :-)


Himself132 avatar Himself132 commented on July 2, 2024

If I get some spare time I'd love to contribute and will aim at doing so, but I'll warn you, the extent of my coding is dirty scripting in Python for pen testing. Do you have a good reference to ensure I have the right syntax for similar items above for other encryption, algorithm and DH groups somewhere? I am also a bit confused, maybe you could clarify: is the above block of code sending one request that says "this is what I support" so the server can respond with the default (this is what I'm observing now)? The idea here would be to allow a user the option of which transforms to choose and send that, as well as to enumerate all, correct?


royhills avatar royhills commented on July 2, 2024

The code shown above is constructing the following IKEv2 transforms:

Encryption Algorithm = AES_CBC, 256 bit key
Encryption Algorithm = AES_CBC, 128 bit key
Encryption Algorithm = 3DES
Encryption Algorithm = DES
Pseudo-random Function = SHA1
Pseudo-random Function = MD5
Integrity Algorithm = SHA1
Integrity Algorithm = MD5
Diffie-Hellman Group = 2
Diffie-Hellman Group = 5
Diffie-Hellman Group = 14

This transform set forms part of the proposal which in turn forms part of the SA payload.

RFC 4306 states:

If there are multiple transforms with the same Transform Type, the proposal is an OR of those transforms. If there are multiple Transforms with different Transform Types, the proposal is an AND of the different groups

Which means the proposal is:

Encryption: (AES/256 or AES/128 or 3DES or DES) and
Pseudo-random Function: (SHA1 or MD5) and
Integrity Algorithm: (SHA1 or MD5) and
Diffie-Hellman Group: (2 or 5 or 14)

Edit: the simplest way to enumerate transforms is to send one custom transform at a time and see what responses are returned. But this custom transform needs to be sent instead of the default, not in addition to it.

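A worked example of the proposal encoding and the OR/AND semantics described above, added here and not part of ike-scan or this thread. It encodes the default transform set into an RFC 7296 proposal substructure (protocol IKE, no SPI), decodes it back into per-type groups, and generates the one-combination-at-a-time proposals that the enumeration approach calls for; the transform type and ID values are the IANA IKEv2 registry values as I know them from RFC 7296, and the Python layout is my own.

```python
import struct
from itertools import product
# IKEv2 transform types and transform IDs (IANA IKEv2 registry, RFC 7296)
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
ENCR_DES, ENCR_3DES, ENCR_AES_CBC = 2, 3, 12
PRF_HMAC_MD5, PRF_HMAC_SHA1 = 1, 2
AUTH_HMAC_MD5_96, AUTH_HMAC_SHA1_96 = 1, 2
KEY_LENGTH_ATTR = 0x8000 | 14  # TV-format Key Length attribute (AF bit set)
# ike-scan's default IKEv2 transform set from the excerpt above: (type, id, key bits)
IKE_SCAN_DEFAULT = [
    (ENCR, ENCR_AES_CBC, 256), (ENCR, ENCR_AES_CBC, 128),
    (ENCR, ENCR_3DES, None), (ENCR, ENCR_DES, None),
    (PRF, PRF_HMAC_SHA1, None), (PRF, PRF_HMAC_MD5, None),
    (INTEG, AUTH_HMAC_SHA1_96, None), (INTEG, AUTH_HMAC_MD5_96, None),
    (DH, 2, None), (DH, 5, None), (DH, 14, None),
]

def encode_transform(ttype, tid, key_len, last):
    # Transform substructure: first byte 0 = last transform, 3 = more follow
    attr = struct.pack("!HH", KEY_LENGTH_ATTR, key_len) if key_len else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr

def encode_proposal(transforms, proposal_num=1):
    # Last proposal substructure for protocol IKE (1), SPI size 0 (IKE_SA_INIT)
    body = b"".join(encode_transform(t, i, k, n == len(transforms) - 1)
                    for n, (t, i, k) in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), proposal_num, 1, 0, len(transforms)) + body

def decode_proposal(data):
    # Returns {transform_type: [(id, key_len), ...]}: each list is an OR group and
    # the distinct types are AND-ed, the RFC rule quoted above
    _, _, plen, _, _, spi_size, ntrans = struct.unpack("!BBHBBBB", data[:8])
    off, groups = 8 + spi_size, {}
    for _ in range(ntrans):
        _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[off:off + 8])
        key_len = None
        if tlen > 8:  # only the Key Length attribute is expected in these transforms
            atype, key_len = struct.unpack("!HH", data[off + 8:off + 12])
            if atype != KEY_LENGTH_ATTR:
                raise ValueError("unexpected transform attribute %#x" % atype)
        groups.setdefault(ttype, []).append((tid, key_len))
        off += tlen
    if off != plen:
        raise ValueError("proposal length %d does not match transforms" % plen)
    return groups

def single_choice_proposals(transforms):
    # One proposal per (ENCR, PRF, INTEG, DH) combination, sent one at a time when enumerating
    by_type = {k: [t for t in transforms if t[0] == k] for k in (ENCR, PRF, INTEG, DH)}
    return [encode_proposal(list(combo)) for combo in product(*by_type.values())]
```

The default set decodes to four AND-ed groups (4 x 2 x 2 x 3 choices), so enumerating it one combination at a time means 48 separate proposals.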

Zamanry avatar Zamanry commented on July 2, 2024

I've been trying to understand the yIKEs tool seen here which exclusively supports IKEv2. It is the only custom transform tool I've seen public:

Would love to eventually have ike-scan perform the same function as yIKEs but at a higher level.

If you want super quick IKEv1 full algorithm support, check out Patator:
