[TOOL] PSK Cracking Using IKE Aggressive Mode

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

  • Next message: SecuriTeam: "[NEWS] Cisco IPsec VPN Implementation Group Password Usage Vulnerability"
    To: list@securiteam.com
    Date: 18 Apr 2004 14:25:42 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      PSK Cracking Using IKE Aggressive Mode
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    Presented below is a method and its proof-of-concept tool of recovering
    PSK (prehashed key) from an IKE set in Aggressive Mode.

    IKE Aggressive Mode:
    In IKE Aggressive Mode the authentication hash based on a prehashed key
    (PSK) is transmitted as response to the initial packet of a VPN client who
    wishes to establish an IPSec tunnel. This hash is not encrypted. A packet
    sniffer (i.e. tcpdump) can be used to capture these hashes and a
    dictionary or brute force attack can be used against the hash to recover
    the PSK

    This attack only works in IKE aggressive mode because in IKE Main Mode the
    hash is already encrypted. Based on this fact, we can learn that IKE
    Aggressive Mode is not very secure.

    ADDITIONAL INFORMATION

    The full paper can be found at: <www.ernw.de/download/pskattack.pdf>
    www.ernw.de/download/pskattack.pdf

    The tool's homepage is: <http://ikecrack.sourceforge.net/>
    http://ikecrack.sourceforge.net/

    The information has been provided by <mailto:mlthumann@ids-guide.de>
    Michael Thumann.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Cisco IPsec VPN Implementation Group Password Usage Vulnerability"

    Relevant Pages

    • [NT] Windows 2000/2003 SYN DoS Attack Protection
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Windows 2000/2003 SYN DoS Attack Protection ... The vulnerability resides in the hash table management, ...
      (Securiteam)
    • [NEWS] Default Configuration Information Disclosure in Lotus Domino (Including Password Hashes)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * Lotus Domino R5 WebMail ... hidden field called "HTTPPassword" which contains the password hash. ... Vendor response stating that they couldn't find a way to ...
      (Securiteam)
    • [TOOL] QCrack - Message Diggest Brute Force Tool
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... known hash, or calculate the hash of a given string. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)