ike-scan is a command-line tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.
ike-scan does two things:
- Discovery: determine which hosts are running IKE, by sending IKE requests and listing the hosts that respond.
- Fingerprinting: determine which IKE implementation each responding host is running. There are three ways to do this: (a) backoff fingerprinting, which records the arrival times of the IKE response packets and compares the observed retransmission backoff pattern against a table of known patterns (ike-scan's --showbackoff option); (b) Vendor ID fingerprinting, which matches the Vendor ID payloads a host returns against known vendor-specific patterns; and (c) matching proprietary (non-standard) notify message codes in the responses.
Basic scan
# ike-scan x.x.x.x
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164	Main Mode Handshake returned
	HDR=(CKY-R=e6e1202cb8c44f2d)
	SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
	VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
	VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
	VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
	VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02)
	VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify
Aggressive mode with user-id
# ike-scan --aggressive --multiline --id akhil x.x.x.x
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164	Aggressive Mode Handshake returned
	HDR=(CKY-R=4fb76b5165da9e05)
	SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(16 bytes)
	ID(Type=ID_IPV4_ADDR, Value=65.111.172.164)
	Hash(20 bytes)
	VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
	VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
	VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
	VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02)
	VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify
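The Main Mode and Aggressive Mode outputs above, parsed and triaged by an added Python script. This is example code written for this page, not part of ike-scan and not the original author's; the SAMPLE text is the page's two outputs re-laid out in ike-scan's --multiline shape (constructed here), and the risk rules in assess() (legacy 3DES, DH group under 2048 bits, PSK offered in Aggressive Mode) are this script's own assumptions about what a tester would follow up on, not anything ike-scan reports itself.

```python
"""Parse ike-scan handshake output and flag what a tester should follow up on.

Added example, not part of ike-scan. SAMPLE is constructed from the page's
output; the rules in assess() are this script's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = r"""
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164  Main Mode Handshake returned
    HDR=(CKY-R=e6e1202cb8c44f2d)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02)
    VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
65.111.172.164  Aggressive Mode Handshake returned
    HDR=(CKY-R=4fb76b5165da9e05)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
    KeyExchange(128 bytes)
    Nonce(16 bytes)
    ID(Type=ID_IPV4_ADDR, Value=65.111.172.164)
    Hash(20 bytes)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.512 seconds (1.95 hosts/sec).  1 returned handshake; 0 returned notify
"""


@dataclass
class IkeResponse:
    host: str
    mode: str                                     # "Main" or "Aggressive"
    sa: dict = field(default_factory=dict)        # accepted transform: {"Enc": "3DES", ...}
    vids: List[Tuple[str, str]] = field(default_factory=list)   # (hex VID, decoded name)
    peer_id: Optional[Tuple[str, str]] = None     # (ID type, value); Aggressive Mode only


# One record starts at each "<ip> <Main|Aggressive> Mode Handshake returned".
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(Main|Aggressive) Mode Handshake returned")
SA_RE = re.compile(r"SA=\(([^)]*)\)")
VID_RE = re.compile(r"VID=([0-9a-f]+)(?:\s+\(([^)]*)\))?")
ID_RE = re.compile(r"ID\(Type=(\w+), Value=([^)]*)\)")


def parse_ike_scan(text: str) -> List[IkeResponse]:
    """Split the output into one record per responding host and extract its payloads."""
    hits = list(HOST_RE.finditer(text))
    records = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        block = text[m.start():end]
        r = IkeResponse(host=m.group(1), mode=m.group(2))
        sa = SA_RE.search(block)
        if sa:  # "Enc=3DES Hash=SHA1 ..." -> dict; tokens without "=" are skipped
            r.sa = dict(kv.split("=", 1) for kv in sa.group(1).split() if "=" in kv)
        r.vids = [(h, name or "unknown") for h, name in VID_RE.findall(block)]
        pid = ID_RE.search(block)
        if pid:
            r.peer_id = (pid.group(1), pid.group(2))
        records.append(r)
    return records


def dh_bits(group: str) -> Optional[int]:
    """Modulus size from a Group field such as "2:modp1024"; None if not a MODP group."""
    m = re.search(r"modp(\d+)", group)
    return int(m.group(1)) if m else None


def assess(r: IkeResponse) -> List[str]:
    """Risk rules (assumptions of this script, not ike-scan output)."""
    findings = []
    if r.mode == "Aggressive" and r.sa.get("Auth") == "PSK":
        findings.append("aggressive-mode PSK: responder hash can be captured with "
                        "ike-scan --pskcrack and brute-forced offline with psk-crack")
    enc = r.sa.get("Enc")
    if enc == "DES":
        findings.append("weak cipher DES")
    elif enc == "3DES":
        findings.append("legacy cipher 3DES")
    if r.sa.get("Hash") == "MD5":
        findings.append("weak hash MD5")
    bits = dh_bits(r.sa.get("Group", ""))
    if bits is not None and bits < 2048:
        findings.append(f"DH group {r.sa['Group']} is below 2048 bits")
    return findings


if __name__ == "__main__":
    for rec in parse_ike_scan(SAMPLE):
        sa = rec.sa
        print(f"{rec.host} {rec.mode} Mode: {sa.get('Enc')}/{sa.get('Hash')}/{sa.get('Auth')}/{sa.get('Group')}")
        for hexvid, name in rec.vids:
            print(f"  VID {hexvid} ({name})")
        for finding in assess(rec):
            print(f"  ! {finding}")
```

The Aggressive Mode handshake matters because the responder's hash is sent before the initiator proves anything, so with a valid group/user ID the same scan run as `ike-scan -A -n <id> -P<outfile> target` writes the parameters needed for an offline dictionary attack with `psk-crack -d <wordlist> <outfile>`; the parser above only flags that the configuration allows it.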