IKE-SCAN(1)                 General Commands Manual                IKE-SCAN(1)

NAME

       ike-scan - Discover and fingerprint IKE hosts (IPsec VPN servers)

SYNOPSIS

       ike-scan [options] [hosts...]

       Target hosts must be specified on the command line unless the --file
       option is specified.

DESCRIPTION

       ike-scan discovers IKE hosts and can also fingerprint them using the
       retransmission backoff pattern.

       ike-scan does two things:

       1)     Discovery: Determine which hosts are running IKE.  This is done
              by displaying those hosts which respond to the IKE requests sent
              by ike-scan.

       2)     Fingerprinting: Determine which IKE implementation the hosts are
              using.  There are several ways to do this: (a) backoff
              fingerprinting - recording the times of the IKE response packets
              from the target hosts and comparing the observed retransmission
              backoff pattern against known patterns; (b) Vendor ID
              fingerprinting - matching the vendor-specific Vendor IDs against
              known Vendor ID patterns; and (c) proprietary notify message
              codes.

       The retransmission backoff fingerprinting concept is discussed in more
       detail in the UDP backoff fingerprinting paper, which should be
       included in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.

       The program sends IKE Phase-1 requests to the specified hosts and
       displays any responses that are received.  It handles retry and
       retransmission with backoff to cope with packet loss.  It also limits
       the amount of bandwidth used by the outbound IKE packets.

       IKE is the Internet Key Exchange protocol, which is the key exchange
       and authentication mechanism used by IPsec.  Just about all modern VPN
       systems implement IPsec, and the vast majority of IPsec VPNs use IKE
       for key exchange.

       Phase-1 has two modes: Main Mode and Aggressive Mode.  ike-scan
       supports both Main and Aggressive Mode, and uses Main Mode by default.
       RFC 2409 (IKE) section 5 specifies that Main Mode must be implemented,
       therefore all IKE implementations can be expected to support Main Mode.

OPTIONS

       --help or -h
              Display this usage message and exit.

       --file=<fn> or -f <fn>
              Read hostnames or addresses from the specified file instead of
              from the command line.  One name or IP address per line.  Use
              "-" for standard input.

       --sport=<p> or -s <p>
              Set UDP source port to <p>, default=500, 0=random.  Some IKE
              implementations require the client to use UDP source port 500
              and will not talk to other ports.  Note that superuser
              privileges are normally required to use non-zero source ports
              below 1024.  Also, only one process on a system may bind to a
              given source port at any one time.  Use of the --nat-t option
              changes the default source port to 4500.

       --dport=<p> or -d <p>
              Set UDP destination port to <p>, default=500.  UDP port 500 is
              the assigned port number for ISAKMP and this is the port used by
              most if not all IKE implementations.  Use of the --nat-t option
              changes the default destination port to 4500.

       --retry=<n> or -r <n>
              Set total number of attempts per host to <n>, default=3.

       --timeout=<n> or -t <n>
              Set initial per host timeout to <n> ms, default=500.  This
              timeout is for the first packet sent to each host.  Subsequent
              timeouts are multiplied by the backoff factor which is set with
              --backoff.

       --bandwidth=<n> or -B <n>
              Set desired outbound bandwidth to <n>, default=56000.  The value
              is in bits per second by default.  If you append "K" to the
              value, then the units are kilobits per second; and if you append
              "M" to the value, the units are megabits per second.  The "K"
              and "M" suffixes represent the decimal, not binary, multiples.
              So 64K is 64000, not 65536.

       --interval=<n> or -i <n>
              Set minimum packet interval to <n> ms.  The packet interval will
              be no smaller than this number.  The interval specified is in
              milliseconds by default.  If "u" is appended to the value, then
              the interval is in microseconds, and if "s" is appended, the
              interval is in seconds.  If you want to use up to a given
              bandwidth, then it is easier to use the --bandwidth option
              instead.  You cannot specify both --interval and --bandwidth
              because they are just different ways to change the same
              underlying variable.

       --backoff=<b> or -b <b>
              Set timeout backoff factor to <b>, default=1.50.  The per-host
              timeout is multiplied by this factor after each timeout.  So, if
              the number of retries is 3, the initial per-host timeout is
              500ms and the backoff factor is 1.5, then the first timeout will
              be 500ms, the second 750ms and the third 1125ms.

       --verbose or -v
              Display verbose progress messages.  Use more than once for
              greater effect: 1 - Show when each pass is completed and when
              packets with invalid cookies are received.  2 - Show each packet
              sent and received and when hosts are removed from the list.  3 -
              Display the host, Vendor ID and backoff lists before scanning
              starts.

       --quiet or -q
              Don't decode the returned packet.  This prints less protocol
              information so the output lines are shorter.

       --multiline or -M
              Split the payload decode across multiple lines.  With this
              option, the decode for each payload is printed on a separate
              line starting with a TAB.  This option makes the output easier
              to read, especially when there are many payloads.

       --lifetime=<s> or -l <s>
              Set IKE lifetime to <s> seconds, default=28800.  RFC 2407
              specifies 28800 as the default, but some implementations may
              require different values.  If you specify this as a decimal
              integer, e.g. 86400, then the attribute will use a 4-byte value.
              If you specify it as a hex number, e.g. 0xFF, then the attribute
              will use the appropriate size value (one byte for this example).
              If you specify the string "none" then no lifetime attribute will
              be added at all.  You can use this option more than once in
              conjunction with the --trans options to produce multiple
              transform payloads with different lifetimes.  Each --trans
              option will use the previously specified lifetime value.

       --lifesize=<s> or -z <s>
              Set IKE lifesize to <s> Kilobytes, default=0.  If you specify
              this as a decimal integer, e.g. 86400, then the attribute will
              use a 4-byte value.  If you specify it as a hex number, e.g.
              0xFF, then the attribute will use the appropriate size value
              (one byte for this example).  You can use this option more than
              once in conjunction with the --trans options to produce multiple
              transform payloads with different lifesizes.  Each --trans
              option will use the previously specified lifesize value.

       --auth=<n> or -m <n>
              Set auth. method to <n>, default=1 (PSK).  RFC defined values
              are 1 to 5.  See RFC 2409 Appendix A.  Checkpoint hybrid mode is
              64221.  GSS (Windows "Kerberos") is 65001.  XAUTH uses 65001 to
              65010.  This is not applicable to IKEv2.

       --version or -V
              Display program version and exit.

       --vendor=<v> or -e <v>
              Set vendor id string to hex value <v>.  You can use this option
              more than once to send multiple vendor ID payloads.

       --trans=<t> or -a <t>
              Use custom transform <t> instead of default set.  You can use
              this option more than once to send an arbitrary number of custom
              transforms.  There are two ways to specify the transform: the
              new way, where you specify the attribute/value pairs, and the
              old way, where you specify the values for a fixed list of
              attributes.  For the new method, the transform <t> is specified
              as (attr=value, attr=value, ...) where "attr" is the attribute
              number and "value" is the value to assign to that attribute.
              You can specify an arbitrary number of attribute/value pairs.
              See RFC 2409 Appendix A for details of the attributes and
              values.  Note that brackets are special to some shells, so you
              may need to quote them, e.g. --trans="(1=1,2=2,3=3,4=4)".  For
              example, --trans=(1=1,2=2,3=1,4=2) specifies Enc=3DES-CBC,
              Hash=SHA1, Auth=shared key, DH Group=2; and
              --trans=(1=7,14=128,2=1,3=3,4=5) specifies Enc=AES/128,
              Hash=MD5, Auth=RSA sig, DH Group=5.  For the old method, the
              transform <t> is specified as enc[/len],hash,auth,group, where
              enc is the encryption algorithm, len is the key length for
              variable length ciphers, hash is the hash algorithm, auth is the
              authentication method and group is the DH Group.  For example,
              --trans=5,2,1,2 specifies Enc=3DES-CBC, Hash=SHA1, Auth=shared
              key, DH Group=2; and --trans=7/256,1,1,5 specifies Enc=AES-256,
              Hash=MD5, Auth=shared key, DH Group=5.  This option is not yet
              supported for IKEv2.
187
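       The following Python is an added example, not part of ike-scan or
       this manual: it turns --trans and --lifetime/--lifesize style
       arguments into the wire encoding of a Phase-1 Transform payload, so
       the attribute syntax above can be checked byte by byte.  The split
       between basic (TV) and variable-length (TLV) attributes comes from RFC
       2409 Appendix A and RFC 2408 section 3.3; the function names, the
       old-style field order and the sample values are this example's own
       assumptions.

```python
"""Build IKEv1 Phase-1 Transform payloads from --trans / --lifetime style
arguments.  Added example; not ike-scan's own code."""
import struct

# Attribute classes from RFC 2409 Appendix A.  Basic (B) attributes go on
# the wire in TV form, variable (V) ones in TLV form (RFC 2408 section 3.3).
VARIABLE_ATTRS = {6, 7, 8, 9, 10, 12, 16}
LIFE_TYPE, LIFE_DURATION = 11, 12
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
KEY_IKE = 1  # Transform ID for the IPsec DOI (the --transid default)


def parse_trans(spec):
    """Parse a --trans value in either syntax into [(attr, value), ...].

    New style: "(1=1,2=2,3=1,4=2)".  Old style: "enc[/len],hash,auth,group",
    where a key length becomes attribute 14 right after the cipher (assumed
    ordering for this example)."""
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        pairs = []
        for item in spec[1:-1].split(","):
            attr, value = item.split("=")
            pairs.append((int(attr, 0), int(value, 0)))
        return pairs
    fields = spec.split(",")
    if len(fields) != 4:
        raise ValueError("old-style transform is enc[/len],hash,auth,group")
    enc, _, keylen = fields[0].partition("/")
    pairs = [(1, int(enc))]
    if keylen:
        pairs.append((14, int(keylen)))
    pairs += [(2, int(fields[1])), (3, int(fields[2])), (4, int(fields[3]))]
    return pairs


def parse_lifetime(text):
    """Value bytes for --lifetime / --lifesize, or None for "none".

    A decimal integer is sent as a 4-byte value; a hex literal is sent with
    as many bytes as its digits need (0xFF -> one byte)."""
    if text == "none":
        return None
    if text.lower().startswith("0x"):
        digits = text[2:]
        return int(digits, 16).to_bytes((len(digits) + 1) // 2, "big")
    return int(text).to_bytes(4, "big")


def encode_attr(atype, value):
    """Encode one ISAKMP data attribute.

    TV: AF bit set, 2-byte type, 2-byte value.  TLV: AF bit clear, 2-byte
    type, 2-byte length, then the value bytes."""
    if atype in VARIABLE_ATTRS or isinstance(value, bytes):
        if not isinstance(value, bytes):
            value = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
        return struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"attribute {atype}: {value} does not fit a TV attribute")
    return struct.pack("!HH", 0x8000 | atype, value)


def build_transform(number, pairs, lifetime=None, lifesize=None, last=True):
    """Transform payload (RFC 2408 3.6): 8-byte header plus attributes.

    lifetime/lifesize are the byte strings from parse_lifetime(); each is
    preceded by a Life Type attribute so the responder knows the unit."""
    body = b"".join(encode_attr(a, v) for a, v in pairs)
    if lifetime is not None:
        body += encode_attr(LIFE_TYPE, LIFE_SECONDS) + encode_attr(LIFE_DURATION, lifetime)
    if lifesize is not None:
        body += encode_attr(LIFE_TYPE, LIFE_KILOBYTES) + encode_attr(LIFE_DURATION, lifesize)
    next_payload = 0 if last else 3  # 3 = another Transform payload follows
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), number, KEY_IKE, 0)
    return header + body


if __name__ == "__main__":
    payload = build_transform(1, parse_trans("(1=1,2=2,3=1,4=2)"),
                              lifetime=parse_lifetime("28800"))
    print(payload.hex())
```

       The default lifetime of 28800 therefore costs 12 bytes of the
       transform (a 4-byte Life Type attribute plus an 8-byte Life Duration
       attribute), which is the difference a responder sees between
       --lifetime=28800 and --lifetime=none.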
       --showbackoff[=<n>] or -o[<n>]
              Display the backoff table used to fingerprint the IKE
              implementation on the remote hosts.  The optional argument
              specifies the time to wait in seconds after receiving the last
              packet, default=60.  If you are using the short form of the
              option (-o) then the value must immediately follow the option
              letter with no spaces, e.g. -o25 not -o 25.

       --fuzz=<n> or -u <n>
              Set pattern matching fuzz to <n> ms, default=500.  This sets the
              maximum acceptable difference between the observed backoff times
              and the reference times in the backoff patterns file.  Larger
              values allow for higher variance but also increase the risk of
              false positive identifications.  Any per-pattern-entry fuzz
              specifications in the patterns file will override the value set
              here.

       --patterns=<f> or -p <f>
              Use IKE backoff patterns file <f>,
              default=/usr/local/share/ike-scan/ike-backoff-patterns.  This
              specifies the name of the file containing IKE backoff patterns.
              This file is only used when --showbackoff is specified.
210
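       Added example, not code from ike-scan: the per-host timeout schedule
       produced by --timeout, --backoff and --retry, and a backoff-pattern
       match applying the --fuzz rule (a global fuzz, overridden by a
       per-pattern fuzz).  The pattern line format, the implementation names
       and the observed timestamps are constructed for the example; they are
       not the real ike-backoff-patterns syntax or any vendor's real timings.
       The same observation matches two patterns at the default 500 ms fuzz
       but only one at 200 ms, which is the false-positive risk --fuzz
       warns about.

```python
"""Retransmission schedule and backoff-pattern matching.
Added example; not ike-scan's own code."""


def timeout_schedule(initial_ms=500.0, backoff=1.5, retries=3):
    """Per-host timeouts for each attempt.

    The first timeout is the initial value; each later timeout is the
    previous one multiplied by the backoff factor (the --timeout, --backoff
    and --retry defaults give 500, 750, 1125 ms)."""
    schedule, current = [], float(initial_ms)
    for _ in range(retries):
        schedule.append(current)
        current *= backoff
    return schedule


def parse_pattern_line(line):
    """Parse one line of a constructed pattern list.

    Format used here (an assumption, not the real ike-backoff-patterns
    syntax): NAME<TAB>t1,t2,...[<TAB>fuzz_ms].  Times are seconds relative
    to the first packet seen from the host."""
    parts = line.rstrip("\n").split("\t")
    name = parts[0]
    times = [float(t) for t in parts[1].split(",")]
    fuzz = int(parts[2]) if len(parts) > 2 and parts[2] else None
    return name, times, fuzz


def match_backoff(observed, patterns, fuzz_ms=500):
    """Names of every pattern consistent with the observed packet times.

    observed: absolute receive times (seconds) of the packets from one host.
    A pattern matches when it has the same number of entries and every
    observed relative time is within the fuzz of the reference time.  A
    per-pattern fuzz overrides the global --fuzz value, as the option
    describes (matching rule assumed for this example)."""
    if not observed:
        return []
    relative = [t - observed[0] for t in observed]
    hits = []
    for name, ref, own_fuzz in patterns:
        fuzz = (own_fuzz if own_fuzz is not None else fuzz_ms) / 1000.0
        if len(ref) == len(relative) and all(
            abs(o - r) <= fuzz for o, r in zip(relative, ref)
        ):
            hits.append(name)
    return hits


# Constructed reference patterns; names and timings are invented for the
# example and do not describe any real implementation.
PATTERN_LINES = [
    "Implementation A\t0,2,4,8,16,32",
    "Implementation B\t0,10,20,40",
    "Implementation C\t0,2.3,4.4,8.4,16.4,32.6",
    "Implementation D (strict)\t0,2,4,8,16,32\t50",
]
PATTERNS = [parse_pattern_line(line) for line in PATTERN_LINES]

# Constructed receive timestamps (seconds) for one responding host.
OBSERVED = [100.00, 102.00, 104.01, 108.03, 116.10, 132.15]


if __name__ == "__main__":
    print("timeouts (ms):", timeout_schedule())
    for fuzz in (500, 200):
        print(f"--fuzz={fuzz}:", match_backoff(OBSERVED, PATTERNS, fuzz))
```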
       --aggressive or -A
              Use IKE Aggressive Mode (the default is Main Mode).  If you
              specify --aggressive, then you may also specify --dhgroup, --id
              and --idtype.  If you use custom transforms with aggressive mode
              with the --trans option, note that all transforms should have
              the same DH Group and this should match the group specified with
              --dhgroup or the default if --dhgroup is not used.

       --id=<id> or -n <id>
              Use <id> as the identification value.  This option is only
              applicable to Aggressive Mode.  <id> can be specified as a
              string, e.g. --id=test or as a hex value with a leading "0x",
              e.g. --id=0xdeadbeef.

       --idtype=<n> or -y <n>
              Use identification type <n>.  Default 3 (ID_USER_FQDN).  This
              option is only applicable to Aggressive Mode.  See RFC 2407
              4.6.2 for details of Identification types.

       --dhgroup=<n> or -g <n>
              Use Diffie Hellman Group <n>.  Default 2.  This option is only
              applicable to Aggressive Mode and IKEv2.  For both of these, it
              is used to determine the size of the key exchange payload.  If
              you use Aggressive Mode with custom transforms, then you will
              normally need to use the --dhgroup option unless you are using
              the default DH group.  Acceptable values are
              1,2,5,14,15,16,17,18 (MODP only).

       --gssid=<n> or -G <n>
              Use GSS ID <n> where <n> is a hex string.  This uses transform
              attribute type 16384 as specified in
              draft-ietf-ipsec-isakmp-gss-auth-07.txt, although Windows-2000
              has been observed to use 32001 as well.  For Windows 2000,
              you'll need to use --auth=65001 to specify Kerberos (GSS)
              authentication.

       --random or -R
              Randomise the host list.  This option randomises the order of
              the hosts in the host list, so the IKE probes are sent to the
              hosts in a random order.  It uses the Knuth shuffle algorithm.

       --tcp[=<n>] or -T[<n>]
              Use TCP transport instead of UDP.  This allows you to test a
              host running IKE over TCP.  You won't normally need this option
              because the vast majority of IPsec systems only support IKE over
              UDP.  The optional value <n> specifies the type of IKE over TCP.
              There are currently two possible values: 1 = RAW IKE over TCP as
              used by Checkpoint (default); 2 = Encapsulated IKE over TCP as
              used by Cisco.  If you are using the short form of the option
              (-T) then the value must immediately follow the option letter
              with no spaces, e.g. -T2 not -T 2.  You can only specify a
              single target host if you use this option.

       --tcptimeout=<n> or -O <n>
              Set TCP connect timeout to <n> seconds (default=10).  This is
              only applicable to TCP transport mode.

       --pskcrack[=<f>] or -P[<f>]
              Crack aggressive mode pre-shared keys.  This option outputs the
              aggressive mode pre-shared key (PSK) parameters for offline
              cracking using the "psk-crack" program that is supplied with
              ike-scan.  You can optionally specify a filename, <f>, to write
              the PSK parameters to.  If you do not specify a filename then
              the PSK parameters are written to standard output.  If you are
              using the short form of the option (-P) then the value must
              immediately follow the option letter with no spaces, e.g. -Pfile
              not -P file.  You can only specify a single target host if you
              use this option.  This option is only applicable to IKE
              aggressive mode.
285
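       Added example (not part of ike-scan or psk-crack) showing what the
       offline attack does with the parameters --pskcrack writes out.  In
       aggressive mode with pre-shared key authentication the responder's
       HASH_R depends only on the PSK and on values the initiator sees in the
       clear, so every candidate PSK costs two HMAC computations (RFC 2409
       section 5.4); no further traffic to the VPN server is needed.  The
       colon-separated field order g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:
       nr_b:hash_r and the constructed sample values (far shorter than real
       Diffie-Hellman public values) are assumptions of this example.  A
       shorter nonce from --noncelen shrinks the SKEYID input, which is why
       that option mentions cracking speed.

```python
"""Offline cracking of an IKE aggressive-mode pre-shared key.
Added example; not ike-scan's or psk-crack's own code."""
import hmac

# The digest length identifies the negotiated PRF: HMAC-MD5 (16) or
# HMAC-SHA1 (20), the two hash algorithms of the default proposal.
PRF_BY_DIGEST_LEN = {16: "md5", 20: "sha1"}
# Assumed field order of a --pskcrack output line.
FIELD_NAMES = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b",
               "ni_b", "nr_b", "hash_r")


def compute_hash_r(psk, p, prf):
    """HASH_R as the responder computes it (RFC 2409 section 5.4, PSK auth):
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], prf).digest()
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, prf).digest()


def parse_pskcrack_line(line):
    """Split a colon-separated hex line into the nine HASH_R inputs."""
    fields = [bytes.fromhex(f) for f in line.strip().split(":")]
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def crack(params, candidates):
    """Return the first candidate PSK whose HASH_R matches, else None."""
    prf = PRF_BY_DIGEST_LEN[len(params["hash_r"])]
    for word in candidates:
        if hmac.compare_digest(compute_hash_r(word.encode(), params, prf),
                               params["hash_r"]):
            return word
    return None


# --- constructed responder side, so the example runs offline ------------
# Values are invented and much shorter than real ones (g^x for DH group 2
# is 128 bytes); only their role in the hash matters here.  idir_b is an
# ID payload body: type 3 (ID_USER_FQDN), protocol 17, port 500, then data.
SAMPLE = {
    "g_xr": bytes.fromhex("a1b2c3d4e5f60718"),
    "g_xi": bytes.fromhex("1122334455667788"),
    "cky_r": bytes.fromhex("0badcafe0badcafe"),
    "cky_i": bytes.fromhex("deadbeefdeadbeef"),
    "sai_b": bytes.fromhex("0000000100000001"),
    "idir_b": bytes.fromhex("031101f4") + b"vpn@example.com",
    "ni_b": bytes(range(20)),
    "nr_b": bytes(range(20, 40)),
}


def make_pskcrack_line(psk, prf="sha1"):
    """Emulate the responder: fill in HASH_R for the sample and emit the
    line the scanner would hand to the cracker."""
    p = dict(SAMPLE)
    p["hash_r"] = compute_hash_r(psk, p, prf)
    return ":".join(p[name].hex() for name in FIELD_NAMES)


if __name__ == "__main__":
    line = make_pskcrack_line(b"letmein")
    print(line)
    print("recovered PSK:", crack(parse_pskcrack_line(line), ["password", "letmein"]))
```

       The defensive reading is the same computation seen from the other
       side: any responder that answers aggressive mode with PSK
       authentication hands out a hash of its PSK to anyone who sends one
       packet, so group PSKs exposed this way need to survive a dictionary
       attack.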
       --nodns or -N
              Do not use DNS to resolve names.  If you use this option, then
              all hosts must be specified as IP addresses.

       --noncelen=<n> or -c <n>
              Set the nonce length to <n> bytes.  Default=20.  This option
              controls the length of the nonce payload that is sent in an
              aggressive mode or IKEv2 request.  Normally there is no need to
              use this option unless you want to reduce the nonce size to
              speed up pre-shared key cracking, or if you want to see how a
              particular server handles different length nonce payloads.  RFC
              2409 states that the length of the nonce payload must be between
              8 and 256 bytes, but ike-scan does not enforce this.  Specifying
              a large nonce length will increase the size of the packet sent
              by ike-scan.  A very large nonce length may cause fragmentation,
              or exceed the maximum IP packet size.  This option is only
              applicable to IKE aggressive mode.

       --headerlen=<n> or -L <n>
              Set the length in the ISAKMP header to <n> bytes.  You can use
              this option to manually specify the value to be used for the
              ISAKMP header length.  By default, ike-scan will fill in the
              correct value.  Use this option to manually specify an incorrect
              length.  <n> can be specified as "+n" which sets the length to n
              bytes more than it should be, "-n" which sets it to n bytes
              less, or "n" which sets it to exactly n bytes.  Changing the
              header length to an incorrect value can sometimes disrupt VPN
              servers.

       --mbz=<n> or -Z <n>
              Use the value <n> for reserved (MBZ) fields, default=0.
              Specifying this option makes the outgoing packet non-RFC
              compliant, and should only be used if you want to see how a VPN
              server will respond to invalid packets.  The value of <n>
              should be in the range 0-255.

       --headerver=<n> or -E <n>
              Specify the ISAKMP header version.  The default is 0x10 (16)
              which corresponds to v1.0.  Specifying a non-default value will
              make the outgoing packet non-RFC compliant, and should only be
              used if you want to see how the VPN server reacts to strange
              versions.  The value should be in the range 0-255.

       --certreq=<c> or -C <c>
              Add the CertificateRequest payload <c>.  <c> should be specified
              as a hex value.  The first byte of the hex value will be
              interpreted as the certificate type; the remaining bytes as the
              certificate authority as described in RFC 2408 3.10.  The
              certificate types are listed in RFC 2408 sec 3.9.  RFC 2408
              states "The Certificate Request payload MUST be accepted at any
              point during the exchange".

       --doi=<d> or -D <d>
              Set the SA DOI to <d>, default 1 (IPsec).  You will not normally
              want to change this unless you want to see how the VPN server
              responds to a non-standard DOI.

       --situation=<s> or -S <s>
              Set the SA Situation to <s>, default 1.  The meaning of the
              situation depends on the DOI, and is detailed in the appropriate
              DOI document.  For the IPsec DOI, the default Situation of 1
              represents SIT_IDENTITY_ONLY.  You will not normally want to
              change this unless you want to see how the VPN server responds
              to a non-standard situation.

       --protocol=<p> or -j <p>
              Set the Proposal protocol ID to <p>, default 1.  The meaning of
              the proposal protocol ID depends on the DOI, and is detailed in
              the appropriate DOI document.  For the IPsec DOI, the default
              proposal protocol id of 1 represents PROTO_ISAKMP.  You will not
              normally want to change this unless you want to see how the VPN
              server responds to a non-standard protocol ID.

       --transid=<t> or -k <t>
              Set the Transform ID to <t>, default 1.  The meaning of the
              transform ID depends on the DOI, and is detailed in the
              appropriate DOI document.  For the IPsec DOI, the default
              transform id of 1 represents KEY_IKE.  You will not normally
              want to change this unless you want to see how the VPN server
              responds to a non-standard transform ID.

       --spisize=<n>
              Set the proposal SPI size to <n>.  Default=0.  If this is
              non-zero, then a random SPI of the specified size will be added
              to the proposal payload.  The default of zero means no SPI.

       --hdrflags=<n>
              Set the ISAKMP header flags to <n>.  Default=0.  The flags are
              detailed in RFC 2408 section 3.1.

       --hdrmsgid=<n>
              Set the ISAKMP header message ID to <n>.  Default=0.  This
              should be zero for IKE Phase-1.

       --cookie=<n>
              Set the ISAKMP initiator cookie to <n>.  The cookie value should
              be specified in hex.  By default, the cookies are automatically
              generated and have unique values.  If you specify this option,
              then you can only specify a single target, because ike-scan
              requires unique cookie values to match up the response packets.

       --exchange=<n>
              Set the exchange type to <n>.  This option allows you to change
              the exchange type in the ISAKMP header to an arbitrary value.
              Note that ike-scan only supports Main and Aggressive modes
              (values 2 and 4 respectively).  Specifying other values will
              change the exchange type value in the ISAKMP header, but will
              not adjust the other payloads.  The exchange types are defined
              in RFC 2408 sec 3.1.

       --nextpayload=<n>
              Set the next payload in the ISAKMP header to <n>.  Normally, the
              next payload is automatically set to the correct value.

       --randomseed=<n>
              Use <n> to seed the pseudo random number generator.  This option
              seeds the PRNG with the specified number, which can be useful if
              you want to ensure that the packet data is exactly repeatable
              when it includes payloads with random data such as key exchange
              or nonce.  By default, the PRNG is seeded with an unpredictable
              value.

       --timestamp
              Display timestamps for received packets.  This option causes a
              timestamp to be displayed for each received packet.

       --sourceip=<s>
              Set source IP address for outgoing packets to <s>.  This option
              causes the outgoing IKE packets to have the specified source IP
              address.  The address can either be an IP address in dotted quad
              format, or the string "random" which will use a different random
              source address for each packet that is sent.  If this option is
              used, no packets will be received.  This option requires raw
              socket support, and you will need superuser privileges to use
              this option, even if you specify a high source port.  This
              option does not work on all operating systems.

       --shownum
              Display the host number for received packets.  This displays the
              ordinal host number of the responding host before the IP
              address.  It can be useful when sending many packets to the same
              target IP, to see if any probes are being ignored.

       --nat-t
              Use RFC 3947 NAT-Traversal encapsulation.  This option adds the
              non-ESP marker to the beginning of outgoing packets and strips
              it from received packets, as described in RFC 3947.  It also
              changes the default source port to 4500 and the default
              destination port to 4500, which are the ports for NAT-T IKE.
              These port numbers can be changed with the --sport and --dport
              options, providing they are used after the --nat-t option.
437
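       Added example, not ike-scan's own code: building and decoding the
       28-byte ISAKMP header of RFC 2408 section 3.1 with the --headerlen,
       --headerver, --exchange, --hdrflags, --hdrmsgid, --cookie and --nat-t
       behaviour described above, plus the initiator-cookie check by which
       replies are paired with probes (the "invalid cookies" counted at
       --verbose level 1).  Function names and the sample cookie and payload
       bytes are constructed for the example.

```python
"""ISAKMP header construction and decoding, with RFC 3947 NAT-T
encapsulation.  Added example; not ike-scan's own code."""
import struct

HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBBII"        # I-cookie, R-cookie, next, ver, exch, flags, msgid, len
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prepended on UDP/4500 (RFC 3947)
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational"}


def header_length(actual, override=None):
    """Apply a --headerlen style override: "+n", "-n" or "n".
    None keeps the correct value."""
    if override is None:
        return actual
    if override.startswith(("+", "-")):
        return actual + int(override)  # int("+8") == 8, int("-4") == -4
    return int(override)


def build_packet(icookie, payloads, rcookie=b"\x00" * 8, next_payload=1,
                 version=0x10, exchange=2, flags=0, msgid=0,
                 headerlen=None, nat_t=False):
    """ISAKMP header followed by the payload bytes.

    Defaults mirror a Phase-1 request: next payload 1 (SA), version 0x10,
    exchange 2 (Main Mode), zero flags and message ID, zero responder
    cookie.  With nat_t the non-ESP marker is prepended."""
    if len(icookie) != 8 or len(rcookie) != 8:
        raise ValueError("cookies are 8 bytes")
    length = header_length(HEADER_LEN + len(payloads), headerlen)
    hdr = struct.pack(HEADER_FMT, icookie, rcookie, next_payload,
                      version, exchange, flags, msgid, length)
    pkt = hdr + payloads
    return NON_ESP_MARKER + pkt if nat_t else pkt


def decode_packet(data, nat_t=False):
    """Strip the NAT-T marker if expected and decode the header.

    length_ok is False when the header length disagrees with the bytes
    actually received, which is what a --headerlen probe produces."""
    if nat_t:
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("missing non-ESP marker")
        data = data[4:]
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msgid, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    return {
        "icookie": icky, "rcookie": rcky, "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": exch,
        "exchange_name": EXCHANGE_NAMES.get(exch, f"unknown ({exch})"),
        "flags": flags, "msgid": msgid, "length": length,
        "length_ok": length == len(data),
        "payload": data[HEADER_LEN:],
    }


def match_response(sent_cookies, data, nat_t=False):
    """Pair a received packet with the probe it answers by initiator cookie.

    A unique cookie per probe is what makes this possible; a reply whose
    cookie was never sent is reported as an invalid cookie (returns None)."""
    hdr = decode_packet(data, nat_t)
    return hdr["icookie"] if hdr["icookie"] in sent_cookies else None


if __name__ == "__main__":
    icky = bytes.fromhex("0011223344556677")  # constructed cookie
    pkt = build_packet(icky, b"\xaa" * 12, exchange=4, nat_t=True)
    print(decode_packet(pkt, nat_t=True))
```

       Decoding a packet captured on UDP/4500 without stripping the marker
       would misread four zero bytes as the start of the initiator cookie,
       which is the practical reason --nat-t must be given before --sport
       and --dport when those are also changed.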
       --rcookie=<n>
              Set the ISAKMP responder cookie to <n>.  This sets the responder
              cookie to the specified hex value.  By default, the responder
              cookie is set to zero.

       --ikev2 or -2
              Use IKE version 2.  This causes the outgoing packets to use
              IKEv2 format as defined in RFC 4306 instead of the default IKEv1
              format.  Any packets returned are automatically decoded as IKE
              or IKEv2 depending on their payloads irrespective of this
              option.  The --ikev2 option is currently experimental.  It has
              not been extensively tested, and it only supports sending the
              default proposal.

FILES

       /usr/local/share/ike-scan/ike-backoff-patterns
              List of UDP backoff patterns.  Used when the --showbackoff
              option is specified.

       /usr/local/share/ike-scan/ike-vendor-ids
              List of known Vendor ID patterns.

AUTHOR

       Roy Hills <Roy.Hills@nta-monitor.com>

SEE ALSO

       http://www.nta-monitor.com/wiki/ The ike-scan wiki page.

       http://www.nta-monitor.com/tools/ike-scan/ The ike-scan homepage.



                               January 14, 2007                    IKE-SCAN(1)