IKE-SCAN(1)                 General Commands Manual                IKE-SCAN(1)

NAME
       ike-scan - Discover and fingerprint IKE hosts (IPsec VPN servers)

SYNOPSIS
       ike-scan [options] [hosts...]

       Target hosts must be specified on the command line unless the --file
       option is specified.

DESCRIPTION
       ike-scan discovers IKE hosts and can also fingerprint them using the
       retransmission backoff pattern.

       ike-scan does two things:

       1) Discovery: Determine which hosts are running IKE.  This is done by
          displaying those hosts which respond to the IKE requests sent by
          ike-scan.

       2) Fingerprinting: Determine which IKE implementation the hosts are
          using.  There are several ways to do this: (a) Backoff
          fingerprinting - recording the times of the IKE response packets
          from the target hosts and comparing the observed retransmission
          backoff pattern against known patterns; (b) Vendor ID
          fingerprinting - matching the vendor-specific Vendor IDs against
          known Vendor ID patterns; and (c) proprietary notify message codes.

       The retransmission backoff fingerprinting concept is discussed in more
       detail in the UDP backoff fingerprinting paper, which should be
       included in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.

       The program sends IKE Phase-1 requests to the specified hosts and
       displays any responses that are received.  It handles retry and
       retransmission with backoff to cope with packet loss.  It also limits
       the amount of bandwidth used by the outbound IKE packets.

       IKE is the Internet Key Exchange protocol, which is the key exchange
       and authentication mechanism used by IPsec.  Just about all modern VPN
       systems implement IPsec, and the vast majority of IPsec VPNs use IKE
       for key exchange.

       Phase-1 has two modes: Main Mode and Aggressive Mode.  ike-scan
       supports both Main and Aggressive Mode, and uses Main Mode by default.
       RFC 2409 (IKE) section 5 specifies that Main Mode must be implemented,
       therefore all IKE implementations can be expected to support Main
       Mode.

OPTIONS
       --help or -h
              Display this usage message and exit.

       --file=<fn> or -f <fn>
              Read hostnames or addresses from the specified file instead of
              from the command line.  One name or IP address per line.  Use
              "-" for standard input.

       --sport=<p> or -s <p>
              Set UDP source port to <p>, default=500, 0=random.  Some IKE
              implementations require the client to use UDP source port 500
              and will not talk to other ports.  Note that superuser
              privileges are normally required to use non-zero source ports
              below 1024.  Also, only one process on a system may bind to a
              given source port at any one time.  Use of the --nat-t option
              changes the default source port to 4500.

       --dport=<p> or -d <p>
              Set UDP destination port to <p>, default=500.  UDP port 500 is
              the assigned port number for ISAKMP and this is the port used
              by most if not all IKE implementations.  Use of the --nat-t
              option changes the default destination port to 4500.

       --retry=<n> or -r <n>
              Set total number of attempts per host to <n>, default=3.

       --timeout=<n> or -t <n>
              Set initial per host timeout to <n> ms, default=500.  This
              timeout is for the first packet sent to each host.  Subsequent
              timeouts are multiplied by the backoff factor, which is set
              with --backoff.

       --bandwidth=<n> or -B <n>
              Set desired outbound bandwidth to <n>, default=56000.  The
              value is in bits per second by default.  If you append "K" to
              the value, then the units are kilobits per second; and if you
              append "M" to the value, the units are megabits per second.
              The "K" and "M" suffixes represent the decimal, not binary,
              multiples.  So 64K is 64000, not 65536.

       --interval=<n> or -i <n>
              Set minimum packet interval to <n> ms.  The packet interval
              will be no smaller than this number.  The interval specified
              is in milliseconds by default.  If "u" is appended to the
              value, then the interval is in microseconds, and if "s" is
              appended, the interval is in seconds.  If you want to use up
              to a given bandwidth, then it is easier to use the --bandwidth
              option instead.  You cannot specify both --interval and
              --bandwidth because they are just different ways to change the
              same underlying variable.

       --backoff=<b> or -b <b>
              Set timeout backoff factor to <b>, default=1.50.  The per-host
              timeout is multiplied by this factor after each timeout.  So,
              if the number of retries is 3, the initial per-host timeout is
              500ms and the backoff factor is 1.5, then the first timeout
              will be 500ms, the second 750ms and the third 1125ms.

       --verbose or -v
              Display verbose progress messages.  Use more than once for
              greater effect: 1 - Show when each pass is completed and when
              packets with invalid cookies are received.  2 - Show each
              packet sent and received and when hosts are removed from the
              list.  3 - Display the host, Vendor ID and backoff lists
              before scanning starts.

       --quiet or -q
              Don't decode the returned packet.  This prints less protocol
              information so the output lines are shorter.

       --multiline or -M
              Split the payload decode across multiple lines.  With this
              option, the decode for each payload is printed on a separate
              line starting with a TAB.  This option makes the output easier
              to read, especially when there are many payloads.

       --lifetime=<s> or -l <s>
              Set IKE lifetime to <s> seconds, default=28800.  RFC 2407
              specifies 28800 as the default, but some implementations may
              require different values.  If you specify this as a decimal
              integer, e.g. 86400, then the attribute will use a 4-byte
              value.  If you specify it as a hex number, e.g. 0xFF, then the
              attribute will use the appropriate size value (one byte for
              this example).  If you specify the string "none" then no
              lifetime attribute will be added at all.  You can use this
              option more than once in conjunction with the --trans options
              to produce multiple transform payloads with different
              lifetimes.  Each --trans option will use the previously
              specified lifetime value.

       --lifesize=<s> or -z <s>
              Set IKE lifesize to <s> Kilobytes, default=0.  If you specify
              this as a decimal integer, e.g. 86400, then the attribute will
              use a 4-byte value.  If you specify it as a hex number, e.g.
              0xFF, then the attribute will use the appropriate size value
              (one byte for this example).  You can use this option more
              than once in conjunction with the --trans options to produce
              multiple transform payloads with different lifesizes.  Each
              --trans option will use the previously specified lifesize
              value.

       --auth=<n> or -m <n>
              Set auth. method to <n>, default=1 (PSK).  RFC defined values
              are 1 to 5.  See RFC 2409 Appendix A.  Checkpoint hybrid mode
              is 64221.  GSS (Windows "Kerberos") is 65001.  XAUTH uses
              65001 to 65010.  This is not applicable to IKEv2.

       --version or -V
              Display program version and exit.

       --vendor=<v> or -e <v>
              Set vendor id string to hex value <v>.  You can use this
              option more than once to send multiple vendor ID payloads.

       --trans=<t> or -a <t>
              Use custom transform <t> instead of the default set.  You can
              use this option more than once to send an arbitrary number of
              custom transforms.  There are two ways to specify the
              transform: the new way, where you specify the attribute/value
              pairs, and the old way, where you specify the values for a
              fixed list of attributes.  For the new method, the transform
              <t> is specified as (attr=value, attr=value, ...), where
              "attr" is the attribute number and "value" is the value to
              assign to that attribute.  You can specify an arbitrary number
              of attribute/value pairs.  See RFC 2409 Appendix A for details
              of the attributes and values.  Note that brackets are special
              to some shells, so you may need to quote them, e.g.
              --trans="(1=1,2=2,3=3,4=4)".  For example,
              --trans=(1=1,2=2,3=1,4=2) specifies Enc=3DES-CBC, Hash=SHA1,
              Auth=shared key, DH Group=2; and
              --trans=(1=7,14=128,2=1,3=3,4=5) specifies Enc=AES/128,
              Hash=MD5, Auth=RSA sig, DH Group=5.  For the old method, the
              transform <t> is specified as enc[/len],hash,auth,group, where
              enc is the encryption algorithm, len is the key length for
              variable length ciphers, hash is the hash algorithm, and group
              is the DH Group.  For example, --trans=5,2,1,2 specifies
              Enc=3DES-CBC, Hash=SHA1, Auth=shared key, DH Group=2; and
              --trans=7/256,1,1,5 specifies Enc=AES-256, Hash=MD5,
              Auth=shared key, DH Group=5.  This option is not yet supported
              for IKEv2.
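       The attribute encoding that --trans, --lifetime and --lifesize describe
       above, as an added worked example in Python.  This is not ike-scan's
       own code: it follows the text (decimal lifetime = 4-byte value, hex
       lifetime = as many bytes as the hex digits need, "none" = no attribute)
       and assumes that the hex-sized Life Duration is sent as a
       variable-length attribute rather than a basic one.  Attribute numbers
       and the Transform payload layout are those of RFC 2409 Appendix A and
       RFC 2408 sections 3.3 and 3.6.

```python
import struct

# Attribute classes from RFC 2409 Appendix A, named only for the ones the
# --trans examples on this page use.  "Basic" attributes are sent as a
# 2-byte value with the AF bit set; all others carry an explicit length
# (RFC 2408 section 3.3).
ATTR_NAMES = {1: "Enc", 2: "Hash", 3: "Auth", 4: "Group", 11: "LifeType",
              12: "LifeDuration", 14: "KeyLength"}
BASIC_ATTRS = {1, 2, 3, 4, 5, 11, 13, 14, 15}
LIFE_TYPE, LIFE_DURATION = 11, 12
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2          # Life Type values


def parse_trans_spec(spec):
    """Parse ike-scan's new-style --trans spec "(attr=value,...)" into pairs."""
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("transform spec must be wrapped in parentheses")
    pairs = []
    for item in body[1:-1].split(","):
        attr, value = item.split("=")
        pairs.append((int(attr.strip()), int(value.strip(), 0)))
    return pairs


def encode_attribute(attr_type, value, length=None):
    """Encode one ISAKMP data attribute.  Basic: AF=1 and a 2-byte value.
    Variable-length: AF=0, a 2-byte length, then the value bytes."""
    if length is None and attr_type in BASIC_ATTRS:
        if not 0 <= value <= 0xFFFF:
            raise ValueError("basic attribute value must fit in 16 bits")
        return struct.pack("!HH", 0x8000 | attr_type, value)
    length = 4 if length is None else length
    return struct.pack("!HH", attr_type, length) + value.to_bytes(length, "big")


def life_attributes(spec, life_type):
    """Life Type + Life Duration following the --lifetime/--lifesize rules:
    "none" adds nothing, a decimal integer gives a 4-byte duration, and a
    0x-prefixed hex number gives a duration as wide as its hex digits need
    (assumption: that width is sent as a variable-length attribute, so 0xFF
    is a 1-byte duration)."""
    if spec == "none":
        return b""
    if spec.lower().startswith("0x"):
        digits = spec[2:]
        length, value = (len(digits) + 1) // 2, int(digits, 16)
    else:
        length, value = 4, int(spec)
    return (encode_attribute(LIFE_TYPE, life_type)
            + encode_attribute(LIFE_DURATION, value, length))


def decode_attributes(data):
    """Walk a run of data attributes back into (type, value) pairs."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        attr, second = struct.unpack_from("!HH", data, pos)
        if attr & 0x8000:                       # basic attribute
            out.append((attr & 0x7FFF, second))
            pos += 4
        else:                                   # variable-length attribute
            if pos + 4 + second > len(data):
                raise ValueError("truncated attribute")
            out.append((attr, int.from_bytes(data[pos + 4:pos + 4 + second], "big")))
            pos += 4 + second
    if pos != len(data):
        raise ValueError("trailing bytes after last attribute")
    return out


def build_transform_payload(trans_spec, lifetime="28800", transform_num=1,
                            transform_id=1):
    """Transform payload (RFC 2408 section 3.6) for one --trans spec.
    transform_id 1 is KEY_IKE, the --transid default."""
    attrs = b"".join(encode_attribute(a, v) for a, v in parse_trans_spec(trans_spec))
    attrs += life_attributes(lifetime, LIFE_SECONDS)
    # next payload, RESERVED, payload length, transform #, transform ID, RESERVED2
    header = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), transform_num,
                         transform_id, 0)
    return header + attrs


def describe(transform_payload):
    """Render the attribute section the way ike-scan's decode line does."""
    return ", ".join(f"{ATTR_NAMES.get(t, t)}={v}"
                     for t, v in decode_attributes(transform_payload[8:]))


if __name__ == "__main__":
    payload = build_transform_payload("(1=7,14=128,2=1,3=3,4=5)", "86400")
    print(payload.hex())
    print(describe(payload))
```

       Running the block prints the hex of the AES/128, MD5, RSA-sig, group 5
       transform from the --trans examples with an 86400-second lifetime,
       followed by its decode; the same decoder works on the attribute
       section of a captured Transform payload.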

       --showbackoff[=<n>] or -o[<n>]
              Display the backoff fingerprint table.  This table is used to
              fingerprint the IKE implementation on the remote hosts.  The
              optional argument specifies the time to wait in seconds after
              receiving the last packet, default=60.  If you are using the
              short form of the option (-o) then the value must immediately
              follow the option letter with no spaces, e.g. -o25 not -o 25.

       --fuzz=<n> or -u <n>
              Set pattern matching fuzz to <n> ms, default=500.  This sets
              the maximum acceptable difference between the observed backoff
              times and the reference times in the backoff patterns file.
              Larger values allow for higher variance but also increase the
              risk of false positive identifications.  Any per-pattern-entry
              fuzz specifications in the patterns file will override the
              value set here.

       --patterns=<f> or -p <f>
              Use IKE backoff patterns file <f>,
              default=/usr/local/share/ike-scan/ike-backoff-patterns.  This
              specifies the name of the file containing IKE backoff
              patterns.  This file is only used when --showbackoff is
              specified.
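       How the fuzz matching that --fuzz and --patterns describe works, as an
       added Python example that is not part of ike-scan.  The pattern table
       and the observed timestamps are constructed for illustration and are
       not taken from the real ike-backoff-patterns file; the matching rule
       (every reply time, relative to the first reply, within the fuzz of the
       reference time, with a per-pattern fuzz overriding the global value)
       is an assumption about that file's semantics.  The example also shows
       the false-positive effect of a loose fuzz that the text warns about.

```python
# Constructed reference table in the spirit of ike-backoff-patterns: for
# each implementation, the times (ms, relative to its first reply) at which
# its retransmitted Phase-1 replies arrive, and an optional per-pattern
# fuzz that overrides the global --fuzz value.  These rows are
# illustrative and are not the contents of the real patterns file.
BACKOFF_PATTERNS = [
    ("impl-A (doubling, 2s base)",   [0, 2000, 4000, 8000, 16000], None),
    ("impl-B (linear, 2s step)",     [0, 2000, 4000, 6000, 8000],  None),
    ("impl-C (doubling, 2.5s base)", [0, 2500, 5000, 10000, 20000], None),
    ("impl-D (as A, strict fuzz)",   [0, 2000, 4000, 8000, 16000], 50),
]


def relative_times(timestamps_ms):
    """Receive timestamps -> times relative to the first reply."""
    if not timestamps_ms:
        return []
    first = timestamps_ms[0]
    return [t - first for t in timestamps_ms]


def matches_pattern(observed, reference, fuzz_ms):
    """True when every observed time is within fuzz_ms of the reference.
    A different number of retransmissions is treated as a non-match."""
    if len(observed) != len(reference):
        return False
    return all(abs(o - r) <= fuzz_ms for o, r in zip(observed, reference))


def fingerprint(timestamps_ms, patterns=BACKOFF_PATTERNS, fuzz_ms=500):
    """Names of every pattern the observed backoff matches.  More than one
    name means the fuzz is too loose to identify the implementation."""
    observed = relative_times(timestamps_ms)
    hits = []
    for name, reference, pattern_fuzz in patterns:
        fuzz = fuzz_ms if pattern_fuzz is None else pattern_fuzz
        if matches_pattern(observed, reference, fuzz):
            hits.append(name)
    return hits


# Constructed observation: five replies from one host, timestamps in ms.
OBSERVED = [1000, 3100, 4950, 9200, 16900]

if __name__ == "__main__":
    print(fingerprint(OBSERVED))                # default --fuzz=500: one hit
    print(fingerprint(OBSERVED, fuzz_ms=5000))  # loose fuzz: ambiguous
```

       With the default fuzz the observation matches only impl-A; impl-D has
       the same reference times but its own 50 ms fuzz, which overrides the
       global value and rejects the 100 ms jitter.  Raising the fuzz to
       5000 ms also admits impl-C, which is the false-positive risk the
       --fuzz text describes.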

       --vidpatterns=<f> or -I <f>
              Use Vendor ID patterns file <f>,
              default=/usr/local/share/ike-scan/ike-vendor-ids.  This
              specifies the name of the file containing Vendor ID patterns.
              These patterns are used for Vendor ID fingerprinting.

       --aggressive or -A
              Use IKE Aggressive Mode (the default is Main Mode).  If you
              specify --aggressive, then you may also specify --dhgroup,
              --id and --idtype.  If you use custom transforms with
              aggressive mode with the --trans option, note that all
              transforms should have the same DH Group and this should match
              the group specified with --dhgroup, or the default if
              --dhgroup is not used.

       --id=<id> or -n <id>
              Use <id> as the identification value.  This option is only
              applicable to Aggressive Mode.  <id> can be specified as a
              string, e.g. --id=test, or as a hex value with a leading "0x",
              e.g. --id=0xdeadbeef.

       --idtype=<n> or -y <n>
              Use identification type <n>.  Default 3 (ID_USER_FQDN).  This
              option is only applicable to Aggressive Mode.  See RFC 2407
              4.6.2 for details of Identification types.

       --dhgroup=<n> or -g <n>
              Use Diffie-Hellman Group <n>.  Default 2.  This option is only
              applicable to Aggressive Mode and IKEv2.  For both of these,
              it is used to determine the size of the key exchange payload.
              If you use Aggressive Mode with custom transforms, then you
              will normally need to use the --dhgroup option unless you are
              using the default DH group.  Acceptable values are
              1,2,5,14,15,16,17,18 (MODP only).

       --gssid=<n> or -G <n>
              Use GSS ID <n> where <n> is a hex string.  This uses transform
              attribute type 16384 as specified in
              draft-ietf-ipsec-isakmp-gss-auth-07.txt, although Windows-2000
              has been observed to use 32001 as well.  For Windows 2000,
              you'll need to use --auth=65001 to specify Kerberos (GSS)
              authentication.

       --random or -R
              Randomise the host list.  This option randomises the order of
              the hosts in the host list, so the IKE probes are sent to the
              hosts in a random order.  It uses the Knuth shuffle algorithm.

       --tcp[=<n>] or -T[<n>]
              Use TCP transport instead of UDP.  This allows you to test a
              host running IKE over TCP.  You won't normally need this
              option because the vast majority of IPsec systems only support
              IKE over UDP.  The optional value <n> specifies the type of
              IKE over TCP.  There are currently two possible values: 1 =
              RAW IKE over TCP as used by Checkpoint (default); 2 =
              Encapsulated IKE over TCP as used by Cisco.  If you are using
              the short form of the option (-T) then the value must
              immediately follow the option letter with no spaces, e.g. -T2
              not -T 2.  You can only specify a single target host if you
              use this option.

       --tcptimeout=<n> or -O <n>
              Set TCP connect timeout to <n> seconds (default=10).  This is
              only applicable to TCP transport mode.

       --pskcrack[=<f>] or -P[<f>]
              Crack aggressive mode pre-shared keys.  This option outputs
              the aggressive mode pre-shared key (PSK) parameters for
              offline cracking using the "psk-crack" program that is
              supplied with ike-scan.  You can optionally specify a
              filename, <f>, to write the PSK parameters to.  If you do not
              specify a filename then the PSK parameters are written to
              standard output.  If you are using the short form of the
              option (-P) then the value must immediately follow the option
              letter with no spaces, e.g. -Pfile not -P file.  You can only
              specify a single target host if you use this option.  This
              option is only applicable to IKE aggressive mode.

       --nodns or -N
              Do not use DNS to resolve names.  If you use this option, then
              all hosts must be specified as IP addresses.

       --noncelen=<n> or -c <n>
              Set the nonce length to <n> bytes.  Default=20.  This option
              controls the length of the nonce payload that is sent in an
              aggressive mode or IKEv2 request.  Normally there is no need
              to use this option unless you want to reduce the nonce size to
              speed up pre-shared key cracking, or if you want to see how a
              particular server handles different length nonce payloads.
              RFC 2409 states that the length of the nonce payload must be
              between 8 and 256 bytes, but ike-scan does not enforce this.
              Specifying a large nonce length will increase the size of the
              packet sent by ike-scan.  A very large nonce length may cause
              fragmentation, or exceed the maximum IP packet size.  This
              option is only applicable to IKE aggressive mode.

       --headerlen=<n> or -L <n>
              Set the length in the ISAKMP header to <n> bytes.  You can use
              this option to manually specify the value to be used for the
              ISAKMP header length.  By default, ike-scan will fill in the
              correct value.  Use this option to manually specify an
              incorrect length.  <n> can be specified as "+n", which sets
              the length to n bytes more than it should be, "-n", which sets
              it to n bytes less, or "n", which sets it to exactly n bytes.
              Changing the header length to an incorrect value can sometimes
              disrupt VPN servers.

       --mbz=<n> or -Z <n>
              Use the value <n> for reserved (MBZ) fields, default=0.
              Specifying this option makes the outgoing packet non-RFC
              compliant, and should only be used if you want to see how a
              VPN server will respond to invalid packets.  The value of <n>
              should be in the range 0-255.

       --headerver=<n> or -E <n>
              Specify the ISAKMP header version.  The default is 0x10 (16),
              which corresponds to v1.0.  Specifying a non-default value
              will make the outgoing packet non-RFC compliant, and should
              only be used if you want to see how the VPN server reacts to
              strange versions.  The value should be in the range 0-255.

       --certreq=<c> or -C <c>
              Add the CertificateRequest payload <c>.  <c> should be
              specified as a hex value.  The first byte of the hex value
              will be interpreted as the certificate type; the remaining
              bytes as the certificate authority, as described in RFC 2408
              3.10.  The certificate types are listed in RFC 2408 sec 3.9.
              RFC 2048 states "The Certificate Request payload MUST be
              accepted at any point during the exchange".

       --doi=<d> or -D <d>
              Set the SA DOI to <d>, default 1 (IPsec).  You will not
              normally want to change this unless you want to see how the
              VPN server responds to a non-standard DOI.

       --situation=<s> or -S <s>
              Set the SA Situation to <s>, default 1.  The meaning of the
              situation depends on the DOI, and is detailed in the
              appropriate DOI document.  For the IPsec DOI, the default
              Situation of 1 represents SIT_IDENTITY_ONLY.  You will not
              normally want to change this unless you want to see how the
              VPN server responds to a non-standard situation.

       --protocol=<p> or -j <p>
              Set the Proposal protocol ID to <p>, default 1.  The meaning
              of the proposal protocol ID depends on the DOI, and is
              detailed in the appropriate DOI document.  For the IPsec DOI,
              the default proposal protocol ID of 1 represents PROTO_ISAKMP.
              You will not normally want to change this unless you want to
              see how the VPN server responds to a non-standard protocol ID.

       --transid=<t> or -k <t>
              Set the Transform ID to <t>, default 1.  The meaning of the
              transform ID depends on the DOI, and is detailed in the
              appropriate DOI document.  For the IPsec DOI, the default
              transform ID of 1 represents KEY_IKE.  You will not normally
              want to change this unless you want to see how the VPN server
              responds to a non-standard transform ID.

       --spisize=<n>
              Set the proposal SPI size to <n>.  Default=0.  If this is
              non-zero, then a random SPI of the specified size will be
              added to the proposal payload.  The default of zero means no
              SPI.

       --hdrflags=<n>
              Set the ISAKMP header flags to <n>.  Default=0.  The flags are
              detailed in RFC 2408 section 3.1.

       --hdrmsgid=<n>
              Set the ISAKMP header message ID to <n>.  Default=0.  This
              should be zero for IKE Phase-1.

       --cookie=<n>
              Set the ISAKMP initiator cookie to <n>.  The cookie value
              should be specified in hex.  By default, the cookies are
              automatically generated and have unique values.  If you
              specify this option, then you can only specify a single
              target, because ike-scan requires unique cookie values to
              match up the response packets.

       --exchange=<n>
              Set the exchange type to <n>.  This option allows you to
              change the exchange type in the ISAKMP header to an arbitrary
              value.  Note that ike-scan only supports Main and Aggressive
              modes (values 2 and 4 respectively).  Specifying other values
              will change the exchange type value in the ISAKMP header, but
              will not adjust the other payloads.  The exchange types are
              defined in RFC 2408 sec 3.1.

       --nextpayload=<n>
              Set the next payload in the ISAKMP header to <n>.  Normally,
              the next payload is automatically set to the correct value.

       --randomseed=<n>
              Use <n> to seed the pseudo random number generator.  This
              option seeds the PRNG with the specified number, which can be
              useful if you want to ensure that the packet data is exactly
              repeatable when it includes payloads with random data such as
              key exchange or nonce.  By default, the PRNG is seeded with an
              unpredictable value.

       --timestamp
              Display timestamps for received packets.  This option causes a
              timestamp to be displayed for each received packet.

       --sourceip=<s>
              Set source IP address for outgoing packets to <s>.  This
              option causes the outgoing IKE packets to have the specified
              source IP address.  The address can either be an IP address in
              dotted quad format, or the string "random", which will use a
              different random source address for each packet that is sent.
              If this option is used, no packets will be received.  This
              option requires raw socket support, and you will need
              superuser privileges to use this option, even if you specify a
              high source port.  This option does not work on all operating
              systems.

       --shownum
              Display the host number for received packets.  This displays
              the ordinal host number of the responding host before the IP
              address.  It can be useful when sending many packets to the
              same target IP, to see if any probes are being ignored.

       --nat-t
              Use RFC 3947 NAT-Traversal encapsulation.  This option adds
              the non-ESP marker to the beginning of outgoing packets and
              strips it from received packets, as described in RFC 3947.  It
              also changes the default source port to 4500 and the default
              destination port to 4500, which are the ports for NAT-T IKE.
              These port numbers can be changed with the --sport and --dport
              options, providing they are used after the --nat-t option.
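       A decoder for the header fields that --headerlen, --headerver,
       --hdrflags, --hdrmsgid, --exchange and --nat-t manipulate, written
       from the receiving side, as an added Python example that is not
       ike-scan code.  It strips the RFC 3947 non-ESP marker when the packet
       arrived on the NAT-T port, checks the header length against the
       datagram, and reports the other deviations from the RFC 2408 section
       3.1 header layout that those options can produce, which is the check
       a VPN gateway or an IDS rule would apply to such a probe.  The
       initiator cookie, the zero responder cookie and the placeholder SA
       body are constructed sample values, and header_length() is this
       example's own reading of the "+n"/"-n"/"n" forms described under
       --headerlen.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1: 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"        # RFC 3947 marker on UDP port 4500
PHASE1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode"}
FLAG_MASK = 0x07                            # E, C, A bits; the rest must be zero


def header_length(actual, spec):
    """Resolve a --headerlen spec: "+n" is n bytes more than the correct
    length, "-n" n bytes less, "n" exactly n bytes."""
    if spec[0] in "+-":
        return actual + int(spec)            # int("+10") == 10, int("-3") == -3
    return int(spec)


def build_isakmp(icookie, rcookie, next_payload, version, exchange, flags,
                 msg_id, body, nat_t=False, length=None):
    """ISAKMP header + body; the length defaults to the correct value, as
    ike-scan fills it in unless --headerlen overrides it."""
    if length is None:
        length = ISAKMP_HDR.size + len(body)
    hdr = ISAKMP_HDR.pack(icookie, rcookie, next_payload, version, exchange,
                          flags, msg_id, length)
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


def parse_isakmp(datagram, nat_t=False):
    """Decode the header and list the anomalies a detection rule would
    flag.  Returns (fields or None, [problem strings])."""
    problems = []
    if nat_t:
        if datagram[:4] != NON_ESP_MARKER:
            return None, ["no non-ESP marker on a UDP 4500 packet (ESP-in-UDP, not IKE)"]
        datagram = datagram[4:]
    if len(datagram) < ISAKMP_HDR.size:
        return None, ["datagram shorter than the 28-byte ISAKMP header"]
    (icookie, rcookie, next_payload, version, exchange,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(datagram)
    fields = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
              "next_payload": next_payload, "version": version,
              "exchange": exchange, "flags": flags, "msg_id": msg_id,
              "length": length}
    if length != len(datagram):
        problems.append(f"header length {length} != datagram length {len(datagram)}")
    if version not in (0x10, 0x20):            # v1.0 (IKEv1) or v2.0 (IKEv2)
        problems.append(f"unexpected ISAKMP version 0x{version:02x}")
    if flags & ~FLAG_MASK:
        problems.append(f"reserved (MBZ) flag bits set: 0x{flags:02x}")
    if version == 0x10 and exchange not in PHASE1_EXCHANGES:
        problems.append(f"exchange type {exchange} is not Main (2) or Aggressive (4)")
    if version == 0x10 and exchange in PHASE1_EXCHANGES and msg_id != 0:
        problems.append(f"Phase-1 message ID should be zero, got {msg_id}")
    return fields, problems


# Constructed sample values: a fixed initiator cookie, the zero responder
# cookie ike-scan sends by default, and placeholder bytes standing in for
# the SA payload that would follow the header.
ICOOKIE = bytes.fromhex("0123456789abcdef")
RCOOKIE = bytes(8)
BODY = bytes(12)

if __name__ == "__main__":
    good = build_isakmp(ICOOKIE, RCOOKIE, 1, 0x10, 2, 0, 0, BODY)
    print(parse_isakmp(good))
    bad = build_isakmp(ICOOKIE, RCOOKIE, 1, 0x10, 2, 0x80, 7, BODY,
                       length=header_length(28 + len(BODY), "+10"))
    print(parse_isakmp(bad)[1])
```

       The well-formed Main Mode header decodes with an empty problem list;
       the second packet, built the way --headerlen=+10, --hdrflags=0x80 and
       --hdrmsgid=7 would build it, is reported on all three counts.
       Parsing a plain port-500 packet with nat_t=True returns no fields,
       because the first four bytes of the initiator cookie are not the
       zero marker.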

       --rcookie=<n>
              Set the ISAKMP responder cookie to <n>.  This sets the
              responder cookie to the specified hex value.  By default, the
              responder cookie is set to zero.

       --ikev2 or -2
              Use IKE version 2.  This causes the outgoing packets to use
              IKEv2 format as defined in RFC 4306 instead of the default
              IKEv1 format.  Any packets returned are automatically decoded
              as IKE or IKEv2 depending on their payloads, irrespective of
              this option.  The --ikev2 option is currently experimental.
              It has not been extensively tested, and it only supports
              sending the default proposal.

FILES
       /usr/local/share/ike-scan/ike-backoff-patterns
              List of UDP backoff patterns.  Used when the --showbackoff
              option is specified.

       /usr/local/share/ike-scan/ike-vendor-ids
              List of known Vendor ID patterns.

AUTHOR
       Roy Hills <Roy.Hills@nta-monitor.com>

SEE ALSO
       http://www.nta-monitor.com/wiki/ The ike-scan wiki page.

       http://www.nta-monitor.com/tools/ike-scan/ The ike-scan homepage.

                               January 14, 2007                    IKE-SCAN(1)