500 (IPSEC IKE)

ike-scan IP -A

  • aggressive mode (-A): returns the PSK data

ike-scan IP -M

  • multi-line output, easier to read

  • SA (Security Association data): copy it.

If SNMP is open, make sure to do some snmpwalk to look for VPN PSK data, which you can use together with the SA data (hash type, group).

Life duration: ike-scan prints it as hexadecimal characters ---> convert it to decimal ---> then to hours (this is the ikelifetime value used in the config below).
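As an added example (not part of this note), a small Python helper that pulls the SA line out of ike-scan -M output, converts the hex LifeDuration to seconds and to an ikelifetime= value, and builds the matching ike= proposal string for the conn block. The scan output embedded below is constructed, and the field names (Enc, Hash, Group, KeyLength, LifeDuration) are assumed to follow ike-scan's usual output layout.

```python
import re

# Constructed sample in the shape of `ike-scan -M -A` output; not a real scan result.
SAMPLE = (
    "10.10.10.1\tAggressive Mode Handshake returned\n"
    "\tHDR=(CKY-R=0a1b2c3d4e5f6071)\n"
    "\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
    "LifeType=Seconds LifeDuration(4)=0x00007080)\n"
    "\tID(Type=ID_IPV4_ADDR, Value=10.10.10.1)\n"
)

SA_LINE = re.compile(r"SA=\((.*)\)")
FIELD = re.compile(r"(\w+)(?:\(\d+\))?=(\S+)")  # also matches LifeDuration(4)=0x...

# ike-scan names -> strongSwan ike= keywords (assumed mapping, common cases only)
ENC = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256", "SHA2-384": "sha384"}


def parse_sa(text):
    """Return the attributes inside SA=( ... ) as a dict, or {} if absent."""
    m = SA_LINE.search(text)
    return dict(FIELD.findall(m.group(1))) if m else {}


def life_duration_seconds(sa):
    """LifeDuration is printed as hex; convert it to decimal seconds."""
    if sa.get("LifeType") != "Seconds":
        raise ValueError("LifeType is not Seconds: %r" % sa.get("LifeType"))
    return int(sa["LifeDuration"], 16)


def ikelifetime(sa):
    """Express the lifetime in a unit strongSwan's ikelifetime= accepts (h, m or s)."""
    s = life_duration_seconds(sa)
    if s % 3600 == 0:
        return f"{s // 3600}h"
    return f"{s // 60}m" if s % 60 == 0 else f"{s}s"


def ike_proposal(sa):
    """Build the strongSwan ike= string (enc-hash-group) from the SA fields."""
    enc = ENC[sa["Enc"]]
    if enc == "aes":
        enc += sa.get("KeyLength", "128")  # ike-scan adds KeyLength=... for AES
    group = sa["Group"].split(":")[-1]     # "2:modp1024" -> "modp1024"
    return f"{enc}-{HASH[sa['Hash']]}-{group}"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    print(sa)
    print("ikelifetime=" + ikelifetime(sa))
    print("ike=" + ike_proposal(sa))
```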

apt install strongswan

Once installed, edit /etc/ipsec.secrets

and paste the following (the separator between the ID pair and the PSK is a colon):

VICTIM_IP %any : PSK "paste the plain text PSK"

Edit /etc/ipsec.conf

Insert a sample VPN connection:

conn BOX_NAME
    type=transport            # transport mode: protect traffic between the two hosts
    keyexchange=ikev1
    left=your_IP
    leftprotoport=tcp
    right=victim-IP
    rightprotoport=tcp
    authby=psk
    esp=3des-sha1             # match the ESP transform from the SA data
    ike=3des-sha1-modp1024    # enc-hash-group from the SA data (strongSwan spells the group modpNNNN)
    ikelifetime=8h            # converted LifeDuration
    auto=start

ipsec start --nofork

leftprotoport=tcp & rightprotoport=tcp

  • set these if TCP ports are hidden from us.

For troubleshooting IKE issues, see https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-traffic.html

If there are no errors, run an nmap scan with the -sT option!

(You cannot do a SYN scan, nmap's default, while the client is going through the VPN; you have to complete a full TCP handshake, which is what -sT does.)
