Post on 11-Jan-2016
transcript
IPSec/IKE Protocol HackingIPSec/IKE Protocol HackingToorCon 2K2 – San Diego, CAToorCon 2K2 – San Diego, CA
IPSec/IKE Protocol HackingIPSec/IKE Protocol HackingToorCon 2K2 – San Diego, CAToorCon 2K2 – San Diego, CA
Anton Rager Sr. Security Consultant Avaya Security Consulting
2
Agenda
• IKE Overview and Protocol Weaknesses
• Vendor Implementation Problems
• IKE Tools discussion and demo
3
SA_R+KE_R+Nonce_R+ID_R+Hash_R
SA_I+KE_I+Nonce_I+ID_I
[Hash_I]
Initiator
Cookie_IResponder
Cookie_R
• Note: Aggressive uses ID that is independent of initiator IP
Aggressive Mode IKE
4
SA_RSA_I
KE_I+Nonce_I
Initiator
Cookie_IResponder
Cookie_R
KE_R+Nonce_R
[ID_I][ID_R]
[Hash_I]
[Hash_R]
Main Mode IKE
• Note: ID is normally IP address of each endpoint
5
Aggressive Mode ID
• ID sent in clear- Well known problem• IETF specifies that aggressive mode will send
ID [UserID or GroupID] in clear• Eavesdropper can collect remote access user
IDs• Some vendors have proprietary ways of
hashing ID when using their client to hide ID• Interoperability [SafeNet/PGPNet] requires
IETF adherence – ID leakage
6
Aggressive Mode PSK Attacks
• PSK [password or shared-secret] authentication uses a hash sent in the clear
• HASH is derived from public exchanged info + PSK
• Bruteforce/Dictionary attacks possible against HASH as a passive listener
• Some vendors use DH private value for hash derivation to prevent passive attacks – attack must be active MITM with knowledge of hashing method
7
SA_R+KE_R+Nonce_R+ID_R+Hash_R
SA_I+KE_I+Nonce_I+ID_I
[Hash_I]
Initiator
Cookie_IResponder
Cookie_R
Attack ProcessAggressive PSK Cracking
Assume MD5-HMAC for Hash function – based on hash in SA
Responder Hash:
HASH_R=MD5-HMAC(MD5-HMAC(Guessed PSK, Nonce_I + Nonce_R), resp DH pub, init DH pub + cookie_R + cookie_I + init SA header + resp ID header)
8
Aggressive Mode ID Enumeration
• IKE protocol specification does not discuss how invalid ID should be handled. Many implementations respond with an invalid ID during the initial IKE negotiation – others just don’t respond
• This can allow an active dictionary/bruteforce enumeration
• Submit IKE initiator frame to concentrator with guessed ID. Concentrator will tell you if guess is wrong
• Vendor Workarounds: Obfuscation responses
9
Main Mode PSK Attacks
• Similar problem to aggressive mode, except HASH is passed encrypted.
• Main Mode requires an active or MITM attack to attack PSK to derive DH secret
• IDs are normally the IPs of endpoints• We will guess the PSK and try to
determine the encryption key for the 1st encrypted packet
10
SA_RSA_I
KE_I+Nonce_I
Initiator
Cookie_IResponder
(Attacker)
Cookie_R
KE_R+Nonce_R
[ID_I][ID_R]
[Hash_I]
[Hash_R]
Attack ProcessMain Mode PSK Cracking
11
• Collect public IKE values [Nonces, DH Public values, Cookies, headers, etc] and assume IDs are IP endpoint IPs
• Collect 1ST encrypted packet• Calculate DH Secret• Choose PSK value and calculate SYKEYID,
SKEYID_d, KEYID_a, KEYID_e• Generate IV from hash of DH Public values• Decrypt packet with IV and SKEYID_e – check
for known plaintext to validate
Attack ProcessMain Mode PSK Cracking
12
Main Mode Policy Enumeration
• Similar to aggressive mode ID enumeration• Peer will only respond to valid IP address that
has a defined policy• Attacker can send spoofed init frames to
“peer” to search IP address space• Correct IP will cause an SA proposal reply
from “peer”• Some vendors will send a “no proposal
choosen” if SA is from invalid host
13
Implementation Vulnerabilities
• Cisco VPN Client 3.5
• Cisco VPN Client 1.1
• SafeNet/IRE SoftPK and SoftRemote
• PGPFreeware 7.03 - PGPNet
14
Tools
• IKECrack – aggressive mode PSK cracker
• IKEProbe – IKE packet mangler
15
IKECrackhttp://ikecrack.sourceforge.net
• IKE PSK Cracker – dictionary, hybrid, brute• Simplistic implementation – Aggressive mode
only• Must use IETF HASH_R calculations (RFC
2409)• MD5 HMAC only – 93K kps on 1.8ghz P4• PERL script that requires HMAC PerlMod and
uses tcpdump –x output for capture – It’s a hack, but it works.
16
IKEProberhttp://ikecrack.sourceforge.net
• Command-line utility for building arbitrary IKE packets
• Supports common IKE options and allows user specified data or repeated chars
• Useful for finding BoF problems with option parsing – Used to find Cisco/PGPNet/Safenet probs
• Perl based and requires NetCat in Unix -- Also a hack.
• Can also be used for user enumeration
17
Contact Info
• IKE Tools and preso Download http://ikecrack.sourceforge.net
• Anton Rager arager@avaya.com
• Code criticism: This is proof-of-concept stuff -- fix it yourself