IPsec / IKE VPN
aka ike, isakmp, vpn
IPsec VPN key exchange on 500/udp. Fingerprint the gateway with ike-scan; if Aggressive Mode with PSK authentication is enabled, the gateway returns a hash derived from the PSK before authenticating you, which can be cracked offline and then used to authenticate to the VPN.
Ports
| Port | Proto | Notes |
|---|---|---|
| 500 | udp | IKE / ISAKMP |
| 4500 | udp | IPsec NAT-T |
Fingerprint
- ike-scan returns a handshake + vendor ID (Cisco, Fortinet, etc.)
- nmap -sU -p500 shows isakmp open
Exploitation primitives
- ike-scan fingerprints the VPN vendor/version
- Aggressive Mode leaks the PSK hash → crack offline with psk-crack
- Cracked PSK + a valid username/group = VPN access into the internal network
Overview
IKE on 500/udp negotiates IPsec VPN tunnels. The classic win is an Aggressive Mode gateway, which hands back a crackable PSK hash before authentication.
Enumeration
Fingerprint the gateway:
sudo ike-scan -M <TARGET>
Test for Aggressive Mode and save the PSK hash (-n supplies the IKE identity / group name, -P writes the hash in psk-crack format):
sudo ike-scan -M -A -n fakegroup -P psk.txt <TARGET>
Crack the PSK
psk-crack -d /usr/share/wordlists/rockyou.txt psk.txt
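For the defender's side of the same check, here is an added example (not part of the original page) that turns the ike-scan output above into a repeatable audit: it reads ike-scan's per-host handshake lines, reports any gateway that answers Aggressive Mode with PSK authentication (the PSK-hash exposure described above), and also flags legacy transforms (DES/3DES, MD5/SHA1, MODP groups below 2048 bits). The sample output embedded in the script is constructed to mimic ike-scan's line format and is not a real scan result; the host addresses are documentation ranges.

```python
"""Audit ike-scan output for Aggressive Mode / PSK exposure and weak IKE transforms."""
import re
from typing import Dict, List

# Constructed sample in ike-scan's line format (not a real scan): one gateway that
# only answers Main Mode with certificate auth and modern transforms, and one that
# accepts Aggressive Mode with PSK auth and legacy transforms.
SAMPLE_IKE_SCAN_OUTPUT = """\
Starting ike-scan with 2 hosts
192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=3f2a1b4c5d6e7f80) SA=(Enc=AES KeyLength=256 Hash=SHA256 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
192.0.2.20\tAggressive Mode Handshake returned HDR=(CKY-R=0a1b2c3d4e5f6a7b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=192.0.2.20) Hash(20 bytes)
Ending ike-scan: 2 hosts scanned. 2 returned handshake; 0 returned notify
"""

# Matches "<host> <Main|Aggressive> Mode Handshake returned ... SA=(...)".
HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Main|Aggressive) Mode Handshake returned .*?SA=\((?P<sa>[^)]*)\)"
)

WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
MIN_MODP_BITS = 2048


def parse_sa(sa: str) -> Dict[str, str]:
    """Turn 'Enc=3DES Hash=SHA1 Group=2:modp1024 ...' into a dict of attributes."""
    return dict(tok.split("=", 1) for tok in sa.split() if "=" in tok)


def audit_ike_scan(output: str) -> List[Dict[str, object]]:
    """Return one record per responding gateway with the list of issues found."""
    results: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue  # banner, summary or notify lines carry no SA to assess
        sa = parse_sa(m.group("sa"))
        issues: List[str] = []
        if m.group("mode") == "Aggressive":
            if sa.get("Auth") == "PSK":
                issues.append("aggressive-mode-psk: PSK hash disclosed pre-auth, offline crackable")
            else:
                issues.append("aggressive-mode: identity sent in the clear")
        if sa.get("Enc") in WEAK_ENC:
            issues.append(f"weak-enc: {sa['Enc']}")
        if sa.get("Hash") in WEAK_HASH:
            issues.append(f"weak-hash: {sa['Hash']}")
        modp = re.search(r"modp(\d+)", sa.get("Group", ""))
        if modp and int(modp.group(1)) < MIN_MODP_BITS:
            issues.append(f"weak-dh: modp{modp.group(1)}")
        results.append({
            "host": m.group("host"),
            "mode": m.group("mode"),
            "auth": sa.get("Auth"),
            "issues": issues,
        })
    return results


def main() -> None:
    """Print a PASS/FAIL line per gateway; feed real output via stdin in practice."""
    for r in audit_ike_scan(SAMPLE_IKE_SCAN_OUTPUT):
        status = "FAIL" if r["issues"] else "OK  "
        print(f"{status} {r['host']} {r['mode']} Mode Auth={r['auth']}")
        for issue in r["issues"]:
            print(f"      - {issue}")


if __name__ == "__main__":
    main()
```

In use, pipe `sudo ike-scan -M -A -n <group> <gateway>` output from your own gateways into `audit_ike_scan`; a clean gateway answers Main Mode only (or nothing at all on the Aggressive probe) and returns an empty issue list.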
Hardening
Disable Aggressive Mode, use certificate auth instead of PSK, and use a long random PSK if you must keep it.
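As an added example (not from the original page, which names no VPN product), this is what the hardening advice looks like on a strongSwan gateway: the weak IKEv1 Aggressive Mode / PSK connection beside its certificate-authenticated IKEv2 replacement, plus the daemon-wide switch that refuses Aggressive Mode with PSK. Connection names, subnets, hostnames and file names are hypothetical; the configuration keywords are strongSwan's own.

```ini
# /etc/strongswan.conf (hardened). "no" is strongSwan's default; it is spelled out so a
# config review notices if someone flipped it to allow Aggressive Mode + PSK responders.
charon {
    i_dont_care_about_security_and_use_aggressive_mode_psk = no
}

# /etc/ipsec.conf

# --- WEAK: what the ike-scan -A probe above finds (do not deploy) ---
conn roadwarrior-legacy
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-sha1-modp1024!
    left=%defaultroute
    leftid=@vpn.example.com
    leftsubnet=10.10.0.0/16
    right=%any
    rightsourceip=10.10.200.0/24
    auto=add

# --- HARDENED: IKEv2, certificate authentication, modern transforms ---
conn roadwarrior
    keyexchange=ikev2
    ike=aes256-sha256-ecp256!
    esp=aes256gcm16!
    left=%defaultroute
    leftcert=vpn-gateway-cert.pem
    leftid=@vpn.example.com
    leftsubnet=10.10.0.0/16
    right=%any
    rightauth=pubkey
    rightca=%same
    rightsourceip=10.10.200.0/24
    auto=add

# /etc/ipsec.secrets
# Gateway private key for the hardened conn:
: RSA vpn-gateway-key.pem
# Only if a PSK must be kept (never with aggressive=yes): a long random value,
# e.g. 32+ bytes from /dev/urandom, base64-encoded, not a word a dictionary will hit.
# %any : PSK "<long-random-psk>"
```

Reload with `ipsec reload` (or `ipsec restart` for the strongswan.conf change), then re-run the ike-scan Aggressive Mode probe against the gateway to confirm it no longer returns a handshake with Auth=PSK.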