Last active
March 27, 2023 16:48
-
-
Save claudijd/5976192 to your computer and use it in GitHub Desktop.
IKE-Scan Mode/TransformSet/VID Enumeration Helper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # An quick and dirty ike-scan wrapper to enumerate | |
| # supported transform sets and vendor ID fingerprints | |
| # on IPSec VPN Endpoints. | |
| # | |
| # Example Targeted Run Output | |
| # | |
| #$ rvmsudo ruby harvest.rb --targets 192.168.1.1 --enc-types 5 --hash-types 2 --dh-types 2 --auth-types 1 | |
| #I, [2013-08-12T23:53:14.490138 #27197] INFO -- : 5 transform combinations to try | |
| #D, [2013-08-12T23:53:14.490221 #27197] DEBUG -- : Trying ike-scan --multiline 192.168.1.1 | |
| #I, [2013-08-12T23:53:14.726363 #27197] INFO -- : Found a new VID VID=5b362bc820f60001 | |
| #D, [2013-08-12T23:53:14.726580 #27197] DEBUG -- : Trying ike-scan -M --multiline 192.168.1.1 | |
| #D, [2013-08-12T23:53:14.875583 #27197] DEBUG -- : Trying ike-scan -A --multiline 192.168.1.1 | |
| #D, [2013-08-12T23:53:15.020898 #27197] DEBUG -- : Trying ike-scan -M --multiline --trans=5,2,1,2 192.168.1.1 | |
| #D, [2013-08-12T23:53:15.162350 #27197] DEBUG -- : Trying ike-scan -A --multiline --trans=5,2,1,2 192.168.1.1 | |
| # | |
| ################ Start Scan Summary ############### | |
| #### SUCCESSFUL IKE-SCAN CMDs w/ SAs | |
| #ike-scan --multiline 192.168.1.1 | |
| #ike-scan -M --multiline 192.168.1.1 | |
| #ike-scan -M --multiline --trans=5,2,1,2 192.168.1.1 | |
| #### ENUMERATED VENDOR IDS | |
| #VID=5b362bc820f60001 | |
| ################ End Scan Summary ############### | |
| require 'optparse' | |
| require 'open3' | |
| require 'set' | |
| require 'logger' | |
| enc_types = { | |
| "1" => "DES", | |
| "2" => "DEA", | |
| "3" => "BLOWFISH", | |
| "4" => "RC5", | |
| "5" => "3DES", | |
| "6" => "CAST", | |
| "7/128" => "AES128", | |
| "7/192" => "AES192", | |
| "7/256" => "AES256", | |
| "8" => "Camellia" | |
| } | |
| hash_types = { | |
| "1" => "MD5", | |
| "2" => "SHA1", | |
| "3" => "Tiger", | |
| "4" => "SHA2-256", | |
| "5" => "SHA2-384", | |
| "6" => "SHA2-512", | |
| } | |
| auth_types = { | |
| "1" => "Preshared Key", | |
| "2" => "DSS Signature", | |
| "3" => "RSA Signature", | |
| "4" => "RSA Encryption", | |
| "5" => "Revised RSA Encryption", | |
| "6" => "EIGAMEL Encryption", | |
| "7" => "Revised EIGAMEL Encryption", | |
| "8" => "ECDSA Signature", | |
| "64221" => "Hybrid Mode (common on check point Fws)", | |
| "65001" => "XAUTH" | |
| } | |
| dh_types = { | |
| "1" => "MODP768", | |
| "2" => "MODP1024", | |
| "5" => "MODP1536", | |
| "14" => "MODP2048" | |
| } | |
| modes = { | |
| "M" => "Main Mode", | |
| "A" => "Aggressive Mode" | |
| } | |
| options = { | |
| :enc_types => enc_types.keys, | |
| :hash_types => hash_types.keys, | |
| :auth_types => auth_types.keys, | |
| :dh_types => dh_types.keys, | |
| :modes => modes.keys | |
| } | |
| OptionParser.new do |opts| | |
| opts.banner = "Usage: ruby harvest.rb [options]" | |
| opts.on("--targets x,y,z", Array, "List of IPs to Scan") do |targets| | |
| options[:targets] = targets | |
| end | |
| opts.on("--enc-types x,y,z", Array, "List of Encryption Types") do |e| | |
| options[:enc_types] = e | |
| end | |
| opts.on("--hash-types x,y,z", Array, "List of Hash Types") do |h| | |
| options[:hash_types] = h | |
| end | |
| opts.on("--auth-types x,y,z", Array, "List of Auth Types") do |a| | |
| options[:auth_types] = a | |
| end | |
| opts.on("--dh-types x,y,z", Array, "List of Diffie Types") do |d| | |
| options[:dh_types] = d | |
| end | |
| opts.on("--modes x,y,z", Array, "List of Modes") do |m| | |
| options[:modes] = m | |
| end | |
| opts.on_tail("-h", "--help", "Show this message") do | |
| puts opts | |
| puts "" | |
| puts "Examples:" | |
| puts "" | |
| puts "A Specific Transform Set" | |
| puts "sudo ruby harvest.rb --targets 192.168.1.1 --enc-types 5 --hash-types 2 --dh-types 2 --auth-types 1" | |
| puts "" | |
| puts "Just Aggressive PSK Auth Transform Sets" | |
| puts "sudo ruby harvest.rb --targets 192.168.1.1 --auth-types 1 --modes A" | |
| puts "" | |
| puts "All Transform Sets" | |
| puts "sudo ruby harvest.rb --targets 192.168.1.1" | |
| puts "" | |
| exit | |
| end | |
| end.parse! | |
| # Generate a list of ike-scan commands via transform combos | |
| def generate_command_list(enc_types, hash_types, auth_types, dh_types, modes, targets) | |
| cmds = [] | |
| targets.each do |target| | |
| modes.each do |mode| | |
| enc_types.each do |enc_type| | |
| hash_types.each do |hash_type| | |
| auth_types.each do |auth_type| | |
| dh_types.each do |dh_type| | |
| cmds << "ike-scan " + | |
| "-#{mode} " + | |
| "--multiline " + | |
| "--trans=#{enc_type},#{hash_type},#{auth_type},#{dh_type} " + | |
| target | |
| end | |
| end | |
| end | |
| end | |
| end | |
| end | |
| return cmds | |
| end | |
| def generate_default_command_list(targets, modes) | |
| cmds = [] | |
| targets.each do |target| | |
| # Default Command | |
| cmds << "ike-scan " + | |
| "--multiline " + | |
| target | |
| # Default Command per Mode | |
| modes.each do |mode| | |
| cmds << "ike-scan " + | |
| "-#{mode} " + | |
| "--multiline " + | |
| target | |
| end | |
| end | |
| return cmds | |
| end | |
| command_list = generate_default_command_list( | |
| options[:targets], | |
| options[:modes] | |
| ) | |
| command_list += generate_command_list( | |
| options[:enc_types], | |
| options[:hash_types], | |
| options[:auth_types], | |
| options[:dh_types], | |
| options[:modes], | |
| options[:targets] | |
| ) | |
| successful_cmds = Set.new | |
| unique_vendor_ids = Set.new | |
| #Stand up some logging | |
| log = Logger.new(STDERR) | |
| log.level = Logger::DEBUG | |
| log.info("#{command_list.size.to_s} transform combinations to try") | |
| command_list.each do |cmd| | |
| log.debug("Trying #{cmd}") | |
| stdin, stdout, stderr, thread = Open3.popen3(cmd) | |
| #Make sure command completes | |
| thread.join | |
| #Read stderr and stdout | |
| error = stderr.read | |
| output = stdout.read | |
| # Check for errors and bomb hard if we see them | |
| # This is to prevent people from running concurrent | |
| # ike-scans, which is unsupported | |
| if error.match(/^ERROR:/) | |
| puts "Received Fatal Error from ike-scan: \n#{error}" | |
| exit 1 | |
| end | |
| # Check for successful SA | |
| if output.match(/SA=/) | |
| successful_cmds << cmd | |
| #Snatch out the VIDs | |
| vids = output.scan(/(VID=[0-9a-z]+ ?(.*)?)/) | |
| vids.each do |vid| | |
| unless unique_vendor_ids.include?(vid[0]) | |
| log.info("Found a new VID #{vid[0]}") | |
| unique_vendor_ids << vid[0] | |
| end | |
| end | |
| end | |
| end | |
| puts "" | |
| puts "############### Start Scan Summary ###############" | |
| puts "\n" | |
| puts "### SUCCESSFUL IKE-SCAN CMDs w/ SAs" | |
| successful_cmds.each do |cmd| | |
| puts cmd | |
| end | |
| puts "\n" | |
| puts "### ENUMERATED VENDOR IDS" | |
| unique_vendor_ids.each do |vid| | |
| puts vid | |
| end | |
| puts "\n" | |
| puts "############### End Scan Summary ###############" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment