# IPsec/IKE VPN - Port 500/UDP

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}
Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**

* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚
{% endtab %}
{% endtabs %}

### Basic Info <a href="#basic-information" id="basic-information"></a>

**IPsec** is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.

The establishment of a **security association (SA)** between two points is managed by **IKE**, which operates under the umbrella of ISAKMP, a protocol designed for authentication and key exchange. This process unfolds in several phases:

* **Phase 1:** A secure channel is created between two endpoints. This is achieved through the use of a Pre-Shared Key (PSK) or certificates, employing either main mode, which involves three pairs of messages, or **aggressive mode**.
* **Phase 1.5:** Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.
* **Phase 2:** This phase negotiates the parameters for protecting data with **ESP** and **AH**. It may use algorithms different from those in Phase 1, and an optional fresh Diffie-Hellman exchange in this phase provides **Perfect Forward Secrecy (PFS)**, enhancing security.

**Default port:** 500/udp

***

## Enumeration

### **Scan for IPsec VPN Services**

Start by scanning the target for **UDP port 500**, which is used by the **IKE (Internet Key Exchange) protocol** in IPsec VPNs.

```bash
nmap -sU -p 500 --script ike-version <target_ip>
```

**What it does:**

* `-sU` → Scans UDP ports
* `-p 500` → Scans only UDP port 500 (ISAKMP/IKE)
* `--script ike-version` → Detects IKE version (IKEv1 or IKEv2)

**Output**

```
500/udp open isakmp
| ike-version:
|   1.0 (ISAKMP 1.0)
|   2.0 (IKEv2)
```

### **Identify VPN Vendor & Configuration**

Use **ike-scan** to fingerprint the VPN system.

#### **Passive Fingerprinting**

```bash
ike-scan -M -A <target_ip>
```

**What it does:**

* `-M` → Multi-line output: each decoded payload (for example the Vendor ID) is printed on its own line
* `-A` → Sends an Aggressive Mode request instead of the default Main Mode request

**Output**

```
Starting ike-scan against <target_ip>
Responder matches: Cisco VPN 3000 Concentrator (IKEv1)
```

#### **Aggressive Mode Detection**

```bash
# --trans=enc,hash,auth,group selects one transform: 5 = 3DES, 2 = SHA1, 1 = PSK, 2 = DH group 2
ike-scan -A --trans=5,2,1,2 <target_ip>
```

**Why this matters:**

* If Aggressive Mode is enabled, the VPN may **leak the group name** and be vulnerable to **credential brute-force attacks**.

## **Extract VPN Group Name & Hash**

If aggressive mode is enabled, use **ike-scan** to capture the responder's **pre-shared key (PSK) hash** together with the exchange parameters, written to a file in the format psk-crack reads:

```bash
ike-scan -A --pskcrack=hashfile.txt <target_ip>
```

If a PSK hash is found, crack it offline with **psk-crack** (shipped with ike-scan), supplying a dictionary with `-d`:

```bash
psk-crack -d wordlist.txt hashfile.txt
```

{% hint style="danger" %}
**Warning:** If aggressive mode is enabled, **this is a security risk** because it allows an attacker to retrieve VPN group names and crack credentials offline.
{% endhint %}

## **Brute-Force IKE Authentication**

Try brute-forcing VPN credentials using **Hydra**.

```bash
hydra -L userlist.txt -P passlist.txt -e ns -u <target_ip> ike
```

**What it does:**

* `-L userlist.txt` → List of possible usernames
* `-P passlist.txt` → List of passwords
* `-e ns` → Tries null and same-as-username passwords
* `-u` → Loops over the user list for each password (rather than every password per user), spreading attempts across accounts

## **Intercept and Analyze VPN Traffic**

If you have access to network traffic, use **Wireshark** to capture and analyze IKE packets.

#### **Filter for VPN Traffic**

Apply the Wireshark filter (IKE that traverses NAT moves to UDP 4500, so add that port when nothing shows up on 500):

```
udp.port == 500
```

**Why this matters:**

* Helps detect **IKE negotiations, key exchanges, and potential misconfigurations.**
* If Aggressive Mode is used, you may see the **group name in plaintext**.
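To make this check repeatable outside Wireshark, here is an added Python example (not from the original page or any tool it mentions) that decodes the fixed ISAKMP header of UDP/500 and UDP/4500 datagrams and flags aggressive-mode exchanges and IKEv1 use; the packets and addresses are constructed samples rather than a real capture, and the header layout follows RFC 2408/7296.

```python
import struct
# Fixed ISAKMP/IKE header (RFC 2408 / RFC 7296), 28 bytes, big-endian: initiator SPI, responder
# SPI, next payload, version (major<<4 | minor), exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on UDP/4500 (NAT-T) datagrams that carry IKE, not ESP

# Exchange type values from the IANA ISAKMP and IKEv2 registries.
EXCHANGE_TYPES = {
    2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}

def parse_ike_header(payload: bytes, nat_t: bool = False) -> dict:
    """Decode the ISAKMP header of a UDP/500 payload (or a UDP/4500 payload when nat_t=True)."""
    if nat_t:
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker is ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    i_spi, r_spi, _nxt, ver, exch, flags, _msg_id, length = HEADER.unpack_from(payload)
    return {"i_spi": i_spi.hex(), "r_spi": r_spi.hex(), "version": ver >> 4,
            "exchange": exch, "flags": flags, "length": length}

def audit_ike_packets(packets) -> list:
    """packets: iterable of (src_ip, dst_port, payload). Returns one finding per risky packet."""
    findings = []
    for src, port, payload in packets:
        try:
            hdr = parse_ike_header(payload, nat_t=(port == 4500))
        except ValueError:
            continue  # ESP-in-UDP or a truncated datagram: nothing to classify
        name = EXCHANGE_TYPES.get(hdr["exchange"], f"unknown exchange {hdr['exchange']}")
        if hdr["exchange"] == 4:
            findings.append(f"{src}: {name} (identity unprotected, PSK hash crackable offline)")
        elif hdr["version"] == 1:
            findings.append(f"{src}: {name} (IKEv1 in use; prefer IKEv2)")
    return findings

def make_packet(version_byte: int, exchange: int, flags: int = 0) -> bytes:
    return HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, version_byte, exchange, flags, 0, HEADER.size)

# Constructed sample traffic (not a real capture): an IKEv1 aggressive-mode initiator on UDP/500,
# an IKEv2 IKE_SA_INIT behind the NAT-T marker on UDP/4500, and an IKEv1 main-mode packet.
SAMPLE_PACKETS = [
    ("198.51.100.7", 500, make_packet(0x10, 4)),
    ("198.51.100.9", 4500, NON_ESP_MARKER + make_packet(0x20, 34, flags=0x08)),
    ("198.51.100.3", 500, make_packet(0x10, 2)),
]
```

Feeding it real datagrams only needs the UDP payload bytes plus the destination port, for example from a pcap exported by Wireshark.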

## **Exploit Weak VPN Configurations**

#### **Check for CVE Vulnerabilities**

Search for known **VPN-related vulnerabilities**:

```bash
searchsploit ike
```

or

```bash
msfconsole
msf> search ike
```

#### **Exploit Weak Pre-Shared Keys (IKEv1)**

If weak pre-shared keys are detected, **use Metasploit** to exploit them:

```bash
use auxiliary/scanner/ipsec/ike_enum
set RHOSTS <target_ip>
exploit
```

***

## **Mitigation & Hardening Recommendations**

* **Disable Aggressive Mode** (only use **Main Mode**)
* **Use strong Pre-Shared Keys (PSKs)** and avoid weak passwords
* **Implement Certificate-Based Authentication** instead of PSK
* **Limit VPN Access to Known IPs**
* **Use IKEv2 instead of IKEv1** for better security
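As an added example that is not part of the original page, the following Python script audits a strongSwan-style `ipsec.conf` against this list, showing a weak legacy `conn` beside a hardened one; the sample configuration and the weak-algorithm pattern are constructed for illustration, and the option names assume strongSwan's `conn` syntax.

```python
import re
# Option names follow strongSwan's ipsec.conf "conn" syntax (assumed; adapt for other daemons).
# WEAK_ALGOS lists algorithms the hardening list would reject in an ike=/esp= proposal string.
WEAK_ALGOS = re.compile(r"\b(des|3des|md5|sha1|modp768|modp1024)\b", re.I)

def parse_conns(text: str) -> dict:
    # Returns {conn_name: {key: value}} for every "conn" section, ignoring comments and blanks.
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns

def audit_conn(name: str, opts: dict) -> list:
    # One finding per recommendation the conn section violates.
    findings = []
    if opts.get("aggressive", "no") == "yes":
        findings.append(f"{name}: aggressive=yes (disable; main mode only)")
    if opts.get("keyexchange", "ike") in ("ikev1", "ike"):  # "ike" also accepts IKEv1 as responder
        findings.append(f"{name}: IKEv1 accepted (set keyexchange=ikev2)")
    if opts.get("authby") == "secret" or "psk" in (opts.get("leftauth"), opts.get("rightauth")):
        findings.append(f"{name}: PSK authentication (prefer certificates)")
    weak = [k for k in ("ike", "esp") if WEAK_ALGOS.search(opts.get(k, ""))]
    findings += [f"{name}: weak algorithm in {k}={opts[k]}" for k in weak]
    if opts.get("right", "%any") == "%any":
        findings.append(f"{name}: right=%any (restrict peers to known addresses)")
    return findings

def audit_config(text: str) -> list:
    return [f for name, opts in parse_conns(text).items() for f in audit_conn(name, opts)]

# Constructed sample config: a weak legacy remote-access conn beside a hardened one.
SAMPLE_CONF = """
conn legacy-remote-access
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-sha1-modp1024!
    right=%any
conn hardened-site-to-site
    keyexchange=ikev2
    leftauth=pubkey
    ike=aes256-sha256-modp2048!
    right=203.0.113.10
"""
```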

***

{% hint style="success" %}
Learn & practice [**For the OSCP.**](https://shop.verylazytech.com/)
{% endhint %}
