IPsec/IKE VPN - Port 500/UDP
Basic Info
IPsec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.
The establishment of a security association (SA) between two points is managed by IKE, which operates under the umbrella of ISAKMP, a protocol designed for authentication and key exchange. This process unfolds in several phases:
Phase 1: A secure channel is created between the two endpoints. Peers authenticate with a Pre-Shared Key (PSK) or certificates, using either main mode, which involves three pairs of messages, or aggressive mode, which uses fewer messages.
Phase 1.5: Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.
Phase 2: This phase is dedicated to negotiating the parameters for securing data with ESP and AH. It allows for the use of algorithms different from those in Phase 1 to ensure Perfect Forward Secrecy (PFS), enhancing security.
Default port: 500/udp
Enumeration
Scan for IPsec VPN Services
Start by scanning the target for UDP port 500, which is used by the IKE (Internet Key Exchange) protocol in IPsec VPNs.
nmap -sU -p 500 --script ike-version <target_ip>
What it does:
-sU → Scans UDP ports
-p 500 → Targets the IKE service port
--script ike-version → Detects the IKE version (IKEv1 or IKEv2)
Output
500/udp open isakmp
| ike-version:
| 1.0 (ISAKMP 1.0)
| 2.0 (IKEv2)
Identify VPN Vendor & Configuration
Use ike-scan to fingerprint the VPN system.
Passive Fingerprinting
ike-scan -M -A <target_ip>
What it does:
-M → Multiline output: prints each decoded payload on its own line for readability
-A → Aggressive mode detection
Output
Starting ike-scan against <target_ip>
Responder matches: Cisco VPN 3000 Concentrator (IKEv1)
Aggressive Mode Detection
ike-scan -A --trans=1,2,3,4,5 <target_ip>
Why this matters:
If Aggressive Mode is enabled, the VPN may leak the group name and be vulnerable to credential brute-force attacks.
Extract VPN Group Name & Hash
If aggressive mode is enabled, use ike-scan to grab the pre-shared key (PSK) hash.
ike-scan -A --pskcrack <target_ip>
If a PSK hash is found, crack it using psk-crack (shipped with ike-scan):
psk-crack hashfile.txt
Warning: If aggressive mode is enabled, this is a security risk because it allows an attacker to retrieve VPN group names and crack credentials offline.
Brute-Force IKE Authentication
Try brute-forcing VPN credentials using Hydra.
hydra -L userlist.txt -P passlist.txt -e ns -u <target_ip> ike
What it does:
-L userlist.txt → List of possible usernames
-P passlist.txt → List of passwords
-e ns → Also tries an empty password (n) and the username as password (s)
-u → Loops over usernames first, trying each user with a password before moving to the next password
Intercept and Analyze VPN Traffic
If you have access to network traffic, use Wireshark to capture and analyze IKE packets.
Filter for VPN Traffic
Apply the Wireshark filter:
udp.port == 500
Why this matters:
Helps detect IKE negotiations, key exchanges, and potential misconfigurations.
If Aggressive Mode is used, you may see the group name in plaintext.
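As an added defender-side example (not part of the original page, and not code from ike-scan or Wireshark), this Python script performs the same check as that filter on raw UDP/500 payloads: it decodes the fixed 28-byte ISAKMP header and flags IKEv1 Aggressive Mode by its exchange type, which is what a monitoring rule for "aggressive mode still enabled" keys on. The two sample headers are constructed, not real captures.

```python
import struct

# Fixed ISAKMP header (RFC 2408; IKEv2 keeps the same layout): 28 bytes,
# network order: initiator SPI, responder SPI, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange types seen on 500/udp, keyed by (major version, exchange type).
EXCHANGE_NAMES = {
    (1, 2): "IKEv1 Main Mode (Identity Protection)",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 32): "IKEv1 Quick Mode (Phase 2)",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed header of one UDP/500 payload; reject truncated input."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    i_spi, r_spi, next_pl, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    return {
        "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
        "next_payload": next_pl,
        "major": ver >> 4, "minor": ver & 0x0F,   # major 1 = IKEv1, 2 = IKEv2
        "exchange": exch, "flags": flags,
        "message_id": msg_id, "length": length,
    }

def classify_ike(datagram: bytes) -> tuple[str, bool]:
    """Return (exchange name, True if this is an IKEv1 Aggressive Mode message)."""
    hdr = parse_isakmp_header(datagram)
    key = (hdr["major"], hdr["exchange"])
    name = EXCHANGE_NAMES.get(
        key, f"unknown (IKE {hdr['major']}.{hdr['minor']}, exchange {hdr['exchange']})")
    return name, key == (1, 4)

# Constructed sample headers (not real captures): an IKEv1 Aggressive Mode
# first message (next payload 1 = SA) and an IKEv2 IKE_SA_INIT request
# (next payload 33 = SA, flags 0x08 = Initiator). Length field covers the header only.
AGGR_MSG = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 4, 0x00, 0, 28)
SA_INIT_MSG = ISAKMP_HDR.pack(b"\x22" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)

if __name__ == "__main__":
    for pkt in (AGGR_MSG, SA_INIT_MSG):
        name, aggressive = classify_ike(pkt)
        print(f"{name:40s} aggressive_mode={aggressive}")
```

Feed it the UDP payloads from a capture matching the filter above; any True result means a peer is still negotiating Phase 1 in aggressive mode.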
Exploit Weak VPN Configurations
Check for CVE Vulnerabilities
Search for known VPN-related vulnerabilities:
searchsploit ike
or
msfconsole
msf> search ike
Exploit Weak Pre-Shared Keys (IKEv1)
If weak pre-shared keys are detected, use Metasploit to exploit them:
use auxiliary/scanner/ipsec/ike_enum
set RHOSTS <target_ip>
exploit
Mitigation & Hardening Recommendations
Disable Aggressive Mode (only use Main Mode)
Use strong Pre-Shared Keys (PSKs) and avoid weak passwords
Implement certificate-based authentication instead of PSK
Limit VPN access to known IPs
Use IKEv2 instead of IKEv1 for better security