IPsec/IKE VPN - Port 500/UDP

Basic Info

IPsec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.

The establishment of a security association (SA) between two points is managed by IKE, which operates under the umbrella of ISAKMP, a protocol designed for the authentication and key exchange. This process unfolds in several phases:

• Phase 1: A secure channel is created between two endpoints. This is achieved through the use of a Pre-Shared Key (PSK) or certificates, employing either main mode, which involves three pairs of messages, or aggressive mode.

• Phase 1.5: Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.

• Phase 2: This phase is dedicated to negotiating the parameters for securing data with ESP and AH. It allows for the use of algorithms different from those in Phase 1 to ensure Perfect Forward Secrecy (PFS), enhancing security.

Default port: 500/udp

Enumertion

Scan for IPsec VPN Services

Start by scanning the target for UDP port 500, which is used by the IKE (Internet Key Exchange) protocol in IPsec VPNs.

nmap -sU -p 500 --script ike-version <target_ip>

What it does:

• -sU → Scans UDP ports

• -p 500 → Scans IKE service

• --script ike-version → Detects IKE version (IKEv1 or IKEv2)

Output

arduinoCopyEdit500/udp open isakmp
| ike-version: 
|   1.0 (ISAKMP 1.0)
|   2.0 (IKEv2)

Identify VPN Vendor & Configuration

Use ike-scan to fingerprint the VPN system.

Passive Fingerprinting

ike-scan -M -A <target_ip>

What it does:

• -M → Main mode scanning

• -A → Aggressive mode detection

Output

Starting ike-scan against <target_ip>
Responder matches: Cisco VPN 3000 Concentrator (IKEv1)

Aggressive Mode Detection

ike-scan -A --trans=1,2,3,4,5 <target_ip>

Why this matters:

• If Aggressive Mode is enabled, the VPN may leak the group name and be vulnerable to credential brute-force attacks.

Extract VPN Group Name & Hash

If aggressive mode is enabled, use ike-scan to grab the pre-shared key (PSK) hash.

ike-scan -A --pskcrack <target_ip>

If a PSK hash is found, crack it using pskcrack:

pskcrack hashfile.txt

Brute-Force IKE Authentication

Try brute-forcing VPN credentials using Hydra.

hydra -L userlist.txt -P passlist.txt -e ns -u <target_ip> ike

What it does:

• -L userlist.txt → List of possible usernames

• -P passlist.txt → List of passwords

• -e ns → Tries null and same-as-username passwords

• -u → Tries usernames one by one instead of parallel requests

Intercept and Analyze VPN Traffic

If you have access to network traffic, use Wireshark to capture and analyze IKE packets.

Filter for VPN Traffic

Apply the Wireshark filter:

udp.port == 500

Why this matters:

• Helps detect IKE negotiations, key exchanges, and potential misconfigurations.

• If Aggressive Mode is used, you may see the group name in plaintext.

Exploit Weak VPN Configurations

Check for CVE Vulnerabilities

Search for known VPN-related vulnerabilities:

searchsploit ike

or

msfconsole
msf> search ike

Exploit Weak Pre-Shared Keys (IKEv1)

If weak pre-shared keys are detected, use Metasploit to exploit them:

use auxiliary/scanner/ipsec/ike_enum
set RHOSTS <target_ip>
exploit

Mitigation & Hardening Recommendations

Disable Aggressive Mode (Only use Main Mode) Use strong Pre-Shared Keys (PSKs) and avoid weak passwords Implement Certificate-Based Authentication instead of PSK Limit VPN Access to Known IPs Use IKEv2 instead of IKEv1 for better security