IKECrack – IKE/IPSec Authentication Cracking Tool

IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication.

IKE Agressive Mode BruteForce Summary

Aggressive Mode IKE authentication is composed of the following steps:

  1. Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
  2. Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchange nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
  3. The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.

IKECrack utilizies the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.

Project Details

IKECrack utilizes components from the following OpenSource/PublicDomain programs:

  • MDCrack
  • Ron Rivest’s MD5
  • Simeon Pilgrim’s Reverse MD5
  • MD5 and HMAC-MD5 PerlMods
  • libpcap

Performance

Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds.

MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5’s, and 4 64 byte XORs….but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I’m hoping that Simeon Pilgrim’s MD5 routines will speed this up a bit more.

You can download IKECrack here:

ikecrack-snarf-1.00.pl

Or read more here.

Labels:

Stoned Bootkit – Windows XP, 2003, Vista, 7 MBR Rootkit

What is Stoned Bootkit?

A bootkit is a boot virus that is able to hook and patch Windows to get load into the Windows kernel, and thus getting unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!

For whom is Stoned Bootkit interesting?

  1. Black Hats
  2. Law enforcement agencies
  3. Microsoft

Why is Stoned something new? Because it is the firts bootkit that..

  • attacks Windows XP, Sever 2003, Windows Vista, Windows 7 with one single master boot record
  • attacks TrueCrypt full volume encryption
  • has integrated FAT and NTFS drivers
  • has an integrated structure for plugins and boot applications (for future development)

A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit.” – Robert Hensing about bootkits

You can download Stoned Bootkit here:

Open Source Framework – Stoned Bootkit Framework.zip
Infector file – Infector.exe

Or you can read more here.

Labels:

Xplico – Network Forensic Analysis Tool

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License (see License for more details).

Xplico Features

  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output data and information in SQLite database or Mysql database and/or files;
  • At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
  • Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
  • TCP reassembly with ACK verification for any packet or soft ACK verification;
  • Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
  • No size limit on data entry or the number of files entrance (the only limit is HD size);
  • IPv4 and IPv6 support
  • Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
  • The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

You can download Xplico 0.5.2 here:

xplico-0.5.2.tgz

Or read more here.

Labels: ,
Subscribe to: Posts (Atom)