IKE
The Nmap scan reports that the target host is running the ISAKMP (Internet Security Association and Key Management Protocol) service, the UDP 500 listener through which the Internet Key Exchange (IKE) protocol negotiates secure communication.
Internet Key Exchange (IKE) is the protocol used to establish a secure connection between two IPsec peers, typically a VPN gateway and a remote client. It authenticates the peers, negotiates a shared security policy and derives the keying material, and it is almost always used together with IPsec, which then protects the actual traffic.
Internet Security Association and Key Management Protocol (ISAKMP) is the framework that IKE version 1 is built on. It defines the message formats and the two-phase procedure for establishing, modifying and deleting security associations (SAs) between peers, but it does not itself specify a key exchange; IKEv1 fills that gap with an authenticated Diffie-Hellman exchange (borrowed from Oakley and SKEME).
In short, ISAKMP supplies the packet structure and the SA lifecycle, IKE supplies the authenticated key exchange that runs inside it, and the two names are used more or less interchangeably for the service on UDP 500.
It is highly likely that the host is configured as a VPN server, allowing remote clients to establish a secure tunnel into the host's network. The Nmap output also indicates that the host supports more than one version of the IKE protocol, which suggests it can negotiate with a wide range of VPN clients.
However, the Nmap output alone is not definitive proof that the IKE service on UDP 500 is serving a VPN; further probing of the IKE handshake is needed to confirm it, and the tool for the job is ike-scan.
ike-scan is a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers. It sweeps a range of IP addresses by sending a crafted IKE Phase-1 proposal to each host; most hosts running an IKE service answer, revealing their presence, and the SA proposal and Vendor ID (VID) payloads they return give a first fingerprint. With --showbackoff, ike-scan then goes quiet and records the timing of the server's retransmissions, which is matched against a set of known VPN product backoff patterns. In this way ike-scan can identify VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel and Watchguard.
ike-scan
┌──(kali㉿kali)-[~/archive/htb/labs/conceal]
└─$ ike-scan -d 500 -M $IP
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=7ba04bca439ab4c5)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.5: 1 hosts scanned in 0.040 seconds (24.94 hosts/sec). 1 returned handshake; 0 returned notify
I supplied the -d flag to set the destination port (500 is also the default) and the -M flag to display each response in multiline form, which is easier to read than the single-line default.
Based on the output, the IKE service on UDP port 500 offered a Phase-1 SA (security association) with:
- Enc=3DES: 3DES encryption
- Hash=SHA1: SHA-1 as the hash/PRF
- Group=2:modp1024: Diffie-Hellman group 2, a 1024-bit MODP group
- Auth=PSK: pre-shared key authentication
- LifeType=Seconds and LifeDuration(4)=0x00007080: the SA lifetime is 0x7080 = 28800 seconds, i.e. 8 hours
The first VID line is the vendor ID: the 16-byte Windows vendor hash followed by the version suffix 00000009, which ike-scan's fingerprint table maps to Windows-8, so this is very likely a Windows VPN server.
The remaining VIDs advertise IKE extensions the peer supports: NAT-T (in both its RFC 3947 and draft-ietf-ipsec-nat-t-ike-02 forms), IKE Fragmentation, MS-Negotiation Discovery Capable and IKE CGA version 1.
The "Main Mode Handshake returned" line also tells us the service speaks IKE version 1, since Main Mode and Aggressive Mode are IKEv1 exchanges (ike-scan sends IKEv1 unless --ikev2 is given).
From a security point of view the transform set is dated: 3DES, SHA-1 and a 1024-bit DH group are all deprecated in current guidance. Auth=PSK is the more interesting detail, because if the server also accepts Aggressive Mode the PSK hash can be captured with ike-scan -A and cracked offline; the output above shows only a Main Mode handshake, so whether that applies here has not been established at this point.
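To make the interpretation above reproducible, here is an added Python example (my own, not part of the writeup and not part of ike-scan) that parses the -M output above, decodes the lifetime, recomputes the MD5-derived Vendor IDs rather than trusting the labels, and flags the legacy transforms. The scan output is embedded as a constructed sample copied from the handshake above so the script runs offline. The VID source string for NAT-T is the one RFC 3947 itself specifies; the other source strings and the Microsoft prefix are assumptions taken from the vendor-ID tables of open-source IKE implementations, and the script verifies each by hashing, reporting any that fail to match as unmatched.

```python
"""Parse an ike-scan -M Phase-1 response and assess it (added example, not the
writeup's own tooling and not part of ike-scan)."""
import hashlib
import re

# Constructed sample: the Main Mode handshake from the scan above, copied
# verbatim so the script runs offline without touching a live target.
SAMPLE = """\
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=7ba04bca439ab4c5)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
"""

# Vendor IDs are conventionally the MD5 of a short text.  RFC 3947 section 3.1
# specifies MD5("RFC 3947"); the other source strings are assumptions taken
# from open-source IKE vendor-ID tables and are verified by hashing below.
VID_SOURCES = {
    "RFC 3947": "NAT-T (RFC 3947)",
    "draft-ietf-ipsec-nat-t-ike-02\n": "NAT-T (draft-02, trailing newline)",
    "FRAGMENTATION": "IKE Fragmentation",
    "MS-Negotiation Discovery Capable": "MS-Negotiation Discovery Capable",
    "IKE CGA version 1": "IKE CGA version 1",
}
# Assumption: Microsoft's VID is MD5("MS NT5 ISAKMPOAKLEY") followed by a
# 4-byte version (ike-scan labels version 9 as Windows-8).
MS_VID_SOURCE = "MS NT5 ISAKMPOAKLEY"


def derive_vid(text: str) -> str:
    """Return the hex Vendor ID that a given source string hashes to."""
    return hashlib.md5(text.encode()).hexdigest()


def identify_vid(hexvid: str) -> str:
    """Name a VID by recomputing candidate hashes instead of trusting a label."""
    for text, name in VID_SOURCES.items():
        if hexvid == derive_vid(text):
            return name
    ms = derive_vid(MS_VID_SOURCE)
    if hexvid.startswith(ms) and len(hexvid) == len(ms) + 8:
        return f"Microsoft ISAKMP/Oakley, version {int(hexvid[len(ms):], 16)}"
    return "unmatched"


def parse_ike_scan(output: str) -> dict:
    """Extract exchange mode, SA attributes and VIDs from ike-scan -M output."""
    parsed = {"mode": None, "sa": {}, "vids": []}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith("Handshake returned"):
            # "10.10.10.116 Main Mode Handshake returned" -> "Main Mode"
            parsed["mode"] = line.split(maxsplit=1)[1].rsplit(" Handshake", 1)[0]
        elif line.startswith("SA=(") and line.endswith(")"):
            # Attributes are "Key=Value" tokens; hex values become integers.
            for key, val in re.findall(r"(\S+?)=(\S+)", line[4:-1]):
                parsed["sa"][key] = int(val, 16) if val.startswith("0x") else val
        elif line.startswith("VID="):
            m = re.match(r"VID=([0-9a-f]+) \((.*)\)$", line)
            if m:
                parsed["vids"].append((m.group(1), m.group(2)))
    return parsed


def assess(parsed: dict) -> dict:
    """Flag legacy transforms and the follow-up check a PSK setup warrants."""
    sa = parsed["sa"]
    findings = []
    if sa.get("Enc") in ("DES", "3DES"):
        findings.append(f"Enc={sa['Enc']}: 64-bit block cipher, deprecated")
    if sa.get("Hash") in ("MD5", "SHA1"):
        findings.append(f"Hash={sa['Hash']}: legacy hash/PRF")
    m = re.search(r"modp(\d+)", sa.get("Group", ""))
    if m and int(m.group(1)) <= 1024:
        findings.append(f"Group={sa['Group']}: DH modulus below 2048 bits")
    if sa.get("Auth") == "PSK":
        findings.append("Auth=PSK: test whether Aggressive Mode is accepted (ike-scan -A)")
    lifetime = sa.get("LifeDuration(4)")
    vid_names = [identify_vid(v) for v, _ in parsed["vids"]]
    return {
        # Main/Aggressive Mode are IKEv1 exchanges; ike-scan defaults to IKEv1.
        "ike_version": 1 if parsed["mode"] in ("Main Mode", "Aggressive Mode") else None,
        "lifetime_seconds": lifetime,
        "lifetime_hours": lifetime / 3600 if lifetime else None,
        "nat_t": any(n.startswith("NAT-T") for n in vid_names),
        "vid_names": vid_names,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess(parse_ike_scan(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as-is against the embedded sample, or replace SAMPLE with the -M output of your own scan. The point of recomputing the VID hashes is that ike-scan's label comes from a lookup table; hashing the source string yourself confirms what the 16 bytes on the wire actually mean, and anything that does not hash cleanly is reported as unmatched rather than guessed.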