500 - IKE
The Internet Key Exchange (IKE) service on UDP port 500 is used to set up and negotiate secure IPsec VPN connections. It handles key exchange, authentication, and security policy negotiation between two endpoints before any actual encrypted data is sent. We can use ike-scan to probe the VPN server and determine its supported IKE modes:
# Probe IKE service on the target
$ ike-scan <target-host>
IKE operates in two modes:
Main Mode: Six messages are exchanged to protect peer identities. It is preferred for production VPNs due to security.
Aggressive Mode: Only three messages are exchanged, making it faster but revealing the client’s identity. This mode is useful in lab environments or penetration tests for capturing information like PSKs.
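The difference between the two modes is visible in the fixed 28-byte ISAKMP header that every IKE message carries, so a defender watching UDP/500 can flag Aggressive Mode negotiations (exchange type 4) as they happen. The following parser is an added example written for this page, not part of ike-scan or any VPN product. The packets it decodes are constructed inline; in practice the same function would be fed the UDP payload of captured port-500 datagrams. Field layout follows RFC 2408 (IKEv1) and RFC 7296 (IKEv2); the exchange-type values are the ones registered there.

```python
import struct

# ISAKMP/IKE header: 8-byte initiator SPI, 8-byte responder SPI, next payload,
# version (major nibble / minor nibble), exchange type, flags, message ID, length.
HEADER_LEN = 28
HEADER_FMT = "!8s8sBBBBII"

# IKEv1 exchange types (RFC 2408) and IKEv2 exchange types (RFC 7296).
EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the ISAKMP header of one UDP/500 payload into a dict."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"short ISAKMP header: {len(data)} bytes, need {HEADER_LEN}")
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN]
    )
    major, minor = version >> 4, version & 0x0F
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": next_payload,
        "version": f"{major}.{minor}",
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # Aggressive Mode only exists in IKEv1; exchange type 4 under major version 1.
        "aggressive_mode": major == 1 and exch == 4,
    }


def build_header(exchange_type: int, version: int = 0x10, responder_spi: bytes = b"\x00" * 8) -> bytes:
    """Construct a bare ISAKMP header (constructed test data, no real session)."""
    initiator_spi = b"\x11\x22\x33\x44\x55\x66\x77\x88"  # constructed value
    next_payload = 1  # SA payload, as in the first message of a negotiation
    return struct.pack(HEADER_FMT, initiator_spi, responder_spi, next_payload,
                       version, exchange_type, 0, 0, HEADER_LEN)


# Constructed sample datagrams standing in for captured UDP/500 payloads.
SAMPLE_PACKETS = {
    "main_mode_msg1": build_header(2),            # IKEv1 Main Mode, responder SPI still zero
    "aggressive_msg1": build_header(4),           # IKEv1 Aggressive Mode first message
    "ikev2_sa_init": build_header(34, version=0x20),  # IKEv2 IKE_SA_INIT
}


def flag_aggressive(packets: dict) -> list:
    """Return the names of packets that start or continue an Aggressive Mode exchange."""
    return [name for name, raw in packets.items() if parse_isakmp_header(raw)["aggressive_mode"]]


if __name__ == "__main__":
    for name, raw in SAMPLE_PACKETS.items():
        hdr = parse_isakmp_header(raw)
        print(f"{name:16} IKEv{hdr['version']} {hdr['exchange_name']}")
    print("aggressive mode seen in:", flag_aggressive(SAMPLE_PACKETS))
```

On a gateway where Aggressive Mode is supposed to be disabled, any packet for which `aggressive_mode` is true is worth an alert: either the configuration drifted or someone is probing the endpoint the way the page describes. A responder SPI of all zeros in such a packet marks it as the initiator's opening message.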
If the latter mode is enabled, capturing its handshake lets us obtain the PSK hash and crack it offline:
# Check for Aggressive Mode support and capture client identity
$ sudo ike-scan -A <target-host>
If we are able to capture the handshake from the Aggressive Mode, we can generate a .psk hashfile for offline cracking using psk-crack:
# Generate file for PSK cracking
$ sudo ike-scan -A <target-host> --id=x7331@kali.com -Pike.psk
# Run dictionary attack to recover PSK
$ psk-crack ike.psk -d /usr/share/wordlists/rockyou.txt