VPN (IKE) enumeration
The ISAKMP service (UDP port 500, used by IPsec VPNs) is the only service open on the server. Kali Linux ships with scanners for enumerating IPsec VPN endpoints, such as ike-scan:
$ ike-scan -M 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=8ec1706b5f6632a8)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120 (MS-Negotiation Discovery Capable)
VID=e3a5966a76379fe707228231e5ce8652 (IKE CGA version 1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.325 seconds (3.08 hosts/sec). 1 returned handshake; 0 returned notify
The results above show the endpoint speaks IKEv1 (Main Mode handshake returned). To confirm it is not also running IKEv2:
$ ike-scan -M -2 10.10.10.116
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.594 seconds (0.39 hosts/sec). 0 returned handshake; 0 returned notify
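As an added example (not code from the original write-up), the script below parses the ike-scan Main Mode result shown above into the matching strongSwan ike=, esp= and ikelifetime= settings, converts the hex LifeDuration to seconds, and lists the legacy algorithms in the offered proposal. The algorithm-name tables and the set of algorithms treated as legacy are assumptions, not data from ike-scan or strongSwan.

```python
import re

# Constructed sample: the ike-scan Main Mode result shown on this page.
SAMPLE = """\
10.10.10.116 Main Mode Handshake returned
HDR=(CKY-R=8ec1706b5f6632a8)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (Windows-8)
"""

# ike-scan attribute names -> strongSwan proposal keywords (assumed subset).
ENC = {"DES": "des", "3DES": "3des", "AES": "aes128"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# Legacy algorithms a defender should flag on a negotiated IKE SA (assumption).
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_sa(text):
    """Return the SA=(...) attributes as a dict, e.g. {'Enc': '3DES', ...}.
    A greedy match is needed because LifeDuration(4) nests parentheses."""
    m = re.search(r"^SA=\((.*)\)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no SA line in ike-scan output")
    attrs = {}
    for token in m.group(1).split():
        key, _, value = token.partition("=")
        attrs[key.split("(")[0]] = value      # LifeDuration(4) -> LifeDuration
    # "2:modp1024" -> keep the strongSwan-style group name only
    attrs["Group"] = attrs["Group"].split(":")[-1]
    return attrs


def lifetime_seconds(attrs):
    """LifeDuration is printed in hex by ike-scan; 0x7080 is 28800 s (8h)."""
    return int(attrs["LifeDuration"], 16)


def to_strongswan(attrs):
    """Build the ipsec.conf values that match the offered proposal exactly
    (the trailing '!' makes strongSwan use only this proposal)."""
    enc, hsh, grp = ENC[attrs["Enc"]], HASH[attrs["Hash"]], attrs["Group"]
    secs = lifetime_seconds(attrs)
    life = f"{secs // 3600}h" if secs % 3600 == 0 else f"{secs}s"
    return {"ike": f"{enc}-{hsh}-{grp}!", "esp": f"{enc}-{hsh}!", "ikelifetime": life}


def legacy_components(attrs):
    """Sorted list of proposal parts that are legacy and worth reporting."""
    parts = {ENC[attrs["Enc"]], HASH[attrs["Hash"]], attrs["Group"]}
    return sorted(parts & LEGACY)


if __name__ == "__main__":
    a = parse_sa(SAMPLE)
    print(to_strongswan(a), "legacy:", legacy_components(a))
```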
Install strongSwan to create a tunnel between the Conceal machine and Kali:
$ sudo apt install strongswan
[sudo] password for rocky:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
strongswan
1 upgraded, 0 newly installed, 0 to remove and 1662 not upgraded.
Need to get 101 kB of archives.
After this operation, 3,072 B of additional disk space will be used.
Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 strongswan all 5.9.5-2 [101 kB]
Fetched 101 kB in 2s (40.6 kB/s)
(Reading database ... 353790 files and directories currently installed.)
Preparing to unpack .../strongswan_5.9.5-2_all.deb ...
Unpacking strongswan (5.9.5-2) over (5.9.1-1) ...
Setting up strongswan (5.9.5-2) ...
Installing it creates the config file shown below; to establish the VPN connection we add the connection parameters to this file.

The IKE SA lifetime reported by ike-scan (LifeDuration(4)=0x00007080) is shown in hex; converted to decimal it is 28800 seconds, i.e. 8 hours.

└─$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="all"
    strictcrlpolicy=no
    uniqueids = yes

# Add connections here.

# Sample VPN connections

conn rchitect-to-conceal
    authby=secret
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    type=transport
    keyexchange=ikev1
    left=10.10.14.12
    right=10.10.10.116
    rightsubnet=10.10.10.116[tcp]
Add the PSK in a similar way to /etc/ipsec.secrets:
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.10.14.12 10.10.10.116 : PSK "Dudecake1!"
VPN tunnel establishment
└─$ sudo ipsec start
[sudo] password for rocky:
Starting strongSwan 5.9.1 IPsec [starter]...
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo ipsec up rchitect-to-conceal
initiating Main Mode IKE_SA rchitect-to-conceal[2] to 10.10.10.116
An error occurs because the 3DES cipher negotiated by the peer is not supported by the plugins installed with the base strongswan package on Kali:
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
ENCRYPTION_ALGORITHM 3DES_CBC (key size 0) not supported!
key derivation for pre-shared key failed
generating INFORMATIONAL_V1 request 1886222546 [ HASH N(INVAL_KE) ]
Install the additional plugin packages that provide these algorithms:
$ sudo apt install libstrongswan-standard-plugins libstrongswan-extra-plugins
Then reconnect after reviewing /etc/ipsec.conf and /etc/ipsec.secrets.
/etc/ipsec.secrets (final file):
10.10.14.12 10.10.10.116 : PSK "Dudecake1!"
/etc/ipsec.conf (final file):
config setup
    charondebug="all"
    strictcrlpolicy=no
    uniqueids = yes

conn rchitect-to-conceal
    authby=secret
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    type=transport
    keyexchange=ikev1
    left=10.10.14.12
    right=10.10.10.116
    rightsubnet=10.10.10.116[tcp]
    fragmentation=yes
    ikelifetime=8h
    closeaction=restart
└─$ sudo ipsec start
Starting strongSwan 5.9.5 IPsec [starter]...
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo ipsec up rchitect-to-conceal
initiating Main Mode IKE_SA rchitect-to-conceal[1] to 10.10.10.116
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (176 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (208 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received MS NT5 ISAKMPOAKLEY vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (244 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (260 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (100 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA rchitect-to-conceal[1] established between 10.10.14.12[10.10.14.12]...10.10.10.116[10.10.10.116]
scheduling reauthentication in 9817s
maximum IKE_SA lifetime 10357s
generating QUICK_MODE request 2535544478 [ HASH SA No ID ID ]
sending packet: from 10.10.14.12[500] to 10.10.10.116[500] (164 bytes)
received packet: from 10.10.10.116[500] to 10.10.14.12[500] (188 bytes)
parsed QUICK_MODE response 2535544478 [ HASH SA No ID ID ]
selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA rchitect-to-conceal{1} established with SPIs cfaffc4f_i f5082174_o and TS 10.10.14.12/32 === 10.10.10.116/32[tcp]
connection 'rchitect-to-conceal' established successfully
└─$ sudo ipsec status rchitect-to-conceal
Security Associations (1 up, 0 connecting):
rchitect-to-conceal[1]: ESTABLISHED 9 seconds ago, 10.10.14.12[10.10.14.12]...10.10.10.116[10.10.10.116]
rchitect-to-conceal{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cf332116_i fbc5fa16_o
rchitect-to-conceal{1}: 10.10.14.12/32 === 10.10.10.116/32[tcp]
If proposal mismatches still cause problems, refer to this blog post: Setup a Site to Site IPsec VPN With Strongswan and PreShared Key Authentication (Ruan Bekker's Blog).
Recon over IPsec VPN
The nmap port scan results after connecting to the VPN:
└─$ sudo nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.116
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:40 EST
Warning: 10.10.10.116 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.116
Host is up (0.054s latency).
Not shown: 63985 closed ports, 1538 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
nmap -p 21,80,135,139,445,49664-49670 -Pn -sC -sV -oN detailed.txt 10.10.10.116
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:44 EST
Nmap scan report for 10.10.10.116
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-03-01T05:45:28
|_ start_date: 2022-02-28T00:21:39
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.45 seconds
└─$ sudo nmap -p 21,80,135,139,445,49664-49670 -script VULN 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:47 EST
Nmap scan report for 10.10.10.116
Host is up (0.054s latency).
PORT STATE SERVICE
21/tcp filtered ftp
80/tcp filtered http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp filtered unknown
49669/tcp filtered unknown
49670/tcp filtered unknown
Host script results:
| firewall-bypass:
|_ Firewall vulnerable to bypass through ftp helper. (IPv4)
└─$ sudo nmap -p 139,135,445 -script smb-enum-shares.nse 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.056s latency).
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds
┌──(rocky㉿kali)-[~/hckbox/conceal]
└─$ sudo nmap -p 135,139,445 -script smb-enum-users.nse 10.10.10.116
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-01 00:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.055s latency).
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.30 seconds
We now have an IPsec tunnel established between the Kali machine and the HTB machine.