The Internet Key Exchange (IKE) protocol is used in IPsec VPNs to authenticate users and establish the shared key of a VPN session. IKE can operate in either main mode or aggressive mode. Main mode protects the identity of the user and securely establishes a shared secret for the VPN session. Users must provide a client certificate if connecting from a dynamic or non-whitelisted IP address. In aggressive mode the handshake takes less time, but the user's identity is transmitted in plaintext. The server responds with an MD5 or SHA1 hash of the user's password and information that is already sent in plaintext. An attacker could obtain the hash by intercepting packets or initiating an aggressive mode handshake with a valid username. After obtaining the hash, it is possible to crack the password offline in a short time, depending on the password's length and complexity. Note: There is one more VPN server at 199.102.177.4 supporting IKE but has aggressive mode authentication disabled.
Impact An attacker may exploit this vulnerability when a victim connects to the VPN on an insecure WiFi network using aggressive mode authentication. An attacker performing a man-in-the- middle (MiTM) attack can capture the network traffic and perform a password brute force attack to crack the Medallia user's VPN password.
Disable aggressive mode authentication on the target servers. See the Cisco documentaion (https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.pdf) for instructions for how to disable it on Cisco IOS. Only use IKE main mode combined with client certificates for VPN authentication.
- ike-scan: Discover and fingerprint IKE hosts (IPsec VPN Servers).
Command
ike-scan --aggressive --multiline --id=nonexisting_user <server ip>
Vulnerable Output
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan)
<server ip> Aggressive Mode Handshake returned
HDR=(CKY-R=4ec8e4d12a479ae9)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=<server ip>)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.157 seconds (6.35 hosts/sec). 1 returned handshake; 0 returned notify