In association with heise online

Hash cracked

It is astonishingly easy to attack such a vulnerable VPN gateway. Cain & Abel, a password sniffing and cracking tool, can monitor whilst IKEProbe is running and extract the hash with its IKE parser [4].

Image 1: Cain sniffs the hash value during the IKE handshake between IKEProbe and the gateway

But Cain & Abel can do more: its password cracker recovers the key that produced the hash, either by a dictionary attack or by brute force, depending on how it is configured. In principle, a good key cannot be cracked within a reasonable timeframe. However, good pre-shared keys are surprisingly rare in practice.

One reason for this is that people still believe such attacks are harder than they actually are. For instance, it takes less than one minute to try out a list of one million words. Even a somewhat old PC with a 1.2 GHz processor needs only around two hours to try all combinations of lowercase letters for a six-character key. Adding two more characters raises that to 55 days. If uppercase letters and numbers are allowed as well, the operation takes 148 years.

Image 2: Cain has succeeded in calculating the pre-shared key

Once the key has been cracked, all you need to connect to the VPN gateway is a normal VPN client, such as PGPNet in PGP or Sentinel [5]. To get actual access to the enterprise network, attackers still have to guess the right IP subnets behind the gateway, but that is just a matter of time. A firewall behind the gateway would, however, limit access to network resources. VPN gateways are therefore often placed in a separate demilitarized zone (DMZ) so that the unencrypted connections to the LAN can be filtered again.

Safety net

Whether a VPN gateway uses the risky aggressive mode depends on its configuration. In some products it is even the default, for example in some Cisco equipment and in old versions of Check Point's FireWall-1. Other implementations, such as FreeS/WAN, do without it altogether and restrict IKE to the conservative main mode, which every IPSec implementation has to support.
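Which mode a gateway actually negotiates can be read straight from the exchange type field of the ISAKMP header. The following added example (not code from the article or from any tool it names) parses that header from constructed UDP/500 datagrams and flags aggressive-mode exchanges, which is the check a defender would run against captured traffic from their own gateway.

```python
import struct

# ISAKMP (IKEv1) fixed header, RFC 2408 section 3.1: two 8-byte cookies,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes

# Exchange type values defined in RFC 2408 section 3.1.
EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}
AGGRESSIVE = 4

def parse_isakmp_header(payload: bytes) -> dict:
    """Parse the fixed ISAKMP header from the payload of a UDP/500 datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("datagram too short for an ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, f"unknown ({exch_type})"),
        "flags": flags, "message_id": msg_id, "length": length,
    }

def find_aggressive_mode(datagrams):
    """Return (index, header) for every phase-1 message using aggressive mode.

    An all-zero responder cookie marks the initiator's opening proposal; a
    non-zero one marks the gateway's reply, which in aggressive mode is the
    message that carries the authentication hash in the clear."""
    hits = []
    for i, dgram in enumerate(datagrams):
        hdr = parse_isakmp_header(dgram)
        if hdr["exchange_type"] == AGGRESSIVE:
            hdr["role"] = "initiator" if hdr["responder_cookie"] == "00" * 8 else "responder"
            hits.append((i, hdr))
    return hits

# Constructed sample datagrams (headers only, payload bodies omitted).
def _hdr(exch, rcookie=b"\x00" * 8):
    return ISAKMP_HDR.pack(b"\x01" * 8, rcookie, 1, 0x10, exch, 0, 0, ISAKMP_HDR.size)

SAMPLE_DATAGRAMS = [
    _hdr(2),                      # main mode, initiator's first message
    _hdr(4),                      # aggressive mode, initiator's first message
    _hdr(4, rcookie=b"\xAA" * 8), # aggressive mode, gateway's reply
]

if __name__ == "__main__":
    for idx, h in find_aggressive_mode(SAMPLE_DATAGRAMS):
        print(f"datagram {idx}: aggressive mode, {h['role']}, IKE v{h['version']}")
```

Feeding the function the UDP payloads from a capture of your own gateway's port 500 traffic shows immediately whether aggressive mode is still being accepted.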

The easiest way to avoid the security risks described here is to do without pre-shared keys altogether and use smartcards, hardware tokens and X.509 certificates instead. If you have to stick with PSKs for authentication because your network budget leaves you no choice and switching would be too much trouble, use keys that are at least 20 characters long and consist of letters, numbers and special characters. And be sure to steer clear of aggressive mode. (dab)


[1] IKE-Scan

[2] heise Security article: Brute Force - Attacks on passwords in Windows networks

[3] IKEProbe

[4] Cain & Abel

[5] PSK Cracking using IKE Aggressive Mode

[6] Cisco Security Notice: Response to BugTraq - Internet Key Exchange Issue
