Name         Date         Size      #Lines  LOC
doc/         03-May-2022  -         -       -
vpnc/        03-Aug-2009  -         2,127   1,518
COPYING      30-Oct-2005  17.6 KiB  341     281
GNUmakefile  03-May-2022  2.6 KiB   94      59
NEWS         03-Aug-2009  686 B     21      15
README       03-Aug-2009  3.2 KiB   97      66
TODO         12-Jan-2006  519 B     12      11
VERSION      03-Aug-2009  6 B       2       1
bsd.h        03-Jan-2006  1 KiB     31      8
config.c     18-Dec-2005  1.8 KiB   93      56
config.h     17-Dec-2005  1.4 KiB   50      22
datagram.c   18-Dec-2005  3.4 KiB   143     88
datagram.h   01-Nov-2005  1.4 KiB   50      22
fiked.1      03-Aug-2009  5.1 KiB   142     123
ike.c        24-Dec-2005  32.1 KiB  1,150   791
ike.h        30-Oct-2005  1,008 B   32      7
log.c        24-Dec-2005  2.2 KiB   112     80
log.h        31-Oct-2005  1,006 B   31      7
main.c       03-Aug-2009  7.3 KiB   306     237
mem.c        18-Dec-2005  1.1 KiB   40      16
mem.h        18-Dec-2005  951 B     31      6
peer_ctx.c   18-Dec-2005  3.2 KiB   143     101
peer_ctx.h   06-Dec-2005  2.7 KiB   112     62
results.c    24-Dec-2005  1.7 KiB   68      42
results.h    30-Oct-2005  998 B     31      7
send_dgm.c   17-Dec-2005  2.2 KiB   80      49
send_dgm.h   01-Nov-2005  982 B     30      6

README

/*
 * fiked - a fake IKE PSK+XAUTH daemon based on vpnc
 * Copyright (C) 2005,2009 Daniel Roethlisberger <daniel@roe.ch>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/
 *
 * $Id: README 122 2009-08-03 22:45:47Z roe $
 */



// Overview

This is a fake IKE daemon supporting just enough of the standards and
Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN
setups.

Basically, if you know the pre-shared key, also known as shared secret
or group password, you can impersonate the VPN gateway in IKE phase 1,
and learn XAUTH user credentials in phase 2.

This attack [2,3] is not new.  It has been known for a long time that
IKE using PSK with XAUTH is insecure, and this is not the first actual
implementation of the attack.

The configuration supported by fiked is IKE aggressive mode using
pre-shared keys and XAUTH.  Supported algorithms are DES, 3DES, AES128,
AES192, AES256; MD5, SHA1; and DH groups 1, 2 and 5.  Main mode is not
supported.

Based on this work, a full MITM attack could be implemented.



// Attack Setup

To successfully demonstrate an attack on a VPN site, you need to know the
shared secret, and you must be able to intercept the IKE traffic between
the clients and the VPN gateway.

There are several ways to find out the shared secret [4], and several
ways to redirect the IKE traffic to your running fiked instance.

With the -r option, you can control whether fiked should forge the
source address on packets or not, depending on whether your particular
attack setup needs it or not.



// Installation

You need these libraries to build and run fiked:
 * libgcrypt >= 1.1.90
   http://directory.fsf.org/security/libgcrypt.html
 * libnet >= 1.1.0 (optional)
   http://www.packetfactory.net/projects/libnet/

You should be able to build and install fiked by just running GNU
make install (gmake on BSD) on systems with a C99 capable GCC.

Fiked has been developed on FreeBSD, but should build and run
fine on other BSD and Linux boxes.  Please do send me patches.
Reported to work fine are OpenBSD and Debian.

By defining WITHOUT_LIBNET, you can omit libnet support, which will
remove the dependency on libnet, and will give you a fiked which does
not support sending replies with forged source address (-r option).



// Credits

Fiked is loosely based on vpnc [5].  The code borrowed from vpnc is
found in the vpnc subdirectory, see vpnc/NOTICE.



// References

[1] http://www.roe.ch/FakeIKEd
[2] http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml
[3] http://www.ima.umn.edu/~pliam/xauth/
[4] http://ikecrack.sourceforge.net/
[5] http://www.unix-ag.uni-kl.de/~massar/vpnc/

