a) Experimental IKEv2 support (--ikev2)
b) RFC 3947 NAT traversal support (--nat-t)
c) Source IP spoofing (--sourceip) - Requires raw sockets.
d) Nortel proprietary pre-shared key cracking support.
e) psk-crack can read dictionary files from stdin (--dictionary=-)
f) Backoff patterns may contain only a single packet.
g) Two new packet display options: --timestamp and --shownum
h) ike-scan now uses the Mersenne twister PRNG, with new --randomseed option.
i) --rcookie option allows the responder cookie to be specified in outgoing packets.
j) Several new backoff patterns and vendor IDs added.
k) ike-scan wiki launched: http://www.nta-monitor.com/wiki/
Grab maintainership
From the ChangeLog (Summarised)
> * ike-backoff-patterns: Added backoff patterns for Netgear ProSafe
> and Netgear ADSL Firewall Router. Submitted by Paul Askew.
> * ike-scan.c, ike-scan.h, configure.ac: Added new --writepkttofile
> option. This option writes the output packet to the specified file
> rather than sending it to the remote host. It is intended for
> debugging and testing purposes, to allow the IKE packet to be
> easily checked. This option is not documented, because it is
> designed purely for testing.
> * check-packet: New test to check IKE scan packet data. Currently
> tests two sample packets: one default proposal, and one custom
> proposal.
> * ike-scan.c: Added --exchange option to allow the exchange field
> in the ISAKMP header to be set to arbitrary values.
> * ike-scan.c, isakmp.c: Added --hdrflags and --hdrmsgid options to
> allow Flags and MsgID fields in the ISAKMP header to be specified.
> * ike-scan.c: Added --cookie option to allow the initiator cookie in
> the ISAKMP header to be set to a static value.
> * ike-scan.c, isakmp.c: Add --spisize option to allow a random SPI
> of the specified size to be added to the proposal payload.
> * ike-vendor-ids: Added 16 new Vendor IDs, and revised some comments
> on existing entries.
> * ike-scan.c: Added --doi (-D) and --situation (-S) options to allow
> the DOI and Situation in the SA of the outbound packets to be changed
> from the default of DOI_IPSEC and SIT_IDENTITY_ONLY.
> * ike-scan.c: Added --protocol (-j) and --transid (-k) options to
> allow the proposal protocol and transform id of the outbound packets
> to be changed from the defaults.
> * ike-scan.c: Added --certreq (-C) option to add a
> CertificateRequest payload to the outgoing packet.
> * ike-scan.c: Added --headerlen (-L) option to allow the ISAKMP header
> length to be manually specified. Normally, ike-scan will
> automatically calculate the correct length; however, you can use this
> option if you want to use an incorrect length value instead.
> * ike-scan.c, isakmp.c: Added --mbz (-Z) option to allow the value for
> the reserved (MBZ) fields to be set to non-zero values. Doing so
> will make the outgoing packet non-RFC compliant.
> * ike-scan.c, isakmp.c: Added --headerver (-E) option to allow the
> version field in the ISAKMP header to be altered from the default of
> 0x10 (v1.0).
> * ike-scan.c: Added --bandwidth (-B) option to allow the outgoing
> bandwidth to be specified directly instead of using --interval.
> The --bandwidth option calculates the appropriate interval setting,
> taking into account the size of the packet.
> * ike-scan.c: Added --noncelen (-c) option to allow the length of the
> nonce data to be changed. This is only applicable to aggressive
> mode.
* Fixed bug which caused hostnames containing hyphens to fail with an error.
* Improved mapping of ID numbers to names in decode. This allows sparse IDs
ranges (e.g. 1,2,3,65000) to be supported, which means that we can now decode
XAUTH authentication method amongst other things.
* Added SO_BROADCAST option to UDP socket to allow sending to broadcast
addresses. Previously this gave a permission denied error.
- Add bl3 and openssl support
- Fix paths in man pages
- Install extra documentation
- Remove un-needed options from pkgsrc Makefile
Lots of changes/bugfixes from 1.6 including:
psk-crack.c: New program to crack Aggressive Mode Pre-Shared Keys
using dictionary attack. This uses the output from "ike-scan -P"
together with a dictionary.
---
ike-scan discovers IKE hosts and can also fingerprint them using the
retransmission backoff pattern.
ike-scan does two things:
a) Discovery: Determine which hosts are running IKE.
This is done by displaying those hosts which respond to the IKE requests
sent by ike-scan.
b) Fingerprinting: Determine which IKE implementation the hosts are using.
This is done by recording the times of the IKE response packets from the
target hosts and comparing the observed retransmission backoff pattern
against known patterns.
The retransmission backoff fingerprinting concept is discussed in more
detail in the UDP backoff fingerprinting paper which should be included
in the ike-scan kit as udp-backoff-fingerprinting-paper.txt.
The program sends IKE main mode requests to the specified hosts and displays
any responses that are received. It handles retry and retransmission with
backoff to cope with packet loss. It also limits the amount of bandwidth
used by the outbound IKE packets.
