Skip to content

Instantly share code, notes, and snippets.

@claudijd

claudijd/harvest.rb

Last active March 27, 2023 16:48
Show Gist options
  • Save claudijd/5976192 to your computer and use it in GitHub Desktop.
Save claudijd/5976192 to your computer and use it in GitHub Desktop.
Download ZIP
IKE-Scan Mode/TransformSet/VID Enumeration Helper
Raw
harvest.rb
# An quick and dirty ike-scan wrapper to enumerate
# supported transform sets and vendor ID fingerprints
# on IPSec VPN Endpoints.
#
# Example Targeted Run Output
#
#$ rvmsudo ruby harvest.rb --targets 192.168.1.1 --enc-types 5 --hash-types 2 --dh-types 2 --auth-types 1
#I, [2013-08-12T23:53:14.490138 #27197] INFO -- : 5 transform combinations to try
#D, [2013-08-12T23:53:14.490221 #27197] DEBUG -- : Trying ike-scan --multiline 192.168.1.1
#I, [2013-08-12T23:53:14.726363 #27197] INFO -- : Found a new VID VID=5b362bc820f60001
#D, [2013-08-12T23:53:14.726580 #27197] DEBUG -- : Trying ike-scan -M --multiline 192.168.1.1
#D, [2013-08-12T23:53:14.875583 #27197] DEBUG -- : Trying ike-scan -A --multiline 192.168.1.1
#D, [2013-08-12T23:53:15.020898 #27197] DEBUG -- : Trying ike-scan -M --multiline --trans=5,2,1,2 192.168.1.1
#D, [2013-08-12T23:53:15.162350 #27197] DEBUG -- : Trying ike-scan -A --multiline --trans=5,2,1,2 192.168.1.1
#
################ Start Scan Summary ###############
#### SUCCESSFUL IKE-SCAN CMDs w/ SAs
#ike-scan --multiline 192.168.1.1
#ike-scan -M --multiline 192.168.1.1
#ike-scan -M --multiline --trans=5,2,1,2 192.168.1.1
#### ENUMERATED VENDOR IDS
#VID=5b362bc820f60001
################ End Scan Summary ###############
require 'optparse'
require 'open3'
require 'set'
require 'logger'
enc_types = {
"1" => "DES",
"2" => "DEA",
"3" => "BLOWFISH",
"4" => "RC5",
"5" => "3DES",
"6" => "CAST",
"7/128" => "AES128",
"7/192" => "AES192",
"7/256" => "AES256",
"8" => "Camellia"
}
hash_types = {
"1" => "MD5",
"2" => "SHA1",
"3" => "Tiger",
"4" => "SHA2-256",
"5" => "SHA2-384",
"6" => "SHA2-512",
}
auth_types = {
"1" => "Preshared Key",
"2" => "DSS Signature",
"3" => "RSA Signature",
"4" => "RSA Encryption",
"5" => "Revised RSA Encryption",
"6" => "EIGAMEL Encryption",
"7" => "Revised EIGAMEL Encryption",
"8" => "ECDSA Signature",
"64221" => "Hybrid Mode (common on check point Fws)",
"65001" => "XAUTH"
}
dh_types = {
"1" => "MODP768",
"2" => "MODP1024",
"5" => "MODP1536",
"14" => "MODP2048"
}
modes = {
"M" => "Main Mode",
"A" => "Aggressive Mode"
}
options = {
:enc_types => enc_types.keys,
:hash_types => hash_types.keys,
:auth_types => auth_types.keys,
:dh_types => dh_types.keys,
:modes => modes.keys
}
OptionParser.new do |opts|
opts.banner = "Usage: ruby harvest.rb [options]"
opts.on("--targets x,y,z", Array, "List of IPs to Scan") do |targets|
options[:targets] = targets
end
opts.on("--enc-types x,y,z", Array, "List of Encryption Types") do |e|
options[:enc_types] = e
end
opts.on("--hash-types x,y,z", Array, "List of Hash Types") do |h|
options[:hash_types] = h
end
opts.on("--auth-types x,y,z", Array, "List of Auth Types") do |a|
options[:auth_types] = a
end
opts.on("--dh-types x,y,z", Array, "List of Diffie Types") do |d|
options[:dh_types] = d
end
opts.on("--modes x,y,z", Array, "List of Modes") do |m|
options[:modes] = m
end
opts.on_tail("-h", "--help", "Show this message") do
puts opts
puts ""
puts "Examples:"
puts ""
puts "A Specific Transform Set"
puts "sudo ruby harvest.rb --targets 192.168.1.1 --enc-types 5 --hash-types 2 --dh-types 2 --auth-types 1"
puts ""
puts "Just Aggressive PSK Auth Transform Sets"
puts "sudo ruby harvest.rb --targets 192.168.1.1 --auth-types 1 --modes A"
puts ""
puts "All Transform Sets"
puts "sudo ruby harvest.rb --targets 192.168.1.1"
puts ""
exit
end
end.parse!
# Generate a list of ike-scan commands via transform combos
def generate_command_list(enc_types, hash_types, auth_types, dh_types, modes, targets)
cmds = []
targets.each do |target|
modes.each do |mode|
enc_types.each do |enc_type|
hash_types.each do |hash_type|
auth_types.each do |auth_type|
dh_types.each do |dh_type|
cmds << "ike-scan " +
"-#{mode} " +
"--multiline " +
"--trans=#{enc_type},#{hash_type},#{auth_type},#{dh_type} " +
target
end
end
end
end
end
end
return cmds
end
def generate_default_command_list(targets, modes)
cmds = []
targets.each do |target|
# Default Command
cmds << "ike-scan " +
"--multiline " +
target
# Default Command per Mode
modes.each do |mode|
cmds << "ike-scan " +
"-#{mode} " +
"--multiline " +
target
end
end
return cmds
end
command_list = generate_default_command_list(
options[:targets],
options[:modes]
)
command_list += generate_command_list(
options[:enc_types],
options[:hash_types],
options[:auth_types],
options[:dh_types],
options[:modes],
options[:targets]
)
successful_cmds = Set.new
unique_vendor_ids = Set.new
#Stand up some logging
log = Logger.new(STDERR)
log.level = Logger::DEBUG
log.info("#{command_list.size.to_s} transform combinations to try")
command_list.each do |cmd|
log.debug("Trying #{cmd}")
stdin, stdout, stderr, thread = Open3.popen3(cmd)
#Make sure command completes
thread.join
#Read stderr and stdout
error = stderr.read
output = stdout.read
# Check for errors and bomb hard if we see them
# This is to prevent people from running concurrent
# ike-scans, which is unsupported
if error.match(/^ERROR:/)
puts "Received Fatal Error from ike-scan: \n#{error}"
exit 1
end
# Check for successful SA
if output.match(/SA=/)
successful_cmds << cmd
#Snatch out the VIDs
vids = output.scan(/(VID=[0-9a-z]+ ?(.*)?)/)
vids.each do |vid|
unless unique_vendor_ids.include?(vid[0])
log.info("Found a new VID #{vid[0]}")
unique_vendor_ids << vid[0]
end
end
end
end
puts ""
puts "############### Start Scan Summary ###############"
puts "\n"
puts "### SUCCESSFUL IKE-SCAN CMDs w/ SAs"
successful_cmds.each do |cmd|
puts cmd
end
puts "\n"
puts "### ENUMERATED VENDOR IDS"
unique_vendor_ids.each do |vid|
puts vid
end
puts "\n"
puts "############### End Scan Summary ###############"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment