IKE-Crack (HMAC_MD5 and HMAC_SHA1)

Hi Bitweasil, hi all,
While cheap GPU crackers are evolving, a lot of promising projects and tools have been started.
What I am sadly missing in all those tools is the possibility to brute force RFC 2409 based IKE aggressive mode PSK authentication.
This is still a common and widespread VPN flaw - as our penetration tests reveal regularly (more info here: http://www.nta-monitor.com/posts/2005/0 ... epaper.pdf).
Tools like psk-crack address this issue with traditional CPU based brute-forcing or dictionary attacks: http://www.nta-monitor.com/wiki/index.p ... o_ike-scan
I always liked the idea of a GPU accelerated IKE-Crack, but never found a suitable project to avoid starting from scratch, until I stumbled over your Multiforcers.
To make it short: I am really interested in implementing the psk-crack part of the above mentioned ike-scan into your Multiforcers. Basically we need HMAC_MD5 and HMAC_SHA1 and another filetype to deal with the PSK hash data.
The HMAC_SHA1 and HMAC_MD5 transforms basically look like this:
MD5(K XOR opad, MD5(K XOR ipad, cleartext))
SHA1(K XOR opad, SHA1(K XOR ipad, cleartext))
* ipad is the byte 0x36 repeated 64 times
* opad is the byte 0x5c repeated 64 times
For IKE-cracking you first need to calculate an SKEYID with either HMAC_MD5 or HMAC_SHA1 using some of the PSK parameters and the password and then calculate HASH_R using SKEYID and the other PSK parameters using the same transform as before.
Since I am not an experienced developer (and never designed any parallel GPU code), it would take me a lot of effort to learn from your existing CUDA HashType implementations to add the two new HashTypes, even though it might be a lot of copy and paste. Hence I'd like to know if you are interested in extending your project and implementing the needed HashTypes. If you can imagine any kind of cooperation, just let me know. If you like to dig into the topic a little deeper just grab a copy of IKE-Scan: http://www.nta-monitor.com/tools/ike-scan/index.html and look at psk-crack.c and hash_functions.h
Best regards,
-marek
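The two-stage computation described in the post, written out as an added example (not part of the original post and not ike-scan's code): HMAC is built from the ipad/opad formula, and SKEYID and HASH_R follow the RFC 2409 definitions for pre-shared-key authentication. Function and parameter names are hypothetical and all field values are constructed.

```python
import hashlib

BLOCK = 64  # block size in bytes for both MD5 and SHA-1


def hmac_manual(hash_name, key, msg):
    """H((K XOR opad) || H((K XOR ipad) || msg)), as in the post's formula."""
    if len(key) > BLOCK:               # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(BLOCK, b"\x00")    # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def skeyid(hash_name, psk, ni_b, nr_b):
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac_manual(hash_name, psk, ni_b + nr_b)


def hash_r(hash_name, skeyid_value, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b):
    """RFC 2409: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    data = g_xr + g_xi + cky_r + cky_i + sai_b + idir_b
    return hmac_manual(hash_name, skeyid_value, data)


# Constructed sample values (not taken from a real exchange).
SAMPLE = dict(
    g_xr=bytes(range(16)), g_xi=bytes(range(16, 32)),
    cky_r=b"\x11" * 8, cky_i=b"\x22" * 8,
    sai_b=b"constructed-sa-payload", idir_b=b"constructed-id-payload",
)
SAMPLE_NI, SAMPLE_NR = b"\xaa" * 20, b"\xbb" * 20


def sample_hash_r(hash_name, psk):
    """Both HMAC passes over the constructed sample for one PSK value."""
    return hash_r(hash_name, skeyid(hash_name, psk, SAMPLE_NI, SAMPLE_NR), **SAMPLE)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, sample_hash_r(name, b"constructed-psk").hex())
```

The pre-shared key is the only secret input to either stage, so the strength of the PSK is what protects HASH_R.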