A fake IKE daemon that supports just enough of the standards and Cisco extensions
Version: 0.0.5Fiked is a fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack.
License: BSD License
Operating System: Linux
Basically, knowing the pre-shared key, also known as shared secret or group password, the VPN gateway can be impersonated in IKE phase 1, in order to learn XAUTH user credentials in phase 2.
The configuration supported by fiked is IKE aggressive mode using pre-shared keys and XAUTH. FakeIKEd supports algorithms like DES, 3DES, AES128, AES192, AES256, MD5, SHA1, and DH groups 1, 2, and 5. Main mode is not supported.
Basically, if you know the pre-shared key, also known as shared secret or group password, you can play Man in the Middle, impersonate the VPN gateway in IKE phase 1, and learn XAUTH user credentials in phase 2.
This attack is not new. It has been known for a long time that IKE using PSK with XAUTH is insecure, and this is not the first actual implementation of the attack.
To successfully demostrate an attack on a VPN site, you need to know the shared secret, and you must be able to intercept the IKE traffic between the clients and the VPN gateway.
There are several ways to find out the shared secret, including being a legitimate user, grabbing it from some Cisco config file, using ike-crack, or layer 8 hackery.
There are also several ways to redirect the IKE traffic to your running fiked instance, including ARP spoofing, 802.11 hostap, or layer 1 hackery.
Usage: fiked [-rdqhV] -g gateway -k id:psk [-k ...] [-l file] [-L file]
-r use raw socket: forge source address to match < gateway >
-d detach from tty and run as a daemon (implies -q)
-q be quiet, don't write anything to stdout
-h print help and exit
-V print version and exit
-g gw VPN gateway address to impersonate
-k i:k pre-shared key aka. group password, shared secret, prefixed
with its group/key id (first -k sets default)
-l file append results to credential log file
-L file verbous logging to file instead of stdout