Description
ike-scan discovers and fingerprints ISAKMP/IKE VPN endpoints. It sends IKE Phase 1 packets and records responses, enabling VPN vendor identification and PSK hash capture for offline cracking.
Installation
BASH
# Install ike-scan from the distribution package (Debian/Ubuntu shown).
sudo apt install ike-scan
# From source
# NOTE(review): the clone is over plain HTTPS and is not pinned to a tag or
# commit; for a reproducible build, check out a specific release and verify
# it before running the autotools chain below.
git clone https://github.com/royhills/ike-scan && cd ike-scan
# autoreconf regenerates the configure script before the usual configure/make.
autoreconf --install && ./configure && make && sudo make install
Basic Usage
BASH
# Discover IKE endpoint
# Sends an IKE Phase 1 main-mode proposal and reports whether the host answers.
# ike-scan typically needs root to bind its default source port UDP/500.
ike-scan <IP>
# Aggressive mode (captures PSK hash!)
# -A selects aggressive mode; --id is the group/identity offered to the responder.
# Without -P the hash, if any, is only printed to stdout and not saved.
# Defender note: a responder that accepts aggressive mode with PSK discloses
# a PSK-derived hash before the initiator is authenticated; main mode,
# certificate authentication or IKEv2 are the mitigations.
ike-scan -A --id=vpngroup <IP>
# Show vendor IDs
# -M (--multiline) prints each payload, including Vendor ID payloads, on its own line.
ike-scan -M <IP>
# Fingerprint VPN
# --showbackoff fingerprints the implementation by its retransmission timing;
# it keeps the socket open longer than a plain scan.
ike-scan --showbackoff <IP>
Advanced Usage
BASH
# Enumerate transforms
# Each --trans is enc,hash,auth,group (1=PSK auth in the third position); several
# may be offered at once. NOTE(review): transform 7 (AES) normally carries a key
# length in ike-scan's syntax (e.g. 7/128) — confirm the bare "7" form gets a reply.
ike-scan --trans=5,2,1,2 --trans=7,2,1,5 --trans=5,2,1,14 <IP>
# Capture PSK hash for cracking
# -P writes the captured hash in psk-crack's input format to the named file.
ike-scan -A --id=vpngroup -P psk-hash.txt <IP>
# Crack with psk-crack
# -d runs a dictionary attack against the saved hash; the path must exist locally.
psk-crack -d /usr/share/wordlists/rockyou.txt psk-hash.txt
# IKEv2 scanning
ike-scan --ikev2 <IP>
# NAT-Traversal
# NAT-T moves IKE to UDP/4500; detection rules for unsolicited IKE should cover
# both 500 and 4500.
ike-scan --nat-t <IP>
# Scan subnet
# CIDR targets are expanded to every host; this is a noisy, easily detected sweep.
ike-scan 192.168.1.0/24
Common Workflows
BASH
# Full VPN enumeration
# Steps build on one another: only proceed to the next when the previous one
# produced a response. "vpngroup" is a placeholder --id; the hash is obtainable
# only if the responder accepts the offered identity in aggressive mode.
ike-scan <IP> # Detect
ike-scan -M --showbackoff <IP> # Fingerprint
ike-scan -A --id=vpngroup -P hash.txt <IP> # Capture PSK
# hash.txt is the -P output from the previous step; rockyou.txt is a relative path here.
psk-crack -d rockyou.txt hash.txt # Crack