Discussion:
[NSE] isakmp aggressive mode and version detection
Jesper Kückelhahn
2012-12-31 11:12:01 UTC
Hi,

I've updated the fingerprint list and the version detection script. All
three needed files are attached.

Happy new year.

- Jesper
For the information extraction script I was thinking the output being
Okay. We're now waiting for a newly formatted fingerprints file and
script to match, and then we'll take another look.
David Fifield
Jesper Kückelhahn
2013-01-19 15:20:15 UTC
Hi,

I've debugged and enhanced this script, so it should be more robust and
have better version detection on some systems.

- Jesper
Post by Jesper Kückelhahn
Hi,
I've updated the fingerprint list and the version detection script. All
three needed files are attached.
Happy new year.
- Jesper
For the information extraction script I was thinking the output being
Okay. We're now waiting for a newly formatted fingerprints file and
script to match, and then we'll take another look.
David Fifield
David Fifield
2013-01-21 06:39:34 UTC
Post by Jesper Kückelhahn
I've debugged and enhanced this script, so it should be more robust and
have better version detection on some systems.
I'm getting this error against a dummy Ncat listener:
$ sudo ncat -l --udp 500 -k --sh-exec "cat > /dev/null"
$ sudo ./nmap -p 500 -sU localhost --script=ike-version -d
NSE: ike-version against 127.0.0.1:500 threw an error!
/home/david/nmap-git/nselib/ike.lua:183: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
[C]: in function 'pairs'
/home/david/nmap-git/nselib/ike.lua:183: in function 'lookup'
/home/david/nmap-git/nselib/ike.lua:310: in function </home/david/nmap-git/nselib/ike.lua:290>
(...tail calls...)
scripts/ike-version.nse:58: in function 'get_version'
scripts/ike-version.nse:100: in function <scripts/ike-version.nse:99>
(...tail calls...)

I seem to get the same error when I try to install an IKE listener to
test against. I tried the Debian packages strongswan-ikev1 (pluto) and
strongswan-ikev2 (charon), and netstat says they are listening on port
500, but I get the same error as above. What do you recommend testing
against?

David Fifield
Jesper Kückelhahn
2013-01-21 18:16:18 UTC
Hi David,

Thanks for testing.

I'm sorry that I didn't include instructions for the script and files. I've tried to follow the convention currently used for file locations, which means that the script assumes that the files 'ike.lua' and 'ike-fingerprints.lua' are placed in 'nmap/nselib/' and 'nmap/nselib/data/', respectively. I think the error you are seeing is a consequence of 'ike-fingerprints.lua' not being found and loaded correctly.

In my testing I've used the following syntax:

# nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd TARGET

The script uses the same port as the isakmp service is listening on (UDP port 500) for socket:bind, so running an isakmp service on localhost could be causing some issues? This can be changed in line 332 in 'ike.lua'.

Does this help?


- Jesper
Post by David Fifield
Post by Jesper Kückelhahn
I've debugged and enhanced this script, so it should be more robust and
have better version detection on some systems.
$ sudo ncat -l --udp 500 -k --sh-exec "cat > /dev/null"
$ sudo ./nmap -p 500 -sU localhost --script=ike-version -d
NSE: ike-version against 127.0.0.1:500 threw an error!
/home/david/nmap-git/nselib/ike.lua:183: bad argument #1 to 'pairs' (table expected, got nil)
[C]: in function 'pairs'
/home/david/nmap-git/nselib/ike.lua:183: in function 'lookup'
/home/david/nmap-git/nselib/ike.lua:310: in function </home/david/nmap-git/nselib/ike.lua:290>
(...tail calls...)
scripts/ike-version.nse:58: in function 'get_version'
scripts/ike-version.nse:100: in function <scripts/ike-version.nse:99>
(...tail calls...)
I seem to get the same error when I try to install an IKE listener to
test against. I tried the Debian packages strongswan-ikev1 (pluto) and
strongswan-ikev2 (charon), and netstat says they are listening on port
500, but I get the same error as above. What do you recommend testing
against?
David Fifield
David Fifield
2013-01-27 06:35:15 UTC
Post by Jesper Kückelhahn
I'm sorry that I didn't include instructions for the script and files.
I've tried to follow the convention currently used for file locations,
which means that the script assumes that the files 'ike.lua' and
'ike-fingerprints.lua' are placed in 'nmap/nselib/' and
'nmap/nselib/data/', respectively. I think the error you are seeing is
a consequence of 'ike-fingerprints.lua' not being found and loaded
correctly.
# nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd TARGET
The script uses the same port as the isakmp service is listening on
(UDP port 500) for socket:bind, so running an isakmp service on
localhost could be causing some issues? This can be changed in line
332 in 'ike.lua'.
I got isakmp running on an OS X host and the script is still not working
for me.

$ sudo ./nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd 192.168.0.3
NSE: Starting 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500.
Initiating NSE at 22:32
Fetchfile found /home/david/nmap-git/nmap-rpc
NSOCK INFO [5.3670s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [5.3830s] nsock_connect_udp(): UDP connection requested to 192.168.0.3:500 (IOD #1) EID 8
NSE: Sending Aggressive mode packet ...
NSOCK INFO [5.3830s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [5.3860s] nsock_connect_udp(): UDP connection requested to 192.168.0.3:500 (IOD #2) EID 16
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_readbytes(): Read request for 1 bytes from IOD #1 [192.168.0.3:500] EID 42
NSOCK INFO [5.3860s] nsock_readlines(): Read request for 1 lines from IOD #2 [192.168.0.3:500] EID 50
NSOCK INFO [5.3970s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.168.0.3:500] (285 bytes)
NSOCK INFO [5.4360s] nsi_delete(): nsi_delete (IOD #2)
NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 04: Key Exchange
NSE: IKE: Found IKE Header: 0A: Nonce
NSE: IKE: Found IKE Header: 05: ID
NSE: IKE: Found IKE Header: 08: Hash
NSE: 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500 threw an error!
/home/david/nmap-git/nselib/ike.lua:183: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
[C]: in function 'pairs'
/home/david/nmap-git/nselib/ike.lua:183: in function 'lookup'
/home/david/nmap-git/nselib/ike.lua:310: in function </home/david/nmap-git/nselib/ike.lua:290>
(...tail calls...)
/home/david/nmap-git/scripts/ike-version.nse:58: in function 'get_version'
/home/david/nmap-git/scripts/ike-version.nse:100: in function </home/david/nmap-git/scripts/ike-version.nse:99>
(...tail calls...)

NSOCK INFO [35.3860s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 42 [192.168.0.3:500]
NSE: rpc-grind: isRPC didn't receive response.
NSE: Target port 500 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x17ad180) against 192.168.0.3:500.
NSOCK INFO [35.3870s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 22:33, 30.02s elapsed

I have the files where they should be, I think:

$ git st
# On branch master
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# nselib/data/ike-fingerprints.lua
# nselib/ike.lua
# scripts/ike-version.nse

ike-scan returns something:

$ sudo ike-scan 192.168.0.3
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.0.3 Main Mode Handshake returned HDR=(CKY-R=5cb2bd6e239aef89) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (119.95 hosts/sec). 1 returned handshake; 0 returned notify

David Fifield
Jesper Kückelhahn
2013-01-27 10:23:30 UTC
Hi David,

I see where things go wrong, and I've attached an updated 'ike.lua' file,
that now checks for the case you are seeing.

- Jesper
Post by David Fifield
Post by Jesper Kückelhahn
I'm sorry that I didn't include instructions for the script and files.
I've tried to follow the convention currently used for file locations,
which means that the script assumes that the files 'ike.lua' and
'ike-fingerprints.lua' are placed in 'nmap/nselib/' and
'nmap/nselib/data/', respectively. I think the error you are seeing is
a consequence of 'ike-fingerprints.lua' not being found and loaded
correctly.
# nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd TARGET
The script uses the same port as the isakmp service is listening on
(UDP port 500) for socket:bind, so running an isakmp service on
localhost could be causing some issues? This can be changed in line
332 in 'ike.lua'.
I got isakmp running on an OS X host and the script is still not working
for me.
$ sudo ./nmap --script=ike-version -p500 -sUV --version-intensity=0 -dd 192.168.0.3
NSE: Starting 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500.
Initiating NSE at 22:32
Fetchfile found /home/david/nmap-git/nmap-rpc
NSOCK INFO [5.3670s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [5.3830s] nsock_connect_udp(): UDP connection requested to
192.168.0.3:500 (IOD #1) EID 8
NSE: Sending Aggressive mode packet ...
NSOCK INFO [5.3830s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [5.3860s] nsock_connect_udp(): UDP connection requested to
192.168.0.3:500 (IOD #2) EID 16
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT
SUCCESS for EID 8 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: CONNECT
SUCCESS for EID 16 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 27 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 35 [192.168.0.3:500]
NSOCK INFO [5.3860s] nsock_readbytes(): Read request for 1 bytes from IOD
#1 [192.168.0.3:500] EID 42
NSOCK INFO [5.3860s] nsock_readlines(): Read request for 1 lines from IOD
#2 [192.168.0.3:500] EID 50
NSOCK INFO [5.3970s] nsock_trace_handler_callback(): Callback: READ
SUCCESS for EID 50 [192.168.0.3:500] (285 bytes)
NSOCK INFO [5.4360s] nsi_delete(): nsi_delete (IOD #2)
NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 04: Key Exchange
NSE: IKE: Found IKE Header: 0A: Nonce
NSE: IKE: Found IKE Header: 05: ID
NSE: IKE: Found IKE Header: 08: Hash
NSE: 'ike-version' (thread: 0x17bf580) against 192.168.0.3:500 threw an error!
/home/david/nmap-git/nselib/ike.lua:183: bad argument #1 to 'pairs' (table
expected, got nil)
[C]: in function 'pairs'
/home/david/nmap-git/nselib/ike.lua:183: in function 'lookup'
/home/david/nmap-git/nselib/ike.lua:310: in function
</home/david/nmap-git/nselib/ike.lua:290>
(...tail calls...)
/home/david/nmap-git/scripts/ike-version.nse:58: in function 'get_version'
/home/david/nmap-git/scripts/ike-version.nse:100: in function
</home/david/nmap-git/scripts/ike-version.nse:99>
(...tail calls...)
NSOCK INFO [35.3860s] nsock_trace_handler_callback(): Callback: READ
TIMEOUT for EID 42 [192.168.0.3:500]
NSE: rpc-grind: isRPC didn't receive response.
NSE: Target port 500 is not a RPC port.
NSE: Finished 'rpc-grind' (thread: 0x17ad180) against 192.168.0.3:500.
NSOCK INFO [35.3870s] nsi_delete(): nsi_delete (IOD #1)
Completed NSE at 22:33, 30.02s elapsed
$ git st
# On branch master
# (use "git add <file>..." to include in what will be committed)
#
# nselib/data/ike-fingerprints.lua
# nselib/ike.lua
# scripts/ike-version.nse
$ sudo ike-scan 192.168.0.3
Starting ike-scan 1.9 with 1 hosts (
http://www.nta-monitor.com/tools/ike-scan/)
192.168.0.3 Main Mode Handshake returned HDR=(CKY-R=5cb2bd6e239aef89)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds
LifeDuration(4)=0x00007080) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer
Detection v1.0)
Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (119.95 hosts/sec).
1 returned handshake; 0 returned notify
David Fifield
Jesper Kückelhahn
2013-01-27 21:22:36 UTC
Hi David,

Thanks for testing, it's nice to see it's working. In order for the version detection to work, the service needs to send at least one known Vendor ID, which it doesn't in this case. In a successful scenario it will produce the following (debugging) output:

NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 0D: VID - 1e2b516905991c7d7c96fcbfb587e46100000002
NSE: IKE: Found IKE Header: 0D: VID - 4048b7d56ebce88525e7de7f00d6c2d3
NSE: IKE: Found IKE Header: 0D: VID - 90cb80913ebb696e086381b5ec427b1f
Fetchfile found /usr/local/bin/../share/nmap/nselib/data/ike-fingerprints.lua
NSE: ike: Loading fingerprints: /usr/local/bin/../share/nmap/nselib/data/ike-fingerprints.lua
NSE: IKE: Fingerprint: 1e2b516905991c7d7c96fcbfb587e46100000002 matches Microsoft Windows 2000
NSE: IKE: Attribute: 1e2b516905991c7d7c96fcbfb587e46100000002 matches MS NT5 ISAKMPOAKLEY
NSE: IKE: Attribute: 4048b7d56ebce88525e7de7f00d6c2d3 matches IKE FRAGMENTATION
NSE: IKE: Attribute: 90cb80913ebb696e086381b5ec427b1f matches draft-ietf-ipsec-nat-t-ike-02\n
NSE: Version: Microsoft

PORT STATE SERVICE REASON VERSION
500/udp open isakmp udp-response Microsoft Windows 2000
Service Info: OS: Windows 2000; CPE: cpe:/o:microsoft:windows:2000

There are additional methods that can be used for fingerprinting, such as analysing the backoff pattern, but this would take a couple of minutes to complete, so I haven't prioritised this approach.


- Jesper
Post by David Fifield
NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 04: Key Exchange
NSE: IKE: Found IKE Header: 0A: Nonce
NSE: IKE: Found IKE Header: 05: ID
NSE: IKE: Found IKE Header: 08: Hash
NSE: Version: nil
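The two situations in this thread, a responder that sends known Vendor ID payloads and one (the OS X host above) that sends none, come down to walking the ISAKMP payload chain and looking up each VID payload in a fingerprint table. The following is an added example, written in Python rather than the Lua the NSE script uses, and is not code from ike.lua or the nmap project. The payload type numbers, the three Vendor IDs and the names they match are taken from the debugging output quoted in this thread; the two sample datagrams are constructed here, and the 28-byte ISAKMP header and 4-byte generic payload header layouts follow RFC 2408. The no-VID case yields a version of None instead of the pairs(nil) error seen earlier in the thread.

```python
import struct

ISAKMP_HEADER_LEN = 28  # two 8-byte cookies, next payload, version, exchange type, flags, message ID, length
PAYLOAD_VID = 13        # Vendor ID payload type (0x0D in the NSE debug output)

# Payload type names as printed by the script's debug output in this thread.
PAYLOAD_NAMES = {1: "SA", 4: "Key Exchange", 5: "ID", 8: "Hash", 10: "Nonce", 13: "VID"}

# Vendor IDs and their meanings are copied from the debug output quoted in this
# thread; a real fingerprint file carries many more entries.
FINGERPRINTS = {
    bytes.fromhex("1e2b516905991c7d7c96fcbfb587e46100000002"): "Microsoft Windows 2000",
}
ATTRIBUTES = {
    bytes.fromhex("1e2b516905991c7d7c96fcbfb587e46100000002"): "MS NT5 ISAKMPOAKLEY",
    bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3"): "IKE FRAGMENTATION",
    bytes.fromhex("90cb80913ebb696e086381b5ec427b1f"): "draft-ietf-ipsec-nat-t-ike-02",
}


def parse_payloads(packet):
    """Walk the ISAKMP payload chain and return a list of (type, data) pairs.

    Every length field is checked against the datagram so a truncated or
    malformed response raises ValueError instead of reading past the buffer.
    """
    if len(packet) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_payload = packet[16]                     # first payload type, right after the cookies
    total_len = struct.unpack("!I", packet[24:28])[0]
    if total_len != len(packet):
        raise ValueError("header length does not match datagram length")
    offset = ISAKMP_HEADER_LEN
    payloads = []
    while next_payload != 0:                      # 0 terminates the chain
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        ptype = next_payload
        next_payload, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        payloads.append((ptype, bytes(packet[offset + 4:offset + plen])))
        offset += plen
    return payloads


def fingerprint(packet):
    """Return payload names, the first matching version, and all matched attributes."""
    payloads = parse_payloads(packet)
    version = None
    attributes = []
    for ptype, data in payloads:
        if ptype != PAYLOAD_VID:
            continue
        if version is None and data in FINGERPRINTS:
            version = FINGERPRINTS[data]
        if data in ATTRIBUTES:
            attributes.append(ATTRIBUTES[data])
    names = [PAYLOAD_NAMES.get(t, "%02X" % t) for t, _ in payloads]
    return {"payloads": names, "version": version, "attributes": attributes}


def build_response(payloads):
    """Assemble a constructed ISAKMP datagram from (type, data) pairs (test input only)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # cookies are constructed; version 0x10 = ISAKMP 1.0; exchange type 4 = aggressive mode
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10, 4, 0, 0,
                         ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed responder datagrams: one carrying the Vendor IDs from the thread,
# one carrying only SA/KE/Nonce/ID/Hash like the OS X responder above.
WINDOWS_RESPONSE = build_response([
    (1, b"\x00\x00\x00\x01"),
    (13, bytes.fromhex("1e2b516905991c7d7c96fcbfb587e46100000002")),
    (13, bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3")),
    (13, bytes.fromhex("90cb80913ebb696e086381b5ec427b1f")),
])
NO_VID_RESPONSE = build_response([
    (1, b"\x00\x00\x00\x01"), (4, b"\xaa" * 16), (10, b"\xbb" * 8), (5, b"\x01\x00\x00\x00"), (8, b"\xcc" * 20),
])

if __name__ == "__main__":
    for name, pkt in (("windows", WINDOWS_RESPONSE), ("no-vid", NO_VID_RESPONSE)):
        print(name, fingerprint(pkt))
```

The parser deliberately returns an empty attribute list and a None version when no VID payload is present, which is the situation that has to be handled before any table lookup; the length checks matter because the response is attacker-controlled input to the scanner.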
David Fifield
2013-01-28 03:07:13 UTC
Post by Jesper Kückelhahn
Thanks for testing, it's nice to see it's working. In order for the
version detection to work, the service needs to send at least one
known Vendor ID, which it doesn't in this case. In a successful
Thanks, I have added your script and library now in r30564.

It seems a bit strange that ike.lua does most of its work using hex
strings. Is there a reason for that? Mightn't we prefer "\x0a\x00" to
bin.pack("H", "0a00")?

David Fifield
Jesper Kückelhahn
2013-01-28 16:33:36 UTC
Hi David,

Thanks for the commit.

I used hex strings as I thought that it would improve the readability and ease of modification. I'd gladly change it if the other method is better suited.


- Jesper
Post by David Fifield
Post by Jesper Kückelhahn
Thanks for testing, it's nice to see it's working. In order for the
version detection to work, the service needs to send at least one
known Vendor ID, which it doesn't in this case. In a successful
Thanks, I have added your script and library now in r30564.
It seems a bit strange that ike.lua does most of its work using hex
strings. Is there a reason for that? Mightn't we prefer "\x0a\x00" to
bin.pack("H", "0a00")?
David Fifield
David Fifield
2013-01-28 18:00:30 UTC
Post by Jesper Kückelhahn
Thanks for the commit.
I used hex strings as I thought that it would improve the readability
and ease of modification. I'd gladly change it if the other method is
better suited.
Yes, please do; the style otherwise stands out from other libraries.
Feel free to use hex for input or output, but the canonical in-memory
format should be binary.

David Fifield
Jesper Kückelhahn
2013-01-29 21:22:30 UTC
Hi,

Attached are two unified patches for ike.lua and ike-version.nse. The patch
for ike.lua changes hex strings to standard hex notation, and
ike-version.nse.patch corrects an error in the description of the script.

- Jesper
Post by David Fifield
Post by Jesper Kückelhahn
Thanks for the commit.
I used hex strings as I thought that it would improve the readability
and ease of modification. I'd gladly change it if the other method is
better suited.
Yes, please do; the style otherwise stands out from other libraries.
Feel free to use hex for input or output, but the canonical in-memory
format should be binary.
David Fifield
David Fifield
2013-01-30 06:25:47 UTC
Post by Jesper Kückelhahn
Attached are two unified patches for ike.lua and ike-version.nse. The patch
for ike.lua changes hex strings to standard hex notation, and
ike-version.nse.patch corrects an error in the description of the script.
Thanks, applied.

David Fifield
