Overview
ike-scan is a network utility that discovers and fingerprints IKE (Internet Key Exchange) hosts. It sends crafted IKE Phase 1 proposals (Main Mode or Aggressive Mode) to identify VPN gateways, guess their implementation from Vendor ID payloads and retransmission backoff timing, and enumerate which transforms (encryption, hash, authentication method, DH group) each gateway accepts. That makes it useful for locating IPsec endpoints during reconnaissance and for assessing the security posture of IPsec deployments.
ike-scan sends to UDP port 500 by default (UDP 4500 with --nat-t) and recognises many VPN implementations, including Cisco, Juniper and Nortel. It is included in Kali Linux and is a standard tool for authorized network security assessments.
Installation
# Kali Linux (pre-installed)
ike-scan --version
which ike-scan
# Debian/Ubuntu
sudo apt-get install ike-scan
# macOS
brew install ike-scan
# From source
git clone https://github.com/royhills/ike-scan
cd ike-scan
./configure
make
sudo make install
Basic Usage
Command Syntax
ike-scan [options] <target> [<target2> ...]
Simple VPN Discovery
| Command | Description |
|---|---|
| ike-scan <ip> | Scan single IP for IKE service |
| ike-scan <ip>/24 | Scan entire subnet |
| ike-scan -A <ip> | Scan using IKE Aggressive Mode |
| ike-scan --help | Display help information |
| ike-scan --version | Show version number |
Basic Examples
# Scan single IP
ike-scan 192.168.1.1
# Scan subnet
ike-scan 10.0.0.0/24
# Scan with verbose output
ike-scan -v 192.168.1.1
# Scan multiple targets
ike-scan 192.168.1.1 192.168.2.1 10.0.0.1
Common Options
Discovery and Scanning
| Option | Description | Example |
|---|---|---|
| -r, --retry=n | Number of attempts per host (default 3) | ike-scan -r 3 192.168.1.1 |
| -t, --timeout=n | Initial per-host timeout in ms (default 500) | ike-scan -t 500 192.168.1.1 |
| -i, --interval=n | Minimum interval between packets in ms | ike-scan -i 100 192.168.1.0/24 |
| -M, --multiline | Split the decoded payload across multiple lines | ike-scan -M 192.168.1.1 |
Encryption and Algorithm Specification
| Option | Description | Example |
|---|---|---|
| -a, --trans=t | Propose a custom transform, t = enc[/keylen],hash,auth,group using the numeric IDs in the Algorithm Reference; may be repeated to propose several transforms in one packet | ike-scan --trans=5,2,1,2 192.168.1.1 |
| -A, --aggressive | Use IKE Aggressive Mode instead of Main Mode | ike-scan -A 192.168.1.1 |
| -g, --dhgroup=n | DH group for the Aggressive Mode key exchange (default 2) | ike-scan -A -g 14 192.168.1.1 |
| -h, --help | List all options (ike-scan has no option that lists algorithm IDs) | ike-scan --help |
Output and Analysis
| Option | Description | Example |
|---|---|---|
| -v, --verbose | Verbose output (repeat for more detail) | ike-scan -v 192.168.1.1 |
| -q, --quiet | Do not decode the returned packet; shorter output lines | ike-scan -q 192.168.1.1 |
| -s, --sport=p | UDP source port (default 500; 0 selects a random port; ports below 1024 need root) | ike-scan -s 0 192.168.1.1 |
| -d, --dport=p | UDP destination port (default 500) | ike-scan -d 500 192.168.1.1 |
Advanced Options
Fingerprinting VPN Implementations
# Detailed fingerprinting: Aggressive Mode with the decoded payloads split one per line
ike-scan -M -A 192.168.1.1
# Test a specific transform: 3DES, SHA1, PSK authentication, DH group 2 (enc,hash,auth,group IDs)
ike-scan --trans=5,2,1,2 192.168.1.1
# ike-scan has no option that lists algorithms; transform IDs are the IKEv1
# attribute values in the Algorithm Reference section. Option summary:
ike-scan --help
# Test multiple encryption/hash combinations: DES, 3DES, AES-256 against MD5, SHA1, SHA2-256
for enc in 1 5 7/256; do
    for hash in 1 2 4; do
        echo "--- trans=$enc,$hash,1,2"
        ike-scan -q --trans="$enc,$hash,1,2" 192.168.1.1 | grep "Handshake returned"
    done
done
Subnet Scanning
# Scan entire class C subnet
ike-scan 192.168.1.0/24
# Scan with custom timeouts
ike-scan -t 1000 -r 2 10.0.0.0/24
# Aggressive scanning
ike-scan --aggressive 192.168.0.0/23
# Scan and save results
ike-scan -v 192.168.1.0/24 > ike_scan_results.txt
Aggressive Fingerprinting
# Full aggressive scan (discovers additional info)
ike-scan --aggressive 192.168.1.1
# Aggressive scan with verbose output
ike-scan -v --aggressive 192.168.1.0/24
# Save detailed output, including the backoff-timing implementation guess
ike-scan -M --showbackoff 192.168.1.1 > fingerprint.txt
Reconnaissance Workflows
VPN Endpoint Discovery
# Scan network for VPN endpoints (warnings on stderr suppressed)
ike-scan 192.168.0.0/16 2>/dev/null | grep "Handshake returned"
# Extract responsive hosts (non-responding hosts print nothing, so filter on the handshake line;
# the address and the text are tab-separated, so use awk rather than cut -d' ')
ike-scan -q 192.168.0.0/16 | grep "Handshake returned" | awk '{print $1}' > vpn_hosts.txt
# Get count of VPN servers
ike-scan -q 192.168.0.0/16 | grep -c "Handshake returned"
VPN Implementation Identification
# Identify VPN vendor: Vendor ID payloads (VID=) are decoded against ike-scan's
# vendor ID pattern file; --showbackoff adds a guess based on retransmission timing
ike-scan -M --showbackoff 192.168.1.1 2>&1 | grep -i "VID=\|Implementation guess"
# Extract vendor ID details (many gateways only send VIDs in Aggressive Mode)
ike-scan -M -A 192.168.1.1 | grep "VID="
# Map VPN implementations in network
for ip in $(ike-scan -q 192.168.1.0/24 | grep "Handshake returned" | awk '{print $1}'); do
    echo "=== $ip ==="
    ike-scan -M --showbackoff "$ip" 2>&1 | grep -i "VID=\|Implementation guess"
done
Security Configuration Assessment
# Test a weak proposal: DES, MD5, PSK, DH group 1
echo "Testing DES (weak):"
ike-scan --trans=1,1,1,1 192.168.1.1
# Test a strong proposal: AES-256, SHA2-256, PSK, DH group 14
echo "Testing AES-256 (stronger):"
ike-scan --trans=7/256,4,1,14 192.168.1.1
# Document the transform the gateway selects from the default proposal set
ike-scan -v 192.168.1.1 > vpn_capability_assessment.txt
Practical Examples
Example 1: Simple VPN Endpoint Discovery
# Scan for VPN servers on network
ike-scan 10.0.0.0/24
# Expected output (illustrative; the banner URL depends on the ike-scan version):
# Starting ike-scan 1.9.4 with 256 hosts (https://github.com/royhills/ike-scan)
# 10.0.0.10	Main Mode Handshake returned HDR=(CKY-R=...) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
# 10.0.0.50	Main Mode Handshake returned HDR=(CKY-R=...) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
# Ending ike-scan 1.9.4: 256 hosts scanned in 2.560 seconds (100.00 hosts/sec).  2 returned handshake; 0 returned notify
Example 2: VPN Fingerprinting
# Detailed analysis of specific VPN endpoint
ike-scan -v --aggressive 10.0.0.10
# Output shows:
# - IKE implementation (Cisco, Juniper, etc.)
# - Supported encryption algorithms
# - Supported hash algorithms
# - Supported DH groups
# - Vendor ID information
Example 3: Subnet-Wide Assessment
# Scan entire subnet and save results
ike-scan -v 192.168.1.0/24 > vpn_assessment_$(date +%Y%m%d).txt
# Analyze results
echo "VPN Endpoints Found:"
grep "Handshake returned" vpn_assessment_*.txt
# Count implementations
echo "Total VPN Servers:"
grep "Handshake returned" vpn_assessment_*.txt | wc -l
Example 4: Encryption Algorithm Testing
# Create test script (transform IDs from the Algorithm Reference: enc[/keylen],hash,auth,group)
cat > test_vpn_algorithms.sh << 'EOF'
#!/bin/bash
TARGET=$1
[ -n "$TARGET" ] || { echo "usage: $0 <target>"; exit 1; }
echo "Testing VPN encryption algorithms on $TARGET"
echo ""
# try_trans LABEL TRANSFORM: report whether the gateway accepts this single proposal.
# The first line ike-scan prints is its banner, so test for the handshake line
# rather than taking head -1.
try_trans() {
    if ike-scan --trans="$2" "$TARGET" 2>/dev/null | grep -q "Handshake returned"; then
        echo "$1: ACCEPTED  (--trans=$2)"
    else
        echo "$1: rejected  (--trans=$2)"
    fi
}
try_trans "DES-CBC / MD5 / modp768 (weak)"                  1,1,1,1
try_trans "3DES-CBC / SHA1 / modp1024 (medium)"             5,2,1,2
try_trans "AES-128-CBC / SHA1 / modp1536 (strong)"          7/128,2,1,5
try_trans "AES-256-CBC / SHA2-256 / modp2048 (very strong)" 7/256,4,1,14
EOF
chmod +x test_vpn_algorithms.sh
./test_vpn_algorithms.sh 192.168.1.1
Output Interpretation
Handshake Responses
Handshake returned = the host completed an IKE Phase 1 exchange; the decoded SA=(...) shows which of the proposed transforms it selected
No line for a host = no response (not an IKE endpoint, filtered, or no reply within the timeout and retries); ike-scan prints nothing for such hosts
Notify message N (NAME) = the host speaks IKE but rejected the proposal (for example NO-PROPOSAL-CHOSEN); try other transforms with --trans
Verbose Output Analysis
# Examine vendor identification (VID payloads, with decoded vendor names in parentheses)
ike-scan -M 192.168.1.1 | grep "VID="
# Check the accepted transform (Enc=, Hash=, Group=, Auth= inside the SA payload)
ike-scan -M 192.168.1.1 | grep -i "Enc=\|Hash=\|Group=\|Auth="
# Identify VPN implementation from retransmission backoff timing
ike-scan --showbackoff 192.168.1.1 | grep "Implementation guess"
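Reading the decoded SA payload and deciding whether a gateway's negotiated transform is acceptable is the same judgement the Security Configuration Assessment and Output Interpretation sections make by eye. The shell example below is added here and is not part of the original page or of the ike-scan project: it parses a constructed sample in ike-scan's line format, separates "Handshake returned" lines from "Notify message" responses, pulls Enc=, KeyLength=, Hash= and Group= out of the SA payload, and flags anything below the Recommended Configuration given later on this page (AES-256, SHA-256 or better, DH group 14 or higher). The sample output, host addresses and vendor ID are constructed, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: parse and rate ike-scan output offline. SAMPLE_OUTPUT is
# constructed to match ike-scan's one-line-per-host format; it is not a real scan.
SAMPLE_OUTPUT=$(printf '%s\n' \
  'Starting ike-scan 1.9.5 with 256 hosts (https://github.com/royhills/ike-scan)' \
  "$(printf '10.0.0.10\tMain Mode Handshake returned HDR=(CKY-R=0011223344556677) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=00112233445566778899aabbccddeeff (constructed vendor ID)')" \
  "$(printf '10.0.0.50\tMain Mode Handshake returned HDR=(CKY-R=8899aabbccddeeff) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)')" \
  "$(printf '10.0.0.77\tNotify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)')" \
  'Ending ike-scan 1.9.5: 256 hosts scanned in 2.560 seconds (100.00 hosts/sec).  2 returned handshake; 1 returned notify')

# classify_line LINE: prints handshake, notify or other (banner/footer lines are "other")
classify_line() {
  case "$1" in
    *"Handshake returned"*) echo handshake ;;
    *"Notify message"*)     echo notify ;;
    *)                      echo other ;;
  esac
}

# sa_field NAME LINE: value of NAME=... inside the decoded SA=(...) payload, empty if absent
sa_field() {
  printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ )]*\).*/\1/p"
}

# rate_sa LINE: "OK" or "WEAK: <reasons>", judged against AES-256, SHA-256 or
# better and DH group 14 or higher (the Recommended Configuration on this page)
rate_sa() {
  local enc keylen hash group reasons
  enc=$(sa_field Enc "$1");   keylen=$(sa_field KeyLength "$1")
  hash=$(sa_field Hash "$1"); group=$(sa_field Group "$1")
  reasons=""
  case "$enc" in DES|3DES) reasons="$reasons enc=$enc" ;; esac
  if [ "$enc" = AES ] && [ "${keylen:-0}" -lt 256 ]; then
    reasons="$reasons aes-keylength=${keylen:-unknown}"
  fi
  case "$hash" in MD5|SHA1) reasons="$reasons hash=$hash" ;; esac
  case "${group%%:*}" in 1|2|5) reasons="$reasons group=$group" ;; esac
  if [ -n "$reasons" ]; then echo "WEAK:$reasons"; else echo "OK"; fi
}

# summarize_scan OUTPUT: one "IP STATUS DETAIL" line per host that answered
summarize_scan() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    ip=$(printf '%s\n' "$line" | awk '{print $1}')   # IP and text are tab-separated
    case "$(classify_line "$line")" in
      handshake) echo "$ip handshake $(rate_sa "$line")" ;;
      notify)
        msg=$(printf '%s\n' "$line" | sed -n 's/.*Notify message [0-9]* (\([^)]*\)).*/\1/p')
        echo "$ip notify $msg" ;;
    esac
  done
}

# count_handshakes OUTPUT: number of hosts that completed a Phase 1 handshake
count_handshakes() {
  summarize_scan "$1" | grep -c ' handshake ' || true
}

summarize_scan "$SAMPLE_OUTPUT"
echo "hosts with handshake: $(count_handshakes "$SAMPLE_OUTPUT")"
```

For a real run, feed the scan output in without -M, since the multiline option splits the SA payload across lines and this parser expects one line per host: `summarize_scan "$(ike-scan 10.0.0.0/24 2>/dev/null)"`. A host rated WEAK only tells you which transform the gateway picked from what was proposed; confirm a finding with a single --trans proposal for that algorithm before reporting it.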
Algorithm Reference
The IDs below are the IKEv1 ISAKMP transform attribute values that --trans=enc[/keylen],hash,auth,group expects. For the auth field, 1 = pre-shared key and 3 = RSA signature.
Encryption Algorithms
| ID (--trans value) | Algorithm | Strength |
|---|---|---|
| 1 | DES-CBC | Weak (deprecated) |
| 5 | 3DES-CBC | Medium (legacy) |
| 7/128 | AES-CBC, 128-bit key | Strong |
| 7/192 | AES-CBC, 192-bit key | Strong |
| 7/256 | AES-CBC, 256-bit key | Very Strong |
Hash Algorithms
| ID | Algorithm | Strength |
|---|---|---|
| 1 | MD5 | Weak |
| 2 | SHA-1 | Medium |
| 4 | SHA2-256 | Strong |
| 5 | SHA2-384 | Very Strong |
| 6 | SHA2-512 | Very Strong |
Diffie-Hellman Groups
| ID | Group | Strength |
|---|---|---|
| 1 | 768-bit MODP | Weak |
| 2 | 1024-bit MODP | Medium |
| 5 | 1536-bit MODP | Strong |
| 14 | 2048-bit MODP | Strong |
| 19 | 256-bit ECP | Strong |
Network Reconnaissance Pipeline
# Discover UDP/500 listeners with nmap, then fingerprint with ike-scan
# (UDP scans need root; keep only definite "open" results, not "open|filtered")
sudo nmap -sU -p 500 192.168.0.0/16 -oG - | grep "500/open/" | awk '{print $2}' > vpn_candidates.txt
# Fingerprint discovered endpoints
while read -r ip; do
    ike-scan -M --showbackoff "$ip"
done < vpn_candidates.txt > vpn_fingerprint_report.txt
Vulnerability Assessment
# Check for weak algorithms (ike-scan exits 0 whether or not a handshake came back,
# so test the output rather than the exit status)
ike-scan --trans=1,1,1,1 192.168.1.1 | grep -q "Handshake returned" && echo "VULNERABLE: DES encryption supported"
# Create comprehensive assessment: one proposal per encryption algorithm (SHA1, PSK, DH group 2)
for enc in 1 5 7/128 7/256; do
    if ike-scan -q --trans="$enc,2,1,2" 192.168.1.1 | grep -q "Handshake returned"; then
        echo "Supported: encryption ID $enc"
    fi
done
Practical Assessment Workflow
Complete VPN Security Assessment
#!/bin/bash
# Comprehensive VPN security assessment
NETWORK=$1
[ -n "$NETWORK" ] || { echo "usage: $0 <network/cidr>"; exit 1; }
REPORT="vpn_assessment_$(date +%Y%m%d_%H%M%S).txt"
{
    echo "VPN Security Assessment Report"
    echo "Network: $NETWORK"
    echo "Date: $(date)"
    echo "---"
    # Phase 1: Discovery (scan the network once and reuse the host list below)
    echo "Discovery Phase:"
    DISCOVERY=$(ike-scan -q "$NETWORK" 2>/dev/null)
    echo "$DISCOVERY"
    HOSTS=$(echo "$DISCOVERY" | grep "Handshake returned" | awk '{print $1}')
    # Phase 2: Fingerprinting
    printf '\nFingerprinting Phase:\n'
    for ip in $HOSTS; do
        echo "Host: $ip"
        ike-scan -M --showbackoff "$ip" 2>&1
    done
    # Phase 3: Algorithm Testing (weak proposal: DES, MD5, PSK, DH group 1)
    printf '\nAlgorithm Analysis:\n'
    for ip in $HOSTS; do
        echo "Testing: $ip"
        if ike-scan --trans=1,1,1,1 "$ip" 2>/dev/null | grep -q "Handshake returned"; then
            echo "  WEAK: DES/MD5/modp768 proposal accepted"
        else
            echo "  OK: DES/MD5/modp768 proposal rejected"
        fi
    done
} > "$REPORT"
echo "Assessment complete: $REPORT"
Troubleshooting
| Issue | Solution |
|---|---|
| Permission denied / cannot bind port | ike-scan needs root to use UDP source port 500: run sudo ike-scan, or use --sport=0 to pick a random high port |
| No host responds | Check connectivity and firewalling of UDP/500; raise --timeout and --retry on slow links |
| No output | Non-responding hosts print nothing; verify the target IP and network accessibility |
| Incomplete fingerprinting | Try Aggressive Mode (--aggressive) and backoff-timing fingerprinting (--showbackoff) |
| Cannot find ike-scan | Check installation: which ike-scan |
Security Considerations
Responsible Testing
- Authorization: Only scan networks you own or have explicit permission to test
- Scope: Adhere to defined testing boundaries
- Timing: Conduct scans during approved testing windows
- Documentation: Maintain detailed records of discovery activities
- Confidentiality: Protect assessment results
Network Impact
- ike-scan generates minimal network traffic
- Safe for most production networks (verify with network team)
- Can help identify VPN availability issues
- Useful for inventory and compliance validation
Related Tools
- nmap: Network discovery and scanning
- Wireshark: Packet capture and analysis
- strongSwan: IPsec implementation
- OpenSwan: IPsec VPN toolkit
- openvpn: OpenVPN implementation
- Burp Suite: Web application security (for API endpoints)
VPN Security Best Practices
Recommended Configuration
Encryption: AES-256-GCM (minimum AES-256-CBC)
Hash: SHA-256, SHA-384, or SHA-512
DH Group: 14 (2048-bit) or higher
Protocol: IKEv2 (prefer over IKEv1)
Weak Ciphers: Disable DES, 3DES, MD5
Authentication: Strong certificates + optional pre-shared keys
Assessment Checklist
Further Learning
- RFC 2409: IKE Protocol
- RFC 3394: AES Key Wrap Algorithm
- RFC 3539: Authentication, Authorization and Accounting (AAA) Transport Profile
- NIST Guidelines on IPsec VPN
- Vendor documentation for specific implementations