Pentest Externo
Escanear VPNs
ike-audit.sh
#!/bin/bash
# ike-audit.sh - drive ike-scan over a list of targets: IKE transform brute-force
# (main mode), aggressive-mode handshake/PSK capture and VPN group-ID enumeration,
# appending every hit to a report file.
# =========================================================
# VISUAL CONFIGURATION
# =========================================================
# Kept as literal backslash sequences (single quotes); they are rendered when
# printed with `echo -e`, so they are harmless if they ever end up in plain files.
GREEN='\e[32m'
RED='\e[31m'
YELLOW='\e[33m'
BLUE='\e[34m'
RESET='\e[0m'
# =========================================================
# STATE VARIABLES & HELP
# =========================================================
# Scan phases to run; all off until -M/-A/-I are parsed (no flag at all enables every phase later).
RUN_MAIN=false; RUN_AGGR=false; RUN_IDS=false
# Flipped to true by the first of -M/-A/-I seen on the command line.
SPECIFIC_MODE=false
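show_help() {
  # Print usage to stdout and exit. Optional $1 is the exit status; it defaults to 1 (the value
  # every error path relied on) so the -h handler can pass 0 and "help requested" is
  # distinguishable from "bad invocation" by anything scripting around this tool.
  local status="${1:-1}"
  printf '%b\n' "${BLUE}Usage:${RESET} sudo $0 -l <IP_LIST> [options]"
  printf '%b\n' ""
  printf '%b\n' "${YELLOW}Mandatory Options:${RESET}"
  printf '%b\n' " -l <file> File containing the list of target IPs."
  printf '%b\n' ""
  printf '%b\n' "${YELLOW}Scan Modes (Select one or multiple):${RESET}"
  printf '%b\n' " -M Run Main Mode (Transform Brute-force)."
  printf '%b\n' " -A Run Aggressive Mode (Handshake/PSK Capture)."
  printf '%b\n' " -I Run Group ID Enumeration."
  printf '%b\n' " ${BLUE}* If no mode is selected, ALL modes will run by default.${RESET}"
  printf '%b\n' ""
  printf '%b\n' "${YELLOW}Customization:${RESET}"
  printf '%b\n' " -o <file> Output report filename."
  printf '%b\n' " -t <file> Custom Transform dictionary file."
  printf '%b\n' " -n <file> Custom Group ID dictionary file."
  printf '%b\n' " -h Show this help message."
  printf '%b\n' ""
  printf '%b\n' "${BLUE}Example:${RESET} sudo $0 -l targets.txt -A -I (Only Aggressive and IDs)"
  exit "$status"
}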
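# =========================================================
# ARGUMENT PROCESSING
# =========================================================
FILE_IPS=""
OUTPUT_FILE="audit_results_$(date +%Y%m%d_%H%M).txt"
TRANS_FILE=""
IDS_FILE=""
GENERATE_TRANS=true   # false once -t supplies a custom transform list
GENERATE_IDS=true     # false once -n supplies a custom group-ID list
# Leading ':' puts getopts in silent mode: it then stores the offending option character in
# OPTARG for both '?' (unknown option) and ':' (missing argument). Without it OPTARG is unset
# on an unknown option and the message below printed just "-".
while getopts ":l:o:t:n:MAIh" opt; do
  case "$opt" in
    l) FILE_IPS="$OPTARG" ;;
    o) OUTPUT_FILE="$OPTARG" ;;
    t) TRANS_FILE="$OPTARG"; GENERATE_TRANS=false ;;
    n) IDS_FILE="$OPTARG"; GENERATE_IDS=false ;;
    M) RUN_MAIN=true; SPECIFIC_MODE=true ;;
    A) RUN_AGGR=true; SPECIFIC_MODE=true ;;
    I) RUN_IDS=true; SPECIFIC_MODE=true ;;
    h) show_help 0 ;;
    :) echo -e "${RED}Option -$OPTARG requires an argument${RESET}" >&2; show_help ;;
    \?) echo -e "${RED}Invalid option: -$OPTARG${RESET}" >&2; show_help ;;
  esac
done
shift $((OPTIND - 1))
# Targets are only accepted through -l; a stray positional argument is almost always a typo
# (e.g. an IP given on the command line) and would otherwise be silently ignored.
if [ $# -gt 0 ]; then
  echo -e "${RED}Unexpected argument(s): $*${RESET}" >&2
  show_help
fi
# No explicit mode selected -> run every phase.
if [ "$SPECIFIC_MODE" != true ]; then
  RUN_MAIN=true
  RUN_AGGR=true
  RUN_IDS=true
fi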
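# =========================================================
# BASIC VALIDATIONS
# =========================================================
# ike-scan needs raw-socket / UDP 500 privileges.
if [ "$EUID" -ne 0 ]; then
  echo -e "${RED}[Error] Please run this script as root (sudo).${RESET}"
  exit 1
fi
# Every ike-scan call below silences stderr, so a missing binary would not crash the script:
# it would just produce a long run with an empty report. Check it up front.
if ! command -v ike-scan >/dev/null 2>&1; then
  echo -e "${RED}[Error] ike-scan not found in PATH.${RESET}"
  exit 1
fi
if [ -z "$FILE_IPS" ]; then
  echo -e "${RED}[Error] Missing IP list file (-l)${RESET}"
  show_help
fi
if [ ! -f "$FILE_IPS" ]; then
  echo -e "${RED}[Error] File '$FILE_IPS' does not exist.${RESET}"
  exit 1
fi
if [ ! -r "$FILE_IPS" ]; then
  echo -e "${RED}[Error] File '$FILE_IPS' is not readable.${RESET}"
  exit 1
fi
# Custom dictionaries (-t / -n) are only paths at this point; an unreadable one would make the
# later line count fail and break the progress arithmetic mid-scan, so reject it now.
for dict in "$TRANS_FILE" "$IDS_FILE"; do
  [ -z "$dict" ] && continue
  if [ ! -r "$dict" ]; then
    echo -e "${RED}[Error] Dictionary '$dict' does not exist or is not readable.${RESET}"
    exit 1
  fi
done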
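# =========================================================
# ENVIRONMENT PREPARATION
# =========================================================
# Everything this script creates (report, generated dictionaries, captured aggressive-mode
# handshakes) is engagement data; make new files owner-only by default.
umask 077
# Prepare output file. Fail now rather than discover after a multi-hour scan that nothing was saved.
if ! echo "--- IKE Audit Report ---" > "$OUTPUT_FILE"; then
  echo -e "${RED}[Error] Cannot write report file '$OUTPUT_FILE'.${RESET}" >&2
  exit 1
fi
{
  echo "Date: $(date)"
  echo "Targets: $FILE_IPS"
  echo "Modes: M=$RUN_MAIN, A=$RUN_AGGR, I=$RUN_IDS"
} >> "$OUTPUT_FILE"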
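cleanup() {
  # SIGINT/SIGTERM handler: restore the cursor hidden by `tput civis`, tell the user where the
  # partial results are, and exit 130 (the conventional "killed by Ctrl-C" status) instead of
  # whatever status the interrupted command happened to leave in $?.
  tput cnorm
  printf '\n%b\n' "${RED}[!] Script cancelled by user.${RESET}"
  if [ -n "$OUTPUT_FILE" ]; then
    printf '%b\n' "${YELLOW}[i] Partial results kept in: $OUTPUT_FILE${RESET}"
  fi
  exit 130
}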
trap cleanup SIGINT
log_success() {
  # Record a finding: $1 target, $2 text for the terminal, $3 text for the report line.
  # Terminal gets a green "[!]" line; the report gets a timestamped "IP: <target> - <text>" line.
  local target="$1" screen_text="$2" report_text="$3"
  # Erase the in-place progress counter before printing on that line.
  printf '\033[2K\r'
  printf '%b\n' " ${GREEN}[!] ${screen_text}${RESET}"
  printf '[%s] IP: %s - %s\n' "$(date '+%T')" "$target" "$report_text" >> "$OUTPUT_FILE"
}
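tput civis # Hide cursor while progress lines are redrawn in place (cleanup/finish restore it)
echo -e "${BLUE}--- Configuration ---${RESET}"
echo -e "Output File : $OUTPUT_FILE"
# =========================================================
# INTELLIGENT DICTIONARY MANAGEMENT
# =========================================================
# Only generate/load what the selected phases need.
TOTAL_TRANS=0
TOTAL_IDS=0

# Write every ike-scan `--trans=ENC,HASH,AUTH,GROUP` combination to the file given in $1, one
# per line, ENC varying slowest. Enc 1-8 (7 = AES, spelled out with 128/192/256-bit keys),
# Hash 1-6, Auth 1-8 plus the private-use Hybrid (64221-64224) and XAUTH (65001-65010)
# methods, DH group 1-18: 10 x 6 x 22 x 18 = 23,760 lines.
# Each line is one ike-scan probe per target, so a full run is slow against many hosts;
# pass a trimmed list with -t when scope is large.
generate_transform_dict() {
  local out="$1" enc hash auth group
  # Redirect once for the whole loop rather than reopening the file for every line.
  for enc in 1 2 3 4 5 6 7/128 7/192 7/256 8; do
    for hash in 1 2 3 4 5 6; do
      for auth in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do
        for group in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
          echo "--trans=$enc,$hash,$auth,$group"
        done
      done
    done
  done > "$out"
}

# 1. Transform Dictionary (Needed for Main or Aggressive)
if [ "$RUN_MAIN" = true ] || [ "$RUN_AGGR" = true ]; then
  if [ "$GENERATE_TRANS" = true ]; then
    TRANS_FILE="ike-dict-auto.txt"
    echo -e "Transforms : ${YELLOW}Generating automatic...${RESET}"
    generate_transform_dict "$TRANS_FILE"
  else
    echo -e "Transforms : ${GREEN}Using custom ($TRANS_FILE)${RESET}"
  fi
  TOTAL_TRANS=$(wc -l < "$TRANS_FILE")
fi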
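# 2. ID Dictionary (Needed for IDs)

# Write the built-in VPN group-name wordlist (160 entries: Cisco ASA/PIX/EZVPN defaults plus
# common naming patterns) to the file given in $1, one ID per line.
# Entries may contain spaces ("WAN GROUP"), so whatever consumes this file must pass each
# line as a single quoted argument.
generate_id_dict() {
cat << 'EOF' > "$1"
GroupVPN
Group-VPN
EZ
ez
3000
5000
abc
ABC
RemoteAccess
RemoteAccessVPN
remoteaccessvpn
access
asa
ASA
pix
PIX
asa_vpn
ASA_vpn
ASA_VPN
PIX_VPN
pix_vpn
vpn_asa
vpn_pix
VPN_ASA
VPN_PIX
aimatch
asset
assetlink
backup
backup1
backup-server
cisco
clientvpn
client-vpn
data
dataflux
DefaultL2LGroup
DefaultRAGroup
DefaultWEBVPNGroup
dfltgrppolicy
DfltGrpPolicy
dmz
dmzvpn
enter
ENTER
external
externalvpn
extvpn
ext-vpn
ezvpn
ezVPN
EZvpn
EZVPN
ezvpn-client
EZVPN_GROUP
failover
group
Group
group1
Group1
group2
Group2
group3
Group3
group4
Group4
group5
GROUP_EZVPN
groupnew
GroupPolicy
GroupPolicy1
GroupPolicy2
GroupPolicy3
GroupPolicy4
GroupPolicy5
groupvpn
group-vpn
hq
hqvpn
ideas
ike
inside
internal
internalvpn
internal-vpn
intvpn
int-vpn
ipsec
ipsec-ra
ipsec-tuneglgroup1
ipsec-tunnelgroup
ipsec-tunnelgroup2
jmp
link
mygroup
myGroup
myGROUP
MyGroup
new
newgroup
old
outside
picosearch
primary
primary-vpn
private
public
ravpn
ra-vpn
remote
Remote
remote-access
remotevpn
remote-vpn
rename
root
sa
secondary
secondary_vpn
secondary-vpn
Secondary_VPN
Secondary-VPN
secure
superteam
teragram
test
testvpn
test-vpn
tunnel
vpn
vpngroup
vpn-group
VPNGroup
vpnint
vpn-int
vpn_primary
vpn-primary
VPN_primary
VPN_Primary
VPN-Primary
vpnremote
vpn-remote
vpntest
vpn-test
VPNtest
VPN-test
VPN-Test
vpntunnel
vsticorp
webvpn
xxx
XXX
manualVPN
TunnelGroup1
TunnelGroup2
TunnelGroup3
WAN GROUP
WAN
WANVPN
VPNGROUP
EOF
}

if [ "$RUN_IDS" = true ]; then
  if [ "$GENERATE_IDS" = true ]; then
    IDS_FILE="vpnIds-auto.txt"
    echo -e "Group IDs : ${YELLOW}Generating automatic...${RESET}"
    generate_id_dict "$IDS_FILE"
  else
    echo -e "Group IDs : ${GREEN}Using custom ($IDS_FILE)${RESET}"
  fi
  TOTAL_IDS=$(wc -l < "$IDS_FILE")
fi
echo -e "------------------------------------------"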
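# =========================================================
# MAIN LOOP
# =========================================================

# Redraw the in-place progress counter: $1 = probes done, $2 = total probes.
# A zero/empty total (empty dictionary) reports 0% instead of failing on division by zero.
show_progress() {
  local done_n="$1" total="$2" pct=0
  if [ "$total" -gt 0 ] 2>/dev/null; then
    pct=$((done_n * 100 / total))
  fi
  printf ' Progress: %s / %s (%s%%) \r' "$done_n" "$total" "$pct"
}

# Targets are read on fd 3 so the loop's input is not shared with child processes' stdin.
# `|| [ -n ... ]` keeps a last line that has no trailing newline (read returns non-zero for it).
while IFS= read -r -u 3 IP_TARGET || [ -n "$IP_TARGET" ]; do
  IP_TARGET=${IP_TARGET%$'\r'}          # tolerate CRLF target lists
  [ -z "$IP_TARGET" ] && continue         # skip blank lines
  case "$IP_TARGET" in \#*) continue ;; esac   # allow '#' comment lines in the target list
  echo -e "\n${BLUE}>>> ANALYZING TARGET: ${YELLOW}$IP_TARGET${RESET}"
  # -----------------------------------------------------
  # PHASE 1: Main Mode
  # -----------------------------------------------------
  if [ "$RUN_MAIN" = true ]; then
    echo -e " ${YELLOW}[A] Main Mode (Transforms)...${RESET}"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
      count=$((count + 1))
      show_progress "$count" "$TOTAL_TRANS"
      [ -z "$line" ] && continue
      # A dictionary line may carry several ike-scan options; split it on whitespace into
      # separate arguments (never eval it) and quote the target itself.
      read -r -a trans_args <<< "$line"
      res=$(ike-scan -M "${trans_args[@]}" "$IP_TARGET" 2>/dev/null)
      if grep -q "1 returned handshake" <<< "$res"; then
        log_success "$IP_TARGET" "FOUND: $line" "Main Mode: $line"
      fi
    done < "$TRANS_FILE"
  fi
  # -----------------------------------------------------
  # PHASE 2: Aggressive Mode
  # -----------------------------------------------------
  if [ "$RUN_AGGR" = true ]; then
    echo -e "\n ${YELLOW}[B] Aggressive Mode (PSK)...${RESET}"
    # A target line may be a hostname or a CIDR; keep the handshake file name to a safe character set.
    safe_name=${IP_TARGET//[^A-Za-z0-9._-]/_}
    PSK_FILE="handshake_${safe_name}.txt"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
      count=$((count + 1))
      show_progress "$count" "$TOTAL_TRANS"
      [ -z "$line" ] && continue
      read -r -a trans_args <<< "$line"
      # --pskcrack's file name is an OPTIONAL argument, so it has to be attached with '=';
      # given as a separate word ("-P file") ike-scan parses the file name as another target.
      # NOTE(review): no -n/--id is sent here, so ike-scan uses its default ID; many gateways
      # only complete aggressive mode for a known group name - if nothing is captured, re-run
      # with the IDs found in phase C.
      if ike-scan -M --aggressive --pskcrack="$PSK_FILE" "${trans_args[@]}" "$IP_TARGET" 2>/dev/null | grep -q "SA="; then
        log_success "$IP_TARGET" "PSK CAPTURED: $line" "Aggressive: $line (PSK saved)"
        # The file holds material that psk-crack can attack offline: keep it owner-only.
        [ -e "$PSK_FILE" ] && chmod 600 "$PSK_FILE"
        echo -e " ${GREEN}[+] Saved to: $PSK_FILE${RESET}"
      fi
    done < "$TRANS_FILE"
  fi
  # -----------------------------------------------------
  # PHASE 3: VPN Group IDs
  # -----------------------------------------------------
  if [ "$RUN_IDS" = true ]; then
    echo -e "\n ${YELLOW}[C] VPN Group IDs...${RESET}"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
      count=$((count + 1))
      show_progress "$count" "$TOTAL_IDS"
      [ -z "$line" ] && continue
      # The ID must be quoted: entries such as "WAN GROUP" contain a space and would otherwise
      # be split into an ID plus a bogus extra target.
      res=$(ike-scan -M -A -n "$line" "$IP_TARGET" 2>/dev/null)
      if grep -q "1 returned handshake" <<< "$res"; then
        # NOTE(review): some gateways answer aggressive mode for ANY ID. Probe a random bogus
        # ID first; if that also gets a handshake, a hit here only means "responds", not "valid".
        log_success "$IP_TARGET" "VALID ID: $line" "VPN ID: $line"
      fi
    done < "$IDS_FILE"
  fi
done 3< "$FILE_IPS"
tput cnorm
echo -e "\n\n${GREEN}Audit finished. Report saved in: $OUTPUT_FILE${RESET}"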