.\" fiked - a fake IKE PSK+XAUTH daemon based on vpnc .\" Copyright (C) 2005, Daniel Roethlisberger .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by .\" the Free Software Foundation; either version 2 of the License, or .\" (at your option) any later version. .\" .\" This program is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with this program; if not, see http://www.gnu.org/copyleft/ .\" .\" $Id: fiked.1 112 2005-12-21 00:02:58Z roe $ .\" .TH FIKED 1 "18 December 2005" .SH NAME fiked \- a fake IKE PSK+XAUTH daemon based on vpnc .SH SYNOPSIS .na .B fiked [\fB-rdqhV\fP] \fB-g\fP \fIgateway\fP \fB-k\fP \fIid\fP\fB:\fP\fIsecret\fP [\fB-u\fP \fIuser\fP] [\fB-l\fP \fIfile\fP] [\fB-L\fP \fIfile\fP] .br .ad .SH DESCRIPTION .LP \fIFiked\fP impersonates a VPN \fIgateway\fP's IKE responder in order to capture XAUTH login credentials in insecure PSK+XAUTH setups, such as commonly found in Cisco based VPN sites. .LP \fIFiked\fP supports IKEv1 in aggressive mode, using pre-shared keys and XAUTH. Supported algorithms are DES, 3DES, AES-128, AES-192, AES-256; MD5, SHA1; and DH groups 1, 2 and 5. IKE main mode is not supported. .LP To actually implement an attack against a VPN site, you have to intercept the IKE traffic to the VPN \fIgateway\fP and redirect it to \fIfiked\fP. Your options include hostap or ARP poisoning, and usually will require some (eg.) .BR pf (4) redirection magic, depending on the situation. .LP Opening a socket on 500/udp requires root privileges on most systems. .SH OPTIONS .TP .B \-d Detach from TTY and run as a daemon. .TP .B \-g Impersonate \fIgateway\fP. This IP address is used in the responder ID payload, and as a source address if \fB-r\fP is used. .TP .B \-h Display help and exit. .TP .B \-k Use \fIsecret\fP with key/group id \fIid\fP as pre-shared key in phase 1 authentication. This option may be used multiple times, each time specifying a different \fIid\fP, \fIsecret\fP pair. \fIFiked\fP will use the key id specified by a client to choose a matching \fIsecret\fP, or the first one if none matches. .br Note that specifying \fIsecret\fP's on the command line exposes them to other users on the system. .TP .B \-u Drop privileges after opening sockets and files by setting the user ID to \fIuser\fP given by id or name. This may reduce the impact of security vulnerabilities in \fIfiked\fP, because the ISAKMP / IKE handling code will not be running with super user privileges. .br If \fB-u\fP is not given, \fIfiked\fP will drop privileges only if the real user ID is different from the effective user ID (ie. when called set-user-ID root). .TP .B \-l Append captured XAUTH user credentials to \fIfile\fP using a grep friendly format, including the \fIsecret\fP, group id, and \fIgateway\fP address. .TP .B \-L Append verbous logging to \fIfile\fP instead of just standard output. If \fB-q\fP is also given, log to \fIfile\fP only. .TP .B \-q Be quiet and do not log to standard output. .TP .B \-r Forge the source address on sent packets to match \fIgateway\fP. This uses a raw socket to send the packets. Use this option if your particular attack setup does not rewrite the packets travelling from \fIfiked\fP back to clients. .br Note that using \fI-r\fP prevents dropping privileges if \fIfiked\fP is installed set-user-ID root, since libnet requires root privileges to send packets through a raw socket. .br This option is not available if \fIfiked\fP was built without libnet support. .TP .B \-V Display version information and exit. .SH EXAMPLES .LP To impersonate \fIgateway\fP 10.0.0.1 using \fIsecret\fPs for group \fIid\fPs group1 and group2, writing results to \fIfile\fP account.log: .RS .nf \fBfiked -g 10.0.0.1 -k group1:g3h31m -k group2:s3kr3t -l account.log\fP .fi .RE .LP The same with only one key, and running as a daemon logging to \fIfile\fP fiked.log: .RS .nf \fBfiked -g 10.0.0.1 -k group1:g3h31m -l account.log -d -L fiked.log\fP .fi .RE .SH "SEE ALSO" arpspoof(8), ath(4), wi(4), pf(4), iptables(8), vpnc(8) .SH AUTHORS \fIFiked\fP was written by Daniel Roethlisberger , based in part on \fIvpnc\fP by Maurice Massar, Geoffrey Keating and contributors. .SH BUGS IKE protocol compliance is just good enough to attack Cisco VPN clients and clones like vpnc, but nowhere near complete, secure, or error free. .LP Main mode is not supported. .LP Only a single \fIgateway\fP address can be specified. .LP \fISecret\fPs can only be specified as command line arguments, which potentially exposes them to other users on the system, especially on systems which do not have setproctitle(3), such as Linux.