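#!/bin/sh
# $Id: check-decode 9882 2007-01-13 17:15:39Z rsh $
#
# check-decode -- Shell script to test ike-scan packet decoding
#
# Author: Roy Hills
# Date: 02 January 2007
#
# This script checks that ike-scan decodes and displays IKE packets correctly
# It uses the undocumented ike-scan option --readpktfromfile to read the
# packet from a file rather than from the network.
#
# The packet data files contain example responses from various VPN servers.
# In each case the initiator cookie is set to "deadbeefdeadbeef", so we
# specify this to ike-scan to ensure that the packet will be matched and
# displayed.
#
# Usage: srcdir=<ike-scan source dir> ./check-decode
#   srcdir must name the directory holding ike-scan, ike-vendor-ids and the
#   pkt-*.dat sample files; it defaults to the current directory.
#   Prints "ok" for each sample, or "FAILED" and exits 1 at the first error
#   or mismatch.
#
# NOTE(review): the expected-output here-documents below assume the
# ike-scan -M (multiline) layout -- "<ip><TAB>(<src>) <summary>" followed by
# one TAB-indented line per payload -- confirm against a live run before
# editing them.
#
: "${srcdir:=.}"

# Temporary files.  mktemp produces unpredictable names, so another local
# user cannot pre-create or symlink the path (a fixed /tmp/<name>.$$ pattern
# can be guessed from the PID), and the traps below remove both files on
# every exit path, including an interrupted run.
IKESCANOUTPUT=$(mktemp "${TMPDIR:-/tmp}/ike-scan-output.XXXXXX") || {
  echo "FAILED"
  exit 1
}
EXAMPLEOUTPUT=$(mktemp "${TMPDIR:-/tmp}/example-output.XXXXXX") || {
  rm -f "$IKESCANOUTPUT"
  echo "FAILED"
  exit 1
}

# cleanup -- remove the temporary files; safe to run more than once.
cleanup() {
  rm -f "$IKESCANOUTPUT" "$EXAMPLEOUTPUT"
}
trap cleanup EXIT
trap 'cleanup; exit 1' HUP INT TERM

# Main Mode response from CheckPoint Firewall-1 NGX R60
SAMPLE01="$srcdir/pkt-main-mode-response.dat"
# Aggressive Mode response from Netscreen ScreenOS 5.4.0
SAMPLE02="$srcdir/pkt-aggr-mode-response.dat"
# Notify response from CheckPoint Firewall-1 NGX R60
SAMPLE03="$srcdir/pkt-notify-response.dat"
# IKEv2 SA_INIT response from strongSwan 4.0.5
SAMPLE04="$srcdir/pkt-v2-sainit-response.dat"
# IKEv2 notify response from strongSwan 4.0.5
SAMPLE05="$srcdir/pkt-v2-notify-response.dat"
# Aggressive Mode response with certificate from Borderware 3.8
SAMPLE06="$srcdir/pkt-aggr-cert-response.dat"
# Main Mode response with NAT-T from CheckPoint NGX
SAMPLE07="$srcdir/pkt-main-natt-response.dat"
# Checkpoint 9101 notify response from fw-1 4.0
SAMPLE08="$srcdir/pkt-checkpoint-notify.dat"

# fail -- report a failed check and exit non-zero (the EXIT trap cleans up).
fail() {
  echo "FAILED"
  exit 1
}

# run_check DESCRIPTION SAMPLE IKE-SCAN-OPTION...
#   Decodes SAMPLE with ike-scan using the given options and compares the
#   output, minus the "Starting"/"Ending" banner lines, with the expected
#   output read from standard input (a here-document at the call site).
#   Prints "ok" on a match; calls fail on any error or mismatch.
run_check() {
  description=$1
  sample=$2
  shift 2
  echo "Checking ike-scan $description decode using $sample ..."
  cat >"$EXAMPLEOUTPUT" || fail
  # The status tested here is that of the final grep (non-zero when nothing
  # survived the filters); an ike-scan error therefore surfaces as empty
  # output here, or as a mismatch at the cmp step, not as its own status.
  "$srcdir/ike-scan" "$@" --readpktfromfile="$sample" 127.0.0.1 \
    | grep -v '^Starting ike-scan ' \
    | grep -v '^Ending ike-scan ' >"$IKESCANOUTPUT" 2>&1 || fail
  cmp -s "$IKESCANOUTPUT" "$EXAMPLEOUTPUT" || fail
  echo "ok"
}

# The here-document delimiters are quoted so the expected text is taken
# literally (e.g. the "\000" in the CheckPoint notify message).
#
run_check "main mode" "$SAMPLE01" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Main Mode Handshake returned
	HDR=(CKY-R=636fa075dcf8ba90)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459becd70000000018000000 (Firewall-1 NGX)
_EOF_
#
run_check "aggressive mode" "$SAMPLE02" \
  -s 0 -r 1 -N -A -M --randomseed=1234 -I "$srcdir/ike-vendor-ids" \
  --cookie=deadbeefdeadbeef --pskcrack <<'_EOF_'
127.0.0.1	(0.0.0.0) Aggressive Mode Handshake returned
	HDR=(CKY-R=61a878367079dd35)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
	KeyExchange(128 bytes)
	Nonce(20 bytes)
	ID(Type=ID_IPV4_ADDR, Value=62.3.105.251)
	Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
9a1f1fce36808165e6b253df5845567aebe67bcbcfed3f3347ca6349926bbc9f9bdc2ce1a3297ae7ffaf0fe86b4ae05ae63e2bf084b7f78c19d154560067b9a1492259a203df7d3d286dc093e1ea64f0683fb7bc1bbdd98fd34cd6568a9547573a9933f0d44aab7b21499d5995797cf183392a3dac51cb320fa56c0c57cff1bd:745db39c98420dc9f9d777c58f7eacc7b1da54dc17a1c845e92490269a5cc6461e20d232ab7e47cd9e84aed0ec9e48f57c1fa8281a1f3de07635bb1dbae9995b78e84d0370374180dc1da17c456df7ae506dbd54c9a373b67fc979cdf6c0c85efe092719af8daa8f3296550ef00eca80fb5652714c5486032539ab0522f7d7c5:61a878367079dd35:deadbeefdeadbeef:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:011101f43e0369fb:2f6b0731d3e2667f2685429f35dc5dd1ccec0e70:8ffc97aebdf3ea384341f12392043badce30c230:950d8c8ea94a4af3d0b078372e81608890485b54
_EOF_
#
run_check "notify message" "$SAMPLE03" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Notify message 14 (NO-PROPOSAL-CHOSEN)
	HDR=(CKY-R=0000000000000000, msgid=41a8534e)
_EOF_
#
run_check "IKEv2 SA_INIT" "$SAMPLE04" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) IKEv2 SA_INIT Handshake returned
	HDR=(CKY-R=224bb31e5cd6a0db, IKEv2)
	SA=(Encr=AES_CBC,KeyLength=128 Integ=HMAC_SHA1_96 Prf=HMAC_SHA1 DH_Group=14:modp2048)
	KeyExchange(132 bytes)
	Nonce(16 bytes)
_EOF_
#
run_check "IKEv2 notify" "$SAMPLE05" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Notify message 14 (NO_PROPOSAL_CHOSEN)
	HDR=(CKY-R=16d65a5a981a7c48, IKEv2)
_EOF_
#
run_check "certificate" "$SAMPLE06" \
  -s 0 -r 1 -N -A -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Aggressive Mode Handshake returned
	HDR=(CKY-R=94403c1b3fcacf94)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	KeyExchange(128 bytes)
	Nonce(20 bytes)
	ID(Type=ID_IPV4_ADDR, Value=172.16.3.27)
	Certificate(Type=X.509 Certificate - Signature, Length=1376 bytes)
	Signature(256 bytes)
_EOF_
#
run_check "NAT-T" "$SAMPLE07" \
  --nat-t -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Main Mode Handshake returned
	HDR=(CKY-R=f92704e8a4245b38)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459d15d80000000018000000 (Firewall-1 NGX)
_EOF_
#
run_check "CheckPoint Notify" "$SAMPLE08" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1	(0.0.0.0) Notify message 9101 (Firewall-1) Message="User testing unknown.\000"
	HDR=(CKY-R=0000000000000000)
_EOF_

exit 0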