
#!/bin/sh
# $Id: check-decode 9882 2007-01-13 17:15:39Z rsh $
#
# check-decode -- Shell script to test ike-scan packet decoding
#
# Author: Roy Hills
# Date: 02 January 2007
#
# This script checks that ike-scan decodes and displays IKE packets correctly
# It uses the undocumented ike-scan option --readpktfromfile to read the
# packet from a file rather than from the network.
#
# The packet data files contain example responses from various VPN servers.
# In each case the initiator cookie is set to "deadbeefdeadbeef", so we
# specify this to ike-scan to ensure that the packet will be matched and
# displayed.
#
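# srcdir is exported by "make check"; defaulting it to "." lets the script be
# run by hand from the source directory without changing the make behaviour.
: "${srcdir:=.}"
#
# Temporary files for the actual and the expected output of each check.
# They are created with mktemp(1) so that their names are unpredictable: the
# previous fixed "/tmp/<name>.$$.tmp" scheme could be pre-created or
# symlinked by another local user (CWE-377).  Both files are removed by the
# EXIT trap below on every exit path, so no per-check cleanup is needed.
#
IKESCANOUTPUT=$(mktemp "${TMPDIR:-/tmp}/ike-scan-output.XXXXXX") || exit 1
EXAMPLEOUTPUT=$(mktemp "${TMPDIR:-/tmp}/example-output.XXXXXX") || {
  rm -f "$IKESCANOUTPUT"
  exit 1
}
trap 'rm -f "$IKESCANOUTPUT" "$EXAMPLEOUTPUT"' EXIT
#
# fail -- Report a failed check and stop the test run.
#
# Prints "FAILED" on stdout (the token the test harness looks for) and exits
# with status 1; the EXIT trap removes the temporary files.
#
fail() {
  echo "FAILED"
  exit 1
}
#
# check_decode DESCRIPTION SAMPLE [IKE-SCAN OPTIONS...]
#
# Run ike-scan on the packet file SAMPLE with the given options and compare
# its output with the expected output supplied on standard input (a here
# document at each call site).  The "Starting ike-scan" and "Ending ike-scan"
# banner lines are dropped before the comparison because they differ from
# run to run.  Prints "ok" on success; calls fail (which exits the script)
# if ike-scan returns non-zero or its output differs from the expectation.
#
check_decode() {
  desc=$1
  sample=$2
  shift 2
  echo "Checking ike-scan $desc using $sample ..."
  cat >"$EXAMPLEOUTPUT"
  # ike-scan's own exit status is checked here, before the grep pipeline:
  # "$?" after a pipeline is the status of the last grep only, so a missing
  # or crashing ike-scan used to go unnoticed as long as the greps succeeded.
  "$srcdir/ike-scan" "$@" --readpktfromfile="$sample" 127.0.0.1 >"$IKESCANOUTPUT" || fail
  # cmp reads the filtered output from stdin ("-"), which avoids a third
  # temporary file; the status of the pipeline is that of cmp.
  grep -v '^Starting ike-scan ' "$IKESCANOUTPUT" | grep -v '^Ending ike-scan ' |
    cmp -s - "$EXAMPLEOUTPUT" || fail
  echo "ok"
}
#
# Main Mode response from CheckPoint Firewall-1 NGX R60
SAMPLE01="$srcdir/pkt-main-mode-response.dat"
# Aggressive Mode response from Netscreen ScreenOS 5.4.0
SAMPLE02="$srcdir/pkt-aggr-mode-response.dat"
# Notify response from CheckPoint Firewall-1 NGX R60
SAMPLE03="$srcdir/pkt-notify-response.dat"
# IKEv2 SA_INIT response from strongSwan 4.0.5
SAMPLE04="$srcdir/pkt-v2-sainit-response.dat"
# IKEv2 notify response from strongSwan 4.0.5
SAMPLE05="$srcdir/pkt-v2-notify-response.dat"
# Aggressive Mode response with certificate from Borderware 3.8
SAMPLE06="$srcdir/pkt-aggr-cert-response.dat"
# Main Mode response with NAT-T from CheckPoint NGX
SAMPLE07="$srcdir/pkt-main-natt-response.dat"
# Checkpoint 9101 notify response from fw-1 4.0
SAMPLE08="$srcdir/pkt-checkpoint-notify.dat"
#
# The expected outputs below are quoted here documents ('_EOF_'), so their
# contents are taken literally and no shell expansion can alter them.
#
check_decode "main mode decode" "$SAMPLE01" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Main Mode Handshake returned
HDR=(CKY-R=636fa075dcf8ba90)
SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459becd70000000018000000 (Firewall-1 NGX)
_EOF_
#
# --randomseed fixes ike-scan's random number generator so that the
# initiator-side values in the "IKE PSK parameters" line are reproducible.
check_decode "aggressive mode decode" "$SAMPLE02" \
  -s 0 -r 1 -N -A -M --randomseed=1234 -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef --pskcrack <<'_EOF_'
127.0.0.1 (0.0.0.0) Aggressive Mode Handshake returned
HDR=(CKY-R=61a878367079dd35)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4865617274426561745f4e6f74696679386b0100 (Heartbeat Notify)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=62.3.105.251)
Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
9a1f1fce36808165e6b253df5845567aebe67bcbcfed3f3347ca6349926bbc9f9bdc2ce1a3297ae7ffaf0fe86b4ae05ae63e2bf084b7f78c19d154560067b9a1492259a203df7d3d286dc093e1ea64f0683fb7bc1bbdd98fd34cd6568a9547573a9933f0d44aab7b21499d5995797cf183392a3dac51cb320fa56c0c57cff1bd:745db39c98420dc9f9d777c58f7eacc7b1da54dc17a1c845e92490269a5cc6461e20d232ab7e47cd9e84aed0ec9e48f57c1fa8281a1f3de07635bb1dbae9995b78e84d0370374180dc1da17c456df7ae506dbd54c9a373b67fc979cdf6c0c85efe092719af8daa8f3296550ef00eca80fb5652714c5486032539ab0522f7d7c5:61a878367079dd35:deadbeefdeadbeef:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:011101f43e0369fb:2f6b0731d3e2667f2685429f35dc5dd1ccec0e70:8ffc97aebdf3ea384341f12392043badce30c230:950d8c8ea94a4af3d0b078372e81608890485b54
_EOF_
#
check_decode "notify message decode" "$SAMPLE03" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Notify message 14 (NO-PROPOSAL-CHOSEN)
HDR=(CKY-R=0000000000000000, msgid=41a8534e)
_EOF_
#
check_decode "IKEv2 SA_INIT decode" "$SAMPLE04" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) IKEv2 SA_INIT Handshake returned
HDR=(CKY-R=224bb31e5cd6a0db, IKEv2)
SA=(Encr=AES_CBC,KeyLength=128 Integ=HMAC_SHA1_96 Prf=HMAC_SHA1 DH_Group=14:modp2048)
KeyExchange(132 bytes)
Nonce(16 bytes)
_EOF_
#
check_decode "IKEv2 notify decode" "$SAMPLE05" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Notify message 14 (NO_PROPOSAL_CHOSEN)
HDR=(CKY-R=16d65a5a981a7c48, IKEv2)
_EOF_
#
check_decode "certificate decode" "$SAMPLE06" \
  -s 0 -r 1 -N -A -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Aggressive Mode Handshake returned
HDR=(CKY-R=94403c1b3fcacf94)
SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=172.16.3.27)
Certificate(Type=X.509 Certificate - Signature, Length=1376 bytes)
Signature(256 bytes)
_EOF_
#
check_decode "NAT-T decode" "$SAMPLE07" \
  --nat-t -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Main Mode Handshake returned
HDR=(CKY-R=f92704e8a4245b38)
SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459d15d80000000018000000 (Firewall-1 NGX)
_EOF_
#
# The "\000" in the expected Message text is literal (a quoted here
# document does no backslash processing), as it was in the original.
check_decode "CheckPoint Notify decode" "$SAMPLE08" \
  -s 0 -r 1 -N -M -I "$srcdir/ike-vendor-ids" --cookie=deadbeefdeadbeef <<'_EOF_'
127.0.0.1 (0.0.0.0) Notify message 9101 (Firewall-1) Message="User testing unknown.\000"
HDR=(CKY-R=0000000000000000)
_EOF_
#
# All checks passed; the EXIT trap removes the temporary files.
exit 0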