
fiked

FakeIKEd (fiked) is a fake IKE daemon that impersonates Cisco VPN gateways to capture XAUTH login credentials in a semi-MitM attack against insecure PSK+XAUTH IPsec setups. It supports just enough of the IKE standards and Cisco extensions for this purpose.

Description

Fiked is designed as a Cisco VPN attack tool targeting commonly insecure PSK+XAUTH based IPsec authentication setups. It acts as a fake IKE responder, impersonating the VPN gateway to trick clients into revealing their XAUTH credentials. This enables credential capture without performing a full MitM attack, as it does not currently handle the client side.

Use cases include penetration testing of Cisco VPN deployments vulnerable to IKE responder impersonation. It is particularly effective against setups using pre-shared keys (PSK) combined with XAUTH, which are widespread but often insecure when not properly configured. The tool requires specifying the target gateway address and PSK details to successfully spoof the responder.

Based on the vpnc codebase, fiked provides a lightweight daemon for these attacks, with options for logging credentials and running detached. It is installed via standard Kali package management and depends on common libraries like libgcrypt20 and libnet9.

How It Works

Fiked operates as a fake IKE daemon using raw sockets to forge IP source addresses matching the impersonated VPN gateway. It implements minimal IKE protocol support, including Cisco extensions, sufficient to respond to client initiations in PSK+XAUTH authentication flows. Upon receiving IKE requests, it impersonates the gateway, completes the handshake to solicit XAUTH username/password credentials, and logs them without forwarding traffic to the real gateway, achieving a semi-MitM credential theft.
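As an added illustration from the defender's side (not part of the Kali page or of fiked itself): a small Python monitor that parses the ISAKMP header of UDP/500 datagrams and flags the traffic pattern described above, namely an IKEv1 response reaching a client from a host that is not a known gateway (what a fake responder leaves behind when it is not forging its source address with -r), plus aggressive-mode Phase 1 starts and XAUTH/Mode-Config transactions, so an operator can check that the responder really is the gateway. The sample packets, addresses and cookies are constructed; the exchange-type numbers follow RFC 2408 and the ISAKMP Mode-Config draft.

```python
import struct
from dataclasses import dataclass

# ISAKMP exchange types (RFC 2408 sec. 3.1); 6 is the Mode-Config "Transaction"
# exchange that carries XAUTH attributes. Taken from the RFCs, not from the page.
AGGRESSIVE, TRANSACTION = 4, 6
# Fixed 28-byte header: icookie, rcookie, next payload, version, exchange, flags, msg id, length
HDR = struct.Struct("!8s8sBBBBII")


@dataclass
class Isakmp:
    icookie: bytes
    rcookie: bytes
    major: int
    exchange: int
    msg_id: int


def parse_isakmp(data: bytes) -> Isakmp:
    """Parse the fixed ISAKMP header from a UDP/500 payload."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, _np, ver, exch, _flags, msg_id, _length = HDR.unpack_from(data)
    return Isakmp(ic, rc, ver >> 4, exch, msg_id)


def build_isakmp(icookie: bytes, rcookie: bytes, exchange: int, msg_id: int = 0) -> bytes:
    """Constructed header-only sample datagram (IKEv1, no payloads) for offline testing."""
    return HDR.pack(icookie, rcookie, 0, 0x10, exchange, 0, msg_id, HDR.size)


def review_ike(packets, trusted_gateways):
    """Return alert strings for IKEv1 traffic consistent with a spoofed PSK+XAUTH responder.

    packets: iterable of (src_ip, dst_ip, udp_payload) seen on UDP/500.
    """
    alerts = []
    for src, dst, data in packets:
        h = parse_isakmp(data)
        if h.major != 1:
            continue  # PSK+XAUTH is an IKEv1 pattern; IKEv2 is out of scope here
        sess = h.icookie.hex()
        # The responder cookie is only set once some responder has answered; a reply
        # that is neither from nor to a known gateway means an unknown host is acting
        # as the gateway for this client.
        if h.rcookie != bytes(8) and src not in trusted_gateways and dst not in trusted_gateways:
            alerts.append(f"{sess}: IKE response from untrusted responder {src}")
        if h.exchange == AGGRESSIVE and h.rcookie == bytes(8):
            alerts.append(f"{sess}: aggressive-mode Phase 1 from {src} (group-PSK client profile)")
        if h.exchange == TRANSACTION:
            alerts.append(f"{sess}: XAUTH/Mode-Config transaction {src}->{dst}; confirm {src} is the real gateway")
    return alerts


def sample_capture():
    """Constructed three-packet capture: client start, rogue reply, XAUTH exchange."""
    ic, rc = b"\x01" * 8, b"\x02" * 8
    return [("10.1.1.5", "192.168.1.1", build_isakmp(ic, bytes(8), AGGRESSIVE)),
            ("10.1.1.99", "10.1.1.5", build_isakmp(ic, rc, AGGRESSIVE)),
            ("192.168.1.1", "10.1.1.5", build_isakmp(ic, rc, TRANSACTION, 0xABCD))]
```

Running `review_ike(sample_capture(), {"192.168.1.1"})` yields three alerts: the aggressive-mode start, the reply from the untrusted host 10.1.1.99, and the XAUTH transaction to verify.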

Installation

```bash
sudo apt install fiked
```

Flags

```text
-r        use raw socket: forge IP src addr to match <gateway> (disables -u)
-d        detach from tty and run as a daemon (implies -q)
-q        be quiet, don't write anything to stdout
-h        print help and exit
-V        print version and exit
-g gw     VPN gateway address to impersonate
-k i:k    pre-shared key aka. group password, shared secret, prefixed with its group/key id (first -k sets default)
-u user   drop privileges to unprivileged user account
-l file   append results to credential log file
-L file   verbose logging to file instead of stdout
```

Examples

```bash
# Display usage information and available options
fiked --help

# Impersonate VPN gateway at 192.168.1.1 using PSK group 1 with key 'secretkey' (first -k sets default)
fiked -g 192.168.1.1 -k 1:secretkey

# Impersonate gateway with multiple PSK groups and append captured credentials to creds.txt
fiked -g 10.0.0.1 -k 1:group1 -k 2:group2 -l creds.txt

# Use raw socket to forge IP source address matching gateway (disables -u)
fiked -r -g 192.168.1.1 -k 1:secret

# Detach and daemonize (-q implied), verbose logging to file
fiked -d -g 10.0.0.1 -k 1:key -L debug.log

# Run quietly without stdout output, impersonating gateway with default PSK
fiked -q -g 172.16.0.1 -k default:psk

# Drop privileges to user 'nobody' after startup
fiked -u nobody -g 192.168.1.1 -k 1:secret
```

Updated 2026-04-16 (kali.org)