A Python3 Script for Auditing IKE VPN Servers
- Detects IKEv2 VPN servers
- Detects IKEv1 VPN servers + Aggressive Mode
- Detects supported transforms (ENC, HASH, AUTH, GROUP)
- Saves results as JSON, XML and HTML report
- Risk rates findings with summary and recommendations
- Support for fingerprinting via vendor ID (VID)
- Support for fingerprinting via backoff pattern (optional)
Caution
This script requires the ike-scan binary and must be run as root.
usage: ikess [-h] [--fullalgs] [--fingerprint] [--enc ENC] [--hash HASH] [--auth AUTH] [--group GROUP] [--onlycustom] targets [targets ...]
ikess - IKE Security Scanner (Sequential Mode)
Scans targets with ike-scan, detects IKEv1/IKEv2, tests transforms,
and generates XML/JSON/HTML reports.
Scan flow per host:
1) IKEv1 discovery
2) IKEv2 discovery
3) Aggressive Mode tests (if IKEv1)
4) Transform tests:
- default: curated common+legacy combos
- --fullalgs: brute-force all ENC/HASH/AUTH/DH combos
5) Optional backoff fingerprinting (--fingerprint)
Transform format: ENC[/bits],HASH,AUTH,GROUP
Example: '7/256,5,1,14' = AES256 / SHA256 / PSK / MODP2048.
positional arguments:
targets One or more IPv4 addresses or CIDR ranges to scan. Examples: 192.0.2.10 192.0.2.0/28
All usable hosts in a CIDR are enumerated.
options:
-h, --help show this help message and exit
--fullalgs Try every ENC/HASH/AUTH/DH combination (full cartesian set).
You can still limit via --enc/--hash/--auth/--group. Very noisy. (default: False)
--fingerprint Enable backoff fingerprinting (ike-scan --showbackoff). If no fingerprint is obtained from a
generic probe, ikess retries using the first accepted transform to improve accuracy. (default: False)
--enc ENC Comma separated encryption list to try or restrict. Accepts numeric codes or aliases.
Examples: --enc AES256,3DES or --enc 7/256,5 (default: None)
--hash HASH Comma separated hash list. Accepts numeric codes or aliases.
Examples: --hash SHA1,SHA256 or --hash 2,5 (default: None)
--auth AUTH Comma separated IKE authentication methods. Accepts numeric codes or aliases.
Examples: --auth PSK,RSA or --auth 1,3 or --auth HYBRID (default: None)
--group, --dh GROUP Comma separated DH groups. Accepts numeric codes or aliases. '--dh' is an alias.
Examples: --group G14,G16 or --dh MODP2048,MODP4096 or --group 14,16 (default: None)
--onlycustom Scan only the transforms built from your custom --enc/--hash/--auth/--group lists. Without this
flag, custom items are merged into the curated or expanded set. (default: False)
Aliases you can use for --enc, --hash, --auth, --group:
ENC: DES=1, 3DES=5, AES=7/128, AES128=7/128, AES192=7/192, AES256=7/256
HASH: MD5=1, SHA1=2, SHA-1=2, SHA 1=2, SHA256=5, SHA-256=5, SHA 256=5
AUTH: PSK=1, RSA=3, RSA_SIG=3, RSA-SIG=3, RSA SIG=3, HYBRID=64221, HYBRID_RSA=64221
DH: G1=1, G2=2, G5=5, G14=14, G15=15, G16=16
MODP768=1, MODP1024=2, MODP1536=5, MODP2048=14, MODP3072=15, MODP4096=16
Examples:
sudo ./ikess.py 10.0.0.1
sudo ./ikess.py 10.0.0.0/24 --fullalgs --fingerprint
sudo ./ikess.py 10.0.0.1 --enc DES,3DES --onlycustom
sudo ./ikess.py 10.0.0.1 --enc AES128,3DES,1,7/256 --hash SHA1,SHA256,1 --auth PSK,RSA --group G2,G14,16
sudo ./ikess.py 203.0.113.5 --enc AES256 --hash SHA256 --auth PSK --group MODP2048 --onlycustom
You can also run via Docker:
docker run --rm -v ./results:/app/results ghcr.io/l4rm4nd/ikess:latest <IP>
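The transform format and alias tables above are easy to get wrong by hand, so here is an added Python example (not ikess' own code) that resolves the README's aliases into ike-scan numeric codes, expands them into ENC[/bits],HASH,AUTH,GROUP transform strings the way --fullalgs does, renders a transform like the README's '7/256,5,1,14' example, and attaches an illustrative risk level. The rating thresholds (DES, MD5 and DH groups of 1024 bits or less as HIGH; 3DES, SHA1 and MODP1536 as MEDIUM) are an assumption of this example, not the scheme ikess itself uses.

```python
# Added example for this README (not ikess' own code): alias resolution, transform
# expansion, report rendering and an illustrative risk rating for IKE transforms.
# The thresholds in rate_transform() are an assumption of this example.
import itertools
from typing import Dict, List, Tuple

# Alias tables transcribed from the README (keys are upper-cased for lookup).
ENC: Dict[str, str] = {"DES": "1", "3DES": "5", "AES": "7/128", "AES128": "7/128",
                       "AES192": "7/192", "AES256": "7/256"}
HASH: Dict[str, str] = {"MD5": "1", "SHA1": "2", "SHA-1": "2", "SHA 1": "2",
                        "SHA256": "5", "SHA-256": "5", "SHA 256": "5"}
AUTH: Dict[str, str] = {"PSK": "1", "RSA": "3", "RSA_SIG": "3", "RSA-SIG": "3",
                        "RSA SIG": "3", "HYBRID": "64221", "HYBRID_RSA": "64221"}
GROUP: Dict[str, str] = {"G1": "1", "G2": "2", "G5": "5", "G14": "14", "G15": "15",
                         "G16": "16", "MODP768": "1", "MODP1024": "2", "MODP1536": "5",
                         "MODP2048": "14", "MODP3072": "15", "MODP4096": "16"}

# Canonical names used when rendering a transform for a report.
ENC_NAME = {"1": "DES", "5": "3DES", "7/128": "AES128", "7/192": "AES192", "7/256": "AES256"}
HASH_NAME = {"1": "MD5", "2": "SHA1", "5": "SHA256"}
AUTH_NAME = {"1": "PSK", "3": "RSA_SIG", "64221": "HYBRID_RSA"}
GROUP_NAME = {"1": "MODP768", "2": "MODP1024", "5": "MODP1536", "14": "MODP2048",
              "15": "MODP3072", "16": "MODP4096"}


def resolve(items: str, table: Dict[str, str]) -> List[str]:
    """Turn a comma separated CLI value (e.g. 'AES128,3DES,1,7/256') into a
    de-duplicated list of numeric codes. Aliases are matched case-insensitively;
    bare numeric codes (optionally with /bits) pass through unchanged."""
    codes: List[str] = []
    for raw in items.split(","):
        tok = raw.strip()
        if not tok:
            continue
        if tok.upper() in table:
            code = table[tok.upper()]
        elif tok.replace("/", "", 1).isdigit():
            code = tok
        else:
            raise ValueError(f"unknown alias or code: {tok!r}")
        if code not in codes:
            codes.append(code)
    return codes


def build_transforms(enc: List[str], hsh: List[str], auth: List[str],
                     group: List[str]) -> List[str]:
    """Cartesian product of the four lists, formatted as ENC[/bits],HASH,AUTH,GROUP."""
    return [",".join(combo) for combo in itertools.product(enc, hsh, auth, group)]


def describe(transform: str) -> str:
    """Render '7/256,5,1,14' as 'AES256 / SHA256 / PSK / MODP2048'.
    Unknown codes are shown as the raw number so nothing is silently dropped."""
    enc, hsh, auth, group = transform.split(",")
    return " / ".join([ENC_NAME.get(enc, enc), HASH_NAME.get(hsh, hsh),
                       AUTH_NAME.get(auth, auth), GROUP_NAME.get(group, group)])


def rate_transform(transform: str) -> Tuple[str, List[str]]:
    """Illustrative risk rating (assumed thresholds): HIGH if the transform uses DES,
    MD5 or a DH group of 1024 bits or less; MEDIUM if it only relies on legacy but
    not broken choices (3DES, SHA1, MODP1536); otherwise LOW."""
    enc, hsh, _auth, group = transform.split(",")
    enc_id = enc.split("/")[0]
    high: List[str] = []
    medium: List[str] = []
    if enc_id == "1":
        high.append("DES (56-bit key)")
    elif enc_id == "5":
        medium.append("3DES (legacy 64-bit block cipher)")
    if hsh == "1":
        high.append("MD5 integrity")
    elif hsh == "2":
        medium.append("SHA1 integrity")
    if group in ("1", "2"):
        high.append(f"{GROUP_NAME[group]} (<=1024-bit DH)")
    elif group == "5":
        medium.append("MODP1536 DH (below 2048-bit)")
    if high:
        return "HIGH", high + medium
    if medium:
        return "MEDIUM", medium
    return "LOW", []


if __name__ == "__main__":
    # Constructed input mirroring one of the README usage examples.
    enc = resolve("AES128,3DES,1,7/256", ENC)
    hsh = resolve("SHA1,SHA256,1", HASH)
    auth = resolve("PSK,RSA", AUTH)
    group = resolve("G2,G14,16", GROUP)
    for t in build_transforms(enc, hsh, auth, group):
        level, reasons = rate_transform(t)
        print(f"{t:<14} {describe(t):<34} {level:<6} {'; '.join(reasons)}")
```

Running the block prints the 72 transforms that the fourth usage example above would generate, each with its rendered name and rating, which makes it easy to see why --fullalgs is described as very noisy and why --onlycustom with a single modern transform is the quieter choice for a targeted check.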