Despite its strength, IPsec is often misconfigured. Attackers don't usually try to 'break' AES; they attack the key exchange process (IKE) to steal the shared secret or force the server into a weaker state.
As we learned in the IKE module, Aggressive Mode is a disaster. In a standard Main Mode handshake, the identities are encrypted. In Aggressive Mode, the server sends the hashed PSK (the 'authentication hash') in the clear to the client. An attacker can simply capture this packet and take it offline.
💡 This is exactly how many 'IoT' VPNs are compromised. They ship with Aggressive Mode enabled by default and a weak, guessable PSK.
Once the hash is captured, the attacker uses a tool like Hashcat. Since the hash is just `Hash(PSK + Nonce + ID)`, the attacker can guess millions of passwords per second until they find the one that produces that exact hash.
| Step | Action | Tool Used |
|---|---|---|
| Discovery | Identify IKE Aggressive Mode | ike-scan |
| Capture | Sniff the hashed PSK from the air | tcpdump / Wireshark |
| Cracking | Offline Brute-force / Dictionary | Hashcat / John the Ripper |
| Access | Connect as a valid VPN peer | VPN Client |
In a Downgrade Attack, the adversary interferes with the IKE negotiation. If the server is configured to support both `AES-256` and `DES` (for legacy reasons), the attacker can modify the initiator's proposal (the 'ClientHello' of the exchange) to make it look like the client *only* supports `DES`. If the server accepts, the tunnel is established using a cipher that can be cracked in minutes.
⚠️ This is why 'Proposal' lists in `ipsec.conf` should be strict. Never list `3DES` or `SHA1` as acceptable options.
```
# VULNERABLE: Allowing legacy ciphers
ike=aes256-sha256-modp2048, 3des-sha1-modp1024!
# SECURE: Only high-strength ciphers
ike=aes256-sha256-modp2048!
```

The most dangerous vulnerability is a 'leaked config file'. If an attacker finds your `ipsec.secrets` file, they have the keys to your entire internal network.
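
The Aggressive Mode warning and the strict-proposal rule above can be checked mechanically. The following Python check is an added example, not part of the original lesson: it scans strongSwan-style `ipsec.conf` text for `aggressive=yes`, for `ike=`/`esp=` lists without the trailing `!`, and for weak algorithm tokens. The function name, the sample config and the inclusion of MD5 and the small MODP groups in the weak set are assumptions of this example.

```python
import re

# Weak tokens: the page names DES, 3DES and SHA1; MD5 and the small
# MODP groups are added by this example as an assumption.
WEAK = {"des", "3des", "sha1", "md5", "modp768", "modp1024"}


def audit_ipsec_conf(text):
    """Return (line_no, conn, issue, detail) tuples for risky settings."""
    findings, conn = [], "(none)"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.match(r"conn\s+(\S+)$", line)
        if header:                                   # start of a conn section
            conn = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if key == "aggressive" and value.lower() == "yes":
            findings.append((no, conn, "aggressive", value))
        elif key in ("ike", "esp"):
            if not value.endswith("!"):              # list is not strict
                findings.append((no, conn, "not-strict", value))
            for proposal in value.rstrip("!").split(","):
                bad = sorted(set(proposal.strip().lower().split("-")) & WEAK)
                if bad:
                    findings.append((no, conn, "weak", ",".join(bad)))
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE = """\
conn legacy-branch
    keyexchange=ikev1
    aggressive=yes
    ike=aes256-sha256-modp2048, 3des-sha1-modp1024!

conn hq
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
"""

if __name__ == "__main__":
    for no, conn, issue, detail in audit_ipsec_conf(SAMPLE):
        print(f"line {no} conn {conn}: {issue} ({detail})")
```

Tokens are compared whole, so `sha256` is not mistaken for `sha1`.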