#!/usr/bin/env pythonimport osimport sysimport subprocessclass bcolors

1. #!/usr/bin/env python
2. import os
3. import sys
4. import subprocess
5.  
6. class bcolors:
7.  
8. HEADER = '\033[95m'
9. OKBLUE = '\033[94m'
10. OKGREEN = '\033[92m'
11. WARNING = '\033[93m'
12. FAIL = '\033[91m'
13. ENDC = '\033[0m'
14. BOLD = '\033[1m'
15. UNDERLINE = '\033[4m'
16.  
17.  
18. def help():
19.  
20. print " _ _ _ "
21. print " | | (_) | "
22. print " __ _ _ _| |_ ___ _| | _____ "
23. print " / _` | | | | __/ _ \| | |/ / _ \ "
24. print " | (_| | |_| | || (_) | | < __/ "
25. print " \__,_|\__,_|\__\___/|_|_|\_\___| "
26. print bcolors.OKGREEN + "[*] ike aggressive mode scan by kblaedel@deloitte.dk " + bcolors.ENDC
27. print ""
28. print bcolors.WARNING + "Usage: ./ike.py <company> <IP>" + bcolors.ENDC
29.  
30. # Create folder(s) if they don't exist.
31. def ensure_dir(path):
32. try:
33. os.makedirs(path)
34. except OSError as e:
35. pass
36.  
37. # Log findings in file
38. def log_positives(path, results):
39. with open("{}.txt".format(path), 'w') as fid:
40. for result in results:
41. fid.write(result + "\n")
42. print "\n" + bcolors.OKBLUE + "[*] Results stored in {}".format(path) + bcolors.ENDC
43. fid.close()
44.  
45. def find_aggressives(company, ip):
46. # Encryption algorithms: DES, Tripe-DES, AES/128, AES/192 and AES/256
47. encryptions = [1, 5, "7/128", "7/192", "7/256"]
48.  
49. #Hash algorithms: MD5 and SHA-1
50. hashes = [1, 2]
51.  
52. #Authentication methods: Pre-Shared Key, RSA Signatures, Hybrid Mode and XAUTH
53. auths = [1, 3, 64221, 65001]
54.  
55. #Diffie-Hellman groups: 1, 2 and 5
56. groups = [1, 2, 5]
57.  
58. transformations = []
59. aggressive_modes = []
60.  
61. for enc in encryptions:
62. for hash in hashes:
63. for auth in auths:
64. for group in groups:
65. transformations.append("--trans={},{},{},{}".format(enc,hash,auth,group))
66.  
67. for trans in transformations:
68. # XXX: this crashes if retcode is non-zero, so surrounded with try-catch
69. # yours, mfaerevaag
70. try:
71. res = subprocess.check_output(["timeout", "2", "ike-scan", "{}".format(trans), "-A", "--id={}".format(sys.argv[1]), "{}".format(sys.argv[2])])
72. if "Aggressive Mode Handshake returned" in res:
73. print "[*] Cisco aggressive mode found with {}".format(trans)
74. aggressive_modes.append(res)
75. except subprocess.CalledProcessError as e:
76. print "[!] ike-scan returned non-zero exit code {}".format(e.returncode)
77.  
78. res = subprocess.check_output(["timeout", "5", "ike-scan", "-M", "-A", "-y", "1", "{}".format(sys.argv[2])])
79. if "Aggressive Mode Handshake returned" in res:
80. print "[*] Sonic Wall aggressive mode found!"
81. aggressive_modes.append(res)
82.  
83. log_positives("{}/vpn_aggressive_{}".format(sys.argv[1], sys.argv[2]), aggressive_modes)
84.  
85. if len(sys.argv) != 3:
86. help()
87.  
88. else:
89. ensure_dir(sys.argv[1])
90. find_aggressives(sys.argv[1], sys.argv[2])