Free ike software for linux

Fiked is a fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack.
Basically, knowing the pre-shared key, also known as shared secret or group password, the VPN gateway can be impersonated in IKE phase 1, in order to learn XAUTH user credentials in phase 2.
The configuration supported by fiked is IKE aggressive mode using pre-shared keys and XAUTH. FakeIKEd supports algorithms like DES, 3DES, AES128, AES192, AES256, MD5, SHA1, and DH groups 1, 2, and 5. Main mode is not supported.
Basically, if you know the pre-shared key, also known as shared secret or group password, you can play Man in the Middle, impersonate the VPN gateway in IKE phase 1, and learn XAUTH user credentials in phase 2.
This attack is not new. It has been known for a long time that IKE using PSK with XAUTH is insecure, and this is not the first actual implementation of the attack.
To successfully demostrate an attack on a VPN site, you need to know the shared secret, and you must be able to intercept the IKE traffic between the clients and the VPN gateway.
There are several ways to find out the shared secret, including being a legitimate user, grabbing it from some Cisco config file, using ike-crack, or layer 8 hackery.
There are also several ways to redirect the IKE traffic to your running fiked instance, including ARP spoofing, 802.11 hostap, or layer 1 hackery.
Usage:
Usage: fiked [-rdqhV] -g gateway -k id:psk [-k ...] [-l file] [-L file]
-r use raw socket: forge source address to match < gateway >
-d detach from tty and run as a daemon (implies -q)
-q be quiet, dont write anything to stdout
-h print help and exit
-V print version and exit
-g gw VPN gateway address to impersonate
-k i:k pre-shared key aka. group password, shared secret, prefixed
with its group/key id (first -k sets default)
-l file append results to credential log file
-L file verbous logging to file instead of stdout
Enhancements:
- Bugfixes, portability changes, and support for dropping privileges.

ETrace is a configurable static port network tracing tool, similar to traceroute, but supporting ICMP, TCP, UDP and other IP protocols.

Usage:

etrace [ -BbCcnv ] [ -p profile ] [ -F config ] [ -i interface ] [ -I icmp-type ] [ -T port ] [ -U port ] [ -P protocol ] [ -r probe-count ] [ -t timeout ] [ -1 hop ] [ -h hop ] [ -m hop ] [ -A address ] [ -s port ] [ -f flags ] [ -d data ] [ -D data-file ] [ -R count ] [ -q seq] [ -w window ] target [...]

Options:

etrace has a wealth of options ranging in function from controlling output to the detailed construction of trace packets.

Profile Options:

A profile is a pre-configured list of options stored in a shared, or user specific configuration file. By defining profiles, complex etrace option sets can be easily accessed with a single command line option.

-p, --profile
Specify a profile.
-C, --clear
Clear the current list of probes. This option can be used to allow a profile to inherit options from another profile, but specify its own list of probes.
-F, --config
Specify an alternative profiles file.

Interface options

-i, --interface
Specify interface. If unspecified, etrace will examine the routing table and select the most appropriate interface for each target address.
-c, --promisc
Put in interface into promiscuous mode. As this option increases the load on the system in general, it should only be used if spoofing of source packets address is enabled with the "-A" option.
Trace Type Options
-I, --icmp
Specify an ICMP trace and the packet type to use. ICMP traces may use Echo (E or P), Timestamp (T or S), Netmask (N or M) or Info (I). The default trace probe is an ICMP Echo.
-h, --hop
Specify a specific hop to investigate.
-m, --maximum
Specify the maximum number of hops.
-r, --probes
Set the maximum number of probes to send per hop. The default is 3.
-t, --timeout
Set the maximum amount of time, in milli-seconds, to wait for a response to a probe. The default is 3000 (three seconds).

Packet Construction Options

-A, --address
Specify the source IP address of generated packets.
-s, --source
Set the source port of the generated probe packets. If unspecified, etrace uses a random high port.
-f, --flags
Specify TCP and/or IP flags. Takes a comma delimitered list of any of the following flags: RF, DF, MF, FIN, SYN, RST, PSH, ACK, URG, ECE, CWR (Default: SYN)
-d, --data
Specify the data content of generated probe packets. Standard meta-characters are recognised (e.g. "nt") as are binary values given in octal (e.g. " 00x00");
-D, --data-file
Load the data content of the generated probe packets from the specified file. Filenames beginning with @ a loaded from the etrace shared data directory (usually /usr/local/share/etrace). etrace currently ships with the following predfined packet data files: dns, ike.
-R, --random
Fill the data content of the generated probe packets with the specified number of random bytes.
-b, --badcksum
Generate and send probe packets with bad checksums.
-q, --seq
Specify the TCP sequence number.
-w, --window
Specify the TCP window size.

Output Options

-v, --verbose
Increase output verbosity.
-B, --debug
Enable debugging output.
-n, --numeric
Disable name resolution.

Examples:

etrace www.sample.com

Launches a trace ICMP Echo, the default, trace to www.sample.com. Specifiying the options "-I E" whould accomplish the same results.

etrace -T 80 www.sample.com

Similar to the previous example, except the trace is performed on TCP port 80.

etrace --udp 53 --data-file @dns ns.sample.com

Starts are trace to ns.sample.com on UDP port 53 with the trace packets containing data loaded from the file /usr/local/share/etrace/dns (a file supplied with etrace that contains a simple dns request to resolve 127.0.0.1).

etrace -p dns -p fast ns.sample.com

The default profiles shipped with etrace include "dns" (which equates to the options shown in the previous example) and "fast" (which decreases both timeouts and the number of probes sent for each hop, as well as disabling name resolution). Profiles are stackable, with latter options overriding those specified in earlier profiles.

Openswan is an implementation of IPsec for the Linux operating system.
It provides IPSEC (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing daemon), as well as various rc scripts and documentation.
It is known to interoperate with other IPSEC and IKE systems already deployed by other vendors such as OpenBSD, Cisco, and CheckPoint. It features Opportunistic Encryption, subnet extrusion, X.509 certificates, NAT Traversal support, XAUTH, and DNSSEC support.
Enhancements:
- Compile fixes for 2.6.16-2.6.18-rc2, a dpdaction=restart fix, and various miscellaneous fixes for ipcomp, nat-t, and rekeys.

The Net-Policy project allows system administrators to configure and manage their entire network at once. It is initially designed to configure firewall and IPsec connections across an entire network.

Net-policy contains the following components:
net-policy:
This is the core network manager. It is a generic SNMP-based manager and is capable of managing any information configurable via SNMP. It is currently web based with a few more interfaces (Tk, CLI, ...) planned or partially implemented. Its SNMP engine is based on the OpenSNMP and Net-SNMP toolkits. It runs on top of a PostgreSQL database.

After checking out the SVN source code or downloading the tar ball for the net-policy project, run ./np-install as root to help guide you through a complete installation using our graphical installer.

Configurable optional pieces
The net-policy manager is capable of managing the following modules. The management system above is already capable of managing
np-cerberus: A IPsec implementation for linux based on the 2.4 kernel. This code is derived from NISTs IPsec reference project. We ported the code to the 2.4 kernel and added some IPtables specific pieces and re-released it here (with their permission).
np-plutoplus: A IKE implementation which runs on top of np-cerberus. This is code is derived from NISTs IKE reference project. It has been instrumented with SNMP support using the Net-SNMP toolkit.

m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software).
m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration of m0n0wall is stored in one single XML text file to keep things transparent.
m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
Main features:
- web interface (supports SSL)
- serial console interface for recovery
- set LAN IP address
- reset password
- restore factory defaults
- reboot system
- wireless support (access point with PRISM-II/2.5/3 cards, BSS/IBSS with other cards including Cisco)
- captive portal
- 802.1Q VLAN support
- stateful packet filtering
- block/pass rules
- logging
- NAT/PAT (including 1:1)
- DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
- IPsec VPN tunnels (IKE; with support for hardware crypto cards and mobile clients)
- PPTP VPN (with RADIUS server support)
- static routes
- DHCP server
- caching DNS forwarder
- DynDNS client
- SNMP agent
- traffic shaper
- SVG-based traffic grapher
- firmware upgrade through the web browser
- Wake on LAN client
- configuration backup/restore
- host/network aliases
Enhancements:
- added voucher support to captive portal (mwiget); wireless LAN improvements; allow dashes in alias names; added hidden option to disable auto-generation of PPTP rules on WAN; fixed ATA hard disk spin down feature; ipfilter TCP window scaling bug fix; synced with changes from 1.23 branch; increased mfsroot size to 14 MB (from 13 MB); updated base system to FreeBSD 6.2-RELEASE-p6; updated PHP to 4.4.7, ipsec-tools to 0.6.7, isc-dhcpd to 3.0.5, Dnsmasq to 2.39; added kernel patch for fragment bug in ipfilter; modified kernel patch to handle ipnat+dummynet in ip_input....

Pyjamas is a toolkit and library designed to enable writing AJAX applications in Python. Pyjamas is based on Googles GWT, which does the same thing for Java.
ike GWT, pyjamas involves the translation of the application and libraries (including UI widgets and DOM classes) to Javascript and the packaging up of that Javascript code.
There are two core developer tools included with pyjamas. pyjs translates Python code to Javascript by walking the Python abstract syntax tree and generating Javascript.
In many cases, built-in Python types require a custom Javascript implementation. For example, even though Python lists are similar to Javascript arrays, Python lists are converted to custom objects that implement methods like append. These custom objects required for translation by pyjs are defined in a library called pyjslib.
Like GWT, pyjamas comes with a set of UI widgets as well as a library for DOM manipulation. These libraries are written in Python but are, like everything else, translated to Javascript for deployment.
The overall translation of individual components is managed by build which also creates the necessary boilerplate code. The result is a set of .html and .js files that can be served up by a Web server.
There are other components planned which have not been covered here such as server-side code for communication in client-server applications.
Enhancements:
- All the GWT examples have been ported and work in Firefox.