ike-scan 1.8

@royhills royhills released this 24 Nov 18:54
  • Added many new vendor ID and UDP backoff patterns. There are now a total of 29 backoff patterns, and 135 vendor ID patterns.

  • Several bugs fixed in both psk-crack and ike-scan. Notable fixes include:

    • Numeric arguments are now checked for validity
    • Perform 64-bit time calculations correctly
    • Correct psk-crack handling of multiple PSK records
    • Fixed bug which caused hostnames containing hyphens to fail with an error.
    • Name lookup errors are now non-fatal.
  • Added support for more flexible transform specification, which allows an arbitrary number of transform attributes to be specified in any order.

    This new method is specified by using an alternative syntax for the --trans option: --trans=(attr=value, ...). The old syntax of --trans=a,b,c,d is still available. Note that the brackets are special to some shells, and may need to be quoted.

  • Made the specification of the lifetime and lifesize transform attributes with the --lifetime and --lifesize options more flexible. Now, the argument to these options can take three different forms:

    • The string "none" - Do not add any lifetime or lifesize attribute.
    • A decimal integer, e.g. 86400 - Add a 4-byte value.
    • A hex number, e.g. 0xff - Add a variable length value. The hex notation allows arbitrary length lifetime and lifesize attributes to be added.
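
    The following Python is an added example, not code from the ike-scan project: it turns a bracketed --trans specification of the form above into the ISAKMP Data Attribute wire format (RFC 2408 section 3.3) and decodes it again. The attribute type numbers it uses are the RFC 2409 Appendix A Phase-1 attributes (1 = encryption, 2 = hash, 3 = auth method, 4 = group, 11 = life type, 12 = life duration, 14 = key length). Only the Life Duration attribute (12) is given the three-form treatment described for --lifetime/--lifesize ("none", decimal as a 4-byte value, 0x hex as a value of whatever length is given); every other attribute is emitted as a 2-byte basic value. That split, and the parser's whitespace handling, are this example's own choices, not a description of ike-scan's internals.

```python
"""Added example, not code from the ike-scan project: encode a bracketed
--trans specification into the ISAKMP Data Attribute wire format (RFC 2408
section 3.3) and decode it again.  Attribute numbers follow RFC 2409
Appendix A.  Only Life Duration (12) gets the --lifetime/--lifesize rules
(none / decimal -> 4 bytes / 0x hex -> as many bytes as given); all other
attributes are sent as 2-byte basic values.  That split is this example's
simplification, not a statement about how ike-scan itself does it."""
import struct

LIFE_DURATION = 12
AF_BIT = 0x8000   # RFC 2408: AF=1 means the 2-byte field *is* the value (TV form)


def parse_trans_spec(spec: str) -> list[tuple[int, str]]:
    """'(1=7, 14=128, 12=86400)' -> [(1, '7'), (14, '128'), (12, '86400')]."""
    s = spec.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("expected bracketed spec: (attr=value, ...)")
    pairs = []
    for item in s[1:-1].split(","):
        item = item.strip()
        if not item:
            continue
        attr, sep, value = item.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"bad attribute item: {item!r}")
        pairs.append((int(attr.strip()), value.strip()))
    return pairs


def _to_int(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def encode_attribute(attr: int, value: str) -> bytes:
    """One Data Attribute; returns b'' when a lifetime of 'none' is requested."""
    if not 0 < attr < AF_BIT:
        raise ValueError("attribute type must fit in 15 bits")
    if attr == LIFE_DURATION:
        if value.lower() == "none":
            return b""
        if value.lower().startswith("0x"):              # hex: variable-length value
            digits = value[2:]
            data = bytes.fromhex(digits if len(digits) % 2 == 0 else "0" + digits)
        else:                                            # decimal: fixed 4-byte value
            data = struct.pack("!I", int(value, 10))
        return struct.pack("!HH", attr, len(data)) + data  # AF=0: type, length, value
    v = _to_int(value)
    if not 0 <= v <= 0xFFFF:
        raise ValueError("basic attribute value must fit in 16 bits")
    return struct.pack("!HH", AF_BIT | attr, v)            # AF=1: type, value


def encode_transform(spec: str) -> bytes:
    """Attributes go on the wire in the order given, which is the point of the new syntax."""
    return b"".join(encode_attribute(a, v) for a, v in parse_trans_spec(spec))


def decode_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a run of Data Attributes, honouring the AF bit, and reject truncation."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        head, tail = struct.unpack_from("!HH", data, pos)
        pos += 4
        if head & AF_BIT:                                 # TV: 'tail' is the value
            out.append((head & 0x7FFF, struct.pack("!H", tail)))
        else:                                             # TLV: 'tail' is a length
            if pos + tail > len(data):
                raise ValueError("truncated TLV attribute")
            out.append((head, data[pos:pos + tail]))
            pos += tail
    if pos != len(data):
        raise ValueError("trailing bytes after last attribute")
    return out


if __name__ == "__main__":
    wire = encode_transform("(1=7, 14=128, 2=2, 3=3, 4=2, 11=1, 12=86400)")
    print(wire.hex())
    print(decode_attributes(wire))
```

    Because a decimal lifetime always becomes a 4-byte TLV while a hex lifetime is emitted byte-for-byte, the decoder has to trust the length field; the truncation check is what keeps a short or malformed attribute run from being read past the end of the buffer.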
  • Changed default packet-rate calculation from interval to bandwidth. The default outgoing bandwidth is 56000 bits per second, and can be changed with the --bandwidth option. It is still possible to specify an inter-packet interval instead with the --interval option.

  • Display the version, flags and msgid from the ISAKMP header if they don't contain the expected value.

  • Decode and display CERTIFICATE, DELETE and NOTIFICATION payloads if they are received.

  • Display the responder cookie from the ISAKMP header unless quiet is in effect.

  • Display the SPI if its size is non-zero. Normally, the SPI size is zero during Phase-1, but I've observed some implementations to use a non-zero length, which is permitted by RFC 2408.
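
  The following Python is an added example, not code from the ike-scan project: it decodes the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) of a received packet, returns the responder cookie, and lists the header fields that a Phase-1 reply would not normally carry (a version other than 0x10, non-zero flags, a non-zero message ID), which is the information the two bullets above say ike-scan 1.8 now prints. The length-versus-received-bytes check is an extra the example adds on its own; the two packets at the bottom are constructed for the example.

```python
"""Added example, not code from the ike-scan project: decode the fixed 28-byte
ISAKMP header (RFC 2408 section 3.1) and report the fields that do not match
what a Phase-1 response should carry (version 0x10, flags 0, msgid 0).
The sample packets are constructed here, not captured."""
import struct

# Initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, length (RFC 2408 section 3.1, all network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXPECTED_VERSION = 0x10                       # major 1, minor 0
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}   # RFC 2408 section 3.1


def parse_isakmp_header(pkt: bytes) -> dict:
    """Return the header fields; raises rather than reading past a short packet."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than the ISAKMP header")
    icky, rcky, npay, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt)
    return {
        "icookie": icky.hex(), "rcookie": rcky.hex(), "next_payload": npay,
        "version": ver, "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "flags": flags, "msgid": msgid, "length": length, "actual_len": len(pkt),
    }


def header_anomalies(hdr: dict) -> list[str]:
    """Fields worth displaying because they differ from a normal Phase-1 reply."""
    notes = []
    if hdr["version"] != EXPECTED_VERSION:
        notes.append(f"version=0x{hdr['version']:02x}")
    if hdr["flags"] != 0:
        notes.append(f"flags=0x{hdr['flags']:02x}")
    if hdr["msgid"] != 0:
        notes.append(f"msgid=0x{hdr['msgid']:08x}")
    if hdr["length"] != hdr["actual_len"]:    # extra check added by this example
        notes.append(f"length={hdr['length']} but received {hdr['actual_len']} bytes")
    return notes


def build_header(rcookie: bytes, version: int = 0x10, flags: int = 0,
                 msgid: int = 0, body: bytes = b"") -> bytes:
    """Construct a sample packet (only used to feed the parser in this example)."""
    icookie = bytes.fromhex("0123456789abcdef")          # constructed value
    total = ISAKMP_HDR.size + len(body)
    # next payload 1 = SA, exchange 2 = Identity Protection (Main Mode)
    return ISAKMP_HDR.pack(icookie, rcookie, 1, version, 2, flags, msgid, total) + body


# Constructed samples: one well-formed Phase-1 reply header, one with odd fields.
NORMAL = build_header(bytes.fromhex("fedcba9876543210"))
ODD = build_header(bytes.fromhex("fedcba9876543210"), version=0x20, flags=0x01, msgid=1)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("odd", ODD)):
        hdr = parse_isakmp_header(pkt)
        print(name, "rcookie", hdr["rcookie"], hdr["exchange"], header_anomalies(hdr) or "ok")
```

  Only the header is decoded here; the SPI mentioned above lives in the proposal payload that follows it, whose size field must likewise be checked against the remaining bytes before anything is displayed.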

  • Added new options to allow more control of the outgoing packet. Note that some of these options can make the outgoing packet non-RFC-compliant:

    • --spisize Adds a random SPI of the specified length to the proposal payload
    • --cookie Sets the initiator cookie to the specified static value
    • --hdrflags Sets the flags field in the ISAKMP header
    • --hdrmsgid Sets the MsgID field in the ISAKMP header
    • --exchange Sets the exchange field in the ISAKMP header to the specified value
    • --noncelen (-c) Allows the length of the nonce data to be specified
    • --bandwidth (-B) Specifies the desired outgoing bandwidth usage
    • --certreq (-C) Adds a CertificateRequest payload to the outgoing packet
    • --headerlen (-L) Allows the ISAKMP header length to be manually specified
    • --mbz (-Z) Allows the reserved fields that "must be zero" to be set to a specified non-zero value
    • --headerver (-E) Allows the header version in the ISAKMP header to be changed from the default of 0x10 (v1.0)
    • --protocol (-j) Allows the proposal protocol to be changed from the default
    • --transid (-k) Allows the transform id to be changed from the default
    • --doi (-D) Allows the DOI in the SA to be changed from the default
    • --situation (-S) Allows the Situation in the SA to be changed from the default
  • The full help output is now only displayed if it is specifically requested by running ike-scan with the --help (-h) option. Usage errors now result in a smaller help output. This avoids outputting a multi-screen usage message just because of a typo on the command line.

  • Drop root privilege after binding the local port if we are running SUID. This improves security somewhat.

  • Make POSIX regular expression support mandatory. Previously, it was optional, but I'm not aware of any supported systems that lack it, and we are using it in more and more places.

  • Improved mapping of ID numbers to names in decode. This allows sparse ID ranges (e.g. 1,2,3,65000) to be supported, which means that we can now decode the XAUTH authentication method, amongst other things.

  • Added SO_BROADCAST option to UDP socket to allow sending to broadcast addresses. Previously this gave a permission denied error, even for root.

  • Added OpenSSL exception to the copyright notice, which permits linking of the program against OpenSSL. This is to allow the use of OpenSSL in this GPL v2 licensed program.