ikedecrypt - Decrypt IKEv1 packets in libpcap formatted trace.
ikedecrypt [-e <encalg>] [-d <hashalg>] [-p <ikeport>] <in_trace> <keyfile> <out_trace>
Decrypt IKE packets in libpcap format trace <in_trace> using key information from <keyfile> and write them to <out_trace>.
-e : specify isakmp sa encryption algorithm (case insensitive, default 3DES) -d : specify isakmp sa hash algorithm (case insensitive, default SHA1) -p : specify UDP port number isakmp uses (default 500)
Supported encryption algorithms are DES, 3DES, AES128, AES192 and AES256.
Supported hash algorithms are MD5 and SHA1.
This script is ikedecrypt version 0.1.4.
This script decrypts IKE packets and DOES NOT decrypt ESP packets.
To decrypt ESP packets, use espdecrypt.
I recommend Ethereal to analyze decrypted traces.
Initiator cookie(CKY-I), responder cookie(CKY-R), SKEYID_e and material for first IV needs to be provided by keyfile in XML format.
Keyfile can contain these information about multiple different ISAKMP SAs and this is in the case, this script performs decryption of all packets through these SAs.
Additionally, each SA information can contain encryption algorithm and hash algorithm.
Following is an example of keyfile. In this example, only <FirstIV>, <iCookie>, <rCookie>, <EncAlg>, <HashAlg> and <SKeyId_e> tags are read and the other tags are ignored.
<SA> <FirstIV>8b72763ceab5c57e</FirstIV> <iCookie>ce157af88aa31018</iCookie> <rCookie>c830f246566c6240</rCookie> <EncAlg>3DES</EncAlg> <HashAlg>SHA1<HashAlg> <SKeyId>f1bdd138d4c1f56c4db9e122795db771c2f76bf6</SKeyId> <SKeyId_d>b53838392b96bc98384a8686013b05f320011751</SKeyId_d> <SKeyId_a>17056d0ef340eca270baa13e9be90043e19ebd7b</SKeyId_a> <SKeyId_e>8ae0ed9287b384f7cdb8fea88f000d01410179c9</SKeyId_e> <SKeyId_f>a441f79e44d485564381ad0f3aa5fdecf494f37d2aa0c7f4</SKeyId_f> </SA> <SA> <FirstIV>be834522b66a3e54</FirstIV> <iCookie>5149f93363b5a3f3</iCookie> <rCookie>660d7f19052f5504</rCookie> <SKeyId>2edcf5c290f71caf0325a88adeb7fe2569eef967</SKeyId> <SKeyId_d>2fd72561a8619d98b7992b9732e68f0784e5285b</SKeyId_d> <SKeyId_a>b59da45fa7f6a30dc92846adae33ae7e5997928d</SKeyId_a> <SKeyId_e>e8e9343160230a8b9ddd318ec159a63e3755f524</SKeyId_e> <SKeyId_f>1cd4968662dee62027a87008fbd77732d0d516ebd4dd2e89</SKeyId_f> </SA>
Algorithms actually used in decryption processes for each SA are decided in the following order of priority.
This script requires Net::Pcap, Getopt::Std, Carp, Digest::MD5, Digest::SHA1, Digest::HMAC_MD5, Digest::HMAC_SHA1 and Crypt::CBC.
And depend on encryption algorithm you want to use, Crypt::DES(ESP_DES), Crypt::DES_EDE3(ESP_3DES) and Crypt::Rijndael(ESP_AES) are also required.
I don't know exact Perl version which this script requires. Version of my Perl is 5.8.3.
This script decrypts only ISAKMP packets which have Eth->(IPv4|IPv6)->UDP->ISAMKP structure. Anyway, you can easily modify it to suppport other protocol headers.
Net::Pcap(3), Digest::MD5(3), Digest::SHA1(3), Digest::HMAC_MD5(3), Digest::HMAC_SHA1(3), Crypt::CBC(3), Crypt::DES(3), Crypt::DES_EDE3(3), Crypt::Rijndael(3)
Naoyoshi Ueda http://ikedecrypt.sourceforge.net
Cppuright (c) 2005 Naoyoshi Ueda <nueda@users.sourceforge.net>. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of ``GNU General Public License''.