$Id: NEWS,v 1.10 2004/12/21 16:22:34 rsh Exp $
This file gives a brief overview of the major changes between each ike-scan
release. For more details please read the ChangeLog file.
* Improved "make check" tests, so they now check more areas including Pre-
Shared Key cracking, HMAC and Hash speeds, and HMAC and Hash test vectors.
* Added --nodns (-N) option to prevent DNS lookups. With this option,
target hosts are not processed with gethostbyname(), which can avoid
delays when the system running ike-scan does not have functioning DNS.
* Added additional authentication methods and hash algorithms to the output
decoding functions in isakmp.c
* Added new psk-crack program to perform offline aggressive mode pre-shared
key cracking using the output from ike-scan with the --pskcrack option.
This psk-crack program supports both dictionary and brute-force cracking
modes against MD5 and SHA1-based HMAC hashes.
* Added ability to output aggressive mode pre-shared key (PSK) parameters
for later offline cracking with the --pskcrack (-P) option. This option
outputs the pre-shared key parameters as colon-separated hex-encoded values
in the following format:
These parameter details can be used by the psk-crack program (which is
supplied as part of the ike-scan package) to attempt to crack the pre-
* Added support for IKE over TCP with the --tcp (-T) option. Two TCP
variants are supported:
--tcp=1 (-T1) specifies raw IKE over TCP as used by Checkpoint; and
--tcp=2 (-T2) specifies encapsulated IKE over TCP as used by Cisco.
Note that you can only scan one host at a time when using IKE over TCP.
When using TCP, you can modify the connect() timeout with the
--tcptimeout (-O) option. Default timeout is 10 seconds.
* Added experimental timing error smoothing code, which is based on the TCP RTT
smoothing algorithm in RFC 793. This is disabled by default; to enable it,
#define ALPHA in ike-scan.h
* Allow the ID (Identity) payload that is specified with the --id option to
be specified as either a string e.g. --id=test or a hex value with a leading
0x e.g. --id=0xdeadbeef. Note that you will probably need to change previous
ID payload strings because of this change, as previously they were always
interpreted as hex.
* Added support for OpenSSL MD5 and SHA1 hash functions. These are generally
faster than the hash functions supplied with ike-scan, which is of benefit
when performing pre-shared key cracking.
To compile with OpenSSL, use the --with-openssl option to configure. With
this option, configure will search for the OpenSSL libraries in several
* Added --random (-R) option to randomise the host list before scanning.
This causes the hosts to be scanned in a random order, which may be less
obvious than the default sequential scanning. The Knuth shuffle algorithm
is used to randomise the list.
* Changed host entry from a linked-list to a dynamic array which decreases the
memory required from 56 bytes per target host to 45 bytes.
* Added several new Vendor ID patterns.
* Added several new UDP backoff patterns.
* ike-scan will now display multiple Vendor ID payloads if the server sends
more than one. Previously, it would only display the first Vendor ID and
ignore the others.
* Added support for ISAKMP lifetime size transform attribute with the
--lifesize (-z) option. This is specified as kilobytes. The default is
0 which means don't include the lifetime size attribute.
* Added support for GSS IDs with --gssid (-G) option. GSS IDs are described in
draft-ietf-ipsec-isakmp-gss-auth-07.txt. This is used by Windows-2000
IPsec for Kerberos authentication.
* Allow target hosts to be specified as IPnet/bits to include all hosts in
the given network, or IPstart-IPend to include all hosts in the inclusive
range as well as single hostnames or IP addresses.
* Added support for Vendor ID fingerprinting. The file "ike-vendor-ids"
contains a list of known Vendor ID patterns, specified as Posix extended
regular expressions. These are used to match against the ascii hex
representation of any returned Vendor IDs, and the name of the entry is
displayed if a match is found.
* SA transform attributes and ID payloads are now decoded, and basic details
(name and size) are displayed for payload types that we don't decode yet.
Added --quiet option to prevent this decoding if it's not required.
Added --multiline option to split the decode over multiple lines - one line
per payload. With --multiline, each payload decode line starts with a TAB.
* Fixed a bug which could cause a negative value to be passed to select()
when collecting backoff fingerprints. This would result in select()
* Aggressive mode is now supported. The --aggressive (-A) option specifies
* The --trans option can be specified multiple times to generate an arbitary
number of custom transforms in the ISAKMP SA Proposal.
* The --vendor option can be specified multiple times to generate an arbitary
number of Vendor ID payloads.
* UDP engine improvements: Dynamically adjust select() timeout, removing the
need for a --selectwait argument; keep track of cumulative timing error, and
use this to adjust the timing to compensate; calculate timings in
microseconds rather than milliseconds to improve accuracy; and some minor
* Two additions to permit Vendor ID fingerprinting.
1. Allow the specification of an arbitary Vendor ID payload using the
2. Display any Vendor ID payload returned by the target host.
ike-scan v1.3: (Unofficial release)
* Added support for per-pattern-entry fuzz values in the backoff patterns
file which allows more complex backoff patterns to be matched.
* Added new backoff patterns for "watchguard-soho" and "sonicwall-pro".
* Fixed format string vulnerability in syslog() call.
* ike-scan now builds and runs on HP Tru64 Unix.
* Added new backoff patterns for Cisco Concentrator and isakmpd.
* ike-scan now builds and runs on Windows/Cygwin, old libc5 Linux systems, and
Solaris 2.8 / SPARC.
* Windows command-line binary released.
ike-scan v1.0: (Initial release)
* Compiles and runs on Debian Linux 2.2 "potato" and 3.0 "woody", FreeBSD 4.3,
and OpenBSD 3.1.