2020-07-05 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Remove unused variables "idfile" and "idstrings", and
the associated options -F and --idfile. These were never used, and
were causing warnings with GCC 10.2
* ike-scan.c: Add "break" statement after call to usage() in options
switch statement. This isn't required as usage() never returns,
but it's harmless and prevents a "this statement may fall through"
compiler warning with GCC 8.3.0.
* utils.c: Use labs() rather than abs() when computing time
difference as time_t is normally "long" and using abs() generates
a compiler warning with GCC 10.2
2020-07-05 Roy Hills <Roy.Hills@nta-monitor.com>
* README.md, ike-backoff-patterns, ike-scan.1, ike-vendor-ids: Update
wiki references to use new URL http://www.royhills.co.uk/wiki/
2014-05-23 Richard Moore <rich@...>
* ika-scan.c, ike-scan.c: Added option to bind to a specific interface.
2014-03-21 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added fclose call to fix the potential file pointer
resource leak in print_psk_crack_values().
2013-12-01 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac, .gitignore: Added configure option --enable-gcov to
enable gcov code coverage.
2013-11-12 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Disallow the use of both --aggressive and --ikev2 options.
This fixes debian bug #512962.
2013-11-10 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Updated attribute maps with new values and updated
RFC references.
* TODO: Removed items that have been addressed or are no longer
required.
2013-10-27 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, ike-scan.h, isakmp.c: Use payload type 43 instead of
13 for vendor ID payloads with ikev2. This implementation requires
that the --ikev2 or -2 option be specified before the --vendor or -e
option to work correctly.
* isakmp.c: Updated maps from RFC 5996 (new IKEv2 RFC which replaces
4306), RFC 5282, RFC 5114, and RFC 6467.
* ike-vendor-ids, check-decode: Minor change to Firewall-1 NGX vendor
id name.
2013-10-26 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Add support for sending key exchange payload for ECP
Diffie-Hellman groups 19, 20 and 21 with --dhgroup=n. The Key
Exchange payload length for these groups is as detailed in RFC 4753.
DH groups 19 and 20 tested in aggressive mode with Checkpoint VPN-1
R77.
2013-09-04 Roy Hills <Roy.Hills@nta-monitor.com>
* Added references to the github repository in README, *.c and *.h
in place of the ike-scan email address and the pattern submission
URL.
* configure.ac: Change the bug-report string in AC_INIT from the
ike-scan email address to the github URL.
2013-08-17 Roy Hills <Roy.Hills@nta-monitor.com>
* check-vendor-ids, Makefile.am: New check script to validate the
vendor ID patterns as part of "make check" from Jonathan Claudius.
2013-08-16 Roy Hills <Roy.Hills@nta-monitor.com>
* .travis.yaml: New file to enable autobuild on Travis CI.
* .gitignore: New file listing patterns to exclude from the repository.
* COPYING: New file.
* check-decode: Modified so "make check" works with new
HeartBeat_Notify VID name.
* configure.ac: Incremented version to 1.9.4 to distinguish new
version under git revision control.
* ike-vendor-ids: Merged in vendor ID additions from Jonathan Claudius.
* Removed $Id$ keywords from all files, and associated rcsid variable
from C sources.
2013-08-15 Roy Hills <Roy.Hills@nta-monitor.com>
* Final SVN revision before migration to git.
2012-12-14 Jesper Kückelhahn <(email withheld)>
* ike-vendor-ids: Added new vendor IDs from research while developing
script for nmap.
2011-09-22 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Removed most occurrences of set but unused variables as
reported by -Wunused-but-set-variable in gcc 4.6. There is one
occurrence of this error remaining, because the --idstrings
option has not been fully implemented.
2011-04-04 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: incremented version number to 1.9.3
* configure.ac: Remove version number from AM_INIT_AUTOMAKE macro,
as this usage is obsolete now.
* ike-scan.c, ike-scan.h: Modify add_host_pattern() and add_host() so
we always use the more efficient inet_aton() rather than
get_host_address() for IPnet/bits, IPnet:mask and IPstart-IPend
patterns.
* ike-scan.c: Add support for IPnet:netmask format in
add_host_pattern().
* ike-scan.c: Change all uses of sprintf() to snprintf().
2011-03-30 Roy Hills <Roy.Hills@nta-monitor.com>
* acinclude.m4: Removed #include <features.h> from GCC_FORTIFY_SOURCE
macro, as this header is not portable.
* configure.ac: Added GCC_WEXTRA macro if we are compiling with GCC
to enable extra warnings, and define ATTRIBUTE_UNUSED to the
appropriate pragma depending on whether we are using GCC or not.
* utils.c: Added ATTRIBUTE_UNUSED to sig_alarm parameter to avoid
unused parameter warning.
* ike-scan.c: Add some casts to unsigned to avoid "comparison between
signed and unsigned" warnings.
2010-12-07 Roy Hills <Roy.Hills@nta-monitor.com>
* acinclude.m4: Added GCC_WEXTRA macro to determine if the C compiler
supports the -Wextra switch to enable extra warnings.
* ike-scan.c, isakmp.c, utils.c, psk-crack.c: Addressed some of the
unsigned/signed comparisons flagged up with -Wextra.
2009-08-15 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, utils.c: Improve handling of --bandwidth and
--interval options: Allow either upper or lowercase
multiplier letters and give an error if an unknown multiplier
character is used. Previously an unknown multiplier character
or one with the wrong case was silently ignored and treated as
no multiplier at all.
* wrappers.c: Change Strtoul so it gives an error if the
underlying strtoul function finishes at an unconvertible
character other than NULL or whitespace.
* configure.ac: Added extra warnings "-Wshadow -Wwrite-strings"
for gcc.
2009-08-14 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, ike-scan.h, psk-crack.h, configure.ac, error.c: Removed
syslog functionality as this is not used and has been #ifdef'ed out
for some time.
2009-05-06 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Upgraded for autoconf 2.61
2009-03-06 Roy Hills <Roy.Hills@nta-monitor.com>
* acinclude.m4: Added macros to detect compiler support for
-fstack-protect, -D_FORTIFY_SOURCE and -Wformat-security.
* configure.ac: Conditionally enable compiler flags for
-fstack-protect, -D_FORTIFY_SOURCE and -Wformat-security using
the new acinclude.m4 autoconf macros.
* configure.ac: Incremented version to 1.9.2
2008-09-01 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Improved the description of the --trans option in
the help output.
* wrappers.c: Modified Strtoul so it only permits fully convertible
strings. This avoids the problem mentioned by ML with 1=7/128
in an advanced transform specification.
* ike-scan.c: Corrected those calls to Strtoul that assumed the old
behaviour, where a string could be terminated by any non-convertible
character.
* check-packet, pkt-custom-proposal.dat: Corrected the advanced
transform specification, and added an additional transform using
variable length attributes.
2008-03-07 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added additional XAUTH authentication methods to auth_map.
* ike-backoff-patterns: Added Cisco PIX 7.0
* ike-vendor-ids: Added Windows 2008 server
2007-06-09 Roy Hills <Roy.Hills@nta-monitor.com>
* check-error: new checking script to test response to error
conditions.
2007-04-22 Roy Hills <Roy.Hills@nta-monitor.com>
* utils.c: New function "dupstr", which is a local implementation
of the common but non-standard library function "strdup".
* ike-scan.c: Replace calls to malloc/strcpy with calls to the
new dupstr function. This makes the code tidier and also reduces
the number of calls to the potentially dangerous strcpy function.
2007-04-17 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.h: Undefined SYSLOG, as we don't use this any more, and I
doubt that anyone else needs it. The syslog functionality may be
removed in a future release.
2007-04-13 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Added checks for strlcat and strlcpy, with
replacement functions using the OpenBSD implementations if they are
not present.
* strlcat.c, strlcpy.c: New source files from the OpenBSD source at
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string
2007-03-06 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Incremented version number to 1.9.1.
* ike-vendor-ids, ike-backoff-patterns: various minor changes and
additions.
2007-01-26 Roy Hills <Roy.Hills@nta-monitor.com>
* Released v1.9 Tarball size: 1412689, Zip size: 2260655.
tarball md5sum: bed63c7d2f54c482525a735be7b5e720
Zip md5sum: 5a224a60235189ba1b8882c98e09489c
2007-01-14 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Refactored display_packet() to ensure that payload
is correctly aligned.
2007-01-13 Roy Hills <Roy.Hills@nta-monitor.com>
* check-decode: New tests for pkt-main-natt-response,
pkt-aggr-cert-response, pkt-v2-notify-response and
pkt-checkpoint-notify.
* check-packet: New test for pkt-single-trans.
* ike-scan.c: Added conditional code to write received IKE packet to
a file. This is used to create data files for use with check-decode,
and is not intended for production use.
* psk-crack.h: Include <sys/time.h> and <time.h>.
* ike-scan.c: Added O_TRUNC option to writepkttofile open() call.
2007-01-02 Roy Hills <Roy.Hills@nta-monitor.com>
* check-psk-crack-4: New checking script to improve coverage of
psk-crack.c and hash_functions.h. Test coverage for these
source files is now:
96.88% of 64 lines executed in file hash_functions.h
95.28% of 318 lines executed in file psk-crack.c
* check-packet, check-decode: Added new tests to improve coverage of
ike-scan.c and isakmp.c. Test coverage for these files is
now:
71.18% of 1957 lines executed in file ike-scan.c
69.61% of 964 lines executed in file isakmp.c
* ike-scan.c, ike-scan.h: Added new --readpktfromfile option.
This option reads the packet from the specified file rather
than from the network. It is intended for debugging and
testing purposes, to allow the IKE packet decoding to be
easily checked. This option is not documented, because it is
designed purely for testing.
2006-12-30 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added support for IKEv2 with new --ikev2
option.
* configure.ac: Incremented version to 1.8.7.
2006-12-27 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: New option --rcookie to set the responder
cookie to the specified value. Modified make_isakmp_header() to
support specification of the responder cookie.
2006-12-23 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c, psk-crack.h: Moved nortel_user into psk_entry struct
to permit cracking a mixture of Nortel and standard PSKs, although
the command line options do not currently permit this.
* psk-crack.c: Changed cracking loop order, so that the candidate
password selection (either the next word from the dictionary, or
the next brute-force string) is the outer loop, and the PSK entry
selection the inner one. This avoids having to rewind the
dictionary file, which permits the use of stdin for the
dictionary.
This also cured an as-yet unfound bug, which caused false positive
matches against the last candidate password when cracking multiple
PSK entries.
* psk-crack.c: Added support for using stdin for the dictionary file
with "--dictionary=-". This allows us to use other programs to
generate the candidate passwords, e.g:
john --incremental --stdout | psk-crack --dictionary=- psk-file
* hash_functions.h: New header file containing "inline static"
functions for MD5, SHA1, hmac_md5 and hmac_sha1.
* configure.ac: Incremented version to 1.8.6.
2006-12-21 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --nat-t option to enable RFC 3947 NAT Traversal.
This option adds the Non-ESP marker to outbound packets and
strips the marker from responses. It also changes the default
source and destination UDP ports to 4500.
2006-12-18 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added experimental support for RFC 3947 NAT-Traversal.
2006-12-17 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added CRACK (128) to auth map. This is defined in
draft-harkins-ipsra-crack-00 "IKE Challenge/Response for
Authenticated Cryptographic Keys", but I've not seen it used in
practice.
2006-11-30 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Moved all the ID/Name maps into isakmp.c as global
consts. Other source files that need to reference them do so
by declaring them as extern.
* utils.c: New functions name_or_number() and str_ccmp() which
allow a string containing either a number or a name from the
specified map to be used.
2006-11-25 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Changed --ranssrc option to --sourceip, and allow it
to take an IP address or the string "random". When --sourceip is
specified, we no longer attempt to read from the socket as reading
UDP from a raw socket doesn't work on all OSes and we are unlikely
to receive any return data if we've spoofed the source address
anyway.
* ike-vendor-ids: Update strongSwan vendor IDs based on strongSwan
4.0.5
2006-11-23 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: New function load_psk_params() to read the data from
the psk parameters file into a list of structures. This moves the
psk file reading loop out of main(), and also allows more flexible
selection of the psk cracking order as all the psks are in memory.
* psk-crack.c: New function compute_hash(), which does the real work
of computing the hash given the PSK parameters and a candidate
password. This function is defined as "static inline" because it
is called from a tight loop, and inlining significantly improves
performance.
* psk-crack.c: New function open_dict_file(), which opens the
dictionary file. This function reduces the size of main() to make
it more readable.
* configure.ac: Added AC_C_INLINE to check for compiler support for
function inlining and define "inline" accordingly in config.h.
2006-11-21 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.h: New header file for psk-crack.
This separates the psk-crack headers, defines, structures and
prototypes from ike-scan.
* ike-scan.h: Removed psk-crack specific stuff. Modified psk_crack
structure to improve storage efficiency.
2006-10-18 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Modified creation of proposal and SA payloads, so that
these payloads contain the transform and proposal payloads
respectively (previously, they only returned the header, and it
was down to the caller to add the rest). Also added add_prop()
function which allows for multiple proposals within an SA
payload (although ike-scan does not have any way to use this yet).
* ike-scan.c: Modified initialise_ike_packet() function to use
modified SA and proposal functions.
2006-10-10 Roy Hills <Roy.Hills@nta-monitor.com>
* check-psk-crack-3: New script to check Nortel Contivity PSK
cracking. Uses test data obtained from a Contivity 1600 running
software release 6.00.
* psk-crack.1: Added --username option description to psk-crack
manpage.
2006-10-01 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Show backoff patterns even if there was only a
single response. Some implementations, e.g. linksys, don't
retry at all, and this change allows these to be matched as
well. The lack of a pattern is sufficiently unusual to be a
pattern itself.
2006-09-23 Anonymous <l...e@gmail.com>
* psk-crack.c: Added code to allow cracking Nortel Contivity
pre-shared keys, which use a variation of Mamro's method. Thanks
to an anonymous benefactor.
2006-08-30 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-backoff-patterns: Added new PIX backoff pattern, with details
of the PIX versions for both patterns.
2006-08-22 Roy Hills <Roy.Hills@nta-monitor.com>
* udp.h: Removed unneeded BSD-flavour declarations and unneeded macros.
Changed types from u_int{8,16,32}_t to uint{8,16,32}_t. Added
definition of struct pseudo_hdr (moved from ike-scan.c).
Changed names of pseudo_hdr struct members to avoid problem due
to s_addr being defined as a macro on some systems (e.g. Solaris).
* ip.h: Changed types from u_int{8,16,32}_t to uint{8,16,32}_t.
Removed unneeded macros.
* utils.c: Change random_ip() so that it generates the same sequence
on both little-endian and big-endian systems.
* ike-scan.c: --randsrc option now works on Solaris 9 and FreeBSD 5.3
as well as Linux.
2006-08-14 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Changed random number implementation to use
the mersenne twister functions from mt19937ar.c rather than the
standard rand() from the C library.
This improves the quality of the random numbers, as some C library
rand() functions are quite bad. More importantly, it makes the
random number generation process repeatable across different
platforms.
However, this change also means that packets created with the new
PRNG will not be the same as packets created with the old one, even
if the same random seed value is used.
* mt19937ar.c: New file - Mersenne Twister random number generator.
* utils.c: New functions random_byte() and random_ip(), which use
the mersenne twister random number functions.
* pkt-aggressive.dat: New file - sample aggressive mode packet.
* check-packet: Added aggressive mode packet check. This is possible
now that the random number generator is repeatable across platforms.
* configure.ac: Incremented version number to 1.8.4.
2006-08-04 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, ike-scan.h: Added new --randsrc option for source IP
spoofing.
* ike-scan.c, ike-scan.h: Added new --shownum option to display the
return packet number. This is useful when looking for DoS
conditions.
2006-08-02 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added experimental support for source IP spoofing.
Currently, this only works on Linux.
* ip.h, udp.h: New header files to support IP spoofing. Copied
from the GNU C Library.
* configure.ac: incremented version number to 1.8.2
2006-07-01 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac, ike-scan.c: Removed initial lookup and configure
option --enable-lookup to control it. This is legacy code
that has never been required.
* ike-scan.h, ike-scan.c: Removed low-pass filter in timing
error correction code, and associated ALPHA macro. This had
never been used, and tests indicate that it performed worse
than the standard timing error correction code.
* psk-crack.c: Free malloc'ed data when we are finished with
each PSK to prevent a memory leak when cracking many PSKs.
Thanks to Antoine Brodin for finding and reporting this bug.
2006-06-24 Roy Hills <Roy.Hills@nta-monitor.com>
* utils.c: Changed printable() and hexstring() to make the first
arg "const unsigned char *" instead of "unsigned char *". This
change was integrated from the arp-scan source.
2006-06-06 Roy Hills <Roy.Hills@nta-monitor.com>
* Changed web URLs to correspond with the new layout of the NTA
website.
2006-05-14 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Add --timestamp option.
* isakmp.c: Improve decoding of notification payload. Tony has found
an IKE implementation which returns a notification payload after
the SA payload, and this uncovered shortcomings in the notification
processing code.
2006-05-12 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Allow --interval to be expressed in seconds by
appending "s" to the value. This is useful if you want to send
packets very slowly, as it avoids having to add lots of trailing
zeros.
* ike-scan.c: Add experimental option to display packet received
time in %H:%M:%S.%u format before the packet details.
* Moved ike-scan source code from CVS to SVN revision control.
This changes the revision numbers from 1.x, where x is a relatively
small number, to y, where y is a larger number (currently four
digits).
2006-05-05 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Delay opening the file specified by --writepkttofile
until after we've dropped SUID to avoid security issues.
2006-03-22 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --randomseed option, which allows the PRNG seed
to be specified. This enables packets with payloads containing
random data, such as Key Exchange and Nonce, to be compared with
known good examples for testing. It also allows the packet data to
be exactly repeatable, which can be useful in some situations.
2006-03-19 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Use unsigned 64-bit integer arithmetic for interval
calculation instead of double-precision floating point. This
avoids the small rounding errors that can occur with floating point.
2006-03-14 Roy Hills <Roy.Hills@nta-monitor.com>
* Moved ike-scan source code from RCS to CVS revision control.
2005-12-07 Roy Hills <Roy.Hills@nta-monitor.com>
* Released v1.8 Tarball size: 1376995, Zip size: 2090803.
tarball md5sum: 961310e6f3c07d26c90447e392dfb97e
Zip md5sum: 884e1c3eb03ea1519ab7537e095d2c0b
* configure.ac: Incremented version number to 1.8.1 in preparation
for post 1.8 changes.
2005-12-06 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Incremented version number to 1.8 in preparation
for release.
2005-12-04 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-backoff-patterns: Added backoff patterns for Netgear ProSafe
and Netgear ADSL Firewall Router. Submitted by Paul Askew.
2005-11-30 Roy Hills <Roy.Hills@nta-monitor.com>
* Removed automake boilerplate files, and ran automake --add-missing
--copy to obtain the latest versions as of automake 1.9. The updated
files were: missing, install-sh, depcomp and INSTALL. mkinstalldirs
is no longer installed by automake and is probably no longer needed.
However, I have kept the old version just in case.
2005-11-29 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.h: Changed u_int8_t, u_int16_t and u_int32_t to uint8_t,
uint16_t and uint32_t in definition of delete payload.
* configure.ac: Improved OpenSSL detection by adding support for
libcrypto.so and libcrypto.dylib as well as libcrypto.a.
2005-11-25 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, ike-scan.h, configure.ac: Added new --writepkttofile
option. This option writes the output packet to the specified file
rather than sending it to the remote host. It is intended for
debugging and testing purposes, to allow the IKE packet to be
easily checked. This option is not documented, because it is
designed purely for testing.
* check-packet: New test to check IKE scan packet data. Currently
tests two sample packets: one default proposal, and one custom
proposal.
* configure.ac: Added conditional #include <stdlib.h> to the
AC_LINK_IFELSE that checks if the OpenSSL headers and libraries
work. This is needed because the OpenSSL md5.h and sha1.h in
recent versions use size_t but don't include any header to
define it.
2005-11-24 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Support the OpenSSL libcrypto.a library in either
$ssldir/lib or in $ssldir.
* configure.ac: Added --disable-lookup option which allows the
initial DNS lookup to be disabled. This is in response to
Debian bug ID 327220. Thanks to Florian Weimer for reporting this,
and to Benoit Mortier for forwarding the bug to me.
2005-10-22 Roy Hills <Roy.Hills@nta-monitor.com>
* wrappers.c: Added new wrapper function, Strtoul(), which
calls strtoul() and checks for errors.
* ike-scan.c: Change most calls to strtoul() to use the new
wrapper function Strtoul() instead, because this checks for
errors. Previously, a non-numeric value would be converted to
zero without any error, meaning something like "--sport=xxx"
would be silently accepted. Now, such invalid inputs result in
an error.
* ike-scan.c: Modify decode_trans_simple() to detect invalid values
which could previously result in an infinite loop. Now, invalid
values cause an error.
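A checked strtoul() wrapper of the kind the 2005-10-22 entry above and the 2009-08-15 entry (fully convertible strings only, NUL or whitespace as the only permitted terminator) describe, written here as an added illustration; it is not ike-scan's wrappers.c. The enum names, the leading-minus check and parse_port() are this example's own assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Status codes returned by checked_strtoul() (names constructed for this example). */
enum strtoul_status {
    STRTOUL_OK = 0,     /* whole string converted */
    STRTOUL_EMPTY,      /* no digits at all, e.g. "" or "xxx" */
    STRTOUL_TRAILING,   /* digits followed by something other than whitespace */
    STRTOUL_NEGATIVE,   /* leading '-', which strtoul() would silently wrap */
    STRTOUL_RANGE       /* value does not fit in an unsigned long */
};

/*
 * checked_strtoul: convert all of `str` in the given base into *out.
 * A bare strtoul() call returns 0 for "xxx" and stops quietly at the '='
 * in "1=7/128"; this only succeeds when the string is fully convertible:
 * the digits may be followed by whitespace or the terminating NUL, but
 * by nothing else.
 */
enum strtoul_status checked_strtoul(const char *str, int base, unsigned long *out) {
    const char *p = str;
    char *endptr;
    unsigned long value;

    while (isspace((unsigned char)*p))      /* strtoul() skips leading blanks too */
        p++;
    if (*p == '-')                          /* extra check, not in the original */
        return STRTOUL_NEGATIVE;

    errno = 0;
    value = strtoul(p, &endptr, base);
    if (endptr == p)                        /* nothing was converted */
        return STRTOUL_EMPTY;
    if (errno == ERANGE)                    /* overflow: value clamped to ULONG_MAX */
        return STRTOUL_RANGE;
    for (; *endptr != '\0'; endptr++)       /* only whitespace may follow the number */
        if (!isspace((unsigned char)*endptr))
            return STRTOUL_TRAILING;

    *out = value;
    return STRTOUL_OK;
}

/* parse_port: accept a UDP port in the range 0-65535, else return -1.
   This is how an option such as --sport=<value> would be validated, so
   "--sport=xxx" is rejected instead of silently becoming port 0. */
int parse_port(const char *str) {
    unsigned long v;
    if (checked_strtoul(str, 10, &v) != STRTOUL_OK || v > 65535)
        return -1;
    return (int)v;
}
```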
2005-09-08 Roy Hills <Roy.Hills@nta-monitor.com>
* Upgraded automake from 1.8 to 1.9. No code changes required.
2005-09-08 Roy Hills <Roy.Hills@nta-monitor.com>
* check-hash.c, check-sizes.c, error.c, ike-scan.c, isakmp.c,
psk-crack.c, utils.c, wrappers.c, ike-scan.h, isakmp.h: Added
OpenSSL exception to the copyright notice at the beginning of
these files. This allows linking of the program against OpenSSL
and distributing linked versions. This exception is intended to
allow the use of OpenSSL in this GPL v2 application. The added
text reads:
"In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library, and distribute linked combinations including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version."
This text was taken from
http://www.gnome.org/~markmc/openssl-and-the-gpl.html
2005-08-02 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added support for advanced transform
creation using new functions add_transform() and make_transform().
These new functions take a pre-built attribute list, which has
previously been created with add_attr(), and can therefore create
transforms with arbitrary attributes.
The old add_trans() and make_trans() functions have been renamed
to add_trans_simple() and make_trans_simple() to reflect the fact
that they are simplified versions. These simple versions are now
wrappers that use the advanced functions.
Added support for advanced transform creation, which uses these new
functions. This involves an alternative syntax for the --trans
option: --trans=(attr=value, ...).
2005-08-01 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added Notification payload processing. We now
display details of an ISAKMP Notification payload if one is returned,
rather than just displaying generic payload information.
2005-07-21 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c, utils.c: Added support for variable length
lifetime and lifesize transform attributes. Now, the --lifetime
and --lifesize options can take three options:
a) "none" - Do not add any lifetime or lifesize attribute
b) decimal integer, e.g. 86400 - Add a 4-byte value
c) hex number, e.g. 0xff - Add a variable length value
This allows arbitrary length lifetime and lifesize attributes to
be added using the hex notation.
2005-07-06 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --exchange option to allow the exchange field
in the ISAKMP header to be set to arbitrary values.
* ike-scan.c: Changed default packet rate calculation from interval
to bandwidth. The default bandwidth is 56000 bits per second. It's
still possible to set the interval instead for backwards
compatibility, and for those applications where it's important to
be able to specify the exact packet rate.
2005-06-21 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added --hdrflags and --hdrmsgid options to
allow Flags and MsgID fields in the ISAKMP header to be specified.
* ike-scan.c: Added --cookie option to allow the initiator cookie in
the ISAKMP header to be set to a static value.
* isakmp.c: Added support for Checkpoint notify code 9110. This was
observed when sending a large volume of requests to a VPN-1 system,
and is believed to be related to the Client Puzzles VPN DoS avoidance
mechanism.
* isakmp.c: Display the Version, flags, or msgid from the ISAKMP
header if they don't contain the expected value.
2005-06-21 Roy Hills <Roy.Hills@nta-monitor.com>
* make-win32-zipfile.sh: New file to create the Windows binary
zipfile. Used under Cygwin. Previously, I had manually created
the zip files using "winzip", which was error-prone.
2005-06-20 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Add 64-bit cast to calculation of microsecond-resolution
time differences to ensure that the calculation is performed with
64-bit quantities. Previously, the calculation was performed
with 32-bit quantities before being assigned to a 64-bit value.
2005-06-18 Roy Hills <Roy.Hills@nta-monitor.com>
* utils.c: Modify timeval_diff() to prevent it changing its input
arguments. Previously, it was sometimes changing its second
argument, b, because of the carry calculation; now it uses a
temporary value to perform the carry on.
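The two timing fixes recorded above (the 64-bit cast of 2005-06-20 and the timeval_diff() carry on a temporary of 2005-06-18), as an added example that is not ike-scan's utils.c; timeval_diff_usec_narrow() is constructed only to show the 32-bit wrap-around that the cast prevents.

```c
#include <stdint.h>
#include <sys/time.h>

#define USEC_PER_SEC 1000000

/*
 * timeval_diff: store a - b in *diff. The borrow from the microsecond
 * field is applied to a local copy of b, so neither input is modified
 * (a version that adjusted *b in place would corrupt the caller's value).
 */
void timeval_diff(const struct timeval *a, const struct timeval *b,
                  struct timeval *diff) {
    struct timeval tmp = *b;   /* carry adjustments happen here, not in *b */

    if (a->tv_usec < tmp.tv_usec) {                   /* borrow whole seconds */
        long nsec = (tmp.tv_usec - a->tv_usec) / USEC_PER_SEC + 1;
        tmp.tv_usec -= USEC_PER_SEC * nsec;
        tmp.tv_sec += nsec;
    }
    if (a->tv_usec - tmp.tv_usec >= USEC_PER_SEC) {   /* keep tv_usec below 1 s */
        long nsec = (a->tv_usec - tmp.tv_usec) / USEC_PER_SEC;
        tmp.tv_usec += USEC_PER_SEC * nsec;
        tmp.tv_sec -= nsec;
    }
    diff->tv_sec = a->tv_sec - tmp.tv_sec;
    diff->tv_usec = a->tv_usec - tmp.tv_usec;
}

/*
 * timeval_diff_usec: a - b in microseconds as a 64-bit value. The casts
 * force the multiplication into 64-bit arithmetic; a tv_sec difference
 * above 2147 s would overflow a 32-bit product before it is widened.
 */
int64_t timeval_diff_usec(const struct timeval *a, const struct timeval *b) {
    return ((int64_t)a->tv_sec - (int64_t)b->tv_sec) * USEC_PER_SEC
         + ((int64_t)a->tv_usec - (int64_t)b->tv_usec);
}

/* Deliberately narrow variant (constructed for contrast): multiplies in
   32 bits first, as the pre-fix code did, so the result wraps modulo 2^32
   for large differences even if it is later assigned to a 64-bit value. */
uint32_t timeval_diff_usec_narrow(const struct timeval *a, const struct timeval *b) {
    uint32_t secs  = (uint32_t)(a->tv_sec - b->tv_sec);
    uint32_t usecs = (uint32_t)(a->tv_usec - b->tv_usec);
    return secs * (uint32_t)USEC_PER_SEC + usecs;
}
```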
2005-06-17 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added Delete payload processing. We now
display details of an ISAKMP Delete payload if one is returned,
rather than just displaying generic payload information.
2005-06-16 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Add --spisize option to allow a random SPI
of the specified size to be added to the proposal payload.
2005-06-15 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Display responder cookie value as a hex string
when displaying SA and Notify payloads, unless quiet is in effect.
* ike-scan.c: Added support for SIGUSR1 handling. Not fully
implemented. NOTE: This was removed later in June 2005, because the
bug we were looking for was found and fixed.
* isakmp.c: Print the SA Proposal SPI as hex if the SPI size in the
proposal header is non-zero. During Phase-1, the SPI size is
normally zero. However it has been observed to be non-zero on rare
occasions, and RFC 2408 allows this: "[during phase-1, the SPI is]
redundant and MAY be set to 0 or it MAY contain the transmitting
entity's cookie".
2005-05-31 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: Fixed error which caused psk-crack to incorrectly report
PSKs after finding a valid one, when processing multiple PSK records.
Solution was to ensure that "found" is cleared on every loop
iteration. Thanks to Daniel Lucq for finding this bug and suggesting
the solution.
2005-05-20 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Check return value from sendto() against size of
packet, and warn if they are different (meaning that not all of
the packet was sent). I've seen this occur when using TCP
encapsulation to send huge packets (which fragment into many TCP
segments), and the VPN server sends a RST back.
2005-05-12 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Use POSIX regex to split both the backoff pattern and
vendor id pattern entries into name and pattern in functions
add_pattern() and add_vid_pattern(). Previously, we manually
stepped through the strings using pointers. POSIX regex is more
complex, but it allows for more flexible and precise matching.
* ike-scan.c: Add SO_REUSEADDR option to TCP socket when performing
TCP scanning (--tcp option).
* ike-vendor-ids: Added 16 new Vendor IDs, and revised some comments
on existing entries.
2005-04-20 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Don't try to decode the SA in the returned packet if
it contains more than one transform. This cannot happen during
normal scanning, because the VPN server will only return one
transform, but can occur if you scan your own host, and ike-scan
sees its own packets which contain multiple transforms.
2005-04-09 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Modified usage() so that it can output either brief or
detailed help output depending on a new "detailed" argument. Now,
detailed output, including information on the available options, is
only displayed when ike-scan is run with the --help option. For
error conditions such as incorrect options, it only produces brief
output.
2005-03-19 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Changed initialise_ike_packet() function to use the
struct ike_packet_params rather than taking the various parameters
as separate arguments, as the argument count for this function was
up to 15 and growing (c89 std only guarantees up to 31 I believe).
Also removed some unnecessary global variables and placed these in
the new struct, which currently contains 18 members.
* ike-scan.c: Added --doi (-D) and --situation (-S) options to allow
the DOI and Situation in the SA of the outbound packets to be changed
from the default of DOI_IPSEC and SIT_IDENTITY_ONLY.
* ike-scan.c: Added --protocol (-j) and --transid (-k) options to
allow the proposal protocol and transform id of the outbound packets
to be changed from the defaults.
2005-03-10 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Improved decoding of Certificate and
CertificateRequest payloads. These used to be decoded as
generic payloads, but now include the certificate type in the
decode output.
* ike-scan.c: Added --certreq (-C) option to add a
CertificateRequest payload to the outgoing packet.
2005-03-09 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --headerlen (-L) option to allow the ISAKMP header
length to be manually specified. Normally, ike-scan will
automatically calculate the correct length; however, you can use this
option if you want to use an incorrect length value instead.
* ike-scan.c, isakmp.c: Added --mbz (-Z) option to allow the value for
the reserved (MBZ) fields to be set to non-zero values. Doing so
will make the outgoing packet non-RFC compliant.
* ike-scan.c, isakmp.c: Added --headerver (-E) option to allow the
version field in the ISAKMP header to be altered from the default of
0x10 (v1.0).
2005-02-21 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Drop root privileges after binding the local port if we
are running SUID. We don't need enhanced privileges after this
point, and having effective UID root can cause problems on NFS
filesystems where the root user is squashed to nobody and we need
to write a PSK parameters file.
2005-02-18 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Make errors from gethostbyname or inet_aton when adding
hosts non-fatal. Now these errors elicit a warning and cause the
offending target to be ignored, but processing continues.
Thanks to Tony Lloyd for finding this bug.
* ike-scan.h, ike-scan.c, isakmp.c: Change structure definitions to
typedefs. i.e. change "struct foo {defs};" to
"typedef struct {defs} foo;".
* ike-scan.h: Added extra data structure to the host entry structure.
This is designed to allow arbitrary extra data, such as an id string
or a transform specification, to be attached to a host entry.
2005-02-15 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --bandwidth (-B) option to allow the outgoing
bandwidth to be specified directly instead of using --interval.
The --bandwidth option calculates the appropriate interval setting,
taking into account the size of the packet.
* ike-scan.c: Added --noncelen (-c) option to allow the length of the
nonce data to be changed. This is only applicable to aggressive
mode.
2005-02-14 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.1: Updated psk-crack manpage to reflect current usage. The
manpage had fallen behind, and had become inaccurate.
2005-02-09 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Match ip range and slash notation using regular
expressions rather than single character matches in
add_host_pattern(). This fixes the bug which caused hostnames with
hyphens to fail because they were wrongly interpreted as IP ranges.
Thanks to Volker Stolz for reporting this bug.
2005-01-27 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Make lack of Posix regular expression support a fatal
error. Previously, it was optional, and we used conditional
compilation based on HAVE_REGEX_H. However, this never worked, and
I've not found a system which lacks Posix regex support.
* ike-scan.h, ike-scan.c, isakmp.c: Remove HAVE_REGEX_H conditional
compilation. Note that we still use it to conditionally include
<regex.h> in ike-scan.h though.
2005-01-25 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Add SO_BROADCAST option to UDP socket to allow sending
to the broadcast address.
2005-01-20 Roy Hills <Roy.Hills@nta-monitor.com>
* utils.c: Added new id_to_name() function to replace the more
limited STR_OR_ID macro. This allows the use of sparse maps where
the IDs are not contiguous. For example, the authentication methods
map, where RFC-defined IDs are 1 to 5, but there are proprietary and
draft methods around 64,000.
* ike-scan.c, isakmp.c: Use new id_to_name() function rather than
STR_OR_ID macro. Change the various id to name maps from char *
arrays to id_name_map arrays.
* ike-scan.h: Remove STR_OR_ID macro, and add id_to_name() prototype.
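The sparse id-to-name lookup described in the 2005-01-20 entry above, as an
added illustration (not code from ike-scan itself). The id_name_map type,
the id_to_name() signature and the method labels are my own assumptions;
the numeric values 1-5 are the RFC 2409 authentication methods and 64221 /
65001 are the private-range Hybrid and XAUTH values, which is exactly the
non-contiguous case a char * array indexed by ID cannot handle:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    unsigned id;
    const char *name;
} id_name_map;

/* Sparse map: IDs need not be contiguous, and the table is terminated by
 * a NULL name rather than sized by the largest ID.  Labels are assumed. */
static const id_name_map auth_methods[] = {
    {1,     "PSK"},
    {2,     "DSS-Signature"},
    {3,     "RSA-Signature"},
    {4,     "RSA-Encryption"},
    {5,     "Revised-RSA-Encryption"},
    {64221, "Hybrid-Init-RSA"},
    {65001, "XAUTH-Init-PSK"},
    {0,     NULL}
};

/* Linear search over a sparse map.  An unknown ID is formatted into the
 * caller's buffer so the result is always printable. */
const char *id_to_name(unsigned id, const id_name_map *map,
                       char *buf, size_t buflen) {
    const id_name_map *p;
    for (p = map; p->name != NULL; p++) {
        if (p->id == id)
            return p->name;
    }
    snprintf(buf, buflen, "UNKNOWN(%u)", id);
    return buf;
}

/* Convenience wrapper with a static scratch buffer (not thread safe). */
const char *auth_name(unsigned id) {
    static char scratch[32];
    return id_to_name(id, auth_methods, scratch, sizeof scratch);
}
```

A linear scan is fine for tables of a few dozen entries; the point is that
the table size no longer depends on the largest ID present.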
2005-01-16 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Incremented version number to 1.7.1 in preparation
for post 1.7 changes.
2005-01-14 Roy Hills <Roy.Hills@nta-monitor.com>
* Released v1.7 Tarball size: 1350170, Zip size: 2010303.
tarball md5sum: c06c6a3d78ba9b93c0abf79b3a3d2a11
Zip md5sum: 4e8c37775d541318e9841f17d22d492e
2005-01-13 Roy Hills <Roy.Hills@nta-monitor.com>
* README: Updated for ike-scan 1.6.7.
* ike-scan.h: Increased default pattern matching fuzz value from 100
to 500 ms.
* ike-scan.c: treat ECONNRESET the same as ECONNREFUSED. Some OSes
(e.g. Cygwin on Windows) return ECONNRESET from recvfrom() whereas
others return ECONNREFUSED.
2004-12-31 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Allow --interval argument to be specified as either
milliseconds or microseconds. Milliseconds is the default, unless
the argument ends in "u" in which case it is taken as microseconds.
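The --interval suffix handling in the entry above and the --bandwidth to
interval calculation from the 2005-02-15 entry, as an added example (my
own code, not ike-scan's). The function names and the assumption that the
packet size passed in already includes the IP and UDP headers are mine:

```c
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>

/* Parse an --interval style argument.  The value is milliseconds unless
 * it ends in "u", in which case it is microseconds.  Returns the
 * interval in microseconds, or 0 for a malformed argument. */
uint64_t parse_interval_us(const char *arg) {
    char *end;
    unsigned long val;

    if (arg == NULL || *arg < '0' || *arg > '9')   /* rejects "", "-5", " 5" */
        return 0;
    errno = 0;
    val = strtoul(arg, &end, 10);
    if (errno != 0 || end == arg)
        return 0;
    if (*end == '\0')
        return (uint64_t)val * 1000;                /* ms -> us */
    if (end[0] == 'u' && end[1] == '\0')
        return (uint64_t)val;                       /* already us */
    return 0;                                       /* trailing junk */
}

/* Interval (us) needed to send one packet of packet_bytes (assumed to
 * include IP/UDP headers) every period at bandwidth_bps bits/second.
 * Integer arithmetic only; returns 0 if the bandwidth is 0. */
uint64_t bandwidth_to_interval_us(uint64_t bandwidth_bps,
                                  unsigned packet_bytes) {
    if (bandwidth_bps == 0)
        return 0;
    return ((uint64_t)packet_bytes * 8 * 1000000ULL) / bandwidth_bps;
}
```

The 64-bit intermediate matters: a 1500-byte packet at 1 bit/s would
overflow a 32-bit product long before the division.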
2004-12-22 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Corrected pointer comparison in remove_host() so that
advance_cursor() is always called when the host being removed is the
current host. This bug sometimes caused ike-scan to hang.
2004-12-20 Roy Hills <Roy.Hills@nta-monitor.com>
* check-hash.c: Correct unsigned/signed char * pointers which were
giving warnings on Tru64 Alpha with Compaq C.
* psk-crack.c: Avoid division by zero if elapsed_seconds is zero.
I've seen this problem occur on Tru64/Alpha with few iterations,
probably because the granularity of gettimeofday() is not small
enough on this platform.
* sha1.c: Change "unsigned long" to "uint32_t" where a 32-bit
unsigned quantity is required. This allows sha1 to work on systems
where "unsigned long" is not 32-bits e.g. Alpha.
* psk-crack.c: cast argument to isspace() to unsigned char to avoid
"subscript has type char" warning on some OSes e.g. HP-UX.
* psk-crack.c: Correct spelling of "fnbuf_siz" variable used for
Cygwin.
* ike-scan.c, utils.c: Cast tv_sec and tv_usec timeval elements to
unsigned long before printing. This is done because different
vendors use different types (signed/unsigned int/long) for these
elements. As long is the widest type, and the values cannot be
negative, casting to unsigned long is safe.
2004-12-19 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Improve detection and location of OpenSSL libraries.
configure will now search several standard locations for the
OpenSSL libraries if the --with-openssl option is supplied. If a
directory argument is given, then that will be added to the search
list.
2004-12-09 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: Remove options to manually specify hash type (MD5 or
SHA1), as these are never needed.
2004-12-08 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: Changed syntax for dictionary cracking. Now dictionary
cracking does not need the dictionary file to be specified as an
argument. It's possible to use a dictionary file other than the
default with the --dictionary option.
* psk-crack.c: Support cracking multiple hashes if the PSK parameters
file has more than one line.
2004-12-05 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Minor changes to usage() to improve description of
--pskcrack and --tcptimeout options.
* check-run-1, check-run-2: Add --nodns --retry=1 to reduce delay.
* check-psk-crack-2: Add dictionary cracking tests.
2004-11-29 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added optional filename argument to --pskcrack (-P)
option to allow the PSK data to be written to a file for later
cracking with psk-crack.
2004-11-19 Roy Hills <Roy.Hills@nta-monitor.com>
* sha1.c: define SHA1HANDSOFF to 1 to prevent the SHA1 functions from
modifying the input buffer. If this is not defined, then pre-shared
key cracking for SHA1 hashes using this SHA1 function fails.
* Wrote two new tests for "make check": check-psk-crack-1 which tests
psk-crack --help and --version, and check-psk-crack-2 which tests
psk-crack bruteforce for both MD5 and SHA1 hashes.
2004-11-18 Roy Hills <Roy.Hills@nta-monitor.com>
* utils.c: printable() should quote the backslash itself to make
"\\n" (backslash, en) distinguishable from "\n" (newline).
This fix contributed by Pavel Kankovsky <kan(at)dcit.cz>
* psk-crack.c: Changed loop counters from 32-bit to 64-bit integers
to cope with very large iteration counts, e.g. when brute-forcing
8-character passwords with 36-element character set.
* ike-scan.c: Change 64-bit unsigned integer types from the fixed-
width uint64_t type to the "at least 64-bit" type UINT64 which is
determined by autoconf.
* configure.ac: Determine 64-bit integer type and snprintf format
string using code from postgresql autoconf. Previously we used
the fixed-width 64-bit types, but we never need exactly 64-bits,
only at least 64-bits.
2004-10-29 Roy Hills <Roy.Hills@nta-monitor.com>
* Internal release of 1.6.4. NTA Monitor internal use only.
2004-10-05 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added --nodns (-N) option.
Added "ERROR:" to error messages that were missing this prefix.
Corrected buffer length calculation that could result in a segv with
long argument lists.
2004-09-28 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: Added bruteforce support. New options:
--bruteforce and --charset.
* ike-scan.c: Added missing "=" to help text for --id option.
2004-09-20 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added additional authentication method names and group
names from http://www.iana.org/assignments/ipsec-registry
2004-09-20 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added SHA2 algorithms to auth_names[].
2004-07-19 Roy Hills <Roy.Hills@nta-monitor.com>
* psk-crack.c: New program to crack Aggressive Mode Pre-Shared Keys
using dictionary attack. This uses the output from "ike-scan -P"
together with a dictionary. This program is not very polished, but
it works OK.
2004-07-16 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Display the rcsid for all important source files
for the --version option rather than just for ike-scan.c.
2004-07-12 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added new --tcptimeout (-O) option. TCP Connect()
timeout can now be changed without having to change the #define.
2004-07-09 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added experimental support for Aggressive Mode
Pre-Shared Key (PSK) cracking with --pskcrack (-P) option.
This outputs the PSK parameters as colon-separated hex values
for input into a separate cracking program (which has not yet
been written).
2004-07-08 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Incremented version number from 1.6.2 to 1.6.3 in
preparation for next batch of changes.
* Internal release of 1.6.2. NTA Monitor internal use only.
No tarballs generated.
* configure.ac: Incremented version number from 1.6.1 to 1.6.2.
* configure.ac: Added checks for headers netinet/tcp.h and signal.h
for TCP support.
* ike-scan.c: Added experimental support for Cisco encapsulated
IKE over TCP as used by Cisco VPN Concentrator. Changed --tcp (-T)
option to take an optional numeric argument: 1 (default) meaning
raw IKE over TCP, and 2 meaning Cisco proprietary encapsulation.
* ike-scan.c: Add timeout for TCP connect() when using the --tcp (-T)
option. This uses the alarm() call to interrupt connect() which
has a granularity of seconds. Currently, the timeout is defined
by the macro TCP_CONNECT_TIMEOUT in ike-scan.h.
2004-06-23 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added experimental support for TCP with --tcp (-T)
option.
2004-06-16 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-vendor-ids: Added several new Vendor ID patterns bringing the
total to 68.
* ike-scan.h, ike-scan.c: Merge in timing error smoothing code. This
is based on the TCP RTT smoothing algorithm in RFC 793. It is only
used if ALPHA is defined in ike-scan.h. Currently, this is disabled
because ALPHA is #undef'ed in ike-scan.h.
2004-05-25 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Allow identification value specified with --id option
to be either a string e.g. --id=test or a hex value with a leading
0x e.g. --id=0xdeadbeef. Note that because previous versions always
interpreted the value as hex, you will need to add a leading 0x to
the values or re-code them as text strings.
2004-05-19 Roy Hills <Roy.Hills@nta-monitor.com>
* Makefile.am: updated for automake 1.8.
* configure.ac: updated for autoconf 2.59.
* configure.ac: Support the use of OpenSSL hash functions.
If --with-openssl=PATH option is specified, then the OpenSSL
functions will be used; otherwise the built-in functions will be
used.
* check-hash.c: New file to check MD5, SHA1 and HMAC functions for
"make check".
2004-04-15 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.h, ike-scan.c: Changed host entry list to use dynamic array
grown with realloc rather than a linked list using malloc for each
entry, plus an additional array of pointers. This reduces the amount
of memory required from 56 bytes per host to 45 bytes per host.
* ike-scan.c: Added --random (-R) option to randomise the host entry
list. This uses the Knuth shuffle algorithm to shuffle the array of
pointers.
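The Knuth (Fisher-Yates) shuffle over the array of host-entry pointers
mentioned in the entry above, as an added example; this is my own code,
and the simplified host_entry layout and helper names are assumptions, not
ike-scan's structures:

```c
#include <stdlib.h>
#include <stddef.h>

typedef struct {
    unsigned long addr;   /* IPv4 address, host byte order (simplified) */
    unsigned n;           /* position in the original, unshuffled order */
} host_entry;

/* Fisher-Yates / Knuth shuffle over an array of pointers.  Walking from
 * the end and swapping list[i] with a uniformly chosen list[0..i] makes
 * every ordering equally likely (up to the modulo bias of rand()).
 * Only the pointers move; the entries themselves stay put. */
void shuffle_hosts(host_entry **list, size_t n) {
    size_t i;
    if (n < 2)
        return;
    for (i = n - 1; i > 0; i--) {
        size_t j = (size_t)rand() % (i + 1);   /* 0 <= j <= i */
        host_entry *tmp = list[i];
        list[i] = list[j];
        list[j] = tmp;
    }
}

/* True if the pointer list still covers each original index exactly once. */
int is_permutation(host_entry **list, size_t n) {
    unsigned char *seen = calloc(n ? n : 1, 1);
    size_t i;
    int ok = 1;
    if (seen == NULL)
        return 0;
    for (i = 0; i < n; i++) {
        if (list[i]->n >= n || seen[list[i]->n]) { ok = 0; break; }
        seen[list[i]->n] = 1;
    }
    free(seen);
    return ok;
}

/* Build n constructed entries, shuffle the pointer array with the given
 * seed and report whether the result is still a permutation. */
int shuffle_demo(size_t n, unsigned seed) {
    host_entry *entries = malloc(n * sizeof *entries);
    host_entry **list = malloc(n * sizeof *list);
    size_t i;
    int ok;
    if (entries == NULL || list == NULL) { free(entries); free(list); return 0; }
    for (i = 0; i < n; i++) {
        entries[i].addr = 0x0a000000UL + i;     /* 10.0.0.0 + i, constructed */
        entries[i].n = (unsigned)i;
        list[i] = &entries[i];
    }
    srand(seed);
    shuffle_hosts(list, n);
    ok = is_permutation(list, n);
    free(list);
    free(entries);
    return ok;
}
```

rand() is adequate for spreading probes across a target range; it is not a
cryptographic source and should not be used where an observer must be
unable to predict the order.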
2004-04-05 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.h: Changed num_sent and num_rcvd fields from unsigned to
unsigned short to save space.
* ike-scan.c: Moved the various utility functions that are not IKE
related to the new file utils.c.
* Makefile.am: Added new source file: utils.c
2004-03-29 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Incremented version number from 1.6 to 1.6.1 for next
version.
* ike-scan.h: Re-arranged struct host_entry for better alignment -
moved "live" to end of structure.
* ike-scan.c: Included host name in error message from gethostbyname().
* ike-backoff-patterns: Added Linksys router pattern, submitted by
Bob Davis.
2004-01-16 Roy Hills <Roy.Hills@nta-monitor.com>
* Released v1.6 Tarball size: 141847, Zip size: 648717.
tarball md5sum: 5cdc5633a2a7484805d76b3952b8cef6
Zip md5sum: 86c417529af55b2e201e77f2f617dc95
2004-01-13 Roy Hills <Roy.Hills@nta-monitor.com>
* Makefile.am: Added new shell-script-based tests check-run1,
check-run2, and check-run3.
* ike-scan.1: Updated man page OPTIONS section and added FILES
section.
* Added Russ Allbery's inet_aton replacement function for systems
like Solaris which don't have inet_aton in the standard library.
Added inet_aton check to configure.ac.
* ike-scan.c: Cast char * to unsigned char * before passing to
isdigit(). isdigit can have problems with char if char is signed
and value >127, esp. when it's implemented as a macro that indexes
into an array as on Solaris 8.
* Use hexstring() to print cookie values rather than using htonl()
on the two 32-bit pieces. Some systems define htonl() to return
unsigned long while others return unsigned int making it impossible
to use the same printf format string on all systems.
2004-01-10 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c, isakmp.c: Added regular expression support for
Vendor ID pattern matching. Patterns in ike-vendor-ids
are now Posix basic regular expressions which are compiled
with "regcomp" and matched against the hex representation
of the Vendor ID data with "regexec".
* configure.ac: Added check for Posix regular expression
support.
2003-12-30 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added transform attribute generation functions make_attr()
and add_attr(). Use these functions in make_trans() to improve
readability and allow for future flexibility.
* ike-scan.c: Free various bits of malloc'ed storage when they are
no longer used. The pointers involved are: vid_data, patcopy,
id_data, gss_data, hdr, sa, prop, transforms, ke, nonce, id and vid.
These are all used only at initialisation time. We don't save much
memory by free'ing these, but it's better to be neat & tidy.
* check-sizes.c: New test program which checks the sizes of structures
and types. This is referenced by the TESTS target in Makefile.am,
so it gets run by "make check".
* ike-scan.c: check_struct_sizes() is now obsolete and has been
removed.
2003-12-29 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Fixed bug which caused the data length for ID and VID
payloads to be 8 bytes more than it really was (we were not
subtracting the length of the header structure).
* isakmp.c: Only check the returned VID against a candidate pattern if
the VID data length is >= the candidate pattern length.
* isakmp.c: Moved notification_msg[] from global to process_notify()
function. Use STR_OR_ID macro to display appropriate string from
notification_msg[] which avoids a hard-coded constant. Changed
format of "Firewall-1" 9101 notify message.
2003-12-24 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Modified error message if bind() fails to be more
specific depending on the value of errno.
* ike-scan.c: Added --quiet option to prevent packet decode and thus
shorten the output if required and --multiline option to split the
decode over multiple lines (one line per payload).
* ike-scan.c: Improved protocol decode. SA and ID payloads are now
decoded. For SA, the various transform attributes are shown.
* ike-scan.c: Added utility functions printable() and hexstring() to
provide escaped-printable and hex representations of data.
* isakmp.c: New process_id() function to process ID payload. Improved
process_sa() function to decode transforms. Transform decoding is
no longer experimental.
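The printable() and hexstring() helpers named in the entry above, as an
added example that also shows the two later fixes recorded elsewhere in
this log: the backslash must itself be escaped so that a literal
backslash-n in the data is distinguishable from an escaped newline
(2004-11-18), and bytes are cast to unsigned char before the <ctype.h>
calls (2004-01-13). This is my own code, not ike-scan's; the exact escape
forms chosen here are an assumption:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escaped-printable form of arbitrary bytes.  Printable characters pass
 * through unchanged except backslash, which becomes "\\"; newline, CR and
 * tab become \n, \r, \t; everything else becomes \xHH.  Caller frees. */
char *printable(const unsigned char *data, size_t len) {
    char *out = malloc(len * 4 + 1);    /* worst case: every byte -> \xHH */
    char *p = out;
    size_t i;
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = data[i];      /* never pass a negative char to isprint() */
        if (c == '\\')      { *p++ = '\\'; *p++ = '\\'; }
        else if (c == '\n') { *p++ = '\\'; *p++ = 'n'; }
        else if (c == '\r') { *p++ = '\\'; *p++ = 'r'; }
        else if (c == '\t') { *p++ = '\\'; *p++ = 't'; }
        else if (isprint(c)) *p++ = (char)c;
        else p += sprintf(p, "\\x%02x", c);
    }
    *p = '\0';
    return out;
}

/* Lower-case hex representation, e.g. for the two 8-byte ISAKMP cookies.
 * Works byte by byte, so it does not depend on the return type of
 * htonl(), which varies between platforms.  Caller frees. */
char *hexstring(const unsigned char *data, size_t len) {
    char *out = malloc(len * 2 + 1);
    size_t i;
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02x", data[i]);
    out[len * 2] = '\0';
    return out;
}
```

Without the backslash rule the two inputs "a\\nb" (four bytes) and "a<LF>b"
(three bytes) would both render as a\nb, which is exactly the ambiguity
the 2004-11-18 fix removes.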
2003-12-19 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added experimental support for displaying transform
attributes. This code is only enabled if the --experimental option is
specified. New attribute parsing function process_attr(),
new macro STR_OR_ID, and new function numstr() as well as additional
code in process_sa() function.
2003-12-11 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added support for Vendor ID fingerprinting using
fingerprints loaded from the file "ike-vendor-ids". Added
--vidpatterns (-I) option to specify Vendor ID patterns file
location if it's not the default.
* isakmp.c: Modified process_vid() to check for known Vendor ID
and print entry from database if found.
2003-12-10 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Allow target hosts to be specified as IPnet/bits or
IPstart-IPend as well as the traditional single host or IP address.
The new function add_host_pattern() deals with these new formats.
Added details to usage() to explain these additional formats.
This functionality was first requested by Chris Gripp in Jan 2003.
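The IPnet/bits and IPstart-IPend target forms introduced in the entry
above, together with the 2005-02-09 fix that matches them with anchored
regular expressions so that a hostname containing a hyphen is no longer
mistaken for a range, as an added example. This is my own code and not
ike-scan's add_host_pattern(); the use of POSIX extended syntax, the
host_kind enum and the CIDR helper are assumptions:

```c
#include <regex.h>
#include <stdio.h>
#include <stdint.h>

typedef enum { HOST_SINGLE, HOST_RANGE, HOST_CIDR, HOST_INVALID } host_kind;

/* Match the whole string against an anchored POSIX ERE; 1 on match. */
static int matches(const char *re_text, const char *s) {
    regex_t re;
    int rc;
    if (regcomp(&re, re_text, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, s, 0, NULL, 0) == 0;
    regfree(&re);
    return rc;
}

/* Classify a target.  Only a dotted quad on both sides of '-' is a range
 * and only dotted-quad/bits is CIDR, so "my-host.example.com" falls
 * through to the single-host case instead of being split at the hyphen. */
host_kind classify_host_pattern(const char *pattern) {
    static const char *quad = "[0-9]{1,3}(\\.[0-9]{1,3}){3}";
    char range_re[128], cidr_re[128];
    int r;

    snprintf(range_re, sizeof range_re, "^%s-%s$", quad, quad);
    snprintf(cidr_re, sizeof cidr_re, "^%s/[0-9]{1,2}$", quad);

    if ((r = matches(range_re, pattern)) < 0) return HOST_INVALID;
    if (r) return HOST_RANGE;
    if ((r = matches(cidr_re, pattern)) < 0) return HOST_INVALID;
    if (r) return HOST_CIDR;
    return HOST_SINGLE;
}

/* First and last host-order addresses covered by "a.b.c.d/bits".
 * Pure integer arithmetic; returns 0 on a malformed spec. */
int cidr_bounds(const char *spec, uint32_t *first, uint32_t *last) {
    unsigned a, b, c, d, bits;
    uint32_t mask;
    if (sscanf(spec, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) != 5)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32)
        return 0;
    mask = (bits == 0) ? 0 : (uint32_t)(0xFFFFFFFFUL << (32 - bits));
    *first = (((uint32_t)a << 24) | (b << 16) | (c << 8) | d) & mask;
    *last = *first | ~mask;
    return 1;
}

/* One-value accessors; 0 on a malformed spec. */
uint32_t cidr_first(const char *spec) {
    uint32_t f, l;
    return cidr_bounds(spec, &f, &l) ? f : 0;
}
uint32_t cidr_last(const char *spec) {
    uint32_t f, l;
    return cidr_bounds(spec, &f, &l) ? l : 0;
}
```

The single-character test the fix replaced would have sent "my-host" and
"example.com" to the range parser; anchoring the whole string on numeric
octets is what makes the hyphenated hostname case unambiguous.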
2003-11-28 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Removed unnecessary gethostbyname() call.
2003-11-23 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Removed many global variables and made them local to
main(). Only 4 global variables left now, all of which have
some reason to stay global.
2003-11-22 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added support for GSS ID attribute in make_trans()
function.
2003-11-21 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Added support for lifesize (KB) to add_trans() and
make_trans() functions.
* ike-scan.h: Modified function definitions for add_trans(),
make_trans(), and initialise_ike_packet() to take lifesize
argument.
* ike-scan.c: Added support for --lifesize (-z) option. Default
is not to include this attribute.
2003-11-18 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Wrote ISAKMP packet parsing routines: skip_payload,
process_isakmp_hdr, process_sa, process_vid, process_notify.
These are used by the new display_packet() routine in ike-scan.c
* ike-scan.c: Re-wrote display_packet() function to parse ISAKMP
packet in a flexible way using functions in isakmp.c. This
allows us to display multiple Vendor ID payloads (previously we
could only display the first), and also to detect and print
vendor ID payloads anywhere in the packet (previously it had to be
immediately after the SA payload, which may not be the case with
aggressive mode).
2003-11-14 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Fixed bug which could cause select() to be passed a
negative timeout when collecting backoff fingerprints.
* Released v1.5.1. Tarball size: 122595, Zip size: 632736.
tarball md5sum: 6425534104fd9f6f644c6f7286ed40e1
Zip md5sum: 52cf28982532030b2e7faf26dde8fb1d
2003-11-13 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added support for IKE Aggressive Mode. New options:
--aggressive, --id, --idtype, --dhgroup.
* isakmp.c: Added functions to build id, nonce and ke payloads for
Aggressive Mode.
* ike-scan.1: Added details of Aggressive Mode options.
* Released V1.5.
2003-11-08 Roy Hills <Roy.Hills@nta-monitor.com>
* wrappers.c: New file containing system/library call wrappers
for those calls which are not expected to fail. Wrappers have
the same name as the underlying call but with initial capital
letter. This convention is from W. Richard Stevens' Unix Network
Programming book.
* ike-scan.c: Changed to use wrapper functions for Gettimeofday,
Malloc and Realloc.
* isakmp.c: Changed to use wrapper function for Malloc.
* isakmp.c: Wrote new add_trans() function. This allows a multi-
transform payload to be built; it calls make_trans.
* ike-scan.c: Use new add_trans() function in initialise_ike_packet()
rather than manually building the transform payload using
make_trans().
* isakmp.c: Add new add_vid() function.
* ike-scan.c: Use new add_vid() function to allow multiple VIDs to
be specified.
* ike-scan.c: Add new function decode_trans. Use this function to
parse the --trans argument which allows the specification of
encryption key length.
2003-11-07 Roy Hills <Roy.Hills@nta-monitor.com>
* isakmp.c: Wrote ISAKMP payload construction functions.
* ike-scan.c: Use functions from isakmp.c to construct ISAKMP
payloads rather than manually filling in structures.
2003-10-30 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Change loop timing units from ms to us to improve
accuracy. This requires a 64-bit integer type.
2003-10-30 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added elapsed time statistics to "Ending:" line.
* ike-scan.c: Changed atoi(optarg) to
strtoul(optarg, (char **)NULL, 10) for unsigned options to allow
full unsigned range.
* ike-scan.c: Dynamically adjust select_timeout based on requested
interval and cumulative error.
* ike-scan.c: Removed --selectwait option as it is now unnecessary.
* ike-scan.c: Renamed backoff variable to backoff_factor and changed
type from float to double.
* ike-scan.c: Timeout hosts immediately if possible when
starting the timeout pass. This reduces the scanning time,
especially when scanning a large number of hosts. Previously, the
scanning time tended towards <retries+1> * <num-hosts>; now it tends
towards <retries> * <num-hosts>.
* ike-scan.c: Added pass number which is displayed if verbose >= 1.
2003-10-29 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Don't call advance_cursor() if we can't send to a host
yet because the next host won't be ready either.
* ike-scan.c: Start the search for a matching cookie at cursor->prev
rather than cursor.
2003-08-05 Roy Hills <Roy.Hills@nta-monitor.com>
* Released version v1.4. Tarball size 114410 bytes, Zip size 622630.
tarball md5sum: d8755044a041859cde12d111973bb541
zip md5sum: 7871aead615b88e3fd6a516f60ac63d0
2003-07-17 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Print any vendor ID payload in hex if it follows an SA
payload.
* ike-scan.c: allocate vid_data using malloc rather than having a
fixed-length array. This allows the supplied vendor id to be of
arbitrary length.
2003-07-16 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Changed --vendor option to use a hex string of arbitrary
length (up to MAXLINE) rather than an md5 hash of the supplied
string. This allows us to specify any vendor ID e.g. the one that
SecuRemote uses with main mode.
2003-07-10 Roy Hills <Roy.Hills@nta-monitor.com>
* Released version v1.3. Tarball size 113350 bytes.
tarball md5sum: 3fc330e97017ac93bd35fd2973d14e58
Note: this is not an official release and no Windows (zip) version
was produced. It is for internal use to test the new pattern
matching code. However, it is available in the public download
directory if anyone wants to use it.
2003-07-10 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-backoff-patterns: Added new patterns "watchguard-soho" and
"sonicwall-pro". These both use the new "/" notation to represent
per-entry fuzz values.
* ike-scan.c: Add fact that per-pattern fuzz entries override the
values specified with --fuzz to the help output.
* Created detached GPG sigs (.asc) for *.tar.gz and *.zip using DSA
key ID 567B9F3A Roy Hills <Roy.Hills@nta-monitor.com>.
2003-07-10 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added check_struct_sizes() to check the sizes of the
ISAKMP structures.
* ike-scan.h: Added definition of check_struct_sizes().
2003-07-04 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added support for per-pattern-entry fuzz specification
in the patterns file.
* ike-scan.h: New structure to support per-pattern-entry fuzz.
2003-06-27 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Improved backoff pattern display in dump_backoff().
Use integer arithmetic in add_pattern() to avoid rounding errors.
* ike-scan.h: Remove math.h include. Not needed now that we use
integer arithmetic in add_pattern().
* configure.ac: Removed check for maths library. Not needed now that
we use integer arithmetic in add_pattern().
2003-06-17 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.1: Created man page ike-scan.1. This is required by some
Linux distributions e.g. Debian.
* Makefile.am: Added support for new man page.
* NEWS: Added info for v1.0, v1.1 and v1.2.
* Makefile.am: Changed location of "ike-backoff-patterns" from
$datadir to $pkgdatadir.
2003-06-11 Roy Hills <Roy.Hills@nta-monitor.com>
* Released version v1.2. Tarball size 108137 bytes, Zip size 620292.
tarball md5sum: 25777051bb09306cb0b86e0cf1c48caa
zip md5sum: 5c02090900dc3fda7fa374fe99f48af5
2003-06-11 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-backoff-patterns: Minor comment changes.
2003-05-10 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Added package name and version to AC_INIT.
* ike-scan.c: Use PACKAGE_STRING and PACKAGE_BUGREPORT symbols rather
than hard-coded strings.
2003-05-09 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac, acinclude.m4: Wrote macro AC_NTA_NET_SIZE_T to
determine the best type to use for the 3rd argument to accept().
This is normally socklen_t, but is sometimes int or size_t.
This change allows the program to compile on HP Tru64 Unix.
2003-05-08 Roy Hills <Roy.Hills@nta-monitor.com>
* configure.ac: Renamed configure.in to configure.ac to comply with
new autoconf naming scheme and ran autoupdate to update from
autoconf 2.13 to 2.53. No C code changes.
2003-02-21 Roy Hills <Roy.Hills@nta-monitor.com>
* error.c: Changed "syslog(level, buf)" to "syslog(level, "%s", buf)"
to fix syslog format string vulnerability.
2003-02-18 Roy Hills <Roy.Hills@nta-monitor.com>
* Released version v1.1. Tarball size 91606 bytes, Zip size 578034.
tarball md5sum: b87fe14043c43c2897cf309c364574b7
zip md5sum: 59db0f1f170aaf50dfb2c05f4f950d00
* Corrected typo in README-WIN32: know -> known.
2003-02-03 Roy Hills <Roy.Hills@nta-monitor.com>
* Makefile.am: Changed DATADIR to IKEDATADIR.
* ike-scan.h: Include <windows.h> if compiling under Cygwin.
* ike-scan.c: Use ike-scan.exe dir as default patterns file dir
if compiling under Cygwin.
* ike-scan now compiles under Cygwin and can be used as a Windows EXE
if CYGWIN1.DLL is present.
2003-01-30 Roy Hills <Roy.Hills@nta-monitor.com>
* Minor changes to --help output to make use of <> brackets
consistent.
2003-01-29 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-scan.c: Added output of "Ending:" line showing number of hosts
scanned and number of responders after scan completes.
* ike-scan.c: Only show backoff table if there is at least one
handshake responder.
* ike-scan.c: Don't bother waiting for extra packets after all host
entries have been removed if there are no handshake responders.
* ike-scan.c: Show that notify message 9101 is Firewall-1 4.x or NG
in output message.
* ike-scan.c: Cast value from htonl to uint32_t when used in printf
statement to avoid warnings on those platforms which define htonl
as returning unsigned long (like FreeBSD).
* ike-backoff-patterns: Added OpenBSD-isakmpd, discovered by Thomas
Walpuski.
2003-01-27 Roy Hills <Roy.Hills@nta-monitor.com>
* Fixed possible buffer overflow in code which joined argv elements
into a fixed-length string which is then written to syslog.
* Removed RSA 1991 MD5 implementation and replaced with
L. Peter Deutsch's MD5 implementation dated 2002.
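The two syslog-related fixes in this log, the bounded argv join from the
entry above and the "%s" format change from the 2003-02-21 entry, as one
added example. This is my own code, not ike-scan's error.c; snprintf()
into a buffer stands in for syslog() so the effect is visible and
testable, and the buffer size, function names and sample argv are
constructed for the illustration:

```c
#include <stdio.h>
#include <string.h>

#define LOGBUF_SIZE 64   /* deliberately small so truncation is easy to hit */

/* Join argv into a fixed buffer without overflowing it.  snprintf()
 * returns the length it wanted, so a result >= the remaining space means
 * the buffer is full (and still NUL-terminated).  Returns 1 if every
 * argument fit, 0 if the output was truncated. */
int join_args(int argc, char *const argv[], char *buf, size_t buflen) {
    size_t used = 0;
    int i;
    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    for (i = 0; i < argc; i++) {
        int n = snprintf(buf + used, buflen - used, "%s%s",
                         i ? " " : "", argv[i]);
        if (n < 0)
            return 0;
        if ((size_t)n >= buflen - used)     /* did not fit; stop here */
            return 0;
        used += (size_t)n;
    }
    return 1;
}

/* The bug: caller-controlled text used *as* the format string, so any
 * '%' sequences in it are interpreted.  Kept only for contrast. */
int log_line_unsafe(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, msg);
}

/* The fix: a constant format, with msg passed as an argument.  This is
 * the syslog(level, buf) -> syslog(level, "%s", buf) change. */
int log_line_safe(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, "%s", msg);
}

/* Demo wrappers sharing one static buffer (not thread safe). */
static char demo_buf[LOGBUF_SIZE];

const char *demo_unsafe(const char *msg) {
    log_line_unsafe(demo_buf, sizeof demo_buf, msg);
    return demo_buf;
}
const char *demo_safe(const char *msg) {
    log_line_safe(demo_buf, sizeof demo_buf, msg);
    return demo_buf;
}
const char *demo_buffer(void) { return demo_buf; }

/* Constructed short command line: fits in LOGBUF_SIZE. */
int join_short_demo(void) {
    char *const argv[] = { "ike-scan", "--aggressive", "10.0.0.1" };
    return join_args(3, argv, demo_buf, sizeof demo_buf);
}

/* Constructed long command line: 20 ten-character arguments overflow a
 * 64-byte buffer, so the join must stop early and report truncation. */
int join_long_demo(void) {
    char *const argv[] = {
        "0123456789", "0123456789", "0123456789", "0123456789", "0123456789",
        "0123456789", "0123456789", "0123456789", "0123456789", "0123456789",
        "0123456789", "0123456789", "0123456789", "0123456789", "0123456789",
        "0123456789", "0123456789", "0123456789", "0123456789", "0123456789"
    };
    return join_args(20, argv, demo_buf, sizeof demo_buf);
}
```

The "100%% sure" input shows the difference without undefined behaviour:
the unsafe form collapses it to "100% sure", the safe form logs it
verbatim. With a conversion such as "%x" the unsafe form would read
arguments that were never passed, which is the real risk of the original
syslog call.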
2003-01-25 Roy Hills <Roy.Hills@nta-monitor.com>
* Moved all #includes to ike-scan.h.
* ike-scan.c, ike-scan.h: Changed host_entry element "n" from int to
unsigned.
* ike-scan.c: Changed printf format for unsigned from %d to %u.
* ike-scan.c: Added exchange type (Main Mode or Aggressive Mode) to
"handshake returned" message.
* ike-scan.h: Make all #includes conditional based on configure findings
* configure.in: Check for uint_8, uint_16 and u_int32 types using
custom macro AC_NTA_CHECK_TYPE (defined in acinclude.m4). If the
types are not defined, then #define them to values that will work on
most systems.
* ike-scan now builds and runs on two new platforms:
- Debian Linux 1.3.1 (old libc5 based Linux system with 2.0 kernel)
- Cygwin on Windows NT Workstation (only under the cygwin
environment; this doesn't produce a standalone windows exe).
2003-01-23 Roy Hills <Roy.Hills@nta-monitor.com>
* ike-backoff-patterns: Changed Cisco Concentrator entry to 0,8,8,8
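A parser for the timing part of a backoff-pattern entry such as the
"0,8,8,8" above, including the per-entry "/fuzz" notation from the
2003-07-10 entry and the integer-only arithmetic adopted in the
2003-06-27 entry to avoid rounding errors, as an added example. This is my
own code, not ike-scan's add_pattern(); the assumptions are that times are
decimal seconds, that the value after "/" is a fuzz in milliseconds, and
that a missing per-entry fuzz falls back to a default of 500 ms:

```c
#include <ctype.h>
#include <stdlib.h>
#include <stdint.h>

#define MAX_PATTERN_ENTRIES 32
#define DEFAULT_FUZZ_MS 500          /* assumed default, stands in for --fuzz */

typedef struct {
    uint64_t time_us;                /* backoff time in microseconds */
    unsigned fuzz_ms;                /* per-entry fuzz; overrides --fuzz */
} backoff_entry;

/* Parse decimal seconds ("8", "0.5", "12.345") into microseconds using
 * integer arithmetic only, so "0.1" is exactly 100000 rather than
 * 99999.99...  Digits beyond microsecond precision are dropped. */
static int parse_seconds_us(const char *s, uint64_t *out, const char **endp) {
    uint64_t whole = 0, frac = 0;
    int digits = 0, frac_digits = 0;

    while (isdigit((unsigned char)*s)) {
        whole = whole * 10 + (uint64_t)(*s - '0');
        s++; digits++;
    }
    if (*s == '.') {
        s++;
        while (isdigit((unsigned char)*s)) {
            if (frac_digits < 6) {
                frac = frac * 10 + (uint64_t)(*s - '0');
                frac_digits++;
            }
            s++; digits++;
        }
    }
    if (digits == 0)
        return 0;
    while (frac_digits < 6) { frac *= 10; frac_digits++; }
    *out = whole * 1000000ULL + frac;
    *endp = s;
    return 1;
}

/* Parse "t1,t2/fuzz,t3,..." into out[].  Returns the number of entries,
 * or -1 on a syntax error or too many entries. */
int parse_backoff_pattern(const char *s, backoff_entry *out, int max) {
    int n = 0;
    while (*s != '\0') {
        uint64_t t;
        const char *end;
        unsigned fuzz = DEFAULT_FUZZ_MS;
        if (n >= max || !parse_seconds_us(s, &t, &end))
            return -1;
        s = end;
        if (*s == '/') {                             /* per-entry fuzz */
            char *e2;
            unsigned long f = strtoul(s + 1, &e2, 10);
            if (e2 == s + 1)
                return -1;
            fuzz = (unsigned)f;
            s = e2;
        }
        out[n].time_us = t;
        out[n].fuzz_ms = fuzz;
        n++;
        if (*s == ',')
            s++;
        else if (*s != '\0')
            return -1;
    }
    return n;
}

/* One-shot accessors that re-parse the string; 0 for an invalid index. */
int pattern_count(const char *s) {
    backoff_entry e[MAX_PATTERN_ENTRIES];
    return parse_backoff_pattern(s, e, MAX_PATTERN_ENTRIES);
}
uint64_t pattern_time_us(const char *s, int idx) {
    backoff_entry e[MAX_PATTERN_ENTRIES];
    int n = parse_backoff_pattern(s, e, MAX_PATTERN_ENTRIES);
    return (idx >= 0 && idx < n) ? e[idx].time_us : 0;
}
unsigned pattern_fuzz_ms(const char *s, int idx) {
    backoff_entry e[MAX_PATTERN_ENTRIES];
    int n = parse_backoff_pattern(s, e, MAX_PATTERN_ENTRIES);
    return (idx >= 0 && idx < n) ? e[idx].fuzz_ms : 0;
}
```

Keeping the times as integer microseconds means later comparisons against
observed retransmission gaps (which themselves come from struct timeval)
never involve a float that might land on either side of the fuzz window.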
2003-01-20 Roy Hills <Roy.Hills@nta-monitor.com>
* Released initial version v1.0. Tarball size 86434 bytes,
md5sum: 7299777c7d67d1cea82d9594867b4806