{"id":1516,"date":"2009-01-30T23:22:05","date_gmt":"2009-01-30T22:22:05","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2009\/01\/31\/nessus-wrapper-for-ike-scan\/"},"modified":"2009-01-30T23:22:05","modified_gmt":"2009-01-30T22:22:05","slug":"nessus-wrapper-for-ike-scan","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/","title":{"rendered":"Nessus\/OpenVAS wrapper for ike-scan"},"content":{"rendered":"<p>ike-scan is a great tool to audit VPN\/IPSec implementations.\u00a0 This tool, which runs under Linux, Unix, MacOS and Windows, can be found at <cite><a href=\"http:\/\/www.nta-monitor.com\/tools\/ike-scan\/\">www.nta-monitor.com\/tools\/ike-scan\/<\/a> (Latest version at time of writing is 1.9). My Nessus ike-scan NASL wrapper may or may not work with earlier versions or newer versions, so test test test)<\/cite><\/p>\n<p>Some of the great features of ike-scan include extracting the PSK, or transform attributes to find all algorithms that are enabled on a device. Especially this last function may require some scripting and lots of time to go through the log files in order to see whether your solution is configured the way it should be configured.<\/p>\n<p>So I decided to write a nessus nasl plugin to run ike-scans.<\/p>\n<p>The plugin is in fact a wrapper around ike-scan and will parse the output, looking for specific settings :<\/p>\n<ul>\n<li>Does the VPN implementation allow aggressive mode ? (this will generate a security_warning)<\/li>\n<li>Can the PSK be extracted ? 
(and maybe brute-forced with psk-crack or other tools) (this will generate a security_hole, however if you must use a PSK as sole authentication mechanism, make sure it is very very very long)<\/li>\n<li>Is DES, MD5 or DH Group1 being used (which are considered to be a lot less safe and secure than, for instance, 3DES, SHA and DH Group2) (this will generate a security_hole, because it is not safe to use these algorithms\/selections at all)<\/li>\n<li>KeySize : if a keysize (f.i. keysize of AES) can be captured and is found below a given number of bits, a security_hole notification is generated. (Default audit will look for a keylength of less than 128 bits, but this is configurable)<\/li>\n<li>Display all proposals that were used in successful handshake attempts<\/li>\n<\/ul>\n<p>In addition to this, the wrapper will attempt to find and display the device vendor. (will generate a security_warning)<\/p>\n<p>All of these tests are hardcoded in the script, so if you want to look for different things, feel free to edit the plugin.<\/p>\n<p>Both Nessus (<a href=\"http:\/\/www.nessus.org\">www.nessus.org<\/a>) and openVAS (<a href=\"http:\/\/www.openvas.com\">www.openvas.com<\/a>) are network vulnerability scanners, free to download, offering various sets of plugins for Home Users and Professionals.\u00a0 My nasl plugin does not depend on existing or new plugins, so you can run the plugin with both free and paying plugin subscriptions.<\/p>\n<h3>Before you begin<\/h3>\n<p>I will explain some configuration specifications for Nessus, I\u2019m sure you can figure out yourself how to achieve the same goal in openVAS.<\/p>\n<p>This plugin requires some specific settings to be configured in nessus. 
First of all, since the plugin is not signed, you will need to edit nessusd.conf (\/opt\/nessus\/etc\/nessus\/) and allow non-signed scripts :<\/p>\n<p><span style=\"font-family: 'Courier New';\"><strong>nasl_no_signature_check = yes<\/strong><\/span><\/p>\n<p>If you want to use the transform functionalities and vendor fingerprinting (via the backoff technique), you will need to configure nessus to allow a long plugin timeout. Both of these functionalities can take a long time to complete, so I would advise you to change the plugins_timeout value in nessusd.conf and set it to a high value (f.i. 1800 seconds)<\/p>\n<p><span style=\"font-family: 'Courier New';\"><strong>plugins_timeout = 1800<\/strong><\/span><\/p>\n<p><em><span style=\"color: #ff0000;\">(Note : starting from version 1.0.8, you don\u2019t need to do this anymore. The plugin timeout is now set to unlimited, so you don\u2019t need to worry about the scan not being able to complete in time)<\/span><\/em><\/p>\n<p>Finally, (and of course) \u201cike-scan\u201d must be installed on the system and must be in the \u201cpath\u201d.\u00a0 Nessus runs as root, so you must verify that you can run ike-scan as root.<\/p>\n<h3>Installing the plugin<\/h3>\n<p>Download the .nasl script (zip file) from the link at the bottom of this page, unzip it and place it in the nessus plugin folder (\/opt\/nessus\/lib\/nessus\/plugins)<\/p>\n<p>The plugin file is called ike-scan-wrapper.nasl<\/p>\n<p>Stop the nessus service<\/p>\n<p><strong><span style=\"font-family: 'Courier New';\">\/etc\/init.d\/nessusd stop<\/span><\/strong><\/p>\n<p>Start the service again, and load the new plugin at the same time<\/p>\n<p><strong><span style=\"font-family: 'Courier New';\">\/opt\/nessus\/sbin\/nessusd -t -D<\/span><\/strong><\/p>\n<h3>Using the plugin<\/h3>\n<p>In this post, I will use the Nessus client for Windows to illustrate the usage, but everything should work exactly the same way when running the client from a different 
OS<\/p>\n<p>Create a scan policy by clicking on the + sign at the right hand side<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image147.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb147.png\" border=\"0\" alt=\"image\" width=\"255\" height=\"239\" \/><\/a><\/p>\n<p>Set a name and enable \u201cshare this policy across multiple sessions\u201d if you want to keep the settings for future scans<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image148.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb148.png\" border=\"0\" alt=\"image\" width=\"259\" height=\"94\" \/><\/a><\/p>\n<p>Under \u201coptions\u201d, make sure to set the number of hosts and checks in parallel to 1. This is mandatory, because it is not possible to run multiple ike-scan instances at the same time if they use the same local port (udp\/500) (You can, however, set the source port to 0, which will force ike-scan to take a random high port, so you can run multiple tests simultaneously.\u00a0 On the other hand, the remote device may require that you use source port 500 as well, so you\u2019ll have to take this into account)<\/p>\n<p>The plugin does not rely on portscanner results, so disable the portscanners and host ping. 
So even hosts that do not respond to a UDP port scan to port 500 can be audited with this plugin<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image149.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb149.png\" border=\"0\" alt=\"image\" width=\"176\" height=\"170\" \/><\/a><\/p>\n<p>Go to the plugin selection page and click \u201cdisable all\u201d. Verify that all sections are disabled.<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image150.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb150.png\" border=\"0\" alt=\"image\" width=\"175\" height=\"168\" \/><\/a><\/p>\n<p>Navigate to section <strong>\u201cService detection\u201d<\/strong>, open the section and select the ike-scan (nasl-wrapper) plugin.<\/p>\n<p>Go to the \u201cAdvanced\u201d tabsheet.<br \/>\nSelect the Ike-scan (nasl-wrapper) entry from the dropdown list<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image152.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb152.png\" border=\"0\" alt=\"image\" width=\"313\" height=\"83\" \/><\/a><\/p>\n<p>These are the default options :<\/p>\n<ul>\n<li>Scan mode : aggressive\u00a0 (you can select main mode as well, but testing for aggressive mode may be your first test, as this mode is less safe than main mode)<\/li>\n<li>Retries : 2 (if you increase this value, results will be more accurate (if you are auditing hosts via an unreliable link), but it will slow down the scan against non-responsive hosts.<\/li>\n<li>Backoff fingerprinting enabled (this will slow down the scan, but you will get a device vendor guess. 
If you are not interested in the vendor guess, disable this setting)<\/li>\n<li>Transform attributes disabled (this will also slow down the scan, but it will give you the most accurate results). The default setting is disabled, but it may be a good idea to enable it.<\/li>\n<li>Encryption algorithms, Hashing Algorithms, Authentication Methods and Diffie-Hellman groups : please visit the ike-scan website to understand what these strings are and how to use them. Just make sure to separate entries with a comma and not to use any spaces.\u00a0\u00a0 You can use these fields to limit the algo\u2019s\/methods while transforming attributes.<\/li>\n<li>Try default transform set and variate auth methods : this option is disabled by default, because it will slow down the scan.\u00a0 Using this option can be enough to already identify a VPN vendor (and\/or find some obvious proposals).<\/li>\n<li>Try custom transform : you can specify a set of encryption\/auth\/hash\/dh group parameters to further audit one particular proposal. Have a look at the ike-scan wiki to find more information about these values and what they mean.<\/li>\n<li>Extract PSK is enabled by default. (PSK extraction will only work in aggressive mode. So even if the option is enabled for main mode, no output will be returned)<\/li>\n<li>Source and destination port are set to UDP 500 (for maximum compatibility). As stated earlier, if you set the source port to 0, ike-scan will take a random high port number, allowing you to run multiple scans at the same time, but you have to verify that the remote device supports this.<\/li>\n<li>If you have a UDP scanner in Nessus, you can enable \u201conly audit if destination port is open\u201d, but generally this is not needed.<\/li>\n<li>IKE lifetime set to 28800<\/li>\n<li>IKE lifesize set to 0Kb (= disabled)<\/li>\n<li>ID and ID Type : see the ike-scan wiki for more information on these fields\u00a0 (ID = Group ID. 
You can specify multiple group IDs by separating them with a comma.\u00a0 Note : ID only works in aggressive mode)<\/li>\n<li>Send custom vendor ID : if you want to send specific vendor ID or ID\u2019s, you can enable this option and enter the hexadecimal vendor ID in the custom Vendor ID field. If you want to try multiple vendor ID\u2019s, then enter the various IDs and separate them with a comma. Make sure not to use any spaces in this field.<\/li>\n<li>Enable NAT-Traversal (disabled by default)<\/li>\n<li>Show scan output in report : disabled by default. Especially if you scan with most options enabled, this report may become quite lengthy, but on the other hand, you\u2019ll have the output of all handshakes that were encountered during the scan, together with the transform that was used.<\/li>\n<\/ul>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image158.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb158.png\" border=\"0\" alt=\"image\" width=\"351\" height=\"329\" \/><\/a><\/p>\n<p><em>(note : this screenshot may be somewhat outdated \u2013 depending on the version that you are using)<\/em><\/p>\n<p>Click Save<\/p>\n<p>On the main page, on the left hand side, add the hosts\/networks you want to audit<\/p>\n<p>Then, select the new policy on the right hand side again and click \u201cScan now\u201d<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image154.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb154.png\" border=\"0\" alt=\"image\" width=\"257\" height=\"234\" \/><\/a><\/p>\n<p>Now wait<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image155.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; 
border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb155.png\" border=\"0\" alt=\"image\" width=\"256\" height=\"222\" \/><\/a><\/p>\n<p>You can follow up on the scan process by looking at the following files (tail -f) :<\/p>\n<p><span style=\"font-family: 'Courier New';\">\/opt\/nessus\/var\/nessus\/logs\/nessusd.dump<\/span><\/p>\n<p><span style=\"font-family: 'Courier New';\">\/opt\/nessus\/var\/nessus\/logs\/nessusd.messages<\/span><\/p>\n<p><span style=\"font-family: 'Courier New';\">\/var\/log\/messages<\/span><\/p>\n<p>As soon as the scan kicks in, you should get something like this (in nessusd.dump) :<\/p>\n<p><span style=\"font-family: 'Courier New'; font-size: xx-small;\">Initiating IKE audit<br \/>\n--------------------------------------<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Source port set to UDP 500<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Destination port set to UDP 500<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Target ip : 1.1.1.1<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Nr of retries set to 1<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] PSK Dump\/Extract enabled<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] IKE Aggressive mode scan enabled<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Transform attributes enabled (scan will be slow, please wait)<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;[+] Running ike-scan against 1.1.1.1:500<br \/>\nike-scan-wrapper.nasl[12037.14]&gt;\u00a0\u00a0\u00a0 -&gt; Aggressive mode<\/span><\/p>\n<p>You can follow the scan process (including all ike-scan parameters) in \/var\/log\/messages<\/p>\n<p><span style=\"font-family: 'Courier New'; font-size: xx-small;\">Feb\u00a0 1 11:40:55 router-3 ike-scan[25601]: Starting: --retry=1 --sport=500 --dport=500 --lifetime=28800 --pskcrack -A --showbackoff --multiline --trans=7\/192,5,4,7 1.1.1.1<br \/>\nFeb\u00a0 1 11:40:55 router-3 ike-scan[25601]: Ending: 1 hosts scanned in 0.041 seconds (24.68 hosts\/sec). 
0 returned handshake; 1 returned notify<br \/>\nFeb\u00a0 1 11:40:55 router-3 ike-scan[25602]: Starting: --retry=1 --sport=500 --dport=500 --lifetime=28800 --pskcrack -A --showbackoff --multiline --trans=7\/192,5,4,8 1.1.1.1<br \/>\nFeb\u00a0 1 11:40:55 router-3 ike-scan[25602]: Ending: 1 hosts scanned in 0.038 seconds (26.21 hosts\/sec). 0 returned handshake; 1 returned notify<br \/>\nFeb\u00a0 1 11:40:55 router-3 ike-scan[25603]: Starting: --retry=1 --sport=500 --dport=500 --lifetime=28800 --pskcrack -A --showbackoff --multiline --trans=7\/192,5,4,12 1.1.1.1<br \/>\nFeb\u00a0 1 11:40:55 router-3 ike-scan[25603]: Ending: 1 hosts scanned in 0.040 seconds (25.16 hosts\/sec). 0 returned handshake; 1 returned notify<\/span><\/p>\n<p>When the scan has completed, you should see the report :<\/p>\n<p><a href=\"\/wp-content\/uploads\/2009\/01\/image156.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"\/wp-content\/uploads\/2009\/01\/image-thumb156.png\" border=\"0\" alt=\"image\" width=\"397\" height=\"362\" \/><\/a><\/p>\n<p>(don\u2019t pay attention to the Nessus-ID. I just used a random high number that is not linked or affiliated with Nessus in any way)<\/p>\n<p>You may notice that the plugin for vendor guessing may output the same string several times. This is caused by the fact that, for every proposal that was found, backoff fingerprinting was executed. Sometimes, you will only find the vendor after one of the backoff attempts, so I decided to show all strings in the output, so you can decide for yourself.<\/p>\n<h3><\/h3>\n<h3>Download<\/h3>\n<p>You need to be logged in to download this script. 
You can log in and\/or register using the \u201cLog In\u201d link on the right hand side of this blog.<\/p>\n<p>[download id=\"13\"]13[\/download]<\/p>\n<h3>Version updates<\/h3>\n<p>Current version : 1.0.9<\/p>\n<p><strong><em>Check back regularly to see if new updates are available.<\/em><\/strong><\/p>\n<p>Update history<\/p>\n<p>1.0.9 : 18 march 2009 : fixed reference to ike-scan wrapper from openvas, and family statement<\/p>\n<p>1.0.8 : Added reference to cve and set plugin timeout to unlimited<\/p>\n<p>1.0.7 : Fixed typo in Nessus\/OpenVAS family. Plugin now resides under \u201cService detection\u201d<\/p>\n<p>1.0.6 : cleaned up some code, fixed copyright statement<\/p>\n<p>1.0.5 : feb 4th, 2009 : Fixed some minor bugs, added options (such as allowing the auditor to specify the list of encryption\/hashing algo\u2019s, auth methods and dh groups that can be used when transforming attributes; and speeding up the backoff vendor guessing process). The plugin ID was changed to 60001. Many thanks to Tim Brown for working with me on getting this version released.<\/p>\n<p>1.0.4 : feb 1st, 2009 : Fixed a bug with hosts that do not respond anything at all<\/p>\n<p>1.0.3 : Added some options, moved the plugin from \u201cMisc\u201d section to \u201cPVE Custom\u201d section<\/p>\n<p>1.0.2 : First version released to public<\/p>\n<h3>Final notes<\/h3>\n<p><a href=\"https:\/\/www.corelan.be\/index.php\/forum\/\" target=\"_blank\" rel=\"noopener\">If you find bugs, let me know.<\/a> (support forum)<\/p>\n<p>If you like this plugin, let me know, and even more important : tell it to others !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ike-scan is a great tool to audit VPN\/IPSec implementations.\u00a0 This tool, which runs under Lunix, Unix, MacOS and Windows, can be found at www.nta-monitor.com\/tools\/ike-scan\/ (Latest version at time of writing is 1.9). 
My Nessus ike-scan NASL wrapper may or may not work with earlier versions or newer versions, so test test test) Some of the &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Nessus\/OpenVAS wrapper for ike-scan\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[488,64,164,127],"tags":[1478,1475,883,583,571,535,484],"class_list":["post-1516","post","type-post","status-publish","format-standard","hentry","category-corelan-free-tools","category-linux","category-networking","category-security","tag-plugin","tag-nessus","tag-security","tag-vpn","tag-ipsec","tag-encryption","tag-free-tool"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Nessus\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" 
content=\"Nessus\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"ike-scan is a great tool to audit VPN\/IPSec implementations.\u00a0 This tool, which runs under Lunix, Unix, MacOS and Windows, can be found at www.nta-monitor.com\/tools\/ike-scan\/ (Latest version at time of writing is 1.9). My Nessus ike-scan NASL wrapper may or may not work with earlier versions or newer versions, so test test test) Some of the &hellip; Continue reading &quot;Nessus\/OpenVAS wrapper for ike-scan&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2009-01-30T22:22:05+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Nessus\\\/OpenVAS wrapper for 
ike-scan\",\"datePublished\":\"2009-01-30T22:22:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/\"},\"wordCount\":1997,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"plugin\",\"nessus\",\"security\",\"vpn\",\"ipsec\",\"encryption\",\"free tool\"],\"articleSection\":[\"Corelan Free Tools\",\"Linux and Unix\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/\",\"name\":\"Nessus\\\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2009-01-30T22:22:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/01\\\/30\\\/nessus-wrapper-for-ike-scan\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Nessus\\\/OpenVAS wrapper for ike-scan\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and 
security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Nessus\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/","og_locale":"en_US","og_type":"article","og_title":"Nessus\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"ike-scan is a great tool to audit VPN\/IPSec implementations.\u00a0 This tool, which runs under Lunix, Unix, MacOS and Windows, can be found at www.nta-monitor.com\/tools\/ike-scan\/ (Latest version at time of writing is 1.9). My Nessus ike-scan NASL wrapper may or may not work with earlier versions or newer versions, so test test test) Some of the &hellip; Continue reading \"Nessus\/OpenVAS wrapper for ike-scan\"","og_url":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2009-01-30T22:22:05+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Nessus\/OpenVAS wrapper for 
ike-scan","datePublished":"2009-01-30T22:22:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/"},"wordCount":1997,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["plugin","nessus","security","vpn","ipsec","encryption","free tool"],"articleSection":["Corelan Free Tools","Linux and Unix","Networking","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/","url":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/","name":"Nessus\/OpenVAS wrapper for ike-scan - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2009-01-30T22:22:05+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2009\/01\/30\/nessus-wrapper-for-ike-scan\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Nessus\/OpenVAS wrapper for ike-scan"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":14888,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1516"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1516\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}