Kali Linux

IKE Scan is tool number 2 for information gathering. You will find it in the Information Gathering section in Kali Linux.

Here we are discussing, in order, the Information Gathering tools that come pre-installed on Kali Linux.

What is IKE Scan?

IKE Scan is not a widely known tool, but it is popular among pro users and pen-testers. It is available for both Windows and Linux. It is an open-source project available for free on the internet. You can also modify and develop it under the GPL license.
 
IKE (Internet Key Exchange) Scan is used to discover IKE hosts and to fingerprint them using the retransmission backoff pattern. IKE Scan discovers the hosts running IKE: it sends IKE requests to the target hosts and shows the hosts that responded.
 
It also does fingerprinting, which means it determines the implementation used by the IKE hosts. There are several ways to do this, but mainly it uses the retransmission backoff pattern.

How To Use IKE Scan

Fire up your Kali Linux, open the terminal, type ike-scan and hit Enter to get the interface of the tool.
 

You can specify the hosts by their IP addresses or names. To do that, simply use the command ike-scan 192.168.1.10. Replace the IP address with your target host.

To specify all hosts in a given network together, use the format IPnetwork/bits (e.g. 192.168.1.10/24). It will scan all the hosts of the given network.
 
To scan hosts in a target range, use the format IPstart-IPend (e.g. 192.168.1.2-192.168.1.140).
 

You can also use the --file option to specify a file where all hosts are saved.

How IKE Scan Can Be Used

We use IoT search engines to find devices running an IKE server. Here we are using the Shodan search engine, which is very popular and very powerful. We got some IP addresses from the search results and picked the first IP address to do the test.
 
Now we will start the IKE Scan tool and scan the IP address that we picked. To scan hosts we use the command ike-scan followed by the IP address, which scans the hosts to learn about their IKE server.
 
It has shown the result. We can’t share the IP we scanned with you because it could probably be considered illegal. If it is using an IKE server you will get the possible report from 
 

IKE has two phases: phase 1 is responsible for setting up and establishing a secure authenticated communication channel, and phase 2 encrypts and transports data.

Our focus of interest here would be phase 1; it uses two methods of exchanging keys:

  • Main mode
  • Aggressive mode

To scan a host for an aggressive mode handshake, use the following commands:

ike-scan x.x.x.x -M -A

Sometimes we will see the response after providing a valid group name like (vpn):

ike-scan x.x.x.x -M -A --id=vpn

We can even brute force the group names using the following script: https://github.com/SpiderLabs/groupenum

The command:

./dt_group_enum.sh x.x.x.x groupnames.dic

Cracking the PSK

To learn how to crack the PSK, follow the given steps:

  1. Adding the -P flag to the ike-scan command makes it show a response with the captured hash.
  2. To save the hash, we provide a filename along with the -P flag.
  3. Next we can use psk-crack with the following command:
psk-crack -b 5 /path/to/pskkey
     where -b is brute-force mode and the length is 5.
  4. To use a dictionary-based attack, we use the following command:
psk-crack -d /path/to/dictionary /path/to/pskkey


How it works…

In aggressive mode, the authentication hash is transmitted in the response to the packet from the VPN client that tries to establish an IPsec tunnel. This hash is not encrypted, so it can be captured and brute-forced to recover the PSK.

This is not possible in main mode, as it uses an encrypted hash along with a six-way handshake, whereas aggressive mode uses only a three-way handshake.
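
The difference described above is visible in the ISAKMP header, so it can be checked on a capture of your own gateway's traffic. The following is an added example, not code from the original article or from ike-scan: the function names and the constructed sample packets are assumptions. It parses an IKEv1 message and reports whether an aggressive-mode reply carries its HASH payload unencrypted.

```python
import struct

# ISAKMP / IKEv1 constants from RFC 2408
EXCHANGE = {2: "Main", 4: "Aggressive"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTED = 0x01
HDR = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msg id, length

def parse_isakmp(pkt: bytes) -> dict:
    """Parse the 28-byte header, then walk the payload chain if it is cleartext."""
    if len(pkt) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, nxt, ver, xchg, flags, _mid, length = struct.unpack(HDR, pkt[:28])
    if ver != 0x10 or length != len(pkt):
        raise ValueError("not a complete IKEv1 message")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads, off = [], 28
    while nxt != 0 and not encrypted:  # ciphertext cannot be walked
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"exchange": EXCHANGE.get(xchg, str(xchg)),
            "encrypted": encrypted, "payloads": payloads}

def exposes_psk_hash(pkt: bytes) -> bool:
    """True when an aggressive-mode message carries HASH in cleartext."""
    info = parse_isakmp(pkt)
    return (info["exchange"] == "Aggressive" and not info["encrypted"]
            and "HASH" in info["payloads"])

def build(xchg: int, flags: int, chain: list) -> bytes:
    """Constructed sample packet: (payload type, body size) pairs, zero-filled."""
    body = b""
    for i, (_ptype, size) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 4 + size) + bytes(size)
    return struct.pack(HDR, b"I" * 8, b"R" * 8, chain[0][0], 0x10,
                       xchg, flags, 0, 28 + len(body)) + body

# Constructed samples, not captures: aggressive-mode reply vs. main-mode message 6
AGGR_REPLY = build(4, 0, [(1, 48), (4, 128), (10, 20), (5, 8), (8, 20)])
MAIN_MSG6 = build(2, FLAG_ENCRYPTED, [(5, 8), (8, 20)])

if __name__ == "__main__":
    for name, pkt in (("aggressive reply", AGGR_REPLY), ("main msg 6", MAIN_MSG6)):
        print(name, parse_isakmp(pkt), "PSK hash exposed:", exposes_psk_hash(pkt))
```

A gateway whose replies make `exposes_psk_hash` return True is accepting aggressive mode with a pre-shared key; the main-mode message has the encryption flag set, so its ID and HASH payloads never appear in the clear.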

Hope this article was helpful for you. Thank you.




Warning:

We are not sure about the law for scanning hosts for IKE server. Please read the law of your country and use the tool at your own risk. We are not responsible for any damage caused by illegal activity or misuse of the tool. The tutorial is only for educational purposes.