# The IKE Scanner (ike-scan) is Copyright (C) 2003-2005 Roy Hills,
# NTA Monitor Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
# If this license is unacceptable to you, I may be willing to negotiate
# alternative licenses (contact ike-scan@nta-monitor.com).
#
# $Id: ike-vendor-ids,v 1.13 2005/01/01 16:49:53 rsh Exp $
#
# ike-vendor-ids -- File containing known Vendor IDs for ike-scan
#
# Author: Roy Hills <Roy.Hills@nta-monitor.com>
#
# Format:
# Implementation_Name<Tab>Vendor_ID_Pattern
#
# The Vendor_ID_Pattern should be specified as a POSIX extended regular
# expression that will match the hex value of the Vendor ID.  The POSIX regular
# expression routines "regcomp" and "regexec" are used to compile and
# match the patterns.
#
# The hex value of the Vendor ID can only contain the characters [0-9a-f].
# The regular expression match is case insensitive, so you can use either
# upper or lower case letters [A-F] in the pattern.
#
# The pattern is not anchored by default.  If you want to match from the
# beginning of the vendor ID hex value (which is normally the case), you
# should start your pattern with "^" to anchor it at the beginning of the hex
# value.  If you don't want to allow any extra trailing data, you should end
# the pattern with "$" to anchor it at the end of the hex value.
#
# Each entry must be on one line.
#
# Lines beginning with '#' and blank lines are ignored.
#
# The input format is quite strict.  In particular, the separator between
# the implementation name and the VendorID pattern must be a single TAB and
# not a space, multiple tabs or spaces, or a mixture of tabs and spaces.
#
# If you have problems adding entries, run ike-scan as:
# ike-scan -v -v -v <any-target>
# To dump the VendorID pattern table.
#
# You are encouraged to send comments, improvements or suggestions to
# me at ike-scan@nta-monitor.com.
#
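# Added example, not part of ike-scan or its source: the format and matching
# rules above applied with regcomp/regexec in C.  The function names
# parse_entry and vid_matches are hypothetical, the sample VID values are
# constructed, and rejecting any line without exactly one TAB is this
# example's reading of the separator rule.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Split one entry at its TAB separator (modifies line in place).
 * Returns 0 and sets *name and *pattern, or -1 for comments, blank lines
 * and lines that do not contain exactly one TAB. */
int parse_entry(char *line, char **name, char **pattern)
{
    char *tab;
    line[strcspn(line, "\r\n")] = '\0';
    if (line[0] == '#' || line[0] == '\0')
        return -1;
    tab = strchr(line, '\t');
    if (tab == NULL || tab == line || tab[1] == '\0' || strchr(tab + 1, '\t'))
        return -1;
    *tab = '\0';
    *name = line;
    *pattern = tab + 1;
    return 0;
}

/* Match a Vendor ID hex string against one pattern: POSIX extended syntax,
 * case-insensitive, not anchored unless the pattern itself uses ^ or $.
 * Returns 1 on match, 0 on no match, -1 if the pattern fails to compile. */
int vid_matches(const char *pattern, const char *vid_hex)
{
    regex_t re;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, vid_hex, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Entry copied from this file; the VID value below is constructed. */
    char line[] = "Dead Peer Detection\t^afcad71368a1f1c96b8696fc7757....\n";
    char *name, *pattern;
    if (parse_entry(line, &name, &pattern) != 0)
        return 1;
    printf("%s: %d\n", name, vid_matches(pattern, "AFCAD71368A1F1C96B8696FC77570100"));
    return 0;
}
```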

# Microsoft/Cisco IPsec implementation for Win-2000 and above.
# The first 16 bytes are the MD5 hash of "MS NT5 ISAKMPOAKLEY"
Windows-2000	^1e2b516905991c7d7c96fcbfb587e46100000002
Windows-XP	^1e2b516905991c7d7c96fcbfb587e4610000000300000000
Windows-2003	^1e2b516905991c7d7c96fcbfb587e461000000040d000014

# Checkpoint Firewall-1/VPN-1
# The first 20 bytes (40 hex chars) are the same for all versions.  I suspect
# that these first 20 bytes are an SHA1 hash of something.
# The second 20 bytes give the Firewall-1 version number and other info.
# Firewall-1 v4.0 didn't use Vendor IDs.  v3.0 didn't support IPsec.
# See http://www.nta-monitor.com/news/checkpoint2004/index.htm for full details
Firewall-1 4.1 Base	^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000....0000
Firewall-1 4.1 SP1	^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000....0000
Firewall-1 4.1 SP2-SP6	^f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000....0000
Firewall-1 NG Base	^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000....0000
Firewall-1 NG FP1	^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013890000000000000000....0000
Firewall-1 NG FP2	^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a0000000000000000....0000
Firewall-1 NG FP3	^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138b0000000000000000....0000
Firewall-1 NG AI R54	^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c0000000000000000....0000
Firewall-1 NG AI R55	^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d0000000000000000....0000
Firewall-1 Unknown Vsn	^f4ed19e0c114eb516faaac0ee37daf2807b4381f

# Dead Peer Detection, detailed in RFC 3706.
# Last 2 bytes (4 hex chars) are major & minor version.
# Thanks to Hakan Olsson for clarifying this.
Dead Peer Detection	^afcad71368a1f1c96b8696fc7757....

# XAUTH
# This is a truncated MD5 hash of "draft-ietf-ipsra-isakmp-xauth-06.txt"
# Why "ipsra" and not "ipsec" as in the draft name I wonder?
XAUTH	^09002689dfd6b712

# SSH Communications Security IPSEC Express
# These VIDs are MD5 hashes of the text
# "SSH Communications Security IPSEC Express version x.y.z" or
# "Ssh Communications Security IPSEC Express version x.y.z"
# Where x.y.z is the version, e.g. 1.1.0
SSH IPSEC Express 1.1.0	^fbf47614984031fa8e3bb6198089b223
SSH IPSEC Express 1.1.1	^1952dc91ac20f646fb01cf42a33aee30
SSH IPSEC Express 1.1.2	^e8bffa643e5c8f2cd10fda7370b6ebe5
SSH IPSEC Express 1.2.1	^c1111b2dee8cbc3d620573ec57aab9cb
SSH IPSEC Express 1.2.2	^09ec27bfbc09c75823cfecbffe565a2e
SSH IPSEC Express 2.0.0	^7f21a596e4e318f0b2f4944c2384cb84
SSH IPSEC Express 2.1.0	^2836d1fd2807bc9e5ae30786320451ec
SSH IPSEC Express 2.1.1	^a68de756a9c5229bae66498040951ad5
SSH IPSEC Express 2.1.2	^3f2372867e237c1cd8250a75559cae20
SSH IPSEC Express 3.0.0	^0e58d5774df602007d0b02443660f7eb
SSH IPSEC Express 3.0.1	^f5ce31ebc210f44350cf71265b57380f
SSH IPSEC Express 4.0.0	^f64260af2e2742daddd56987068a99a0
SSH IPSEC Express 4.0.1	^7a54d3bdb3b1e6d923892064be2d981c
SSH IPSEC Express 4.1.0	^9aa1f3b43472a45d5f506aeb260cf214
SSH IPSEC Express 4.2.0	^6880c7d026099114e486c55430e7abee

# Cisco Unity compliant peer. VID is the MD5 hash of "CISCO-UNITY"
Cisco Unity	^12f5f28c457168a9702d9fe274cc0100

# IKE Fragmentation.  VID is the MD5 hash of the text "FRAGMENTATION"
# I've seen extra bytes on the end of a fragmentation VID payload, e.g.
# c0000000.  I don't know what these represent.
IKE Fragmentation	^4048b7d56ebce88525e7de7f00d6c2d3

# Various IKE internet drafts.  The VID payload is the MD5 hash of the
# implementation name given below.
draft-stenberg-ipsec-nat-traversal-01	^27bab5dc01ea0760ea4e3190ac27c0d0
draft-stenberg-ipsec-nat-traversal-02	^6105c422e76847e43f9684801292aecd
draft-huttunen-ipsec-esp-in-udp-00.txt	^6a7434c19d7e36348090a02334c9c805

# Extra data has been observed at the end of this VID payload.
SafeNet SoftRemote	^47bbe7c993f1fc13b4e6d0db565c68e5
# Extra data has been observed at the end of this VID payload.
Heartbeat Notify	^4865617274426561745f4e6f74696679
OpenPGP	^4f70656e5047503130313731

# VID is an MD5 hash of "ESPThruNAT"
ESPThruNAT	^50760f624c63e5c53eea386c685ca083

# SSH Sentinel.
# These VIDs are MD5 hashes of the implementation names given below.
SSH Sentinel	^054182a07c7ae206f9d2cf9d2432c482
SSH Sentinel 1.1	^b91623e693ca18a54c6a2778552305e8
SSH Sentinel 1.2	^5430888de01a31a6fa8f60224e449958
SSH Sentinel 1.3	^7ee5cb85f71ce259c94a5c731ee4e752
SSH Sentinel 1.4	^63d9a1a7009491b5a0a6fdeb2a8284f0
SSH Sentinel 1.4.1	^eb4b0d96276b4e220ad16221a7b2a5e6

Timestep	^54494d4553544550
# VID is MD5 hash of "KAME/racoon"
KAME/racoon	^7003cbc1097dbe9c2600ba6983bc8b35

# Negotiation of NAT-Traversal in the IKE - Currently IETF draft.
# The VID is the MD5 hash of the implementation name given below.
# The trailing newline (\n) on one entry is explained in
# http://www.sandelman.ottawa.on.ca/ipsec/2002/04/msg00233.html
# If this becomes an RFC, the VID should be an MD5 hash of "RFC XXXX"
# Where XXXX will be the RFC number that is assigned.
draft-ietf-ipsec-nat-t-ike-00	^4485152d18b6bbcd0be8a8469579ddcc
draft-ietf-ipsec-nat-t-ike-01	^16f6ca16e4a4066d83821a0f0aeaa862
draft-ietf-ipsec-nat-t-ike-02\n	^90cb80913ebb696e086381b5ec427b1f
draft-ietf-ipsec-nat-t-ike-02	^cd60464335df21f87cfdb2fc68b6a448
draft-ietf-ipsec-nat-t-ike-03	^7d9419a65310ca6f2c179d9215529d56
Testing NAT-T RFC	^c40fee00d5d39ddb1fc762e09b7cfea7

# A GSS-API Authentication Method for IKE - draft-ietf-ipsec-isakmp-gss-auth
# This is used by Windows 2000 and later.  Specific Windows VIDs are in a
# separate section.
# Note that the MD5 hash for "A GSS-API ..." in draft version 07 is given as
# the hash of the string with a newline appended.  I think that this is an
# error, so I've added patterns both with and without the trailing newline.
MS NT5 ISAKMPOAKLEY	^1e2b516905991c7d7c96fcbfb587e461
A GSS-API Authentication Method for IKE	^ad2c0dd0b9c32083ccba25b8861ec455
A GSS-API Authentication Method for IKE\n	^b46d8914f3aaa3f2fedeb7c7db2943ca
GSSAPI	^621b04bb09882ac1e15935fefa24aeee

# Other things I've seen but not fully classified yet.
# If anyone can confirm any of these, please let me know.
Cisco IOS	^bdb41038a7ec5e5534dd004d0f91f927
# I've seen Unknown 1 from a Cisco VPN Concentrator with a trailing 500400
# I've also seen it from an unknown device with a trailing 500306
Unknown 1	^1f07f70eaa6514d3b0fa96542a
# Unknown 2 was classified as Windows-2000
Unknown 3	^edea53a3c15d45cafb11e59ea68db2aa99c1470e0000000400000303
Unknown 4	^bedc86dabf0ab7973870b5e6c4b87d3ee824de310000001000000401
Unknown 5	^ac5078c25cabb9523979978e76a3d0d2426bc9260000000400000401
# Unknown 6 was classified as SSH IPSEC Express 4.1.0
Unknown 7	^69b761a173cc1471dc4547d2a5e94812
Unknown 8	^4c5647362e303a627269636b3a362e302e353732
Unknown 9	^3499691eb82f9eaefed378f5503671debd0663b4000000040000023c
# I've seen Unknown 10 sent from SonicWall Global VPN Client
Unknown 10	^975b7816f69789600dda89040576e0db
Netscreen	^9b096d9ac3275a7d6fe8b91c583111b09efed1a0
# The "Safenet or Watchguard" Vendor ID has also been seen sent from SonicWall
# Global VPN client.  It is normally followed by 80010000 which looks like a
# version number.
Safenet or Watchguard	^da8e9378
Unknown-cisco	^e23ae9f51a46876ff93d89ba725d649d
