mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-30 06:53:11 +00:00
# EIGRP Attacks
**This page was copied from** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)

## Attacking EIGRP Protocol <a href="#0f82" id="0f82"></a>

**EIGRP (Enhanced Interior Gateway Routing Protocol)** is a dynamic routing protocol. **It is a distance-vector protocol.** **If authentication and passive interfaces are not configured, an intruder can interfere with EIGRP routing and poison routing tables.** **Moreover, an EIGRP network (in other words, an autonomous system) is flat and is not segmented into zones.** What could this mean for an attacker? If they inject a route, it is likely that this route will spread throughout the EIGRP autonomous system.

<figure><img src="../../.gitbook/assets/image (25) (1).png" alt=""><figcaption></figcaption></figure>

First and foremost, attacking a standalone EIGRP system requires establishing a neighborhood with a legitimate EIGRP router, which opens up a lot of possibilities, from basic reconnaissance to various injections.

For this I will use [**FRRouting**](https://frrouting.org/). This is open-source software designed to run a router on Unix and Linux. **FRRouting** allows you to implement **a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols.** All you need to do is deploy it on your attacker’s system and you can actually pretend to be a legitimate router in the routing domain. I’ll show you how to deploy FRR on your system in the next section.

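The opening paragraph of this section names the two controls whose absence makes these attacks possible: authentication and passive interfaces. The Python audit below is an added example, not code from the original article or from HackTricks; it checks a constructed classic-mode Cisco IOS excerpt for both, and the interface names and the key-chain name `EIGRP-KEYS` are assumptions.

```python
import re

# Constructed running-config excerpt (not from the page): Gi0/0 is hardened, Gi0/1 is not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.100.100 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
interface GigabitEthernet0/1
 ip address 172.16.100.1 255.255.255.0
!
router eigrp 1
 network 10.10.100.0 0.0.0.255
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
"""

def split_sections(config):
    """Map each top-level line ('interface X', 'router eigrp N') to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace() and line != "!":
            current = sections.setdefault(line.strip(), [])
        elif current is not None and line.strip() not in ("", "!"):
            current.append(line.strip())
    return sections

def audit_eigrp(config):
    """Return (asn, interface or None, problem) for each missing control (classic mode, IPv4)."""
    sections, findings = split_sections(config), []
    for header, body in sections.items():
        proc = re.fullmatch(r"router eigrp (\d+)", header)
        if not proc:
            continue
        asn = proc.group(1)
        if "passive-interface default" not in body:
            findings.append((asn, None, "no 'passive-interface default'"))
        for cmd in body:
            active = re.fullmatch(r"no passive-interface (\S+)", cmd)
            if not active:
                continue
            intf = sections.get("interface " + active.group(1), [])
            has_mode = f"ip authentication mode eigrp {asn} md5" in intf
            has_key = any(c.startswith(f"ip authentication key-chain eigrp {asn} ") for c in intf)
            if not (has_mode and has_key):
                findings.append((asn, active.group(1), "EIGRP active without authentication"))
    return findings
```

Named-mode EIGRP (`af-interface` blocks) is not parsed here and would need its own rules.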
### Network Intelligence <a href="#41e6" id="41e6"></a>

**Connecting to the routing domain allows us to do enumeration and reconnaissance of networks without spending a lot of time scanning.** This method saves you a lot of precious time. **Plus, scanning can get you noticed by IPS/IDS security systems.** To me, connecting to the domain and enumeration is the attack vector on routing domains that gives you the most impact. But to do this you need to deploy **FRRouting**. Here we go.

**It is necessary to edit the configuration file daemons.** It lists the daemons and whether each one is enabled (yes) or not (no). We need to activate the **eigrpd** daemon.

```
~# nano /etc/frr/daemons
eigrpd=yes
```

<figure><img src="../../.gitbook/assets/image (15) (1).png" alt=""><figcaption></figcaption></figure>

After that, you need to edit the **vtysh.conf** file, adding a line that saves the configuration to a single file so that the configurations of different protocols are not scattered across separate files **(e.g. eigrpd.conf, staticd.conf).** This step is optional.

```
~# nano /etc/frr/vtysh.conf
service integrated-vtysh-config
```

The FRRouting configuration is done. Now it’s time to run the FRR daemon. **And yes, we need to enable traffic routing. By default it is disabled in Linux distributions.**

```
~$ sudo systemctl start frr
~$ sudo sysctl -w net.ipv4.ip_forward=1
```

<figure><img src="../../.gitbook/assets/image (32).png" alt=""><figcaption></figcaption></figure>

The **vtysh** command will take us to the FRR router control panel.

```
~$ sudo vtysh
```

Example:

```
Inguz# show version
```

<figure><img src="../../.gitbook/assets/image (3) (2).png" alt=""><figcaption></figcaption></figure>

> **However, don’t forget that the EIGRP routing domain can be protected by authentication. But you still have a chance to connect to the routing domain. When hello packets are sent out, they also contain cryptographic hashes. If you can extract these hashes from the traffic dump and reset the password, you can log on to the routing domain with this password.**

Go to global configuration mode and start the **EIGRP** process, specifying the autonomous system number **1**.

We also need to declare the network we are in. We are at 10.10.100.0/24. My address is 10.10.100.50/32.

```
Inguz# config
Inguz(config)# router eigrp 1
Inguz(config-router)# network 10.10.100.50/32
```

After that, the neighborhood with the legitimate EIGRP routers is established. There are two of them on my network:

* **GW1 (10.10.100.100)**
* **GW2 (10.10.100.200)**

EIGRP Neighborship with GW1 (10.10.100.100):

<figure><img src="../../.gitbook/assets/image (5) (1) (2).png" alt=""><figcaption></figcaption></figure>

EIGRP Neighborship with GW2 (10.10.100.200):

<figure><img src="../../.gitbook/assets/image (30) (1).png" alt=""><figcaption></figcaption></figure>

While the neighborhood is being established and maintained, EIGRP routers exchange their routing information. After the neighborhood is established, new routes appear in the routing table of the attacking system, namely:

* **10.1.239.0/24 via 10.10.100.100;**
* **30.30.30.0/24 via 10.10.100.100;**
* **100.100.100.0/24 via 10.10.100.100;**
* **172.16.100.0/24 via 10.10.100.200**

<figure><img src="../../.gitbook/assets/image (29) (1).png" alt=""><figcaption></figcaption></figure>

Thus, after establishing the neighborhood, we know about the existence of these subnets, which makes the pentest easier and saves time. We can do without additional subnet scanning. Now we are in the EIGRP routing domain and we can develop some attack vectors. Let’s talk about them.

### Fake EIGRP Neighbors <a href="#51ee" id="51ee"></a>

**I have found that generating and quickly sending out mass EIGRP hello packets overloads the router’s CPU, which in turn can open the door to a DoS attack.** I have developed a little [**helloflooding.py**](https://github.com/in9uz/EIGRPWN/blob/main/helloflooding.py) script, but it seems to me that the script lacks the speed of sending out the packets. **It’s caused by GIL**, which prevents the **sprayhello** function from running in multiple threads per second. **Eventually I’ll rewrite the script in C.**

<figure><img src="../../.gitbook/assets/image (2) (6) (1).png" alt=""><figcaption></figcaption></figure>

Arguments of the script:

* **Interface of the attacking system (eth0);**
* **EIGRP autonomous system number (1);**
* **Subnet where the attacking system is located. In my case, the subnet is 10.10.100.0/24**

```
~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
```

<figure><img src="../../.gitbook/assets/image (26) (1).png" alt=""><figcaption></figcaption></figure>

### EIGRP Blackhole <a href="#5c04" id="5c04"></a>

The essence of this attack is a simple injection of a false route that will poison the routing table. **Traffic to, say, the** `10.10.100.0/24` **network will go nowhere, causing a denial of service. Such an attack is called a Blackhole.** The script [**routeinject.py**](https://github.com/in9uz/EIGRPWN/blob/main/routeinject.py) will be the tool used to perform it. For this example, I will send traffic destined for host `172.16.100.140/32` to the black hole.

<figure><img src="../../.gitbook/assets/image (16) (1).png" alt=""><figcaption></figcaption></figure>

Arguments of the script:

* **interface of the attacking system**
* **EIGRP AS number**
* **IP address of the attacker**
* **IP address of the target subnet whose traffic will be sent to the black hole**
* **target subnet mask**

```
~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
```

<figure><img src="../../.gitbook/assets/image (20) (1).png" alt=""><figcaption></figcaption></figure>

**Our host seems to be in trouble :)**

<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>

As you can see, the host loses connectivity to host **172.16.100.140/32** due to route injection.

### Abusing K-Values <a href="#25aa" id="25aa"></a>

To establish EIGRP neighbors, **routers use special K-values.** They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain will crash and the neighborhood will be broken. We will use [**relationshipnightmare.py**](https://github.com/in9uz/EIGRPWN/blob/main/relationshipnightmare.py) to perform this attack.

<figure><img src="../../.gitbook/assets/image (12) (2).png" alt=""><figcaption></figcaption></figure>

Script arguments:

* **network interface**
* **EIGRP AS number**
* **IP Address of legitimate router**

**An injected packet with different K-values is sent to the EIGRP multicast IP address on behalf of the specified IP.** In my case, I will break the neighborhood on behalf of router GW1 **(address is 10.10.100.100)**.

```
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
```

<figure><img src="../../.gitbook/assets/image (9) (1).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>

<figure><img src="../../.gitbook/assets/image (27) (1).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>

**A DoS attack can be carried out in this way. During operation, endless breakups and neighborhood attempts occur, paralyzing part of the EIGRP routing domain.**

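Both the hello flooding in *Fake EIGRP Neighbors* and the K-value packets in this section are EIGRP Hello packets, so they can be watched for on the wire. The Python detector below is an added example, not code from the original article or the EIGRPWN scripts; it parses the Hello header and TLVs from constructed sample bytes, and the router allowlist, the default K-value baseline (1, 0, 1, 0, 0) and the flood threshold are assumptions.

```python
import struct

OPCODE_HELLO, TLV_PARAM, TLV_AUTH = 5, 0x0001, 0x0002

def parse_hello(payload):
    """Parse EIGRP bytes (after the IP header); None unless a Hello carrying a parameter TLV."""
    if len(payload) < 20 or payload[1] != OPCODE_HELLO:
        return None
    info = {"asn": struct.unpack("!H", payload[18:20])[0], "k": None, "auth": False}
    off = 20                                   # TLVs follow the fixed 20-byte header
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(payload):
            break                              # malformed length: stop, never loop or overread
        if tlv_type == TLV_PARAM and tlv_len >= 12:
            info["k"] = tuple(payload[off + 4:off + 9])   # K1..K5
        elif tlv_type == TLV_AUTH:
            info["auth"] = True
        off += tlv_len
    return info if info["k"] is not None else None

def audit_hellos(packets, routers, asn=1, baseline_k=(1, 0, 1, 0, 0), flood_sources=20):
    """packets: iterable of (src_ip, eigrp_bytes). Returns a sorted list of (src_ip, reason)."""
    findings, unknown = set(), set()
    for src, payload in packets:
        hello = parse_hello(payload)
        if hello is None or hello["asn"] != asn:
            continue
        if src not in routers:
            unknown.add(src)
            findings.add((src, "hello from unknown neighbor"))
        if hello["k"] != baseline_k:
            findings.add((src, "K-values differ from baseline"))
        if not hello["auth"]:
            findings.add((src, "hello without authentication TLV"))
    if len(unknown) >= flood_sources:
        findings.add(("*", f"{len(unknown)} unknown hello sources (possible flood)"))
    return sorted(findings)

# Constructed sample input: header = version 2, Hello, AS 1; auth TLV = MD5 type, zeroed digest.
HDR = bytes.fromhex("0205 0000 00000000 00000000 00000000 0000 0001")
AUTH = bytes.fromhex("0002 0028 0002 0010 00000001 00000000") + bytes(24)
ROUTERS = {"10.10.100.100", "10.10.100.200"}
SAMPLE = [
    ("10.10.100.200", HDR + AUTH + bytes.fromhex("0001 000c 0100010000 00 000f")),
    ("10.10.100.100", HDR + AUTH + bytes.fromhex("0001 000c 0101010000 00 000f")),  # K2 altered
    ("10.10.100.50", HDR + bytes.fromhex("0001 000c 0100010000 00 000f")),          # no auth TLV
]
```

Because the K-value packets carry a legitimate router's source address, the mismatch appears under a known IP. A router shutting down gracefully also sends a Hello with all K-values set to 255, so correlate a single hit with change records.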
### Routing table overflow <a href="#1d0c" id="1d0c"></a>

The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented by the [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**.

<figure><img src="../../.gitbook/assets/image (3) (4).png" alt=""><figcaption></figcaption></figure>

Script arguments:

* **network interface**
* **EIGRP AS Number**
* **Attacker’s IP address**

```
in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
```

After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of **RandIP()** in [**Scapy**](https://github.com/secdev/scapy).

<figure><img src="../../.gitbook/assets/image (4) (4).png" alt=""><figcaption><p>Routing table overflows on GW1 router</p></figcaption></figure>

<figure><img src="../../.gitbook/assets/image (21) (1).png" alt=""><figcaption><p>Overloaded router CPU</p></figcaption></figure>

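Injected routes from the Blackhole and routing table overflow sections show up as differences against a known-good route list. The Python check below is an added example, not code from the original article; it compares EIGRP-learned routes with a baseline, using the route list shown earlier on this page as constructed sample data, with the router allowlist and growth threshold as assumptions.

```python
import ipaddress

def audit_routes(baseline, current, routers, growth_limit=50):
    """baseline/current: {prefix: next_hop} for EIGRP-learned IPv4 routes. Returns sorted findings."""
    base_nets = [ipaddress.ip_network(p) for p in baseline]
    findings = []
    for prefix, hop in current.items():
        if baseline.get(prefix) == hop:
            continue                              # unchanged route
        net = ipaddress.ip_network(prefix)
        if hop not in routers:
            findings.append((prefix, f"next hop {hop} is not a known router"))
        # Longest-prefix match: a more-specific route overrides the legitimate covering one.
        covering = [b for b in base_nets if net != b and net.subnet_of(b)]
        if covering:
            findings.append((prefix, f"more-specific route inside {covering[0]}"))
    added = len(set(current) - set(baseline))
    if added > growth_limit:
        findings.append(("*", f"{added} prefixes not in baseline (possible table overflow)"))
    return sorted(findings)

# Constructed sample: the baseline is the route list shown on this page; the change is a /32
# learned from 10.10.100.50, the kind of entry the Blackhole section describes.
ROUTERS = {"10.10.100.100", "10.10.100.200"}
BASELINE = {
    "10.1.239.0/24": "10.10.100.100",
    "30.30.30.0/24": "10.10.100.100",
    "100.100.100.0/24": "10.10.100.100",
    "172.16.100.0/24": "10.10.100.200",
}
CURRENT = dict(BASELINE, **{"172.16.100.140/32": "10.10.100.50"})
```

The /32 finding explains why the host becomes unreachable even though the legitimate `172.16.100.0/24` route is still present: the longer prefix wins the lookup.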