Exploiting the Core
This is the first in a two-part blog about using Yersinia to test the security of your routers and switches. While there are many exploits and areas of concern in today's routing infrastructures and designs, I am going to focus on two areas. Today's post is about man-in-the-middle (MITM) attacks against routers, specifically using Yersinia to insert your attack machine into the middle of an HSRP group.
——————-
WARNING: Audit Notes
I wanted to put this early in the post to make sure everyone knows how destructive this tool can be to one's network. This is a very invasive and dangerous exploit for the network. My usual approach is to talk with the IT manager about the exploits in this class and to inform them that, in my belief, it is better to receive a hard copy of the configs and document a simulated attack. If the customer wants us to proceed with a live attack, I always have signed documentation that ensures they know and accept the risks.
A little background on Yersinia; if you know the story or don't care, skip ahead to the next paragraph. Yersinia was developed by two researchers from Spain, David Barroso and Alfredo Andres. Their site and the tool can be found at http://www.yersinia.net . Yersinia is *nix only and ships with most major auditing distros (BackTrack, Helix, etc.).
Now on to what you have all been waiting for. It is common to find two or more Cisco routers running HSRP in parallel to provide an uninterrupted connection to the Internet. HSRP lets them share a virtual IP address and a virtual MAC address (0000.0c07.acXX for HSRP version 1, where XX is the group number), so that two or more devices act as a single virtual router, and that virtual router becomes the network gateway. The members of the group continuously exchange status (hello) messages, sent as UDP port 1985 datagrams to the multicast address 224.0.0.2. If the active router fails for any reason, the standby router notices the missing hellos and takes over the active role and the virtual addresses, so traffic keeps flowing.
A design weakness in HSRP (RFC 2281) makes this easy to abuse: the active router is elected purely on the priority carried in the hello messages, with at most a plaintext authentication string to check. Any host on the segment that can send HSRP messages with a higher priority can therefore deny service to legitimate users of the gateway and, under certain conditions, run a successful man-in-the-middle attack against the network gateway.
To accomplish this you will need Yersinia. Start by opening its ncurses interface (yersinia -I). HSRP mode is selected with F4 (the function-key bindings differ between Yersinia versions; press h in the interface for the current key list). Then press e to edit the HSRP packet fields to match the target network: MAC and IP addressing, HSRP version, authentication password, hold time (default 10 seconds), and so on. In client/server mode (yersinia -D, then connect to the CLI with telnet on TCP port 12000), the same parameters are defined with the set hsrp command:
yersinia# set hsrp ?
defaults Set all values to default
dest Set destination MAC address
dport Set UDP destination port
group Set router group
hello Set hsrp hello time
hold Set hsrp hold time
interface Set network interface to use
ipdest Set destination IP address
ipsource Set source IP address
ipvirtual Set virtual IP address
opcode Set hsrp operation code
password Set auth password to use
priority Set router priority
source Set source MAC address
sport Set UDP source port
state Set hsrp state
version Set hsrp version
Yersinia implements three HSRP attack options:
yersinia# run hsrp attack
<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)
<cr>
The first option simply sends a custom HSRP packet, which can be used to test how different HSRP implementations react. The second option makes the attacking host the active router while advertising a bogus virtual IP, which amounts to a blackhole Denial of Service (DoS): hosts keep sending traffic to a gateway that drops it. The third option advertises the legitimate virtual IP, turning the DoS into a man-in-the-middle. For that to work, enable IP forwarding on the attacking machine and add a static route to the real gateway's physical interface address (not the virtual IP, which you now own), so that traffic from the hosts is relayed upstream and your insertion into the HSRP group is seamless. Two things make the takeover possible: your packets must carry a higher priority than the current active router (255 is the maximum, so that is what you send), and any plaintext authentication string travels in the clear in every hello, so it can be copied from a capture of the UDP port 1985 traffic (the default string is "cisco"). Once you stop sending hellos, the legitimate routers reclaim the group after the hold time expires.
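The fields that set hsrp edits are the fixed 20-byte HSRP version 1 header from RFC 2281. The following is an added example, not code from the original post or from Yersinia, that decodes that header from UDP port 1985 payloads and flags what the attack above looks like on the wire: a hello from an unknown source claiming the Active state with maximum priority, plus the default plaintext authentication string. The router addresses and the packets themselves are constructed in the script, not captured from a real network.

```python
"""Decode HSRP version 1 packets and flag a rogue claim on the virtual gateway.

Added example for this post; it is not code from the original article or from
Yersinia.  The packet layout follows RFC 2281 (20-byte fixed header carried in
UDP port 1985 to 224.0.0.2).  All traffic below is constructed in the script,
not captured from a real network, and the router addresses are made up.
"""
import struct
from dataclasses import dataclass

# RFC 2281 section 5: version, opcode, state, hellotime, holdtime, priority,
# group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)          # 20 bytes
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak",
          8: "Standby", 16: "Active"}


@dataclass
class Hsrp:
    src_ip: str        # source address of the UDP datagram (from the IP header)
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str          # plaintext authentication string ("cisco" by default)
    virtual_ip: str


def parse_hsrp(src_ip: str, payload: bytes) -> Hsrp:
    """Unpack the fixed HSRPv1 header; these are the fields 'set hsrp' edits."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("short HSRP packet")
    (ver, op, st, hello, hold, prio, grp, _reserved,
     auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    return Hsrp(src_ip, ver, OPCODES.get(op, f"opcode{op}"),
                STATES.get(st, f"state{st}"), hello, hold, prio, grp,
                auth.rstrip(b"\x00").decode("ascii", "replace"),
                ".".join(str(b) for b in vip))


def build_hsrp(opcode: int, state: int, priority: int, group: int,
               auth: str, virtual_ip: str, hello: int = 3, hold: int = 10) -> bytes:
    """Pack an HSRPv1 packet.  Used here only to construct the sample traffic."""
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hello, hold, priority,
                       group, 0, auth.encode("ascii").ljust(8, b"\x00"),
                       bytes(int(o) for o in virtual_ip.split(".")))


class HsrpMonitor:
    """Track which source is active for each group and alert on a takeover."""

    def __init__(self, known_routers):
        self.known = set(known_routers)     # legitimate HSRP speakers
        self.active = {}                    # group -> (src_ip, priority)
        self.weak_auth_seen = set()         # groups already reported

    def observe(self, pkt: Hsrp) -> list:
        alerts = []
        if pkt.auth == "cisco" and pkt.group not in self.weak_auth_seen:
            self.weak_auth_seen.add(pkt.group)
            alerts.append(f"group {pkt.group}: default plaintext auth 'cisco' in use")
        if pkt.src_ip not in self.known:
            alerts.append(f"group {pkt.group}: HSRP {pkt.opcode} from unknown source {pkt.src_ip}")
        if pkt.state == "Active" or pkt.opcode == "Coup":
            prev = self.active.get(pkt.group)
            if prev is not None and prev[0] != pkt.src_ip:
                alerts.append(f"group {pkt.group}: active router changed "
                              f"{prev[0]} -> {pkt.src_ip} (priority {pkt.priority}, was {prev[1]})")
            self.active[pkt.group] = (pkt.src_ip, pkt.priority)
        return alerts


def sample_traffic():
    """Constructed packets: two real routers, then a rogue Active claim."""
    return [
        ("10.0.0.2", build_hsrp(0, 16, 110, 1, "cisco", "10.0.0.1")),   # active
        ("10.0.0.3", build_hsrp(0, 8, 100, 1, "cisco", "10.0.0.1")),    # standby
        ("10.0.0.2", build_hsrp(0, 16, 110, 1, "cisco", "10.0.0.1")),   # active again
        ("10.0.0.99", build_hsrp(0, 16, 255, 1, "cisco", "10.0.0.1")),  # rogue, max priority
    ]


def analyze(packets, known_routers=("10.0.0.2", "10.0.0.3")) -> list:
    """Feed (src_ip, payload) pairs through the monitor and return all alerts."""
    mon = HsrpMonitor(known_routers)
    alerts = []
    for src_ip, payload in packets:
        alerts.extend(mon.observe(parse_hsrp(src_ip, payload)))
    return alerts


if __name__ == "__main__":
    for line in analyze(sample_traffic()):
        print(line)
```

Run against the constructed traffic it reports the default "cisco" string once for the group, then the hello from 10.0.0.99 as both an unknown source and a change of active router from 10.0.0.2 (priority 110) to the rogue host (priority 255). To use it on real traffic, feed it the UDP port 1985 payloads and the IP source of each datagram from a capture; the legitimate speakers are the physical interface addresses of the routers in the group, never the virtual IP.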
Countermeasures against HSRP Attacks
One recommendation from Cisco Systems is to run HSRP over IPsec, so that the hello messages are authenticated and their contents protected. A newer recommendation is to use an IOS release whose HSRP implementation supports MD5 authentication; this was introduced in Cisco IOS 12.3(2)T and integrated into IOS 12.2(25)S.
To configure this feature, use the standby [group-number] authentication md5 key-string [0 | 7] key [timeout [seconds]] command. The key-string argument can be up to 64 characters long; at least 16 characters are recommended. A 0 (or no argument) before the key means the key is entered in plaintext and stored in the configuration unencrypted; 7 means you are supplying it already in Cisco type 7 form, which is an obfuscation rather than encryption and is trivially reversible, so protect your configs either way. The timeout value, in seconds, is the period during which digests computed with the old key string are still accepted after a new key is configured, which gives you a window to roll the key on every router in the HSRP group without the group splitting.
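As an added illustration, not taken from the original post or from Cisco documentation, here is the weak configuration next to the hardened one on a hypothetical router. The interface name, addresses, group number and key are assumptions chosen for the example:

```cisco
! Weak: HSRP group 1 relies on a plaintext authentication string, which is
! carried in every hello and can be read off the wire.  Leaving the
! authentication line out entirely uses the default string "cisco".
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication text cisco
!
! Hardened: the same group authenticated with an MD5 digest.
! "0" means the key is typed in plaintext and stored unencrypted;
! "timeout 120" keeps accepting digests made with the previous key for
! two minutes while the other members of the group are updated.
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string 0 Xr7vQ2pL9mBt4cWz6HnK timeout 120
```

Every router in the group must carry the same key, and a router whose digest does not verify is simply ignored by the others, so apply the change to all members within the timeout window. Afterwards, show standby should report MD5 authentication for the group, and a capture of the UDP port 1985 traffic should no longer show a readable authentication string.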
Alternatively, you can use the IETF standard Virtual Router Redundancy Protocol (VRRP) instead of HSRP. Although the VRRP standard allows for both IPsec Authentication Header (AH) and MD5 hash-based authentication, to our knowledge Cisco IOS supports only the latter. VRRP support was introduced in Cisco IOS release 12.2(13)T and integrated into IOS 12.2(14)S. You can read about configuring VRRP on Cisco routers at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008042fbd9.html.
Here are the technical differences to consider when switching from HSRP to VRRP:
Cisco Hot Standby Router Protocol (HSRP):
- Created by Cisco, for Cisco, in 1994 and later documented in RFC 2281
- Uses a default hello timer of 3 seconds with a hold timer of 10 seconds
- Sends its messages over UDP port 1985 to 224.0.0.2 (version 1)
Virtual Router Redundancy Protocol (VRRP):
- Standardized by the IETF in 1998 (RFC 2338)
- Works between multiple vendors
- Has faster timers than HSRP by default: an advertisement interval of 1 second and a master down interval of about 3 seconds
- Sends its advertisements as IP protocol 112 to 224.0.0.18
Another good reference on VRRP is the book below (available on Amazon):
VRRP: Increasing Reliability and Failover with the Virtual Router Redundancy Protocol


