Let's move on to somewhat higher layer Cisco-specific protocol attacks. Since both Generic Routing Encapsulation (GRE) and Point-to-Point Tunneling Protocol (PPTP) also belong to Layer 2, and they can carry different Layer 3 protocols, this division is somewhat artificial. Nevertheless, in our opinion they are somewhat higher on the "protocol ladder" than, for example, Spanning Tree Protocol (STP) and virtual LAN (VLAN) related protocols, in the way Link Layer Control (LLC) is higher than Media Access Control (MAC) on the Ethernet, even though they belong to the same OSI layer. For the purposes of this book, such division seems to work fine.
As in the previous chapter, some of the protocols described are not Cisco-specific, nor are they from Cisco Systems. However, they do frequently use Cisco-made devices and definitely deserve a mention here.
Here we discuss higher layer Cisco-specific protocol attacks. Hot Standby Router Protocol (HSRP) operates at the same layer with ARP and belongs to the First Hop Redundancy Protocol (FHRP) family.
A common scenario found in the larger enterprises is two or more Cisco routers or PIX firewalls using HSRP or its improved sibling, the PIX failover protocol, on routers or firewalls working in parallel to provide uninterrupted connection to the Internet. By sharing a virtual IP address and a MAC address via HSRP, two or more of these hosts can act as a single virtual host. This virtual host becomes the network gateway. The members of the virtual group continuously exchange status multicast messages sent to the address 220.127.116.11. This way, if one of the routers or firewalls fails for a planned or unplanned reason, the other can safely assume the active responsibility and continue to forward traffic with the change process being completely transparent to end users. The PIX failover protocol also exchanges the state table information between the involved devices, so that uninterrupted firewalling is provided as well as uninterrupted traffic forwarding and no temporary security gap is created.
A problem in Cisco HSRP (RFC 2881) protocol makes it possible to deny service to legitimate users of network resources and, under certain conditions, run successful man-in-the-middle attacks against the network gateway. By eavesdropping on the HSRP messages sent, an internal attacker can obtain the necessary information, such as authenticator and the group ID. Then, he can create a spoofed message with a highest priority (255), forcing the other participating parties in the group to withdraw active status and switch to the speak or listen state. In a case of a priority tie (another router with 255 as HSRP priority), a router with a higher IP address will win. Because no device is in the active state, the traffic would simply go to the blackhole. Providing the attacker is located in the same subnet with the inactive virtual IP, he can safely create a subinterface on a machine, giving it the same IP as the virtual IP of the gateway and setting up a static route via one of the known routers, thus executing an effective man-in-the-middle attack. The attacker must remember to continue sending the top priority HSRP packets to keep the other host inactive and set the highest IP possible on the attacked subnet for the attacking interface.
These attacks can succeed only if the attacking router has the preempt command configured, which is not a problem when a specific HSRP hacking tool is used.
HSRP-enabled devices operate by exchanging multicast messages among themselves every 3 seconds, advertising their priority levels. The default priority level is typically 100, so if one of the participating devices is configured to have a higher prioritysay, 101the other devices would have to obey this information and switch to standby mode. Since the authentication field is sent in cleartext, it is trivial for an attacker to send a fake HSRP message that would be obeyed by participating devices.
One of the tools that can send custom HSRP packets is hsrp from the IRPAS protocol exploitation suite written by the Phenoelit group.
arhontus / # ./hsrp -i <interface> -v <virtual IP> -d <router ip> -a <authword> -g <group> [-S <source>]
You need to know the correct authentication secret and the group ID so the other routers will accept and obey your packets. Since HSRP traffic advertisements are performed over multicast, sniffing them out is not difficult. The -d switch of the tool specifies the destination of the packet, and you can send it to a selected router to switch its state or fire straight away to the multicast group address to affect the whole HSRP group. Here's a simple example, in which a single HSRP packet is sent to the multicast address:
arhontus / # ./hsrp -d 18.104.22.168 -v 192.168.66.125 -a arhont -g 10 -i eth0
You can also use Yersinia to launch HSRP attacks. In the ncurses GUI, the HSRP mode is activated by pressing F4. As usual, enter e to edit the HSRP packet fields in accordance to the attacked network MAC and IP addressing, HSRP version, authentication password, hold time (default 10 seconds), and so on. In a client/server mode, the parameters are defined using the set hsrp command:
yersinia# set hsrp ? defaults Set all values to default dest Set destination MAC address dport Set UDP destination port group Set router group hello Set hsrp hello time hold Set hsrp hold time interface Set network interface to use ipdest Set destination IP address ipsource Set source IP address ipvirtual Set virtual IP address opcode Set hsrp operation code password Set auth password to use priority Set router priority version source Set source MAC address sport Set UDP source port state Set hsrp state version Set hsrp version
Yersinia implements three HSRP attack options:
yersinia# run hsrp attack <0> NONDOS attack sending raw HSRP packet <1> NONDOS attack becoming ACTIVE router <2> NONDOS attack becoming ACTIVE router (MITM) <cr>
The first option is simply sending a custom HSRP packet. This can be used to test different HSRP implementations . The second option is becoming the active router with a fake IP, which actually leads to a blackhole Denial of Service (DoS). The third attack offers a valid active router IP, turning the DoS attack into a man-in-the-middle. Don't forget to enable IP forwarding on the attacking machine and provide a valid static route to the legitimate gateway, so that the addition of your host into the HSRP group is seamless.
The old recommendation from Cisco Systems is to deploy HSRP with IPSec to protect sensitive information and acknowledge authentication of the messages. A newer recommendation is to use the latest HSRP implementation that supports authentication via MD5 hash; this was introduced in Cisco IOS 12.3(2)T and fully integrated into IOS 12.2(25)S.
To configure this feature, use the standby [group-number] authentication md5 key-string [0 7] key [timeout [seconds]] command. The keystring argument can be up to 64 characters in lengthat least 16 characters is recommended. Zero or no argument before the key would store the shared secret unencrypted. The timeout setting in seconds is the period of time that the original key string will be accepted before the configuration of all routers in the HSRP group with a new key is allowed.
Alternatively, you can use the IETF standard Virtual Router Redundancy Protocol (VRRP) instead of HSRP. Although the VRRP standard can support both IPSec Authentication Header (AH) and MD5 hash-based authentication, to our knowledge, Cisco IOS supports only the latter option. VRRP support was introduced into Cisco IOS release 12.2(13)T and integrated into IOS 12.2(14)S. You can read about configuring VRRP on Cisco routers at http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008042fbd9.html .