So I started this series on Network Reliability Mechanisms back in September ( http://isc.sans.edu/diary.html?storyid=9583 ), and with work and life and the rest, I realized that I've let the promised installments in this series slide a bit.
To configure the backup router, we'll update the interface configuration:
On Router R2:
And a packet from R1, the backup.
Note that everything is in clear text, my favourite two words!
Let's mount the attack, using scapy. Scapy is written in Python and can be installed on many OS platforms (Windows, Linux and OS X, to name the top three); we'll use a Linux install today.
We'll see some parameters here that look familiar (going back to the "sho standby" output). You can see the full parameter list for HSRP available in scapy by viewing the file scapy/layers/hsrp.py. This "check the source code" method is a really nice feature in scapy!
Once the attack starts, we'll see packets on the wire from the attacker:
On R2 we'll see the primary router go to a standby state:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R1 similarly transitions to Listen mode and stays there, as there can only be one active and one standby router.
At this point, the HSRP primary is the attacking Linux host. If HSRP is implemented to represent the default gateway on this subnet, all packets leaving the subnet now go to this host, which can capture or modify them at will before forwarding packets on to their final destination. Note that you'll want to set this final routing up correctly if you plan to use this method in a penetration test!
Remediation - How Can We Fix This?
In a word, authentication. We need to authenticate each host in the HSRP relationship, so that unauthorized attackers are simply ignored - or better yet, their packets should be dropped and logged.
In HSRP, we do this with hashing, specifically MD5 hashing. This is simply done in the configuration; an updated R2 configuration is below. Be sure to use a better key string than the "secretstring" shown in the example. I generally use an Excel sheet to generate stuff like this (a string of random characters, with no zeros, o's, ones or l's; you get the idea).
In the packet captured below, you'll see that the plaintext in the HSRP packet is now scrambled. Part of the payload is now MD5 hashed using the key-string.
If an attacker mounts the attack we've shown here, the authentication will fail and you'll see this message:
*Mar 1 02:11:14.650: %HSRP-4-BADAUTH: Bad authentication from 192.168.206.133, group 1, remote state Speak
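Both the takeover described above and the MD5 fix are visible on the wire, which is what a defender can monitor for. The following is an added example, not code from the diary and not dependent on scapy: a pure-Python decoder for the fixed HSRP v1 header (RFC 2281) plus a small audit that flags hellos from addresses that are not the two known routers, priorities above what those routers are configured with, and packets still carrying plaintext authentication rather than the MD5 authentication TLV. The router addresses 192.168.206.1 and .2, the virtual IP, and the bytes of the MD5 TLV (only its type byte is inspected; the digest is a placeholder, not a real key-string hash) are constructed for the demo; the rogue address is the one from the BADAUTH log line above.

```python
"""HSRP v1 decoder and rogue-speaker audit (added example; sample packets are constructed)."""
import struct

HSRP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
MD5_TLV_TYPE = 4  # type byte of the MD5 authentication TLV appended after the fixed header


def parse_hsrp(payload: bytes) -> dict:
    """Decode the fixed 20-byte HSRP v1 header and note whether an MD5 auth TLV follows."""
    if len(payload) < 20:
        raise ValueError("payload too short for HSRP v1")
    version, opcode, state, hellotime, holdtime, priority, group, _ = struct.unpack("!8B", payload[:8])
    authdata = payload[8:16].rstrip(b"\x00")          # plaintext auth field, zero-padded ("cisco" by default)
    vip = ".".join(str(b) for b in payload[16:20])    # virtual (gateway) IP address
    trailer = payload[20:]
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "authdata": authdata,
        "virtual_ip": vip,
        "md5_auth": len(trailer) >= 2 and trailer[0] == MD5_TLV_TYPE,
    }


def audit_hsrp(packets, trusted_routers, max_priority):
    """Return (src_ip, finding) pairs for HSRP traffic that should not be on the segment.

    packets: iterable of (src_ip, udp_dst_port, udp_payload) tuples.
    trusted_routers: IPs of the routers that are supposed to run HSRP here.
    max_priority: per-group highest priority configured on those routers.
    A spoofed source IP would pass the first check, which is why the priority
    and plaintext-auth checks run for trusted sources too.
    """
    findings = []
    for src, dport, payload in packets:
        if dport != HSRP_PORT:
            continue
        h = parse_hsrp(payload)
        if src not in trusted_routers:
            findings.append((src, f"unknown speaker: {h['opcode']} group {h['group']} state {h['state']}"))
        if h["priority"] > max_priority.get(h["group"], 0):
            findings.append((src, f"priority {h['priority']} exceeds configured maximum for group {h['group']}"))
        if not h["md5_auth"]:
            findings.append((src, f"plaintext authentication {h['authdata']!r} on group {h['group']}"))
    return findings


def build_hsrp(opcode, state, priority, group, authdata, vip, md5_tlv=False, src_ip="0.0.0.0"):
    """Construct an HSRP v1 payload for the demo (constructed, not captured from the diary)."""
    pkt = struct.pack("!8B", 0, opcode, state, 3, 10, priority, group, 0)
    pkt += authdata.ljust(8, b"\x00") + bytes(int(o) for o in vip.split("."))
    if md5_tlv:
        # Assumed TLV layout: type, len, algo, pad, flags, source IP, key ID, 16-byte digest.
        # The digest is a fixed placeholder; a router computes it with the configured key-string.
        pkt += struct.pack("!BBBBH", MD5_TLV_TYPE, 28, 1, 0, 0)
        pkt += bytes(int(o) for o in src_ip.split(".")) + struct.pack("!I", 0) + b"\x11" * 16
    return pkt


VIP = "192.168.206.254"  # constructed virtual gateway address
SAMPLE_PACKETS = [
    ("192.168.206.1", HSRP_PORT, build_hsrp(0, 16, 110, 1, b"cisco", VIP)),              # R1, active
    ("192.168.206.2", HSRP_PORT, build_hsrp(0, 8, 100, 1, b"cisco", VIP)),               # R2, standby
    ("192.168.206.133", HSRP_PORT, build_hsrp(0, 16, 255, 1, b"cisco", VIP)),            # rogue speaker
    ("192.168.206.1", HSRP_PORT, build_hsrp(0, 16, 110, 1, b"", VIP, True, "192.168.206.1")),  # R1 with MD5
    ("192.168.206.9", 53, b"not hsrp"),                                                    # ignored
]


def run_demo():
    """Audit the constructed packets against the two known routers, max priority 110 on group 1."""
    return audit_hsrp(SAMPLE_PACKETS, {"192.168.206.1", "192.168.206.2"}, {1: 110})


if __name__ == "__main__":
    for src, finding in run_demo():
        print(f"{src}: {finding}")
```

The rogue host produces three findings (unknown speaker, priority 255 above the configured 110, plaintext auth), the two legitimate routers each produce only the plaintext-auth finding until the MD5 key-string is configured, and the MD5-authenticated hello from R1 produces none. In a real deployment the packet tuples would come from a capture on the segment rather than from the constructed list.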
Often we'll also see access lists to limit inbound HSRP traffic. This method is subject to ARP poisoning, so is more useful in controlling inbound HSRP when there are multiple HSRP router pairs on the same network.
Another way to get this done is to set up an IPSEC tunnel between the two HSRP participants, and direct all of the HSRP packets through this tunnel.
A final method of "fixing" HSRP is to implement VRRP, which has AH (Authentication Header) built into the protocol. Note that as a pentester, I see MD5 on HSRP much more often than I see AH implemented on VRRP. I attribute this to vendor documentation - Cisco discusses simple MD5 authentication in almost all of their HSRP documentation, and AH is not often so prominent in vendor documentation, maybe because it is deemed overly complex.
Stick around for our next installment in this series!
And as always, if you have any comments on this discussion of HSRP or of the use of the scapy tool, please use our comment form.
=============== Rob VandenBrink Metafore ===============
Dec 21st 2010
The similar protocol CARP (*BSD native, and others with uCARP) is also susceptible to this type of attack, see the recent Bugtraq posting:
That attack affects authenticated CARP because not all fields are covered by the HMAC.
Dec 23rd 2010