Penetration Testing mailing list archives

Re: [PEN-TEST] Route Poisoning


From: Curt Wilson - Netw3 Consulting <netw3 () NETW3 COM>
Date: Thu, 8 Mar 2001 01:16:46 -0600

I did some research in this area for a SANS practical paper. It's not
an exhaustive document, but is a pretty good collection of routing
protocol security issues with RIP, BGP, and OSPF. Evidently, OSPF
can be used in a mode that does not take advantage of the MD5 checksum
and therefore any credentials can be easily sniffed. I don't know how
common it is to use plaintext since I've not had the chance to test
these in the field to any large degree. There are several apps,
like the various aspects of the Nemesis tool such as nemesis-ospf (by
obecian) and some of the functions of the irpas (internet routing
protocol attack suite, written by fx www.phenoelit.de) that would be
useful for these purposes. I'd guess that those two apps would be a good
place to start. For RIP spoofing, there are various tools mentioned in
Hacking Exposed that are also mentioned in the paper.

You can read the HTML version online in the Netw3 security reading room at:

http://www.netw3.com/documents/Protecting_Network_Infrastructure.htm

Someone else recently wrote a paper on OSPF security features but I can't
recall where I saw this. In any event, routing protocol security is an
interesting topic and I'd be glad to correspond privately about your
research. But please be careful, since messing with routing can cause
big problems.


By sending a wrong update the intruder can direct traffic through the
network through whatever route he/she desires. In RIP there is no
authentication done to check the source of the packet. In OSPF an MD5 checksum
of a password provided is used to check the authenticity of the update. (I
am not 100% sure on this part, please correct me if I am wrong here.) However,
I have been informed that normally nobody bothers with this password!!

Now coming to the point which I am interested in: first of all, is this all
possible??? Or am I missing out on some very basic stuff!!! Second, if
possible, can someone direct me to a site which has more info on this or maybe
share whatever he/she knows about all this?

thanks

shetty




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
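
The plaintext-versus-MD5 distinction discussed in this message is carried in the AuType field of every OSPFv2 packet header (RFC 2328: 0 = null, 1 = simple password, 2 = cryptographic). The following is an added example, not part of the original post: a small audit routine that classifies captured OSPFv2 headers by authentication mode so that areas still running null or plaintext authentication can be found and moved to cryptographic authentication. The sample headers, router IDs and the function names are constructed for illustration.

```python
import struct

# OSPFv2 common header (RFC 2328, A.3.1), 24 bytes:
# version, type, packet length, router ID, area ID, checksum, AuType, auth field
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple-password", 2: "cryptographic"}

def audit_ospf_header(packet: bytes) -> dict:
    """Classify the authentication mode of one OSPFv2 packet (the IP payload)."""
    if len(packet) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    ver, _ptype, _length, rid, area, _cksum, autype, auth = OSPF_HDR.unpack_from(packet)
    if ver != 2:
        raise ValueError(f"not OSPFv2 (version {ver})")
    finding = {
        "router_id": ".".join(map(str, rid)),
        "area": ".".join(map(str, area)),
        "auth": AUTYPE.get(autype, f"unknown({autype})"),
        # Anything other than cryptographic auth is reported as weak.
        "weak": autype != 2,
    }
    if autype == 2:
        # Auth field layout for AuType 2: zero(2), key ID(1), digest length(1), sequence(4)
        _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        finding.update(key_id=key_id, digest_len=digest_len, seq=seq)
    # For AuType 1 the 8-byte field is the password itself; it is deliberately
    # not copied into the finding so audit output never stores credentials.
    return finding

def _sample(rid, autype, auth):
    """Build a constructed Hello header (type 1) in area 0.0.0.0 for the demo."""
    return OSPF_HDR.pack(2, 1, 44, bytes(rid), bytes(4), 0, autype, auth)

# Constructed sample input: one header per authentication mode.
SAMPLES = [
    _sample([192, 0, 2, 1], 0, bytes(8)),
    _sample([192, 0, 2, 2], 1, b"EXAMPLE\x00"),
    _sample([192, 0, 2, 3], 2, struct.pack("!HBBI", 0, 1, 16, 1000)),
]

def audit_all(packets):
    return [audit_ospf_header(p) for p in packets]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```
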

