Penetration Testing mailing list archives
Re: [PEN-TEST] Route Poisoning
From: Dario Ciccarone <dciccaro () EMPLOYEES ORG>
Date: Thu, 8 Mar 2001 01:49:51 -0800
> I was wondering whether it was possible for someone to spoof routing update tables being exchanged by routers to keep their routing tables current. As far as I know the routing table updates are multicast packets which can be sent to the Ethernet port of the router. In a scenario where someone has access to the traffic using an Ethernet sniffer on a hub LAN, I think it would be possible for someone to capture the update packets. This would first of all give the intruder knowledge about the network, and also IP spoofing can be used to generate fake update packets.

a) can be multicast (OSPF, EIGRP), local broadcast (RIPv1 and v2), unicast (BGP, also RIP if so configured)

b) multicast on a switched network would go to all ports (if the switch doesn't do IGMP snooping) or some ports. broadcast, all ports. unicast, only the port where the destination L3 address is connected to, but it's easy to do ARP spoofing using tools such as arpredirect or ettercap & get the packets. on a flat network as you describe, only using hubs, you're going to receive the packets by default.

c) by reading the routing update packets the intruder would know what hosts are routers (like Cisco routers), what hosts have been configured to work as routers, and what networks those routers are connected to. good info all of it, to discover the topology of the network

> By sending a wrong update the intruder can direct traffic through the network through whatever route he/she desires. In RIP there is no authentication done to check the source of the packet. In OSPF an MD5 checksum of a password provided is used to check the authenticity of the update. (I am not 100% sure on this part, please correct me if I am wrong here.) However I have been informed that normally nobody bothers with this password!!

a) can send the data packets in transit to himself, capture the data and then forward the packets toward the final destination (it has to, or else someone would notice that the network isn't working as expected)

b) RIPv2, EIGRP, OSPF and BGP all offer the feature of authenticating routing updates, by using a plaintext password or an MD5 hash. don't know about IS-IS. don't remember about IGRP. but the issue is that many people don't configure authentication of routing updates at all . . .

> Now coming to the point which I am interested in, first of all is this all possible??? or am I missing out on some very basic stuff!!! second, if possible, can someone direct me to a site which has more info on this or maybe share whatever he/she knows about all this.

it's possible. more information available at http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

Dario
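A defender's check for the gap described in b) above, as an added example that is not part of the thread: it parses constructed RIPv2 response packets and flags updates that carry no authentication entry or a plaintext password, using the keyed-MD5 form as the acceptable baseline. Entry layouts follow RFC 2453 and RFC 2082 (the MD5 header holds the digest-trailer offset, key id, auth data length and sequence number); the sample digest is a zero placeholder, not a computed value.

```python
"""Audit RIPv2 response packets for missing or weak update authentication."""
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AF_AUTH = 0xFFFF                           # address-family value that marks an authentication entry
AUTH_NAMES = {2: "plaintext", 3: "md5"}    # RFC 2453 simple password, RFC 2082 keyed MD5
HEADER = struct.pack("!BBxx", RIP_RESPONSE, RIP_V2)

def parse_rip(pkt):
    """Return (auth_kind, [(prefix, metric), ...]) for one RIPv2 response packet."""
    command, version = struct.unpack("!BBxx", pkt[:4])
    if (command, version) != (RIP_RESPONSE, RIP_V2):
        raise ValueError("not a RIPv2 response")
    auth_kind, routes, body = "none", [], pkt[4:]
    for off in range(0, len(body) - 19, 20):          # every entry is 20 bytes
        afi, tag = struct.unpack("!HH", body[off:off + 4])
        if afi == AF_AUTH:
            if off == 0:                              # leading entry declares the auth type
                auth_kind = AUTH_NAMES.get(tag, f"unknown-{tag}")
            continue                                  # trailing entry (tag 1) carries the MD5 digest
        addr, _mask, _next_hop, metric = struct.unpack("!4s4s4sI", body[off + 4:off + 20])
        routes.append((".".join(map(str, addr)), metric))
    return auth_kind, routes

def audit(packets):
    """Map each packet label to a finding; MD5-keyed updates produce no finding."""
    findings = {}
    for label, pkt in packets.items():
        kind, routes = parse_rip(pkt)
        if kind == "none":
            findings[label] = f"unauthenticated update advertising {len(routes)} route(s)"
        elif kind == "plaintext":
            findings[label] = "plaintext password: readable by any sniffer on the segment"
        elif kind != "md5":
            findings[label] = f"unrecognised authentication type {kind}"
    return findings

def route_entry(prefix, metric):
    """Build one 20-byte RIPv2 route entry with a /24 mask and next hop 0.0.0.0."""
    octets = bytes(int(o) for o in prefix.split("."))
    return struct.pack("!HH4s4s4sI", 2, 0, octets, bytes([255, 255, 255, 0]), bytes(4), metric)

# Constructed sample packets (not captured traffic): the same route under three authentication choices.
ROUTE = route_entry("10.1.1.0", 1)
SAMPLES = {
    "no-auth": HEADER + ROUTE,
    "plaintext": HEADER + struct.pack("!HH16s", AF_AUTH, 2, b"secret") + ROUTE,
    "md5": HEADER + struct.pack("!HHHBBI8x", AF_AUTH, 3, 44, 1, 16, 7) + ROUTE
           + struct.pack("!HH", AF_AUTH, 1) + bytes(16),          # digest placeholder, not computed
}
```

Running `audit(SAMPLES)` reports the unauthenticated and plaintext packets and stays silent on the MD5-keyed one; the same parser can be pointed at captured UDP/520 payloads from a hub or mirror port.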
Current thread:
- [PEN-TEST] Route Poisoning Shrikanth Shetty (Mar 07)
- Re: [PEN-TEST] Route Poisoning Enno Rey (Mar 07)
- Re: [PEN-TEST] Route Poisoning Curt Wilson - Netw3 Consulting (Mar 08)
- Re: [PEN-TEST] Route Poisoning Dario Ciccarone (Mar 08)
- <Possible follow-ups>
- Re: [PEN-TEST] Route Poisoning J C (Mar 10)