Penetration Testing mailing list archives

Re: [PEN-TEST] Route Poisoning


From: Dario Ciccarone <dciccaro () EMPLOYEES ORG>
Date: Thu, 8 Mar 2001 01:49:51 -0800

I was wondering whether it was possible for someone to spoof routing update
tables being exchanged by routers to keep their routing tables current. As
far as I know the routing table updates are multicast packets which can be
sent to the Ethernet port of the router. In a scenario where someone has
access to the traffic using an Ethernet sniffer on a hub LAN, I think it
would be possible for someone to capture the update packets. This would
first of all give the intruder knowledge about the network, and also IP
spoofing can be used to generate fake update packets.

a) can be multicast (OSPF, EIGRP), local broadcast (RIPv1 and v2), unicast (BGP, also RIP if so configured)
b) multicast on a switched network would go to all ports (if the switch doesn't do IGMP snooping) or some ports.
broadcast, all ports. unicast, only the port where the destination L3 address is connected to, but it's easy to do ARP
spoofing using tools such as arpredirect or ettercap & get the packets. on a flat network as you describe, only using hubs,
you're going to receive the packets by default.
c) by reading the routing update packets the intruder would know which hosts are routers (like Cisco routers), which
hosts have been configured to work as routers, and what networks those routers are connected to. good info all of it, to
discover the topology of the network


By sending a wrong update the intruder can direct traffic through the
network through whatever route he/she desires. In RIP there is no
authentication done to check the source of the packet. In OSPF an MD5 checksum
of a password provided is used to check the authenticity of the update. (I
am not 100% sure on this part, please correct me if I am wrong here.) However
I have been informed that normally nobody bothers with this password!!

a) can send the data packets in transit to himself, capture the data and then forward the packets toward the final
destination (he/she has to, or else someone would notice that the network isn't working as expected)
b) RIPv2, EIGRP, OSPF and BGP all offer the feature of authenticating routing updates, by using a plaintext password or
an MD5 hash. don't know about IS-IS. don't remember about IGRP. but the issue is that many people don't configure
authentication of routing updates at all . . .

Now coming to the point which I am interested in: first of all, is this all
possible??? Or am I missing out on some very basic stuff!!! Second, if
possible, can someone direct me to a site which has more info on this, or
maybe share whatever he/she knows about all this.

it's possible.

more information available at http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

                                                                                                        Dario
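To make concrete what the MD5 option discussed in this thread actually checks on the receiving router, here is an added example that is not part of the original posts: a Python sketch of OSPFv2 "cryptographic authentication" (AuType 2, RFC 2328 Appendix D) with a receiver-side verifier that rejects packets whose digest, key ID or sequence number is wrong. Function names, the sample Hello and the key are mine; it assumes, as stated in the code, that keys shorter than 16 bytes are zero-padded the way IOS treats a short `ip ospf message-digest-key`.

```python
import hashlib
import hmac
import struct

# OSPFv2 header minus its 8-byte Authentication field (RFC 2328 A.3.1):
# version, type, length, router ID, area ID, checksum, AuType
OSPF_HDR = struct.Struct("!BBHIIHH")
AUTYPE_CRYPT, HELLO = 2, 1  # AuType 2 is the MD5 "cryptographic" scheme

def _padded_key(key):
    # Keys are 16-byte quantities; shorter ones are zero-padded (assumed to
    # match what IOS does with a short `ip ospf message-digest-key`).
    assert len(key) <= 16, "OSPF MD5 key is at most 16 bytes"
    return key.ljust(16, b"\x00")

def build_packet(ptype, router_id, area_id, body, key, key_id=1, seq=0):
    """Checksum 0; auth field = reserved, key ID, digest len, sequence;
    digest appended after the packet, not counted in the length field."""
    length = 24 + len(body)
    hdr = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPT)
    pkt = hdr + struct.pack("!HBBI", 0, key_id, 16, seq) + body
    return pkt + hashlib.md5(pkt + _padded_key(key)).digest()

def verify_packet(frame, keys, last_seq=None):
    """Receiver-side check; keys maps key ID -> secret. Returns (ok, reason)."""
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(frame)
    if autype != AUTYPE_CRYPT:
        return False, "AuType %d carries no integrity protection" % autype
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", frame, 16)
    if auth_len != 16 or len(frame) < length + 16:
        return False, "malformed authentication trailer"
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    expected = hashlib.md5(frame[:length] + _padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, frame[length:length + 16]):
        return False, "digest mismatch (wrong key or modified packet)"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards (replay)"
    return True, "ok"

# Constructed sample: a Hello for 10.0.0.0/24 from router 10.0.0.1, area 0.
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
KEYS = {1: b"s3cret"}

def demo():
    good = build_packet(HELLO, 0x0A000001, 0, HELLO_BODY, KEYS[1], seq=7)
    forged = bytearray(good)
    forged[24] ^= 0x01  # alter the network mask; the digest no longer matches
    guessed = build_packet(HELLO, 0x0A000001, 0, HELLO_BODY, b"guess", seq=7)
    return (verify_packet(good, KEYS, 7)[0], verify_packet(bytes(forged), KEYS)[0],
            verify_packet(guessed, KEYS)[0])
```

With AuType 0 or 1 the verifier has nothing to check, which is the point made in the thread: a plaintext password is carried in the clear and protects nothing on a sniffable segment.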

