
Re: [PEN-TEST] Route Poisoning

From: Dario Ciccarone <dciccaro_at_EMPLOYEES.ORG>
Date: Thu, 8 Mar 2001 01:49:51 -0800

>I was wondering whether it was possible for someone to spoof routing update
>tables being exchanged by routers to keep their routing tables current. As
>far as I know the routing table updates are multicast packets which can be
>sent to the Ethernet port of the router. In a scenario where someone has
>access to the traffic using an Ethernet sniffer on a hub LAN, I think it
>would be possible for someone to capture the update packets. This would
>first of all give the intruder knowledge about the network, and also IP
>spoofing can be used to generate fake update packets.

a) Can be multicast (OSPF, EIGRP), local broadcast (RIPv1 and v2), or unicast (BGP, also RIP if so configured).
b) Multicast on a switched network would go to all ports (if the switch doesn't do IGMP snooping) or some ports. Broadcast, all ports. Unicast, only the port where the destination L3 address is connected, but it's easy to do ARP spoofing using tools such as arpredirect or ettercap and get the packets. On a flat network as you describe, using only hubs, you're going to receive the packets by default.
c) By reading the routing update packets the intruder would know which hosts are routers (like Cisco routers), which hosts have been configured to work as routers, and which networks those routers are connected to. Good info, all of it, for discovering the topology of the network.

>By sending a wrong update the intruder can direct traffic through the
>network through whatever route he/she desires. In RIP there is no
>authentication done to check the source of the packet. In OSPF an MD5 checksum
>of a password provided is used to check the authenticity of the update. (I
>am not 100% sure on this part, please correct me if I am wrong here.) However,
>I have been informed that normally nobody bothers with this password!!

a) He can send the data packets in transit to himself, capture the data and then forward the packets toward the final destination (he has to, or else someone would notice that the network isn't working as expected).
b) RIPv2, EIGRP, OSPF and BGP all offer the feature of authenticating routing updates, by using a plaintext password or an MD5 hash. I don't know about IS-IS. I don't remember about IGRP. But the issue is that many people don't configure authentication of routing updates at all . . .

>Now coming to the point which I am interested in: first of all, is this all
>possible??? Or am I missing out on some very basic stuff!!! Second, if
>possible, can someone direct me to a site which has more info on this, or
>maybe share whatever he/she knows about all this.

It's possible.

More information is available at http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip

Dario
Received on Mar 08 2001
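A passive check for what the reply describes (RIP updates on the wire that carry no authentication entry, or only a plaintext password), as an added example that is not part of the original post or thread: it parses RIP packets per RFC 2453 (simple password) and RFC 2082 (keyed MD5) and classifies them the way a monitor on the segment would. The sample packets, addresses and password below are constructed, not captured.

```python
import struct
from socket import inet_aton, inet_ntoa

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
AUTH_AFI = 0xFFFF                        # RFC 2453: AFI 0xFFFF marks an authentication entry
AUTH_TYPES = {2: "simple-password", 3: "md5"}  # RFC 2453 simple password, RFC 2082 keyed MD5

def audit_rip_update(packet: bytes) -> dict:
    """Parse one RIP packet: command, version, authentication kind and advertised routes."""
    command, version, _ = RIP_HEADER.unpack_from(packet, 0)
    info = {"command": command, "version": version, "auth": "none", "routes": []}
    offset = RIP_HEADER.size
    while offset + RIP_ENTRY.size <= len(packet):
        afi, tag, addr, mask, _nexthop, metric = RIP_ENTRY.unpack_from(packet, offset)
        if afi == AUTH_AFI and offset == RIP_HEADER.size:
            info["auth"] = AUTH_TYPES.get(tag, "unknown(%d)" % tag)  # auth entry must come first
        elif afi == 2:  # AF_INET route; the MD5 digest trailer (AFI 0xFFFF, type 1) is skipped
            info["routes"].append((inet_ntoa(addr), inet_ntoa(mask), metric))
        offset += RIP_ENTRY.size
    return info

def finding(packet: bytes) -> str:
    """Classify a captured update the way a passive monitor on the segment would."""
    info = audit_rip_update(packet)
    if info["command"] != 2:  # only responses (command 2) carry routing updates
        return "not-a-response"
    if info["version"] == 1 or info["auth"] == "none":
        return "unauthenticated"  # any host on the segment can inject routes
    if info["auth"] == "simple-password":
        return "plaintext-password"  # the sniffer that reads the update also reads the password
    return info["auth"]

# Constructed sample packets (not real captures); the addresses and password are invented.
def rip_response(entries: bytes, version: int = 2) -> bytes:
    return RIP_HEADER.pack(2, version, 0) + entries
def route(addr: str, mask: str, metric: int) -> bytes:
    return RIP_ENTRY.pack(2, 0, inet_aton(addr), inet_aton(mask), inet_aton("0.0.0.0"), metric)
def simple_auth(password: str) -> bytes:
    return struct.pack("!HH16s", AUTH_AFI, 2, password.encode())
def md5_auth_header(key_id: int, seq: int, rip_len: int) -> bytes:
    # RFC 2082: AFI, type 3, RIP-2 packet length, key id, auth data len (16), sequence, 8 zero bytes
    return struct.pack("!HHHBBIQ", AUTH_AFI, 3, rip_len, key_id, 16, seq, 0)

SAMPLES = {
    "no-auth": rip_response(route("10.1.0.0", "255.255.0.0", 1)),
    "simple": rip_response(simple_auth("n0tS3cret") + route("10.1.0.0", "255.255.0.0", 1)),
    "md5": rip_response(md5_auth_header(1, 7, 44) + route("10.1.0.0", "255.255.0.0", 1)),
}
```

Running `finding()` over updates captured on a segment flags the "unauthenticated" and "plaintext-password" cases that the reply says are the common configuration; only the MD5 form keeps a sniffer from reusing what it sees.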
