
Ethical Hacking - Cisco HSRP with Kali Linux - Example Demonstration and Security Precautions


The Hot Standby Router Protocol (HSRP) is a way to build redundancy into your network by allowing two or more routers to continuously test each other for connectivity and take over if a router fails. As multiple routers can participate in the HSRP group, there has to be an election to determine which one is the primary router.

This HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.

In this post, we are going to make our Kali machine an HSRP participant and have it become the active router by giving it the highest priority. The Yersinia tool (built into Kali) helps us perform this test with ease. For more information on HSRP, please refer to RFC 2281.

Yersinia

Yersinia is a layer 2 attack toolkit designed to take advantage of weaknesses in various network protocols. One of these protocols is HSRP; with Yersinia you can perform the attacks below against an HSRP environment.

<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)

These options are self-explanatory. We are going with option 1 in this post.

Hacking HSRP with Kali (or) Backtrack

As illustrated in the snap below, I have created a simple GNS3 topology with 2 HSRP-enabled routers and a Kali Linux machine connected to the same network.

And below are some of the outputs that are taken from the routers. As you can see R1 is acting as the HSRP active router with a priority value of 110 and R2 is the standby router.

Router 1: (Before Attempt)

R1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Active  local           120.0.0.12      120.0.0.13
R1#sh standby fastEthernet 0/0
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:07:31
Virtual IP address is 120.0.0.13
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.300 secs
Preemption enabled
Active router is local
Standby router is 120.0.0.12, priority 100 (expires in 7.452 sec)
Priority 110 (configured 110)
Group name is "hsrp-Fa0/0-1" (default)

Router 2: (Before Attempt)

R2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 120.0.0.11      local           120.0.0.13
R2#sh stand fa0/0
FastEthernet0/0 - Group 1
State is Standby
1 state change, last state change 00:07:09
Virtual IP address is 120.0.0.13
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.096 secs
Preemption disabled
Active router is 120.0.0.11, priority 110 (expires in 9.960 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Fa0/0-1" (default)

Let's begin.

Open a Terminal window on your Kali machine. Type the command below and press Enter:

yersinia -G

This opens the Yersinia tool in a graphical window. The same task can also be performed in the interactive text-based window (yersinia -I). In this particular post, we'll go with -G.


Click on 'Launch Attack', Select the HSRP tab.

Note: If you have multiple network adapters in your Kali box, you may have to check which interface is selected by default (click on Edit Interfaces).

As we have already mentioned, this gives us three options; we'll go with option 2. Check Option 2 (becoming ACTIVE router), and press OK. A window will appear where you can enter an IP and press OK. This doesn't have to be on the same subnet. You can enter any.


That's it. Within seconds you'll see your routers becoming standby; your Kali will take over and become the blackhole in your network.

Below are some of the logs taken after the attack,

Router 1 (After):

R1#
*Mar 1 00:12:43.567: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Standby 1.1.1.1         local           120.0.0.13

Router 2 (After):

R2#
*Mar 1 00:12:33.587: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Listen
R2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Listen  1.1.1.1         120.0.0.11      120.0.0.13

Mitigation:

You have two options to prevent these kinds of attacks:

1) Use an ACL to drop HSRP messages from unknown IPs
2) Use HSRP Authentication

To enable HSRP authentication with an MD5 key-chain, enter the following configuration:

(config)# key chain <NAME>
(config-keychain)# key <ID_number>
(config-keychain-key)# key-string <passphrase>
(config-keychain-key)# exit
(config-keychain)# exit
(config)# interface <interface>
(config-if)# standby 1 authentication md5 key-chain <NAME>

This has to be configured on all HSRP participants. Now when the attacker performs this attack, you'll see the logs below on your routers.

%HSRP-4-BADAUTH: Bad authentication from 192.168.0.22, group 1, remote state Active

Access Control Lists (ACLs) are also recommended to mitigate these attacks. By only allowing certain IP addresses to access 224.0.0.2 or 224.0.0.12, it becomes much harder for the attacker to pull off a successful strike. To enable an ACL that sets up these restrictions, define the access list in global configuration mode and then apply it inbound on the HSRP interface:

(config)# access-list 101 permit udp host <ip> host 224.0.0.2 eq 1985
(config)# access-list 101 deny udp any any eq 1985
(config)# access-list 101 permit ip any any
(config)# interface <interface>
(config-if)# ip access-group 101 in

Note: Replace <ip> with a valid host IP address. This line should be used for each router that participates in the HSRP process.
Note: 1985 is the UDP port number that HSRP runs on.
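
The check behind both mitigations, as a small added example (not part of the original post, and not Yersinia or Cisco code): it decodes the 20-byte HSRPv1 message defined in RFC 2281 and flags speakers outside the router allow-list, including whether their priority would win the election described earlier. The two payloads are constructed samples, and the function names and the allow-list built from the lab addresses are assumptions.

```python
import ipaddress
import struct

# HSRPv1 message body (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"  # RFC 2281 default when no authentication is set

def parse_hsrp_v1(payload):
    """Decode the UDP/1985 payload of an HSRPv1 message into a dict."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("truncated HSRP message")
    ver, op, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError("not an HSRPv1 message")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth, "vip": str(ipaddress.IPv4Address(vip))}

def outranks(prio, ip, active_prio, active_ip):
    """Election rule: higher priority wins, ties go to the higher interface IP."""
    return (prio, ipaddress.IPv4Address(ip)) > (active_prio, ipaddress.IPv4Address(active_ip))

def audit_hsrp(src_ip, payload, routers, vip, active=("120.0.0.11", 110)):
    """Return a list of findings for one HSRP message seen on the segment."""
    msg, findings = parse_hsrp_v1(payload), []
    if src_ip not in routers:
        findings.append(f"HSRP {msg['opcode']} from unknown speaker {src_ip}")
        if outranks(msg["priority"], src_ip, active[1], active[0]):
            findings.append(f"{src_ip} (priority {msg['priority']}) would win the election")
    if msg["vip"] != vip:
        findings.append(f"unexpected virtual IP {msg['vip']}")
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default plaintext authentication data in use")
    return findings

ROUTERS = {"120.0.0.11", "120.0.0.12"}  # R1 and R2 from the lab above (assumed allow-list)
VIP = "120.0.0.13"
# Constructed sample payloads (not captured traffic): group 1, hello 3 s, hold 10 s.
R1_HELLO = bytes.fromhex("000010030a6e0100" "636973636f000000" "7800000d")       # priority 110
UNKNOWN_HELLO = bytes.fromhex("000010030aff0100" "636973636f000000" "7800000d")  # priority 255

if __name__ == "__main__":
    for src, pkt in (("120.0.0.11", R1_HELLO), ("1.1.1.1", UNKNOWN_HELLO)):
        print(src, audit_hsrp(src, pkt, ROUTERS, VIP))
```

Feed it the source address and UDP payload of each port 1985 datagram from a monitoring port; a router that already uses the MD5 key-chain above will no longer trigger the default-authentication finding.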

I hope this post is helpful. Let me know if you have any queries through the comments section.
