Ghost Recon - 2008 - Ruxcon

Why?●●●●●Network SecurityInformation GatheringEavesdroppingMitMInvisibility

Objectives●Recon● LLDP● OSPF●MitM● VRRP● OSPF

Recon●●LLDPOSPF

Link Layer Discovery Protocol●●●IEEE 802.1AB-2005Vendor NeutralSimilar functionality to CDP, EDP, NDP● Layer 2●Multicast MAC 01:80:c2:00:00:0e

LLDP●TLV based protocol● Info includes: -●●●●System name & descPort name & descVLANIP Management address

LLDP Frame

LLDP TLVs● Mandatory TLVs: -●●●●●Chassis IDPort IDTTLEnd of LLDPDU TLVOptional TLVs between TTL and EoL

LLDPDU

LLDP TLV

LLDP Topology Discovery●●●SNMPLocal●LLDPDMultiple Hops●●NetDiscoWiremaps

Open Shortest Path First●Routing Protocol● RFC 2328● Link State●●Similar to IS-ISSimple Authentication● Plain-text Password● MD5

OSPF Hierarchy●Areas● Backbone == 0.0.0.0● Non-backbone != 0.0.0.0●●Routers●●●All areas connected to backboneInternal Routers (IRs)Area Border Routers (ABRs)Autonomous System BorderRouters (ASBRs)

OSPF

OSPF Link State●●Link State Database●Made up of LSAsLink State Advertisements (LSAs)●●●●TypeIDAdvertising RouterInstance (Seq, Chksum, Age)

OSPF LSAs●LSA Types● Router LSAs● Network LSAs● Summary LSAs● ASBR Summary LSAs● External LSAs

OSPF LSA Header

OSPF LSA Lookup

OSPF LSA Instance

OSPF Neighbourships●●●●Adjacent Routers form neighbourshipsExchange link state informationFlood updatesSynchronized LS Databases

OSPF Flooding

OSPF Flooding

OSPF Broadcast Networks●Broadcast networks● Multicast 224.0.0.5 and 224.0.0.6●●●Designated Router (DR)Backup Designated Router (BDR)DR originates Network LSA

OSPF Topology Discovery●●Passive●Active●●●LSRefreshTime (30 Mins)Subvert RouterRouge RouterSpoof LSA Requests

OSPF Active Topology Discovery●●●Router LSAs●ID == Advertising RouterNetwork LSAs●●ID == DR's IPAdv Rtr == DR RIDLimitation with BDR●Unknown DR RID

OSPF Forming an Adjacency

ghOSPF●●●PoCScapy Add-onDiscovery of topology● Passive● Active●RFC 3514 Compliance

Scapy●●●●●●Python Packet Manipulation ToolPhilippe BiondiDecodes rather than interpretsReplaces numerous toolsCombine functionalityAdd-ons

Demo●Recon●OSPF

MitM●●VRRPOSPF

Virtual Router Redundancy Protocol●●●First Hop RedundancyProvides Fault ToleranceBased off Cisco's HSRP● Layer 3● Standardized - RFC 3768● Current version 2●Uses Gratuitous ARP with BIA MAC

VRRP

VRRP Switchover

VRRP Security●●TTL 255 (directly connected)Authentication●●●●NonePlaintext passwordMD5 PSK (Non-standard)IPSEC AH● Truncated MD5 HMAC● Not supported by allimplementations

VRRP Pre-empting● Default Priority 100●●Priority 255 reserved for OwnerPre-empting is typical●●Owner always pre-emptsregardless of pre-empt settingPre-empt on by default

VRRP Switchover●New-Contestent pips IncumbentMaster iff: -●NC's Priority > IM's Priority● Tie-breaker: -●NC's Primary IP > IM's Primary IP

VRRP Hostile Takeover● Local ( mcast, TTL 255 )●●●Send Announcement (Win Election)● Priority == 255●Tie-breaker: IP > Incumbent's IPSend Gratuitous ARPs for virtual IPsPeriodically send advertisements

VRRP Hostile Takeover

OSPF Attacks●●●Compromised RouterCompromised Network SegmentOSPF Attack Shell● GomoR●ghOSPF

OSPF Security●●●●MulticastGTSM (optional)Authentication●●Plaintext PasswordMD5Fight Back

ghOSPF●●●PoCScapy Add-onDiscovery of topology● Passive● Active●●Route Manipulation/InjectionRFC 3514 Compliance

OSPF Route Manipulation● Routing ← SPF ← LSDB ← LSAs●●●●Intra > Inter > E1 > E2LSA's metrics – costPartitioned LSAs won't go into SPFMust spoof LSA(s)●Must Fight Fightback

OSPF Fight Back●●Router receives “wrong” LSA●●Same Advertising Router IDWrong details thoughOriginates new LSA●●Correct detailsNewer Seq

OSPF Fight Back

OSPF Fight Back

Defeating OSPF Fight Back●●●MinLSInterval●●5 secondsMin time before originating LSAMinLSArrival●●1 secondMin time before processing LSARace condition●Transmit LSAs @ 1s with > Seq

Defeating OSPF Fight Back

Fingerprinting●●●●●LLDPScapy/P0fPADSNetworkMinerSatori

Demo●●VRRP TakeoverOSPF RouteManipulation

Game Over

Summary●●●●LLDP reveals the L2 TopologyOSPF reveals the L3 TopologyHostile take-overs in VRRPOSPF Route-manipulation

Conclusions●●Use strong authentication●●Use long passwordsTime to replace MD5Monitor logs

Thank You●Berne Campbell●

Appendix

References●●●IEEE 802.1AB-2005RFC 2328 OSPFRFC 3768 VRRP

References (2)●Feiyi Wang and S. Felix Wu, "On theVulnerabilities and Protection of OSPFRouting Protocols," In IEEE 7thInternational Conference on ComputerCommunication and Network (IC3N),October 1998http://www.cs.ucsb.edu/~seclab/projects/ro

References (3)●●Emanuele Jones and Olivier LeMoigne, "OSPF Security VulnerabilitiesAnalysis," draft-ietf-rpsecospfvuln-02.txt,16 June 2006.A. Babir, S. Murphy, Y. Yang, “GenericThreats to Routing Protocols”, draftietf-rpsec-routing-threats-07,25October 2004

References (4)●Ayikudy Srikanth; Adnan Onart,“VRRP: Increasing Reliability andFailover with the Virtual RouterRedundance Protocol”, ISBN-13978-0-201-71500-2

Tools●●●Scapy●http://trac.secdev.org/scapy/wikiScapy_OSPF●http://trac.secdev.org/scapy/wiki/OSPFScapy VRRP●http://trac.secdev.org/scapy/ticket/60● P0f● http://lcamtuf.coredump.cx/p0f.shtml

Tools (2)●Vyatta●http://www.vyatta.org/

Special Thanks●●●telljoolzpemkyRuxcon Organisers and Staff

RemovedSlides

Demo OSPF Topology Discovery

Original Route(shortest path)Demo ghOSPF Re-route

Demo ghOSPF Re-routeRouter's LSA isbeing repeatedlyspoofed with highmetrics for itsinterfacesNew Route“shortest path”

Vyatta●●Open source RouterBased off Debian Lenny and Quagga

Click to add title

Why?●●●●●Network SecurityInformation GatheringEavesdroppingMitMInvisibilityWho needs it?

Objectives●Recon● LLDP● OSPF●MitM● VRRP● OSPF

Recon●●LLDPOSPF

Link Layer Discovery Protocol●●●IEEE 802.1AB-2005Vendor NeutralSimilar functionality to CDP, EDP, NDP● Layer 2●Multicast MAC 01:80:c2:00:00:0e

LLDP●TLV based protocol● Info includes: -●●●●System name & descPort name & descVLANIP Management address

LLDP Frame●Click to add an outline

● Mandatory TLVs: -LLDP TLVs●●●●●Chassis IDPort IDTTLEnd of LLDPDU TLVOptional TLVs between TTL and EoL

LLDPDU●Click to add an outline

LLDP TLV●Click to add an outline

LLDP Topology Discovery●●●SNMPLocal●LLDPDMultiple Hops●●NetDiscoWiremaps

Open Shortest Path First●Routing Protocol● RFC 2328● Link State●●Similar to IS-ISSimple Authentication● Plain-text Password● MD5Link State routing protocols were born out ofARPANETOSPF is ~ 20 years oldThe maths its based off (Dijkstra's Algorithm) is50 years oldMD5 Authentcation is not HMAC­MD5MAC = MD5 ( OSPF || Key )Note: key is padded to 16 bytes with nulls

OSPF Hierarchy●Areas● Backbone == 0.0.0.0● Non-backbone != 0.0.0.0●●Routers●●●All areas connected to backboneInternal Routers (IRs)Area Border Routers (ABRs)Autonomous System BorderRouters (ASBRs)

OSPF

OSPF Link State●●Link State Database●Made up of LSAsLink State Advertisements (LSAs)●●●●TypeIDAdvertising RouterInstance (Seq, Chksum, Age)

OSPF LSAs●LSA Types● Router LSAs● Network LSAs● Summary LSAs● ASBR Summary LSAs● External LSAs

OSPF LSA Header●Click to add an outline

OSPF LSA Lookup●Click to add an outlineType, Link State ID and Advertising Router arethe three fields that are used to look up LSAsIf a router receives a request for a Type, ID,AdRouter tuple that does not exist in its databaseit will reset the neighborship. So to be stealthywhen spoofing LS Requests make sure you lookup known Type, ID, AdRouter tuples.

OSPF LSA Instance●Click to add an outlineAge, Sequence Number and ChkSum are the threefields used to determine the which instance of anLSA is the most recent.

OSPF Neighbourships●●●●Adjacent Routers form neighbourshipsExchange link state informationFlood updatesSynchronized LS Databases

OSPF Flooding●Click to add an outlineStep 1: An OSPF Router floods updates to all ofits neighbours (after a change in the topology forexample).

OSPF Flooding●Click to add an outlineStep 2: The receiving OSPF routers then flood theupdate to neighbours and so on throughout thenetwork.

OSPF Broadcast Networks●Broadcast networks● Multicast 224.0.0.5 and 224.0.0.6●●●Designated Router (DR)Backup Designated Router (BDR)DR originates Network LSAObviously since OSPF uses multicast, ARPPoisoning tricks cannot be used against it.

OSPF Topology Discovery●●Passive●Active●●●LSRefreshTime (30 Mins)Subvert RouterRouge RouterSpoof LSA RequestsJuniper routers actually refresh at 50 minutes, asan optimization (although this technically makesthem non­standard).

OSPF Active Topology Discovery●●●Router LSAs●ID == Advertising RouterNetwork LSAs●●ID == DR's IPAdv Rtr == DR RIDLimitation with BDR●Unknown DR RIDTo lookup a router LSA you only need theID/Adrouter as they are both the same, and ofcourse the type is “router”.To look up a Network LSA you need to know theDR's IP, and the DR's Router ID.Spoofing LS Requests to get the LSAs based offType, ID, Adrouter tuples that have beengleaned from passively monitoring the networkwill allow topology discovery with the limitationthat when hitting a BDR, you will know theDR's IP, but not the DR's RID, and therefore youwill be unable to make a valid request for theNetwork LSA of that network until the DR'sRID is learned.

OSPF Forming an Adjacency●Click to add an outlineThis is a simplified diagram of the OSPFAdjacency procedure.First the routers seach each others RID in eachothers Hellos. This means they havebidirectional communication.They then describe each others databases to eachother.Then they make LS Request of missing LSAs.

ghOSPF●●●PoCScapy Add-onDiscovery of topology● Passive● Active●RFC 3514 ComplianceAdd­on to scapy_ospf add­onPassive: ­SlowerFull topology after ~LSRefreshTime(30mins Standard – Juniper 50mins)More stealthyActive: ­QuickerLess stealthySpoof LS RequestsLimitations on discovery (DR/BDR)Kill a neighbourshipNoisy ­ logsPhantom RouterNoisy – logs – stop mid­way to reduce logs

Scapy●●●●●●Python Packet Manipulation ToolPhilippe BiondiDecodes rather than interpretsReplaces numerous toolsCombine functionalityAdd-onshttp://www.secdev.org/projects/scapy/

Demo●Recon●OSPF

MitM●●VRRPOSPF

Virtual Router Redundancy Protocol●●●First Hop RedundancyProvides Fault ToleranceBased off Cisco's HSRP● Layer 3● Standardized - RFC 3768● Current version 2●Uses Gratuitous ARP with BIA MAC

VRRPIn this example, the two routers are in the oneVRRP group with a floating virtual IP. The tworouters cooperate to create a Virtual Router. Ifthe master, who is currently performing theactions of the virtual router, should fail then theBackup will become master and start to performthe actions of the virtual router. The virtualrouter therefore has higher availablity due to theredundancy. The virtual IP is typically used as adefault route for hosts.

VRRP SwitchoverOn a switch­over the Backup sends out a VRRPAnnouncement and gratuituous ARPs for theVirtual IP Address(es).

VRRP Security●●TTL 255 (directly connected)Authentication●●●●NonePlaintext passwordMD5 PSK (Non-standard)IPSEC AH● Truncated MD5 HMAC● Not supported by allimplementationsAs the TTL must be 255, remote hosts trying tomanipulate VRRP will fail as the TTL will bedecremented at each hop. Only local hosts willbe able to attack VRRP.

VRRP Pre-empting● Default Priority 100●●Priority 255 reserved for OwnerPre-empting is typical●●Owner always pre-emptsregardless of pre-empt settingPre-empt on by default

VRRP Switchover●New-Contestent pips IncumbentMaster iff: -●NC's Priority > IM's Priority● Tie-breaker: -●NC's Primary IP > IM's Primary IP

VRRP Hostile Takeover● Local ( mcast, TTL 255 )●●●Send Announcement (Win Election)● Priority == 255●Tie-breaker: IP > Incumbent's IPSend Gratuitous ARPs for virtual IPsPeriodically send advertisementsLocal● IP DST = 224.0.0.18● IP TTL == 225VRRP Version 2Type 1 Advertisement – The only type.

VRRP Hostile Takeover●Click to add an outlineA malicous host could perform a hostile take overof the VRRP group by sending a VRRPannouncement with a higher priority (forexample 255 – the highest) and gratuitous ARPsfor the virtual IP address(es).If the incumbent master has a priority of 255 themalicious host could use a higher primary IP towin the tie­breaker.

OSPF Attacks●●●Compromised RouterCompromised Network SegmentOSPF Attack Shell● GomoR●ghOSPFOSPF attacks may come from a legitimate that iscompromised or from a network segment withOSPF router(s) running on it that iscompromised.One existing tool to attack OSPF is the OSPFAttack Shell by GomoR. And now there is alsoghOSPF.

OSPF Security●●●●MulticastGTSM (optional)Authentication●●Plaintext PasswordMD5Fight BackRouting security is a hard problem: ­● Highly Distributed● Routing is a cooperative process, withmany nodes involved● Highly Dynamic● Nodes need to trust each other● Protocol must be secure● Protocol flaw­free● Implementation Bug­free● Authentication●MD5 Authentication is not HMAC­MD5● MAC = MD5 ( OSPF || Key )●IPsec/HMAC­SHA1 is on the road­map (haha)● draft­gupta­ospf­ospfv2­sec­00● draft­ietf­ospf­hmac­sha­03.txt

ghOSPF●●●PoCScapy Add-onDiscovery of topology● Passive● Active●●Route Manipulation/InjectionRFC 3514 ComplianceOne additional feature of ghOSPF is RouteManipulation / Injection.

OSPF Route Manipulation● Routing ← SPF ← LSDB ← LSAs●●●●Intra > Inter > E1 > E2LSA's metrics – costPartitioned LSAs won't go into SPFMust spoof LSA(s)●Must Fight FightbackThe routing table is derived from the results ofShortest Path First algorithm applied to the LinkState Database. The LSDB contains all thecurrent LSAs.Intra­Area routes are prefered over Inter­Arearoutes, which are prefered over external routes.External Type 1 routes are prefered overExternal Type 2 routes.(Maliciously injected) LSAs that are partitionedfrom the area will not go into the SPF andtherefore the routing table. Therefore we mustspoof LSA(s) to manipulate the routing table –unless you are advertising new networks with aphantom router.If spoofing existing LSAs then you must fightfight back from the legit originating router.

OSPF Fight Back●●Router receives “wrong” LSA●●Same Advertising Router IDWrong details thoughOriginates new LSA●●Correct detailsNewer Seq

OSPF Fight Back●Click to add an outlineThe malicious router, Mallory, is sending LSUpdates with that contain a spoofed LSApurporting to be originated by the router Bob.

OSPF Fight Back●Click to add an outlineAlice when receiving the new “Bob” LSA willinstall it and flood it as per normal, completelyunaware of any nefarious activity.Bob when receiving the new “Bob” LSA howeverwill originate a new update with the correctinformation. This is termed fight back.

Defeating OSPF Fight Back●●●MinLSInterval●●5 secondsMin time before originating LSAMinLSArrival●●1 secondMin time before processing LSARace condition●Transmit LSAs @ 1s with > SeqIn practice OSPF routers seem to breach theMinLSInterval when fighting back.

Defeating OSPF Fight Back●Click to add an outline

Fingerprinting●●●●●LLDPScapy/P0fPADSNetworkMinerSatoriLLDP obviously includes lots of information thatcan be very useful for topology discovery aswell as information about the host.Tools such as (scapy/)p0f, PADS, NetworkMiner,and Satori can be used to passively guestimatethe OS and versions from (re­routed) traffic.

Demo●●VRRP TakeoverOSPF RouteManipulation

Game Over

Summary●●●●LLDP reveals the L2 TopologyOSPF reveals the L3 TopologyHostile take-overs in VRRPOSPF Route-manipulation

Conclusions●●Use strong authentication●●Use long passwordsTime to replace MD5Monitor logs

Click to add title●Click to add an outline

Thank You●Berne Campbell●

Appendix

References●●●IEEE 802.1AB-2005RFC 2328 OSPFRFC 3768 VRRP

References (2)●Feiyi Wang and S. Felix Wu, "On theVulnerabilities and Protection of OSPFRouting Protocols," In IEEE 7thInternational Conference on ComputerCommunication and Network (IC3N),October 1998http://www.cs.ucsb.edu/~seclab/projects/routing/referen

References (3)●●Emanuele Jones and Olivier LeMoigne, "OSPF Security VulnerabilitiesAnalysis," draft-ietf-rpsecospfvuln-02.txt,16 June 2006.A. Babir, S. Murphy, Y. Yang, “GenericThreats to Routing Protocols”, draftietf-rpsec-routing-threats-07,25October 2004

References (4)●Ayikudy Srikanth; Adnan Onart,“VRRP: Increasing Reliability andFailover with the Virtual RouterRedundance Protocol”, ISBN-13978-0-201-71500-2

Tools●●●Scapy●http://trac.secdev.org/scapy/wikiScapy_OSPF●http://trac.secdev.org/scapy/wiki/OSPFScapy VRRP●http://trac.secdev.org/scapy/ticket/60● P0f● http://lcamtuf.coredump.cx/p0f.shtml

Tools (2)●Vyatta●http://www.vyatta.org/

Special Thanks●●●telljoolzpemkyRuxcon Organisers and Staff

RemovedSlides●Click to add anoutline

Demo OSPF Topology Discovery●Click to add an outlineFor those who missed the demo, this is what theresults of ghOSPF's topology discovery looklike.In this demo ghOSPF was a host in the10.1.45.0/24 network.For time­constraint reasons the demo used thephantom router active attack

Demo ghOSPF Re-route●Click to add an outlineOriginal Route(shortest path)In the lab that I am using for the demo, all linksare Ethernet, with the same default metric.Traffic between the two stub networks 10.1.1.0/24and 10.1.3.0/24 will take the left­hand­side, as itis the shortest­path.

Router's LSA isbeing repeatedlyspoofed with highmetrics for itsinterfacesDemo ghOSPF Re-route● Click to add an outlineNew Route“shortest path”GhOSPF running in the 10.1.45.0/24 subnet isrepeatedly spoofing LS Updates with an LSAclaiming to be a Router LSA for 10.1.0.2.This spoofed LSA has much higher metrics thanthe legitimate Router LSA does.Because the updates are repeatedly injected, therouters in the network install the spoofed LSA,and during their SPF calculations the right­handsideis the shortest due to the left­hand­sidesartificially high metrics.

Vyatta●●Open source RouterBased off Debian Lenny and Quagga