Monday 5 October 2015

Ethical Hacking - Cisco HSRP with Kali linux - Example Demonstration and Security precautions


The Hot Swappable Router Protocol (HSRP) is a way to build redundancy into your network by allowing two or more routers to continuously test each other for connectivity, and take over if a router fails.As multiple routers can participate in the HSRP group, there has to be an election to determine who's the primary router.

This HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router.
In this post, we are going to make our Kali machine a HSRP participant and to become the active router by setting the highest priority to it. Yersinia tool (in built in Kali) helps us to perform this test with ease. For more information on HSRP, please refer RFC 2281

Yersinia

Yersinia is a layer 2- attack toolkit designed to take advantage of weaknesses in various network protocols. One of these protocols is HSRP, with yersinia you can perform below attacks on a HSRP environment.

<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)

These options are self explanatory, We are going with option 1 in this post.

Hacking HSRP with Kali (or) Backtrack

As illustrated in the snap below, I have crated a simple GNS3 topolgy with 2 HSRP enabled routers and a Kali linux machine which is connected to the same network.

And below are some of the outputs that are taken from the routers. As you can see R1 is acting as the HSRP active router with a priority value of 110 and R2 is the standby router.

Router 1: (Before Attempt)

R1#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Active  local           120.0.0.12      120.0.0.13
R1#sh standby fastEthernet 0/0
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:07:31
  Virtual IP address is 120.0.0.13
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.300 secs
  Preemption enabled
  Active router is local
  Standby router is 120.0.0.12, priority 100 (expires in 7.452 sec)
  Priority 110 (configured 110)
  Group name is "hsrp-Fa0/0-1" (default)

Router 2: (Before Attempt)

R2#sh standby br
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 120.0.0.11      local           120.0.0.13
R2#sh stand fa0/0
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:07:09
  Virtual IP address is 120.0.0.13
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.096 secs
  Preemption disabled
  Active router is 120.0.0.11, priority 110 (expires in 9.960 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-1" (default)

Let's begin,

Open Terminal window in your Kali machine. Type the below command and press enter,

yersinia -G

This opens the yerginia tool in a Graphical window, the same task can be performed by using interactive text based window also (yersinia -I). In this particular post, we'll go with -G.


Click on 'Launch Attack', Select the HSRP tab.

Note: If you have multiple network adapters in your Kali box, you may have to ensure which interface is selected by default (Click on Edit Interfaces).

As we have already mentioned this gives us three options, we'll go with option 2. Check Option 2 (becoming ACTIVE router), and press OK. A window would appear, you can enter and IP and press OK. This doesn't have to be on same subnet. You can enter any.


That's it, within seconds you'll see your routers becoming standby, your Kali will takeover and become the blackhole in your network.

Below are some of the logs taken after the attack,

Router 1 (After):

R1#
*Mar  1 00:12:43.567: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
R1#sh standby br              
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    110 P Standby 1.1.1.1         local           120.0.0.13

Router 2 (After):

R2#
*Mar  1 00:12:33.587: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Listen
R2#sh standby br    
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Listen  1.1.1.1         120.0.0.11      120.0.0.13

Mitigation:

You have two options to prevent these kind of attacks,

1) Use an ACL to drop HSRP messages from unknown IPs
2) Use HSRP Authentication

To enable HSRP authentication with a MD5 key-chain, enter the following configuration:

(config)# key chain <NAME>
(config-keychain)# key <ID_number>
(config-keychain-key)# key-string <passphrase>
(config-if)# standby 1 authentication md5 key-chain <NAME>

This has to be configured on all HSRP participants, Now when the attacker performs this attack, you'll see below logs on your routers.

%HSRP-4-BADAUTH: Bad authentication from 192.168.0.22, group 1, remote state Active

Access Control Lists (ACLs), are also recommended to mitigate these attacks. By only allowing certain IP addresses to access 224.0.0.2 or 224.0.0.12, it becomes much harder for the attacker to pull off a successful strike. To enable an ACL that sets up these restrictions, use the following:

(config)# interface <interface>
(config-if)# ip access-group 101 in
(config-if)# access-list 101 permit udp host <ip> host 224.0.0.2 eq 1985
(config-if)# access-list 101 deny udp any any eq 1985
(config-if)# access-list 101 permit ip any any

Note: Replace <ip> with a valid host IP address. This line should be used for each router that participates in the HSRP process.
Note: 1985 is the UDP port number that HSRP runs on.

I hope this post is helpful, let me know if you have any queries through comments section.

Share:

26 comments:

  1. Good article but you got the acronym wrong. it should say "Hot Standby Router Protocol"

    ReplyDelete
  2. Hey Admin Sperb Lab.

    Make Some Lab about IP Multicast with Real Time Audio Video Sharing..
    I'm waiting further labs.

    Plz carry On.....:)

    ReplyDelete
  3. pl post some real base setups with Multicast.

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Thanks for sharing this kind usefull blogs. it is wonderfull. such a great article. keep going.
    Ethical Hacking Training in Chennai
    Certified Hacking Course in Chennai

    ReplyDelete
  6. Someone can helps me explain how to use MiTM attack for this HSRP vulnerability in details

    Thank you so much

    ReplyDelete
  7. Healrun is a health news blog we provide the latest news about health, Drugs and latest Diseases and conditions. We update our users with health tips and health products reviews. If you want to know any information about health or health product (Side Effects & Benefits) Feel Free To ask HealRun Support Team.

    ReplyDelete
  8. Pilpedia is supplying 100 percent original and accurate information at each moment of time around our site and merchandise, and the intent is to improve the usage of good and pure health supplement. For More Info please visit Pilpedia online store.

    ReplyDelete
  9. Supplements For Fitness retail products may be prosecuted. Unfortunate consumers who suffer physiological damage from consuming contaminated supplements were not the target of these manufacturers and distributors of unscrupulous supplements,

    ReplyDelete
  10. Revuesdefaits defines personal characteristics of various health merchandise together with skincare, weight loss, muscle and male enhancement. The study presented here is briefly described for reader convenience and to deliver them assurance with health standards. The best potential answers are given here concerning the selection of a perfect supplement or cream or serum that presumably remains to be safe for health and do not cause any facet effects.

    http://revuesdefaits.fr/testoultra/

    ReplyDelete
  11. The way you have presented the post with all the examples is also very impressive.Thank you for this article. I’m new at all this so, it’s good to be open to different opinions.
    Keto BodyTone

    ReplyDelete
  12. True Burn Keto is a weight loss supplement that improves the metabolism of fats in the body, by the way of acetosis. The supplement helps make you thin without much effort. True Burn Keto is a ketogenic weight reduction supplement that is truly ideal for every one of those individuals who have been confronting the shame of stoutness and who have been confronting complex conversing with thin individuals. You simply need to utilize it for several days and trust me that your concern will be tackled. Visit On http://www.theapexhealth.com/true-burn-keto-reviews-true-burn-keto-ketogenic-diet-pills

    ReplyDelete
  13. Ultra Keto Burn offers a dietary supplement which is supposed to assist in the wright loss process known as ketosis. When the body enters a state of metabolic ketosis, it is able to burn fat cells at a very quick pace. According to this product’s website, Ultra Keto Burn maximizes the efficiency of this diet. Visit On http://www.rushyourtrial.com/coupon/ultra-keto-burn-best-weight-loss-supplement/

    ReplyDelete
  14. Innov8 Infinite

    The foreign exchange market (forex) for international currencies is the largest and most liquid market in the world. A trustworthy indicator is difficult to find, but when located, Forex becomes easy. As with trading generally, use stop losses to limit the amount of money you're putting at risk on a given trade and use profit targets to set exit points for money-making trades. If you still want to try your hand at forex trading , it would be prudent to use a few safeguards: limit your leverage, keep tight stop-losses, and use a reputable forex brokerage. Forex Trading System For New, Intermediate And Advanced Traders. The great part concerning the system is that Nicola Delic does not release a lots of systems as well as revenue simply from it. Instead, he is trading real cash as well as most of the cash is originating from trading, not from selling products.

    Pro: The forex market is traded 24 hours a day, five days a week—starting each day in Australia and ending in New York. The most popular account type at RoboForex, which is suitable for both beginners and experienced traders. Yet the foregoing, cati may fire this agreement at any time with a scripted notice to tradeology 30 (30) days ahead such expiration. These platforms allows you to learn the art and craft of trading in the forex market without all of the pressure, after which you can ease yourself into the live trades.

    Equity Futures, Forex,Currency and Options trading has large potential rewards, but also large potential risks. Currency trading, often referred to as foreign exchange or Forex, is the purchasing and selling of currencies in the foreign exchange marketplace, done with the objective of making profits. The mechanics of a trade are very similar to those found in other financial markets (like the stock market), so if you have any experience in trading, you should be able to pick it up pretty quickly. You must be aware of the risks of investing in Commodities, Equity futures, Forex ,Currency and options and be willing to accept them in order to trade in these markets.

    Many Forex traders do not like Forex scalping because they see no point in going for very small profits and being involved with this kind of high-pressure trading environment. 73.5% of retail investor accounts lose money when trading CFDs with this provider. Tradeology profigenics reviewblackstock with expertise weaves that together with how individuals at unlike places in their christian walk mightiness reply in. i besides looked at optionsanimal. These events can come suddenly and move the markets before most individual traders have an opportunity to react. https://www.reviewengin.com/infinite-profit-system-review/

    ReplyDelete
  15. You also need to choose what to bring, like clothes, food, and whatever else you may need. Obviously, there are many material items you’ll need to obtain just to physically get there and back. Even if you are entirely new to the game, you probably realize how trading just any old random stock, option, or forex pair is essentially gambling. To put the odds in your favor, you have to proceed systematically, and with forethought as to how you will create a trading system.

    The main thing to remember is to trade small and be patient. If you normally trade amini lot , use a micro lot instead, because the price differences for trades on a weekly scale can be significantly greater than when trading over shorter time periods.

    It is also practical to objectively analyse the reliability of your trading strategy and make any necessary changes to improve its efficiency before using real money on a live trading account with it. Once you know which kind of market analysis to use with your trading style, you have to spot and understand the market phases. There are different tools and indicators that work best under certain market conditions.

    It is a challenging method for beginners, but, with dedication and practice, it becomes quite easy to interpret and reap profits from it. Eventually, the price went to the support zone and took some time before rewarding us with a doji candlestick.

    STAR is just a process which is applied and yet it is the ESSENTIAL DIFFERENCE in the approach of FIRST MATCHING THE MARKET which gives it what you MUST have if you are to survive. Your analysis having been adjusted to the market is what gives you the crucial EDGE of consistency. Marketing hype may have gotten some hoping for instantaneous solutions to their problems but the same flaw exists in ALL of the other tools so they simply cannot deliver. This creates an expectation that there is some tool or strategy with some special sauce settings that will end their search. I find this system to give me more time freedom than anything I have used yet. Reason being that the signals begin to form a fair time ahead. https://www.reviewengin.com/trade-command-center-review/

    ReplyDelete
  16. Hi, may I ask... after we have become the active router, how are we able to forward users to a spoofed webpage when we do not have any more internet connection?

    ReplyDelete
  17. That said, if you’ve still got stuff to do on the product planning front, you don’t need to rush. You can wait until later to pull the trigger on setting up your store. Think about who will buy the product, and make sure it’s a name that your target audience can resonate with . A business offering health products might be bold and energetic. A company making toys for children might try for nurturing and welcoming. You’re obviously not buying ads yet, but if you create a free account, you can input keywords and get an idea of how much volume different search terms receive.
    The role of an email marketing consultant is to work with businesses to improve their email communication and step up their marketing campaigns. A good resume or cover letter needs to highlight an individual’s skills, be relevant to the position applied for and have a positive tone. It may seem outdated for Instagram users with personal accounts, but it’s a great way to play the algorithm on social media and make sure new people can find your account. Musicians can capitalise on their talent by selling their art online. There are lots of different ways to make money through your music online. The key to making money from a Chrome Extension is coming up with an innovative idea – it needs to be general enough to appeal to the majority of users, offering a universal function.
    There are many products that, even though you could legally sell online, you may want to avoid in order to give your brand credibility. Learning ecommerce for beginners is relatively simple, but knowing what design elements resonate with your audience takes a significant amount of experience. In addition to YouTube, there are many other alternative channels that may benefit your ecommerce business. For instance, social media is usually regarded as a great marketing channel, especially for Etsy stores.
    I won’t deny that business-to-customer subscription services are sprouting up everywhere. Nevertheless, there’s growth potential for new entrants. This ecommerce idea has been trending upwards for a while now. Start your online marketing first by analyzing the competitive space. https://www.reviewengin.com/10-ecommerce-business-ideas-2022/

    ReplyDelete