Sunday, March 18, 2007

Auditing Cisco Routing Protocols

I am very into Cisco research, but I am not very good at writing or finding exploits. What I did was audit the routing protocols that were available. Sadly, there wasn't any routing protocol running here. Nevertheless, I managed to capture screenshots of what I did. The tool I used was IRPAS from Phenoelit. IRPAS bundles many tools, including ASS, CDP, protos, hsrp, etc. I used ASS to test for RIPv1 and RIPv2 and got nothing. For detailed documentation, you can visit: http://www.phenoelit.de/fr/tools.html

As y'all know, RIPv1 is susceptible to plaintext authentication. If y'all's company is using RIPv1, upgrade it to RIPv2. At least in v2 it uses an MD5 hash. If you run ASS in an environment where RIPv1 is used, the scans will reveal the passwords. ASS can be run in both passive and active mode, and only from the internal LAN. Below is what I got from the scans. :((

hAck3rs@cisco:~/ass$ sudo ./ass -i eth0
ASS [Autonomous System Scanner] $Revision: 1.24 $
(c) 2k++ FX
Phenoelit (http://www.phenoelit.de)
IRPAS build XXXIX
passive listen ... (hit Ctrl-C to finish)


>>>Results>>>
*** glibc detected *** double free or corruption (!prev): 0x0805d1d0 ***
Aborted


hAck3rs@cisco:~/ass$ sudo ./ass -i eth0 -vv -A
ASS [Autonomous System Scanner] $Revision: 1.24 $
(c) 2k++ FX
Phenoelit (http://www.phenoelit.de)
IRPAS build XXXIX
Scanning
+ scanning IRDP ...
+ scanning RIPv1 ...
+ scanning RIPv2 ...
+ scanning IGRP ...
+ wainting for EIGRP HELLOs (12s) ...

Continuing capture ... (hit Ctrl-C to finish)

>>>Results>>>
*** glibc detected *** double free or corruption (!prev): 0x0805d1d0 ***
Aborted

The first scan is a passive scan that listens for RIP updates. The second scan is an active scan: the -A option puts the scanner into active mode and -vv makes it verbose.

For those of y'all who use RIPv2, you can set the authentication using:

1. config t
2. ip rip authentication mode md5
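Here is a small defender-side check, added as an example that is not from this post or from IRPAS: it parses a RIP v1/v2 UDP payload (port 520) and reports whether the update is unauthenticated, carries a simple password in the clear (the case ASS can read straight off the wire), or uses MD5 authentication. The sample packets are constructed, not captured from any network.

```python
import ipaddress
import struct

AUTH_NAMES = {2: "simple-password", 3: "md5"}   # RFC 2453 / RFC 2082 auth types

def parse_rip(payload: bytes) -> dict:
    """Parse a RIP v1/v2 payload; return auth mode, any cleartext password, routes."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP packet")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    info = {"command": command, "version": version, "auth": "none",
            "password": None, "routes": []}
    entries = [payload[i:i + 20] for i in range(4, len(payload), 20)]
    for idx, entry in enumerate(entries):
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == 0xFFFF:                       # authentication entry, not a route
            if idx == 0:
                info["auth"] = AUTH_NAMES.get(tag, f"unknown({tag})")
                if tag == 2:                    # simple password: 16 bytes in the clear
                    info["password"] = entry[4:].rstrip(b"\x00").decode("ascii", "replace")
            continue                            # tag 1 = trailing MD5 digest, skip it
        ip, mask, _next_hop, metric = struct.unpack("!4s4s4sI", entry[4:])
        info["routes"].append((str(ipaddress.IPv4Address(ip)),
                               str(ipaddress.IPv4Address(mask)), metric))
    return info

def rip_entry(afi: int, tag: int, body: bytes) -> bytes:
    return struct.pack("!HH", afi, tag) + body.ljust(16, b"\x00")

def route(net: str, mask: str, metric: int) -> bytes:
    return rip_entry(2, 0, ipaddress.IPv4Address(net).packed
                     + ipaddress.IPv4Address(mask).packed + b"\x00" * 4
                     + struct.pack("!I", metric))

# Constructed sample packets (command 2 = response).
HDR_V2 = struct.pack("!BBH", 2, 2, 0)
SIMPLE = HDR_V2 + rip_entry(0xFFFF, 2, b"cisco123") + route("10.1.0.0", "255.255.0.0", 1)
MD5 = (HDR_V2 + rip_entry(0xFFFF, 3, struct.pack("!HBBI", 44, 1, 16, 7))
       + route("10.2.0.0", "255.255.0.0", 2) + rip_entry(0xFFFF, 1, b"\xaa" * 16))
V1 = struct.pack("!BBH", 2, 1, 0) + route("10.3.0.0", "0.0.0.0", 3)

def audit(payload: bytes) -> str:
    """One-line verdict for a captured RIP update."""
    p = parse_rip(payload)
    if p["auth"] == "simple-password":
        return f"FAIL: RIPv{p['version']} password sent in clear: {p['password']!r}"
    if p["auth"] == "none":
        return f"WARN: RIPv{p['version']} updates are unauthenticated"
    return f"OK: RIPv{p['version']} uses {p['auth']} authentication"

if __name__ == "__main__":
    for pkt in (SIMPLE, MD5, V1):
        print(audit(pkt))
```

Feed it the UDP payload of RIP packets exported from Wireshark to confirm every router on the segment is actually sending MD5-authenticated updates after the change.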

In active mode, ASS sends out ICMP type 10 messages to discover IRDP on the network, but sadly no IRDP implementation is seen here, as it is susceptible to DoS attacks.

I found STP!!!!!!! This shows that there is a Cisco switch. Soon I am going to see if I can make myself the STP root.

Not to mention the OSPF protocol. This protocol has a lot of juicy info. For me the best tool to gather OSPF info is Wireshark. I am always looking out for the backbone area 0, which is the main area that connects all the other areas.

1 comment:

Anonymous said...

Great blog. Your point of view is really good.
Payday cheques
Cheque Cashing UK