HSRP Manipulation

From Hakipedia

An attacker hijacks the HSRP process with the highest priority.
Hot Standby Router Protocol (HSRP) provides high availability at the access layer for hosts that only require a default static route. It groups two or more Layer 2 routers into one virtual router. The physical routers keep their own MAC and IP addresses, while the virtual router is assigned new ones, which are shared between the physical routers.

In HSRP, one physical router becomes the active router and forwards every IP packet that is sent to the virtual router. The other physical routers track the HSRP state, and if the active router fails, one of them takes over the active role. Within the HSRP process these routers are known as standby routers.

HSRP messages are sent to the multicast address 224.0.0.2 for version 1, and 224.0.0.12 for version 2. These addresses belong to the link-local multicast space, so the messages are confined to the local Ethernet segment.

Routers that participate in the HSRP process use their own IP addresses as the source address of HSRP packets, which lets the participating routers identify each other. For MAC addresses, however, only the standby routers use their own addresses; the active router uses the virtual MAC address as its source address.

Severity

Medium to High.

Exploit Likeliness

Low.

Description

According to its RFC, HSRP is not a secure protocol and is therefore susceptible to Man in the Middle (MitM) attacks. From RFC 2281:

The [HSRP] protocol is easily subverted by an active intruder on the LAN.
This can result in a packet black hole and a denial-of-service attack.

Yersinia is a Layer 2 attack toolkit designed to take advantage of weaknesses in various network protocols. One of these protocols is HSRP, and Yersinia addresses several of its weaknesses. These are:

<0> NONDOS attack sending raw HSRP packet
<1> NONDOS attack becoming ACTIVE router
<2> NONDOS attack becoming ACTIVE router (MITM)

Option <0> can be used as a reconnaissance tool, as it allows an attacker to gain information on the HSRP process within a network. Option <1> is effectively a DoS attack: it confuses HSRP into electing a non-existent router as the active router, so all frames are sent to a black hole. Option <2> is much like Option <1>, except that instead of sending all frames to nowhere, the attacker becomes the active router and all frames are sent through the attacker's server.

Enabling an HSRP attack using Yersinia.
To run the HSRP attack on a Debian-based box, use the following commands:
user@nullity:~/$ sudo -s
root@nullity:~/# aptitude install yersinia
root@nullity:~/# yersinia -I

Note: the -I flag opens Yersinia in the ncurses interface mode. When in the Yersinia interface, follow these steps to begin a MitM attack:

1. Press "i" to bring up the interface settings; set the interface and press "q" to exit the Global Interfaces window.
2. Press "g" to bring up the "Choose Protocol Mode" window; highlight the HSRP entry and press Enter.
3. Press "x" to bring up the "Attack Panel" window; highlight option <2> and press Enter to begin the attack.

With this attack, Yersinia sends an HSRP packet with the maximum priority of 255. Provided that IP forwarding is enabled on the attacking machine and the static route is set correctly, all legitimate HSRP routers drop to the standby role, and the attacking machine then forwards all network traffic through its interfaces.
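As an added example that is not part of the original article or of Yersinia, the following Python decoder parses HSRP version 1 messages (the 20-byte RFC 2281 layout on UDP port 1985) and raises the findings a passive monitor would want for the takeover described above: a sender outside the known set of HSRP routers, a claimed priority of 255, a Coup message, and the RFC 2281 default authentication string. The sample packets, the virtual IP and the list of known routers are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# HSRP v1 message layout from RFC 2281: 20 bytes carried in UDP port 1985.
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
DEFAULT_AUTH = b"cisco"  # RFC 2281 default cleartext authentication string

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the UDP payload of one HSRP v1 message into its fields."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("HSRP v1 payload too short")
    (version, opcode, state, hello, hold, prio, group, _res,
     auth, vip) = HSRP_V1.unpack_from(payload)
    if version != 0:
        raise ValueError(f"not HSRP v1 (version byte {version})")
    return {"opcode": opcode, "state": state, "hellotime": hello, "holdtime": hold,
            "priority": prio, "group": group, "auth": auth.rstrip(b"\x00"),
            "virtual_ip": str(IPv4Address(vip))}

def audit_hsrp(src_ip: str, payload: bytes, known_routers: set) -> list:
    """Return the findings a passive monitor would raise for one HSRP v1 message."""
    msg = parse_hsrp_v1(payload)
    name = OPCODES.get(msg["opcode"], str(msg["opcode"]))
    findings = []
    if src_ip not in known_routers:
        findings.append(f"HSRP {name} for group {msg['group']} from unknown source {src_ip}")
    if msg["priority"] == 255:
        findings.append(f"maximum priority 255 claimed for group {msg['group']} by {src_ip}")
    if msg["opcode"] == 1:
        findings.append(f"Coup from {src_ip}: a takeover of the Active role is being forced")
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default cleartext authentication string 'cisco' in use")
    return findings

# Constructed samples (not captured traffic): a Hello in Active state for group 1,
# virtual IP 192.168.0.1, hellotime 3, holdtime 10, with the given priority.
def sample_hello(priority: int) -> bytes:
    return HSRP_V1.pack(0, 0, 16, 3, 10, priority, 1, 0,
                        DEFAULT_AUTH.ljust(8, b"\x00"), IPv4Address("192.168.0.1").packed)

KNOWN_ROUTERS = {"192.168.0.2", "192.168.0.3"}  # assumed legitimate HSRP routers

if __name__ == "__main__":
    # A normal Hello from a known router, then a priority-255 Hello from an unknown host.
    for src, pkt in (("192.168.0.2", sample_hello(100)), ("192.168.0.22", sample_hello(255))):
        for finding in audit_hsrp(src, pkt, KNOWN_ROUTERS):
            print(f"[{src}] {finding}")
```

In a real deployment the payload and source address would come from a capture filter on UDP port 1985 to 224.0.0.2, and the known-router set from the inventory of routers configured with the standby group.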

Mitigation

Mitigating an HSRP attack requires two measures. One is to prevent the attacker from forging valid HSRP packets, which is done with authentication. The other is to prevent the attacker from sending HSRP packets at all, which is done with access control lists (ACLs).

To enable HSRP authentication with an MD5 key chain, enter the following configuration (the standby command belongs in interface configuration mode on the interface that runs the HSRP group):

(config)# key chain <NAME>
(config-keychain)# key <ID_number>
(config-keychain-key)# key-string <passphrase>
(config-keychain-key)# exit
(config-keychain)# exit
(config)# interface <interface>
(config-if)# standby 1 authentication md5 key-chain <NAME>

This should be entered on all HSRP participating routers to ensure that each router is able to participate in the HSRP process.

With Cisco key chains, an accept lifetime can also be set in keychain-key configuration mode. Whether to use it depends on business needs, but Cisco recommends it when using key chains. If accept lifetimes are used, ensure that the clocks of all routers are synchronized.

Yersinia is no longer able to recover authentication data with MD5 HMAC.
If an attacker sends HSRP messages to the HSRP process while authentication is enabled, the routers log an error similar to the following:
%HSRP-4-BADAUTH: Bad authentication from 192.168.0.22, group 1, remote state Active

With MD5 key chains enabled, the attacker can no longer see the pre-shared key, which is sent in clear text by default. However, the HSRP process is still susceptible to replay attacks: if an attacker is able to sniff a packet with a very high priority, they can still become the active router. To stop this from happening, Cisco recommends the use of port security, as outlined earlier in this article.

Access Control Lists (ACLs) are also recommended to mitigate these attacks. By allowing only specific IP addresses to send to 224.0.0.2 or 224.0.0.12, it becomes much harder for an attacker to succeed. The access list is defined in global configuration mode and then applied inbound on the interface:

(config)# access-list 101 permit udp host <ip> host 224.0.0.2 eq 1985
(config)# access-list 101 deny udp any any eq 1985
(config)# access-list 101 permit ip any any
(config)# interface <interface>
(config-if)# ip access-group 101 in

Note: Replace <ip> with the IP address of a legitimate router. Add one such permit line for each router that participates in the HSRP process.

Note: 1985 is the UDP port number that HSRP runs on.

Once the ACL is applied, attached hosts are blocked from sending HSRP messages unless they are explicitly permitted. An anti-spoofing mechanism should be implemented as well, so that a host cannot bypass the ACL by spoofing the source address of a permitted router.
