network – cisco gns3 router idea

A network pen test idea for testing the security of dynamic routing on Cisco devices.
It works best in an environment where a layer-three design has been commissioned.

Dynamic routing protocols chat. They send out hellos and updates regularly to discover new routes and new routers being advertised.
Layer-three switches are very common today, used even as access switches, bringing layer three to the desk!
That chatter should be secured and often is not. This lets you sniff with Wireshark and see all of the routing-protocol hellos, CDP and other Cisco chat flying across the network. This shows how that can be used to your advantage while on a pen test.

Using the GNS3 simulator it is possible to connect a virtual router to the LAN, peer with the real routers and see all of the dynamically distributed routes. And add routes!

The fix to this problem can be found at the very bottom.

http://www.gns3.net/

BackTrack 5 R1. This will not work if BackTrack is a VM; it needs to be a physical machine with its own NIC on the LAN.

This is also easy (if honest, easier) to create in Windows, if it was ab

To create a tap interface you need to install uml-utilities:
apt-get install uml-utilities

Then create a bridge so the GNS3 virtual router can be connected to the real LAN.
The bridge interface instructions used were found at http://www.blindhog.net/linux-bridging-for-gns3-lan-communications/

1. tunctl -t tap0
Remove the IP addressing from eth0 and bring eth0 and tap0 up in promiscuous mode (you lose connectivity on eth0 until br0 gets an address in step 8 or 10):
2. ifconfig tap0 0.0.0.0 promisc up
3. ifconfig eth0 0.0.0.0 promisc up
Create a new bridge interface:
4. brctl addbr br0
Add tap0 and eth0 to the bridge group:
5. brctl addif br0 tap0
6. brctl addif br0 eth0
Enable the bridge interface and give it a static IP address (if using DHCP, skip steps 8 and 9 and jump to step 10):
7. ifconfig br0 up
8. ifconfig br0 10.10.10.99/24
Configure the default route:
9. route add default gw 10.10.10.254 (not required if using DHCP; jump to step 10)
10. dhclient br0 (don't do this if using a static address)

11. Try a ping out of the network; it should succeed. The tunctl/brctl/ifconfig tools are what BackTrack 5 ships with; on a current distribution the same steps are done with the ip command's tuntap, link and addr subcommands.

Here are the steps to reverse the changes (these can be copied and pasted in)
======================================

sudo ifconfig br0 down

sudo brctl delif br0 eth0
sudo brctl delif br0 tap0

sudo brctl delbr br0

sudo tunctl -d tap0

sudo ifconfig eth0 up
sudo ifconfig eth0 10.10.10.99/24

sudo route add default gw 10.10.10.254

######################################################

wireshark

1. Start Wireshark from a new root shell: root@bt:~# wireshark

Capture / Interface List / br0 (this sniffs all traffic going through the bridge, i.e. both the eth0 and tap0 sides). A display filter of eigrp || ospf || cdp narrows the view to the chatter this exercise is about.

######################################################

Install GNS3

http://www.gns3.net/
GNS3, the Graphical Network Simulator. Run Cisco, Juniper and open-source virtual networks on your PC!

apt-get install gns3

Once downloaded and installed, go to Applications / Education / GNS3 and work through the following:

1. Applications / Education / GNS3
2. Setup Wizard / 1 / Dynamips / Test (you should see "Dynamips successfully started"; if not, check the path to dynamips) / Apply / OK
3. Setup Wizard / 2 / Add IOS images / locate / Save / Close / back on the Setup Wizard / OK
4. Under Node Types drag a Router onto the middle screen, then drag a Cloud.
5. Right click Cloud / Configure / C0 (the cloud node) / NIO TAP (tab) / type tap0 into the TAP interface box / Add / Apply / OK
6. In the top bar (under File Edit View Help) click the network cable icon between the abc and the clock icons. Choose FastEthernet.
7. Left click on the router and move the mouse to the Cloud. Left click on the Cloud and you will see your NIC name (tap0) appear; left click again to attach.
8. Click the network cable icon again to turn the cable tool off.
9. Right click router / Start
10. Right click on the middle of the cable / Capture / source = f0/0 / OK (this opens a Wireshark capture of the link between the virtual router and the tap)

#####################################################

Wireshark should now show some interesting information. Below is an example of what you may see:

Cisco EIGRP
Version: 2
Opcode: Hello/Ack (5)
Checksum: 0xee42
Flags: 0x00000000
…. …. …. …. …. …. …. …0 = Init: False
…. …. …. …. …. …. …. ..0. = Conditional Receive: False
…. …. …. …. …. …. …. .0.. = Restart: False
…. …. …. …. …. …. …. 0… = End Of Table: False
Sequence: 0
Acknowledge: 0
Autonomous System: 90
EIGRP Parameters
Software Version: IOS=12.4, EIGRP=1.2

###################################################################
With regards to the above:
This is great as it shows that the dynamic routing protocol in use is Enhanced Interior Gateway Routing Protocol (EIGRP) and that its autonomous system number is 90.
EIGRP uses the autonomous system number to identify a routing domain, normally the part of the network under one administrative group. Two EIGRP routers only become neighbours if their AS numbers match (and their K-values, carried in the EIGRP Parameters TLV, match too), so the AS number is the first thing to take from the capture. Just as important is what is missing: there is no authentication TLV in this hello, so no key is needed to join.

With this information you can configure your virtual router to run the same protocol with the same AS number, which lets it learn the routing table and inject routes:

Router#conf t
Router(config)#router eigrp 90
Router(config-router)#network 192.168.1.0 (the network range can be found in the CDP packets, which are also visible in Wireshark; use the network address, i.e. for an address of 192.168.1.1 enter 192.168.1.0)
Router(config-router)#no auto-summary
Router(config-router)#exit
Router(config)#exit
Router#sh ip route

##################################################################

Found on a network using OSPF. Open Shortest Path First (OSPF) is a link-state interior routing protocol for IP networks. The OSPF hello as seen in Wireshark:

No.     Time        Source                Destination           Protocol Length Info
85 212.381000  192.168.1.1           224.0.0.5             OSPF     90     Hello Packet

Frame 85: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: cc:00:0e:bc:00:00 (cc:00:0e:bc:00:00), Dst: IPv4mcast_00:00:05 (01:00:5e:00:00:05)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 224.0.0.5 (224.0.0.5)
Open Shortest Path First
OSPF Header
OSPF Version: 2
Message Type: Hello Packet (1)
Packet Length: 44
Source OSPF Router: 192.168.1.1 (192.168.1.1)
Area ID: 0.0.0.0 (Backbone)
Packet Checksum: 0x2af5 [correct]
Auth Type: Null
Auth Data (none)

This tells you the router ID (192.168.1.1), that the interface is in area 0 (the backbone) and that authentication is off (Auth Type: Null). To form an adjacency the hello and dead timers and the subnet mask carried in the hello body (not shown in the excerpt above) must also match the real router's; with the defaults in place, on the GNS3 router you would type:

Router#conf t
Router(config)#router ospf 22 (the process ID is only locally significant in OSPF, unlike the EIGRP AS number, which must match)
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#exit
Router(config)#exit
Router#sh ip route
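The recon in both captures above (EIGRP AS number and parameters; OSPF router ID, area and AuType) can be pulled out of a capture automatically instead of read off the Wireshark tree. The following Python script is an added example, not code from the original post: it parses raw Ethernet frames (what a pcap taken on br0 gives you) for EIGRP and OSPF hellos, reports the fields needed to peer and whether authentication is in use, and produces the IOS lines used above. The two sample frames are constructed inline from the field values shown in the Wireshark output (AS 90, IOS 12.4 / EIGRP 1.2, router 192.168.1.1, area 0.0.0.0, Auth Type Null) and are not captured traffic; the multicast groups, header layouts and the 0x0002 authentication TLV come from the protocol specifications, and the function names (analyse, peer_commands) are chosen here.

```python
"""Passive recon of EIGRP/OSPF hellos from raw Ethernet frames.
Added example, not code from the original post. Frames as sniffed on br0."""
import struct

IP_PROTO_EIGRP, IP_PROTO_OSPF = 88, 89
OSPF_AUTH = {0: "null", 1: "simple-password", 2: "cryptographic"}

def ip2b(s): return bytes(int(o) for o in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def ipv4_payload(frame):
    """Strip Ethernet II + IPv4; return (src_ip, protocol, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    return b2ip(frame[26:30]), frame[23], frame[14 + ihl:]

def parse_eigrp(p):
    """20-byte EIGRP header (bytes 18-19 = AS number) followed by TLVs."""
    info = {"proto": "eigrp", "version": p[0], "opcode": p[1],
            "as": struct.unpack("!H", p[18:20])[0], "auth": False,
            "k_values": None, "hold_time": None, "ios": None, "eigrp_ver": None}
    off = 20
    while off + 4 <= len(p):
        ttype, tlen = struct.unpack("!HH", p[off:off + 4])
        if tlen < 4:
            break
        val = p[off + 4:off + tlen]
        if ttype == 0x0001 and len(val) >= 8:      # parameters: K1..K5, reserved, hold time
            info["k_values"], info["hold_time"] = tuple(val[:5]), struct.unpack("!H", val[6:8])[0]
        elif ttype == 0x0002:                      # authentication TLV: a key is needed to peer
            info["auth"] = True
        elif ttype == 0x0004 and len(val) >= 4:    # software version
            info["ios"], info["eigrp_ver"] = f"{val[0]}.{val[1]}", f"{val[2]}.{val[3]}"
        off += tlen
    return info

def parse_ospf(p):
    """24-byte OSPFv2 header; the hello body carries mask and timers that must match."""
    version, mtype, plen = struct.unpack("!BBH", p[:4])
    autype = struct.unpack("!H", p[14:16])[0]
    info = {"proto": "ospf", "version": version, "type": mtype, "router_id": b2ip(p[4:8]),
            "area": b2ip(p[8:12]), "auth": OSPF_AUTH.get(autype, str(autype))}
    if mtype == 1 and len(p) >= 44:
        hello, _opts, prio, dead = struct.unpack("!HBBI", p[28:36])
        info.update(mask=b2ip(p[24:28]), hello=hello, dead=dead, priority=prio,
                    neighbors=[b2ip(p[i:i + 4]) for i in range(44, min(plen, len(p)), 4)])
    return info

def analyse(frames):
    """One dict per routing-protocol hello found in the frames."""
    out = []
    for f in frames:
        parsed = ipv4_payload(f)
        if not parsed:
            continue
        src, proto, payload = parsed
        if proto == IP_PROTO_EIGRP and len(payload) >= 20:
            out.append({"src": src, **parse_eigrp(payload)})
        elif proto == IP_PROTO_OSPF and len(payload) >= 24:
            out.append({"src": src, **parse_ospf(payload)})
    return out

def peer_commands(info, network, wildcard="0.0.0.255"):
    """IOS lines for the GNS3 router to join the domain seen in a hello (as in the post)."""
    if info["proto"] == "eigrp":
        return [f"router eigrp {info['as']}", f"network {network} {wildcard}", "no auto-summary"]
    return ["router ospf 1", f"network {network} {wildcard} area {info['area']}"]

def _frame(src, dst, proto, payload):
    """Constructed Ethernet II + IPv4 frame to a multicast group (IP checksum left zero)."""
    dmac = b"\x01\x00\x5e" + bytes([ip2b(dst)[1] & 0x7F]) + ip2b(dst)[2:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1,
                         proto, 0, ip2b(src), ip2b(dst))
    return dmac + b"\xcc\x00\x0e\xbc\x00\x00" + b"\x08\x00" + ip_hdr + payload

# Constructed sample 1: EIGRP hello, AS 90, no authentication TLV, IOS 12.4 / EIGRP 1.2
EIGRP_SAMPLE = _frame("192.168.1.1", "224.0.0.10", IP_PROTO_EIGRP,
    struct.pack("!BBHIIIHH", 2, 5, 0, 0, 0, 0, 0, 90)
    + struct.pack("!HH5BBH", 1, 12, 1, 0, 1, 0, 0, 0, 15)
    + struct.pack("!HH4B", 4, 8, 12, 4, 1, 2))
# Constructed sample 2: OSPF hello from 192.168.1.1, area 0.0.0.0, AuType null
OSPF_SAMPLE = _frame("192.168.1.1", "224.0.0.5", IP_PROTO_OSPF,
    struct.pack("!BBH4s4sHH8s", 2, 1, 44, ip2b("192.168.1.1"), ip2b("0.0.0.0"), 0, 0, bytes(8))
    + struct.pack("!4sHBBI4s4s", ip2b("255.255.255.0"), 10, 0x02, 1, 40, bytes(4), bytes(4)))
```

Against a real capture, read the frames out of the pcap with any pcap reader and pass them to analyse(). An EIGRP hello with auth False, or an OSPF hello with auth "null", means the segment will accept any router that matches the AS or area plus K-values, mask and timers; if auth is present you would additionally need the key, which is exactly what Fix 2 below relies on.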

#############################################

Fix 1

The passive-interface default command. This stops the routing process sending hellos and updates on every interface except the ones you explicitly allow, so no neighbour can form on the other ports (their networks are still advertised). If you are using a 48-port layer-three switch you do not need every port forming adjacencies, only the uplinks.

router eigrp 12
passive-interface default
no passive-interface FastEthernet0/0
auto-summary

The no passive-interface FastEthernet0/0 line re-enables routing updates on that interface; use your own AS number (90 in the capture above) and list each genuine uplink. The same command works under router ospf. CDP, which gave away the addressing earlier, is separate from the routing process and should be disabled on access ports as well.

Fix 2

EIGRP authentication, so only devices holding the key can form a neighbour relationship.

First create the key chain, named test in this example.
(config) # key chain test

Now set the key number, 1 in this example.
(config-keychain) # key 1

Now set the key string, champion in this example.
(config-keychain-key) # key-string champion
(config-keychain-key) # end

Now enable EIGRP message authentication on the interface that faces the neighbours. The number after eigrp is the AS number and must match your router eigrp process (90 in the capture above); this example uses 1.

(config) # interface fa0/0
(config-if) # ip authentication mode eigrp 1 md5
(config-if) # ip authentication key-chain eigrp 1 test
(config-if) # end

The adjacency drops as soon as one side is configured and does not come back until the other side holds the matching key, so do neighbours in pairs, uplinks first. Keyed MD5 stops a rogue router on the segment from peering; newer IOS also offers HMAC-SHA-256 for EIGRP in named mode. OSPF has the same weakness (the capture above shows Auth Type: Null) and the same class of fix: message-digest authentication enabled per interface or for the whole area, with an MD5 key on each OSPF interface.
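Both fixes can be checked from a running-config rather than by eye. The following is an added Python audit, example code and not from the post: it parses a show running-config dump, works out which interfaces each EIGRP or OSPF process actually runs on (classful or wildcard network statements matched against interface addresses, and passive-interface handling as in Fix 1), and reports processes without passive-interface default and active interfaces without MD5 authentication as in Fix 2. The config embedded below is constructed for the example, not taken from a real device, and the audit() and network_match() names are chosen here.

```python
"""Audit an IOS running-config for unprotected dynamic routing (added example,
not code from the original post)."""
import ipaddress
import re

# Constructed sample config for the example; not a real device's config.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip authentication mode eigrp 90 md5
 ip authentication key-chain eigrp 90 test
!
interface FastEthernet0/1
 ip address 10.10.10.254 255.255.255.0
!
interface Vlan10
 ip address 10.10.20.1 255.255.255.0
!
router eigrp 90
 network 192.168.1.0
 network 10.0.0.0
 no auto-summary
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface FastEthernet0/1
!
"""

def parse_blocks(text):
    """Split IOS config into (stanza header, [indented child lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def network_match(net, wildcard, ip):
    """True if an IOS 'network' statement covers ip (wildcard None = classful)."""
    if wildcard is None:                       # classful: A /8, B /16, C /24
        first = int(net.split(".")[0])
        prefix = 8 if first < 128 else 16 if first < 192 else 24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{prefix}", strict=False)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF   # wildcard bits are "don't care"
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(net)) & care)

def is_active(name, proc_lines):
    """Interface sends hellos unless passive, explicitly or via passive-interface default."""
    if "passive-interface default" in proc_lines:
        return f"no passive-interface {name}" in proc_lines
    return f"passive-interface {name}" not in proc_lines

def authenticated(proto, pid, area, if_lines, proc_lines):
    """Fix 2 check: MD5 authentication configured for this process on the interface."""
    if proto == "eigrp":
        return (f"ip authentication mode eigrp {pid} md5" in if_lines and
                any(l.startswith(f"ip authentication key-chain eigrp {pid} ") for l in if_lines))
    has_key = any(l.startswith("ip ospf message-digest-key ") for l in if_lines)
    enabled = ("ip ospf authentication message-digest" in if_lines or
               f"area {area} authentication message-digest" in proc_lines)
    return has_key and enabled

def audit(config):
    """Sorted findings: processes missing passive-interface default, unauthenticated active ports."""
    blocks = parse_blocks(config)
    interfaces = {}
    for hdr, lines in blocks:
        if hdr.startswith("interface "):
            for l in lines:
                m = re.match(r"ip address (\S+) \S+$", l)
                if m:
                    interfaces[hdr.split()[1]] = (m.group(1), lines)
    findings = set()
    for hdr, proc in blocks:
        m = re.match(r"router (eigrp|ospf) (\d+)$", hdr)
        if not m:
            continue
        proto, pid = m.groups()
        if "passive-interface default" not in proc:            # Fix 1 check
            findings.add(f"{proto} {pid}: passive-interface default not set")
        for l in proc:
            n = re.match(r"network (\S+)(?: (\S+))?(?: area (\S+))?$", l)
            if not n:
                continue
            net, wc, area = n.groups()
            for name, (ip, if_lines) in interfaces.items():
                if network_match(net, wc, ip) and is_active(name, proc) \
                        and not authenticated(proto, pid, area, if_lines, proc):
                    findings.add(f"{name} ({ip}): {proto} {pid} active without MD5 authentication")
    return sorted(findings)
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) and print audit(config). Every interface it lists is a port where the GNS3 router from the first half of this post could peer; in the constructed config the Vlan10 SVI is caught because the classful network 10.0.0.0 covers it even though nobody meant to run EIGRP towards the desks.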
