[ipv6hackers] CIsco HSRP hijacking

Jim Small jim.small at cdw.com
Sun Dec 2 19:23:06 CET 2012

> > I'm assuming you mean if md5 authentication isn't used?  If not, then yes
> > you would be susceptible to spoofing attacks.
> >
> >
> Yes. MD5 authentication is not enabled.
> >
> > > For IPv6 network, HSRPv2 would be in placed. Would this HSRP hijacking
> > > technique works and applicable for IPv6 environment? Do anyone have a
> > > success test case for this?
> >
> > You should be able to use scapy to do the same attack for any FHRP (HSRP,
> > VRRP, GLBP) whether its v4 or v6 if the FHRP isn't using "secure"
> > authentication.  See:
> > http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
> > http://www.gotohack.org/2011/01/scapy-hsrp-md5-auth-dissecter-
> to.html
> >
> >
> I actually refer to these same sites as references ; )  I understand about
> the background mechanism how the hijacking process could work and
> HSRPv2
> packet dissector class is not exists in Scapy v2.2.0-dev. I tried to make a
> Proof of Concept with Raw() packet replay with higher Priority value, yet
> no luck.
> I am curios if you or anyone around have created such a success test case
> before? I know theoretically it should happen. Thanks!

I haven't personally tried it.  However, from looking at HSRPv2 packet captures the format looks pretty straight forward.  You could always setup GNS3 with 2 7200s and then connect your system to a virtual interface to inject scapy packets.  GNS3 even lets you do packet captures so you can do a hex comparison to validate you have the packet formatting correct.  I wouldn't think it would be that hard but I haven't done it personally.  So many cool ideas so little time...  :-)


More information about the Ipv6hackers mailing list