Penetration Testing mailing list archives

[PEN-TEST] Route Poisoning


From: Shrikanth Shetty <shrikanths () HCLCOMNET CO IN>
Date: Wed, 7 Mar 2001 11:06:58 +0530

Hello,

I was thinking about how a hacker can utilise spoofed route update packets
to compromise a router network. I would like the list readers to tell me if
the logic I have used is right or wrong.
Ok here I go :)

I was wondering whether it was possible for someone to spoof routing update
tables being exchanged by routers to keep their routing tables current. As
far as I know the routing table updates are multicast packets which can be
sent to the Ethernet port of the router. In a scenario where someone has
access to the traffic using an Ethernet sniffer on a hub LAN, I think it
would be possible for someone to capture the update packets. This would
first of all give the intruder knowledge about the network and also IP
spoofing can be used to generate fake update packets.

By sending a wrong update the intruder can direct traffic through the
network through whatever route he/she desires. In RIP there is no
authentication done to check the source of the packet. In OSPF an MD5 checksum
of a password provided is used to check the authenticity of the update. (I
am not 100% sure on this part, please correct me if I am wrong here.) However
I have been informed that normally nobody bothers with this password!!

Now coming to the point which I am interested in: first of all, is this all
possible??? Or am I missing out on some very basic stuff!!! Second, if
possible, can someone direct me to a site which has more info on this or maybe
share whatever he/she knows about all this.

thanks

shetty
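
As an added example (not part of the original post): a Python check a defender could run over captured RIP payloads to flag routing updates that carry no authentication entry or come from a source outside a known neighbor list. The name `audit_rip`, the neighbor list and the sample payloads are assumptions constructed for illustration; the field layout follows RFC 2453, including RIPv2's optional authentication entry.

```python
import struct
from ipaddress import IPv4Address

AUTH_AFI = 0xFFFF  # RFC 2453: address family that marks an authentication entry
AUTH_TYPES = {2: "simple-password", 3: "keyed-MD5"}

def audit_rip(payload: bytes, src: str, trusted_neighbors: set) -> dict:
    """Parse one RIP UDP payload (port 520) and list reasons to distrust it.
    Presence of authentication is reported; the digest itself is not verified."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        return {"routes": [], "auth": None, "findings": ["malformed length"]}
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    routes, auth, findings = [], None, []
    for off in range(4, len(payload), 20):
        afi, tag, addr, mask, _nhop, metric = struct.unpack(
            "!HHIIII", payload[off:off + 20])
        if afi == AUTH_AFI:
            if off == 4:  # authentication must be the first entry
                auth = AUTH_TYPES.get(tag, f"unknown({tag})")
            elif not (tag == 1 and auth == "keyed-MD5"):  # MD5 digest trailer
                findings.append("authentication entry out of place")
            continue
        routes.append((str(IPv4Address(addr)), str(IPv4Address(mask)), metric))
    if command == 2:  # 2 = Response, i.e. a routing update
        if src not in trusted_neighbors:  # weak check: source IPs can be spoofed
            findings.append(f"update from unlisted source {src}")
        if version == 1:
            findings.append("RIPv1 update: no authentication field exists")
        elif auth is None:
            findings.append("RIPv2 update carries no authentication entry")
        elif auth == "simple-password":
            findings.append("password sent in cleartext")
    return {"routes": routes, "auth": auth, "findings": findings}

def _entry(afi, tag, addr, mask, metric):
    ip = lambda a: int(IPv4Address(a))
    return struct.pack("!HHIIII", afi, tag, ip(addr), ip(mask), 0, metric)

# Constructed sample payloads (not captured traffic).
HDR_V2 = struct.pack("!BBH", 2, 2, 0)
ROUTE = _entry(2, 0, "10.20.0.0", "255.255.0.0", 1)
UNAUTH = HDR_V2 + ROUTE
WITH_MD5 = HDR_V2 + struct.pack("!HH", AUTH_AFI, 3) + bytes(16) + ROUTE \
    + struct.pack("!HH", AUTH_AFI, 1) + bytes(16)
if __name__ == "__main__":
    neighbors = {"192.0.2.1"}  # hypothetical neighbor list
    for name, pkt, src in [("unauth", UNAUTH, "192.0.2.77"),
                           ("md5", WITH_MD5, "192.0.2.1")]:
        print(name, audit_rip(pkt, src, neighbors))
```

The source-address check only narrows the field, since the address can be forged; the authentication findings are the ones that indicate whether a router would accept a forged update.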

