Penetration Testing mailing list archives
Re: Possible hi-jacking of ospf chain.
From: Syv Ritch <syv () 911networks com>
Date: Thu, 4 Jan 2007 10:31:36 -0800
On Wed, 3 Jan 2007 20:46:08 -0800 "Xiaoyong Wu" <xiaoyong.wu () gmail com> wrote:
I was involved in one of DARPA projects called JiNao which was an intrusion detection system for network architectures. There are several papers on this project that might be helpful. Here are some of them with some information regarding OSPF issues and attacks: http://citeseer.ist.psu.edu/jou00design.html http://citeseer.ist.psu.edu/387416.html
First you should always use MD5 as an encryption, instead of plain-text. Now, in theory it's possible, but not easy or simple to hijack OSPF. 1. The routing table is ONLY local to the local router. In OSPF the routing table is never sent across. The routing table is calculated by each router according to it's LSA table that it has received from the DR [designated router] or the BDR [backup designated router] if the DR is down. 2. All routers establish a neighborship with the DR after the DR/BDR election, [as long as you don't use Point-to-Point relationship]. To inject so called bad LSAs in real life [not in a lab], you will need: A. Know the OSPF network design or if you intercept the packets, you will have to reverse engineer the LSA table from the Designated Router. B. Create the fake LSA packets, send them to the DR. C. Let OSPF do the rest. D. Every 30 minutes, resend the fake LSA packets. By default, OSPF resend the whole LSA table every 30 minutes.
Regards, -Xiaoyong On 1/3/07, Nikolaj <lorddoskias () gmail com> wrote:dhess () na cokecce com wrote:With this password you could create an OSPF neighbor on the target network and pollute the route table in whatever fashion you wish... you could begin routing traffic through you to do packet capture and analysis or you could route traffic to a black hole, thereby creating a DOS. Best practice is to use MD5 hashing for OSPF passwords. Dennis *Nikolaj <lorddoskias () gmail com>* Sent by: listbounce () securityfocus com 01/03/2007 06:07 AM To pen-test () securityfocus com cc Subject Possible hi-jacking of ospf chain. Hello, Happy New Year to everyone, that's first. :) I'm observing the traffic flow in my network and I see some strange behavior with the OSPF packets. All of them contain plain-text password. I was wondering whether it was possible to join the OSPF chain and route the traffic to /dev/null let's say and thus render the network traffic unavailable? Or what can be done with this password? It's in the OSPF LS Acknowledge and OSPF Hello packet. ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------Very interesting. I'm talking about a network based on the open-source package quagga. Can you give some links to paper that describe possible attaks, or the best way is to download and install quagga on my machine and start playing with the router tables? Regards. ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
-- Thanks http://www.911networks.com When the network has to work ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Possible hi-jacking of ospf chain. Nikolaj (Jan 03)
- <Possible follow-ups>
- Re: Possible hi-jacking of ospf chain. Nikolaj (Jan 03)
- Re: Possible hi-jacking of ospf chain. Xiaoyong Wu (Jan 04)
- Re: Possible hi-jacking of ospf chain. Syv Ritch (Jan 04)
- Re: Possible hi-jacking of ospf chain. Xiaoyong Wu (Jan 04)