Monday, January 3, 2011

Network: Scapy HSRP dissector with md5 auth support!

I'm starting this new blog by posting a new script for Scapy.


Summary


A few days ago a coworker of mine ran into difficulties dissecting some HSRP packets with Wireshark. I had a look at the pcap and realized that these were not the usual HSRP packets with clear-text authentication: some extra data was appended to the regular HSRP packet. After a few minutes looking at the Wireshark source code and the HSRP specification I developed this Scapy dissector, based on the HSRPv1 and HSRPv2 specifications. (The code is attached below.)



Why use HSRP MD5 authentication?


If you are wondering why you would implement HSRP with MD5 authentication on your network, here is the answer: it protects against HSRP spoofing/hijacking software. For more details check out this blog post: Hijacking HSRP - Packet Life

How HSRP MD5 Authentication Works
MD5 authentication provides greater security than plain text authentication. This feature allows each HSRP group member to use a secret key to generate a keyed MD5 hash of the packet, which is carried in the outgoing packet. A keyed hash of each incoming packet is generated, and if the generated hash does not match the hash within the incoming packet, the packet is ignored.

The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.

HSRP has two authentication schemes:
• Plain text authentication
• MD5 authentication

HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Router A has a priority of 120 and is the active router. If a host sends spoofed HSRP hello packets with a priority of 130, then Router A stops being the active router. If Router A has authentication configured such that the spoofed HSRP hello packets are ignored, Router A will remain the active router.

HSRP packets will be rejected in any of the following cases:
• The authentication schemes differ on the router and in the incoming packet.
• The MD5 digests differ on the router and in the incoming packet.
• The text authentication strings differ on the router and in the incoming packet.

PS: I'm looking for a Cisco firmware image that supports HSRP with MD5 auth, or any information about the Cisco HSRP MD5 implementation, so feel free to drop me a line...

Scapy Dissector Code:

[After copying the file into your Scapy layers directory (/python26/Lib/site-packages/scapy/layers), the script is automatically loaded by Scapy.]


#############################################################################
##                                                                         ##
## hsrp.py --- HSRP  protocol support for Scapy                            ##
##                                                                         ##
## Copyright (C) 2010  dark(-at-)gotohack.org                              ##   
##                                                                         ##
## This program is free software; you can redistribute it and/or modify it ##
## under the terms of the GNU General Public License version 2 as          ##
## published by the Free Software Foundation; version 2.                   ##
##                                                                         ##
## This program is distributed in the hope that it will be useful, but     ##
## WITHOUT ANY WARRANTY; without even the implied warranty of              ##
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       ##
## General Public License for more details.                                ##
##                                                                         ##
#############################################################################
## HSRP Version 1
##  Ref. RFC 2281
## HSRP Version 2
##  Ref. http://www.smartnetworks.jp/2006/02/hsrp_8_hsrp_version_2.html
##
## $Log: hsrp.py,v $ 
## Revision 0.2  2011/05/01 15:23:34  drk
##   Cleanup code
##
##

import struct

from scapy.fields import *
from scapy.packet import *
from scapy.layers.inet import UDP


class HSRP(Packet):
    name = "HSRP"
    fields_desc = [
        ByteField("version", 0),
        ByteEnumField("opcode", 0, {0: "Hello", 1: "Coup", 2: "Resign"}),
        ByteEnumField("state", 16, {0: "Initial", 1: "Learn", 2: "Listen",
                                    4: "Speak", 8: "Standby", 16: "Active"}),
        ByteField("hellotime", 3),
        ByteField("holdtime", 10),
        ByteField("priority", 120),
        ByteField("group", 1),
        ByteField("reserved", 0),
        # Plain-text authentication string, zero-padded to 8 bytes
        StrFixedLenField("auth", b"cisco" + b"\x00" * 3, 8),
        IPField("virtualIP", "192.168.1.1")]

    def guess_payload_class(self, payload):
        # A plain HSRPv1 packet is 20 bytes, so the UDP length is 28
        # (8-byte UDP header + 20). Anything longer carries the MD5
        # authentication TLV after the fixed header.
        udp_len = getattr(self.underlayer, "len", None) or 0
        if udp_len > 28:
            return HSRPmd5
        return Packet.guess_payload_class(self, payload)


class HSRPmd5(Packet):
    name = "HSRP MD5 Authentication"
    fields_desc = [
        ByteEnumField("type", 4, {4: "MD5 authentication"}),
        # Length of the TLV value, i.e. everything after the type and len
        # bytes (28 on the wire); computed automatically in post_build
        ByteField("len", None),
        ByteEnumField("algo", 1, {1: "MD5"}),
        ByteField("padding", 0x00),
        XShortField("flags", 0x00),
        IPField("sourceip", "0.0.0.0"),
        XIntField("keyid", 0x00),
        StrFixedLenField("authdigest", b"\x00" * 16, 16)]

    def post_build(self, p, pay):
        # Fill in len when the user left it unset: the value length
        # excludes the 1-byte type and 1-byte len fields themselves.
        if self.len is None:
            l = len(p) - 2
            p = p[:1] + struct.pack("!B", l) + p[2:]
        return p + pay


bind_layers(UDP, HSRP, dport=1985, sport=1985)


Example:
from scapy.all import *
interact()
h=rdpcap("hsrpmd5.pcap")
>>> h[0].show2()
###[ Ethernet ]###
dst= 01:00:5e:00:00:02
src= 00:00:0c:03:2c:3b
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0xc0
len= 78
id= 0
flags=
frag= 0L
ttl= 1
proto= udp
chksum= 0xdad6
src= 192.1.223.252
dst= 224.0.0.2
\options\
###[ UDP ]###
sport= 1985
dport= 1985
len= 58
chksum= 0xe334
###[ HSRP ]###
version= 0
opcode= Hello
state= Active
hellotime= 0
holdtime= 0
priority= 120
group= 15
reserved= 0
auth= ''
virtualIP= 192.1.223.254
###[ HSRP MD5 Authentication ]###
type= MD5 authentication
len= 28
algo= MD5
padding= 0
flags= 0x0
sourceIP= 192.1.223.252
keyid= 0x0
md5auth= '\x8f\xa2\x52\x4e\x3f\x34\x78\x86\x32\xa6\x8c\xd6\x44\x96\x78\x96'
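The packet shown in the session above, parsed without Scapy. This is an added example, not code from the post or from Scapy: a standard-library parser for the HSRPv1 header and the MD5 authentication TLV (it uses the same rule as the dissector, that anything past the 20-byte header is the MD5 trailer), followed by the three rejection rules quoted earlier. The sample bytes are reconstructed from the show2() output (constructed here, not read from the pcap); the plain-text sample uses the dissector's defaults. The MD5 branch only compares digests: Cisco's exact keyed-MD5 construction is not given on the page, so the caller is assumed to supply the digest the receiver computed itself.

```python
import hmac
import socket
import struct

HSRP_HDR_LEN = 20   # fixed HSRPv1 header, RFC 2281
MD5_TLV_LEN = 30    # type(1) len(1) algo(1) pad(1) flags(2) sourceip(4) keyid(4) digest(16)
TLV_TYPE_MD5 = 4
ALGO_MD5 = 1
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_md5_tlv(tlv):
    """Decode the MD5 authentication trailer and validate its length byte."""
    if len(tlv) != MD5_TLV_LEN:
        raise ValueError("unexpected HSRP trailer length %d" % len(tlv))
    ttype, tlen, algo, pad, flags = struct.unpack("!4BH", tlv[:6])
    if ttype != TLV_TYPE_MD5:
        raise ValueError("trailer type %d is not MD5 authentication" % ttype)
    # len covers everything after the type and len bytes (28 in the capture)
    if tlen != len(tlv) - 2:
        raise ValueError("TLV len %d does not match %d data bytes" % (tlen, len(tlv) - 2))
    return {
        "type": ttype, "len": tlen,
        "algo": "MD5" if algo == ALGO_MD5 else algo,
        "padding": pad, "flags": flags,
        "sourceip": socket.inet_ntoa(tlv[6:10]),
        "keyid": struct.unpack("!I", tlv[10:14])[0],
        "digest": tlv[14:30],
    }


def parse_hsrp(udp_payload):
    """Parse the UDP payload of an HSRPv1 packet into a dict.

    Like the Scapy dissector's guess_payload_class, anything beyond the
    20-byte fixed header is treated as the MD5 authentication TLV.
    """
    if len(udp_payload) < HSRP_HDR_LEN:
        raise ValueError("short HSRP packet (%d bytes)" % len(udp_payload))
    (version, opcode, state, hellotime, holdtime,
     priority, group, reserved) = struct.unpack("!8B", udp_payload[:8])
    pkt = {
        "version": version,
        "opcode": OPCODES.get(opcode, opcode),
        "state": STATES.get(state, state),
        "hellotime": hellotime, "holdtime": holdtime,
        "priority": priority, "group": group, "reserved": reserved,
        "auth": udp_payload[8:16].rstrip(b"\x00"),   # plain-text auth string
        "virtualIP": socket.inet_ntoa(udp_payload[16:20]),
        "md5": None,
    }
    trailer = udp_payload[HSRP_HDR_LEN:]
    if trailer:
        pkt["md5"] = parse_md5_tlv(trailer)
    return pkt


def should_accept(pkt, configured_scheme, configured_text=b"cisco", expected_digest=None):
    """Apply the three rejection rules quoted in the post to a parsed packet.

    configured_scheme is "text" or "md5". For "md5" the caller passes the
    keyed digest the receiver computed itself (assumption: this example only
    compares digests and does not reproduce Cisco's keyed-MD5 construction).
    Returns (accepted, reason).
    """
    incoming_scheme = "md5" if pkt["md5"] is not None else "text"
    if incoming_scheme != configured_scheme:
        return False, "authentication scheme mismatch"
    if configured_scheme == "text":
        if not hmac.compare_digest(pkt["auth"], configured_text):
            return False, "text authentication string mismatch"
        return True, "text authentication ok"
    if expected_digest is None or not hmac.compare_digest(pkt["md5"]["digest"], expected_digest):
        return False, "MD5 digest mismatch"
    return True, "MD5 digest ok"


# Constructed from the show2() output above: hello from 192.1.223.252, group 15,
# priority 120, all-zero plain-text auth, MD5 trailer with the digest shown there.
SAMPLE_MD5 = (
    bytes([0, 0, 16, 0, 0, 120, 15, 0]) + b"\x00" * 8 + socket.inet_aton("192.1.223.254")
    + bytes([4, 28, 1, 0]) + b"\x00\x00" + socket.inet_aton("192.1.223.252") + b"\x00" * 4
    + bytes.fromhex("8fa2524e3f34788632a68cd644967896")
)
# Constructed plain-text hello using the dissector's defaults (auth "cisco", group 1).
SAMPLE_TEXT = (bytes([0, 0, 16, 3, 10, 120, 1, 0]) + b"cisco\x00\x00\x00"
               + socket.inet_aton("192.168.1.1"))

if __name__ == "__main__":
    md5_pkt = parse_hsrp(SAMPLE_MD5)
    print(md5_pkt)
    print(should_accept(md5_pkt, "text"))                   # rejected: scheme mismatch
    print(should_accept(parse_hsrp(SAMPLE_TEXT), "text"))   # accepted
```

A router configured for plain-text authentication rejects the MD5 sample before looking at any string, which is the first rule on the list; the length check in parse_md5_tlv catches a trailer whose len byte disagrees with the bytes actually present, a condition the Scapy dissector silently accepts.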


Enjoy, and please get back to me if you have any suggestions or encounter difficulties using this script.

4 comments:

  1. Great man!!! Your blog looks good. I hope you carry on posting ...

  2. I know it's a bit late, but if you want HSRP with MD5 auth and, of course, not expensive: Cisco 3550 switches. I have 4 for my CCNP Switch exam practice and they are working fine :)

    IOS Version: "flash:c3550-ipservicesk9-mz.122-40.SE.bin"

  3. Does anyone have an HSRPv2 pcap with an MD5 password set and the clear text password?

  4. Hi, I'm working on HSRP hijacking/research and I need help from you to understand RFC 1828 and how Cisco signs its own HSRP packets with a shared secret :)

    Maybe you have some other code examples that can help me?
    At this moment, I have code that can build custom HSRP packets and real HSRP dumps with md5 auth in them and a known shared secret.
