From b7a7c8e9a3048f8ffe08873f7a291c48b6c2510b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 12 Mar 2026 16:25:27 +0000 Subject: [PATCH] Add content from: Research Update Enhanced src/generic-methodologies-and-resou... --- .../pentesting-network/eigrp-attacks.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index bb64aa79696..b4fc1e4a2a9 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -4,6 +4,13 @@ **This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information. + +## **Protocol Notes (Attacker View)** + +- EIGRP uses IP protocol number `88` and the IPv4 multicast group `224.0.0.10` (IPv6 `FF02::A`) for EIGRP routers. +- HELLO packets include the Parameter TLV with the EIGRP K-values and Hold Time. K-values must match for a neighborship to form. The default HELLO interval is 5 seconds and the default Hold Time is 3x the HELLO interval. +- Quick capture filter: `tcpdump -ni "ip proto 88"` + ## **Fake EIGRP Neighbors Attack** - **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack. 
@@ -58,6 +65,35 @@ - `--as`: Defines the EIGRP AS number. - `--src`: Sets the attacker’s IP address. + +## **Scapy Packet Crafting** + +Scapy provides an EIGRP contrib layer with TLVs such as `EIGRPParam`, `EIGRPIntRoute`, and `EIGRPExtRoute` that can be used to build HELLOs and UPDATEs. + +```python +from scapy.all import * +load_contrib("eigrp") + +pkt = Ether()/IP(src="10.0.0.2", dst="224.0.0.10")/EIGRP( + opcode=5, + asn=1, + tlvlist=[EIGRPParam(k1=1, k3=1, holdtime=15)] +) +sendp(pkt, iface="eth0", count=5, inter=1) +``` + +- `EIGRPIntRoute` can advertise internal prefixes in UPDATE packets. +- `EIGRPExtRoute` can advertise external prefixes (including default routes) in UPDATE packets. + + + + +## References + +- [RFC 7868 - Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP)](https://www.ietf.org/rfc/rfc7868.txt.pdf) +- [Scapy EIGRP contrib documentation](https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html) + + {{#include ../../banners/hacktricks-training.md}}
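Review bot: In the Protocol Notes hunk, the quick capture filter `tcpdump -ni "ip proto 88"` has no interface argument, so `-i` takes the filter string as the interface name and the command fails as written; it should read `tcpdump -ni <iface> "ip proto 88"`. The same list gives the IPv6 group `FF02::A`, but `ip proto 88` only matches IPv4, so either state that the filter is IPv4-only or add `ip6 proto 88`. The Hold Time bullet would also be clearer with the resulting default (15 seconds) written out, since the Scapy example in the later hunk uses `holdtime=15` without explanation.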
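Review bot: In the Scapy Packet Crafting hunk, the snippet passes `opcode=5` as a bare number and hard-codes `asn=1`, `src="10.0.0.2"` and `iface="eth0"` with no indication that these are lab values to replace; add a comment that opcode 5 is HELLO and mark the other three as placeholders, in line with the `--as` and `--src` descriptions in the context lines just above. `EIGRPParam(k1=1, k3=1, holdtime=15)` deserves one sentence tying it to the K-value and Hold Time bullet added in the first hunk, because the reader is told K-values must match but not that these are the values being matched. In the References block, the RFC 7868 URL ends in `.txt.pdf`, which should be checked or replaced with the RFC's canonical page, and the four consecutive blank `+` lines before `## References` can be collapsed to one.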