Skip to content

Research Update Enhanced src/generic-methodologies-and-resou... #1985

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Research Update Enhanced src/generic-methodologies-and-resou... #1985

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,13 @@

**This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information.


## **Protocol Notes (Attacker View)**

- EIGRP uses IP protocol number `88` and the IPv4 multicast group `224.0.0.10` (IPv6 `FF02::A`) for EIGRP routers.
- HELLO packets include the Parameter TLV with the EIGRP K-values and Hold Time. K-values must match for a neighborship to form. The default HELLO interval is 5 seconds and the default Hold Time is 3x the HELLO interval.
- Quick capture filter: `tcpdump -ni <iface> "ip proto 88"`

## **Fake EIGRP Neighbors Attack**

- **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack.
Expand Down Expand Up @@ -58,6 +65,35 @@
- `--as`: Defines the EIGRP AS number.
- `--src`: Sets the attacker’s IP address.


## **Scapy Packet Crafting**

Scapy provides an EIGRP contrib layer with TLVs such as `EIGRPParam`, `EIGRPIntRoute`, and `EIGRPExtRoute` that can be used to build HELLOs and UPDATEs.

```python
from scapy.all import *
load_contrib("eigrp")

pkt = Ether()/IP(src="10.0.0.2", dst="224.0.0.10")/EIGRP(
opcode=5,
asn=1,
tlvlist=[EIGRPParam(k1=1, k3=1, holdtime=15)]
)
sendp(pkt, iface="eth0", count=5, inter=1)
```

- `EIGRPIntRoute` can advertise internal prefixes in UPDATE packets.
- `EIGRPExtRoute` can advertise external prefixes (including default routes) in UPDATE packets.




## References

- [RFC 7868 - Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP)](https://www.ietf.org/rfc/rfc7868.txt.pdf)
- [Scapy EIGRP contrib documentation](https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html)


{{#include ../../banners/hacktricks-training.md}}


Expand Down