From 50e4fa39cf51b8a9bbe39ccd25b29470bebe7c3c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 12 Mar 2026 16:52:25 +0000 Subject: [PATCH] Add content from: Research Update Enhanced src/generic-methodologies-and-resou... --- .../pentesting-network/eigrp-attacks.md | 38 ++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index bb64aa79696..7ac66469eef 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -4,6 +4,14 @@ **This is a summary of the attacks exposed in** [**https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9**](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9). Check it for further information. + +## Protocol Notes Useful for Attacks + +- EIGRP uses five packet types to handle session management and DUAL messaging: **HELLO/ACK**, **QUERY** (includes SIA-QUERY), **REPLY** (includes SIA-REPLY), **REQUEST**, and **UPDATE**. +- DUAL message types are **UPDATE**, **QUERY**, and **REPLY**. When a route stays **ACTIVE** too long, EIGRP uses **SIA-QUERY/SIA-REPLY** to probe neighbors before declaring the route stuck-in-active. +- EIGRP relies on **TLVs** (Parameter, Authentication, Sequence, Software Version, Route TLVs). If authentication TLVs are present (MD5/SHA2), forged packets must carry valid auth data to be accepted. + + ## **Fake EIGRP Neighbors Attack** - **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack. 
@@ -58,7 +66,35 @@ - `--as`: Defines the EIGRP AS number. - `--src`: Sets the attacker’s IP address. -{{#include ../../banners/hacktricks-training.md}} +## **SIA / Query Exhaustion (DoS)** + +- **Objective**: Force neighbors into **Stuck-in-Active (SIA)** by driving routes ACTIVE and preventing timely REPLYs, causing adjacency resets and route loss. +- **High-level idea**: Inject or perturb many prefixes so neighbors enter ACTIVE and issue QUERYs, then prevent/blackhole REPLYs so the SIA timer expires; repeat to keep the domain unstable and CPU-bound. + +## **Packet Crafting with Scapy** + +Scapy ships an EIGRP contrib layer (`scapy.contrib.eigrp`) with common TLVs (Parameter, Auth, Internal/External Route). You can build custom packets for lab validation or controlled injection. + +```python +from scapy.all import IP, send +from scapy.contrib.eigrp import EIGRP, EIGRPParam, EIGRPSwVer, EIGRPIntRoute + +pkt = IP(dst="10.0.0.1")/EIGRP(asn=1, tlvlist=[ + EIGRPParam(k1=1, k3=1, holdtime=15), + EIGRPSwVer(), + EIGRPIntRoute(dst="10.10.10.0", prefixlen=24, nexthop="10.0.0.2"), +]) + +# Set the correct opcode for the packet type you need (UPDATE/QUERY/REPLY) before sending. +send(pkt, iface="eth0") +``` + +## References + +- [https://datatracker.ietf.org/doc/html/rfc7868](https://datatracker.ietf.org/doc/html/rfc7868) +- [https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html](https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html) + +{{#include ../../banners/hacktricks-training.md}}
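Review bot: the new `## Protocol Notes Useful for Attacks` heading in the first hunk breaks the file's heading style: the neighbouring section is `## **Fake EIGRP Neighbors Attack**` and the headings added in the second hunk (`## **SIA / Query Exhaustion (DoS)**`, `## **Packet Crafting with Scapy**`) are bold as well, so this one should read `## **Protocol Notes Useful for Attacks**`; the hunk also leaves two consecutive blank lines before the Fake Neighbors heading, one added and one from context. On content, the last bullet states that forged packets must carry valid auth data when Authentication TLVs are present, but none of the attack sections that follow say that they assume an unauthenticated EIGRP domain; a sentence in that bullet (or a cross-reference from the SIA and Scapy sections) would make the precondition explicit.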
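Review bot: the Scapy example under `## **Packet Crafting with Scapy**` never sets `opcode`, yet its trailing comment tells the reader to set the correct opcode before sending; as written `EIGRP(asn=1, tlvlist=[...])` goes out with the layer's default opcode (HELLO in `scapy.contrib.eigrp`), which is the wrong packet type for something carrying an `EIGRPIntRoute` TLV. Put the field in the constructor, e.g. `EIGRP(opcode=1, asn=1, tlvlist=[...])` for an UPDATE, and drop the comment so the snippet matches what it claims to show. Two smaller points: `EIGRPParam(k1=1, k3=1, holdtime=15)` deserves a comment that the K-values and holdtime must match the neighbour's configuration or the packet is ignored, and the SIA / Query Exhaustion section has no mitigation or detection line, whereas the Protocol Notes hunk already states that Authentication TLVs cause unauthenticated forged packets to be rejected; one sentence pointing there would round the section off.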