Routopsy: Modern Routing Protocol Vulnerability Analysis and Exploitation

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 1:30 p.m. (40 minutes)

An often-overlooked area of network security are the routing and redundancy protocols used between routing endpoints. Specifically, Dynamic Routing Protocols (DRP) such as OSPF, RIP, EIGRP, and First Hop Redundancy Protocols (FHRP) such as VRRP and HSRP are poorly understood by InfoSec attackers and defenders, have limited tooling that is either aging and unmaintained or hard to understand without first having a mastery of the protocols. This talk will showcase several common misconfigurations of these protocols on networks, and how this can be used for Person-in-the-Middle attacks and network discovery. Additionally, Kubernetes Network Providers are reliant on some of these protocols and these misconfigurations could also be present. We'll be releasing new research into how these protocols and their weaknesses can be exploited leveraging a virtual router and orchestration that we've created for defenders to test their network for such vulnerabilities or pentesters to demonstrate the weaknesses.

Most DRP's, such as OSPF, rely on multicasting to initiate the process of establishing neighbor adjacencies and are often configured without a proper authentication method or clear separation from the control plane. These vulnerabilities allow an attacker to introduce a rogue neighbor, allowing them to observe networks which are abstracted from computing end points, or to tamper with routing table entries. A malicious route can be used to cause DNS/SMB redirection to conduct Person-in-the-Middle attacks. DRP's are not the only protocols which could be configured insecurely. Layer three, FHRP's such as VRRP are often configured insecurely, where exploitation allows person-in-the-middle attacks similar to ARP spoofing.

These attacks typically required either a virtual firewall bridged onto a target network, or use of a dated open source tool such as Loki or Yersinia. A modern alternative to solve these problems will be released during this talk.


Presenters:

  • Tyron Kemp - Analyst, SensePost
    Tyron Kemp is a pentester at SensePost with a network and security engineering background. Tyron has been in the industry for over seven years with a strong focus on security for the past three years. He previously built insecure networks, now he spends his times breaking them.
  • Szymon Ziolkowski - Analyst, SensePost
    Szymon Ziolkowski is a information security analyst at SensePost. Szymon went straight from university into hacking organizations and has been doing so for a few years. Whenever he presents internally, he often takes the opportunity to lobby for an office in Poland.

Links:

Similar Presentations: