An often-overlooked area of network security is the set of routing and redundancy protocols used between routing endpoints. Specifically, Dynamic Routing Protocols (DRPs) such as OSPF, RIP and EIGRP, and First Hop Redundancy Protocols (FHRPs) such as VRRP and HSRP, are poorly understood by InfoSec attackers and defenders alike, and the available tooling is either aging and unmaintained or hard to use without first mastering the protocols. This talk will showcase several common misconfigurations of these protocols on networks, and how they can be used for Person-in-the-Middle attacks and network discovery. Additionally, Kubernetes network providers rely on some of these protocols, so the same misconfigurations can be present there. We'll be releasing new research into how these protocols and their weaknesses can be exploited, leveraging a virtual router and orchestration that we've created so that defenders can test their networks for such vulnerabilities and pentesters can demonstrate the weaknesses.
Most DRPs, such as OSPF, rely on multicast to initiate the process of establishing neighbor adjacencies, and are often configured without a proper authentication method or without clear separation of the control plane. These weaknesses allow an attacker to introduce a rogue neighbor, which lets them observe networks that are otherwise hidden from compute endpoints, or tamper with routing table entries. A malicious route can be used to redirect DNS/SMB traffic and conduct Person-in-the-Middle attacks. DRPs are not the only protocols that can be configured insecurely: layer-three FHRPs such as VRRP are also often configured insecurely, and exploiting them allows Person-in-the-Middle attacks similar to ARP spoofing.
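As an added illustration of the authentication weakness described above (example code written for this page, not part of the talk's tooling): a small Python parser for OSPFv2 Hello packets that a defender can run over captures taken on a segment to flag routers advertising null or cleartext-password authentication. The field layout follows RFC 2328; the sample packet is constructed inline and the OSPF checksum is not validated.

```python
import ipaddress
import struct

# OSPFv2 constants (RFC 2328): packet type 1 is Hello; AuType values from Appendix D.
OSPF_HELLO = 1
AUTH_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic"}

def parse_ospf_hello(pkt: bytes) -> dict:
    """Parse an OSPFv2 Hello given as the raw IP payload (no IP header)."""
    if len(pkt) < 44:
        raise ValueError("too short for OSPFv2 header (24) + Hello body (20)")
    version, ptype, length, rid, area, _cksum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    # Bytes 16..24 hold the authentication field; the Hello body starts at offset 24.
    _mask, hello_int, _opts, prio, dead_int, _dr, _bdr = struct.unpack("!IHBBIII", pkt[24:44])
    # Neighbor router IDs follow the fixed body, 4 bytes each, up to the declared length.
    neighbors = [str(ipaddress.IPv4Address(n)) for (n,) in struct.iter_unpack("!I", pkt[44:length])]
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area": str(ipaddress.IPv4Address(area)),
        "auth_type": AUTH_NAMES.get(autype, f"unknown({autype})"),
        "hello_interval": hello_int,
        "dead_interval": dead_int,
        "priority": prio,
        "neighbors": neighbors,
    }

def audit_hello(pkt: bytes) -> list:
    """Return findings for a Hello seen on a segment; an empty list means no weak AuType."""
    h = parse_ospf_hello(pkt)
    findings = []
    if h["auth_type"] == "null":
        findings.append("AuType 0: unauthenticated, any host on the segment can become a neighbor")
    elif h["auth_type"] == "simple-password":
        findings.append("AuType 1: cleartext password carried in every Hello")
    return findings

def build_hello(router_id, area, autype, auth=b"\x00" * 8, neighbors=()):
    """Construct a sample Hello for testing (checksum left 0; it is not validated above)."""
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    body += b"".join(struct.pack("!I", int(ipaddress.IPv4Address(n))) for n in neighbors)
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, 24 + len(body),
                      int(ipaddress.IPv4Address(router_id)), int(ipaddress.IPv4Address(area)),
                      0, autype)
    return hdr + auth + body

# Constructed sample: a router with no authentication announcing two neighbors.
SAMPLE = build_hello("10.0.0.1", "0.0.0.0", 0, neighbors=["10.0.0.2", "10.0.0.3"])
```

Feeding the UDP-less IP payload of packets sent to 224.0.0.5 into `audit_hello` gives a quick inventory of which routers on a segment would accept an unauthenticated neighbor.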
These attacks have typically required either a virtual firewall bridged onto the target network or a dated open-source tool such as Loki or Yersinia. A modern alternative that addresses these problems will be released during this talk.