RIPv2 Injection with a simple password authentication
by Alex on Dec.04, 2007, under Cisco, Video
A few days ago, a friend talked to me about a Python packet forger. I thought it would be interesting to use it to inject RIPv2 information into a router.
So I made a tool to try to inject RIPv2 updates into my Linksys router. Here's the result.
Well, it was working, but the fun part starts now… With RIPv2, you can use authentication to guarantee the source of your packets. Two authentication types are available:
- A simple password (clear text passing through the network)
- An MD5-hashed password
Looking at the packet forger source code, there was no way to inject RIP updates with authentication, so I added a little piece of code to use this feature. Let's check what the RIPv2 RFC tells us…
Since authentication is a per message function, and since there is only one 2-octet field available in the message header, and since any reasonable authentication scheme will require more than two octets, the authentication scheme for RIP version 2 will use the space of an entire RIP entry. If the Address Family Identifier of the first (and only the first) entry in the message is 0xFFFF, then the remainder of the entry contains the authentication. This means that there can be, at most, 24 RIP entries in the remainder of the message. If authentication is not in use, then no entries in the message should have an Address Family Identifier of 0xFFFF. Currently, the only Authentication Type is simple password and it is type 2. The remaining 16 octets contain the plain text password. If the password is under 16 octets, it must be left-justified and padded to the right with nulls (0x00).
So I just had to add this part to the source code:
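    # Authentication entry: takes the place of the first 20-octet RIP entry
    class RIPAuth(Packet):
        name = "RIP Clear Authentication"
        fields_desc = [
            ShortField("header", 0xFFFF),            # Address Family Identifier marking authentication
            ShortField("authtype", 2),               # Authentication Type 2 = simple password
            StrFixedLenField("password", "", 16),    # clear-text password, null-padded to 16 octets
        ]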
Click here to watch the video
http://www.madrouter.com/tutoriaux/RIPInjection/RIPInjection.htm
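
From the defender's side, the entry layout in the RFC excerpt above is enough to audit captured RIP updates for missing or clear-text authentication. The following Python is an added example, not part of the original post or of the packet forger; the function name, report keys and sample packets are constructed for illustration.

```python
import struct

RIP_HEADER = struct.Struct("!BBH")   # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH16s")  # AFI, route tag or auth type, remaining 16 octets
AUTH_AFI = 0xFFFF
SIMPLE_PASSWORD = 2


def audit_rip_message(payload: bytes) -> dict:
    """Classify the authentication carried by one RIP UDP payload."""
    body_len = len(payload) - RIP_HEADER.size
    if body_len < 0 or body_len % RIP_ENTRY.size or body_len > 25 * RIP_ENTRY.size:
        raise ValueError("not a well-formed RIP message")
    command, version, _ = RIP_HEADER.unpack_from(payload)
    entries = [RIP_ENTRY.unpack_from(payload, off)
               for off in range(RIP_HEADER.size, len(payload), RIP_ENTRY.size)]
    report = {"command": command, "version": version, "auth": "none",
              "routes": len(entries), "findings": []}
    if entries and entries[0][0] == AUTH_AFI:
        auth_type = entries[0][1]
        report["routes"] -= 1
        if auth_type == SIMPLE_PASSWORD:
            report["auth"] = "simple-password"
            # Record only the length so the secret itself never reaches a log.
            report["password_len"] = len(entries[0][2].rstrip(b"\x00"))
            report["findings"].append("password is sent in clear text")
        else:
            # Other schemes are outside the RFC excerpt and are not validated here.
            report["auth"] = f"type-{auth_type}"
    else:
        report["findings"].append("update is not authenticated")
    if not report["auth"].startswith("type-") and any(e[0] == AUTH_AFI for e in entries[1:]):
        report["findings"].append("0xFFFF AFI outside the first entry")
    return report


# Constructed sample data: one route for 192.0.2.0/24 and a type 2 entry.
def sample_route(prefix: bytes, mask: bytes, metric: int) -> bytes:
    return struct.pack("!HH4s4s4sI", 2, 0, prefix, mask, bytes(4), metric)

HEADER = RIP_HEADER.pack(2, 2, 0)  # command 2 (response), version 2
ROUTE = sample_route(bytes([192, 0, 2, 0]), bytes([255, 255, 255, 0]), 1)
AUTH = RIP_ENTRY.pack(AUTH_AFI, SIMPLE_PASSWORD, b"example")  # 16s pads with nulls

if __name__ == "__main__":
    for name, pkt in (("no auth", HEADER + ROUTE), ("simple", HEADER + AUTH + ROUTE)):
        print(name, audit_rip_message(pkt))
```
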

December 5th, 2007 on 1:00 pm
yum yum
December 6th, 2007 on 12:04 am
so leet!

If you keep this up you're going to win an internship at Cisco
December 6th, 2007 on 12:25 pm
I don't have much luck with the lottery
but d*** that would be awesome
ty for the feedback :p
December 16th, 2007 on 11:05 pm
[...] had been wanting to do some Python for a long time, and Alex's article pushed me to get started. So I was looking to create a little script [...]