RIPv2 Injection with Simple Password Authentication

A few days ago, a friend talked to me about a Python packet forger. I thought it would be interesting to use it to inject RIPv2 information into a router.

So I made a tool to try to inject RIPv2 updates into my Linksys router. Here’s the result.

Well, it was working, but the fun part starts now… With RIPv2, you can use authentication to guarantee the source of your packets. Two authentication types are available:

  • A simple password (clear text passed through the network)
  • An MD5-hashed password

Looking at the packet forger source code, there was no way to inject RIP updates with authentication, so I added a small piece of code to use this feature. Let’s check what the RIPv2 RFC tells us…

   Since authentication is a per message function, and since there is
   only one 2-octet field available in the message header, and since any
   reasonable authentication scheme will require more than two octets,
   the authentication scheme for RIP version 2 will use the space of an
   entire RIP entry.  If the Address Family Identifier of the first (and
   only the first) entry in the message is 0xFFFF, then the remainder of
   the entry contains the authentication.  This means that there can be,
   at most, 24 RIP entries in the remainder of the message.  If
   authentication is not in use, then no entries in the message should
   have an Address Family Identifier of 0xFFFF.

   Currently, the only Authentication Type is simple password and it is
   type 2.  The remaining 16 octets contain the plain text password.  If
   the password is under 16 octets, it must be left-justified and padded
   to the right with nulls (0x00).

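So I just had to add this part to the source code:

# Imports needed only when the class is defined outside the packet forger's
# own source (these are the Scapy module paths for the names used below)
from scapy.packet import Packet
from scapy.fields import ShortField, StrFixedLenField

class RIPAuth(Packet):
    # Authentication entry: occupies the first 20-octet RIP entry of the message
    name = "RIP Clear Authentication"
    fields_desc = [
        ShortField("header", 0xFFFF),          # Address Family Identifier 0xFFFF
        ShortField("authtype", 2),             # Authentication Type 2 = simple password
        StrFixedLenField("password", "", 16),  # fixed 16-octet password field
    ]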
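Seen from the receiving side, the same entry layout lets you audit a captured RIPv2 payload and see what simple password authentication exposes. This is an added example, not code from the original post or from the packet forger: it uses only the standard library, the sample update and the password labpass are constructed, and auth type 3 (keyed MD5) comes from RFC 2082 rather than from this page.

```python
import ipaddress
import struct

RIP_HDR = struct.Struct("!BBH")          # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, mask, next hop, metric
AUTH_AFI = 0xFFFF                        # marks the authentication entry (RFC text above)
AUTH_TYPES = {2: "simple-password", 3: "keyed-md5"}  # type 3: RFC 2082 (assumption)


def audit_rip(payload: bytes) -> dict:
    """Classify the authentication of one RIPv2 UDP payload and list its routes."""
    body = len(payload) - RIP_HDR.size
    if body < 0 or body % RIP_ENTRY.size:
        raise ValueError("not a well-formed RIP message")
    command, version, _ = RIP_HDR.unpack_from(payload)
    report = {"command": command, "version": version, "auth": "none",
              "password": None, "routes": [], "findings": []}
    count = body // RIP_ENTRY.size
    for i in range(count):
        off = RIP_HDR.size + i * RIP_ENTRY.size
        afi, tag, addr, mask, _hop, metric = RIP_ENTRY.unpack_from(payload, off)
        if afi != AUTH_AFI:
            prefix = bin(int.from_bytes(mask, "big")).count("1")
            report["routes"].append((f"{ipaddress.IPv4Address(addr)}/{prefix}", metric))
        elif i == 0:
            # In the authentication entry the route-tag slot holds the auth type.
            report["auth"] = AUTH_TYPES.get(tag, f"unknown-type-{tag}")
            if tag == 2:
                secret = payload[off + 4:off + 20].rstrip(b"\x00")
                report["password"] = secret.decode("ascii", "replace")
                report["findings"].append("password readable by any capture on the segment")
        elif not (report["auth"] == "keyed-md5" and i == count - 1):
            # Only keyed MD5 carries a second 0xFFFF entry (its trailing digest).
            report["findings"].append(f"entry {i}: AFI 0xFFFF outside the first entry")
    if report["auth"] == "none":
        report["findings"].append("no authentication: sender is not verified")
    return report


def sample_update(password=None) -> bytes:
    """Constructed RIPv2 response advertising 10.10.0.0/16, used to exercise the audit."""
    msg = RIP_HDR.pack(2, 2, 0)
    if password is not None:
        msg += struct.pack("!HH16s", AUTH_AFI, 2, password)  # 16s pads with nulls
    net = ipaddress.IPv4Address("10.10.0.0").packed
    mask = ipaddress.IPv4Address("255.255.0.0").packed
    return msg + RIP_ENTRY.pack(2, 0, net, mask, bytes(4), 1)


if __name__ == "__main__":
    print(audit_rip(sample_update(b"labpass")))
```
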

Watch the video:
http://www.madrouter.com/tutoriaux/RIPInjection/RIPInjection.htm
