02 April 2010

Analyzing OSPF Enumeration Data

The first thing you will see is OSPF HELLO packets. HELLO is not a simple keepalive; it carries a wealth of information. A HELLO packet contains the following:


* Router ID This is a 32-bit identifier written like an IP address. Unless
it is set explicitly with the router-id command, a Cisco router takes the
highest IP address on a loopback interface, or, if there is no loopback,
the highest IP address on any active interface.

* HELLO Interval This is the time between sending HELLO packets.

* Router Dead Interval After this time passes, a neighbor router is
considered to be unreachable.

* Neighbor This lists the Router IDs of the neighbors from which this
router has recently received a valid HELLO on the link.

* Area ID This is the OSPF network area number, presented either
as decimal or in an IP-like notation (1 and 0.0.0.1, 10 and 0.0.0.10
are the same).

* Router Priority This 8-bit value, defined in RFC 2328, decides the DR
and BDR election: the highest priority wins, the Router ID breaks ties,
and a priority of 0 makes the router ineligible. It lets you choose the
DR without depending on the routers' IP addresses.

* Designated Router This is the interface IP address of the Designated
Router (DR), the router elected on this multi-access segment (the election
is per segment, not per area) to form adjacencies with every other router
on it and flood LSAs on their behalf.

* Backup Designated Router This is the interface IP address of the Backup
Designated Router (BDR), elected to take over the DR function if the DR
goes down.

* Authentication The AuType field defines the authentication used on the
link: 0 none, 1 simple password (the password itself travels in the clear
in the 64-bit authentication field), or 2 cryptographic (a keyed MD5 digest
appended to the packet; the field then carries the key ID, the digest
length and a sequence number).

* Stub Area Flag Strictly this is the E-bit of the Options field, which a
router sets when it accepts AS-external LSAs. Routers in a stub area clear
it, so a HELLO with E clear tells you the area is a stub, an OSPF
cul-de-sac.

Every single parameter in this list is important for network enumeration.

The first thing to check is whether authentication is in use. If it is not, anyone on the segment can inject routing updates. Next, look at which routers are acting as DR and BDR, if any are present. A DR is elected per multi-access segment through the HELLO exchange; it forms full adjacencies with every router on that segment so that the others do not need a full mesh of adjacencies among themselves. Routers send their updates to the DR and BDR on the 224.0.0.6 (AllDRouters) multicast address, and the DR floods them back to everyone on the "all OSPF routers" address 224.0.0.5. This is the router an attacker who wants to reroute traffic will go after. On a correctly configured network it is the most powerful and resourceful router on the segment, and the BDR should match it in resources and configuration, or come close. If the Area ID is 0, you are on the OSPF backbone, through which all inter-area traffic passes, and which can be attacked from there. If you are not in area 0, you want to get there: look through the sniffed routing updates for those that originate from area 0 and work out which IP range the backbone occupies.
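As an added example (not code from Hacking Exposed Cisco or from the original post), the following Python decodes an OSPFv2 HELLO from raw bytes, pulls out every field listed above, and collects the findings an enumerator would note: the authentication type (with the cleartext password, or the MD5 key ID and sequence number), backbone membership, the E and N/P option bits, the priority and the DR/BDR. The two sample packets are constructed inside the code, not captured, and the MD5 digest on the second one is a placeholder of 0xAB bytes rather than a real digest.

```python
"""Decode OSPFv2 HELLO packets (RFC 2328, A.3.1 and A.3.2) from raw bytes and
report what an enumerator looks for. Added example; the sample packets are
constructed below, not captured from a real network."""
import socket
import struct

AUTH_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}
OPT_E = 0x02   # Options E-bit: set in normal areas, clear on every router in a stub area
OPT_NP = 0x08  # Options N/P-bit: set by routers inside a not-so-stubby area
HDR = struct.Struct("!BBH4s4sHH8s")   # 24-byte common header: ver, type, len, RID, area, csum, autype, auth
HELLO = struct.Struct("!4sHBBI4s4s")  # fixed HELLO body: mask, hello, options, prio, dead, DR, BDR


def ospf_checksum(pkt):
    """One's-complement checksum over the packet minus the 8-byte authentication
    field, as RFC 2328 Appendix D requires for AuType 0 and 1. Returns 0 on a
    packet whose checksum field is already filled in correctly."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(rid, area, autype=0, auth=b"", mask="255.255.255.0", hello=10, dead=40,
                options=OPT_E, prio=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Assemble a HELLO so the decoder has constructed input to work on."""
    body = HELLO.pack(socket.inet_aton(mask), hello, options, prio, dead,
                      socket.inet_aton(dr), socket.inet_aton(bdr))
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    pkt = HDR.pack(2, 1, HDR.size + len(body), socket.inet_aton(rid), socket.inet_aton(area),
                   0, autype, auth.ljust(8, b"\x00")[:8]) + body
    if autype != 2:  # with MD5 the checksum stays zero; the digest protects the packet
        pkt = pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]
    return pkt


def parse_hello(pkt):
    if len(pkt) < HDR.size + HELLO.size:
        raise ValueError("too short for an OSPF HELLO")
    ver, ptype, length, rid, area, _csum, autype, auth = HDR.unpack_from(pkt)
    if ver != 2 or ptype != 1:
        raise ValueError(f"not an OSPFv2 HELLO (version={ver}, type={ptype})")
    body = pkt[HDR.size:length]
    _mask, hello, options, prio, dead, dr, bdr = HELLO.unpack_from(body)
    nbrs = body[HELLO.size:]  # trailing list of neighbor Router IDs, 4 bytes each
    area_num = struct.unpack("!I", area)[0]
    info = {"router_id": socket.inet_ntoa(rid), "area": f"{socket.inet_ntoa(area)} ({area_num})",
            "auth_type": AUTH_NAMES.get(autype, f"unknown ({autype})"),
            "hello_interval": hello, "dead_interval": dead, "priority": prio,
            "dr": socket.inet_ntoa(dr), "bdr": socket.inet_ntoa(bdr),
            "neighbors": [socket.inet_ntoa(nbrs[i:i + 4]) for i in range(0, len(nbrs) // 4 * 4, 4)],
            "findings": []}
    f = info["findings"]
    if autype == 0:
        f.append("no authentication: anyone on the segment can forge HELLOs and LSUs")
    elif autype == 1:
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
        f.append(f"simple password sent in the clear: {info['password']!r}")
    elif autype == 2:  # auth field = reserved(2), key ID(1), digest length(1), sequence(4)
        info["md5"] = {"key_id": auth[2], "seq": struct.unpack("!I", auth[4:])[0],
                       "digest": pkt[length:length + auth[3]].hex()}
        f.append("MD5 keyed digest: key not exposed, but a short key can be guessed offline")
    if autype != 2 and ospf_checksum(pkt[:length]) != 0:
        f.append("bad OSPF checksum")
    if area_num == 0:
        f.append("area 0: this segment is on the backbone")
    if not options & OPT_E:
        f.append("E-bit clear: stub area, no type 4/5 LSAs here")
    if options & OPT_NP:
        f.append("N/P-bit set: not-so-stubby area, expect type 7 LSAs")
    if prio == 0:
        f.append("priority 0: this router can never become DR or BDR")
    if info["dr"] == "0.0.0.0":
        f.append("no DR: election not finished or point-to-point link")
    return info


# Constructed samples, not real captures. First: router 10.0.0.2 in area 1, no
# authentication, E-bit clear, DR 10.1.1.1, BDR 10.1.1.2, one known neighbor.
SAMPLE_STUB_NOAUTH = build_hello("10.0.0.2", "0.0.0.1", options=0, dr="10.1.1.1",
                                 bdr="10.1.1.2", neighbors=["10.0.0.1"])
# Second: backbone router using MD5 (key ID 1, 16-byte digest, sequence 0x5bd3);
# the appended digest is a placeholder of 0xAB bytes, not a real MD5 value.
SAMPLE_BB_MD5 = build_hello("10.0.0.1", "0.0.0.0", autype=2, dr="10.0.0.1", bdr="10.0.0.2",
                            auth=b"\x00\x00\x01\x10" + struct.pack("!I", 0x5BD3),
                            neighbors=["10.0.0.2"]) + b"\xab" * 16

if __name__ == "__main__":
    for pkt in (SAMPLE_STUB_NOAUTH, SAMPLE_BB_MD5):
        d = parse_hello(pkt)
        print(f"RID {d['router_id']} area {d['area']} auth={d['auth_type']} prio={d['priority']} "
              f"DR={d['dr']} BDR={d['bdr']} neighbors={d['neighbors']}")
        for line in d["findings"]:
            print("  -", line)
```

To run this against a real capture, feed parse_hello() the OSPF payload of each IP protocol 89 packet (the bytes after the IP header); tcpdump -w or Wireshark's export of the OSPF layer both give you exactly that. The checksum check is a cheap way to spot a decoder misaligned on the wrong offset.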

In accordance with their position in the OSPF hierarchy, routers also have specific roles. Area Border Routers (ABRs) connect two or more areas and keep a full topological database for each area they attach to. Autonomous System Boundary Routers (ASBRs) connect the OSPF domain to the outside world and are the only routers that can redistribute routes between OSPF and other routing protocols (or static routes). An ASBR does not have to reside in area 0: it can sit in any normal area, or in a not so stubby area (where it advertises type 7 LSAs), but not in a stub area. Routers with at least one interface in area 0 are called backbone routers. Routers whose interfaces all belong to a single non-backbone area are internal routers; an internal router holds the full database for its own area only and originates no routing information outside it. From the attacker's viewpoint, ABRs and ASBRs are the most interesting targets, since they control what each area learns about the rest of the network.

To determine a router's role and the area it sits in, analyze the link-state advertisements (LSAs) carried in Link State Update packets. Each of the seven LSA types listed here has its own flooding scope. By noting which LSA types appear within an area and which router originates them, you can determine the area type and the router's role:

* Type 1 LSA is the router LSA (router link). Every router originates one
for each area it belongs to, listing its own links and their costs, and
flagging itself as an ABR (B bit) or ASBR (E bit). It is flooded only
within that area.

* Type 2 LSA is the network LSA (network link). It is originated only by
the DR of a multi-access segment, lists the Router IDs of every router
attached to that segment, and is flooded only within the area. Whoever
originates type 2 LSAs is a DR.

* Type 3 LSA is the network summary link. These LSAs are sent by
ABR routers between the areas and summarize IP ranges from one
area to another.

* Type 4 LSA is the ASBR summary link. An ABR originates it into the
areas that do not contain the ASBR, advertising the ABR's own cost to
reach that ASBR so routers in those areas can resolve the type 5 routes
the ASBR originates.

* Type 5 LSA is the AS external link LSA, originated by an ASBR for each
route redistributed from outside the OSPF domain (another routing
protocol, another OSPF process, or static routes). It is flooded through
every area that admits externals, which excludes stub areas and NSSAs.

* Type 6 LSA is the group membership LSA generated by multicast OSPF
(MOSPF) routers. Cisco IOS does not implement MOSPF and ignores these
LSAs, so you will rarely see them on a Cisco network.

* Type 7 LSA (NSSA external LSA) is originated by an ASBR inside a not so
stubby area. It carries the same information as a type 5 LSA but is not
propagated outside the NSSA; the NSSA's ABR translates it into a type 5
for the rest of the domain. Seeing type 7 LSAs is a telltale sign that
you are sniffing inside an NSSA.

To identify other areas, take the following into account:

* Stub area routers clear the E-bit in the Options field of their HELLO
packets (the stub indication described above). No type 4 or 5 LSAs appear
inside a stub area; external destinations are reached through a default
route that the ABR injects as a type 3 LSA.

* Totally stubby areas (a Cisco extension, area X stub no-summary) also
block type 3 LSAs, apart from the single type 3 default route injected by
the ABR.

* Not so stubby areas block LSA types 4 and 5 but propagate LSA type 7,
and their routers set the N/P bit in the HELLO Options field.
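The following Python, added here as a worked example (not code from Hacking Exposed Cisco or from the original post), applies the rules above to LSA observations as you would tabulate them from sniffed Link State Updates: it names the area type from the LSA types present (falling back on the HELLO E-bit when no type 4 or 5 has been seen yet), assigns each advertising router the roles its own LSAs prove (the B and E flags of its router LSA, and the LSA types it originates), and orders the routers as targets. The LSA record layout and the two sets of observations are constructed for the example; the flag bit values come from RFC 2328 A.4.2.

```python
"""Infer OSPF area types and router roles from LSAs seen in sniffed Link State
Update packets. Added example, not code from Hacking Exposed Cisco; the LSA
records below are constructed by hand, not taken from a real capture."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Router-LSA (type 1) flag bits, RFC 2328 A.4.2: the router announces its own role
RTR_B = 0x01  # B: area border router
RTR_E = 0x02  # E: AS boundary router


@dataclass(frozen=True)
class LSA:
    area: str          # area the LSA was seen in (dotted form)
    lsa_type: int      # 1-7
    adv_router: str    # advertising router ID
    link_id: str = ""  # type 2: DR's interface IP; type 3/5/7: prefix, 0.0.0.0 = default route
    flags: int = 0     # type 1 only: RTR_B / RTR_E


def classify_area(lsas, hello_e_bit: Optional[bool] = None) -> str:
    """Name the area type from the LSA types flooded in it. hello_e_bit is the
    Options E-bit from HELLOs on the same segment, if known (clear = stub family)."""
    areas = {lsa.area for lsa in lsas}
    if len(areas) != 1:
        raise ValueError("pass the LSAs of a single area")
    area = areas.pop()
    types = {lsa.lsa_type for lsa in lsas}
    if 7 in types:
        return "not-so-stubby"  # type 7 is never flooded outside an NSSA
    if 5 in types or 4 in types or hello_e_bit:
        return "backbone" if area == "0.0.0.0" else "normal"
    summaries = [lsa for lsa in lsas if lsa.lsa_type == 3]
    if any(lsa.link_id != "0.0.0.0" for lsa in summaries):
        return "stub"  # inter-area summaries present, externals filtered
    if summaries:
        return "totally stubby"  # only the ABR's type 3 default route gets in
    return "undetermined: only intra-area LSAs seen so far"


def router_roles(lsas) -> dict:
    """Map each advertising router to the roles its own LSAs prove."""
    roles = defaultdict(set)
    for lsa in lsas:
        roles[lsa.adv_router]  # list every originator, even one with no role yet
        if lsa.lsa_type == 1:
            if lsa.flags & RTR_B:
                roles[lsa.adv_router].add("ABR")
            if lsa.flags & RTR_E:
                roles[lsa.adv_router].add("ASBR")
        elif lsa.lsa_type == 2:
            roles[lsa.adv_router].add(f"DR for {lsa.link_id}")
        elif lsa.lsa_type in (3, 4):
            roles[lsa.adv_router].add("ABR")
        elif lsa.lsa_type in (5, 7):
            roles[lsa.adv_router].add("ASBR")
    return {rid: sorted(r) or ["internal"] for rid, r in roles.items()}


def prioritise_targets(roles: dict) -> list:
    """ABRs and ASBRs first (they gate what an area learns), then DRs, then internal routers."""
    def rank(rid):
        r = roles[rid]
        if "ABR" in r or "ASBR" in r:
            return 0
        if any(x.startswith("DR") for x in r):
            return 1
        return 2
    return sorted(roles, key=lambda rid: (rank(rid), rid))


# Constructed observations, as if decoded from LSUs sniffed inside each area.
AREA1 = [
    LSA("0.0.0.1", 1, "10.0.0.1", flags=RTR_B),
    LSA("0.0.0.1", 1, "10.0.0.2", flags=RTR_E),
    LSA("0.0.0.1", 1, "10.0.0.3"),
    LSA("0.0.0.1", 2, "10.0.0.2", link_id="10.1.1.2"),
    LSA("0.0.0.1", 3, "10.0.0.1", link_id="192.168.0.0"),
    LSA("0.0.0.1", 7, "10.0.0.2", link_id="172.16.0.0"),
]
AREA2 = [
    LSA("0.0.0.2", 1, "10.0.0.1", flags=RTR_B),
    LSA("0.0.0.2", 1, "10.0.0.4"),
    LSA("0.0.0.2", 3, "10.0.0.1", link_id="0.0.0.0"),
]

if __name__ == "__main__":
    for name, lsas, e_bit in (("0.0.0.1", AREA1, None), ("0.0.0.2", AREA2, False)):
        print(f"area {name}: {classify_area(lsas, e_bit)}")
        roles = router_roles(lsas)
        for rid in prioritise_targets(roles):
            print(f"  {rid}: {', '.join(roles[rid])}")
```

The same router (10.0.0.1) shows up as ABR in both constructed areas, which is exactly how you spot the router that stitches the network diagram together; a router that appears in only one area with no flags is an internal router and the least rewarding target.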

Hopefully, by now you can make sense of those tcpdump (or Kismet) dumps with OSPF packets in them: understand your position on the network and its topology, identify interesting routers for further exploitation, and determine whether OSPF itself is open to attack. As with other IGPs, it pays to draw the network diagram as OSPF sees it and label the areas, the router roles, and the cost (on Cisco derived from interface bandwidth) of each advertised link.


[*] Hacking Exposed - Cisco

 
biOos
