And Yet Another Weekend Post! (YAWP)
What is RIP?
Is it really resting in peace already?!
RIP (Routing Information Protocol) is one of the oldest IGPs (Interior Gateway Protocols) and uses hop count as its metric. It comes in two different flavours: version 1 and version 2.
Version 1 is a distance vector protocol (RFC 1058) and Version 2 is a hybrid protocol (RFCs 1721 and 1722).
Routing Information Protocol Version 1 (RIPv1) uses local broadcasts to share routing information in a really dumb manner 😝
These updates are periodic and occur, by default, every 30 seconds.
To prevent packets from circling around a loop forever, both versions of RIP solve the counting-to-infinity problem by placing a hop count limit of 15 hops. Anything that would need a sixteenth hop is treated as unreachable and dropped.
RIPv1 is a classful protocol. RIP supports up to six equal-cost paths to a single destination. Equal-cost load balancing takes place for paths whose metric (hop count) is the same.
Routing Information Protocol Version 2 (RIPv2) is a distance vector routing protocol with some great updates and features built into it, and it is based on RIPv1.
Therefore, it is commonly called a hybrid routing protocol. RIPv2 uses multicasts instead of broadcasts. RIPv2 supports triggered updates: when a change occurs, a RIPv2 router will immediately propagate its routing information to its connected neighbours. RIPv2 is a classless protocol and it supports variable-length subnet masking (VLSM). Both RIPv1 and RIPv2 use hop count as the metric.
Differences between RIPv1 and RIPv2
As in our CEH lab, we build this one in GNS3 and link it to a VirtualBox machine running Kali. Our objective is to build a network with three routers, all using RIP to exchange routing information. We will then use the attacker box to inject a fake route into the network and in this way divert traffic away from its real target.
If you are not familiar with RIP: it is a hop-based system where each hop is a router in the path, and traffic is routed across the path with the smallest number of hops.
This is the topology I built:
I added an NM-4E module to each of the devices, this wasn't required technically but it gives four extra Ethernet interfaces that may come in handy later.
The following table shows the configuration of each router:
SW1 and SW2 are standard GNS3-image switches. I tried to use a 3660 with a switch module installed to give more flexibility in the future, but for some reason this didn't work properly, so I stuck with the generic GNS3 one. C3 isn't really necessary but was useful for connectivity verification.
Here is the configuration on each router up to this point for the sake of illustration:
Once you have set up the routers, you can verify that RIP is running correctly by using the following command on each of them:
show ip route
As the legend in the output explains, an R in the left-hand column means the device learned the route through RIP. Assuming you have the correct routes, you can check connectivity by pinging other devices.
If everything works as expected, the next step is to set up the virtual PCs and the VirtualBox machine.
To get out of our subnet and see the world you need to add a default gateway. You do this in the second parameter to the ip command. The gateway IP is the IP of the machine which connects the subnet to the rest of the network, so for C1 this is 192.168.0.1 and for C2 it is 192.168.1.1.
Once you have set the IP of both machines you can check connectivity with some pings.
If your pings are not working, the best way to debug is to go back to the routers and check that each of them can ping correctly: check that R1 can talk to both IPs on R2, that R2 can talk to R3, and then R1 to R3. Check the routing table on each to make sure it knows where to send the traffic. If all that works, then check that C1 can talk to each of the routers. Break it all down and the mistakes tend to be a lot easier to find. This is where C3 can be useful, to check that the mistake isn't with C1.
For the VirtualBox machine I'm using the same machine as in the VLAN lab. In here I set the IP and default route and again test connectivity.
After setting up all of this it's finally show-time! The plan is to hijack traffic from C1 heading to C2 and have it delivered to the VBox instead. This will be done by injecting a new route into the network by generating our own RIP packets. We will need to send a packet advertising a route to the 192.168.1.0/24 subnet with a lower metric (number of hops) than the real router. Checking the routing table on R1 shows the metric to get to 192.168.1.0/24 is 2, so we will have to advertise our route with a lower number (metric of 1) to be successful.
I was initially thinking of using some kind of attack tool or creating custom packets in Scapy, but while researching this project I came across Quagga, which is a Linux routing software suite that implements a router in software. As this is specifically designed to talk the various routing protocols, including RIP, I figured it would be much better to use this than an "attack" tool.
Quagga is pretty simple to set up and can be installed on VBox with:
apt-get install quagga
The config files are stored in /etc/quagga and all we need to edit are the following two files:
This simply tells the router that it is talking RIP on eth0 and advertising the route to 192.168.1.0/24.
As we are planning to hijack traffic heading to C2, I also add a virtual interface to eth0 with the IP address of C2, which allows us to act as C2 once the traffic arrives. If all you want to do is sniff traffic, then you can create a dummy interface on the machine and give that the appropriate IP. I found that if I didn't have an interface on the machine with an IP in the right network then things didn't work as well as with it. This may just have been the way I was doing things, but as setting up the interface is easy either way it is worth doing.
To create the virtual interface you can do:
ifconfig eth0.1 192.168.1.100 up
Type this command to create a dummy interface:
modprobe dummy
ifconfig dummy0 192.168.1.100 up
Before starting Quagga, let's start up Wireshark so we can see the packets we are creating and make sure they look right. To do this in GNS3, right click on the link between R1 and SW1 and select "Start capturing"; in the capture list on the right-hand side, right click on the capture and select "Start Wireshark". Add a RIP filter in Wireshark and put it to one side.
Now that everything is in place we can start Quagga.
Switch back to Wireshark and, if everything is set up correctly, you will start to see RIP packets coming from 192.168.0.101 advertising its ability to route to 192.168.1.0 with a metric of 1.
To see if the poisoning is working check R1 to see what it thinks the best route to 192.168.1.0 is.
Comparing with the image above, it can be seen that the route has changed from:
R 192.168.1.0/24 [120/2] via 10.0.0.2, 00:00:27, Ethernet1/0
to:
R 192.168.1.0/24 [120/1] via 192.168.0.101, 00:00:02, Ethernet1/3
We are now in place, so let's prove it by hijacking some traffic. On VBox start tcpdump listening for ICMP traffic, then on C1 try to ping C2 (192.168.1.100).
And there we have it, VBox is receiving the pings from C1 (192.168.0.100) which are supposed to be for C2 (192.168.1.100).
You saw that this attack is very simple to execute and does not require any special hacking tools. It is slightly limited in that once you have poisoned the route you are no longer able to communicate with the original destination unless you have a second route to it, as you have destroyed the valid route; this means that you can't easily do man-in-the-middle attacks. You are also limited in which areas of the network you can poison: in this example it was possible to have R1 accept the new route because VBox is only one hop away, whereas C2 is two hops. If there was another network connected to the right of R3, then the hop count from VBox would be higher than that from R3, so the poisoning would not affect it.
Lesson to learn from this:
In RIPv2 there is an authentication feature which provides a light defense mechanism against this type of attack.
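The rogue advertisement above is visible on the wire (that is what the Wireshark step shows), and the two things that give it away are a RIP speaker that is not one of the lab routers and the absence of any RIPv2 authentication entry. The following is an added example, not code from the post or from Quagga: a small RIPv2 response parser plus a check that flags exactly those two conditions. The set of known speakers (only R1 on the 192.168.0.0/24 segment) and the sample packets are assumptions constructed for the lab topology.

```python
import struct
import ipaddress

# Assumption: the only router that should send RIP on the C1 segment is R1.
KNOWN_RIP_SPEAKERS = {"192.168.0.1"}
RIP_RESPONSE = 2          # RIP command field: 1 = request, 2 = response
AFI_INET = 2              # address family for IPv4 route entries
AFI_AUTH = 0xFFFF         # RIPv2 authentication entry (must be the first entry)


def parse_ripv2(payload: bytes) -> dict:
    """Parse a RIPv2 UDP payload: 4-byte header followed by 20-byte entries."""
    if len(payload) < 4 or (len(payload) - 4) % 20 != 0:
        raise ValueError("malformed RIP payload")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    entries, auth = [], None
    for off in range(4, len(payload), 20):
        afi = struct.unpack("!H", payload[off:off + 2])[0]
        if afi == AFI_AUTH:                       # auth type: 2 = plaintext, 3 = MD5
            auth = {"type": struct.unpack("!H", payload[off + 2:off + 4])[0]}
            continue
        tag, ip, mask, nexthop, metric = struct.unpack("!HIIII", payload[off + 2:off + 20])
        prefix = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}", strict=False)
        entries.append({"prefix": str(prefix), "metric": metric,
                        "next_hop": str(ipaddress.IPv4Address(nexthop))})
    return {"command": command, "version": version, "auth": auth, "entries": entries}


def audit_update(src_ip: str, payload: bytes) -> list:
    """Return findings for one RIP response seen on the wire (empty list = looks legitimate)."""
    pkt = parse_ripv2(payload)
    findings = []
    if pkt["command"] != RIP_RESPONSE:
        return findings
    if src_ip not in KNOWN_RIP_SPEAKERS:
        findings.append(f"RIP response from unexpected speaker {src_ip}")
    if pkt["auth"] is None:
        findings.append("RIP response carries no authentication entry")
    for e in pkt["entries"]:
        if not 1 <= e["metric"] <= 16:
            findings.append(f"invalid metric {e['metric']} for {e['prefix']}")
    return findings


def build_response(routes, with_auth=False) -> bytes:
    """Constructed test packet: routes is a list of (prefix, metric); auth entry is MD5-typed."""
    out = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    if with_auth:
        out += struct.pack("!HH", AFI_AUTH, 3) + b"\x00" * 16
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += struct.pack("!HHIIII", AFI_INET, 0, int(net.network_address), int(net.netmask), 0, metric)
    return out
```

Feeding the lab's rogue update (source 192.168.0.101, 192.168.1.0/24 at metric 1, no authentication) to audit_update yields two findings, while an authenticated update from R1 yields none.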