
Network World

Chris Jackson

Auditing layer 3 routing protocols the Loki way

Loki allows auditing layer 3 routing protocols by abusing and highlighting configuration weaknesses.

By Chris Jackson on Sat, 08/14/10 - 1:29pm.

I love new security testing tools. There is nothing quite like finding some magical bits of code allowing you to use and abuse protocols in unique and unnatural ways. I was introduced to Loki at Blackhat this year, and it was love at first sight. Here was a tool that I could use to not only identify weaknesses in layer 3 routing protocol deployments, but also show what an attacker could do if they were able to manipulate dynamic routing protocols. LOKI takes a number of separate command-line tools, slaps on a simple GUI, and makes even the most script kiddy among us look like a network ninja.

Many network security audits uncover weak security practices with regard to the layer 3 protocols used to build corporate routing tables. For the most part these vulnerabilities are either ignored or put on a list of things to do after the more “serious” security holes are dealt with. If you have an ecommerce site with 50 SQL injection vulnerabilities staring you in the face, the last thing you are worried about is someone hacking OSPF. With the release of LOKI, these previously low-risk network vulnerabilities go up a few notches, from being unlikely to “I better deal with this before I get pwned.”

Loki is a framework that enables the creation of modules, which provide protocol stack level support for a variety of layer 3 protocols. It’s like cramming a router inside of your laptop instead of carrying it around under your arm (walking around with a router IS considered an aphrodisiac in certain circles). With Loki, you can not only participate in network routing, but also reroute traffic to your laptop, allowing you to capture sensitive traffic and perform man-in-the-middle attacks. The currently supported protocols and the attacks implemented for each are:

  • ARP: spoofing, scanning and sniffing
  • HSRP, HSRPv2, VRRP, VRRPv3: IP address hijack
  • RIP, BGP, OSPF: route injection, MD5 auth cracking, denial of service
  • EIGRP and WLCCP (not yet released, due to being Cisco proprietary)
  • BFD: DoS of BFD sessions
  • LDP: injection of label mapping messages
  • MPLS: rewrite of MPLS labels, MPLS-VPN networking stack

How do you defend against Loki? There are a number of good security practices that can be used to protect your dynamic routing infrastructure. The security researchers at Heidelberg, Germany-based ERNW who designed LOKI created a nice chart in their whitepaper that shows mitigation techniques, with the potential security improvement value contrasted against the administrative burden of implementing the protective control. A five in both columns would indicate a control that provides strong security benefit and is easy to implement. A one, on the other hand, would represent a control with low security value that is administratively burdensome to implement.

 

Figure: ERNW Mitigation Chart (Source: ERNW Blackhat2010 - An Introduction to the Tool Loki)

The two most common and relatively easy ways to defend against dynamic routing attacks are authenticating routing updates with MD5 hashes and configuring the passive interface command on user segments. MD5 hashes apply a type of password to routing updates, preventing devices without the password from participating in the dynamic routing process. Good password creation practices should be in place to prevent brute-force or dictionary cracking of the MD5 hash. Loki can be used to test MD5 password strength through an integrated password-cracking module. The passive interface command is configured on any user-facing interface where routing updates are unnecessary. It prevents the router or switch from advertising routing updates through the interface where it is configured. For protocols like EIGRP and OSPF, this command will prevent adjacencies from forming between devices on the network. With RIP, it only prevents the advertisement of routes; the router will still listen to incoming route advertisements, which reduces some of the protection this feature provides. The bottom line is that networks need to implement both of these features to help reduce the risks represented by this tool.
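As an added example (not part of the original post and not part of Loki), the Python code below audits an IOS-style configuration for the two controls described above, flagging OSPF interfaces that are neither passive nor MD5-authenticated. The sample config is constructed; the code assumes OSPF is enabled per interface with `ip ospf <pid> area <id>` and that user segments carry a `description USER` tag, which is a hypothetical site convention.

```python
# Constructed IOS-style excerpt (not from a real device); key text is a placeholder.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 PLACEHOLDER
interface GigabitEthernet0/1
 description USER floor-2
 ip ospf 1 area 0
interface GigabitEthernet0/2
 description USER floor-3
 ip ospf 1 area 0
interface GigabitEthernet0/3
 ip ospf 1 area 0
router ospf 1
 area 0 authentication message-digest
 passive-interface GigabitEthernet0/2
"""

def sections(text):
    """Group indented sub-commands under their unindented parent line."""
    out, current = {}, []
    for line in text.splitlines():
        if line[:1] == " ":
            current.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = out.setdefault(line.strip(), [])
    return out

def audit_ospf(text):
    """Return sorted (interface, issue) pairs for OSPF-enabled interfaces."""
    secs = sections(text)
    router = [c for h, cmds in secs.items() if h.startswith("router ospf ") for c in cmds]
    passive = {c.split()[1] for c in router if c.startswith("passive-interface ")}
    active = {c.split()[2] for c in router if c.startswith("no passive-interface ")}
    area_md5 = {c.split()[1] for c in router if c.endswith(" authentication message-digest")}
    findings = []
    for head, cmds in secs.items():
        areas = [c.split()[-1] for c in cmds if c.startswith("ip ospf ") and " area " in c]
        name = head.split()[-1]
        is_passive = name in passive or ("default" in passive and name not in active)
        if not head.startswith("interface ") or not areas or is_passive:
            continue  # not an OSPF interface, or passive so no adjacency can form
        keyed = any(c.startswith("ip ospf message-digest-key ") for c in cmds)
        md5_on = areas[0] in area_md5 or "ip ospf authentication message-digest" in cmds
        if any(c.startswith("description USER") for c in cmds):  # assumed tag convention
            findings.append((name, "user-facing interface is not passive"))
        elif not (keyed and md5_on):
            findings.append((name, "active without MD5 authentication"))
    return sorted(findings)
```

Interfaces that join OSPF through `network` statements are not matched by this check, so a config that uses them needs the address-to-interface mapping added before the result can be trusted.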

 

In my opinion, Loki should be a welcome addition to any network auditor's or penetration tester's toolkit. My hope is that it can act as a catalyst to raise awareness of the impact of weak infrastructure security controls. Are you planning on using Loki in your network assessments? Hit the comment button below and tell us what you think.

 

Download Loki Here: http://ernw.de/content/e6/e180/index_eng.html

 

About Net Defense

Chris Jackson, CCIE (Security, Routing, Switching), CISA, CISSP, ITIL, SANS, Technical Solutions Architect in the Cisco Architectures and Verticals Partner Organization, has focused for the past six years on developing security practices with the Cisco partner community. During a 15-year career in internetworking, he has built secure networks that map to strong security policies for organizations, including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored a number of whitepapers and is responsible for numerous Cisco initiatives to help build stronger security partners. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.

Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and three children Caleb, Sydney, and Savannah are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.

Chris's latest book, Network Security Auditing, has been selected as the August, 2010, book giveaway on Cisco Subnet.


 
