Exploiting Cisco HSRP

Gary Hoffman, published in PortUnreachable, Oct 11, 2017

HSRP provides redundancy for IP networks, ensuring that traffic can transparently recover from first-hop failures. Devices that share a common layer 2 domain participate in a virtual router environment in which a single device assumes the egress routing role. By continually exchanging HSRP messages, eligible devices can automatically take over routing responsibilities if issues arise with the active device.

Normal Operation

HSRP messages are sent as multicast using the virtual MAC address 0000.0c07.ac**, where ** is the HSRP group number. Devices within the same group use these messages to elect the Active and Standby routers based on priority, with the highest IP address breaking a tie. The highest priority takes precedence; the default value is 100.

The HSRP output below shows normal operation, with R1 elected to the Active role and R2 as Standby.

The following packet capture shows the information contained within an HSRP message. Note the default clear-text authentication string, “cisco”.

Vulnerability

A malicious user can exploit HSRP to perform a denial of service (DoS) or man-in-the-middle (MitM) attack. By crafting and injecting HSRP messages with a higher priority value than the Active device, the attacker's host would take over the Active role and receive all gateway-bound traffic.

Exploitation

Let’s introduce a malicious PC to the existing LAN environment as detailed below. In this example, I’ll be using Scapy to craft HSRP messages with a priority value of 255 in order to assume the Active role.

Here I configure Scapy with a source IP of .111, the HSRP multicast address as the destination, and a priority value of 255. I then instruct Scapy to inject this message every 3 seconds.

As you can see below, the logs of R1 indicate HSRP status changes as soon as the crafted messages have been ingested.

Now let’s take a deeper look at the HSRP status on R1:

As you can see, R1 is no longer the Active device and has instead been elected Standby. The Active virtual MAC address is now 000c.2961.e5f3, which belongs to the attacker’s PC with the IP ending .111. You can also see that the Active router now has a priority value of 255. Each of these changes is a direct result of the crafted messages injected by Scapy, so the malicious PC would now be receiving all gateway-bound traffic.
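As an added defender-side example (not part of the original post), the following Python decodes the HSRP version 0 header from captured UDP port 1985 payloads and flags exactly the conditions the takeover above produces: a message from a host that is not one of the known routers, a priority above what the routers are configured with, and the default "cisco" authentication string. The sample payloads, router addresses, group number and virtual IP are constructed for the example.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address

# HSRP version 0 header (RFC 2281), sent over UDP port 1985 to 224.0.0.2: version, opcode,
# state, hellotime, holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_FMT = "!8B8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HsrpMsg = namedtuple("HsrpMsg", "src_ip opcode state priority group auth virtual_ip")

def parse_hsrp(src_ip, payload):
    """Decode the 20-byte HSRP v0 header from one UDP payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP header")
    ver, op, state, _hello, _hold, prio, group, _rsv, auth, vip = struct.unpack(HSRP_FMT, payload[:20])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return HsrpMsg(src_ip, OPCODES.get(op, str(op)), STATES.get(state, str(state)), prio, group,
                   auth.rstrip(b"\x00").decode("ascii", "replace"), str(IPv4Address(vip)))

def audit(msgs, routers, max_router_priority):
    """Flag messages that contradict the known legitimate HSRP deployment."""
    findings = []
    for m in msgs:
        if m.src_ip not in routers:
            findings.append(f"{m.src_ip}: HSRP {m.opcode} from a host that is not a known router")
        if m.priority > max_router_priority:
            findings.append(f"{m.src_ip}: priority {m.priority} exceeds the routers' maximum {max_router_priority}")
        if m.auth == "cisco":
            findings.append(f"{m.src_ip}: default clear-text authentication string in use")
    return findings

# Constructed sample payloads as hex (not real captures): group 1, virtual IP 192.168.1.1,
# default auth "cisco". R1 (.2) is Active and R2 (.3) Standby, both priority 100; the host
# at .111 announces itself Active with priority 255, the scenario described in the post.
SAMPLES = [
    ("192.168.1.2", bytes.fromhex("000010030a640100636973636f000000c0a80101")),
    ("192.168.1.3", bytes.fromhex("000008030a640100636973636f000000c0a80101")),
    ("192.168.1.111", bytes.fromhex("000010030aff0100636973636f000000c0a80101")),
]
ROUTERS = {"192.168.1.2", "192.168.1.3"}

def audit_samples():
    """Parse the sample payloads and return the findings (5 for the data above)."""
    return audit([parse_hsrp(ip, p) for ip, p in SAMPLES], ROUTERS, max_router_priority=100)

if __name__ == "__main__":
    for f in audit_samples():
        print(f)
```

Feeding real UDP port 1985 payloads from a capture into parse_hsrp and keeping the router set and expected priority in line with the actual configuration turns this into a simple HSRP takeover alert.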

Prevention

The first option is to configure HSRP with MD5 authentication so that unauthorised messages are ignored. With this option enabled, the default plain-text authentication string “cisco” is removed and replaced with an MD5-hashed key string. If an attacker were to mount the same exploit as above, authentication would fail and the malicious HSRP messages would be dropped.

Another option is to set priority to the highest available value of 255 instead of the default 100 and configure the highest available interface IP. This could prevent unauthorised devices from taking over the Active role.

Configuration examples are shown below:

A simple access list can also be used to control and limit inbound HSRP messages to authorised IP addresses only.

Now you can see how insecure HSRP really is and how easy it would be to exploit for malicious use. If you must implement redundancy within your environment, a better option would be to look at VRRP, which makes use of the cryptographic features of the IPsec Authentication Header.

