Full Report
This is a summary of our BlackHat USA 2020 talk.
Introduction
On some of our engagements, Szymon and I found ourselves on various networks vulnerable to insecure, misconfigured, and often overlooked networking protocols. These included dynamic routing protocols (DRPs) and first hop redundancy protocols (FHRPs). We decided to focus on these two classes of networking protocols to manipulate traffic flows and identify non-conventional ways of performing Person-in-the-Middle (PitM) attacks. This post details the results of that research and the tool we wrote to explore this attack surface. The tool is called Routopsy and is available on GitHub.
Analysis Summary
# Tool/Technique: Routopsy
## Overview
Routopsy is a custom tool developed to explore and exploit vulnerabilities in Dynamic Routing Protocols (DRPs) and First Hop Redundancy Protocols (FHRPs) on compromised networks. Its primary purpose is to manipulate traffic flows to perform non-conventional Person-in-the-Middle (PitM) attacks by targeting insecure or misconfigured networking protocols that are often overlooked.
## Technical Details
- Type: Tool
- Platform: Unspecified (implied network-centric, most likely a Linux/Unix environment, given its availability on GitHub and its use together with Docker-based labs)
- Capabilities: Dynamic Routing Protocol (DRP) and First Hop Redundancy Protocol (FHRP) vulnerability analysis and exploitation, traffic flow manipulation, and execution of Man-in-the-Middle attacks.
- First Seen: August 2020 (Presented at BlackHat USA 2020)
## MITRE ATT&CK Mapping
Since Routopsy directly manipulates network infrastructure to intercept traffic, the relevant techniques fall under Command and Control and Discovery/Impact, although a direct mapping for a routing-exploitation tool is less common:
- **TA0008 - Lateral Movement**
  - T1090 - Proxy
    - T1090.003 - Multi-hop Proxy (leveraging manipulated routes to redirect traffic)
- **TA0007 - Discovery**
  - T1046 - Network Service Scanning (implicitly, by identifying active DRP/FHRP advertisements)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (if HTTP redirection is the end goal of the PitM)
*(Note: Specific DRP/FHRP manipulation techniques might map to custom or less frequently cited MITRE techniques; the provided context focuses on the outcome (PitM) and underlying protocols.)*
## Functionality
### Core Capabilities
- **Protocol Identification:** Identifying the presence of DRPs (like RIP, EIGRP, OSPF, BGP) and FHRPs on the network segment.
- **Traffic Manipulation:** Utilizing vulnerabilities in these protocols to alter routing tables.
- **PitM Execution:** Performing non-conventional Man-in-the-Middle attacks by hijacking the default gateway (via FHRP manipulation) or rerouting network paths (via DRP manipulation).
- **Lab Setup:** Providing Docker Compose files to create pre-configured lab environments mirroring vulnerable network topologies for practice.
### Advanced Features
- **Authentication Bypass/Cracking:** The analysis indicates that the protocols can be exploited even when authentication is present, by targeting plaintext passwords or cracking common hash types (the source mentions tools such as `Ettercap` and `John the Ripper` in the context of cracked hashes).
- **FHRP Exploitation:** Specifically targeting FHRPs (which use virtual IP/MAC pairs) to forcibly take over the primary gateway role.
## Indicators of Compromise
No file hashes, C2 domains, or registry keys are given for the tool itself; the source focuses on the research and the tool's availability on GitHub.
- File Hashes: N/A (Tool is publicly available on GitHub)
- File Names: `routopsy` (Tool name)
- Registry Keys: N/A
- Network Indicators: Traffic related to DRPs (OSPF, BGP, etc.) and FHRPs (VRRP implied) within the local broadcast/multicast domain.
- Behavioral Indicators: Unexpected changes in router advertisements, priority changes in FHRP groups, or sudden shifts in network traffic flow.
## Associated Threat Actors
No specific threat actors were explicitly linked to the use of Routopsy in this summary; the work was presented by researchers (Szymon and the author) at BlackHat USA 2020.
## Detection Methods
Detection relies on monitoring the network infrastructure for anomalous routing behavior:
- Signature-based detection: Signatures on routing protocol traffic, effective only where the tool emits abnormal or malformed packets rather than protocol-conformant advertisements.
- Behavioral detection: Monitoring for unauthorized state changes in routing tables or unexpected changes in FHRP priority assignments.
- **Recommended Detection:** Sending syslog data to a central log collector or SIEM and specifically monitoring for routing protocol state changes.
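As an added illustration of the recommended approach (not code from the original post or from Routopsy), the following script parses a few constructed Cisco IOS style syslog lines and flags OSPF adjacencies from neighbours outside an assumed allowlist and FHRP groups that lose the active/master gateway role. The log lines, hostnames, addresses and the neighbour allowlist are all made up for the example.

```python
import re

# Constructed sample syslog lines in Cisco IOS message style (not a real capture).
SAMPLE_LOGS = [
    "Aug  5 10:01:02 core-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from LOADING to FULL, Loading Done",
    "Aug  5 10:03:44 core-rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.99 on GigabitEthernet0/1 from LOADING to FULL, Loading Done",
    "Aug  5 10:03:51 core-rtr1 %VRRP-6-STATECHANGE: Gi0/2 Grp 1 state Master -> Backup",
    "Aug  5 10:04:10 core-rtr1 %HSRP-5-STATECHANGE: GigabitEthernet0/3 Grp 10 state Active -> Speak",
    "Aug  5 10:05:00 core-rtr1 %SYS-5-CONFIG_I: Configured from console by admin",
]

# Assumed inventory of routers that are allowed to form OSPF adjacencies with us.
KNOWN_NEIGHBORS = {"10.0.0.2", "10.0.0.3"}

# OSPF adjacency change: process, neighbour router, interface, old state, new state.
OSPF_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (\d+), Nbr (\S+) on (\S+) from (\w+) to (\w+)")
# VRRP/HSRP group state change: protocol, interface, group, old state, new state.
FHRP_RE = re.compile(
    r"%(VRRP|HSRP)-\d-STATECHANGE: (\S+) Grp (\d+) state (\w+) -> (\w+)")

# States in which this router is the forwarding gateway for the group.
GATEWAY_STATES = {"Master", "Active"}


def analyse(lines, known=KNOWN_NEIGHBORS):
    """Return (alert_type, interface, detail) tuples for suspicious events."""
    alerts = []
    for line in lines:
        m = OSPF_RE.search(line)
        if m:
            nbr, iface, new_state = m.group(2), m.group(3), m.group(5)
            # A full adjacency with a router not in the inventory is how an
            # injected rogue speaker would first show up on the SIEM.
            if new_state == "FULL" and nbr not in known:
                alerts.append(("unknown-ospf-neighbor", iface, nbr))
            continue
        m = FHRP_RE.search(line)
        if m:
            proto, iface, grp, old_state, new_state = m.groups()
            # Losing the master/active role without a planned change suggests
            # a higher-priority (possibly rogue) device took over the VIP.
            if old_state in GATEWAY_STATES and new_state not in GATEWAY_STATES:
                detail = f"{proto} group {grp}: {old_state} -> {new_state}"
                alerts.append(("fhrp-gateway-role-lost", iface, detail))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Correlating these alerts with change-management records separates planned maintenance from the unexpected priority and route changes listed under behavioural indicators.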
## Mitigation Strategies
Mitigation focuses on hardening DRPs and FHRPs:
**For DRPs:**
1. Limit broadcasts/multicasts to necessary network segments.
2. Utilize passive-interfaces where routing protocol advertisements are not required.
3. Configure stricter `network statements` to control which interfaces advertise routing updates.
4. Configure strong authentication algorithms (e.g., keyed-MD5, HMAC-SHA) and use long, complex passwords.
**For FHRPs:**
1. Limit broadcasts/multicasts to necessary network segments.
2. Configure strong authentication algorithms and use long, complex passwords.
3. Configure higher priorities to prevent rogue devices from becoming the active/primary gateway.
## Related Tools/Techniques
- **Protocol Categories Targeted:** Dynamic Routing Protocols (RIP, EIGRP, OSPF, BGP) and First Hop Redundancy Protocols (e.g., VRRP, the example the source gives).
- **Other Implied Tools (used for cracking authentication):** Ettercap, John the Ripper.
- **Similar Attack Type:** Traditional Man-in-the-Middle via protocol manipulation.