BGP Hijacking Attack

BGP Hijacking Attack

by Nairuz Abulhul


Last year in April, I read about the BGP hijacking incident by Rostelecom — a Russian state-owned telecommunication provider. The incident affected 8,800 IPs and lasted an hour, impacting big companies like Google, Amazon, Akamai, and Cloudflare.

 

 

As I was doing the Carrier machine on Hack The Box by Snowscan, I came across the BGP Hijacking in the privilege escalation part. It was an excellent learning opportunity to do something that we often hear about in the media but hard to simulate in a lab with a realistic spin.

Today we will talk about the BGP protocol and how to hijack the traffic to sniff the credentials of FTP session.

Without further ado., Let’s start…

  • BGP Overview
  • BGP Hijacking Attack
  • Demo
  • Resources

$_Border_Gateway_Protocol_(BGP)

BGP is a routing protocol that connects larger groups of networks worldwide known as Autonomous Systems such as ISP providers, large tech enterprises, or government agencies.

It is simply the glue that connects the Internet together 🌐.

 

Cloudflare — https://www.cloudflare.com/en-gb/learning/network-layer/what-is-an-autonomous-system/

 

Every large Autonomous System is assigned a unique number by IANA (Internet Assigned Numbers Authority), such as AS7922 for ComcastCable Communications, LLC, which controls a specific set of IP ranges or spaces known as prefixes.

$_How_BGP_works_?

BGP is used for reachability information and routing data packets from one large network to another.

⛳️Its goal is to provide directions to the traffic as efficiently as possible by favoring the shortest paths and specific IP ranges.

Each Autonomous System advertises their list of IP addresses and the neighboring Autonomous Systems (routers) they can connect to — the neighboring routers known as Peers.

The list of the advertised IPs and Peers information is stored in the routing tables of the Autonomous Systems. These tables are regularly updated to include new networks, IP spaces, and the shortest paths.

😑Unfortunately, BGP protocol can’t discern modified or rogue information when falsely advertised by these systems. A mistake in configuring the routs either intentionally or part of a malicious act can lead to poisoning the traffic and send the packets to the wrong destination.- hijacking.

$_BGP_Hijacking

BGP hijacking is sending traffic to a different destination than the real intended one to intercept the packets . For the “hijack’’ to work, there are three main factors:

📜Requirements

1- The malicious announcement of BGP routes has to come from a legitimate Autonomous System, either a compromised one or an operator. Not anyone can announce BGP routes to the global network peers.

2- The IP ranges chosen for the advertisement have to be more specific than the legitimate ones.

3- The routes have to claim that they offer the shorter path since BGP relies on that for fast and efficient packet delivery.

😈 Attackers frequently target unused prefixes on legitimate ASes for the hijacking attacks to fly under the radar.

🔥 $_Demo_Time

Now we have an overview of the BGP protocol, we will go through the hijacking process.

As I mentioned earlier, we are going to use the Carrier box to demonstrate the attack. In the below diagram, there are 3 Autonomous systems for different fictitious ISP providers:

  • LyghtSpeed Networks owns AS100 (R1) — We compromised this router and have a full control (root).
  • Zaza Telecom owns AS200 (R2)
  • Castcom owns AS300 (R3)
Network Diagram on Carrier Box

 

🎯Our task to perform a BGP hijacking attack that intercepts traffic between the FTP client on AS200 and the FTP server on AS300 and sniff the credentials through transmitted packets.

The hijack would route the packets from the AS200 system(the FTP client) through us on AS100, then the FTP server on the (AS300) system.

❓How does the hijack happen?

Remember earlier that BGP prefers short paths and specific IP ranges (prefixes). The current BGP configuration on AS200 (R2) has AS300 (R3) as the shortest path to send traffic to the FTP server.

To get the packets sent to us, we can change the configuration on our AS100 to advertise us as the shortest path to AS300, where the FTP server resides. Then AS200(R2) will favor us over AS300 routes and send the traffic to us thinking that it is the right short path.

https://snowscan.io/htb-writeup-carrier/#

🔧Configurations

Let’s take a look at the BGP configuration and try to understand it. In the box, the BGP is managed by Quagga and Zebra software to manage the routers’ connections using the Vtysh shell.

📌Quagga is a network routing software for Unix-like platforms, particularly Linux, Solaris, FreeBSD, and NetBSD.

📌Zebra is a routing software package that provides TCP/IP based routing services with routing protocols support such as RIP, OSPF, and BGP.

📌Vtysh is an integrated shell for Quagga routing software

As we see in the screenshots, our compromised machine is attached to the eth2 interface on the AS100router. Its neighbors are AS200 and AS300.

BGP Configuration
IP Information on the Carrier machine

 

We also can see the neighboring systems by running the below command in the vtysh terminal “show bgp neighbors.”

The FTP server we want to intercept is on 10.120.15.0/24 on the AS300. Currently, the traffic hops from AS200 (FTP client ) to AS300 (FTP server).

For the hijack to occur as intended, we need to advertise a specific network than 10.120.15.0/24 on AS100 to get the traffic routed to us.

FTP network was given as a hint on the ticketing system

 

⚠️Configuring AS100

We will configure the AS100 to advertise a specific network range of 10.120.15.0/25 that offers a smaller range than the current /24.

1- Open the Vtysh terminal and run the command “configure terminal.” This command will write the configuration to the BGP config file.

2- Declare we are on AS100 router

declare we are AS100

 

3- Add the network range we want to advertise, in our case, 10.120.15.0/25

new network advertisement on 10.120.15.0/25

 

4- Once we add the interned range, run the command “exit” twice to get out of the configuration mode, followed by the “write” command to save the new configuration to bgpd.conf file on /etc/quagga/

Saving the new configuration to bgpd.conf file on /etc/quagga/

 

5- Next step, clear up the routes and re-advertise the new network by running the below command.

6- To verify the new configs were saved, check the bgpd file.
As we see below, the router added the new network we want to advertise.

We can also see that the advertised routes on 10.178.10.2 have our network /25 added. It means that AS200 now knows AS100 is the next best and shortest route to send packets to 😆.

7- Add the network to our eth2 interface and start sniffing

🔎Sniffing the FTP Session for Credentials— Man In Middle Attack

1- For sniffing FTP traffic, we will run tcpdump dump on port 21 on interface eth2 and save the output to a pcap file for Wireshark Analysis.

2- Afterwards, we transfer the file to our system with netcat and analyze it with Wireshark to find the password for FTP server.

As we see above, we were able to sniff the credentials through the FTP packets.

About the author

Nairuz Abulhul

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester >>Security Researcher

March 2, 2021
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013