As usual, if you're not interested in the theory just skip right to the end for the download link.
TCP MD5 Signatures
RFC 2385 states that the hash must be calculated over the following:
1. the TCP pseudo-header (in the order: source IP address, destination IP address, zero-padded protocol number, and segment length) 2. the TCP header, excluding options, and assuming a checksum of zero 3. the TCP segment data (if any) 4. an independently-specified key or password, known to both TCPs and presumably connection-specific
Now, maybe it's just me, but this raised a lot of questions in my mind. Zero padding usually means to fill the trailing space with zeros, but padding the second byte would effectively multiply the protocol number by 256 so should it be a leading zero? Which headers and options are included in the "segment length"? Should the pad bytes be copied with the TCP header?
Through a lot of trial and error I found that:
- The zero padding goes before the protocol number
- The "segment length" includes the TCP header, the TCP options (including room for the MD5 signature option being calculated) and the actual payload data
- The copied TCP header should be 20 bytes long, i.e. includes two padding bytes after the (zeroed out) checksum. The header length remains as-is, including the length of the options.
- The TCP segment data starts immediately after the TCP options and runs to the last byte indicated by the IP length field
- The null byte terminating the password is not passed to the hash algorithm
Checking / Attacking BGP Packets
Using the above method it is straightforward to run a dictionary attack as follows:
Provided the OpenSSL dev libraries are installed it should be possible to simply extract the source code, cd into the directory then run "make". I've only tested this under Ubuntu Linux but there are very few dependancies so I would imagine it will work on most distributions.
The usage is pretty straightforward - there are only two parameters and both are mandatory. Specify your capture file (original pcap format) with the -c flag and your word list with the -w flag. Here's an example:
lab@lab:~/dechap$ ./dechap -w mywords.txt -c bgp.cap
Found password "password1" for TCP from 10.0.0.2 to 10.0.0.1.
Found password "password1" for TCP from 10.0.0.1 to 10.0.0.2.
Found password "password1" for TCP from 10.0.0.2 to 10.0.0.1.lab@lab:~/dechap$
I'm not sure how quickly it runs but it doesn't seem quite as quick as the OSPF version. I suppose BGP packets tend to be a little bigger than OSPF so there's more to hash. You can improve the speed by only including one packet for each source / destination pair in each capture as, at present, it doesn't check for multiple packets between pairs and attacks each instance individually.
If you try this out, please leave a comment on this post with your experiences - good or bad. Any suggestions would also be welcome, particularly for other protocols to attack.
RFC1321 - The MD5 Message-Digest Algorithm
- Start with a sniffed BGP packet (see the original dechap blog post for info on how this is extracted).
- Extract and store the authentication hash (look for option kind 19) for later comparison
- Put together the "pseudoheader" as described above
- Append the TCP header without options
- Append the TCP payload
- Append the candidate password
- Calculate the MD5 hash over the complete data set and compare to the value seen in the sniffed packet. A matching hash indicates a matching password.
Obtaining the Tool
The C source code may be downloaded from: https://github.com/theclam/dechapProvided the OpenSSL dev libraries are installed it should be possible to simply extract the source code, cd into the directory then run "make". I've only tested this under Ubuntu Linux but there are very few dependancies so I would imagine it will work on most distributions.
Using the Tool
As usual - this is for legitimate audit and recovery purposes and must not be used for any kind of malicious activity.The usage is pretty straightforward - there are only two parameters and both are mandatory. Specify your capture file (original pcap format) with the -c flag and your word list with the -w flag. Here's an example:
lab@lab:~/dechap$ ./dechap -w mywords.txt -c bgp.cap
Found password "password1" for TCP from 10.0.0.2 to 10.0.0.1.
Found password "password1" for TCP from 10.0.0.1 to 10.0.0.2.
Found password "password1" for TCP from 10.0.0.2 to 10.0.0.1.lab@lab:~/dechap$
I'm not sure how quickly it runs but it doesn't seem quite as quick as the OSPF version. I suppose BGP packets tend to be a little bigger than OSPF so there's more to hash. You can improve the speed by only including one packet for each source / destination pair in each capture as, at present, it doesn't check for multiple packets between pairs and attacks each instance individually.
If you try this out, please leave a comment on this post with your experiences - good or bad. Any suggestions would also be welcome, particularly for other protocols to attack.
References
RFC2385 - Protection of BGP Sessions via the TCP MD5 Signature OptionRFC1321 - The MD5 Message-Digest Algorithm
Possible alternative might be using > tcpdump -M password -r capturefile.pcap
ReplyDelete(This only lets you check one password at a time, although I'm sure there's a way to insert more with xargs or something...)