Destroying the Internet (BGP routers) EP 1 // BGP Python scapy DoS script

Captions
This is one of multiple videos where I'm going to show you how to hack BGP, or Border Gateway Protocol. BGP is the routing protocol that runs the Internet. If you send traffic across the Internet, so for example you go to facebook.com or you go to another website, the decisions about where to route your traffic are made by a routing protocol called BGP. So the Internet relies on BGP. How many people have got a phone without a data plan? How many people live their life like the Amish can? Well, if you do then you don't need the Internet at all, but otherwise here's your protocol: you're down with BGP? Yeah, you know me.

So I'm going to show you in this series of videos how to reset a BGP neighbor relationship using Python and Scapy. In this example I've got Kali running on a Windows computer within a virtual machine, and we're going to send packets into the network to reset the neighbor relationship. Secondly, I'm going to show you how to remove a route from the routing table of a BGP router. So first script: reset neighbor relationship. Second script: find a route in the routing table and remove that. And the third script is where we inject a fake route into the routing table of a BGP router.

Now before we continue I need to warn you: this is more of an advanced topic. BGP isn't covered in much detail at all at CCNA level; you have to get to CCNP level if you want to learn about BGP. So you typically learn about IGPs, or interior gateway protocols, such as OSPF or EIGRP or IS-IS, which run within an organization or within an autonomous system, and then later on you learn about BGP, which is run between autonomous systems. So your ISPs, or Internet service providers, are running BGP because they are advertising routes from customers across them, or between ISPs. So ISPs around the world will be receiving routes from other ISPs to basically enable connectivity across the global Internet. What we are trying to do here is inject fake routes or remove routes from a BGP routing table.

Now in this example I'm running BGP locally in my home network. I'm not going to try and attack the real Internet because I don't particularly want to go to jail, and I don't think you should do the same either. Be aware that there have been cases of ISPs around the world injecting routes into the global Internet routing table that take networks offline. As an example, there have been some famous cases where YouTube has been taken offline, and various other well-known websites, because various ISPs have injected more specific routes into the BGP routing table and that's affected where packets go. An ISP wants to block certain routes: they will not accept RFC 1918 addresses, as an example, or private IP addresses, and well they shouldn't. They should be limiting the routes that they receive, they should be running authentication, they should be doing various things to protect themselves from attacks such as what I'm going to demonstrate here.

Now the scripts that I've written here are fairly simple, but they've taken me a while to create because I've had to rewrite the code for Python 3. You might find some examples on the Internet for Python 2.7, but they don't work anymore. The code that I've written here is specifically for Python 3. How do I learn this stuff? I understand protocols. I used Wireshark to capture updates and then I basically forged packets similar to what I captured off the network. One of the best ways to learn Scapy is to basically capture packets and try and replicate what you've seen. I'll cover a basic Scapy introduction in a separate video.

I've once again got Kali running within a virtual machine on this Windows laptop. It's connected to this 3560-CX switch on Gigabit 0/3. I've also got two Cisco routers, one over here with IP address 192.168.1.246, and this router, 192.168.1.249, is actually my router to get to the Internet. I'm running BGP between these two routers, so there's a BGP relationship between those two routers. Now there's additional infrastructure here which I'm not showing in this topology; that doesn't really matter from a BGP point of view because BGP uses TCP port 179, so there's essentially a BGP relationship across a bunch of devices between these two routers. The layer 2 infrastructure doesn't really matter in this example; I simply need a TCP session between those two routers, which I've got. And what I'm going to do is I'm going to sniff packets from those routers, manipulate those packets and send them back into the network.

Now this session is TCP; it's a unicast session, so a switch by default would not forward the traffic to the Kali virtual machine. It would send the traffic directly between those two routers, so this device would never see the traffic. Now to solve that we could do various things. We could use wiretaps such as these here: I've got a gigabit wiretap here, I've got a 10/100 Meg wiretap. The problem with both these wiretaps is that on the monitoring port, so on this one on the monitoring port over here, it only sends traffic out of the interface; it doesn't allow for traffic to be sent back into the network. So I could plug two cables in here and then sniff the traffic and monitor the traffic out of that port. I could do something very similar with this one. Again, the problem with these wiretaps is that they allow me to monitor traffic but they don't allow me to send traffic back into the network. What we want to do is we want to monitor the traffic from these BGP routers, receive the traffic and then manipulate the packets and send them back into the network to get the routers to do things. So as an example, I want to remove routes from the routing table of this router. That means I need to send packets into the network pretending to be this router. So I'm going to pretend to be 246 and send packets to 249 and get 249 to remove routes from its routing table, or I'm going to add fake routes to the routing table, or I'm going to reset the neighbor relationship. That means that I need to either use a hub here, so you could use a hub rather than a wiretap (the problem with hubs is they often only support 10 megabits per second), or what I've done here is set up port mirroring, and I'm going to mirror traffic from Gigabit 0/1 to the Kali device and then configure this port to not only just mirror traffic but also receive traffic.

So I'll connect to the 3560 switch. So on my 3560 switch, show run | include monitor. On Cisco devices we use these commands to determine which interfaces to monitor and where to mirror the traffic. So monitor session 1 (this is just a number), source interface is Gigabit 0/1; that's this interface which connects the switch to this router on my desk running BGP. That's once again the source interface. The destination of the mirrored traffic will be Gigabit 0/3; that's this interface connecting the switch to the Kali virtual machine. So we are forwarding traffic from this interface out of this interface as untagged traffic in VLAN 1, but we're also going to allow ingress traffic. That's really important: we want to allow the traffic from the Kali machine back into the network. So you either need to have a switch where you can configure it such as the following, so that you can basically tap the network, so tap the connection between the two routers, or you need a hub or you need some type of wiretap to see the traffic between those two routers. So that's the first thing that you need to do: you need to have visibility of the traffic between the two routers, and this gives me that visibility. Okay, now that we've done that, what we can do is bridge Kali to the Ethernet adapter on the Windows computer, and that's what I've done here. I'm bridging the virtual machine to this adapter which connects the laptop to port 3 on the Cisco switch, and now that you've done that you can actually inject traffic into the network.

So I've got three scripts. Once again, first script is to reset the neighbor relationships, second script is to remove a route out of the routing table, and the third script is to inject a fake route into the BGP routing table. Let's start with the resetting of neighbor relationships. Okay, so in my first script I'm going to import Scapy, I'm going to import BGP. I've created a loop where I'm sniffing a packet off the wire, so basically I'm looking for a TCP packet with a destination of 192.168.1.249. So I'm basically sniffing packets from this router that are going to my Internet router. I'm going to capture one of those packets and then I'm going to create a forged packet. I need to capture a packet off the wire from the actual BGP session because I don't know what the sequence numbers are that the routers are using. So in all my scripts I'm capturing a packet off the wire so that I can see the TCP sequence numbers and ack numbers that the routers are using. I basically also need to know the source and destination ports. BGP uses port 179, but it depends on which router initiates the session. If router 1 talks to router 2, it might initiate the session to port 179, but if router 2 initiates the session to router 1, the destination is 179 on this side. So a random port number initiates the session to well-known port number 179, but if this side initiates the session it'll be a random port number going to 179 on this router. So the direction of who set up the initial session determines which side is using port number 179.

So I'm going to create a new Ethernet frame. I'm going to set the destination MAC address to the MAC address that was captured in the BGP frame; I'm going to set the source MAC address to the MAC address captured in the BGP frame. Basically I'm creating a frame at layer 2 that mimics the actual session between the two routers. I'm also changing the Ethernet type. And now I'm going to change TCP source and destination ports to the port numbers that the routers are using. I'm then going to specify the sequence number, but I'm going to increment the sequence number based on this loop. So I know what the sequence number is when I capture the packet, but then what I'm doing now is I'm just incrementing that and sending packets to the router, hopefully getting a sequence number that's valid. I'm also specifying the acknowledgement number, and then I'm going to specify the source IP address and destination IP address. Now if you know BGP, if you know how to hack, you could probably improve these scripts, but this is what I got working and I'm happy with it for demonstration purposes.

What I then did is craft a packet. So I'm specifying that bgp reset is going to be an IP packet. The source IP address is going to be this ipsource, which I got from the original packet; the destination IP address is going to be the IP address that I once again captured from the packet. TTL, or time to live, I'm going to set to 1. This is a line continuation, so actually this is one long line of text, but to make it easier I've done a backslash there. This is layer 3. This in Scapy means next layer, so next layer is TCP. Destination port number is going to be the port number that I read from the packet; source port number is going to be my source port. Now you could point directly to the original frame; I've created variables, that just makes it easier to explain what's going on here. So source and destination port numbers in the TCP header will be set as follows. I'm setting the flags to PA. Sequence number is the sequence number that we worked out, but remember this is incrementing. Acknowledgement number is the acknowledgement number that we grabbed from the packet over there. Next layer is going to be the BGP header. Now the marker here is generally written in F's; I've written it as follows, the decimal equivalent. Notice that's what it looks like in a Wireshark capture. So once again, if you want to know what to put into a Scapy packet, capture packets in Wireshark and then you can fill in the details. So I've specified for instance source and destination port number, sequence number, acknowledgement and length. You can see that information over here. Slightly different length here because this is a reset message rather than an update message. Type is set to 3 because that's a reset; an update message has a type of 2, but I'm sending a reset message rather than an update message or a keepalive. Notice keepalive is 4, update message here is 2; I'm going to send a reset.

So that is basically going to be sent. sendp is the Scapy way of sending a layer 2 frame, so I'm sending the frame, which is frame 1 which I created up here based on the original frame, and then I'm putting bgp reset on that. So basically it's layer 2, layer 3 which is the IP layer here, layer 4, and then BGP on top of that. So I'm stacking those layers and then I'm sending it into the network. But just to show you what it looks like, I've got some show commands here that show the frame, so show layer 2 and then show the BGP reset message. Sleep for one second and then loop round. Now the reason I've got two loops here is if the BGP relationship resets, I want to grab another frame when the BGP router tries to re-establish the relationship, take that and then send more reset messages to get it to reset again. Okay, so there's our script.

In Linux I will open up a terminal. Let's use nano just because it's easy, and I'll create a Python script called bgphack1.py. Now Kali comes with Scapy pre-installed, so you don't have to install it. So I'll save that, and what I can do now is basically run my Python script. Now before I run that script, let's have a look at the router. So on my router, the 1941, this is the router that actually connects me to the Internet. show ip bgp: you can see that I've learned some BGP routes. Router ID is 192.168.1.249. I've got a default route to get me to the Internet; I've learned various routes from neighbor 192.168.1.246, which is this router on my desk. If I connect to that router and log in, this is an ISR 4321. show ip bgp: you can see that it's also learnt a route here from 192.168.1.249; that's its default route to get to the Internet. So as an example, this router can ping google.com. So back on the first router, show ip bgp summary. This shows me that the router has a neighbor relationship to 192.168.1.246; it's been up for about two hours, received five prefixes. Back on 246, show ip bgp summary: we've got our neighbor relationship to 192.168.1.249, also been up for about two hours. That's basically just showing us the relationship between the two routers. term mon to monitor stuff that's happening, debug ip bgp: that'll allow us to see what's happening with BGP. Hopefully we'll see the neighbor relationship be reset through debug messages, and also see that the timer is reset. So that's what it is at the moment; that's the messages sent and received.

So let's run our hacking script. Now what it needs to do is it needs to capture some packets off the wire, so it needs to see traffic sent between the two routers in BGP. That can take a while; BGP doesn't send a lot of messages from one router to another. Okay, so there you go, something's happened and we're sending packets into the network. And notice here something's going on: it's complaining about a sync error. We went from Established to Closing; notification message was sent, close after notification. We remove stuff from the routing table, and notice, using the command again, we can see that the relationship is Idle. Relationship is being formed again, so they are negotiating to set up a relationship, and once again we can see it's been up for 13 seconds, now up for 32 seconds. So I managed to get the neighbor relationship between those two routers to reset by sending notification messages. Now let's run that again. So run it again: it's at 52 seconds, now it's being reset again. Notice, five seconds; it's Idle at the moment. show ip bgp: routes have been lost. We don't see 192.168.1.249 as a neighbor; now we do. So you can see a bunch of messages are displayed; now we see the routes from 192.168.1.246.

So I got this neighbor relationship to reset. Notice 24 seconds at this point. I'll run that again. You could leave the script running; I'm breaking it just to try and make this happen quickly, but you could leave it running and you could set the loop to a big value so that it just constantly looks for messages and then sends reset messages. At the moment, 53 seconds, relationship is up, but notice now it's breaking again, went to four seconds. show ip bgp: routes have been learnt. I was a bit too slow there. You can see route refreshes, you can see that capabilities were exchanged. So I managed to reset the neighbor relationship. Okay, so this video is getting too long; this is a really long video. I'm going to show you the other scripts in separate videos because this is very long. Basically my simple script over here has sent a BGP reset message into the network to reset the neighbor relationship. In the next video I'll show you how to remove a route from the routing table. Now if you send too many of those messages it'll actually reset the neighbor relationship.
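The detection-side counterpart to what the video describes, added here as an example (it is not the video's bgphack1.py script nor any code from David Bombal): a decoder for the BGP message header the script forges (16-byte 0xFF marker, 2-byte length, 1-byte type, NOTIFICATION = 3) that a monitor on the mirrored port could run over the TCP-179 payload to flag session resets and malformed headers. The sample bytes are constructed, not captured from the lab; error-code names follow RFC 4271.

```python
"""Defender-side BGP message decoder (added example, not the video's script).

Walks the TCP-179 payload of a captured segment using the BGP header the
video describes: 16-byte marker of 0xFF, 2-byte length, 1-byte type
(OPEN=1, UPDATE=2, NOTIFICATION=3, KEEPALIVE=4), and flags NOTIFICATION
messages, which is what a forged session reset carries. Sample bytes are
constructed here, not captured from the lab.
"""
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
# NOTIFICATION error codes from RFC 4271 section 4.5
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}


def parse_bgp_stream(payload: bytes) -> list:
    """Split one TCP payload into BGP messages.

    Stops at the first header whose marker is not all 0xFF, or whose length
    is shorter than the header or runs past the payload; that message is
    reported as MALFORMED, which is itself worth alerting on."""
    msgs, off = [], 0
    while off + HEADER_LEN <= len(payload):
        marker = payload[off:off + 16]
        length, mtype = struct.unpack("!HB", payload[off + 16:off + HEADER_LEN])
        if marker != MARKER or length < HEADER_LEN or off + length > len(payload):
            msgs.append({"type": "MALFORMED", "offset": off})
            break
        body = payload[off + HEADER_LEN:off + length]
        msg = {"type": TYPES.get(mtype, f"UNKNOWN({mtype})"), "length": length}
        if mtype == 3:  # body: error code, error subcode, optional data
            msg["error"] = ERROR_CODES.get(body[0], f"code {body[0]}") if body else "truncated"
            msg["subcode"] = body[1] if len(body) > 1 else None
        msgs.append(msg)
        off += length
    return msgs


def reset_alerts(payload: bytes, src: str, dst: str) -> list:
    """One alert line per NOTIFICATION seen on the session src -> dst."""
    return [f"BGP NOTIFICATION {src} -> {dst}: {m['error']} (subcode {m['subcode']})"
            for m in parse_bgp_stream(payload) if m["type"] == "NOTIFICATION"]


# Constructed sample: a KEEPALIVE (19 bytes) followed by a NOTIFICATION
# carrying Cease (6) / Administrative Reset (4), as in RFC 4486.
SAMPLE = (MARKER + struct.pack("!HB", 19, 4)
          + MARKER + struct.pack("!HB", 21, 3) + b"\x06\x04")

if __name__ == "__main__":
    for line in reset_alerts(SAMPLE, "192.168.1.246", "192.168.1.249"):
        print(line)
```

In a live setup the payload would come from the TCP layer of segments sniffed on the mirror port; a NOTIFICATION arriving on a session that neither operator touched is the signal that the video's script has fired.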
Info
Channel: David Bombal
Views: 39,197
Rating: 4.9510045 out of 5
Keywords: bgp, bgp hack, bgp hijacking, bgp protocol, ccna, cyber security, cyber weapon, cyber weapons, ethical hacking, hack cisco, hack cisco router, hacker, hacking, hacking cisco, how to hack, infosec, kali linux, kali linux 2021, kali linux python, null byte, nullbyte, python, python hacking, python scapy, scapy, scapy in python, scapy kali linux, scapy packet crafting, scapy python, scapy python 3, scapy python tutorial, scapy python3, scapy sniffing, scapy tutorial, security
Id: 39DGVpMt7eQ
Length: 20min 24sec (1224 seconds)
Published: Mon Sep 20 2021