Skip to content

Commit fbcb478

Browse files
carlospolopcarlospolop
authored
Merge pull request #1992 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_eigrp-attacks_20260312_170206
Research Update Enhanced src/generic-methodologies-and-resou...
2 parents 9fd8783 + 8fe8ac6 commit fbcb478

1 file changed

Lines changed: 37 additions & 1 deletion

File tree

src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md

Lines changed: 37 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,43 @@
5858
- `--as`: Defines the EIGRP AS number.
5959
- `--src`: Sets the attacker’s IP address.
6060

61-
{{#include ../../banners/hacktricks-training.md}}
61+
## **Protocol Notes Useful for Attacks**
62+
63+
- **HELLO packets carry K-values and neighbors only form when they match.** This is the basis for K-value mismatch/relationship disruption attacks and why mismatched K-values prevent adjacency.
64+
- **The PARAMETER TLV (Type 0x0001) in HELLO (and initial UPDATE) carries K-values and Hold Time**, so passive captures reveal the exact values used on the segment.
65+
66+
## **Scapy Packet Crafting (Route Injection / Fake Neighbors)**
67+
68+
Scapy ships an EIGRP contrib layer with TLVs like `EIGRPParam` and `EIGRPIntRoute`, which is enough to craft UPDATEs for route injection. Example adapted from the `davidbombal/scapy` EIGRP route injection script:
69+
70+
```python
71+
from scapy.all import *
72+
load_contrib("eigrp")
73+
74+
sendp(Ether()/IP(src="192.168.1.248", dst="224.0.0.10") /
75+
EIGRP(opcode="Update", asn=100, seq=0, ack=0,
76+
tlvlist=[EIGRPIntRoute(dst="192.168.100.0",
77+
nexthop="192.168.1.248")]))
78+
```
79+
80+
The same repo includes quick "fake neighbor" scripts that sniff a real EIGRP packet and replay it with a spoofed source IP to create phantom neighbors (useful for CPU/neighbor-table pressure).
6281

82+
- Scapy EIGRP contrib docs: https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html
83+
- Example scripts: https://github.com/davidbombal/scapy
84+
85+
## **Routopsy & NSE Helpers**
86+
87+
- **Routopsy** builds a virtual-router attack lab (FRRouting + Scapy) and includes DRP attacks you can adapt for EIGRP tests. https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/
88+
- Nmap's NSE has a small `eigrp` library for parsing/generating a subset of EIGRP packets. https://nmap.org/nsedoc/lib/eigrp.html
89+
90+
## **Authentication Recon**
91+
92+
- EIGRP named mode supports **HMAC-SHA-256 authentication** via `authentication mode hmac-sha-256 ...`. If enabled, crafted packets must be authenticated with the correct key; if not enabled, spoofing/injection is easier to validate.
93+
94+
## **References**
95+
- [https://www.rfc-editor.org/rfc/rfc7868.html](https://www.rfc-editor.org/rfc/rfc7868.html)
96+
- [https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html)
97+
98+
{{#include ../../banners/hacktricks-training.md}}
6399

64100

0 commit comments

Comments
 (0)