Merge pull request #2035 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_eigrp-attacks_20260319_211452

Research Update Enhanced src/generic-methodologies-and-resou...

Author: carlospolop

src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md

@@ -62,6 +62,33 @@
 
 - **HELLO packets carry K-values and neighbors only form when they match.** This is the basis for K-value mismatch/relationship disruption attacks and why mismatched K-values prevent adjacency.
 - **The PARAMETER TLV (Type 0x0001) in HELLO (and initial UPDATE) carries K-values and Hold Time**, so passive captures reveal the exact values used on the segment.
+- **EIGRP uses IP protocol 88**, multicasting to **224.0.0.10** in IPv4 and **FF02::A** in IPv6. That makes it easy to spot with `tcpdump 'ip proto 88 or ip6 proto 88'` before attempting active abuse.
+- **Reliable UPDATEs are ordered with sequence / acknowledgement fields and SEQUENCE TLVs.** Blind multicast route injection can work in weak labs, but when emulating a real neighbor you often need to track `seq`, `ack`, and the peer list carried in SEQUENCE TLVs to stay in sync with the RTP logic.
+
+## **Passive Recon Before Injection**
+
+Before you try to inject routes, capture a legitimate HELLO / UPDATE exchange and extract:
+
+- **AS number**
+- **K-values and Hold Time** from the PARAMETER TLV
+- **Authentication in use**: none, MD5, or HMAC-SHA-256
+- **Neighbor source address** and the subnet/interface where EIGRP is active
+- **Software / TLV profile** (`SOFTWARE_VERSION`, `STUB`, `SEQUENCE`) so your crafted packets look like the local routers
+
+Useful commands:
+
+```bash
+# Passive sniffing
+sudo tcpdump -ni eth0 'ip proto 88 or ip6 proto 88'
+
+# Quick discovery and route enumeration on IPv4
+sudo nmap --script broadcast-eigrp-discovery
+
+# If you already know the AS
+sudo nmap --script broadcast-eigrp-discovery --script-args broadcast-eigrp-discovery.as=100
+```
+
+Nmap's `broadcast-eigrp-discovery` works by sending a HELLO to `224.0.0.10` and parsing the returned UPDATE packets, which is useful to enumerate prefixes before attempting a more intrusive route injection.
 
 ## **Scapy Packet Crafting (Route Injection / Fake Neighbors)**
 
@@ -79,6 +106,41 @@ sendp(Ether()/IP(src="192.168.1.248", dst="224.0.0.10") /
 
 The same repo includes quick "fake neighbor" scripts that sniff a real EIGRP packet and replay it with a spoofed source IP to create phantom neighbors (useful for CPU/neighbor-table pressure).
 
+Scapy also exposes primitives that are useful when you need higher-fidelity emulation instead of a single UPDATE:
+
+- `EIGRPAuthData` for authenticated adjacencies
+- `EIGRPSeq` for sequence / conditional-receive handling
+- `EIGRPStub` to mirror observed stub behavior
+- `EIGRPv6IntRoute` / `EIGRPv6ExtRoute` for IPv6 route injection
+
+That matters because the reliable transport logic is often what separates a throwaway PoC from a fake neighbor that survives long enough to learn routes and poison the topology.
+
+## **EIGRP for IPv6**
+
+EIGRP for IPv6 is a separate address-family transported over IPv6. It still uses EIGRP packet format / TLVs, but it is enabled directly on interfaces and multicasts to `FF02::A`. From an offensive perspective, that means a dual-stack segment may expose an EIGRP attack surface even when the IPv4 side looks clean.
+
+Important differences:
+
+- **IPv6 EIGRP is enabled per interface** (`ipv6 eigrp <as>`), not with IPv4-style `network` statements.
+- **A router ID is still required**, so sniffing an active segment usually reveals enough context to mimic a valid peer.
+- **MD5 authentication exists for EIGRP for IPv6**, and modern named mode deployments may also use **HMAC-SHA-256**, which blocks unauthenticated route injection.
+
+Minimal Scapy example for IPv6 route injection:
+
+```python
+from scapy.all import *
+load_contrib("eigrp")
+
+send(IPv6(src="fe80::250:56ff:feaa:1111", dst="ff02::a") /
+     EIGRP(opcode="Update", asn=100, seq=0, ack=0,
+           tlvlist=[EIGRPv6IntRoute(dst="2001:db8:dead:beef::",
+                                    prefixlen=64,
+                                    nexthop="fe80::250:56ff:feaa:1111")]),
+     iface="eth0")
+```
+
+If the IPv6 next hop inside the route TLV is zeroed, receivers fall back to the IPv6 source address in the packet header. That makes source spoofing and correct link-local addressing especially important during EIGRPv6 testing.
+
 - Scapy EIGRP contrib docs: https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html
 - Example scripts: https://github.com/davidbombal/scapy
 
@@ -90,11 +152,14 @@ The same repo includes quick "fake neighbor" scripts that sniff a real EIGRP pac
 ## **Authentication Recon**
 
 - EIGRP named mode supports **HMAC-SHA-256 authentication** via `authentication mode hmac-sha-256 ...`. If enabled, crafted packets must be authenticated with the correct key; if not enabled, spoofing/injection is easier to validate.
+- RFC 7868 also defines both **MD5** and **SHA2-256** authentication data inside the EIGRP AUTH TLV, which is why passive captures quickly tell you whether a blind spoof is realistic or whether you first need key material.
+- On EIGRP for IPv6, Cisco also supports **MD5 authentication with key chains**. If multiple keys with send/accept lifetimes are configured, replaying stale authenticated traffic becomes less reliable because the active key can rotate without changing the rest of the adjacency profile.
 
 ## **References**
 - [https://www.rfc-editor.org/rfc/rfc7868.html](https://www.rfc-editor.org/rfc/rfc7868.html)
 - [https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html)
+- [https://nmap.org/nsedoc/scripts/broadcast-eigrp-discovery.html](https://nmap.org/nsedoc/scripts/broadcast-eigrp-discovery.html)
+- [https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/](https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/)
 
 {{#include ../../banners/hacktricks-training.md}}
 
-