Discovering secret OSPF information on Cisco routers – part 2

Home > Blogs > Cisco > Discovering secret OSPF information on Cisco routers – part 2

Discovering secret OSPF information on Cisco routers – part 2

Like This Blog 0 Mark Jacob
Added by March 31, 2014

In a previous blog, I discussed OSPF authentication. In that blog, I covered the configuration of simple password protection. At the end of that blog I mentioned that the password when using this method is sent across the wire in clear text. Let us use that fact to our advantage as we delve into part two of discovering secret OSPF information in Cisco routers. Part 1 covered how to obtain the area ID from a neighboring router. This blog will explore the ease with which a simple password can be pulled off the wire, without so much as a packet sniffer in sight. Let’s begin by observing the network diagram.

001-Discovering-secret-OSPF-information-on-Cisco-routers

LEFT router has simple password authentication configured on F0/0. The objective is to log in to the console of RIGHT router and determine the password in use, configure our side to match, and create an adjacency between the two routers. We will have administrative power on RIGHT, but we are not permitted to access LEFT router. Let’s begin.

First, let’s see how close we are to success in our current configuration.

002-current-configuration-OSPF-information-on-Cisco-routers

So we are already running OSPF – that’s one less thing to cross off our list. Let’s check the status of this OSPF process.

003-current-configuration-OSPF-information-on-Cisco-routers

One of the pieces of information that was given to us is that LEFT router is already running simple (plain-text) authentication. We see from the above output that RIGHT router is not participating in authentication and the status in Inactive. Let’s see what it takes to snag that secret password while accessing only RIGHT router. The first step is to configure an extended access-list that watches for the information we want, which is hello packets (addressed to the multicast address 224.0.0.5). It looks like this:

004-packet-configuration-OSPF-information-on-Cisco-routers

Now to craft the debug command which will expose the information we seek. The command is debug ip packet detail 150 dump

005-debug-ip-configuration-OSPF-information-on-Cisco-routers

Focus your attention on the received (rcvd) hello packet. Within the raw dump to the screen is the plain-text password we seek. (It is on two lines, so follow the word-wrap to get it all.) We believe the password is secretid. Let’s try configuring it on our side. If it is correct, our neighbor relationship should spring up shortly after we configure it.

006-secrete-ip-configuration-OSPF-information-on-Cisco-routers

How about that? No WireShark and we captured everything we needed to get our router to speak the correct password on its OSPF interface. Not so difficult at all. It also shows the importance of avoiding plain-text password authentication and using the stronger md5 option supported by OSPF.

Some of the debug tricks are pretty cool and occasionally can come in handy on your certification exams by allowing you to extract seemingly secret information. Just think, someday you can be a great debugger! While that may not sound so impressive, the result most certainly is!

Until next time, debug away…when it is safe to do so, of course.

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ

Videos You May Like

Creating Users and Managing Passwords in Microsoft Office 365

0 642 3

In this Office 365 training video, instructor Spike Xavier demonstrates how to create users and manage passwords in Office 365.   For instructor-led Office 365 training classes, see our course schedulle: Spike Xavier SharePoint Instructor – Interface Technical Training Phoenix, AZ 20347: Enabling and Managing Office 365    

Subnetting a TCP/IP Network using the Magic Box Method

0 1635 5

See our class schedule for complete Course Schedule Training. Classes are held in Phoenix, AZ and can be attended online from anywhere in the world with RemoteLive™. Instructor: Rick Trader  Video Transcription: One of the things that we might have to do in our corporate network is to take a class of IP addresses and then subnet that into … Continue reading Subnetting a TCP/IP Network using the Magic Box Method

Detailed Forensic Investigation of Malware Infections – April 21, 2015

4 608 5

How does an investigator hunt down and identify unknown malware? In this recording of our IT Security training webinar on April 21, 2015, Security expert Mike Danseglio (CISSP / CEH) performed several malware investigations on infected computers and identify symptoms, find root cause, and follow the leads to determine what’s happening. He demonstrated his preferred … Continue reading Detailed Forensic Investigation of Malware Infections – April 21, 2015

Write a Comment

Share your thoughts...

Please fill out the comment form below to post a reply.