
Exploiting Networks with Loki on Backtrack 4 R2

Loki is the impressive layer 2/3 network manipulation tool by Daniel Mende, Rene Graf and Enno Rey of ERNW.  Released at BlackHat 2010 last year (slides here), Loki replicates some of the functionality of Yersinia, but does so in a much more useful package while adding support for lots of new protocols commonly found in enterprise networks (that is, found in an insecure and exploitable form in many enterprise networks).

Lately I’ve been working on two days of the new SANS Advanced Penetration Testing and Ethical Hacking course (SEC660).  I wrote the day 3 materials covering Python for Pen Testers, Scapy, Fuzzing and Cryptography for Pen Testers, as well as the day 2 materials on Network Attacks, focusing on accessing the network, manipulating the network and exploiting the network.  I’ll write some future articles on the cool Python, Scapy, Fuzzing and Crypto attacks in SEC660, but today I want to focus on how to effectively use the powerful Loki tool to exploit common network flaws.

Loki Introduction

Loki provides a graphical interface for multiple protocol attacks, allowing you to manipulate network protocols for man-in-the-middle attacks and other malicious network activity.  Supported protocols include:

  • ARP
  • HSRP, HSRPv2
  • RIP
  • BGP
  • OSPF
  • EIGRP [not-yet-to-be-released due to legal blur]
  • WLCCP [not-yet-to-be-released due to legal blur]
  • VRRP, VRRPv3
  • BFD (Bidirectional Forwarding Protocol)
  • LDP (Label Distribution Protocol)
  • MPLS (re-labeling, tunnel interface)

[Figure: ospf-attack]

With an easy-to-use interface, Loki is my new preferred tool for exploiting many of these protocols, but more than that it offers a reliable interface for exploiting protocols not covered in other tools.  Specifically, I’m very pleased I now have a tool to inject and manipulate routes in OSPF environments, including an interface to mount a (fast) offline dictionary attack against the MD5 shared secret.

Unfortunately, Loki is not the simplest tool to get running on Backtrack 4 R2.  It is not included in the Backtrack repository, but we can add it to any BT4 R2 installation (or VM) with a few straightforward steps.

Installing Loki

To install Loki on BT4 R2 we’ll need to install some additional packages, and apply a source code patch to make Loki compatible with Backtrack’s Python 2.5 interpreter.  First, install several needed packages from the Backtrack repository:

# apt-get update
# apt-get install autoconf automake autotools-dev python-ipy python-libpcap

Next, we need to remove a Python module that is included by default on Backtrack but conflicts with the Loki-required python-libpcap module, as shown:

# apt-get remove python-pypcap

Next, we can download Loki and the patch to make it work on Backtrack 4 R2.  I put this patch together so we could use Loki in the SEC660 course, and Daniel Mende is kind enough to host it for us on his site:

# wget https://www.c0decafe.de/loki/loki-0.2.4.tar.gz
# wget https://www.c0decafe.de/loki/loki-0.2.4-bt4.diff

Now we can extract the source and apply the patch, as shown:

# tar xfz loki-0.2.4.tar.gz
# cd loki-0.2.4
# patch -p1 <../loki-0.2.4-bt4.diff
patching file configure.in
patching file loki_bindings/ospfmd5/ospfmd5bf.c
patching file modules/module_hsrp2.py
patching file modules/module_hsrp.py
patching file modules/module_rip.py
patching file modules/module_vrrp3.py
patching file modules/module_vrrp.py
patching file src/loki.py

Not so hard! Next, we can configure the development environment to build Loki, then build and install it, as shown:

# aclocal && automake --add-missing && autoconf
# ./configure && make && make install
# which loki.py
/usr/local/bin/loki.py

Using Loki

Now that you’ve got Loki installed on your system, you’re ready to put it to use.  After invoking Loki (by running “loki.py” from the shell), click the top-left corner button to start the packet sniffing function.  While Loki sniffs network traffic, it identifies supported protocols that it can attack by blinking the tab designated for that specific protocol.  Otherwise, you can navigate to other tabs, such as the ARP tab, and click on the active scanning functionality to discover attack targets (as shown below).

[Figure: loki-arp]
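The sniffing step above, and the point made in the introduction about OSPF environments where the MD5 shared secret is the only thing standing between an attacker and route injection, can both be mirrored from the defender’s side. The following is an added example, not code from the original post or from the Loki project: a small Python 3 audit script that classifies raw IPv4 packets by the IANA protocol numbers and ports of the protocols Loki targets, and for OSPFv2 reports the authentication type declared in the header (null, simple password, or keyed MD5), so you can inventory what a segment exposes before anyone points Loki at it. The packet samples are constructed inline (a null-auth hello, a cleartext-password hello, a keyed-MD5 hello, an HSRP hello and a VRRP advertisement); the function names (classify, audit_ospf, inventory, audit_ospf_segment) are my own, and ARP is skipped because it is not carried inside IPv4.

```python
import struct
from typing import Dict, List, Optional

# OSPFv2 AuType values (RFC 2328, Appendix D).
OSPF_AUTYPES = {0: "null", 1: "simple-password", 2: "cryptographic"}


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol number, addresses and L4 payload of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl:total_len]}


def classify(pkt: bytes) -> Optional[str]:
    """Name the routing/redundancy protocol a packet carries, if any.
    Protocol numbers and ports are the IANA-registered ones; ARP is not
    carried inside IPv4, so it is outside this parser's scope."""
    ip = parse_ipv4(pkt)
    proto, payload = ip["proto"], ip["payload"]
    if proto == 89:
        return "OSPF"
    if proto == 112:
        return "VRRP"
    if proto in (6, 17) and len(payload) >= 4:
        udp_ports = {1985: "HSRP", 520: "RIP", 3784: "BFD", 646: "LDP"}
        tcp_ports = {179: "BGP", 646: "LDP"}
        table = udp_ports if proto == 17 else tcp_ports
        for port in struct.unpack("!HH", payload[:4]):
            if port in table:
                return table[port]
    return None


def audit_ospf(ospf: bytes) -> dict:
    """Report the authentication scheme declared in an OSPFv2 packet header."""
    if len(ospf) < 24 or ospf[0] != 2:
        raise ValueError("not an OSPFv2 header")
    autype = struct.unpack("!H", ospf[14:16])[0]
    finding = {"router_id": ".".join(str(b) for b in ospf[4:8]),
               "autype": OSPF_AUTYPES.get(autype, "unknown")}
    if autype == 0:
        finding["risk"] = "no authentication: any host on the segment can inject hellos/LSAs"
    elif autype == 1:
        # The 8-byte authentication field carries the password itself.
        finding["password"] = ospf[16:24].rstrip(b"\x00").decode("ascii", "replace")
        finding["risk"] = "password travels in cleartext"
    elif autype == 2:
        key_id, auth_len, seq = struct.unpack("!xxBBI", ospf[16:24])
        finding.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
        finding["risk"] = "keyed MD5: only as strong as the shared secret"
    return finding


# --- constructed sample traffic (not captured from a real network) ---------
def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def make_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      1, proto, 0, _ip(src), _ip(dst))  # checksum left as 0
    return hdr + payload


def make_ospf_hello(router_id: str, autype: int, auth: bytes) -> bytes:
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.255.0"), 10, 0x02, 1, 40,
                       b"\0" * 4, b"\0" * 4)
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), _ip(router_id),
                      b"\0" * 4, 0, autype, auth)
    return hdr + body


def make_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


HSRP_HELLO = struct.pack("!BBBBBBBB8s4s", 0, 0, 16, 3, 10, 100, 1, 0,
                         b"cisco\0\0\0", _ip("10.0.0.1"))  # v0 hello, state active
VRRP_ADVERT = struct.pack("!BBBBBBH4s", 0x21, 1, 100, 1, 0, 1, 0, _ip("10.0.0.1"))

SAMPLES: List[bytes] = [
    make_ipv4(89, "10.0.0.2", "224.0.0.5", make_ospf_hello("10.0.0.2", 0, b"\0" * 8)),
    make_ipv4(89, "10.0.0.3", "224.0.0.5", make_ospf_hello("10.0.0.3", 1, b"cisco\0\0\0")),
    # AuType 2: key id 1, 16-byte digest, sequence 1234; the placeholder MD5
    # digest trails the packet and is not counted in the OSPF length field.
    make_ipv4(89, "10.0.0.4", "224.0.0.5",
              make_ospf_hello("10.0.0.4", 2, struct.pack("!xxBBI", 1, 16, 1234)) + b"\0" * 16),
    make_ipv4(17, "10.0.0.2", "224.0.0.2", make_udp(1985, 1985, HSRP_HELLO)),
    make_ipv4(112, "10.0.0.5", "224.0.0.18", VRRP_ADVERT),
]


def inventory(packets: List[bytes]) -> Dict[str, List[str]]:
    """Map each recognised protocol to the sorted list of hosts speaking it."""
    seen: Dict[str, set] = {}
    for pkt in packets:
        name = classify(pkt)
        if name:
            seen.setdefault(name, set()).add(parse_ipv4(pkt)["src"])
    return {name: sorted(hosts) for name, hosts in seen.items()}


def audit_ospf_segment(packets: List[bytes]) -> List[dict]:
    return [audit_ospf(parse_ipv4(p)["payload"]) for p in packets if classify(p) == "OSPF"]


if __name__ == "__main__":
    for proto, hosts in inventory(SAMPLES).items():
        print(f"{proto:5s} spoken by {', '.join(hosts)}")
    for f in audit_ospf_segment(SAMPLES):
        print(f"OSPF router {f['router_id']}: auth={f['autype']} ({f['risk']})")
```

To run this against real traffic, replace SAMPLES with the IP-layer bytes from a capture (strip the Ethernet header first); anything reported with a null or simple-password AuType is the same condition the post describes as an insecure and exploitable form, and the cryptographic case is where the strength of the shared secret decides the outcome.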


I’m very impressed with the functionality of Loki, and I’ve been pleased with how well it works on various penetration testing engagements.  There are still some minor bugs, but nothing that can’t be rectified quickly with a little Python edit here and there.

If you have a Loki success story (e.g. how you owned a network with Loki) or if you run across a Loki bug you want to share, please leave a comment below.  In the meantime, check out this powerful tool and, for practical hands-on experience on using Loki to exploit interior routing protocols, check out SEC660 at a SANS conference near (or not-so-near) you soon!

Special thanks to Daniel, Enno and Rene for making Loki available to the open-source community.  Tool authors don’t get enough thanks for their hard work, so please consider leaving them a note as well, thanking them for this very useful addition to your attack tool arsenal.

-Josh