HCNA-22 Configuring RIPv2 authentication

Basic configuration

R1:

<Huawei>system-view
[Huawei]sysname r1
[r1]interface GigabitEthernet 0/0/2
[r1-GigabitEthernet0/0/2]ip address 192.168.10.1 24
[r1-GigabitEthernet0/0/2]quit
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 172.16.12.1 24
[r1-GigabitEthernet0/0/0]quit
[r1]rip 1
[r1-rip-1]version 2
[r1-rip-1]network 192.168.10.0
[r1-rip-1]network 172.16.0.0
[r1-rip-1]quit

R2:

<Huawei>system-view
[Huawei]sysname r2
[r2]interface GigabitEthernet 0/0/2
[r2-GigabitEthernet0/0/2]ip address 192.168.20.1 24
[r2-GigabitEthernet0/0/2]quit
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 172.16.12.2 24
[r2-GigabitEthernet0/0/0]quit
[r2]rip 1
[r2-rip-1]version 2
[r2-rip-1]network 192.168.20.0
[r2-rip-1]network 172.16.0.0
[r2-rip-1]quit

R2 now learns R1's LAN segment over RIP:

[r2]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
......
192.168.10.0/24     RIP     100  1      D     172.16.12.1     GigabitEthernet0/0/0
192.168.20.0/24     Direct  0    0      D     192.168.20.1    GigabitEthernet......
......

Simulating a rogue router to attack the network

R3 is an unauthorised router attached to the shared 172.16.12.0/24 segment. Because RIP runs there without authentication, R3 only has to join the RIP process to receive every update R1 and R2 send:

<Huawei>system-view
[Huawei]sysname r3
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 172.16.12.3 24
[r3-GigabitEthernet0/0/0]quit
[r3]rip 1
[r3-rip-1]version 2
[r3-rip-1]network 172.16.0.0
[r3-rip-1]quit
[r3]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
......
172.16.12.255/32    Direct  0    0      D     127.0.0.1       GigabitEthernet0/0/0
192.168.10.0/24     RIP     100  1      D     172.16.12.1     GigabitEthernet0/0/0
192.168.20.0/24     RIP     100  1      D     172.16.12.2     GigabitEthernet0/0/0
255.255.255.255/32  Direct  0    0      D     127.0.0.1       InLoopBack0

R3 obtains R1's and R2's routes with no effort at all. Even at this stage, R3 running continuous pings (ping -t) against R1 and R2 to flood them with packets is already a form of attack.

Next, R3 is given spoofed copies of the two LAN segments on loopback interfaces and advertises them into RIP:

[r3]interface LoopBack 1
[r3-LoopBack1]ip address 192.168.10.1 24
[r3-LoopBack1]quit
[r3]interface loopback 2
[r3-LoopBack2]ip address 192.168.20.1 24
[r3-LoopBack2]quit
[r3]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              172.16.12.3/24       up         up
GigabitEthernet0/0/1              unassigned           down       down
GigabitEthernet0/0/2              unassigned           down       down
LoopBack1                         192.168.10.1/24      up         up(s)
LoopBack2                         192.168.20.1/24      up         up(s)
NULL0                             unassigned           up         up(s)
[r3]rip 1
[r3-rip-1]network 192.168.10.0
[r3-rip-1]network 192.168.20.0
[r3-rip-1]quit

Check the routing tables on R1 and R2:

<r1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
......
192.168.20.0/24     RIP     100  1      D     172.16.12.2     GigabitEthernet0/0/0
                    RIP     100  1      D     172.16.12.3     GigabitEthernet0/0/0
255.255.255.255/32  Direct  0    0      D     127.0.0.1       InLoopBack0

<r2>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
......
192.168.10.0/24     RIP     100  1      D     172.16.12.1     GigabitEthernet0/0/0
                    RIP     100  1      D     172.16.12.3     GigabitEthernet0/0/0
192.168.20.0/24     Direct  0    0      D     192.168.20.1    GigabitEthernet......
......

This is the important part. R1 and R2 have accepted the route updates sent by R3. R2 and R3 both advertise 192.168.20.0/24 with a cost of 1 hop, so R1's routing table now holds two equal-cost paths for that destination, with next hops R2 (172.16.12.2) and R3 (172.16.12.3). RIP load-balances across them, so part of the traffic destined for 192.168.20.0/24 is forwarded to the rogue router R3, which can then drop, inspect or modify it. R2's routing table changes in the same way for 192.168.10.0/24.

Configuring RIPv2 simple authentication

Authentication is configured per interface, on both ends of the link:

<r1>system-view
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]rip authentication-mode simple cipher admin1234  // set the RIP authentication mode to simple password, key admin1234

With only R1 configured, a PC on R1's LAN can no longer reach R2's LAN:

PC>ping 192.168.20.100

Ping 192.168.20.100: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.20.100 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

Once authentication is enabled on just one interface, RIP stops working between R1 and R2: R1 discards R2's unauthenticated updates, and R2 discards R1's authenticated ones, so the learned routes age out. The interfaces on both ends of the link must be configured with the same authentication mode and key.

<r2>system-view
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]rip authentication-mode simple admin1234
[r2-GigabitEthernet0/0/0]quit
[r2]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
......
192.168.10.0/24     RIP     100  1      D     172.16.12.1     GigabitEthernet0/0/0
192.168.20.0/24     Direct  0    0      D     192.168.20.1    GigabitEthernet......
......

The route via R3 is gone: R3 has no RIP authentication configured, so its updates are now rejected.

A packet capture, however, shows that the RIP packets exchanged between R1 and R2 contain an authentication entry whose password field is the plaintext string admin1234. The cipher keyword only controls how the key is stored in the configuration file; in simple mode the key itself is always sent in the clear, so anyone able to sniff the 172.16.12.0/24 segment (such as R3) can read it and configure the same password to get back in. Simple authentication therefore only protects against accidental or unsophisticated peers.

Configuring RIPv2 MD5 authentication

With MD5 authentication the key is never transmitted; each packet carries an MD5 digest computed over the packet and the key, and the receiver recomputes it. Replace the simple mode on both interfaces:

<r1>system-view
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]undo rip authentication-mode
[r1-GigabitEthernet0/0/0]rip authentication-mode md5 usual cipher admin1234
[r1-GigabitEthernet0/0/0]quit

<r2>system-view
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]undo rip authentication-mode
[r2-GigabitEthernet0/0/0]rip authentication-mode md5 usual cipher admin1234
[r2-GigabitEthernet0/0/0]quit

After the change, repeat the two checks used above: display ip routing-table on R1 and R2 should again show each other's LAN segment via RIP and no next hop of 172.16.12.3, and a capture of the RIP traffic should show an MD5 authentication entry and trailer instead of the password. Keep in mind that MD5 authentication still relies on a shared secret: a copy of the key taken from a configuration backup is enough for a rogue router to authenticate, so the key needs to be protected like any other credential.
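To make the difference between the three states of this lab concrete (no authentication, simple password, MD5), the following Python script builds the kind of RIPv2 Response that R3 injects and models how a receiving interface in each authentication mode decides whether to accept it. It is an added example, not code from the lab or from Huawei; it follows the packet layouts in RFC 2453 (simple password entry) and RFC 2082 (keyed-MD5 header and trailer). The prefixes and the key admin1234 come from the lab; the key ID, sequence number and the assumption that the receiver only handles RIPv2 packets are the example's own.

```python
"""RIPv2 authentication on the wire: RFC 2453 simple password and RFC 2082 keyed MD5.

Added example, not part of the lab. It builds the RIPv2 Response the rogue router R3
sends and shows how a receiving interface in each authentication mode treats it.
The key ID and sequence number below are assumed values.
"""
import hashlib
import hmac
import socket
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_MD5_TRAILER = 2, 3, 1
RTE_LEN = 20
HEADER = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)   # command, version, unused


def route_entry(prefix, mask_len, metric=1, next_hop="0.0.0.0", tag=0):
    """One 20-byte RIPv2 route entry: AFI, tag, address, mask, next hop, metric."""
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    return struct.pack("!HH4sI4sI", AFI_IP, tag, socket.inet_aton(prefix),
                       mask, socket.inet_aton(next_hop), metric)


def build_response(prefixes, auth=None, key=None, key_id=1, seq=0):
    """RIPv2 Response for [(address, mask_len), ...] with no, 'simple' or 'md5' auth."""
    rtes = b"".join(route_entry(p, m) for p, m in prefixes)
    if auth is None:
        return HEADER + rtes
    if auth == "simple":
        # RFC 2453 4.1: the password travels in the clear, NUL-padded to 16 bytes.
        return HEADER + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, key.encode()) + rtes
    if auth == "md5":
        # RFC 2082: the auth header records the trailer offset; the digest is
        # MD5(packet up to and including the trailer type || key padded to 16 bytes).
        trailer_off = len(HEADER) + RTE_LEN + len(rtes)
        auth_hdr = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, trailer_off,
                               key_id, 16, seq, b"\x00" * 8)
        body = HEADER + auth_hdr + rtes + struct.pack("!HH", AFI_AUTH, AUTH_MD5_TRAILER)
        return body + hashlib.md5(body + key.encode().ljust(16, b"\x00")).digest()
    raise ValueError(auth)


def recover_simple_password(packet):
    """What a packet capture reveals: the simple-auth password, or None if absent."""
    afi, typ = struct.unpack("!HH", packet[4:8])
    if afi == AFI_AUTH and typ == AUTH_SIMPLE:
        return packet[8:24].rstrip(b"\x00").decode()
    return None


def accept_update(packet, mode, key=None):
    """Receiver check for an interface in mode 'none', 'simple' or 'md5'.

    Returns (accepted, [prefixes]). As in RFC 2453 4.1, an interface without
    authentication discards authenticated packets, and an authenticating interface
    discards packets with missing or failed authentication (RIPv1 is not modelled).
    """
    if len(packet) < 24 or (len(packet) - 4) % RTE_LEN:
        return False, []
    cmd, ver, _ = struct.unpack("!BBH", packet[:4])
    if cmd != RIP_RESPONSE or ver != RIP_V2:
        return False, []
    entries = [packet[i:i + RTE_LEN] for i in range(4, len(packet), RTE_LEN)]
    afi, typ = struct.unpack("!HH", entries[0][:4])
    has_auth = afi == AFI_AUTH
    if mode == "none":
        if has_auth:
            return False, []
        routes = entries
    elif mode == "simple":
        if not has_auth or typ != AUTH_SIMPLE:
            return False, []
        if not hmac.compare_digest(entries[0][4:].rstrip(b"\x00"), key.encode()):
            return False, []
        routes = entries[1:]
    elif mode == "md5":
        if not has_auth or typ != AUTH_MD5:
            return False, []
        trailer_off, _key_id, auth_len, _seq = struct.unpack("!HBBI", entries[0][4:12])
        trailer = packet[trailer_off:]
        if auth_len != 16 or len(trailer) != RTE_LEN or \
                struct.unpack("!HH", trailer[:4]) != (AFI_AUTH, AUTH_MD5_TRAILER):
            return False, []
        expected = hashlib.md5(packet[:trailer_off + 4]
                               + key.encode().ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(expected, trailer[4:]):
            return False, []
        routes = entries[1:-1]
    else:
        raise ValueError(mode)
    prefixes = []
    for rte in routes:
        afi, _tag, addr, mask, _nh, _metric = struct.unpack("!HH4sI4sI", rte)
        if afi == AFI_IP:
            prefixes.append(f"{socket.inet_ntoa(addr)}/{bin(mask).count('1')}")
    return True, prefixes


# The two spoofed prefixes R3 advertises in the lab.
SPOOFED = [("192.168.10.0", 24), ("192.168.20.0", 24)]

if __name__ == "__main__":
    rogue = build_response(SPOOFED)                         # R3: no authentication
    print("no auth on R1/R2   :", accept_update(rogue, "none"))
    print("simple auth on R1  :", accept_update(rogue, "simple", "admin1234"))
    simple = build_response(SPOOFED, "simple", "admin1234")
    print("capture shows      :", recover_simple_password(simple))
    md5 = build_response(SPOOFED, "md5", "admin1234")
    print("md5, right key     :", accept_update(md5, "md5", "admin1234"))
    print("md5, wrong key     :", accept_update(md5, "md5", "hunter2"))
```

Running it shows the three outcomes from the lab in order: the unauthenticated R3 packet is accepted by an interface without authentication, rejected once R1 requires a password, and the simple-mode packet that R1 and R2 then exchange hands the password to anyone who captures it, whereas the MD5 packet carries only a digest that fails for a wrong key or a modified route entry.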