Detecting Rogue Gateways on a LAN

Rogue GatewayThere was an interesting thread on the pentest@securityfocus.com mailing list a few days ago. A member asked how to detect illegal or “rogue” gateways in a big international organization. Rogue devices can be seen from different point of views. For the network administrators or the security auditors, it’s really a pain. Users may connect prohibited devices on the network. Those are often poorly or even not configured at all (running with the factory settings). But from an attacker point of view, it’s a great opportunity to bypass controls in place like firewalls or IDS. Rogue devices are not a new threat. Already in 2008, I wrote a Nagios plug-in to detect rogue DHCP servers (also extremely dangerous in a LAN).

For evident security reasons, a network must have only one default gateway. This single network point is the way out to the Internet and must be configured to enforce security rules and control the traffic. If a rogue gateway is available, users can change their default gateway in their TCP/IP stack and they will evade all the security filters in place. A good example is a small ADSL SO-HO router connected on a corporate LAN. But a server or a workstation can also act as a gateway (a badly configuration workstation with a Tethered iPhone is very risky).

Basic detection can be achieved by using scanners like Nmap. Based on the MAC addresses or their fingerprints, major devices like Cisco or Juniper routers can be easily detected. Using SNMP, some OID’s may reveal sensible devices. But gateways can be hardened to not answer to ICMP requests or have SNMP disabled (or properly protected). To probe for rogue gateways, we need to test their routing capabilities using tools like traceroute.

Testing a big network is a pain and requires a lot of time. I wrote a Perl script to automate the following task: For every IP address in a given range, a static route for an external host is created pointing to the current scanned IP and a traceroute is performed. The results are analyzed and produce an output like in the example below. A valid gateway will report several hops.

# ./roguegw.pl -h
Usage: roguegw.pl --startip x.x.x.x --endip x.x.x.x --target x.x.x.x \
                  [--randomize] [--help]

startip / endip : Define the range of IP addresses to scan.
target          : Defines the target IP address to reach via the gateway.
                  (Can be a public IP address or another organization subnet.
randomize       : Randomizes the IP range (usefull to work below the radar).
# ./roguegw.pl --startip 192.168.254.1 --endip 192.168.254.10
Scanning IP range: 192.168.254.1 - 192.168.254.10 ...
Testing: 192.168.254.1... Found 5 hops!
	1: 192.168.254.1 (0.531ms)
	2: *
	3: 81.245.21.1 (29.207ms)
	4: 80.201.237.64 (37.407ms)
	5: 194.78.0.141 (45.358ms)
Testing: 192.168.254.2... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.3... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.4... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.5... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.6... Host up but no packet forwarding.
Testing: 192.168.254.7... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.8... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.9... Host reported unreachable from 192.168.254.229
Testing: 192.168.254.10... Host reported unreachable from 192.168.254.229
Done.

The script accepts some arguments: an IP range delimited by a starting and ending addresses and an optional target IP address (by default an IP address of www.google.com is used). The target can be a public IP address (on the Internet) or another private IP address. If the argument “–randomize” is given, the IP range will be first randomized. This can be helpful to work “below the radar”. Note that the script limits the traceroute to the first five hops for speed reason (it should be sufficient in most cases). To execute the script you need the following Perl modules installed: Net::IP and Net::Traceroute.

My first idea was to grab the TCP/IP settings from the host running the Perl scripts but it looks to be difficult due to the high number of systems running Perl. By providing an IP range you can  restrict the scan to only a few IP addresses like to ten first or the ten last of your subnet (where are usually assigned gateway IP addresses). This will also be less intrusive.

The Perl script is available here: roguegw.pl.txt. Same disclaimer as usual, it is provided “as is” without any warranty. Feel free to re-use it or adapt it.

2 comments

  1. I’m trying to solve a similar problem, but i don’t want to change my systems routing table. What i have done so far is to detect running hosts via arping to get the macs:
    user@host:~$ for i in $(seq 1 255); do arping -c1 -D -I eth2 192.168.0.$i | grep reply; done;

    After that I told Mausezahn to send ICMP ping packets using the detected hosts as gateway.
    user@host:~$ mz eth0 -b 00:17:9A:*:*:* -B 193.99.144.80 -t icmp ping

    If the host is a gateway tcpdump shows the ICMP reply.

    This would be much more comfortable if I hadn’t to use a sniffer, but can’t figure out how to tell hping3 that it hasn’t to use my default gateway.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.