Loki Introduction

Loki provides a GUI interface for multiple protocol attacks, allowing you to manipulate network protocols for man-in-the-middle attacks and other malicious network activity. Supported protocols include:
- HSRP, HSRPv
- EIGRP [not-yet-to-be-released due to legal blur]
- WLCCP [not-yet-to-be-released due to legal blur]
- VRRP, VRRPv
- BFD (Bidirectional Forwarding Detection)
- LDP (Label Distribution Protocol)
- MPLS (re-labeling, tunnel interface)
With an easy-to-use interface, Loki is my new preferred tool for exploiting many of these protocols, but more than that it offers a reliable interface for exploiting protocols not covered in other tools. Specifically, I’m very pleased I now have a tool to inject and manipulate routes in OSPF environments, including an interface to mount a (fast) offline dictionary attack against the MD shared secret.
Unfortunately, Loki is not the simplest tool to get running on Backtrack R. It is not included in the Backtrack repository, but we can add it to any BT R installation (or VM) with a few straightforward steps.
Installing Loki

To install Loki on BT R we’ll need to install some additional packages, and apply a source code patch to make Loki compatible with Backtrack’s Python interpreter. First, install several needed packages from the Backtrack repository:

    # apt-get update
    # apt-get install autoconf automake autotools-dev python-ipy python-libpcap
Next, we need to remove a Python module that is included by default on Backtrack but conflicts with the Loki-required python-libpcap module, as shown:
    # apt-get remove python-pypcap
Next, we can download Loki and the patch to make it work on Backtrack R. I put this patch together so we could use Loki in the SEC course, and Daniel Mende is kind enough to host it for us on his site:
    # wget https://www.cdecafe.de/loki/loki-.tar.gz
    # wget https://www.cdecafe.de/loki/loki--bt.diff
Now we can extract the source and apply the patch, as shown:
    # tar xfz loki-.tar.gz
    # cd loki-
    # patch -p <../loki--bt.diff
    patching file configure.in
    patching file loki_bindings/ospfmd/ospfmdbf.c
    patching file modules/module_hsrp.py
    patching file modules/module_hsrp.py
    patching file modules/module_rip.py
    patching file modules/module_vrrp.py
    patching file modules/module_vrrp.py
    patching file src/loki.py
Not so hard! Next, we can configure the development environment to build Loki, then build and install it, as shown:
    # aclocal && automake --add-missing && autoconf
    # ./configure && make && make install
    # which loki.py
    /usr/local/bin/loki.py
Now that you’ve got Loki installed on your system, you’re ready to put it to use. After invoking Loki (by running “loki.py” from the shell), click the top-left corner button to invoke the packet sniffing function. While Loki sniffs network traffic, it will identify supported protocols that it can attack by blinking the tab designed for that specific protocol. Otherwise, you can navigate to other tabs, such as the ARP tab, and click on the active scanning functionality to discover attack targets (as shown below).
I’m very impressed with the functionality of Loki, and I’ve been pleased with how well it works on various penetration testing engagements. There are still some minor bugs, but nothing that can’t be rectified quickly with a little Python edit here and there.
If you have a Loki success story (e.g. how you owned a network with Loki) or if you run across a Loki bug you want to share, please leave a comment below. In the meantime, check out this powerful tool and, for practical hands-on experience on using Loki to exploit interior routing protocols, check out SEC660 at a SANS conference near (or not-so-near) you soon!
Special thanks to Daniel, Enno and Rene for making Loki available to the open-source community. Tool authors don’t get enough thanks for their hard work, so please consider leaving them a note as well, thanking them for this very useful addition to your attack tool arsenal.