Friday, October 15, 2010

Finding EIGRP Peer's AS Number & K Values - Who's behind the mask?

Today I am gonna show you guys a mean trick which I learned during a class way back. It's about finding an EIGRP peer's AS number and K values in order to form a neighbor relationship with it.


Let's first discuss the topology and load the initial configuration for this lab.




So here is the quick topology: we have two routers, R1 and R2. Router R1 is configured inside some mysterious EIGRP AS (like a backbone router in a lab with no mention of its EIGRP AS number in the diagram). Now we need to make R2 (to which we have access) peer with R1.


But before that, let's load the initials. From the initials you can see what R1's EIGRP AS number is :-) but just pretend you don't know anything :-)


Although that is one of those things which might be harder for some of you than for others :-)


=====================
           *** Initials ***
=====================



^^^ R1 ^^^
!
en
!
conf t
!
no ip domain-lo
!
ho R1
!
int l0
ip add 1.1.1.1 255.255.255.255
exit
!
int f0/0
ip add 12.0.0.1 255.255.255.0
no sh
exit
!
router eigrp 12
no au
net 1.1.1.1 0.0.0.0
net 12.0.0.1 0.0.0.0
end
!
-------------------------------

^^^ R2 ^^^
!
en
!
conf t
!
no ip domain-lo
!
ho R2
!
int l0
ip add 2.2.2.2 255.255.255.255
exit
!
int f0/0
ip add 12.0.0.2 255.255.255.0
no sh
end
!
-------------------------------

Now let's get started.

Let's first verify basic reachability to R1.

R2#ping 12.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms

Hmmm... everything looks good so far.

Now let's create an ACL to match the EIGRP traffic coming from R1 and going towards it.

The source of R1's EIGRP packets is of course going to be 12.0.0.1, with the destination 224.0.0.10 (the well-known all-EIGRP-routers multicast address), but I am going to be a little less specific, for no particular reason :-)

The same logic applies to the hellos R2 itself generates, so a single entry with "any" as the source catches both directions.

R2(config)#access-l 100 permit ip any ho 224.0.0.10 log 

Now let's move on to debug ip packet with the dump keyword, which is BTW a hidden keyword and basically gives you a hex dump of the packet, which you can later analyze with any packet sniffer.

R2#debug ip pack detail 100 dump
IP packet debugging is on (detailed) (dump) for access list 100

The next step is to listen for EIGRP packets, and for that we are going to enable EIGRP on the router with some dummy AS number for a moment.

R2(config)#router eigrp 1  
R2(config-router)#no au
R2(config-router)#net 2.2.2.2 0.0.0.0
R2(config-router)#net 12.0.0.2 0.0.0.0
R2(config-router)#end

As soon as we do this we start getting the following debug messages on screen:

*Mar  1 00:18:13.323: IP: s=2.2.2.2 (local), d=224.0.0.10 (Loopback0), len 60, sending broad/multicast, proto=88
0C600850:                   45C0003C 00000000          E@.<....
0C600860: 0258D39C 02020202 E000000A 0205EECB  .XS.....`.....nK
0C600870: 00000000 00000000 00000000 00000001  ................
0C600880: 0001000C 01000100 0000000F 00040008  ................
0C600890: 0C040102                             ....            

*Mar  1 00:18:14.111: IP: s=12.0.0.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2, proto=88
0C9CA8A0:                       0100 5E00000A            ..^...
0C9CA8B0: C2000607 00000800 45C0003C 00000000  B.......E@.<....
0C9CA8C0: 0158CC9F 0C000001 E000000A 0205EEC0  .XL.....`.....n@
0C9CA8D0: 00000000 00000000 00000000 0000000C  ................
0C9CA8E0: 0001000C 01000100 0000000F 00040008  ................
0C9CA8F0: 0C040102                             ....            

Okay... don't get scared right now :-)


Let's analyze the debug output and see how we can find the AS number in it.

All you have to do is first find the keyword "E000000A" in the hex dump (that is the destination address 224.0.0.10, the last field of the IP header, so the EIGRP header starts right after it). From there count 5 blocks of hex characters: in the first hex dump that block is "00000001" and in the second it's "0000000C". (The four blocks in between are the EIGRP version/opcode/checksum, the flags, the sequence number and the acknowledgement number; the 5th block is the AS number field of the EIGRP header.) The next thing to watch out for is the direction, or more importantly the source of the packet. In the first dump it's "2.2.2.2", which is the loopback of the local router R2, so it's a locally generated packet. Now let's get back to the 5th hex block of this packet, "00000001". As I said, it's in hex format; convert it back to decimal and you get "1", which tells us that the locally configured AS number is "1". So far so good...

Now let's take a look at the 5th hex block in the next hex dump, which is "0000000C". Convert it back to decimal (Windows calculator will do) and you will find the value comes out as "12".

Now let's remove the old config, put EIGRP AS 12 on R2 and see if the peering magically comes up.

R2#sh ip ro e

R2#             <- No Neighbor

R2(config)#no router eigrp 1

R2(config)#router eigrp 12  
R2(config-router)#no au
R2(config-router)#net 2.2.2.2 0.0.0.0
R2(config-router)#net 12.0.0.2 0.0.0.0
R2(config-router)#exit
R2(config)#

*Mar  1 00:21:43.627: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.1 (FastEthernet0/0) is up: new adjacency

Great...

R2#sh ip eigrp nei
IP-EIGRP neighbors for process 12
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   12.0.0.1                Fa0/0             13 00:00:25    9   200  0  3

R2#sh ip ro e     
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/409600] via 12.0.0.1, 00:00:50, FastEthernet0/0


R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
**********************************************************

Now the next mean trick is to find a neighbor's K values, in case we need to peer with an EIGRP neighbor that uses K values other than the default ones.

Let's change the local K values on R2 now and see if we can figure them out sitting on R1.

R2(config)#router eigrp 12
R2(config-router)#metric weights 0 0 0 1 0 0 

As soon as we run this command we see the following messages on R2's console:

R2(config-router)#
*Mar  1 00:23:53.607: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.1 (FastEthernet0/0) is down: metric changed
*Mar  1 00:23:58.191: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.1 (FastEthernet0/0) is down: Interface Goodbye received
*Mar  1 00:24:21.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.1 (FastEthernet0/0) is down: K-value mismatch

Now let's take a look at R1:

R1#
*Mar  1 00:24:02.983: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.2 (FastEthernet0/0) is down: K-value mismatch
*Mar  1 00:24:07.695: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.2 (FastEthernet0/0) is down: K-value mismatch
*Mar  1 00:24:12.339: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.2 (FastEthernet0/0) is down: Interface Goodbye received

Ok...

In order to do some debugs on R1, first of all I must turn this logging off to make life easier, else I'll keep getting these messages all the time.

R1(config)#router eigrp 12
R1(config-router)#no eigrp log-neighbor-changes 
R1(config-router)#end

Now let's create the same kind of ACL we made earlier on R2, but being more specific this time :-)

R1(config)#access-l 100 per ip ho 12.0.0.2 ho 224.0.0.10 log

R1#debug ip pack detail 100 dump
IP packet debugging is on (detailed) (dump) for access list 100
R1#
*Mar  1 00:29:55.959: %SEC-6-IPACCESSLOGRP: list 100 permitted eigrp 12.0.0.2 -> 224.0.0.10, 1 packet 
*Mar  1 00:29:55.959: IP: s=12.0.0.2 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2, proto=88
0C9CB7A0:                       0100 5E00000A            ..^...
0C9CB7B0: C2010607 00000800 45C0003C 00000000  B.......E@.<....
0C9CB7C0: 0158CC9E 0C000002 E000000A 0205EFC0  .XL.....`.....o@
0C9CB7D0: 00000000 00000000 00000000 0000000C  ................
0C9CB7E0: 0001000C 00000100 0000000F 00040008  ................
0C9CB7F0: 0C040102         

BTW... did I tell you guys that EIGRP has its own transport protocol, RTP, and that it runs directly over IP as protocol number 88? :-)

Ok... getting back to the idea of finding K values.

In this hex dump we need to leave the last two blocks of hex characters (counting from the bottom this time) out completely; from the 3rd block from the bottom we only need the two most significant characters, and we need the entire 4th block from the bottom. Those bytes are the K1..K5 fields of the parameters TLV (type 0x0001) that follows the EIGRP header; the remaining bytes of that TLV are a reserved byte and the hold time (000F = 15 seconds).

Now in this case each pair of hex digits specifies one K value. Let me break it down further for you guys.

00 -> 0 -> K1
00 -> 0 -> K2
01 -> 1 -> K3
00 -> 0 -> K4
00 -> 0 -> K5

So from this it's clear that all the K values are set to zero except K3, which is 1.
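To take the guesswork out of counting blocks by eye, here is an added example (my own Python, not code from the post or from Cisco) that decodes the same debug ip packet ... dump output for both tricks above, the AS number and the K values: it strips the Ethernet header when the dump is of a received packet, checks that the IP protocol is 88, reads the AS number from the EIGRP header and the K values and hold time from the parameters TLV. It goes a little beyond the post by flagging goodbye messages (a hello with all K values set to 255, as Jim notes in the comments) and by listing why a captured hello would not form an adjacency with a given local AS and K set. The two embedded dumps are copied from the post's own debug output; the names parse_eigrp_hello, mismatch_reasons and the constants are mine.

```python
"""Decode EIGRP hellos from 'debug ip packet detail <acl> dump' output by walking
the IP header, EIGRP header and parameters TLV. Example code for this page, not Cisco's."""
import re
import struct

EIGRP_PROTO = 88          # EIGRP rides directly on IP as protocol 88
OPCODE_HELLO = 5          # EIGRP opcode for hello packets
TLV_PARAMETERS = 0x0001   # K1..K5, reserved byte, hold time

# Dump line: "<addr>: <hex words separated by single spaces>  <ascii column>".
# Words are 4 or 8 hex digits and the ASCII column is set off by two or more
# spaces, so the run of words ends at the first double space or end of line.
_DUMP_LINE = re.compile(
    r"^[0-9A-Fa-f]+:\s*((?:[0-9A-Fa-f]{4,8})(?: [0-9A-Fa-f]{4,8})*)(?:\s{2,}|\s*$)")

# Both dumps are copied from the debug output shown in the post.
DUMP_R1_HELLO = """
0C9CA8A0:                       0100 5E00000A            ..^...
0C9CA8B0: C2000607 00000800 45C0003C 00000000  B.......E@.<....
0C9CA8C0: 0158CC9F 0C000001 E000000A 0205EEC0  .XL.....`.....n@
0C9CA8D0: 00000000 00000000 00000000 0000000C  ................
0C9CA8E0: 0001000C 01000100 0000000F 00040008  ................
0C9CA8F0: 0C040102                             ....
"""
DUMP_R2_HELLO = """
0C9CB7A0:                       0100 5E00000A            ..^...
0C9CB7B0: C2010607 00000800 45C0003C 00000000  B.......E@.<....
0C9CB7C0: 0158CC9E 0C000002 E000000A 0205EFC0  .XL.....`.....o@
0C9CB7D0: 00000000 00000000 00000000 0000000C  ................
0C9CB7E0: 0001000C 00000100 0000000F 00040008  ................
0C9CB7F0: 0C040102
"""


def dump_to_bytes(dump_text):
    """Concatenate the hex words of every dump line into one byte string."""
    words = []
    for line in dump_text.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if m:
            words.append(m.group(1).replace(" ", ""))
    return bytes.fromhex("".join(words))


def parse_eigrp_hello(dump_text):
    """Return src/dst, AS number, K values and hold time of a dumped hello."""
    data = dump_to_bytes(dump_text)
    # Received packets are dumped with their 14-byte Ethernet header in front;
    # locally generated ones start at the IPv4 header (first nibble 4).
    if data[0] >> 4 != 4 and len(data) >= 14 and data[12:14] == b"\x08\x00":
        data = data[14:]
    if data[0] >> 4 != 4:
        raise ValueError("no IPv4 header found in dump")
    if data[9] != EIGRP_PROTO:
        raise ValueError("IP protocol %d is not EIGRP (88)" % data[9])
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    pkt = data[ihl:total_len]
    # EIGRP header: version(1) opcode(1) checksum(2) flags(4) seq(4) ack(4) AS(4).
    # The AS number is thus the 5th 32-bit word after the IP destination, which
    # is the "count 5 blocks after E000000A" rule used in the post.
    version, opcode, _csum, _flags, seq, ack, asn = struct.unpack("!BBHIIII", pkt[:20])
    hello = {"src": src, "dst": dst, "version": version, "opcode": opcode,
             "seq": seq, "ack": ack, "asn": asn, "k": None, "hold_time": None,
             "goodbye": False}
    off = 20  # TLVs follow the header: type(2) length(2) value(length-4)
    while off + 4 <= len(pkt):
        tlv_type, tlv_len = struct.unpack("!HH", pkt[off:off + 4])
        if tlv_len < 4:
            raise ValueError("bad TLV length %d" % tlv_len)
        value = pkt[off + 4:off + tlv_len]
        if tlv_type == TLV_PARAMETERS and len(value) >= 8:
            hello["k"] = tuple(value[0:5])
            hello["hold_time"] = struct.unpack("!H", value[6:8])[0]
            # A goodbye is a hello with every K set to 255, not real metric weights.
            hello["goodbye"] = all(kv == 255 for kv in hello["k"])
        off += tlv_len
    return hello


def mismatch_reasons(hello, local_asn, local_k=(1, 0, 1, 0, 0)):
    """Explain why a dumped hello would not form an adjacency with our config."""
    reasons = []
    if hello["opcode"] != OPCODE_HELLO:
        reasons.append("not a hello (opcode %d)" % hello["opcode"])
    if hello["goodbye"]:
        reasons.append("goodbye message, K values are 255 placeholders")
    if hello["asn"] != local_asn:
        reasons.append("AS mismatch: peer %d, local %d" % (hello["asn"], local_asn))
    if hello["k"] is not None and not hello["goodbye"] and hello["k"] != tuple(local_k):
        reasons.append("K-value mismatch: peer %s, local %s" % (hello["k"], tuple(local_k)))
    return reasons


if __name__ == "__main__":
    for dump in (DUMP_R1_HELLO, DUMP_R2_HELLO):
        h = parse_eigrp_hello(dump)
        print(h["src"], "AS", h["asn"], "K", h["k"], "hold", h["hold_time"], mismatch_reasons(h, 12))
```

Paste any further dump from the same debug into a string and hand it to parse_eigrp_hello; if the result says goodbye, wait for the next hello before trusting the K values, since a router tearing down the adjacency advertises 255 in every K field.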

Let's configure these K values locally on R1 and see if the magical peering comes back up.

R1(config)#router eigrp 12
R1(config-router)#eigrp log-neighbor-changes 
R1(config-router)#metric weights 0 0 0 1 0 0

R1(config-router)#
*Mar  1 00:34:13.259: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 12.0.0.2 (FastEthernet0/0) is up: new adjacency

R1#sh ip ei n    
IP-EIGRP neighbors for process 12
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   12.0.0.2                Fa0/0             14 00:00:23    8   200  0  15

R1#sh ip ro e
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/153600] via 12.0.0.2, 00:00:34, FastEthernet0/0

R1#ping 2.2.2.2 r 3 so lo0

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/5/8 ms

HTH...
Deepak Arora


7 comments:

Samir Dobaria said...

Deepak,

That was really very informative.. Well, I was trying to find out the same thing but wasn't able to verify.. Will give it a try sometime soon in the lab...

Thanks.. Sam

Anonymous said...

These things above are only possible when there is no authentication enabled, and in a real scenario I have never seen such a config (without auth). But it can still be used in a lab. :)

Piffer said...

Impressive! I'm really liking this blog! Lots of useful information.
Thanks
-P

Anonymous said...

I suppose the EIGRP packet format is used somehow, right? Maybe the explanation should start with that! Otherwise it's just guesswork?

Jim Rethmann said...

FYI...
When I went through this on my own lab I found that the K values were being sent as 255 (goodbye). I removed EIGRP and now can read the dump and grab the K values.
Great information!!

Marek Golha said...

Great information. I simulated this in GNS and it is exactly as you described.

Thank you.

Marek

Taran Singh said...

Very informative, Deepak. A good trick to learn for troubleshooting purposes.
Thanks and keep up the good work.

Regards
Taran