Table of Contents
=================

1) General Information
2) Operation Modes

1) General Information
----------------------

bgpcrack tries to guess, by brute force, the key used to create the
MD5 hash of a TCP segment as described in RFC2385. Network packets are
stored in a file in pcap format, and the dictionary of words to use in
the brute-force attempt is a text file that contains one password per
line.

The "bgp" in "bgpcrack" is historical: bgpcrack does not have anything
to do with BGP - it just tries to guess the password used to generate a
TCP signature of _any_ TCP segment, not just those that are part of a
BGP conversation.

For _each_ TCP segment with TCP option 0x19 (TCP signature), the
program tries every password in the dictionary file. If the generated
MD5 digest matches the digest in the trace, the password has been
found and the program stops.

The program is run like this:

$ ./bgpcrack -r bgp-2600-1750 -w words port bgp

In this example, "bgp-2600-1750" is the network trace file, and
"words" is the dictionary. "port bgp" is a pcap expression (same syntax
as tcpdump's expressions) that will limit what frames from the trace
file we pay attention to (this expression is completely optional since
we already filter out frames without TCP segments and without the TCP
signature option.)

All the words in the dictionary are read from disk into memory before
starting the brute force attack. This should make the process very
efficient.

However, generating MD5 digests is a time-consuming operation, so I
don't think we can do the brute force attack in real time, especially
if the dictionary is big.
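The per-segment check described above (locate the signature option, recompute the RFC 2385 digest with a candidate key, compare) and the cost remark (one MD5 per candidate) are shown here as an added example; this is not bgpcrack's code. RFC 2385 assigns the signature option kind 19 (decimal) with a fixed length of 18, and the digest covers the IPv4 pseudo-header, the fixed 20-byte TCP header with the checksum taken as zero (options excluded), the payload and finally the key. The helper names (rfc2385_digest, find_md5sig, verify_signature, build_signed_segment), the sample addresses and the sample key are this example's own; a caller working from a capture would supply the source and destination addresses from the IP header of the same frame.

```python
"""RFC 2385 TCP MD5 signature: locate the option and verify it with a candidate key.

Added example, not bgpcrack's own code. The segment is constructed inline;
the helper names are hypothetical, chosen for this example only.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19       # RFC 2385 option kind: 19 decimal (0x13)
TCPOPT_MD5SIG_LEN = 18   # kind(1) + length(1) + 16-byte MD5 digest
TCP_PROTO = 6


def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over the inputs RFC 2385 section 2.0 lists, in this order:
    pseudo-header, fixed TCP header (options excluded, checksum as zero),
    segment data, then the key. Exactly one MD5 per candidate key."""
    segment_len = len(tcp_header) + len(payload)          # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                            # checksum assumed zero
    h = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        h.update(part)
    return h.digest()


def find_md5sig(tcp_header):
    """Walk the TCP options; return the 16-byte digest from option kind 19, or None."""
    if len(tcp_header) < 20:
        return None
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):             # truncated option
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                          # malformed option: stop rather than over-read
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_signature(src_ip, dst_ip, segment, key):
    """True/False for a signed segment under `key`; None if no signature is carried."""
    if len(segment) < 20:
        return None
    data_offset = (segment[12] >> 4) * 4
    tcp_header, payload = segment[:data_offset], segment[data_offset:]
    carried = find_md5sig(tcp_header)
    if carried is None:
        return None
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(carried, expected)


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Constructed sample: 40-byte TCP header (MD5 option + two NOPs for 4-byte
    alignment) followed by the payload, signed with `key`."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, 65535, 0, 0)
    placeholder = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + bytes(16) + b"\x01\x01"
    # Options are excluded from the digest, so signing over the placeholder header is valid.
    digest = rfc2385_digest(src_ip, dst_ip, fixed + placeholder, payload, key)
    return fixed + bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest + b"\x01\x01" + payload


if __name__ == "__main__":
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 40000, 179, 1000, 0, 0x02, b"", b"example-key")
    print(verify_signature("192.0.2.1", "192.0.2.2", seg, b"example-key"))   # True
    print(verify_signature("192.0.2.1", "192.0.2.2", seg, b"wrong-key"))     # False
```

Two points follow directly from the computation. First, because the payload is part of the digest, a capture that truncates segments cannot be verified at all, which is why the full packet has to be captured. Second, nothing in the digest is secret except the key, so an attacker holding a capture pays exactly one MD5 per guess; the only defence is a long, random key (and, on platforms that support it, TCP-AO per RFC 5925 in place of the RFC 2385 option).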

2) Operation Modes
------------------

bgpcrack can operate in one of two modes: on-line and off-line. In the
on-line operation mode, bgpcrack sends TCP segments with the SYN bit
set, each signed with a different candidate password. The idea is that
a TCP device should respond to a SYN packet with a SYN-ACK packet if
the packet carries a valid signature.

In off-line operation mode bgpcrack just uses a tcpdump file as its
input. This is the fastest and most efficient way of cracking passwords
since no network traffic needs to be generated and bgpcrack can be
told to focus on only one TCP segment, so it will not waste time with
unneeded TCP segments.

Be sure to capture the entire BGP packet using "-s 0" or something
similar. Otherwise the tool will not function properly.


Eloy Paris
Cisco Systems Critical Infrastructure Assurance Group (CIAG)
Questions to: ciag-tools@cisco.com

$Id: README,v 1.2 2003/07/15 19:10:59 peloy Exp $
