IPv6 Network Reconnaissance:

Similar documents
IPv6 Network Reconnaissance:

Recent Advances in IPv6 Security. Fernando Gont

Security Assessments of IPv6 Networks and Firewalls

Practical Security Assessment of IPv6 Networks and Devices. Fernando Gont

Security Implications of the Internet Protocol version 6 (IPv6)

The Truth about IPv6 Security

Security Assessment of Neighbor Discovery for IPv6

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

IPv6.marceln.org.

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

IPv6 Security Analysis

Security of IPv6 and DNSSEC for penetration testers

IPv6 Hardening Guide for Windows Servers

Getting started with IPv6 on Linux

IPv6 Infrastructure Security

Are You Ready to Teach IPv6?

About the Technical Reviewers

IPv6 Diagnostic and Troubleshooting

Network layer: Overview. Network layer functions IP Routing and forwarding

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

About Me. Work at Jumping Bean. Developer & Trainer Contact Info: mark@jumpingbean.co.za

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

IPv6 Network Security.

Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

Firewalls und IPv6 worauf Sie achten müssen!

IPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant, IPv6 SME/Trainer

Chapter 3 Configuring Basic IPv6 Connectivity

Introduction to IP v6

Linux as an IPv6 dual stack Firewall

Host Configuration (Linux)

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Telematics. 9th Tutorial - IP Model, IPv6, Routing

IPv6 Addressing. Awareness Objective. IPv6 Address Format & Basic Rules. Understanding the IPv6 Address Components

IPv6 Fundamentals: A Straightforward Approach

Vulnerabili3es and A7acks

IPv6 for SMB s: Easy or Hard?

IPv6 Addressing and Subnetting

IPv6 in Axis Video Products

IPv6 Functionality. Jeff Doyle IPv6 Solutions Manager

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

IP addressing and forwarding Network layer

IPv6 Security. Scott Hogg. Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610

IPv6 Fundamentals, Design, and Deployment

IPv6 for Cisco IOS Software, File 2 of 3: Configuring

Network Security TCP/IP Refresher

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Keywords: IPv6, transition, security, network, IPv4 security of IPv6 still has a long way to go.

IPv6 Security ::/0. Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil

Types of IPv4 addresses in Internet

Building Secure Network Infrastructure For LANs

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

SSVVP SIP School VVoIP Professional Certification

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

Cisco IOS Flexible NetFlow Technology

Implementing DHCPv6 on an IPv6 network

IPv6 End Station Addressing: Choosing SLAAC or DHCP Jeff Harrington - NYSERNet

Hacking the Next Web: Penetration Testing over IPv6

Internet Protocols. Addressing & Services. Updated:

Updates to Understanding IPv6

IPv6 Protocols & Standards. ISP/IXP Workshops

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Learn About Differences in Addressing Between IPv4 and IPv6

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Networking 4 Voice and Video over IP (VVoIP)

Internet Protocol Version 6 (IPv6)

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Some insights about the recent TCP DoS (Denial of Service) vulnerabilities

IP Addressing and Subnetting. 2002, Cisco Systems, Inc. All rights reserved.

Windows 7 Resource Kit

Discovering IPv6 with Wireshark. presented by Rolf Leutert

A Sampling of Internetwork Security Issues Involving IPv6

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

8.2 The Internet Protocol

Broadband Network Architecture

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Detecting rogue systems

Description: Objective: Attending students will learn:

IPv6 Security Nalini Elkins, CEO Inside Products, Inc.

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

ERserver. iseries. Networking TCP/IP setup

Networking Devices. Lesson 6

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Transcription:

IPv6 Network Reconnaissance: Theory & Practice Fernando Gont

About... I have worked in security assessment of communication protocols for: UK NISCC (National Infrastructure Security Co-ordination Centre) UK CPNI (Centre for the Protection of National Infrastructure) Currently working as a security researcher for SI6 Networks (http://www.si6networks.com) Active participant at the Internet Engineering Task Force (IETF) More information at: http://www.gont.com.ar

Introduction IPv6 changes the Network Reconnaissance game Brute force address scanning attacks undesirable (if at all possible) Security guys need to evolve in how they do net reconnaissance Pentests/audits Deliberate attacks Network reconnaissance support in security tools has been very poor

IPv6 Network Reconnaissance Address scans DNS-based (AXFR, reverse mappings, etc.) Application-based Inspection of local data structures (NC, routing table, etc.) Inspection of system configuration and log files Snooping routing protocols draft-ietf-opsec-ipv6-host-scanning is your friend :-)

IPv6 Address Scanning 5

What we did We researched the problem We worked on a comprehensive IPv6 Address Scanner We used our toolkit on the public Internet, to: Test the effectiveness of our techniques (theory -> practice) Gain further insights (practice -> theory)

IPv6 Address Scanning Local Networks 7

Overview Leverage IPv6 all-nodes link-local multicast address Employ multiple probe types: Normal multicasted ICMPv6 echo requests (don't work for Windows) Unrecognized options of type 10xxxxxx Combine learned IIDs with known prefixes to learn all addresses Example: # scan6 -i eth0 -L

IPv6 Address Scanning Remote Networks 9

Overview IPv6 address-scanning attacks have long been considered unfeasible This myth has been based on the assumption that: IPv6 subnets are /64s, and, Host addresses are randomly selected from that /64 Existing research suggests this is not the case Malone, D., "Observations of IPv6 Addresses", Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April 2008, <http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf>.

IPv6 addresses in the real world Malone measured (*) the address generation policy of hosts and routers in real networks Address type Percentage SLAAC 50% IPv4-based 20% Teredo 10% Low-byte 8% Privacy 6% Wordy <1% Others <1% Hosts Address type Percentage Low-byte 70% IPv4-based 5% SLAAC 1% Wordy <1% Privacy <1% Teredo <1% Others <1% Routers Malone, D., "Observations of IPv6 Addresses", Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April 2008, <http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf>.

IPv6 addresses embedding IEEE IDs 24 bits 16 bits 24 bits IEEE OUI FF FE Lower 24 bits of MAC Known or guessable Known Unknown In practice, the search space is at most ~2 23 bits feasible! Example: # scan6 -i eth0 -d fc00::/64 -K 'Dell Inc' -v

IPv6 addresses embedding IEEE IDs (II) Virtualization technologies present an interesting case Virtual Box employs OUI 08:00:27 (search space: ~2 23 ) VMWare ESX employs: Automatic MACs: OUI 00:05:59, and next 16 bits copied from the low order 16 bits of the host's IPv4 address (search space: ~2 8 ) Manually-configured MACs:OUI 00:50:56 and the rest in the range 0x000000-0x3fffff (search space: ~2 22 ) Examples: # scan6 -i eth0 -d fc00::/64 -V vbox # scan6 -i eth0 -d fc00::/64 -V vmware -Q 10.10.0.0/8

IPv6 addresses embedding IPv4 addr. They simply embed an IPv4 address in the IID Two variants found in the wild: 2000:db8::192.168.0.1 <- Embedded in 32 bits 2000:db8::192:168:0:1 <- Embeded in 64 bits Search space: same as the IPv4 search space feasible! Example: # scan6 -i eth0 -d fc00::/64 -Q 10.10.0.0/8

IPv6 addresses embedding service ports They simply embed the service port the IID Two variants found in the wild: 2001:db8::1:80 <- n:port 2001:db8::80:1 <- port:n Additionally, the service port can be encoded in hex vs. dec 2001:db8::80 vs. 2001:db8::50 Search space: smaller than 2 8 feasible! Example: # scan6 -i eth0 -d fc00::/64 -g

IPv6 low-byte addresses The IID is set to all-zeros, except for the last byte e.g.: 2000:db8::1 Other variants have been found in the wild: 2001:db8::n1:n2 <- where n1 is typically greater than n2 Search space: usually 2 8 or 2 16 feasible! Example: # scan6 -i eth0 -d fc00::/64 --tgt-low-byte

IPv6 host-tracking SLAAC typically leads to IIDs that are constant across networks Sample scenario: Node is known to have the IID 1:2:3:4 To check whether the node is at fc00:1::/64 or fc00:2::/64: ping fc00:1::1:2:3:4 and fc00:2::1:2:3:4 Examples: # scan6 -i eth0 -d fc00:1::/64 -d fc00:2::/64 -W ::1:2:3:4 # scan6 -i eth0 -m prefs.txt -w iids.txt -l -z 60 -t -v

IPv6 Address Scanning Advanced topics 18

Packet-loss detection/recovery (TODO) Possible causes of packet-loss: Network congestion Rate-limits Neighbor Cache exhaustion Address-scanning is essentially an open-loop! Workaround: Obtain the last hop to a target-network Probe that router periodically Back-off and rewind upon packet loss

Automated heuristic scanner (TODO) Allow scan6 to receive IPv6 addresses known to be alive Identify the IPv6 address/iid type Compute new target ranges New targets are ignored if redundant Targets are coalesced with other targets if appropriate Different patterns -> different priorities - based on sizeof(search space) Example: # cat sources scan6 -i eth0 -c -v

IPv6 Address Scanning Real-world data 21

Our experiment Find a considerable number of IPv6 nodes for address analysis: Alexa Top-1M sites + perl script + dig World IPv6 Launch Day site + perl script + dig For each domain: AAAA records NS records -> AAAA records MX records -> AAAA records What did we find?

IPv6 address distribution for the web

IPv6 address distribution for MXs

IPv6 address distribution for the DNS

Mat Ford's measurements Analysis of client IPv6 addresses from web-server log:

Further measurements (TODO) Evaluate the reliability of different probe packets Is IPv6 fragment filtering that bad? How about other IPv6 extension headers? How about rate limiting of ICMPv6 vs. other probe packets Finally, evaluate IPv6 packet-filtering practices Same as for IPv4?

DNS-based IPv6 Network Reconnaissance 28

DNS for Network Reconnaissance Most of this ground is well-known from the IPv4-world: DNS zone transfers DNS bruteforcing etc. DNS reverse-mappings particularly useful for address scanning

IPv6 DNS reverse mappings Technique: Given a zone X.ip6.arpa., try the labels [0-f].X.ip6.arpa. If an NXDOMAIN is received, that part of the tree should be ignored Otherwise, if NOERROR is received, walk that part of the tree Example (using dnsrevenum6 from THC-IPv6): $ dnsrevenum6 DNSSERVER IPV6PREFIX

Aplication-based IPv6 Network Reconnaissance 31

Application-based Network Recon Many application-layer protocol deal with domain-names or IPv6 addresses. Some applications even leave publicly trails of data exchanges Examples: P2P aplications email etc.

Application-based Network Recon (II) Sample email header: X-ClientAddr: 46.21.160.232 Received: from srv01.bbserve.nl (srv01.bbserve.nl [46.21.160.232]) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id p93ar0e4003196 for <fernando@gont.com.ar>; Mon, 3 Oct 2011 07:53:01-0300 Received: from [2001:5c0:1000:a::943] by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1RAg8k-0000Qf-Hu; Mon, 03 Oct 2011 12:52:55 +0200 Message-ID: <4E8993FC.30600@si6networks.com> Date: Mon, 03 Oct 2011 07:52:44-0300 From: Fernando Gont <fgont@si6networks.com> Organization: SI6 Networks User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15 MIME-Version: 1.0 To: Fernando Gont <fernando@gont.com.ar> Subject: Prueba

Inspection of local data structures 34

Inspection of local data structures Local data structures store valuable network information: IPv6 addresses of local nodes IPv6 addresses of known nodes Routing information etc loopback6 (upcoming) aims at collecting such information from the local nod Example: # loopback6 --all

Inspection of system configuration & log files 36

System configuration and log files Yet another source of possibly interesting names/addresses Trivial approach: Walk the tree and look virtually everywhere Improved approach: Look at interesting places depending on the local operating system audit6 (upcoming) aims at collecting such information from the local system Example: # audit6 --all

Snooping routing protocols 38

System configuration and log files Some sites employ interior routing protocols (RIP, OSPF, etc.) Snooping/participating in the protocol can provide useful info Internal subnets Internal routers

Conclusions 40

Conclusions IPv6 changes the Network Reconnaissance game Smart address scanning is feasible A number of techniques still need to be explored Stay tuned to further developments in this area :-)

Thanks! Fernando Gont fgont@si6networks.com @FernandoGont SI6 Networks www.si6networks.com @SI6Networks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information