If you wish to reuse the content of this presentation, please apply proper source attribution in accordance with copyright protection.
Black Hat Sessions XII, 17 June 2014, De Reehorst, Ede. Theme: intelligence services, espionage, privacy. Organised by Madison Gurkha, www.blackhatsessions.com, "Your Security is Our Business".
IPv6: new attack vector for intelligence services and cyber criminals? Sander Degen, Security researcher
Outline (45 min)
- Background
- Why attack IPv6?
- The project
- Ways to attack IPv6
Background
- Me: technical, knows how communication protocols work
- You: know how communication protocols work, no IPv6 experts; quick test of terms: NAT / hashing / DHCP / rainbow table / ICMP / MitM / multicast
- English vs Dutch
Why attack IPv6?
- We're living in an interconnected world
- IPv6 is the network protocol of the future
- He who controls the network controls the universe, especially if you can crack encryption
- Current network & MitM attacks show how hard it is to secure network access:
  - Rogue access points
  - False base stations
  - BYOD
  - Accessing the network through exploited systems
[Figure: percentage of IPv6-announcing ASes. Source: http://v6asns.ripe.net/v/6]
The project
- TNO aims to improve the competitiveness of businesses and organisations; fewer security incidents == more competitiveness
- Together with these security companies we set up a handbook for testing the security of IPv6 implementations: Fox-IT, ITsec, Madison Gurkha, Pine, Riscure
- Financial support by the Ministry of Economic Affairs
- https://www.tno.nl/downloads/testing_the_security_of_ipv6_implementations.pdf
Host discovery
Host discovery: intro
- First step in identifying the attack vector
- With IPv4 you can scan the entire range; with IPv6 (128-bit instead of 32-bit addresses, so 2^96 times as many) this takes a while
[Figure: scale comparison of the address spaces, IPv4 drawn as 1 cm², IPv6 shown as "x 1 600 000" of the pictured image. Source: NASA]
Host discovery: issues
- Looking up (DNS) addresses / ranges:
  - Check Google: https://encrypted.google.com/#q=site:*.acme.com
  - Check Netcraft: http://searchdns.netcraft.com/?host=acme.com&x=0&y=0
  - Check Hurricane Electric: http://bgp.he.net/search?search%5bsearch%5d=acme&commit=search
Host discovery: DNS can be a goldmine
- Zone transfer (probably not allowed)
- Step by step with DNSSEC & NSEC: walk the "next owner name" chain (unlikely to be enabled)
- Step by step with DNSSEC & NSEC3 (even unlikelier): owner names are hashed, so recovering them requires a dictionary or rainbow tables; the tables are specific to the domain, because the salt (and iteration count) is part of the hash and the salt is periodically changed
- Dictionary attack on subdomains
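The NSEC3 point above in working code, as an added example that is not part of the presentation: the hash is computed exactly as RFC 5155 section 5 specifies (SHA-1 over the canonical wire-format name plus salt, re-hashed `iterations` times, base32hex), and an offline dictionary attack recovers the names behind hashes that an attacker could collect from NXDOMAIN responses. The zone `acme.example`, its NSEC3PARAM values and the wordlist are constructed for the example.

```python
"""NSEC3 hashing (RFC 5155 section 5) and an offline dictionary attack on hashed
owner names. Added example; the zone data below is constructed, not a real zone."""
import base64
import hashlib

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, k): SHA-1 of (x || salt), re-hashed `iterations` more times; base32hex, lowercase."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def crack_nsec3(owner_hashes, zone, salt, iterations, wordlist):
    """Offline dictionary attack: hash every candidate label under the zone's NSEC3PARAM
    and look it up in the set of NSEC3 owner hashes seen on the wire."""
    targets = {h.lower() for h in owner_hashes}
    found = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            found[h] = candidate
    return found


# Constructed example zone: NSEC3PARAM 1 0 10 abcd (SHA-1, 10 extra iterations, salt 0xabcd).
ZONE = "acme.example"
SALT = bytes.fromhex("abcd")
ITERATIONS = 10
# Owner hashes an attacker collects by querying names that do not exist and reading the
# NSEC3 records in the NXDOMAIN answers; constructed here from names we pretend not to know.
SEEN_HASHES = [nsec3_hash(f"{n}.{ZONE}", SALT, ITERATIONS) for n in ("www", "mail", "vpn-old")]
WORDLIST = ["www", "mail", "ftp", "vpn", "vpn-old", "intranet", "dev"]


def demo():
    return crack_nsec3(SEEN_HASHES, ZONE, SALT, ITERATIONS, WORDLIST)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h}  ->  {name}")
```

Because the salt is an input to every hash, a table built for one NSEC3PARAM value is useless after the salt changes, which is why the slide calls the rainbow tables domain-specific; the work per candidate, however, is only `iterations + 1` SHA-1 calls, so a plain dictionary run is cheap.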
Crashing a system
Crashing a system: intro
- Goal: prevent DoS due to crashes
- Best practice: do not crash, specifically not due to network traffic; a crash is always a bug: fix & patch!
Crashing a system: issues
- Crashing from bad reassembly: flooding fragments with random fragment IDs and M (more fragments) flags, so the receiver keeps reassembly state for datagrams that never complete. Example of a fragment pair:
  Fragment ID | M flag  | Offset
  837         | More    | 0
  837         | No more | 100
- Crashing from unlimited extension headers: similar to the previous example, but different; chaining headers until the packet being assembled is larger than RAM
- Crashing from flooding Router Advertisements: SEND!
DoS reflector attacks
DoS reflector attacks: intro
- Goal: prevent DoS
- Best practices: filter out bad packets; prevent amplification / reflection of traffic if the source address can be spoofed (i.e. anything but TCP) or if the source address is a multicast address
DoS reflector attacks: issues
- ICMPv6 responses to a multicast destination address: M sends A -> * : PING (source spoofed as the victim A, destination a multicast address); every host on the link answers * -> A : PONG. Observed on Linux and my Xerox printer. The slide cites RFC 2463 (the ICMPv6 spec, since replaced by RFC 4443) as forbidding this; note that what section 2.4 forbids is originating ICMPv6 error messages in response to multicast-destined packets (except Packet Too Big and Parameter Problem code 2), while section 4.2 says an Echo Reply to a multicast Echo Request SHOULD be sent from a unicast address, so echo-based reflection has to be stopped by filtering rather than by the spec
- ICMPv6 responses to a multicast source address: also a problem, but a much smaller one. M sends * -> A : PING (multicast source address); A answers A -> * : PONG, to everyone. RFC 2463 / RFC 4443 forbids this: a multicast address is never a valid source address, and section 2.4 forbids answering a packet whose source does not identify a single node. Observed on Linux
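The RFC rules behind both reflector issues, written out as a check a stack or firewall could apply. This is an added example, not code from the presentation: it implements the origination rules of RFC 4443 section 2.4 (e) and the Echo Reply rule of section 4.2; the addresses, the sample cases and the `allow_multicast_echo` hardening switch are constructed for the demonstration.

```python
"""When may a node answer with ICMPv6? RFC 4443 section 2.4 (e) for error messages and
section 4.2 for Echo Reply. Added example; addresses and sample cases are constructed."""
import ipaddress

DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4   # error messages
ECHO_REQUEST, ECHO_REPLY = 128, 129                                        # informational


def may_originate_error(src, dst, err_type, err_code=0, link_multicast=False,
                        triggered_by_error=False, triggered_by_redirect=False):
    """True if an ICMPv6 error (err_type, err_code) may be sent about a packet src -> dst."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if triggered_by_error or triggered_by_redirect:      # (e.1), (e.2): never answer errors with errors
        return False
    if src.is_unspecified or src.is_multicast:           # (e.6): source does not name a single node
        return False
    if dst.is_multicast or link_multicast:               # (e.3)-(e.5): IPv6 or link-layer multicast/broadcast
        # Only Packet Too Big (multicast PMTUD) and Parameter Problem code 2 (unrecognised option
        # whose type has the two high bits 10) are allowed, and they still go back to src only.
        return err_type == PACKET_TOO_BIG or (err_type == PARAM_PROBLEM and err_code == 2)
    return err_type in (DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM)


def echo_reply_source(src, dst, my_unicast, allow_multicast_echo=True):
    """Source address of the Echo Reply to an Echo Request src -> dst, or None for no reply.
    RFC 4443 4.2: a reply to a multicast request SHOULD be sent, from a unicast address of the
    receiving interface. `allow_multicast_echo=False` is a constructed local hardening switch
    that turns this off to stop smurf-style reflection onto a spoofed source."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if src.is_unspecified or src.is_multicast:           # multicast is never a valid source (RFC 4291 2.7)
        return None
    if dst.is_multicast:
        return my_unicast if allow_multicast_echo else None
    return str(dst)


# Constructed sample traffic: A is the victim whose address M spoofs, ME the responding host,
# ff02::1 the link-local all-nodes group.
VICTIM, ME, ALL_NODES = "2001:db8::a", "2001:db8::5", "ff02::1"


def demo():
    return {
        "param_problem_to_multicast": may_originate_error(VICTIM, ALL_NODES, PARAM_PROBLEM, 0),
        "param_problem_code2_to_multicast": may_originate_error(VICTIM, ALL_NODES, PARAM_PROBLEM, 2),
        "unreach_from_multicast_source": may_originate_error(ALL_NODES, ME, DEST_UNREACH),
        "unreach_unicast": may_originate_error(VICTIM, ME, DEST_UNREACH),
        "echo_to_multicast_per_spec": echo_reply_source(VICTIM, ALL_NODES, ME),
        "echo_to_multicast_hardened": echo_reply_source(VICTIM, ALL_NODES, ME, allow_multicast_echo=False),
        "echo_from_multicast_source": echo_reply_source(ALL_NODES, ME, ME),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:36s} {decision}")
```

The spec-conformant result for `echo_to_multicast_per_spec` is a reply to the spoofed victim, which is exactly the amplification the slide observed on Linux and the printer; the error-message rules, by contrast, already stop the Parameter Problem and Destination Unreachable variants on a conformant stack.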
Outside access to LAN
Outside access to LAN: intro
- Goals: prevent access to systems (out->in); prevent data leakage (in->out)
- Best practices: don't trust external systems; filter with firewalls & IPSs; process IPv6 packets correctly
Outside access to LAN: issues
- No filtering enabled: IPv6 removes the need for NAT (Network Address Translation, the poor man's firewall); no more NAT = no more implicit firewall
- No filtering of IPv6 traffic, because the firewall rules are aimed at IPv4 and IPv6 isn't explicitly blocked
- No filtering of IPv6 traffic in IPv4 tunnels (in->out): Teredo offers IPv6 internet access to IPv4 hosts (IPv6 in UDP, server port 3544); other tunnels are SixXS and the gogo6 client, etc. (6in4 tunnels are IP protocol 41), so check that these are covered by the IPv4 rules
- Incorrect handling of overlapping fragments allows bypassing the firewall. Normal TCP handshake: SYN -> SYN,ACK -> ACK. The attack uses two fragments with the same fragment ID:
  - Fragment 1 carries a TCP header with SYN,ACK set: the firewall treats it as the response to an existing connection and passes it through
  - Fragment 2 overlaps the first and rewrites the flags to SYN: the firewall sees a fragment of a datagram it already allowed and passes it through
  - The host reassembles the overlapping data, sees a SYN and accepts a new inbound connection. RFC 5722 requires IPv6 hosts to discard the entire datagram when fragments overlap
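A model of IPv6 fragment reassembly that demonstrates two of the issues above: the reassembly-state exhaustion behind "crashing from bad reassembly" (a flood of never-completing fragments with random IDs) and the overlapping-fragment firewall bypass just described, together with the RFC 5722 behaviour that stops it. This is an added example, not code from the presentation or the handbook; the fragment header layout follows RFC 8200 section 4.5, while the stateful firewall policy (`firewall_passes`), the addresses and every packet are constructed for the demonstration.

```python
"""Model of IPv6 fragment handling (RFC 8200 4.5): state exhaustion from a fragment flood and
the overlap bypass, with the RFC 5722 fix. Added example; firewall policy and packets are constructed."""
import random
import struct

FRAG_HDR = struct.Struct("!BBHI")  # next header, reserved, offset<<3 | res<<1 | M, identification
MAX_DATAGRAM = 65535               # largest payload an IPv6 length field can describe
SYN, ACK = 0x02, 0x10


def build_fragment(next_hdr, offset8, more, ident, payload):
    """Fragment extension header followed by fragment data; offset8 is in 8-octet units."""
    return FRAG_HDR.pack(next_hdr, 0, (offset8 << 3) | int(more), ident) + payload


def parse_fragment(frag):
    next_hdr, _, off_m, ident = FRAG_HDR.unpack_from(frag)
    return next_hdr, off_m >> 3, bool(off_m & 1), ident, frag[FRAG_HDR.size:]


class Reassembler:
    """One buffer per (src, dst, id). max_pending=None models an unbounded implementation;
    allow_overlap=True models "later fragment wins" (pre-RFC 5722), False drops the whole
    datagram as soon as two fragments overlap (RFC 5722 section 4)."""

    def __init__(self, max_pending=None, allow_overlap=False):
        self.max_pending, self.allow_overlap = max_pending, allow_overlap
        self.pending = {}   # key -> {"parts": [(start, data)], "total": int or None}
        self.dropped = {}   # reason -> count

    def _drop(self, key, reason, whole=True):
        if whole:
            self.pending.pop(key, None)
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return ("dropped", reason)

    def feed(self, src, dst, frag):
        _, offset8, more, ident, data = parse_fragment(frag)
        key, start = (src, dst, ident), offset8 * 8
        end = start + len(data)
        if end > MAX_DATAGRAM:                                  # fragment alone would overflow the datagram
            return self._drop(key, "too_large", whole=False)
        if key not in self.pending:
            if self.max_pending is not None and len(self.pending) >= self.max_pending:
                return self._drop(key, "queue_full")            # bounded state: refuse new datagrams
            self.pending[key] = {"parts": [], "total": None}
        buf = self.pending[key]
        if not self.allow_overlap and any(s < end and s + len(d) > start for s, d in buf["parts"]):
            return self._drop(key, "overlap")
        buf["parts"].append((start, data))
        if not more:
            buf["total"] = end
        if buf["total"] is None:
            return ("pending", None)
        image, covered = bytearray(buf["total"]), bytearray(buf["total"])
        for s, d in buf["parts"]:                               # arrival order: later data overwrites
            image[s:s + len(d)], covered[s:s + len(d)] = d, b"\x01" * len(d)
        if not all(covered):
            return ("pending", None)
        del self.pending[key]
        return ("done", bytes(image))


def flood(reasm, n, seed=1):
    """n first fragments (M=1) with distinct random IDs that never complete; returns buffers held."""
    for ident in random.Random(seed).sample(range(1 << 32), n):
        reasm.feed("2001:db8::bad", "2001:db8::1", build_fragment(6, 0, True, ident, bytes(8)))
    return len(reasm.pending)


def tcp_header(flags):
    """Minimal TCP header, data offset 6 (24 bytes) so the first fragment is a multiple of 8."""
    return struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 6 << 4, flags, 8192, 0, 0) + bytes(4)


def firewall_passes(allowed_ids, frag):
    """Constructed stateful policy: inspect TCP flags only in the first fragment (offset 0) and
    pass any later fragment whose datagram was already allowed."""
    _, offset8, _, ident, data = parse_fragment(frag)
    if offset8 == 0:
        if data[13] & ACK:                                  # looks like a reply to an outbound connection
            allowed_ids.add(ident)
            return True
        return False
    return ident in allowed_ids


def overlap_bypass(allow_overlap):
    """TCP flags the host ends up with after both fragments, or None if the datagram is discarded."""
    ident = 0x1234
    first = build_fragment(6, 0, True, ident, tcp_header(SYN | ACK))       # bytes 0..24: SYN,ACK
    second = build_fragment(6, 1, False, ident, tcp_header(SYN)[8:24])    # bytes 8..24: rewrites flags to SYN
    allowed, reasm, result = set(), Reassembler(allow_overlap=allow_overlap), None
    for frag in (first, second):
        if firewall_passes(allowed, frag):
            status, payload = reasm.feed("2001:db8::bad", "2001:db8::1", frag)
            if status == "done":
                result = payload[13]
    return result


if __name__ == "__main__":
    print("unbounded buffers after flood:", flood(Reassembler(), 2000))
    bounded = Reassembler(max_pending=64)
    print("bounded buffers after flood:", flood(bounded, 2000), bounded.dropped)
    print("host sees flags (overlap allowed):", hex(overlap_bypass(True)))
    print("host sees flags (RFC 5722):", overlap_bypass(False))
```

The flood shows why reassembly state must be bounded (and, in a real stack, aged out by the 60-second timer) before it exhausts memory; the bypass shows why a firewall cannot judge a fragmented datagram from its first fragment alone unless every host behind it discards overlaps as RFC 5722 demands.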
Inside access to LAN
Inside access to LAN: intro
- Goals: prevent DoS (in->in); prevent MitM (in->in->out)
- Best practices: don't trust internal systems; filter with switches, think RA Guard
Inside access to LAN: issues
- Rogue DHCPv6 server: may give out bad IP addresses: DoS
- ICMPv6 Redirect packets: target-specific MitM. M sends A a Redirect saying "reach B via M"; from then on A sends its traffic for B to M, which forwards it to B
- Rogue Router Advertisement packets: configure hosts with a bad default gateway: MitM. Countermeasure: RA Guard (RFC 6105)
- What each mechanism can configure (messy!):
  Item            | DHCP(v4) | DHCP(v6) | SLAAC / RA
  Host address    | Yes      | Yes      | Yes (privacy extensions!)
  Default gateway | Yes      | No       | Yes
  DNS info        | Yes      | Yes      | Sort of: ND RDNSS, not supported in default Windows (*)
- Rogue Neighbour Solicitation / Advertisement packets ("what's the MAC of IP X?"): a bad client can reply to all neighbour solicitations => MitM; a bad client can flood the neighbour cache => DoS
- Rogue Duplicate Address Detection packets: the system can't find an unused IP to use => DoS
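Detection logic for the rogue RA and rogue NA issues above, as an added example that is not tooling from the presentation: it parses the ICMPv6 payload of Router Advertisements (type 134) and Neighbor Advertisements (type 136) per RFC 4861, flags RAs whose source link-layer address is not on the allow-list (the decision RA Guard makes at the switch port) and NAs that answer an address with a different MAC than first seen. The MACs, prefix, packets and allow-list are constructed; IPv6/Ethernet headers and the ICMPv6 checksum are out of scope.

```python
"""Passive ND monitor for rogue RA / rogue NA. Added example; packets and allow-list are constructed."""
import struct

ND_ROUTER_ADVERT, ND_NEIGHBOR_ADVERT = 134, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR, OPT_PREFIX = 1, 2, 3


def build_ra(src_mac, router_lifetime, prefix, hop_limit=64):
    """RA body (RFC 4861 4.2) + source link-layer option + prefix information option (/64, L+A set)."""
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    body += struct.pack("!BB", OPT_SRC_LLADDR, 1) + src_mac
    body += struct.pack("!BBBBIII", OPT_PREFIX, 4, 64, 0xC0, 2592000, 604800, 0) + prefix
    return body


def build_na(target, mac):
    """NA body (RFC 4861 4.4) with the S and O flags + target link-layer option."""
    return (struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, 0x60000000) + target
            + struct.pack("!BB", OPT_TGT_LLADDR, 1) + mac)


def parse_options(data):
    """ND options are TLVs with the length in 8-octet units; a zero length is invalid (RFC 4861 4.6)."""
    opts, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] != 0:
        opts[data[i]] = data[i + 2:i + data[i + 1] * 8]
        i += data[i + 1] * 8
    return opts


class NDMonitor:
    def __init__(self, router_macs, prefixes):
        self.router_macs, self.prefixes = set(router_macs), set(prefixes)
        self.neighbours = {}   # target address -> MAC first seen answering for it
        self.alerts = []

    def observe(self, icmpv6):
        if icmpv6[0] == ND_ROUTER_ADVERT:
            lifetime = struct.unpack_from("!H", icmpv6, 6)[0]
            opts = parse_options(icmpv6[16:])
            mac, prefix = opts.get(OPT_SRC_LLADDR, b"")[:6], opts.get(OPT_PREFIX, b"")[14:30]
            if mac not in self.router_macs:                  # what RA Guard would drop at the port
                self.alerts.append(("rogue_ra", mac.hex(), lifetime))
            elif prefix and prefix not in self.prefixes:     # known router, unexpected prefix
                self.alerts.append(("unexpected_prefix", mac.hex(), prefix.hex()))
        elif icmpv6[0] == ND_NEIGHBOR_ADVERT:
            target, opts = icmpv6[8:24], parse_options(icmpv6[24:])
            mac = opts.get(OPT_TGT_LLADDR, b"")[:6]
            first = self.neighbours.setdefault(target, mac)
            if first != mac:                                 # someone else now answers for this address
                self.alerts.append(("na_conflict", target.hex(), first.hex(), mac.hex()))
        return self.alerts


# Constructed network: one legitimate router, one rogue host, prefix 2001:db8:1::/64.
ROUTER_MAC, ROGUE_MAC = bytes.fromhex("001122334455"), bytes.fromhex("deadbeef0001")
PREFIX = bytes.fromhex("20010db800010000") + bytes(8)
TARGET = bytes.fromhex("20010db800010000") + bytes(7) + b"\x01"   # 2001:db8:1::1


def demo():
    mon = NDMonitor({ROUTER_MAC}, {PREFIX})
    for pkt in (build_ra(ROUTER_MAC, 1800, PREFIX),   # legitimate router: nothing to report
                build_ra(ROGUE_MAC, 1800, PREFIX),    # rogue default gateway: MitM
                build_ra(ROGUE_MAC, 0, PREFIX),       # rogue RA with router lifetime 0
                build_na(TARGET, ROUTER_MAC),         # first answer for 2001:db8:1::1
                build_na(TARGET, ROGUE_MAC)):         # rogue answers for the same address: MitM
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The monitor only sees what RA Guard sees, a source MAC and the RA contents, so it inherits the same limitation the slide hints at with SEND: anyone on the segment can forge both, which is why the allow-list belongs in the switch rather than on the hosts.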
- SEND? (SEcure Neighbour Discovery, RFC 3971): the source IP must be a Cryptographically Generated Address (RFC 3972) derived from the public key of the sending host, and ND messages are signed with that key (routers are authorised through certificates). Trade-off between DoS and DoS: without SEND, M can simply claim V's address cafe::face (A and V both end up with "cafe::face" in their caches); with SEND, cafe::face is bound to V's key and M's claim fails verification (X), but generating and verifying the signatures costs CPU, which gives an attacker a new way to exhaust the victim
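The address-to-key binding that SEND relies on, as an added example that is not part of the presentation: CGA generation and verification per RFC 3972 sections 4 and 5. `PUBKEY_V` and `PUBKEY_M` are constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo structures (any bytes work for the hash binding); no RSA signature is produced here, so this shows only why M cannot claim V's address, not the signed ND messages themselves.

```python
"""Cryptographically Generated Addresses (RFC 3972) as used by SEND. Added example; the
public keys are constructed stand-ins, no signature is computed."""
import hashlib
import os


def _hash1(modifier, prefix, collision_count, pubkey, ext=b""):
    """Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | key | ext)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey + ext).digest()[:8]


def _hash2(modifier, pubkey, ext=b""):
    """Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | key | ext)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()[:14]


def _leading_zero_bits(data, n):
    return int.from_bytes(data, "big") >> (len(data) * 8 - n) == 0


def generate_cga(prefix, pubkey, sec, modifier=None):
    """RFC 3972 section 4. Returns (16-byte address, (modifier, collision_count)).
    DAD (step 8) is not modelled, so the collision count stays 0."""
    assert len(prefix) == 8 and 0 <= sec <= 7
    modifier = modifier or os.urandom(16)                                   # step 1
    while not _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec):       # steps 2-3: work factor
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    collision_count = 0                                                      # step 4
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))       # step 5
    iid[0] = (sec << 5) | (iid[0] & 0x1C)                                    # step 6: Sec in bits 0-2, u/g bits 6-7 zero
    return prefix + bytes(iid), (modifier, collision_count)                  # step 7


def verify_cga(address, pubkey, modifier, collision_count):
    """RFC 3972 section 5: anyone can check that an address belongs to a key, without a PKI."""
    if collision_count > 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    hash1 = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    hash1[0] &= 0x1C                                                         # ignore Sec, u and g bits
    if bytes(hash1) != bytes([iid[0] & 0x1C]) + iid[1:]:
        return False
    return _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec)


# Constructed inputs: subnet prefix 2001:db8:1::/64 and two stand-in public keys.
PREFIX = bytes.fromhex("20010db800010000")
PUBKEY_V = b"constructed-SubjectPublicKeyInfo-of-host-V" * 4
PUBKEY_M = b"constructed-SubjectPublicKeyInfo-of-host-M" * 4


def demo(sec=1):
    """V generates cafe::face-style address from its key; M cannot prove ownership of it."""
    address, (modifier, cc) = generate_cga(PREFIX, PUBKEY_V, sec)
    return {
        "address": address.hex(),
        "v_verifies": verify_cga(address, PUBKEY_V, modifier, cc),
        "m_verifies": verify_cga(address, PUBKEY_M, modifier, cc),
    }


if __name__ == "__main__":
    print(demo())
```

With `sec=1` generation needs on average 2^16 SHA-1 evaluations, while verification is two; the higher Sec values make brute-forcing a key that collides with a given 59-bit interface identifier correspondingly more expensive, which is the whole point of binding the address to the key.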
Extra topics
- Deprecated feature support: source routing, site-local addressing
- Limiting based on one IP address: plenty of addresses available!
- Amplification with DNS, but DNSSEC is the bigger issue here
- No null routing for unused address space
- TCAM exhaustion in switches
Questions / Discussion