Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna. 2010 Marc Heuse <mh@mh-sec.de>

Similar documents
IPv6 Infrastructure Security

IPv6 Security Analysis

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Security of IPv6 and DNSSEC for penetration testers

IPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant, IPv6 SME/Trainer

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

IPv6 Associated Protocols

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

Getting started with IPv6 on Linux

Introduction to IP v6

Vulnerabili3es and A7acks

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

IPv6 Fundamentals: A Straightforward Approach

IPv6 Network Security.

Practical Security Assessment of IPv6 Networks and Devices. Fernando Gont

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Chapter 3 Configuring Basic IPv6 Connectivity

Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

CloudEngine Series Switches. IPv6 Technical White Paper. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

Internet Protocol: IP packet headers. vendredi 18 octobre 13

IPv6.marceln.org.

IPv6 Hardening Guide for Windows Servers

8.2 The Internet Protocol

Aculab digital network access cards

IPv6 for Cisco IOS Software, File 2 of 3: Configuring

Learn About Differences in Addressing Between IPv4 and IPv6

IPv6 Intrusion Detection Research Project

About Me. Work at Jumping Bean. Developer & Trainer Contact Info: mark@jumpingbean.co.za

Firewalls und IPv6 worauf Sie achten müssen!

IPv6 Functionality. Jeff Doyle IPv6 Solutions Manager

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

IPv6 Security. Scott Hogg. Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610

Technology Brief IPv6 White Paper.

Technical Support Information Belkin internal use only

Internetworking. Problem: There is more than one network (heterogeneity & scale)

About the Technical Reviewers

Are You Ready to Teach IPv6?

Implementing DHCPv6 on an IPv6 network

Personal Firewall Default Rules and Components

Network layer: Overview. Network layer functions IP Routing and forwarding

IP Address Classes (Some are Obsolete) Computer Networking. Important Concepts. Subnetting Lecture 8 IP Addressing & Packets

ICS 351: Today's plan

Guideline for setting up a functional VPN

IPv6 in Axis Video Products

Security Assessment of Neighbor Discovery for IPv6

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Host Configuration (Linux)

Telematics. 9th Tutorial - IP Model, IPv6, Routing

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

- IPv6 Addressing - (References:

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Mobile IP. Bheemarjuna Reddy Tamma IIT Hyderabad. Source: Slides of Charlie Perkins and Geert Heijenk on Mobile IP

Basic IPv6 WAN and LAN Configuration

HOST AUTO CONFIGURATION (BOOTP, DHCP)

Network Security TCP/IP Refresher

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

Unix System Administration

TCP/IP Security Problems. History that still teaches

IPv6 Security ::/0. Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil

IPv6 associated protocols. Piers O Hanlon

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

IPv6 for SMB s: Easy or Hard?

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

Linux as an IPv6 dual stack Firewall

IPv6 Security Nalini Elkins, CEO Inside Products, Inc.

ACHILLES CERTIFICATION. SIS Module SLS 1508

IPv6 Diagnostic and Troubleshooting

Application Protocols for TCP/IP Administration

UIP1868P User Interface Guide

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Windows 7 Resource Kit

Security Assessments of IPv6 Networks and Firewalls

We Are HERE! Subne\ng

IPv6 Security from point of view firewalls

A S B

LAB THREE STATIC ROUTING

Chapter 3 LAN Configuration

IPv6 Addressing and Subnetting

GregSowell.com. Mikrotik Security

ERserver. iseries. Networking TCP/IP setup

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Internet Protocols Fall Lectures 7-8 Andreas Terzis

CSCE 465 Computer & Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Vicenza.linux.it\LinuxCafe 1

Network Layer: and Multicasting Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Lecture Computer Networks

Transcription:

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna 2010 Marc Heuse <mh@mh-sec.de>

Hello, my name is

The future is here already

Let s start with the basics

IPv4 4 octets 4.294.967.296 addresses 192.168.1.1

IPv6 16 octets 340.282.366.920.938.463.463.374.607.431.768.211.456 addresses 2a01:2b3:4:a::1

Separated by colons Leading zeros are omitted 2a01:2b3:4:a::1 2 octets each, hexadecimal The longest chain of :0:0: is replaced with ::

Subnets are /64 4.294.967.296 x the size of the Internet!

No broadcasts

Multicasts, but they are local only

Features! Autoconfiguration IPSEC Mobility Enough addresses!

IPv6 header layout 0 4 12 16 24 31 Version 6 Class Flow Label Payload Length Next Header Hop Limit 128 bit Source Address 128 bit Destination Address

IPv6 header layout 0 4 12 16 24 31 Version 6 Class Payload Length Flow Label Next Header 128 bit Source Address 128 bit Destination Address Hop Limit No header length No identification No checksum No fragmentation No options

Every option is an extension header Fragmentation IPSEC Source routing Destination Options

IPv6 Header Routing Header Fragment Header Next Header = 43 Next Header = 44 Next Header = 17 UDP Header Data

IPv6 is much simpler than IPv4

in theory.

IPv6 Vulnerabilities (CVE) 20 18 16 Not counting my CVE entries 14 12 10 8 6 4 2 0 2002 2003 2004 2005 2006 2007 2008 2009 2010

Kids, in 2005

The THC-IPv6 Attack Toolkit

ARP Spoofing => ND spoofing A B 1. NS 1. NS: ICMP Type = 135 Src = A Dst = All-Nodes Mulitcast Query= Who-has IP B? parasite6: Answers to every NS, claims to be every system on the LAN 2. NA 2. NA: ICMP Type = 136 Src = B Dst = A Data= MAC

Duplicate Address Detection DOS A 1. NS 1. NS: ICMP Type = 135 Src = :: (unspecified) Dst = All-Nodes Mulitcast Address query= Who-has IP A? dos-new-ipv6: Answer to every NS, claim to be every system on the LAN 2. No reply if nobody owns the IP address.

MITM with Redirects

MITM with Redirects (V)ictim (A)ttacker (R)outer (T)arget redir6

DHCP => Autoconfiguration A 1. RS 1. RS: ICMP Type = 133 Src = :: Dst = FF02::2 query= please send RA fake_router6: Sets any IP as default router, defines network prefixes and DNS servers 2. RA 2. RA: ICMP Type = 134 Src = Router Link-local Address Dst = FF02::1 Data= options, prefix, lifetime, autoconfig flag, DNS

Kick the default router! A default router 1. Send own RA 2. Spoof RA of default router with 0 lifetime We are getting back to this one 3. Resend own RA just to be sure

Kill all routers and clients think everything is local (it s in the standard)

RA => Systems become dual stack Can be port scanned on IPv6 No filtering on IPv6? Full port access Prefer IPv6 Will use your tunnel / MITM

How about announcing remote network addresses local? (Paypal, )

RA flooding! Cisco ASA/PIX, Cisco IOS Windows 2008, 7, Vista old Linux more?

Cisco: Just fixed for IOS, ASA soon (CSCti24526, CSCti33534)

Microsoft We consider this issue to be by design. *and will not fix this+ Even Apple got this problem right!

Remote alive scans (ping scans) as we know them are unfeasible on IPv6 some jerk (OK, that was me in 2005)

How to identify remote systems? Broadcasts Search-engines / databases Combining them Scan the whole range DNS Common addresses

Search Engines Dumped various IPv6 directories 14.651 possible domains & subdomains identified

DNS 14.651 domains bruteforcing 3000 hostnames 40.193 DNS entries found 1.846 unique hostnames found

1 101 201 301 401 501 601 701 801 901 1001 1101 1201 1301 1401 1501 1601 1701 1801 DNS Hostnames 45000 40000 35000 30000 25000 20000 15000 10000 5000 0

DNS Results 14.456 unique IPv6 addresses found 12.942 networks 5434 unique host addresses

1 301 601 901 1201 1501 1801 2101 2401 2701 3001 3301 3601 3901 4201 4501 4801 5101 5401 IPv6 Host Addresses 16000 14000 12000 10000 8000 6000 4000 2000 0

Host addresses analysis Autoconfiguration by hand Pattern Random MAC address Privacy option Fixed random got one, got all bad luck ~24 bit key space per vendorid bad luck bad luck DHCP Sequential Got one, got all Usually easy to find

by hand ::1, ::2, ::3, ::service_port ::1:service_port, ::2:service_port, ::service_port:1, ::service_port:2, The IPv4 address Funny stuff (::b00b:babe, etc.) etc.

DHCP ::1000-2000 ::100-200 ::1:0-1000 ::1:1000-2000

IPv6 Host Address Distribution Autoconfiguration Easy DHCP/Hand IPv4 address Random/Pricacy Hard DHCP/Hand

Alive Scanning 12.942 networks bruteforcing 2000 host addresses 379.223 alive systems 7.895 networks 1975 unique host addresses

1 100 199 298 397 496 595 694 793 892 991 1090 1189 1288 1387 1486 1585 1684 1783 1882 1975 400000 Alive Host Addresses 350000 300000 250000 200000 150000 100000 50000 0

Alive Scanning 379.223 alive systems 13.402 reverse DNS entries 3.922 unique domains 7.860 unique hostnames

1 401 801 1201 1601 2001 2401 2801 3201 3601 4001 4401 4801 5201 5601 6001 6401 6801 7201 7601 DNS Reverse Hostnames 12000 10000 8000 6000 4000 2000 0

do { new_dns=dns_brute(new_alive); new_alive=alive_brute(new_dns); } while (new_dns new_alive)

Conclusion DNS bruteforcing: 90% of systems in DNS with 1900 words

Conclusion Alive bruteforcing: 66% of systems with 2000 addresses scanned in 1-20 seconds

Conclusion Combined (and use of brain) ~90-95% of hosts are found

Taking over the Multicast Listener Discovery Protocol for fun and denying multicast traffic

How does MLD work? A Sends periodically MLD general query messages MLD Report: I am a multicast DNS server to all routers Sends specific address query message MLD Report: I am (still) a multicast DNS server DNS multicast traffic flows to the network Spoofs A MLD Done message

First we want to become the MLD query router if (router1 < router2) master(router1);

A Sends periodically MLD general query messages MLD Report: I am a multicast DNS server to all routers DNS multicast traffic flows to the network Spoofs MLD general query message as fe80:: Spoofs A MLD Done message

Problem: We must send an MLD general query message regularly

Solution: Spoof query message with multicast all-router MAC address!

A Spoof MLD general query message as fe80:: Spoofs A MLD Done message Send general query as fe80:: with special MAC

Anybody sniffing?

Send a ping to the target with an unused multicast MAC address (Windows, Linux, more?)

Side channels in IPv6? IPv6 *is* a side channel.

Don t be scared.

IPv6 complex intellectual challenge tired? be an explorer!

Join researching IPv6!

How to get IPv6 to your home (1/4) 1. Create an account at Sixxs: http://www.sixxs.net/ 2. Request tunnel (static if possible for you, heartbeat otherwise) 3. Request a subnet (a week later)

How to get IPv6 to your home (2/4) 4. a) Configure a static tunnel: ip tunnel add sixxs mode sit local [Your IPv4 Endpoint] remote [Sixxs IPv4 Endpoint] ip link set sixxs up ip link set mtu 1280 dev sixxs ip tunnel change sixxs ttl 64 ip -6 addr add [Your IPv6 Endpoint]/[Prefix Length] dev sixxs ip -6 ro add default via [Your IPv6 endpoint] dev sixxs

How to get IPv6 to your home (3/4) 4. b) Configure a heartbeat tunnel: a) Install aiccu b) Configure aiccu.conf: username xxxx-sixxs password xxxxxxxxx tunnel_id T<your tunnel id> daemonize true automatic true ipv6_interface sixxs c) Start aiccu

How to get IPv6 to your home (4/4) 5. Configure your local network card ip -6 addr add [Your IPv6 subnet]::1/[prefix Length] dev eth0 6. Use fake_router6 for your local subnet: fake_router6 eth0 <Your IPv6 subnet>::/<prefix Length> 2a01:4f8:100:2283::2

What is new in thc-ipv6 since the 2005-2007 release? DNS6 bruteforcer More payloads for fake_router6 Implementation test-case tool Fast traceroute6 Fuzzer for IPv6 Flood tools for RA and NA Several library bugfixes & enhancements

What is new in the current thc-ipv6 source state? alive6 rewritten with 250% new functionality Flood & spoofing for all multicast protocols DHCPs6 spoofer DHCPc6 flooder DNS6 spoofer more new tools than fit the slide Enhancements for all previous tools Several library bugfixes & enhancements

How to get access to the current thc-ipv6 source code state? Send in patches and new tools! Small and limited updates will still get into the public version. Complete public release in ~2011.

http://www.thc.org/thc-ipv6

Central information resource for IPv6 security (wiki, forum, news): www.ipv6security.info www.ipv6hacking.info (Online after Xmas 2010)

Contact

Thanks! And have fun exploring IPv6!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information