© 2011 Marc Heuse <[email protected]>
IPv6 Vulnerabilities, Failures - and a Future?
Marc “van Hauser” Heuse November 2011
Hello, my name is …
Basics
Philosophy
Vulnerabilities
Vendor Responses & Failures
Recommendations
“There is more money to be made with IPv6 than with Y2K”
me
The future is here already
IPv4
4 octets
4.294.967.296 addresses
192.168.1.1
IPv6
16 octets
340.282.366.920.938.463.463.374.607.431.768.211.456 addresses
2a01:2b3:4:a::1
2a01:2b3:4:a::1
2 octets each, hexadecimal
Separated by colons
The longest chain of :0:0: is replaced with ::
Leading zeros are omitted
Subnets are /64
4.294.967.296 x the size of the Internet!
No broadcasts
Multicasts, but they are local only
Features!
Autoconfiguration
IPSEC
Mobility
Enough addresses!
IPv6 header layout (bit offsets 0 to 31)
Version (6): bits 0-3 | Class: bits 4-11 | Flow Label: bits 12-31
Payload Length: bits 0-15 | Next Header: bits 16-23 | Hop Limit: bits 24-31
128 bit Source Address
128 bit Destination Address
• No header length
• No identification
• No checksum
• No fragmentation
• No options
Every option is an extension header
Source routing
Fragmentation
Destination Options
IPSEC
Hop-by-Hop
IPv6 Header (Next Header = 43) → Routing Header (Next Header = 44) → Fragment Header (Next Header = 17) → UDP Header → Data
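The chain on this slide, walked in code. This is an added Python example, not code from the talk or from thc-ipv6: it builds the IPv6 → Routing → Fragment → UDP packet as constructed bytes and follows the Next Header fields the way a filter must before it can see the transport protocol. The function names and the limit of 8 extension headers are assumptions; anything the walker does not recognise is dropped.

```python
import struct

# Extension headers that share the generic layout: next header (1 byte),
# then length in 8-octet units, not counting the first 8 octets (1 byte).
GENERIC_EXT = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT, AH, ESP = 44, 51, 50
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a value from the talk


def walk_chain(packet: bytes):
    """Follow the Next Header fields of a raw IPv6 packet.

    Returns (chain, verdict): the header names seen and what a filter that
    denies anything unknown would do with the packet.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return [], "drop: not an IPv6 packet"
    chain, next_header, offset = ["IPv6"], packet[6], 40
    while len(chain) <= MAX_EXT_HEADERS + 1:
        if next_header in UPPER_LAYER:
            return chain + [UPPER_LAYER[next_header]], "pass to transport rules"
        if next_header == ESP:
            return chain + ["ESP"], "encrypted: upper layer not visible"
        if offset + 8 > len(packet):
            return chain, "drop: truncated extension header"
        if next_header == FRAGMENT:
            # Fragment header is always 8 bytes and has no length field.
            name, length = "Fragment", 8
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset != 0:
                return chain + [name], "non-first fragment: upper layer not visible"
        elif next_header == AH:
            # AH counts its length in 4-octet units, minus 2.
            name, length = "AH", (packet[offset + 1] + 2) * 4
        elif next_header in GENERIC_EXT:
            name, length = GENERIC_EXT[next_header], (packet[offset + 1] + 1) * 8
        else:
            return chain, f"drop: unknown next header {next_header}"
        if offset + length > len(packet):
            return chain, "drop: truncated extension header"
        chain.append(name)
        next_header, offset = packet[offset], offset + length
    return chain, "drop: too many extension headers"


def build_sample() -> bytes:
    """Constructed packet matching the slide: IPv6, Routing, Fragment, UDP."""
    data = b"data"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    fragment = struct.pack("!BBHI", 17, 0, 0, 0x1234)  # next = UDP, offset 0
    routing = struct.pack("!BBBBI", 44, 0, 0, 0, 0)    # next = Fragment, 8 bytes
    body = routing + fragment + udp
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    header = struct.pack("!IHBB", 6 << 28, len(body), 43, 64)
    return header + src + dst + body


if __name__ == "__main__":
    print(walk_chain(build_sample()))
```

Every branch in `walk_chain` is a place where two implementations can disagree about where the UDP header starts, which is why the order and number of headers matter to a filter.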
Most of IPv6 is OPTIONAL
Mandatory
• Multiple IPv6 addresses per interface
• ARP => ICMPv6
• Router Advertisements
• No router & routes via DHCPv6!
• Multicast (local)
IPv6 is much simpler than IPv4
… in theory.
Eliminate IPv4
True end-to-end communication
No NAT
No fragmentation by routers
No defragmentation by firewalls
Many ICMPv6 msgs must pass the firewall
“IPv6 is secure”
IPv6 has mandatory IPSEC
Security Model is from 1995
Local = Trusted
Security = Encryption
Networking + Features > Security
Security = Filter Rules
From networkers for networkers
Features
Features!
FEATURES !!!
Goal #1 Network Efficiency
Goal #2 Network Features
Goal #436 some security
Blatant mistakes
No DNS server in autoconfiguration
IPSEC does not work with multicast
No private addresses
Many protocol security design problems
thc-ipv6 – why?
thc-ipv6
• Linux
• Ethernet
• GPLv3
http://www.thc.org/thc-ipv6
Local Remote
Design Implementation
Vulnerabilities
Excerpt!
Local
Remote
Design
Implementation
Vulnerabilities
Neighbor Discovery Spoofing
Like “ARP spoofing” in IPv4, but more dangerous due to the “OVERRIDE” flag
Source: common knowledge Tool: parasite6
1. NS (sent by A): ICMP Type = 135, Src = A, Dst = All-Nodes Multicast, Query = Who-has IP B?
2. NA (sent by B): ICMP Type = 136, Src = B, Dst = A, Data = MAC
parasite6: Answers to every NS, claims to be every system on the LAN
Duplicate Address Detection DOS
optional in IPv4, mandatory in IPv6 for all addresses
Source: common knowledge Tool: dos-new-ipv6
1. NS (sent by A): ICMP Type = 135, Src = A, Dst = All-Nodes Multicast, Query = Who-has IP B?
dos-new-ipv6: Answer to every NS, claim to be every system on the LAN
Router Advertisement Spoofing
Source: common knowledge Tool: fake_router6
1. RA (received by A): ICMP Type = 134, Src = Router Link-local Address, Dst = FF02::1, Data = options, prefix, lifetime, autoconfig flag
fake_router6: Sets any IP as default router, defines network prefixes and DNS servers
many, many attacks
Router Advertisement Spoofing
• Become the default router
  – MITM
• Assign multiple address spaces
  – Paypal, Ebay, Amazon, Google == local
  – MITM
• Remove real routing entry (spoofing lifetime 0)
  – DOS
Router Advertisement Spoofing
• Turns IPv4 networks into Dual Stack environments
  – MITM to remote dual stack targets
  – Attack on IPv6 address potentially bypasses personal firewall
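A monitoring check for the Router Advertisement cases on these slides, added here as a Python example (it is not from the talk or from thc-ipv6). It parses the ICMPv6 RA body (type 134, router lifetime, Prefix Information and DNS server options) and compares it with a site allowlist; the allowlist values, the function names and the sample messages are constructed assumptions.

```python
import ipaddress
import struct

# Assumed site policy for this demo (constructed values, documentation prefix).
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.ip_network("2001:db8:1::/64")}
KNOWN_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}


def parse_ra(icmp: bytes):
    """Return (router lifetime, prefixes, DNS servers) from an ICMPv6 RA body."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack_from("!H", icmp, 6)[0]
    prefixes, dns = [], []
    pos = 16  # options start after the fixed 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:        # Prefix Information
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(
                ipaddress.ip_network(f"{prefix}/{icmp[pos + 2]}", strict=False))
        elif opt_type == 25 and opt_len >= 24:     # Recursive DNS Server
            for i in range(pos + 8, pos + opt_len, 16):
                dns.append(ipaddress.IPv6Address(icmp[i:i + 16]))
        pos += opt_len
    return lifetime, prefixes, dns


def check_ra(src: str, hop_limit: int, icmp: bytes):
    """Return a list of findings for one observed RA; empty means expected."""
    findings = []
    if hop_limit != 255:
        findings.append("hop limit is not 255: not sent from this link")
    try:
        lifetime, prefixes, dns = parse_ra(icmp)
    except ValueError as exc:
        return findings + [f"unparseable RA: {exc}"]
    if ipaddress.IPv6Address(src) not in KNOWN_ROUTERS:
        findings.append(f"RA from unlisted router {src}")
    if lifetime == 0:
        findings.append("router lifetime 0: default route is being withdrawn")
    findings += [f"unexpected prefix {p}" for p in prefixes
                 if p not in KNOWN_PREFIXES]
    findings += [f"unexpected DNS server {d}" for d in dns
                 if d not in KNOWN_DNS]
    return findings


def build_ra(lifetime: int, prefixes=(), dns=()) -> bytes:
    """Build a constructed RA body for the demo (checksum left at 0)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
        msg += net.network_address.packed
    if dns:
        msg += struct.pack("!BBHI", 25, 1 + 2 * len(dns), 0, 600)
        for d in dns:
            msg += ipaddress.IPv6Address(d).packed
    return msg


if __name__ == "__main__":
    observed = [  # constructed observations: (source, hop limit, RA body)
        ("fe80::1", 255, build_ra(1800, ["2001:db8:1::/64"], ["2001:db8:1::53"])),
        ("fe80::66", 255, build_ra(1800, ["2001:db8:bad::/64"], ["2001:db8:bad::53"])),
        ("fe80::1", 255, build_ra(0)),
    ]
    for src, hop, body in observed:
        print(src, check_ra(src, hop, body) or "ok")
```

On a network that is meant to be IPv4-only, the allowlists are empty and any RA at all produces a finding, which covers the dual-stack case on the last slide.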
ICMP Redirect Spoofing
Bypasses “secure redirect” check, default on all OS. IPv4: remote, IPv6: local only
Source: Sebastian Krahmer, Marc Heuse Tool: redir6
(V)ictim (A)ttacker (R)outer (T)arget
redir6
Ping Pong
Redirect
Alive Detection via Multicast
• Detect all local systems with one multicast packet
• Invalid option triggers ICMPv6 error reply from all systems
Source: Marc Heuse Tool: alive6
IPv6 Header: Next Header: Destination Header, Src: [local address], Dst: ff02::1
Destination Header: Next Header: ICMPv6, Option: 128 (invalid)
ICMPv6: Echo Request Packet
For ff02::1 you can also do an MLD general query
Multicast Listener Discovery DOS
Denies site/org multicast traffic to LAN
Source: Marc Heuse Tool: fake_mld6
A
Spoofs “A” MLD Done message
Spoof MLD general query message as fe80::
Send general query as fe80:: with special MAC
Sends periodically MLD general query messages
MLD Report: “I am a multicast DNS server” to all routers
DNS multicast traffic flows to the network
<DHCPv6 & mDNS attacks omitted>
More attack scenarios
• Use multicast to send an exploit to all servers in the organization
• Join multicast addresses and spoof server replies
Local Remote
Design
Implementation
Vulnerabilities
[Chart: IPv6 Vulnerabilities (CVE), 2002 to 2011]
Router Advertisement Flooding
Flood LAN with random RAs.
DOS:
• Windows 7, 2008, 2003, XP
• Cisco IOS+ASA (fixed)
• Juniper Netscreen
• FreeBSD (should be fixed)
Source: Marc Heuse Tool: flood_router6
Sniffer Detection
Discover:
• Windows 7, 2008, 2003, XP
• Linux
• FreeBSD
Source: Marc Heuse Tool: thcping6
A C
ping6 dst-mac: 33:33:ff:00:ff:00
ping6 dst-mac: 33:33:ff:00:ff:00
ping6 reply
Reverse Smurfing
Reflective victims:
• Linux
Source: Marc Heuse Tool: rsmurf6
rsmurf6 Reflector Host
ping6 src ff02::1
Victims
ping6 reply
Weird stuff
• Speed-up packet transmission by factor x100 on IPv6 (details to be released in May 2012)
“Remote alive scans (ping scans) as we know them are unfeasible on IPv6”
me in 2005
(and lots of other people incl. RFC documents)
How to identify remote systems?
Broadcasts
Scan the whole range
DNS
Search-engines / databases
Common addresses
Combining them
Search Engines
Dumped various IPv6 directories
↓ 17.000 possible domains & subdomains identified
DNS Results
17.000 domains bruteforcing 3217 hostnames
↓ 23.334 DNS entries found
↓ 15.607 unique IPv6 addresses found
DNS Results
15.607 unique IPv6 addresses found
↓ 7.305 networks
5.811 unique host addresses
[Chart: IPv6 Host Addresses]
Host address analysis
Autoconfiguration
DHCP
by hand
~24 bit key space per vendorID bad luck bad luck
─ Sequential ─ Got one, got all ─ Usually easy to find ─ Pattern
─ Random got one, got all bad luck
─ MAC address ─ Privacy option ─ Fixed random
by hand
::1, ::2, ::3, …
::service_port
::1:service_port, ::2:service_port, …
::service_port:1, ::service_port:2, …
The IPv4 address
Funny stuff (::b00b:babe, etc.)
etc.
DHCP
::1000-2000
::100-200
::1:0-1000
::1:1000-2000
IPv6 Host Address Distribution
Autoconfiguration
Easy DHCP/Hand
IPv4 address
Random/Privacy
Hard DHCP/Hand
Alive Scanning
7.305 networks bruteforcing 3000 host addresses
↓ 380.766 alive systems
↓ 8.160 networks
2.779 unique host addresses
[Chart: Alive Host Addresses]
DNS Analysis
<some slides omitted due to boringness>
Conclusion
DNS bruteforcing: 90% of systems in DNS with 1900 words
Conclusion
Alive bruteforcing: 66% of systems with 2000 addresses
scanned in 1-20 seconds
Final Conclusion
Combined (and use of brain) ~90-95% of servers are found
Local
Remote
Design
Implementation
Vulnerabilities
Privacy Issues in Autoconfiguration
MAC address: 00:0c:29:69:a6:66
IPv6 host address: ::020c:29ff:fe69:a666
Identify a host wherever it travels
Source: common knowledge Tool: not needed
1. RA (received by A): ICMP Type = 134, Src = Router Link-local Address, Dst = FF02::1, Data = options, prefix, lifetime, autoconfig flag
Autoconfiguration: host address based on MAC address
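An audit of your own address inventory against the host-address classes from the "Host address analysis" slides and the MAC-derived case on this slide. This is an added Python example, not code from the talk: the class names, the function names and the inventory are constructed, and the rules are heuristics (only the decimal-written form of an embedded IPv4 address is recognised).

```python
import ipaddress
from collections import Counter, defaultdict


def recover_mac(iid: bytes):
    """Return the MAC behind a MAC-derived (EUI-64) host address, else None."""
    if iid[3:5] != b"\xff\xfe":
        return None
    # Autoconfiguration flips bit 0x02 of the first octet and inserts ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(address: str):
    """Return (class, detail) for the host part (low 64 bits) of an address."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    mac = recover_mac(iid)
    if mac:
        return "autoconfiguration", mac
    groups = [f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2)]
    # IPv4 address written in decimal into the four groups, e.g. ::192:168:1:1
    if groups[0] != "0" and all(g.isdigit() and int(g) <= 255 for g in groups):
        return "ipv4-address", ".".join(groups)
    # ::1, ::100, ::1:1000, ::service_port:1 and similar low-valued patterns
    if iid[:4] == b"\x00\x00\x00\x00":
        low = groups[3] if groups[2] == "0" else f"{groups[2]}:{groups[3]}"
        return "easy-dhcp-or-hand", "::" + low
    return "random-or-hard", None


def audit(addresses):
    """Count how many inventory addresses fall into each class."""
    return Counter(classify(a)[0] for a in addresses)


def stable_identifiers(addresses):
    """Map each recovered MAC to the /64 networks it was seen in."""
    seen = defaultdict(set)
    for addr in addresses:
        kind, detail = classify(addr)
        if kind == "autoconfiguration":
            seen[detail].add(str(ipaddress.ip_network(f"{addr}/64", strict=False)))
    return {mac: sorted(nets) for mac, nets in seen.items()}


# Constructed inventory (documentation prefix 2001:db8::/32). The first two
# entries are the slide's MAC 00:0c:29:69:a6:66 seen in two different networks.
INVENTORY = [
    "2001:db8:1:0:20c:29ff:fe69:a666",
    "2001:db8:2:0:20c:29ff:fe69:a666",
    "2001:db8:1::1",
    "2001:db8:1::1:1000",
    "2001:db8:1:0:192:168:1:1",
    "2001:db8:1::b00b:babe",
    "2001:db8:1:0:3c4f:91ab:77d2:e015",
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a, classify(a))
    print(dict(audit(INVENTORY)))
    print(stable_identifiers(INVENTORY))
```

Hosts reported as `autoconfiguration` carry the same identifier into every network they join; the privacy option listed on the "Host address analysis" slide moves them into the `random-or-hard` class.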
Source Routing
Spoofing, DOS
Now deprecated by RFC
Source: Philippe Biondi Tool: alive6
Routing Loop Tunnel DOS
Multiple encapsulation headers specifying tunnel endpoints => DOS
Source: Gabi Nakibly Tool: unknown
<more tunneling issues omitted>
Reduce MTU
Reduces MTU to 1280, limited impact
Same as redirect attack, but remote
Source: Marc Heuse Tool: toobig6
(V)ictim (R)outer (T)arget
(A)ttacker
toobig6
The complexity problem™
So many
• extension headers
• options in extension headers
• possibilities of orders of headers and options
• new additions come often
The vendor solution:
Different support of options
Different maturity
Changes with every update
↓ “Product supports IPv6” means nothing
Firewalls
IPv4: Whitelist / Deny anything unknown
↓
IPv6: Blacklist / Drop anything known evil
Covert Channels
Every field can be used (IPv6 header fields, Fragment ID, …)
1.4kb per packet (>90%)
Packet layout (diagram): IPv6 | Destination Options [ENCRYPTED SECRET DATA] | TCP | HTTP
Network diagram labels: Internet Company, Collector Host
Source: Marc Heuse Tool: covert_send6
What vendors propose
• Trust Local (“do nothing”)
• RA Guard / ND Security
• SeND
• IPSEC
What vendors propose
• Trust Local (“do nothing”)
• RA Guard
• SeND
• IPSEC
a.k.a. “The Microsoft Approach”™
“We consider this issue to be by design [and will not fix it]. The attack would require that an attacker has access to the targeted network - a situation that does not provide a security boundary.”
Microsoft statement
“while there are no explicit RFC violations in our implementation, we do agree that there is room for improvement
Juniper is currently working through the IETF to come up with a standard method of avoiding
[and won’t move a finger until then, see you again in two years]”
Juniper Statement
Source: http://www.networkworld.com/news/2011/050311-microsoft-juniper-ipv6.html
Public WLANs?
Untrusted/uncontrolled environments?
Microsoft has fixed similar bugs before on IPv4
Options: accept risk or disable IPv6
This builds public confidence in IPv6, good work!
What vendors propose
• Trust Local (“do nothing”)
• RA Guard / ND Security
• SeND
• IPSEC
My opinion of RA guard (and NDP security)
RA Guard
RA Guard / ND Security Bypass
Prepend fragmentation and destination header
Packet layout (diagram): IPv6 | Fragmentation | Destination Options (large & empty) | RA
+ use overlapping fragments, and it’s game over
Source: Marc Heuse Tool: fake_router6
What vendors propose
• Trust Local (“do nothing”)
• RA Guard / ND Security
• SeND
• IPSEC
Sorry, but:
All devices must support it (printers!)
No privacy extensions possible
Key distribution => big overhead
Only protects RA & ND (SeND)
SeND DOS
CGA verification => CPU expensive
Flood => DOS
1. NS: ICMP Type = 135, Src = A, Dst = All-Nodes Multicast, Query = Who-has IP B?, CGA = signing information
Flood NS: ICMP Type = 135, Src = Attacker, Dst = All-Nodes Multicast, Data = MAC, CGA = fake signing information
Source: Will Damn Tool: seenpees6
SeND Attack
Source: Marc Heuse Tool: ******6
<I am not publishing this yet, sorry>
IPSEC Attack
<I am not publishing this yet, sorry>
Source: Marc Heuse Tool: ******6
The Problem:
IPv4 thinking applied to IPv6
IPv6 requires a new thinking for
• Designing
• Implementing
• Configuring
• Hacking
Besides security, lots of problems …
• Tunnel/MTU problems
• Client DNS server config
• …
BEWARE!
Nobody really knows (including me)
The Good Thing™:
Critical issues are site-local only
Where to deploy IPv6 in the next 2 years?
Front-end DMZ only
(if you are a “normal” company. ISPs, Telcos, Universities, etc.: good luck)
How to deploy in the DMZ?
Dedicated IPv6 Firewall
Dedicated IPv6 Web server – or share
Share all the rest of the infrastructure
What to configure in the DMZ
• Strong incoming/outgoing ICMPv6 filtering on firewall
• Random host numbering
• Secure DNS, implement DNSSEC with NSEC3
Everywhere else …
• Disable IPv6 on all devices possible
– Laptops, smartphones, embedded, …
If ever on the LAN …
• Private address space internally (random identifier)
• Don’t use privacy extension (discuss with data protection officer & works council (Betriebsrat))
• Don’t use DHCPv6
If ever on the LAN …
• Forget RA guard and SeND
• Don’t use site/org multicast, disable MLD
• IPv6 hardening on client/server/router
IPv6 requires new thinking
If even vendors can’t do it – who can?
IPv6 Pentesting Tools
• THC-IPv6 Attack Suite
• Portscanner: Nmap / Halfscan6 / strobe / amap
• Protocol Analyzer: Wireshark / COLD
• Packet Generators: Scapy6 / Multi-Generator (MGEN) / spak6 / isic6 / Hyenae / SendIP / Packit
• Forwarder: socat / Relay6 / 6tunnel / NT6tunnel
• Covert Channel: VoodooNet
• Exploitation Framework: Metasploit
Contact
Marc Heuse