Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: Recent advances in IPv6 insecurity

Recent advances in IPv6 insecurity – Marc “van Hauser” Heuse

In a distant future… IPv6 will come. Maybe, hopefully never!!!

If you haven’t already realised it, IPv6 is already in your systems. The future is already here!

Providers are now finding issues getting IPv4 addresses. IPv6 addresses are coming, slowly.

The biggest provider in Germany (Deutsche Telekom) is working on an IPv6 rollout in 2011.

Typical standard subnet for IPv6 is /64

Enough addresses for anybody!

IPv6 doesn’t do broadcasts anymore, but there are multicast addresses (local only)

This all means there are issues with scanning

Complete client autoconfiguration

IPSEC built-in by default

IPv6 is a lot about visions of how things could be! Not sure if it will be everything yet.

What’s missing from the IPv6 header

  • No header length
  • No identification header
  • No checksum (now handled by upper layers)
  • No fragmentation
  • No options

Every option is an extension header on its own

  • Fragmentation
  • Source routing
  • Destination options
  • IPSEC
  • ….

IPv6 is much simpler than IPv4 (or at least it seems that way)

The creators are not learning from historical issues from IPv4

Many many CVE numbers

Presented in 2005

There were no tools…

So one was created… the THC IPv6 Attack Toolkit

  • Neighbor Discovery
    • ARP spoofing isn’t possible anymore. However ICMP6 ND spoofing does the same job
  • Neighbor Solicitation
    • Duplicate address detection DoS condition. Similar to DHCP exhaustion attacks
  • MITM with redirects
    • Local land
  • DHCP => Autoconfiguration
    • Uses router advertisements
    • Lets a user pick their own address
  • Kick the default router
    • Spoof RA (Router Advertisement) to reduce default gateway to 0 lifetime
    • Send your own RA
  • Send RA => Systems become dual stack
    • Some systems are just waiting for an RA packet to enable IPv6
    • These systems will then prefer IPv6
  • RA Flooding
    • IPv6 is designed to have multiple addresses
    • But what happens when you advertise 10,000 ?
      • 100% CPU
      • 100% RAM
      • Cisco, Windows, old Linux, …
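The router-advertisement items above (kick the default router, rogue RA to force dual stack, RA flooding) are all visible on the wire. As an added example, not the THC toolkit's code and not from the talk, here is a defender-side monitor that decodes Router Advertisements per RFC 4861 and raises an alert for each of the three. The trusted router address `fe80::1`, the flood threshold, and the packets produced by `build_ra` (checksum left at zero) are constructed for this example.

```python
import struct
import ipaddress
ND_ROUTER_ADVERT, OPT_PREFIX_INFO = 134, 3      # ICMPv6 RA type and Prefix Information option type
TRUSTED_ROUTERS = {"fe80::1"}                    # assumption: link-local address of the legitimate router
FLOOD_PREFIXES_PER_SEC = 100                     # assumption: alert above this many prefixes per second

def parse_ra(payload):
    """Decode an ICMPv6 Router Advertisement (RFC 4861) into (router_lifetime, [prefix/len]), or None."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT: return None
    lifetime = struct.unpack("!H", payload[6:8])[0]    # 0 means "I am no longer a default router"
    prefixes, off = [], 16
    while off + 2 <= len(payload):                      # walk the TLV options after the fixed header
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                                   # malformed option: stop rather than spin
            break
        end = off + olen * 8
        if otype == OPT_PREFIX_INFO and olen == 4 and end <= len(payload):
            prefixes.append(f"{ipaddress.IPv6Address(payload[off + 16:off + 32])}/{payload[off + 2]}")
        off = end
    return lifetime, prefixes

class RaMonitor:
    """Per-link RA watcher: returns alert strings for the three RA abuses in the list above."""
    def __init__(self):
        self.window_start, self.window_prefixes = None, 0
    def observe(self, ts, src, payload):
        parsed = parse_ra(payload)
        if parsed is None:
            return []
        lifetime, prefixes = parsed
        alerts = []
        if src not in TRUSTED_ROUTERS:                  # rogue RA: forced dual stack or a new gateway
            alerts.append(f"rogue RA from {src}: {prefixes}")
        if lifetime == 0:                               # source may be spoofed as the real router
            alerts.append(f"router lifetime 0 from {src}: default router withdrawn")
        if self.window_start is None or ts - self.window_start >= 1.0:
            self.window_start, self.window_prefixes = ts, 0
        self.window_prefixes += len(prefixes)
        if self.window_prefixes > FLOOD_PREFIXES_PER_SEC:
            alerts.append(f"RA flood: {self.window_prefixes} prefixes within 1s")
        return alerts

def build_ra(lifetime, prefixes):
    """Constructed sample packets (checksum left 0): a minimal RA with one Prefix Information option per prefix."""
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    return pkt
```

The prefix-per-second counter covers both a single RA carrying many prefixes and a stream of one-prefix RAs, which is the shape of the flood described above.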

Remote ping scans of IPv6 not possible – van Hauser (2005)

But there are options

Identify remote systems through

  • Search engines / Databases
  • DNS
  • Common addresses

With this we can identify SOME systems…

There are a number of common host addresses, based on what has been seen on the internet in testing. The most common host address is 1

Host Addresses Analysis

How are addresses assigned

Autoconfiguration

  • MAC address
  • Privacy option
  • Fixed random

Check similar MAC addresses… same vendor, different system!

By Hand

  • Pattern
  • Random

Common names

::1, ::2, ::3 …

::service_port (e.g. ::80)

The IPv4 address

DHCP

  • Sequential
    • Get one, get ALL

In total we can find around 66% of systems using these methods currently… this could be increased to 70-75% with more tuning

Just by DNS brute-forcing you can find 90% of systems (using 1900 words)

With alive brute-forcing you can find 66% of systems

Combined (with use of the brain) you can find 90-95% of the systems
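The address patterns in the host-address analysis above (EUI-64 from the MAC, ::1/::2 counters, ::service_port, an embedded IPv4 address, random) can be recognised from the address alone, which lets a defender audit a prefix for hosts the described guessing methods would find. This classifier is an added example, not from the talk or the THC toolkit; the port list, the labels and the sample addresses are its own assumptions.

```python
import ipaddress

KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 3306, 8080}  # assumption: ports worth flagging

def hextets(iid):
    """The four hextets of an 8-byte interface identifier, as they would be written (hex text)."""
    return [f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2)]

def classify(addr):
    """Label the host part of addr by the assignment pattern it matches; 'random' is the hard case."""
    iid = ipaddress.IPv6Address(addr).packed[8:]           # low 64 bits = interface identifier
    value = int.from_bytes(iid, "big")
    h = hextets(iid)
    if iid[3] == 0xFF and iid[4] == 0xFE:                  # modified EUI-64: MAC with ff:fe inserted
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the universal/local bit flip
        return "eui64 mac=" + ":".join(f"{b:02x}" for b in mac)
    if value > 0xFFFF and all(x.isdigit() and int(x) <= 255 for x in h):
        return "ipv4-embedded " + ".".join(str(int(x)) for x in h)   # e.g. ::192:0:2:10 written by hand
    if value <= 0xFFFF:                                    # only the last hextet is set
        if h[3].isdigit() and int(h[3]) in KNOWN_PORTS:    # ::80, ::443: the service port, written as text
            return f"service-port {int(h[3])}"
        return f"counter {value}"                          # ::1, ::2, ...: by hand or sequential DHCP
    return "random"                                        # privacy extensions or fixed random

def audit(addrs):
    """Count addresses per pattern class; everything but 'random' is reachable by the guessing methods above."""
    counts = {}
    for a in addrs:
        label = classify(a).split(" ")[0]
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample addresses (documentation prefix), one per pattern plus one random.
SAMPLE = ["2001:db8::1", "2001:db8::2", "2001:db8::80", "2001:db8::192:0:2:10",
          "2001:db8::211:22ff:fe33:4455", "2001:db8::a1b2:c3d4:e5f6:7788"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} {classify(a)}")
    print(audit(SAMPLE))
```

Grouping the `eui64` results by the first three MAC bytes reproduces the "same vendor, different system" check from the notes.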

Multicast

Sends periodic MLD general queries

You can send a DONE message to prevent your system receiving these MLD queries (there is a confirmation however… that spoils the party)

So the attacker has to become the Query Router

Spoof the query router for the target

If your system doesn’t send MLD general queries however, the original router will resume sending

By spoofing with a specific MAC address you can send only the MLD to the router and not the target

Is anybody sniffing?

A bug found in Linux in 2008

Re-discovered in IPv6 recently

Side channel attacks in IPv6! IPv6 IS a side channel

IPv6 is complex, and the more you look into it, the more complex it becomes

Finding interesting bugs that actually matter in IPv6 is easy

Join researching IPv6

Links:

  • Talk synopsis –> HERE
  • THC IPv6 Attack Toolkit –> HERE
  • ipv6security.info
  • ipv6hacking.info

3 responses to “DeepSEC: Recent advances in IPv6 insecurity”

  1. This November 26, 2010 at 12:00

    This article is full of nonsense. If you don't understand IPv6 don't talk about it.

  2. ChrisJohnRiley November 26, 2010 at 13:01

    Well thanks for popping by, and thanks for your constructive feedback. I always love it when people are too scared to give their name when leaving posts. It makes me truly appreciate that the internet is full of useless things.

    I’d like to point out these are live notes written from the IPv6 at the Deepsec conference and not something I created. It’s also not an article.

    Still I’m sure if people surf over to networkconcepts.nl (89.106.161.124) they can get much better info. You are obviously the expert on all things IPv6!

    Might I also suggest, if you don’t like it, move along! I write this blog and these notes for people who have respect and aren’t idiots!

  3. Pingback: Week 47 in Review – 2010 - Blogs and News - Network Security - Information Security Podcast Network