Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DeepSEC: Recent advances in IPv6 insecurity

Recent advances in IPv6 insecurity Marc “van Hauser” Heuse

In a distant future… IPv6 will come. Maybe, hopefully never!!!

If you haven’t already realised it, IPv6 is already in your systems. The future is already here!

Providers are now finding issues getting IPv4 addresses. IPv6 addresses are coming, slowly.

The biggest provider in Germany (Deutsche Telekom) is working on an IPv6 rollout in 2011.

Typical standard subnet for IPv6 is /64

Enough addresses for anybody!

IPv6 doesn’t do broadcasts anymore, but there are multicast addresses (local only)

This all means there are issues with scanning

Complete client autoconfiguration

IPSEC built-in by default

IPv6 is a lot about visions of how things could be! Not sure if it will be everything yet.

What’s missing from the IPv6 header

  • No header length
  • No identification header
  • No checksum (now handled by upper layers)
  • No fragmentation
  • No options

Every option is an extension header on its own

  • Fragmentation
  • Source routing
  • Destination options
  • ….

IPv6 is much simpler than IPv4 (or at least it seems that way)

The creators are not learning from historical issues from IPv4

Many many CVE numbers

Presented in 2005

There were no tools…

So one was created… the THC IPv6 Attack Toolkit

  • Neighbor Discovery
    • ARP spoofing isn’t possible anymore. However ICMP6 ND spoofing does the same job
  • Neighbor Solicitation
    • Duplicate address detection DoS condition. Similar to DHCP exhaustion attacks
  • MITM with redirects
    • Local land
  • DHCP => Autoconfiguration
    • Uses router advertisements
    • Lets a user pick their own address
  • Kick the default router
    • Spoof RA (Router Advertisement) to reduce default gateway to 0 lifetime
    • Send your own RA
  • Send RA => Systems become dual stack
    • Some systems are just waiting for an RA packet to enable IPv6
    • These systems will then prefer IPv6
  • RA Flooding
    • IPv6 is designed to have multiple addresses
    • But what happens when you advertise 10,000 ?
      • 100% CPU
      • 100% RAM
      • Cisco, Windows, old Linux, …

Remote ping scans of IPv6 not possible – van Hauser (2005)

But there are options

Identify remote systems through

  • Search engines / Databases
  • DNS
  • Common addresses

With this we can identify SOME systems…

There are a number of common host addresses based on whats been seen on the internet in testing. The most common host address is 1

Host Addresses Analysis

How are addresses assigned


  • MAC address
  • Privacy option
  • Fixed random

Check similar MAC addresses… same vendor, different system!

By Hand

  • Pattern
  • Random

Common names

::1, ::2, ::3 …

::service_port (e.g. ::80)

The IPv4 address


  • Sequential
    • Get one, get ALL

In total we can find around 66% of systems using these methods currently… this could be increased to 70-75% with more tuning

Just by DNS brute-forcing you can find 90% of systems (using 1900 words)

Alive brute-forcing you can find 66% of systems

Combined (with use of the brain) you can find 90-95% of the systems


Sends periodic MLD general queries

You can send a DONE message to prevent your system receiving these MLD queries (there is a confirmation however… that spoils the party)

So the attacker has to become the Query Router

Spoof the query router for the target

If your system doesn’t send MLD general queries however, the original router will resume sending

By spoofing with a specific MAC address you can send only the MLD to the router and not the target

Is anybody sniffing

A bug found in Linux in 2008

Re-discovered in IPv6 recently

Side channel attacks in IPv6! IPv6 IS a side channel

IPv6 is complex, and the more you look into it, the more complex it becomes

Finding interesting bugs that actually matter in IPv6 is easy

Join researching IPv6


  • Talk synopsis –> HERE
  • THC IPv6 Attack Toolkit –> HERE
  • ipv6security.info
  • ipv6hacking.info

3 responses to “DeepSEC: Recent advances in IPv6 insecurity

  1. This November 26, 2010 at 12:00

    This artikel is full for nonsense. If you don;t understand IPv6 dont talk about it.

  2. ChrisJohnRiley November 26, 2010 at 13:01

    Well thanks for popping by, and thanks for your constructive feedback. I always love it when people are too scared to give there name when leaving posts. It makes me truely appreciate that the internet is full of useless things.

    I’d like to point out these are live notes written from the IPv6 at the Deepsec conference and not something I created. It’s also not an article.

    Still I’m sure if people surf over to networkconcepts.nl ( they can get much better info. You are obviously the expert on all things IPv6!

    Might I also suggest, if you don’t like it, move along! I write this blog and these notes for people who have respect and aren’t idiots!

  3. Pingback: Week 47 in Review – 2010 - 博客与新闻 - Network Security - 网络安全 - 信息安全播客网

%d bloggers like this: