Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: ipv6

DeepSEC: Recent advances in IPv6 insecurity

Recent advances in IPv6 insecurity – Marc “van Hauser” Heuse

In a distant future… IPv6 will come. Maybe, hopefully never!!!

If you haven’t already realised it, IPv6 is already in your systems. The future is already here!

Providers are now finding issues getting IPv4 addresses. IPv6 addresses are coming, slowly.

The biggest provider in Germany (Deutsche Telekom) is working on an IPv6 rollout in 2011.

Typical standard subnet for IPv6 is /64

Enough addresses for anybody!

IPv6 doesn’t do broadcasts anymore, but there are multicast addresses (local only)

This all means there are issues with scanning

Complete client autoconfiguration

IPSEC built-in by default

IPv6 is a lot about visions of how things could be! Not sure if it will be everything yet.

What’s missing from the IPv6 header

  • No header length
  • No identification header
  • No checksum (now handled by upper layers)
  • No fragmentation
  • No options

Every option is an extension header on its own

  • Fragmentation
  • Source routing
  • Destination options
  • IPSEC
  • ….

IPv6 is much simpler than IPv4 (or at least it seems that way)

The creators are not learning from historical issues from IPv4

Many many CVE numbers

Presented in 2005

There were no tools…

So one was created… the THC IPv6 Attack Toolkit

  • Neighbor Discovery
    • ARP spoofing isn’t possible anymore. However ICMP6 ND spoofing does the same job
  • Neighbor Solicitation
    • Duplicate address detection DoS condition. Similar to DHCP exhaustion attacks
  • MITM with redirects
    • Local land
  • DHCP => Autoconfiguration
    • Uses router advertisements
    • Lets a user pick their own address
  • Kick the default router
    • Spoof RA (Router Advertisement) to reduce default gateway to 0 lifetime
    • Send your own RA
  • Send RA => Systems become dual stack
    • Some systems are just waiting for an RA packet to enable IPv6
    • These systems will then prefer IPv6
  • RA Flooding
    • IPv6 is designed to have multiple addresses
    • But what happens when you advertise 10,000 ?
      • 100% CPU
      • 100% RAM
      • Cisco, Windows, old Linux, …

Remote ping scans of IPv6 not possible – van Hauser (2005)

But there are options

Identify remote systems through

  • Search engines / Databases
  • DNS
  • Common addresses

With this we can identify SOME systems…

There are a number of common host addresses, based on what's been seen on the internet in testing. The most common host address is 1.

Host Addresses Analysis

How are addresses assigned

Autoconfiguration

  • MAC address
  • Privacy option
  • Fixed random

Check similar MAC addresses… same vendor, different system!

By Hand

  • Pattern
  • Random

Common names

::1, ::2, ::3 …

::service_port (e.g. ::80)

The IPv4 address

DHCP

  • Sequential
    • Get one, get ALL

In total we can find around 66% of systems using these methods currently… this could be increased to 70-75% with more tuning

Just by DNS brute-forcing you can find 90% of systems (using 1900 words)

By alive brute-forcing you can find 66% of systems

Combined (with use of the brain) you can find 90-95% of the systems
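The assignment patterns in the host address analysis above can be checked against your own address inventory. This is an added example, not part of the talk or the original post: it classifies the interface identifier of each address into the categories the notes mention, and the port shortlist, category names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 8080}  # assumed shortlist

# Constructed inventory in the 2001:db8::/32 documentation prefix.
SAMPLE = [
    "2001:db8:0:1::1",                   # counted by hand
    "2001:db8:0:1::80",                  # service port typed as hex digits
    "2001:db8:0:1::c0a8:a05",            # IPv4 192.168.10.5 in the low 32 bits
    "2001:db8:0:1:192:168:10:5",         # IPv4 octets typed as decimal groups
    "2001:db8:0:1:211:22ff:fe33:4455",   # SLAAC from MAC 00:11:22:33:44:55
    "2001:db8:0:1:9c3a:71e4:5b0d:f2a6",  # privacy / random identifier
]

def classify_iid(addr):
    """Return (category, detail) for the interface identifier (low 64 bits)."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    raw = iid.to_bytes(8, "big")
    groups = [f"{int.from_bytes(raw[i:i + 2], 'big'):x}" for i in range(0, 8, 2)]
    # Modified EUI-64: ff:fe inserted mid-MAC, universal/local bit inverted.
    if raw[3:5] == b"\xff\xfe":
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
        return "eui64-mac", ":".join(f"{b:02x}" for b in mac)
    if iid <= 0xFFFF:
        digits = groups[3]
        if digits.isdigit() and int(digits) in COMMON_PORTS:
            return "service-port", digits
        return "low-counter", digits
    if iid <= 0xFFFFFFFF:
        return "embedded-ipv4", str(ipaddress.IPv4Address(iid))
    if all(g.isdigit() and int(g) <= 255 for g in groups):
        return "ipv4-as-digits", ".".join(groups)
    return "opaque", ""

def audit(addresses):
    """Return ({address: (category, detail)}, count of guessable addresses)."""
    report = {a: classify_iid(a) for a in addresses}
    guessable = sum(1 for cat, _ in report.values() if cat != "opaque")
    return report, guessable

if __name__ == "__main__":
    report, guessable = audit(SAMPLE)
    for addr, (cat, detail) in report.items():
        print(f"{addr:36} {cat:15} {detail}")
    print(f"{guessable}/{len(SAMPLE)} match a guessable pattern")
```

Addresses reported as `eui64-mac` also disclose the interface's MAC address and therefore the hardware vendor, which is the point of the "same vendor, different system" remark.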

Multicast

Sends periodic MLD general queries

You can send a DONE message to prevent your system receiving these MLD queries (there is a confirmation however… that spoils the party)

So the attacker has to become the Query Router

Spoof the query router for the target

If your system doesn’t send MLD general queries however, the original router will resume sending

By spoofing with a specific MAC address you can send only the MLD to the router and not the target

Is anybody sniffing

A bug found in Linux in 2008

Re-discovered in IPv6 recently

Side channel attacks in IPv6! IPv6 IS a side channel

IPv6 is complex, and the more you look into it, the more complex it becomes

Finding interesting bugs that actually matter in IPv6 is easy

Join researching IPv6

Links:

  • Talk synopsis –> HERE
  • THC IPv6 Attack Toolkit –> HERE
  • ipv6security.info
  • ipv6hacking.info

[BruCON] Transition to IPv6 on the internet: Threats and Mitigation techniques

Eric Vyncke – Transition to IPv6 on the internet: Threats and Mitigation techniques

Has been running IPv6 at home for 6-7 years.

  • Why IPv6, What is IPv6 ?
  • Shared issues by IPv4 and IPv6
  • Specific issues of IPv6
  • Enforcing a Security policy in IPv6

Current estimates are that IPv4 will be exhausted by the beginning of 2011

Currently seeing <1Gbps of IPv6 traffic through the Amsterdam Internet Exchange — This is not much

Four big changes introduced by IPv6

  • Larger addresses (128 bits vs 32 bits)
  • Multiple addresses per node (correlation more difficult)
  • Optional extension headers (complexity for ACL)
  • ARP is replaced by Neighbor Discovery Protocol

A lot of these changes have security implications (good and bad)
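Extension headers, listed in the DeepSEC notes and flagged here as ACL complexity, mean a filter cannot read the transport protocol from the fixed header alone. This is an added example, not from either talk or the original post, that walks the header chain the way a filter must before it can match a TCP port; the helper names and both packets are constructed for illustration.

```python
import ipaddress
import struct

# Extension headers with a parseable length; ESP (50) hides everything after it.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "AH", 60: "dest-opts"}

def walk(packet, max_headers=8):
    """Return (chain, upper_proto, offset); upper_proto is None when not visible."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT:
        if len(chain) == max_headers or off + 8 > len(packet):
            raise ValueError("chain too long or truncated")
        chain.append(EXT[nxt])
        if nxt == 44:                                   # fragment: fixed 8 bytes
            size = 8
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return chain, None, off + 8             # non-first fragment
        elif nxt == 51:                                 # AH counts 4-byte words
            size = (packet[off + 1] + 2) * 4
        else:                                           # others count 8-byte units
            size = (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    return chain, nxt, off

def tcp_dport(packet):
    """TCP destination port, or None if no TCP header is visible in this packet."""
    chain, proto, off = walk(packet)
    if proto != 6 or off + 4 > len(packet):
        return None
    return struct.unpack_from("!H", packet, off + 2)[0]

def fixed(next_header, payload_len):
    """Constructed 40-byte IPv6 header between two documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst

PAD = bytes([1, 4, 0, 0, 0, 0])                         # PadN option, 6 bytes total
TCP = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
# Constructed packets: TCP/22 behind two extension headers, and a later fragment.
CHAINED = fixed(0, 36) + bytes([60, 0]) + PAD + bytes([6, 0]) + PAD + TCP
LATER_FRAGMENT = fixed(44, 28) + struct.pack("!BBHI", 6, 0, 185 << 3, 7) + bytes(20)
```

In `CHAINED` the fixed header's Next Header field is 0, so a rule that only reads that field never sees the TCP segment to port 22. A later fragment or an ESP payload shows no port at all, so the policy for those cases has to be stated explicitly.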

Shared issues

(Reconnaissance)

  • Due to address space issues, scanning methods will need to change
  • Public servers will be DNS resolvable
  • Increased reliance on Dynamic DNS
  • Administrators will tend to pick easy-to-remember addresses
  • By compromising a host an attacker can learn new addresses to scan

Scanning an IPv6 subnet could be an attack on the router due to the amount of traffic needed to find hosts within a reasonable timeframe.

(Viruses and Worms)

  • Worms cannot scan subnets like they did with IPv4 (see Reconnaissance)
  • Use email to propagate (No change)

IPv6 Privacy Extension (RFC 3041)

  • Should be used as a consumer, but not inside networks
  • Changing addresses make your logs useless

ICMPv6

  • Significant changes
  • More relied upon than ICMPv4 (not so easy to just block it all)
  • Firewalls will need to reply to some ICMPv6 messages (Type 133/134, etc….)

Neighbor Discovery Issues

  • Stateless autoconfiguration – Attackers can send fake router advertisements due to lack of authentication
  • Neighbor solicitation – No authentication (much like ARP spoofing for IPv6)
  • Duplicate address detection – System sends request to see if a conflict exists (attacker can DoS a system)

ARP spoofing is now NDP spoofing !

Solution coming that uses Secure Neighbor Discovery – SEND = NDP + crypto (RFC 3971)
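Both talks describe forged Router Advertisements: a zero router lifetime, senders that are not real routers, and floods of advertised prefixes. This is an added example, not from either talk or the original post, that parses RA messages and raises an alert for each of those three conditions; the router allowlist, threshold, alert names and sample window are constructed assumptions.

```python
import ipaddress
import struct

KNOWN_ROUTERS = {"fe80::1"}  # assumption: link-local addresses of the real routers
MAX_PREFIXES = 8             # assumption: more distinct prefixes than this is a flood

def parse_ra(msg):
    """Return (router_lifetime, [prefix, ...]) or None if not a well-formed RA."""
    if len(msg) < 16 or msg[0] != 134:
        return None
    lifetime = struct.unpack_from("!H", msg, 6)[0]
    prefixes, off = [], 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            return None                            # malformed option: ignore the RA
        if otype == 3 and olen == 32:              # Prefix Information option
            prefixes.append(f"{ipaddress.IPv6Address(msg[off + 16:off + 32])}/{msg[off + 2]}")
        off += olen
    return lifetime, prefixes

def build_ra(lifetime, prefixes=()):  # builds constructed sample RAs, checksum left 0
    msg = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        msg += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
        msg += net.network_address.packed
    return msg

def detect(events):
    """events: (source address, ICMPv6 bytes) pairs seen in one time window."""
    alerts, seen = set(), set()
    for src, msg in events:
        ra = parse_ra(msg)
        if ra is None:
            continue
        lifetime, prefixes = ra
        if src not in KNOWN_ROUTERS:
            alerts.add(("unknown-router", src))
        if lifetime == 0:
            alerts.add(("router-lifetime-zero", src))
        seen.update(prefixes)
    if len(seen) > MAX_PREFIXES:
        alerts.add(("prefix-flood", str(len(seen))))
    return sorted(alerts)

# Constructed window: normal RA, lifetime-0 RA, then 10 prefixes from an unknown sender.
SAMPLE = [("fe80::1", build_ra(1800, ["2001:db8:1::/64"])), ("fe80::1", build_ra(0))] + [
    ("fe80::f00d", build_ra(1800, [f"2001:db8:{i:x}::/64"])) for i in range(0x100, 0x10a)]
```

A `router-lifetime-zero` alert naming a known router should be checked against planned maintenance, because a real router sends the same message when it stops acting as a default gateway.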

Bugs in IPv6 exist just like they have/do in IPv4. The more it’s implemented the more problems can be found and fixed. However attack tools exist for IPv6 already.

Specific IPv6 issues
(The IPSEC myth)

  • IPv6 mandates the implementation of IPSEC, but doesn’t require its use
  • IPSEC has scaling issues
  • Firewalls, IDS cannot read your traffic
  • Network services like QoS are hindered

(IPv4 to IPv6 Transition challenges)

  • 16+ Methods !
  • Dual Stack – Dual attack surface ! You are only as strong as your weakest stack
  • Jumping from an IPv6 attack into an IPv4 “No split tunneling” VPN possible
  • Your network doesn’t run IPv6, however it doesn’t need to if your PC enables it by default
  • Most transition mechanisms don’t include authentication – Spoofing

Tools like Teredo that make tunnels through the NAT can be used to transport traffic that would normally be blocked when using IPv4. A single opening in the NAT can be used to attack the internal host.

Enforcing the policy
ACLs need to be able to pass more complex chains to support IPv4 and IPv6.

Training for network engineers and everybody on what IPv6 is and what impact it will have.