Page 1
THE HACKERS CHOICE
Attacking the IPv6 Protocol Suite
van Hauser, THC
vh@thc.org http://www.thc.org
Page 2
You might know me from
Anonymizing Unix Systems
Page 3
1 Short Introduction to IPv6
2 The THC IPv6 Attack Suite
3 Security relevant changes IPv4 <> IPv6
4 Security Vulnerabilities in IPv6 so far
5 Implementation Vulnerabilities in IPv6
6 New Research & Future
Page 4
Goals of IPv6
- Enough IP addresses for the next decades
  2^128 = 340.282.366.920.938.463.463.374.607.431.768.211.456
- Auto configuration of IP addresses and networking
  - Reduces operational costs
Page 5
IPv6 Header Structure (figure)
- Version = 6
- Next Header
- 128 bit Source Address
- 128 bit Destination Address
Page 6
IPv6 Layer Structure (figure)
IPv6 Packet = IPv6 Header | Extension Header(s) | Upper Layer Protocol Data Unit (PDU) = Payload
- IPv6 Header ≡ 40 Bytes
- Upper Layer PDU ≤ 65535 Bytes
- Upper Layer PDU > 65535 Bytes = Jumbo Payload
Page 7
IPv6 Header Structure (figure)
- IPv6 Header (Next Header = 6) | TCP Header | Application Data
- IPv6 Header (Next Header = 43) | Routing Header | TCP Header
Examples for Extension Headers (Next Header values): Hop-by-Hop = 0; UDP = 17; Encapsulated Header = 41; RSVP = 46; IPSEC – Encapsulating Security Payload = 50 + Authentication Header = 51; ICMPv6 = 58; No Next Header = 59; Destination Options = 60; OSPFv3 = 98
Page 8
Blackhat usage of IPv6 today
- Enable IPv6 / 6to4 tunneling
- Run Backdoor on IPv6 address
- Not detected by port scanning
- Harder to analyze traffic
Page 9
Availability of Hacker Tools so far …
Not many hacker tools exist for IPv6:
- Port Scanning: nmap, halfscan6, …
- Port Bouncers: relay6, 6tunnel, nt6tunnel, asybo, …
- Denial of Service (connection flooding): 6tunneldos
- Packet fun: isic6, scapy6, libnet (partially implemented only)
More expected when IPv6 deployment is wider
Specific IPv6 protocol attacking tools? None except …
Page 10
The THC IPv6 Attack Suite
- An easy to use IPv6 packet factory library by THC
- IPv6 protocol exploit tools can be coded in just 5-10 lines
- Lots of powerful protocol exploits included
- Linux (little endian) only
- IT'S THE ONLY ONE AVAILABLE :)
Page 11
  - Fake a router, implant routes, become the default router, …
- DETECT NEW IPv6
  - Detect new IPv6 systems on the LAN, automatically launch a script
- DOS NEW IPv6
Page 12
  - Play around with Multicast Listener Discovery Reports
- FAKE_MIPv6
  - Reroute mobile IPv6 nodes where you want them if no IPSEC is required
- SENDPEES6
  - Neighbor solicitations with lots of CGAs
- Protocol Implementation Tester
  - Various tests, more to come
Page 13
Overview of security relevant changes
Page 14
1 Protocol Changes
- A few IP header content and options were removed:
  - No IP ID field
    Nice uptime check not possible anymore :(
  - No IP Record Route Option
    No traceroute alternative anymore :(
- No Broadcast addresses exist
- Multicast addresses can not be destined from remote
  - This prevents remote alive scanning!
Page 15
2 Reconnaissance IPv4
- Network size in a subnet usually 2^8 = 256
- Usual attack methodology:
  (takes 5-30 seconds)
  - Vulnerability test to active ports
- Wide range of tools available
  - Nmap, Amap, Nessus, …
Page 16
2 Reconnaissance IPv6 (1/2)
- Network size now 2^64 (varies) in a subnet!
  - 18.446.744.073.709.551.616 IPs per subnet
- Ping sweeps will consume too much time
  - Brute force: 500 million years
  - Being clever + technology advances: still some months
Page 17
2 Reconnaissance IPv6 (2/2)
- Remote: only the public servers (via google, DNS, etc.) and anycast addresses
- New opportunities are standardized multicast addresses to identify key servers within the local network (routers, DHCP, Time, etc.)
- Local multicasts ensure that one compromised host can find all other hosts in a subnet
- Techniques to a single host remain the same (port scan, attacking active ports, exploitation, etc.)
- Remote alive scans (ping scans) as we know them on networks are unfeasible
Page 18
2 Reconnaissance with the THC IPv6 Attack Toolkit
- alive6 – for local/remote unicast targets, and local multicast addresses
  - ICMP6 Echo Request
  - IP6 packet with unknown header
  - IP6 packet with unknown hop-by-hop option
  - [IP6 fragment (first fragment) – if needed I will add this]
  - One shot fragmentation + routing header
Page 19
3 ARP IPv4
- ARP uses layer 2 broadcast to perform the IP -> MAC lookup on the local network
- Attackers can respond in order to perform "Man in the middle" attacks
Page 20
3 DHCP IPv4
- DHCP uses broadcast messages
- Any (rogue :) ) device can respond
- Feed the host with new DNS and routing information => "Man in the Middle" attack
Page 21
3 ARP/DHCP IPv6
- No security added (to both)
- ICMP6 Neighbor Discovery / Neighbor Solicitation = ARP replacement
- Duplicate Address Detection based on NS allows DoS by responding to those checks
- ICMPv6 Stateless auto configuration = DHCP light
Page 22
(Figure: A sends Dst = All-Nodes Multicast Address, query = Who-has IP B?; B answers Dst = A, Data = Link Layer Address; parasite6: Answer to every NS, claim to be every system on the LAN :) )
If A needs the MAC of B, it sends an ICMP6 Neighbor Solicitation to the "All-Nodes" multicast address.
B sees the request and responds to A with an ICMP6 Neighbor Advertisement with its MAC address.
=> Like ARP. But everybody can respond to the request
Page 23
(Figure: A sends Dst = All-Nodes Multicast Address, query = Who-has IP A?; attacker: Answer to every NS, claim to be every system on the LAN :) )
If A sets a new IP address, it makes the Duplicate Address Detection check, to check if anybody uses the address already.
Anybody can respond to the DAD checks…
Page 24
(Figure: Client query = please send RA; Router Data = options, prefix, lifetime, autoconfig flag)
Routers send periodic (& solicited) Router Advertisements (RA) to the All-Nodes multicast address.
Clients configure their routing tables and network prefix from advertisements => Like a DHCP-light in IPv4
Anyone can send Router Advertisements!
Sets any IP as default router :)
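The slides on Neighbor Discovery and Router Advertisements (pages 22 to 24) describe what a rogue station on the link can do; the added example below is a small detection monitor written for this page, not part of the THC toolkit or the talk. It assumes a constructed allowlist of legitimate router MAC addresses and inspects ICMPv6 frames without extension headers; it flags Router Advertisements from unexpected sources or non-link-local addresses (RFC 4861 requires a link-local source), a target address whose advertised owner changes, and one MAC claiming many targets, which is the traffic pattern parasite6 produces.

```python
import ipaddress, struct

RA, NA = 134, 136                               # ICMPv6 Router / Neighbor Advertisement types
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}     # constructed allowlist of the legitimate router(s)

def nd_frame(src_mac, src_ip, itype, body):
    """Constructed Ethernet+IPv6+ICMPv6 frame to ff02::1 (checksum left zero, not checked here)."""
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + b"\x86\xdd"
    icmp = bytes([itype, 0, 0, 0]) + body
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return eth + ip6 + icmp

def parse_frame(frame):
    """Return (src_mac, src_ip, icmp_type, icmp_body) for a plain ICMPv6 frame, else None."""
    if len(frame) < 58 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None                             # not IPv6, or extension headers in the way
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    return src_mac, ipaddress.IPv6Address(frame[22:38]), frame[54], frame[58:]

class NDMonitor:
    """Tracks who answers on the link; flags rogue RAs and one MAC claiming many targets."""
    def __init__(self, max_targets_per_mac=8):
        self.owner = {}        # target address -> MAC that advertised it first
        self.claimed = {}      # MAC -> set of target addresses it advertised
        self.limit = max_targets_per_mac

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return []
        src_mac, src_ip, itype, body = parsed
        alerts = []
        if itype == RA:
            if not src_ip.is_link_local:        # RFC 4861: RA source must be link-local
                alerts.append("RA from non-link-local source %s" % src_ip)
            if src_mac not in TRUSTED_ROUTER_MACS:
                alerts.append("RA from unexpected router %s" % src_mac)
        elif itype == NA and len(body) >= 20:   # flags(4) + target address(16)
            target = ipaddress.IPv6Address(body[4:20])
            first = self.owner.setdefault(target, src_mac)
            if first != src_mac:
                alerts.append("%s now claimed by %s (was %s)" % (target, src_mac, first))
            targets = self.claimed.setdefault(src_mac, set())
            targets.add(target)
            if len(targets) > self.limit:
                alerts.append("%s advertised %d different addresses" % (src_mac, len(targets)))
        return alerts
```

In a real deployment the frames would come from a packet capture on the LAN segment; the threshold is deliberately low so that a host answering for many neighbours stands out quickly.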
Page 25
(figure fragment: single target)
- Traffic amplification
- DoS for target link
Page 26
4 Smurf IPv6
- No broadcast addresses
- Replaced with various multicast addresses
- RFC 2463 states that no ICMP response should be sent when the destination is a multicast address. But exceptions are made.
  - Cisco Security Research got it all wrong :)
Page 27
4 Smurfing with the THC IPv6 Attack Toolkit
- smurf6 – for local smurfs
  - Source is target, destination is local multicast
- implementations (old Linux only)
  - Source is local All-Nodes multicast address (255.255.255.255 in IPv6 speak), destination is our target
  - If target has mis-implemented IPv6, it responds with an Echo Reply to the All-Nodes multicast
Page 28
5 Routing Protocols
- Most routing protocols provide their own security mechanisms
- This does not change with IPv6
- With the exception of OSPFv3, which has no security properties and relies on
Page 29
5 Routing Header Manipulation
(Figure: Routing header attack (like IPv4 Source Routing) across the Internet)
Use alive6 for checking if routing headers are allowed to target
Page 30
5 More fun with routing headers!
- remote system:
    alive6 eth0 YOUR IP VICTIM IP
- Find all servers in the world for an anycast address
  - Send packets to an anycast address via several remote systems:
    alive6 eth0 AnyCastAddr VICTIM IP1; alive6 eth0 AnyCastAddr VICTIM IP2; … etc.
Page 31
5 Route Implanting with ICMP6 Redirects
- If a system is choosing a wrong local router for a packet, the router tells this to the sender with an ICMP6 Redirect packet.
- the router has to send the offending packet with the redirect.
- is sending to a target for which we want to re-route, we can implement any route we want!
- If we fake an Echo Request, we know exactly the
Page 32
5 Route Implanting with ICMP6 Redirects
(V)ictim (A)ttacker (R)outer (T)arget
1 (A)ttacker sends Echo Request: Source: (T)arget, Destination: (V)ictim
2 (V)ictim receives the Echo Request, and sends a Reply to (T)
3 (A)ttacker crafts Redirect, Source: (R)outer, Destination: (V)ictim, redirects all traffic for (T) to (A)
Performed by redir6 in the THC IPv6 Attack Toolkit :)
Page 33
Implementation Example – It's SIMPLE!
- 5 lines of source are enough (from redir6.c):
- Sending an ICMP6 Echo Request:
    pkt = thc_create_ipv6(interface, PREFER_GLOBAL, &pkt_len, target6, victim6, 0, 0, 0, 0, 0);
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xdeadbeef, NULL,
Page 34
Implementation Example
- Sending the ICMP6 Redirect after the ping:
    thc_inverse_packet(ipv6->pkt + 14, ipv6->pkt_len - 14);
  Function inverses the Echo Request packet into an Echo Reply packet
    thc_redir6(interface, oldrouter6, fakemac,
- That's all – traffic will now be sent to newrouter instead!
Page 35
5 Fragmentation
- Fragmentation is performed by source, not routers; reassembling performed by destination only
- Routers in path can not drop packets with routing header if fragmentation comes first
- Same IPv4 techniques for fragmentation, timeout, replays, etc. exist in IPv6
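The Next Header chain from the header-structure slide (page 7) and the fragmentation point above (a routing header that sits behind a fragment header escapes filters that stop at the first fragment header) are both about walking the extension header chain. The added example below, written for this page and not taken from the THC toolkit, walks that chain over constructed packets and reports what a border filter would want to know: a type 0 routing header, a non-first fragment whose remaining chain is not visible, and a routing header placed after a fragment header. The Fragment header value (44) is not on the slide but is the standard IANA number.

```python
import struct
# IANA Next Header numbers listed on the slide, plus Fragment (44), which a chain walker must know.
NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv6", 43: "Routing", 44: "Fragment",
         46: "RSVP", 50: "ESP", 51: "AH", 58: "ICMPv6", 59: "No Next Header", 60: "Dest Options", 98: "OSPFv3"}
STEPPABLE = {0, 43, 44, 51, 60}        # extension headers whose length field lets us skip them

def walk_chain(pkt):
    """Return [(name, offset, info)] for the header chain; info = routing type or fragment offset/M word."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nh, off = [], pkt[6], 40
    while nh in STEPPABLE:
        if off + 8 > len(pkt):
            chain.append(("truncated", off, None))
            return chain
        if nh == 44:                       # Fragment: fixed 8 bytes, offset(13 bits)|res|M in bytes 2-3
            hlen, info = 8, struct.unpack("!H", pkt[off + 2:off + 4])[0]
        elif nh == 51:                     # AH: length in 32-bit words minus 2
            hlen, info = (pkt[off + 1] + 2) * 4, None
        else:                              # Hop-by-Hop / Routing / Dest Options: 8-byte units minus 1
            hlen, info = (pkt[off + 1] + 1) * 8, pkt[off + 2] if nh == 43 else None
        chain.append((NAMES[nh], off, info))
        nh, off = pkt[off], off + hlen
    chain.append((NAMES.get(nh, "proto %d" % nh), off, None))
    return chain

def audit(pkt):
    """Findings a border filter cares about: RH0, and a routing header only visible past a fragment header."""
    chain = walk_chain(pkt)
    names = [c[0] for c in chain]
    findings = []
    for name, _, info in chain:
        if name == "Routing" and info == 0:
            findings.append("routing header type 0 (source routing)")
        if name == "Fragment" and info >> 3 != 0:
            findings.append("non-first fragment: rest of chain not inspectable here")
    if "Fragment" in names and "Routing" in names and names.index("Fragment") < names.index("Routing"):
        findings.append("routing header placed after fragment header")
    return chain, findings

def ipv6(nh, payload):
    """Constructed minimal IPv6 header 2001:db8::1 -> 2001:db8::2 around payload."""
    addr = lambda last: b"\x20\x01\x0d\xb8" + b"\0" * 11 + bytes([last])
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + addr(1) + addr(2) + payload

ECHO = bytes([128, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef])            # ICMPv6 echo request, checksum not computed
RH0 = bytes([58, 2, 0, 1]) + b"\0" * 4 + b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x03"  # type 0, one hop
FRAG0 = bytes([43, 0]) + struct.pack("!H", 1) + b"\0\0\0\x01"    # first fragment (offset 0, M=1), next = 43
PKT_RH0 = ipv6(43, RH0 + ECHO)                                   # IPv6 | Routing(type 0) | ICMPv6
PKT_FRAG_RH = ipv6(44, FRAG0 + RH0 + ECHO)                       # IPv6 | Fragment | Routing | ICMPv6
```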
Page 36
5 Mobile IPv6
- Mobile IPv6 allows nodes to travel to different networks, while keeping TCP, UDP etc. connections alive – pretty cool
- Protocol specification is secure :( because IPSEC is mandatory
- All implementations have the option to disable the IPSEC requirement
- If this is done, use fake_mipv6 to redirect traffic for any mobile IPv6 node to a destination of your choice