IPv6 Security & HackingSwiss IPv6 Council Tech-Event                            Frank Herberg                            f...
Die nächsten 60 Minuten•  Aspekte von IPv6-Security•  Hackertools & ein paar Angriffsszenarien•  3 Empfehlungen  © 2013 SW...
Quiz: Was ist die relevanteFragestellung?✗q  a) Ist IPv6 sicherer als IPv4?✗q    b) Ist IPv6 unsicherer als IPv4?✗q  c)...
Quiz: Was ist die relevanteFragestellung? Und warum?✓q  Wie wirkt sich die Integration von IPv6 in meine Organisation auf...
Ziel: Sicherheitsniveau aufrecht erhalten       Value of                          Security   Risk        assets           ...
Dual Stack                  IPv6          IPv4    Managed                                        Monitored                ...
Mehr Komplexität durch mehrere IP-Adressen pro Interface                                                       IPv4 traffi...
Unvorhersehbare Quell-Adresswahl beiDual-Stack durch Happy Eyeballs173.194.32.119                              Monitoring,...
IPv6 Adress-Notation ist nicht eindeutigfe80:0000:0000:0000:0204:61ab:fe9d:f156 // full formfe80:0:0:0:204:61ab:fe9d:f156 ...
Extension Header & Security     IPv6-Header          TCP-            DATA     Next Header = 6     Header            …     ...
Extension Header Attacken•  Angreifer sendet Pakete mit    •  vielen EH    •  EH mit vielen Optionen    •  ungültigen EH o...
ICMPv6 ist viel umfangreicherError-Messages (1-127)1:Destination Unreachable 2:Packet too big (PMTUD)3:Time Exceeded (Hop ...
Geringere Reife im Design...•  Parts of IPv6 are still "Development in Progress"•  Examples:    RFC 6564: April 2012    "A...
... und in den Implementierungen(insbesondere bei Security Devices)                                               know wha...
Aktuelles Beispiel: "Remote system freezethanks to Kaspersky Internet Security 2013"                        a fragmented p...
Was sonst noch...•  IDS/IPS, Network-Monitoring, Service-Monitoring, etc.   must be upgraded for IPv6•  IPv4-based ACLs! (...
Wenig Know-how und Erfahrungen•  Little or no Know-how compared to IPv4   •  Network-Staff, Sysadmins, Security-Staff   • ...
Neue Angriffe – neue Hackertools•  The Hackers Choice IPv6 Attack Toolkit    ca. 50 Tools, M. Heuse und andere    http://t...
THC IPv6 Attack Toolkit (thc.org)•    Last update 2013-01-21•    Current public version: v2.1•    GPLv3 applies to this co...
SLAAC Step 1: generating link-local addr.                                            R1     A     MAC: 3c:07:54:5d:40:66  ...
SLAAC Step 2: generating global addresses                                              R1     A     fe80::3e07:54ff:fe5d:4...
Rogue Router Advertisement Principle                                                   I am your                          ...
Rogue RA – Denial of Service                                                  BLOCK                   R1    A             ...
Rogue RA – Man in the Middle Attack                                   FORWARD                  R1    A                    ...
Rogue RA – Performance Issue                                               WLAN                 R1    A                   ...
Rogue RA Attacking Toolfake_router6 / fake_router26Announce yourself as a router and try to become the default router.If a...
Rogue RA Scenarios•  Local Attacker with thc-tools installed•  Remote Attacker who successfully compromised a   node on th...
Router Lifetime 0 AttackWann sendet ein Router RAs mit"Router Lifetime" = 0? © 2013 SWITCH                   28
Router Lifetime 0 Attack                                                  R1 is down                                      ...
Router Lifetime 0 Attackkill_router6 eth0 ‘fe80::219:7ff:feeb:f80’!!Starting to send router kill entries forfe80::219:7ff:...
Router Lifetime 0 Attackkill_router6 eth0 ‘fe80::219:7ff:feeb:f80’!Starting to send router kill entries forfe80::219:7ff:f...
Router Advertisement Flooding                                                2004:: is a prefix                           ...
Router Advertisement Floodingflood_router6, flood_router26Flood the local network with router advertisements.Each packet c...
RA Flooding Effect on Win7 © 2013 SWITCH               34
Some RA Flooding Facts•  Nodes will stall or crash:   •    Windows XP,Vista,7,8,200x Server   •    Free/Net/Open-BSD - dep...
An "IPv6 readiness update" is availablefor Windows 7 and for Windows Server2008 R2 (Nov. 2012)http://support.microsoft.com...
Fazit zu Rogue Router Advertisements•  Everybody on the local network can   •  add IPs, delete / change default router   •...
Duplicate Address Detection - DOS                                                                 sorry, I have          I...
Duplicate Address Detection - DOS © 2013 SWITCH                      39
Some DAD-DOS Observations•  Linux configures link local address (!) and tries   every 30 seconds to configure a Global Uni...
Some other Attacks•  Attacks with MLD (fake/flood)•  NA Spoofing (wie ARP)•  Neighbor Cache Exhaustion Attack (Scanning)• ...
Fazit: Wie wirkt IPv6-Integration auf IT-Security einer Organisation?                   •  Higher complexity (protocol and...
How to decrease the Security of an IPv6deployment?  "Its  hard enough to deploy IPv6,    lets deal with the Security stuff...
How to improve the Security of an IPv6deployment? – Its simple!0. Secure existing Operationsè IPv6 is already there! (Aut...
frank.herberg@switch.ch                http://securityblog.switch.ch/                http://switch.ch/securitytraining© 20...
Anhang• Lese-Tipps• THC Installationstipps   © 2013 SWITCH           46
Zum Lesen• Scott Hogg / Eric Vyncke: "IPv6-Security"   Cisco Press• NIST - Guidelines for the Secure Deployment of IPv6   ...
Get & Install THC IPv6 Attack tools•  Download thc-ipv6-[Version].tar.gz from thc.org•  Required: Linux 2.6 or higher•  In...
Upcoming SlideShare
Loading in …5
×

IPv6 Security und Hacking

1,363
-1

Published on

Aspekte von IPv6-Security
• Hackertools & ein paar Angriffsszenarien
• 3 Empfehlungen

q a) Ist IPv6 sicherer als IPv4?
q b) Ist IPv6 unsicherer als IPv4?
q c) Wer ist an allem Schuld?
q d) Wie wirkt sich die Integration von IPv6 in
meine Organisation auf deren IT-Sicherheit aus?

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,363
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
34
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

IPv6 Security und Hacking

  1. 1. IPv6 Security & HackingSwiss IPv6 Council Tech-Event Frank Herberg frank.herberg@switch.chZürich, 25.3.2013 v1.2
  2. 2. Die nächsten 60 Minuten•  Aspekte von IPv6-Security•  Hackertools & ein paar Angriffsszenarien•  3 Empfehlungen © 2013 SWITCH 2
  3. 3. Quiz: Was ist die relevanteFragestellung?✗q  a) Ist IPv6 sicherer als IPv4?✗q  b) Ist IPv6 unsicherer als IPv4?✗q  c) Wer ist an allem Schuld?✓q  d) Wie wirkt sich die Integration von IPv6 in meine Organisation auf deren IT-Sicherheit aus? © 2013 SWITCH 3
  4. 4. Quiz: Was ist die relevanteFragestellung? Und warum?✓q  Wie wirkt sich die Integration von IPv6 in meine Organisation auf deren IT-Sicherheit aus? è  IPv6 kommt zusätzlich zu IPv4 ins Haus è  IPv6-Integration bringt vieles in Bewegung è  Ableiten von Massnahmen um akzeptables Sicherheitsniveau zu gewährleisten © 2013 SWITCH 4
  5. 5. Ziel: Sicherheitsniveau aufrecht erhalten Value of Security Risk assets level IT-Security Strategy © 2013 SWITCH 5
  6. 6. Dual Stack IPv6 IPv4 Managed Monitored Defined???? Filtered Secured maybe not Well known at all known © 2013 SWITCH 6
  7. 7. Mehr Komplexität durch mehrere IP-Adressen pro Interface IPv4 traffic173.194.32.119 link local IPv6 trafficfe80::3e07:54ff:fe5d:abcd2001:610::41:3e07:54ff:fe5d:abcd* global IPv6 traffic2001:610::41:65d2:e7eb:d16b:a761** è privacy issue global IPv6 traffic è traceability issue* Interface Identifier derived from MAC è the same all over the world** Privacy Extensions: random / temporary IP address © 2013 SWITCH 7
  8. 8. Unvorhersehbare Quell-Adresswahl beiDual-Stack durch Happy Eyeballs173.194.32.119 Monitoring,fe80::3e07:54ff:fe5d:abcd Traceability,2001:610::41:3e07:54ff:fe5d:abcd Session Hijacking2001:610::41:65d2:e7eb:d16b:a761 Prevention2 Mechanismen für Adresswahl:•  Default Address Selection RFC 6724 (2012) è "prefer IPv6"•  Happy Eyeballs RFC 6555 (2012), Application level è "prefer better user experience" (faster response) © 2013 SWITCH 8
  9. 9. IPv6 Adress-Notation ist nicht eindeutigfe80:0000:0000:0000:0204:61ab:fe9d:f156 // full formfe80:0:0:0:204:61ab:fe9d:f156 // drop leading zeroesfe80::204:61ab:fe9d:f156 // collapse multiple zeroes to ::fe80::204:61ab:254.157.241.86 // dotted quad at the end,multiple zeroes collapsed è  filtern & suchen wird schwieriger è  z.B. Logfile|grep, queries è  selbstgeschriebene Skripte © 2013 SWITCH 9
  10. 10. Extension Header & Security IPv6-Header TCP- DATA Next Header = 6 Header … (TCP) IPv6-Header Routing-Hdr. Frgmnt-Hdr. TCP- DATA Next Header = 43 Next Header = 44 Next Header = 6 Header … (Routing) (Fragment) (TCP)Die Grösse des IPv6-Header ist fix (40 Byte) èFür Optionen werden Extension Header angehängt•  Beliebig viele EH können verkettet werden alles•  EH können beliebig viele Optionen enthalten willkommene Einladungen•  EH haben verschiedene Formate für Hacker•  Reihenfolge ist nicht festgelegt (nur empfohlen) © 2013 SWITCH 10
  11. 11. Extension Header Attacken•  Angreifer sendet Pakete mit •  vielen EH •  EH mit vielen Optionen •  ungültigen EH oder Optionen (Fuzzing) •  EH in denen Informationen versteckt sind (Covert Channel) •  sehr viele Pakete mit Router-Alert-Option•  Umgehen von Security-Einrichtungen z.B. im Switch RA- Guard, Angriff auf das Endsystem (Robustheit der Implementierung), auf Router (beschäftigen) © 2013 SWITCH 11
  12. 12. ICMPv6 ist viel umfangreicherError-Messages (1-127)1:Destination Unreachable 2:Packet too big (PMTUD)3:Time Exceeded (Hop Limit) 4:Parameter Problem ICMP kann nichtInfo-Messages (Ping) mehr so einfach128:Echo Request 129:Echo Reply gefiltert werden siehe RFC 4890 (38Multicast Listener Discovery (MLD, MLD2) Seiten)130:Multicast Listener Query 131/143:Multicast Listener Report/2132:Multicast Listener DoneNeighbor Discovery (NDP), Stateless neue AngriffsvektorenAutoconfiguration (SLAAC) (lokal, remote)133:Router Solicitation 134:Router Advertisement ein paar Beispiele135:Neighbor Solicitation (DAD) 136:Neighbor Advertisement(DAD) 137:Redirect Message siehe untenOther (Router Renumbering, Mobile IPv6, Inverse NS/NA,…) 138-153 © 2013 SWITCH 12
  13. 13. Geringere Reife im Design...•  Parts of IPv6 are still "Development in Progress"•  Examples: RFC 6564: April 2012 "A Uniform Format for IPv6 Extension Headers" RFC 6555: April 2012 "Happy Eyeballs: Success with Dual-Stack Hosts" RFC 6724: September 2012 "Default Address Selection for IPv6" © 2013 SWITCH 13
  14. 14. ... und in den Implementierungen(insbesondere bei Security Devices) know what•  Common effects you need •  Required Features are not yet implemented •  You will have to wait for it watch out •  Performance isnt ensured •  Things are probably not (yet) hardware accelerated •  Stability isnt guaranteed be prepared •  You will have to deal with frequent updates © 2013 SWITCH 14
  15. 15. Aktuelles Beispiel: "Remote system freezethanks to Kaspersky Internet Security 2013" a fragmented packet with one large extension header leads to a complete freeze of the operating system...! © 2013 SWITCH 15
  16. 16. Was sonst noch...•  IDS/IPS, Network-Monitoring, Service-Monitoring, etc. must be upgraded for IPv6•  IPv4-based ACLs! (ssh-Access, DB-Access, you name it)•  IP Reputation based protection does not (yet) exist (IPv6 blacklists)•  Tunnel can be autoconfigured, can bypass IPv4- Firewalls (Protocol type 41, UDP) & NAT (Teredo, UDP)•  ... © 2013 SWITCH 16
  17. 17. Wenig Know-how und Erfahrungen•  Little or no Know-how compared to IPv4 •  Network-Staff, Sysadmins, Security-Staff •  Management, (1st-Level-)Support•  Learning IPv6 needs •  time •  free resources •  practical experience •  leads to mistakes in the beginning © 2013 SWITCH 17
  18. 18. Neue Angriffe – neue Hackertools•  The Hackers Choice IPv6 Attack Toolkit ca. 50 Tools, M. Heuse und andere http://thc.org/thc-ipv6/•  SI6 Networks IPv6 Toolkit ca. 12 Tools, F. Gont http://www.si6networks.com/tools/ipv6toolkit/è erproben neue Angriffsvektorenè zeigen Schwachstellen im Designè  oder der Implementierung (auch zum Testen!)è  können missbraucht werden © 2013 SWITCH 18
  19. 19. THC IPv6 Attack Toolkit (thc.org)•  Last update 2013-01-21•  Current public version: v2.1•  GPLv3 applies to this code•  This tool is for legal purposes only! © 2013 SWITCH 19
  20. 20. SLAAC Step 1: generating link-local addr. R1 A MAC: 3c:07:54:5d:40:66 B C Generate a link local address (FE80), from MAC address state: tentative Send NeighSolicit for DupAddrDetect (:: => Solicited-Node multicast addr) Either receive a NeighAdvert to show an address conflict: stop autoconfig or change state of link local address to: preferred fe80::3e07:54ff:fe5d:4066 © 2013 SWITCH 20
  21. 21. SLAAC Step 2: generating global addresses R1 A fe80::3e07:54ff:fe5d:4066 3c:07:54:5d:40:66 B C Send RS to All-Router-Multicast-Address (ff02::2) RA: Prefix is "2001:620:0:49::" Default Router Address is fe80... If RA received: generate global routable address(es) from received prefix(es) Send NS for DAD (:: => Solicited-Node multicast addr) Either receive a NA to show an address conflict: dont use address or configure Global Address(es) 2001:620:0:49:3e07:54ff:fe5d:4066, default router address(es) and other parameter (DNS) © 2013 SWITCH 21
  22. 22. Rogue Router Advertisement Principle I am your Default Router! R1 A C B Attacker sends Router Advertisements nodes configure IPv6 according to spoofed RA: IPv6 addresses & Default Router © 2013 SWITCH 22
  23. 23. Rogue RA – Denial of Service BLOCK R1 A B B Default RouterAll traffic sent to Attacker ends up in a black hole © 2013 SWITCH 23
  24. 24. Rogue RA – Man in the Middle Attack FORWARD R1 A B B Default RouterAttacker can intercept, listen, modify unprotected data © 2013 SWITCH 24
  25. 25. Rogue RA – Performance Issue WLAN R1 A B B Default Router Attacker becomes a bottleneck Often not an attack but misconfigured client © 2013 SWITCH 25
  26. 26. Rogue RA Attacking Toolfake_router6 / fake_router26Announce yourself as a router and try to become the default router.If a non-existing link-local or mac address is supplied, this results in a DOS.Example: fake_router6 eth0 2004::/48 © 2013 SWITCH 26
  27. 27. Rogue RA Scenarios•  Local Attacker with thc-tools installed•  Remote Attacker who successfully compromised a node on the network segment (DMZ)•  Misconfiguration! User "accidentally" transmits RAs onto the local link.•  E.g. Windows ICS (Internet Connection Sharing)è Accidental Rogue RA incidents are likely. © 2013 SWITCH 27
  28. 28. Router Lifetime 0 AttackWann sendet ein Router RAs mit"Router Lifetime" = 0? © 2013 SWITCH 28
  29. 29. Router Lifetime 0 Attack R1 is down (Router lifetime = 0) R1 A B B R1 sends legitimate RAs Attacker clones RAs but with Lifetime = 0 Remove legitimate router from routing table © 2013 SWITCH 29
  30. 30. Router Lifetime 0 Attackkill_router6 eth0 ‘fe80::219:7ff:feeb:f80’!!Starting to send router kill entries forfe80::219:7ff:feeb:f80 (Press Control-C to end)...!!!!Option -H adds hop-by-hop, -F fragmentation header and -D dst header tobypass RA guard. ! © 2013 SWITCH 30
  31. 31. Router Lifetime 0 Attackkill_router6 eth0 ‘fe80::219:7ff:feeb:f80’!Starting to send router kill entries forfe80::219:7ff:feeb:f80 (Press Control-C to end)... ! © 2013 SWITCH 31
  32. 32. Router Advertisement Flooding 2004:: is a prefix 2005:: is a prefix 2006:: is a prefix 2007:: is a prefix… R1 A B C Attacker floods LAN with Router Advertisements © 2013 SWITCH 32
  33. 33. Router Advertisement Floodingflood_router6, flood_router26Flood the local network with router advertisements.Each packet contains 17 prefix and route entries (only Version _26)-F/-D/-H add fragment/destination/hop-by-hop header to bypass RA guardsecurity.Syntax: flood_router6 [-HFD] interfaceExample: flood_router6 eth0 © 2013 SWITCH 33
  34. 34. RA Flooding Effect on Win7 © 2013 SWITCH 34
  35. 35. Some RA Flooding Facts•  Nodes will stall or crash: •  Windows XP,Vista,7,8,200x Server •  Free/Net/Open-BSD - depends on version •  OS X •  Juniper •  Android phones, iPads,... slow down or freeze•  Save: •  Cisco IOS & ASA - is fixed* •  Linux has a limit of 16 IPv6 addresses incl. link local (not attackable) © 2013 SWITCH 35
  36. 36. An "IPv6 readiness update" is availablefor Windows 7 and for Windows Server2008 R2 (Nov. 2012)http://support.microsoft.com/kb/2750841/en•  Only for Win7 and 2008 R2•  Limits no of prefixes to 100•  a patched machine still freezes totally during the attack, but recovers quickly when it stops © 2013 SWITCH 36
  37. 37. Fazit zu Rogue Router Advertisements•  Everybody on the local network can •  add IPs, delete / change default router •  DOS network •  do a MITM attack •  decrease Network-Performance •  decrease System-Performance •  crash Systems •  !! Autoconf. IPv6 in IPv4-only network = open 2nd doorConsider Mitigation ;-) è RFC 6104 © 2013 SWITCH 37
  38. 38. Duplicate Address Detection - DOS sorry, I have I want to use this address this IPv6 already address A B C A sends NS for DAD (to Solicited Node Multicast Address) Attacker sends NA for each NS A cant configure any IPv6 address © 2013 SWITCH 38
  39. 39. Duplicate Address Detection - DOS © 2013 SWITCH 39
  40. 40. Some DAD-DOS Observations•  Linux configures link local address (!) and tries every 30 seconds to configure a Global Unicast Address.•  XP tries a few times – also with different random addresses, and then quits•  Win7 tries a few times and then quits - might show popup "Windows has detected an IP address conflict"è works also for DHCPv6 and manual config!è Switch "MLD Snooping" © 2013 SWITCH 40
  41. 41. Some other Attacks•  Attacks with MLD (fake/flood)•  NA Spoofing (wie ARP)•  Neighbor Cache Exhaustion Attack (Scanning)•  Redirect Spoofing (wie gehabt)•  Attacks with DHCPv6 (wie gehabt)•  DNS dictionary / IP Pattern-scan (Reconnaissance)•  .... © 2013 SWITCH 41
  42. 42. Fazit: Wie wirkt IPv6-Integration auf IT-Security einer Organisation? •  Higher complexity (protocol and network) •  Lower maturity (especially security devices) Security level •  Less Know-how •  New / more Attack vectors •  Less visibility (monitoring) •  Already active in "IPv4-only" net •  A lot of changes (also means new opportunities) © 2013 SWITCH 42
  43. 43. How to decrease the Security of an IPv6deployment? "Its hard enough to deploy IPv6, lets deal with the Security stuff afterwards!" © 2013 SWITCH 43
  44. 44. How to improve the Security of an IPv6deployment? – Its simple!0. Secure existing Operationsè IPv6 is already there! (Autoconf., Tunnel èMonitoring, 2nd door ACLs, FW Tunnel traffic)1. Understand IPv6 before you deploy it!è Start early – start small – take your time!2. Synchronise deployment with the readiness ofyour Security equipment!è Have a plan - which involves Security! © 2013 SWITCH 44
  45. 45. frank.herberg@switch.ch http://securityblog.switch.ch/ http://switch.ch/securitytraining© 2013 SWITCH 45
  46. 46. Anhang• Lese-Tipps• THC Installationstipps © 2013 SWITCH 46
  47. 47. Zum Lesen• Scott Hogg / Eric Vyncke: "IPv6-Security" Cisco Press• NIST - Guidelines for the Secure Deployment of IPv6 http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf• Mailing List ipv6hackers http://lists.si6networks.com/listinfo/ipv6hackers © 2013 SWITCH 47
  48. 48. Get & Install THC IPv6 Attack tools•  Download thc-ipv6-[Version].tar.gz from thc.org•  Required: Linux 2.6 or higher•  Install sudo apt-get install libssl-dev libpcap-dev! tar -xzf thc-ipv6-n.n.tar.gz ! cd thc-ipv6-n.n/! make! sudo make install! make clean! !•  Run as root!•  Also to test implementations in your Lab! © 2013 SWITCH 48

×