A little bit of IPv6 security

Transcript

  • 1. A little bit of IPv6 security. Rafa Sanchez Gómez – CISA, rafa@iniqua.com, @r_a_ff_a_e_ll_o
  • 2. IPv6 Security: 1. Brief introduction to IPv6; 2. Some security risks in IPv6; 3. Research results; 4. Demo
  • 3. 1. Brief introduction to IPv6
  • 4. Some interesting aspects of IPv6. The main driver for IPv6 is its increased address space. IPv6 uses 128-bit addresses. There are different address types (unicast, anycast, and multicast) and different address scopes (link-local, global, etc.). It’s common for a node to be using, at any given time, several addresses of multiple types and scopes.
  • 5. Some interesting aspects of IPv6. The “end-to-end principle” … Each device will have a globally unique address. NATs will no longer be needed.
  • 6. Hacking IPv6
  • 7. Hacking IPv6
      - parasite6: icmp neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
      - alive6: an effective alive scanning, which will detect all systems listening to this address
      - fake_router6: announce yourself as a router on the network, with the highest priority
      - redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
      - toobig6: mtu decreaser with the same intelligence as redir6
      - dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS)
      - trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
      - flood_router6: flood a target with random router advertisements
      - flood_advertise6: flood a target with random neighbor advertisements
      - exploit6: known ipv6 vulnerabilities to test against a target
      - denial6: a collection of denial-of-service tests against a target
      - fuzz_ip6: fuzzer for ipv6
      - implementation6: performs various implementation checks on ipv6
      - implementation6d: listen daemon for implementation6 to check behind a fw
      - fake_mld6: announce yourself in a multicast group on the net
      - fake_mld26: same but for MLDv2
  • 8. Hacking IPv6

      IPv6(dst="2a02:9001:0:ffff:80:58:105:253")/IPv6ExtHdrRouting(type=0,addresses=["2a02:9001:0:57::6"])/ICMPv6EchoRequest()

      #!/usr/bin/python
      from scapy.all import *

      def aleatorio():
          ff=str(RandIP6())
          ff=ff[20:39]
          return ff

      for i in range(1,100000):
          packet=IPv6(src="2001:5c0:1400:a:8000:0:580c:3aa",dst="2a02:9008:3:111:"+(aleatorio()))/ICMPv6EchoRequest()
          send(packet,iface="sit1")
  • 9. 2. Some security risks in IPv6
  • 10. IPv4 Attack Example. Internal Network. Victim is attacked !!!
  • 11. IPv6 Connectivity Schema. No NAT needed with IPv6. No internal network needed. Direct connectivity. (Diagram labels: Administration; 2a02:9008:3::1; public prefix assigned 2a02:9008:3::/64.)
  • 12. IPv6 Phishing Attack Example. Victim is attacked !!! Don’t work too hard: default passwords, brute force (Hydra), exploit known vulnerabilities. No special vulnerability in the routers is needed. No interaction from the clients is needed. (Diagram labels: 2a02:9008:3::1; public prefix assigned 2a02:9008:3::/64.)
  • 13. Users also exposed. End-to-end model. Vulnerable services !! (Diagram labels: 2a02:9008:3::1; 2a02:9008:3::a36:1; 2a02:9008:3::a35:2; 2a02:9008:3::a46:8; 2a02:9008:3::a86:6.)
  • 14. 3. Research results
  • 15. Administration Services exposed in Internet. We did some research to check whether this was a real risk, and we discovered that it indeed is… We collected public information available on the Internet about IPv6 prefixes assigned by LIRs.
  • 16. IPv4 Connectivity
  • 17. Administration Services exposed in Internet. We scanned some of those prefixes just using nmap. Only some of the first IPs of each prefix…
  • 18. Administration Services exposed in Internet
  • 19. Administration Services exposed in Internet. Mail services in IPv6. SPAM nightmare is coming…
  • 20. 4. Demo …
  • 21. Tunneling… 1. Windows 7; 2. Linux (Backtrack); 3. Mac OS
  • 22. NDP. (Diagram labels: hosts 2a02:9008:3:f0f0:437:af0:665:8, 2a02:9008:3:f0f0:889:acb:9999:1 and 2a02:9008:3:f0f0:7676:bbb:9:10; public prefix 2a02:9008:3:f0f0::/64.)
  • 23. NDP Flooding … (Diagram labels: hosts 2a02:9008:3:f0f0:437:af0:665:8, 2a02:9008:3:f0f0:889:acb:9999:1 and 2a02:9008:3:f0f0:7676:bbb:9:10; public prefix 2a02:9008:3:f0f0::/64; 2a02:9008:3:f0f0:RAND.) CAM Table: 11:22:33:44:55:66 - 2a02:9008:3:f0f0:437:af0:665:8; 66:55:44:33:22:11 - 2a02:9008:3:f0f0:7676:bbb:9:10; … - …
  • 24. NDP Flooding in action…
  • 25. Questions ??? Rafa Sánchez Gómez, rafa@iniqua.com, @R_a_ff_a_e_ll_o, es.linkedin.com/in/rafasanchezgomez
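
Slide 8 builds an echo request carrying a type 0 Routing Header (RH0), which RFC 5095 deprecated. The following is an added example, not code from the original slides: it walks the extension header chain of a raw IPv6 packet and reports RH0 so that a filter or sensor can drop or flag it. The function names and the source address of the sample packet are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60

def find_rh0(packet: bytes):
    """Walk the extension header chain of one raw IPv6 packet. Return the hop
    addresses of a type 0 Routing Header, or None if there is none.
    Raises ValueError on non-IPv6 or truncated input."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment headers are always 8 bytes; the others carry Hdr Ext Len
        # in 8-octet units, not counting the first 8 octets.
        length = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING and packet[offset + 2] == 0:
            body = packet[offset + 8:offset + length]  # skip 4 fixed + 4 reserved bytes
            return [str(ipaddress.IPv6Address(body[i:i + 16]))
                    for i in range(0, len(body) - 15, 16)]
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            return None  # non-first fragment: what follows is not a header
        next_header, offset = packet[offset], offset + length
    return None

def build_sample(with_rh0: bool) -> bytes:
    """Constructed test packet; destination and hop are the slide 8 addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed  # constructed source
    dst = ipaddress.IPv6Address("2a02:9001:0:ffff:80:58:105:253").packed
    payload = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # echo request, checksum left 0
    first = ICMPV6
    if with_rh0:
        hop = ipaddress.IPv6Address("2a02:9001:0:57::6").packed
        # next header, Hdr Ext Len 2 (one address), type 0, segments left 1, reserved
        payload = struct.pack("!BBBBI", ICMPV6, 2, 0, 1, 0) + hop + payload
        first = ROUTING
    header = struct.pack("!IHBB", 6 << 28, len(payload), first, 64)
    return header + src + dst + payload
```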
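
The traffic pattern behind slides 8 and 23 is many packets to distinct, non-existent interface IDs inside one /64, each of which makes the last-hop router attempt neighbor resolution. The following is an added example, not code from the original slides: a router-side check that counts distinct unknown destinations per /64 in a sliding window. The event format, window, threshold and function names are assumptions, and the sample traffic is constructed.

```python
import ipaddress
from collections import defaultdict, deque

def detect_nd_sweep(events, known_hosts, window=10.0, threshold=50):
    """events: (timestamp_seconds, destination) pairs seen inbound at the router.
    Returns {"/64 prefix": peak number of distinct unknown destinations inside
    one window} for every prefix whose count reaches the threshold."""
    known = {ipaddress.IPv6Address(h) for h in known_hosts}
    recent = defaultdict(deque)                    # prefix -> (ts, addr) still in window
    hits = defaultdict(lambda: defaultdict(int))   # prefix -> addr -> count in window
    peaks = {}
    for ts, dst in sorted(events):
        addr = ipaddress.IPv6Address(dst)
        if addr in known:
            continue  # live neighbour: resolves, leaves no incomplete cache entry
        prefix = ipaddress.IPv6Network(((int(addr) >> 64) << 64, 64))
        queue, seen = recent[prefix], hits[prefix]
        queue.append((ts, addr))
        seen[addr] += 1
        while queue and queue[0][0] <= ts - window:  # expire events older than window
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) >= threshold:
            peaks[prefix] = max(peaks.get(prefix, 0), len(seen))
    return {str(p): n for p, n in peaks.items()}

def constructed_events():
    """Constructed sample: one minute of traffic to two live hosts plus a
    2-second burst to 200 distinct interface IDs in the slide 23 prefix."""
    base = int(ipaddress.IPv6Address("2a02:9008:3:f0f0::"))
    live = ["2a02:9008:3:f0f0:437:af0:665:8", "2a02:9008:3:f0f0:7676:bbb:9:10"]
    events = [(float(t), live[t % 2]) for t in range(60)]
    for i in range(1, 201):
        iid = (i << 48) | (i * 7919)               # distinct constructed interface IDs
        events.append((30.0 + i * 0.01, str(ipaddress.IPv6Address(base + iid))))
    return events, live
```

Feeding it the list of addresses already present in the neighbor cache as `known_hosts` keeps ordinary traffic to live hosts out of the count.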
