This document provides an overview of a student's final IT project on IPv6 security. The student will examine security issues in IPv6 and demonstrate an attack to show IPv6 is also vulnerable. Potential solutions will be briefly discussed. The student will analyze whether IPv6 provides more advantages than disadvantages compared to IPv4. The project will involve performing a man-in-the-middle attack using Evil FOCA and packet sniffing using Wireshark. A neighbor spoofing attack will also be demonstrated using files shared over an SMB server. A milestone plan outlines the stages of research, testing, analysis and documentation.
2. Javid Gozalov
4.sem INT B
Network
Mike Kandi
Tuesday, 10 June 2014
1
IT Technology programme
Final Project
(15 ECTS)
Examination: June 2014 Report no.:
Name: Javid Gozalov
Project title: IPv6 Security
Problem definition and technical specification:
I will start by addressing the different kinds of security issues that are present in IPv6.
Furthermore I will demonstrate an attack, for the purpose of showing that IPv6 has security
issues too.
Some plausible solutions for fixing the problems will be presented briefly.
Finally I will give my own reasoning on whether IPv6 provides more pros than cons
compared to IPv4, and why that is so.
Supervisor:
Mike Kandi
The project is copyright protected.
Date: Student signature:
Date: Supervisor signature:
IPv6 Security
Solemn Declaration
I solemnly declare that I have personally and independently created this report. I have
clearly marked any and all quotes in the text as such, and neither the report nor any
essential parts of it are at present or have previously been submitted for any other
examination.
I am aware that any violation of the rules on academic integrity shall be treated in
accordance with Article 19 of the Danish Order No 1016 of 24 August 2010 on Tests and
Examinations in vocational educations.
[Student’s signature]
____________________________
[Student’s name, date]
Table of Contents
Preface ................................................................................................................................5
Abbreviations.......................................................................................................................6
Introduction..........................................................................................................................7
Problem formulation and project scope ...............................................................................8
Problem formulation .........................................................................................................8
Project scope....................................................................................................................8
The Project ..........................................................................................................................9
Milestones – plan..............................................................................................................9
Theory behind IPv4 & IPv6.............................................................................................11
Quick history ...............................................................................................................11
Special-Use IPv6 addresses .......................................................................................13
IPv6 and IPv4 differences ...........................................................................................14
IPv4 header.................................................................................................................17
IPv6 header.................................................................................................................18
IPv6 basics detailed........................................................................................................20
IPv6 Protocols .............................................................................................................20
Link-local addresses....................................................................................................21
Preparation.....................................................................................................23
Neighbor Spoofing: MITM Attack....................................................................................25
Neighbor spoofing: Detailed ...........................................................................................28
Recap..........................................................................................................................28
Possible fix..................................................................................................................29
Reality check...............................................................................................................30
Conclusion.........................................................................................................................33
List of references ...............................................................................................................34
Bibliography.......................................................................................................................35
Appendices........................................................................................................................36
Risk assessment for IPv4 exhaustion and IPv6 adoption ...............................................36
Risk events occurrences .............................................................................................36
Risk damage occurrences...........................................................................................37
Installation of Wireshark .................................................................................................37
Installation of Evil FOCA.................................................................................................37
SMB server setup...........................................................................................................38
The steps ....................................................................................................................38
Preface
Computer Networking, Fifth Edition is a classic book that teaches the key principles of
computer networking with real-life examples and protocol explanations. Its primary
example is the Internet, with its various protocols and technologies explained. That is,
with the exception of one very important protocol: IPv6.
Although one could argue it is explained in the book itself, I would argue that the real
substance of the subject is lacking. Contrary to IPv4, for which the book presents the
main concepts, working status and history, the security of IPv6, or the lack thereof,
is not covered at all.
While reading the short chapter about IPv6 in the book, which was also disregarded
in our lectures, it was clear that several things were missing.
I'm in no way a professional, nor educated in IPv6, so I've limited myself to the basic
security of IPv6 in a very basic and simple network.
I'll give an overview of how IPv6 works in the real world within a simple home network
and how it can be intercepted by a network-educated end user.
As mentioned above, this report will be based on:
1) The lack of coverage of IPv6 security in the book Computer Networking, Fifth
Edition
2) IPv6 attacks in Internet Connections by Chema Alonso, using his video presentation
and PDF
3) The knowledge we have gained using Wireshark in different exercises, and basic
computer knowledge.
Abbreviations
ARP Address Resolution Protocol
DSCP Differentiated Services Code Point
ICMPv6 Internet Control Message Protocol version 6
IETF Internet Engineering Task Force
IP Internet Protocol
IPsec Internet Protocol Security
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
MAC Media Access Control Address
MVP Microsoft Most Valuable Professional
NA Neighbor Advertisement
NAT Network Address Translation
NDP Neighbor Discovery Protocol
NIC Network Interface Card
NS Neighbor Solicitation
QoS Quality of Service
RA Router Advertisement
RS Router Solicitation
SMB Server Message Block
ST/ST-II The Internet Stream Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
Introduction
I've learned a fair amount about IPv4 and all of the protocols that accompany and cooperate with
it. I've been presented with all of its pros and cons. The basics gave me a decent,
somewhat transparent idea of how the Internet really works in today's world.
Following what I have been taught, I learned there's a big brother to our current IP
version 4 protocol, and that is IPv6.
Learning about IPv6, I found out there's a fair amount I still don't know and which is virtually
unknown to the general public (even the part of it partially educated in computer networks).
This report will follow my journey through the explanation and comparison of IPv4 and IPv6.
I will use some programs to assist me:
Wireshark [1]
o Wireshark is an open-source packet analyzer. It has won several awards,
and is by far the most preferred application for the network-educated
and for hackers.
Evil FOCA [2]
o Evil FOCA is a weaponized executable program that can perform several
IPv4 and IPv6 attacks and hijacks. It is in a beta stage, but it does its work
just fine.
SMB server
o Is enabled in Windows 7 and functions as an actual network server which
can share files.
[1] https://www.wireshark.org/download.html
[2] http://www.informatica64.com/evilfoca/
Problem formulation and project scope
Problem formulation
I will start by addressing the different kinds of security issues that are present in IPv6.
Furthermore I will demonstrate an attack, for the purpose of showing that IPv6 has security
issues too.
Some plausible solutions for fixing the problems will be presented briefly.
Finally I will give my own reasoning on whether IPv6 provides more pros than cons
compared to IPv4, and why that is so.
Project scope
My report will solely be about the security of IPv6, with some brief contrast against
IPv4.
I will perform the following attack(s) (really one attack, combined with other programs
assisting):
MITM (using Evil FOCA)
Neighbor Spoofing (using Evil FOCA)
Packet sniffing (using Wireshark)
To prove the attack has been successful I will recover the same data that was exchanged
between two computers. The shared information will be going through an SMB server. [3]
The attack has actually already been performed by Chema Alonso, a security researcher for
Eleven Paths, a Telefonica Digital company. He has a PhD in Computer Security, as well
as Computer Science and System Engineering degrees. He has more than 12 years of
experience as a security professional and is recognized as an MVP. [4]
In relation to this report, he performs several attacks on IPv6 using the Evil
FOCA tool. [5]
[3] The SMB server is going to be detailed in the Appendices.
[4] https://www.linkedin.com/pub/chema-alonso/25/42a/810
[5] http://www.securitytube.net/video/9275
The Project
Milestones – plan
After a rough estimate of what is needed in this particular case, we have sketched up a
general milestone plan. More specific milestone plans under each area will be supplied.
(Items 1 to 7 will be discussed after the plan.) (The plan was written on March 18th.)
Week #: 12 13 14 15 16 17 18 19 20 21 22 23
Stages, in order (the number in parentheses refers to the notes that follow the plan):
Research on IPv4 & IPv6
Problem formulation & scope
Introduction
Project (1)
Understanding video (2)
Pre-tests (3)
Construction (4)
Neighbor spoof (5)
Recap and reality (6)
Appendices (7)
Conclusion
1) The standard form of the project was to be shaped. I was trying to figure out how to
place everything together and make the puzzle pieces fit, without making it too
advanced and boring, but overall educational to follow throughout the conception of
the spoofing hack.
2) Understanding the hacking video explanation by Chema Alonso, and figuring
out how he did his magic, took a while. Several other videos were watched to
gain a similar understanding of the main video.
3) Pre-tests: I tried doing the spoofing hack several times. First I tried on the LAN, using
my switch, but it presented a good amount of problems I couldn't comprehend,
so WLAN was chosen afterwards, which worked fluently.
4) Construction: this phase was really just for my own and the reader's sake, to explain
the work behind and before the actual spoofing hack.
5) Test: after all the construction and preparation, the actual hack was put to the test
and the results were provided with detailed explanations.
6) A summary, if you will, to wrap it all up and see if things were as expected, and why or
why not. A reality check was provided afterwards to put everything in perspective towards
possibly solving the spoofing issue in the IPv6 world, as it will (hopefully) be
adopted everywhere soon.
7) Last but not least, the appendices. I chose to attach the making of the SMB server
here, although I personally felt that it belonged in the report itself, so it is
detailed very thoroughly, with several screenshots too.
Theory behind IPv4 & IPv6
Quick history
First of all, what is IPv6? Why does it appear everywhere on the Internet?
IPv6 is the newest version of the Internet Protocol. IPv6 was developed by the IETF for the sole
purpose of dealing with the inevitable IPv4 address exhaustion.
In the beginning NAT was the short-term solution for the lack of IPv4
addresses, but IPv6 has (since its invention) been the long-term solution, due to the
guarantee of sufficient addresses for all smart devices the world over.
The total IPv4 address space is:
The total IPv6 address space is:
IPv4 is written in dotted-decimal notation, making it really easy to decipher for the
common man. An IPv4 address typically looks like this: 192.168.1.3
A rule of thumb is that one can replace 4 groups of consecutive 0's with "::".
This rule can only be used once for each address, to avoid confusion. To explain further,
an example will be provided using another IPv6 address.
Some great examples can be borrowed from Jeffrey L. Carrell: first the
hexadecimal notation picture of the groups of the IPv6 address, and then the shortcut
explanation in pictures too. [6]
[6] http://www.txv6tf.org/wp-content/uploads/2011/04/Carrell-IPv6_for_SMBs_Easy_or_Hard.pdf
The rule is simple. Seeing the first picture, it's very clear that an address needs 8 groups, thus
if we use the "::" shortcut once we can calculate exactly how many groups of zeros are
missing.
Using this shortcut more than once would be a problem, as we would be unable to tell how the
hidden groups are split between the two places.
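The "::" rule in code, as an added example (not from the report): expanding a written address to its eight 16-bit groups and compressing it back. It generalizes beyond the four-zero-group case in the pictures to any run of zero groups, and the check that "::" occurs at most once is exactly what makes the count of hidden groups unambiguous.

```python
# Added example: IPv6 text form <-> eight 16-bit groups, implementing the
# "::" shortcut rule described in the report (not the report's own code).
from typing import List


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit groups of an IPv6 address written in text form."""
    if text.count("::") > 1:
        # Two "::" would leave it ambiguous how the hidden zero groups are split.
        raise ValueError("'::' may only be used once: %r" % text)
    if "::" in text:
        left, right = text.split("::")
        for side in (left, right):
            if side.startswith(":") or side.endswith(":"):
                raise ValueError("stray ':' next to '::' in %r" % text)
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        # 8 groups are required, so the number hidden by "::" is fixed.
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), text))
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError("bad group %r in %r" % (g, text))
        values.append(int(g, 16))  # raises ValueError on non-hex characters
    return values


def compress_ipv6(groups: List[int]) -> str:
    """Write eight groups in the short form: lower-case hex without leading
    zeros, and the longest run of two or more zero groups replaced by '::'
    (the first such run if there is a tie, as RFC 5952 recommends)."""
    if len(groups) != 8:
        raise ValueError("need exactly 8 groups")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right


def is_valid_ipv6_text(text: str) -> bool:
    """True if `text` follows the grouping and '::' rules above."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False
```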
IPv6 shows address prefixes the same way as IPv4, using the CIDR slash
notation: [7]
ipv6-address/prefix-length
Special-Use IPv6 addresses
::/128 – The unspecified address, all bits zero, aka 0.0.0.0/32 in IPv4.
::/0 – The default unicast route, aka 0.0.0.0/0 in IPv4.
::1/128 – Localhost, aka 127.0.0.1 in IPv4.
fe80::/10 – The link-local address range, generating a LAN network in the fe80::/64 range.
ff00::/8 – Multicast addresses, reserved for multicast uses.
These are by far the most important; there are thousands more though, which are listed in the
RFC document. [8]
[7] http://tools.ietf.org/html/rfc3513#section-2.3
[8] https://tools.ietf.org/html/rfc5156
IPv6 and IPv4 differences
So if we were to draw the big picture, we are talking about loads of differences.
Simplified and summarized, IPv6 has/is:
1) No NAT (every IP is unique now)
2) Is approximately times bigger
3) Real QoS, replaced by flow labeling
4) No need for a DHCP server any more
5) A much simpler header
6) A more efficient routing system (anycast)
7) Can handle jumbograms, which can be as large as , almost as large as
4 GB [9]
ISPs are therefore very generous with address allocation. A home user using IPv6 will get
a /64 prefix, which is almost 4 billion times larger than the entire IPv4 address room.
According to Cisco, in their IPv6 Address Plan Considerations: [10]
A /64 prefix should be used for traditional LAN/WAN interfaces of network devices.
A /126 prefix should be used for point-to-point links. However, due to the extensive
size of the address space in IPv6, the recommendation is again /64.
A /128 prefix is only for use where only one address is required, e.g. a loopback address.
IPv6 also has the ability to use stateless configuration, meaning it'll use IPv6 stateless
address autoconfiguration to make an address without a DHCP server, using the network
prefix combined with the interface identifier. [11]
Looking at the picture below, we see the actual side-by-side comparison of the creation of
the IPv6 address. It uses the link-local /64 prefix together with the MAC address to
calculate one unique IPv6 address.
That's the one without a router handing out addresses; the other one is the same, except
now the MAC address mix is excluded and the identifier is a random 64-bit creation by the router,
once again making this as unique as possible, with little or almost no chance of duplication.
[9] https://tools.ietf.org/html/rfc2675
[10] http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-government/sbaBN_IPv6addrG.pdf
[11] http://tools.ietf.org/html/rfc4862
The creation of the /64 prefix together with the MAC address is pretty interesting.
As the picture above shows, it's not very hard to see how it's done. [12]
[12] http://www.txv6tf.org/wp-content/uploads/2011/04/Carrell-IPv6_for_SMBs_Easy_or_Hard.pdf - slide 9
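The MAC-to-address construction shown in the picture, as an added example (not code from the report): the modified EUI-64 interface identifier (RFC 4291 appendix A) is the MAC with ff:fe inserted in the middle and the universal/local bit flipped, appended to fe80::/64. The last function applies the check to the three hosts from the report's preparation table; none of their link-local addresses is derived this way, which is what the randomly generated identifiers mentioned above look like in practice (the table values are the report's, the check is mine).

```python
# Added example: modified EUI-64 interface identifiers and link-local
# addresses from MAC addresses (not the report's own code).
import ipaddress
from typing import Dict

# Hosts from the report's preparation table: name -> (link-local address, MAC).
LAB_HOSTS = {
    "A": ("fe80::397a:3b1c:d948:7df", "74-DE-2B-38-0A-64"),   # Java-PC
    "B": ("fe80::c45b:5bfc:b253:7ede", "00-21-5C-92-E6-35"),  # Emil-PC
    "C": ("fe80::88f5:5c29:f65:8c32", "00-21-6A-57-71-EE"),   # Javaa-PC
}


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert 0xfffe in the middle and
    flip bit 7 of the first octet (the universal/local bit)."""
    octets = bytearray(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("bad MAC address %r" % mac)
    eui = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    eui[0] ^= 0x02
    return bytes(eui)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix + EUI-64 interface identifier, in canonical text form."""
    packed = b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64_iid(mac)
    return str(ipaddress.IPv6Address(packed))


def iid_matches_mac(address: str, mac: str) -> bool:
    """True if the low 64 bits of `address` are the modified EUI-64 of `mac`."""
    low64 = ipaddress.IPv6Address(address).packed[8:]
    return low64 == mac_to_eui64_iid(mac)


def mac_from_eui64_iid(address: str) -> str:
    """Recover the MAC embedded in an EUI-64 based address (upper-case, hyphens)."""
    low64 = ipaddress.IPv6Address(address).packed[8:]
    if low64[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier of %s is not EUI-64 based" % address)
    octets = bytearray(low64[:3] + low64[5:])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return "-".join("%02X" % o for o in octets)


def lab_hosts_eui64() -> Dict[str, bool]:
    """Which of the report's hosts use an EUI-64 derived interface identifier."""
    return {name: iid_matches_mac(addr, mac) for name, (addr, mac) in LAB_HOSTS.items()}
```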
The address management and assignment systems are explained by Cisco:
Static configuration: Similar to IPv4, everything is manually
configured.
Stateless Address Autoconfiguration (SLAAC): The host does
everything on its own; it sends RS messages, and the requested RAs
are sent around too, to enter other devices' IPv6 tables.
Stateful DHCPv6: The host uses DHCP to get the IPv6 address,
similar to IPv4.
Stateless DHCP: The host uses SLAAC and also DHCP to get extra
info about TFTP servers etc. [13]
Those 4 different ways to configure a host address in IPv6 are detailed in the document by
Cisco. The only thing lacking in this document is security, but all of that can be found (as
mentioned later) in different RFC memos.
A last interesting fact about IPv6 is that IPv5 was skipped for a unique reason. That
reason being that a protocol named ST/ST-II uses Internet Protocol
version number 5, although it has never been known as IPv5. IP itself has version number
4. So to avoid any further confusion, version 5 was officially skipped and the new protocol dubbed IPv6. [14]
It's important to remember that by not dealing with this new IP protocol and the many features
it comes with, one is begging to be hacked; it's virtually a free pass into one's network, one
way or another.
[13] http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-government/sbaBN_IPv6addrG.pdf
[14] https://tools.ietf.org/html/rfc1819, page 8 – second paragraph.
IPv4 header
One of the most noticeable differences between IPv4 and IPv6 is the datagram format,
the actual headers.
The familiar IPv4 header is fairly advanced and filled with options necessary for it to
function properly and securely.
From the top left corner, moving to the right, we account for the following IPv4 datagram
fields: [15]
Version number. 4 bits specifying the IP protocol version, in this case IPv4.
Header length. These 4 bits specify the actual size of the header.
Type of service (now called DSCP). Used for example by Voice over IP (VoIP)
technology. [16]
Datagram length. The total length of the IP datagram (header + data). 16 bits long.
Identifier, flags, fragmentation offset.
Time-to-live (TTL). Ensures that datagrams don't circulate forever. Once
the TTL field reaches zero, the datagram must be dropped.
Protocol. In this field an IP protocol number is used to define the protocol
used in the payload of the IP datagram.
Header checksum. The checksum used for detecting bit errors in the received IP
datagram. Both UDP and TCP have checksum fields of their own. As the TTL field is changed,
the checksum is recalculated.
Source and destination IP addresses. Once the source creates the datagram, it
puts its own IP address into the source IP address field and inserts the
receiver/destination into the destination IP address field. Both fields can be
changed along the way due to NAT. [17]
Options. A rarely used field, which means this field is only used if needed, thus it
won't be included in all headers unless used.
Data/payload. The final field. Usually contains a transport-layer segment
(TCP/UDP) to be delivered. Can also contain ICMP messages such as "Destination
Unreachable" etc. [18]
[15] Computer Networking, 5th Edition, page 342 – 4.4.1 Datagram Format
[16] https://tools.ietf.org/html/rfc2474
[17] https://tools.ietf.org/html/rfc2663
[18] http://www.iana.org/assignments/icmp-parameters
IPv6 header
As we move up to the IPv6 datagram format, we see rather interesting changes.
The differences are rather logical, and so are the datagram fields that stay the same. So I will
rather discuss the most important changes that were introduced in IPv6, which are most
evident in this format:
Expanded addressing capabilities. With the enormous increase of the size of the IP
address from 32 bits to 128 bits, we can surely say the world will almost NEVER
run out of IP addresses. Also, in IPv6 a new addressing method is introduced, called
anycast, alongside the well-known unicast and multicast. An anycast address routes a
datagram to a single member of a group of interfaces that share the same destination
address, [19] thus hitting the one endpoint that is nearest. As mentioned in the book,
this would be great for sending an HTTP GET to the nearest of a number of mirror sites
for a given document, as this will greatly improve loading time. [20]
Streamlined 40-byte header. Since a lot of IPv4 fields have been dropped, the
header is processed faster.
Flow labeling and priority. The philosophy is that audio and video transmissions
can/might be treated as a flow, but newer "similar" traditional programs won't be
treated as a flow. [21]
Quickly going through all the fields:
Version. As in IPv4, this is where it says IPv6 by carrying the number 6.
Traffic class. 8-bit field, similar to the same field in IPv4.
Flow label. 20-bit field which basically serves as some kind of hint to routers
and/or switches with lots of paths, so the packets of a flow stay on their path. [22] It has
been suggested it can be used to detect spoofed packets too, without a good mention of
how, though. [23]
Payload length. 16-bit value.
Next header. Basically indicates which protocol the payload will be delivered to.
Hop limit. Replaces TTL from IPv4.
Source and destination addresses. 128-bit addresses.
Data. The payload portion of the datagram. Once it reaches the destination, the payload will
be removed from the datagram and passed on to the protocol specified in the
next header field.
[19] https://tools.ietf.org/html/rfc4291#section-2.6
[20] Computer Networking, 5th Edition, page 366 – 4th last sentence in braces, "This feature could…"
[21] Computer Networking, 5th Edition, page 367 – Flow labeling and priority – "For example, audio…"
[22] http://tools.ietf.org/html/rfc6437
[23] http://tools.ietf.org/html/draft-blake-ipv6-flow-label-nonce-02
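The fixed 40-byte header just listed, packed and parsed in code as an added example (not from the report or from Wireshark): the first 32 bits carry version, traffic class and flow label side by side, so the field widths given above decide the bit shifts. The last function is a receiver-side check the NDP section relies on: RFC 4861 requires Neighbor Discovery messages to arrive with hop limit 255. The sample datagram between the report's hosts C and A is constructed here, with an all-zero placeholder payload.

```python
# Added example: IPv6 fixed header pack/unpack with the field widths from the
# text above (not the report's own code).  Standard library only.
import ipaddress
import struct

IPV6_HEADER_LEN = 40
ICMPV6 = 58  # next header value for ICMPv6, which carries NDP


def build_ipv6_header(src: str, dst: str, payload_len: int, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0,
                      flow_label: int = 0) -> bytes:
    """Pack the fixed header: version (4 bits) | traffic class (8) | flow label (20),
    then payload length (16), next header (8), hop limit (8), src, dst (128 each)."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    if not (0 <= traffic_class < 256 and 0 <= hop_limit < 256 and 0 <= next_header < 256):
        raise ValueError("traffic class, next header and hop limit are 8-bit fields")
    if not 0 <= payload_len < (1 << 16):
        raise ValueError("payload length is a 16-bit field")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data: bytes) -> dict:
    """Unpack the fixed header at the start of a datagram and return its fields."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 datagram (version %d)" % version)
    if len(data) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("payload length field larger than the bytes captured")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(ipaddress.IPv6Address(data[24:40])),
        "payload": data[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len],
    }


def ndp_hop_limit_ok(header: dict) -> bool:
    """RFC 4861: NS/NA/RS/RA must arrive with hop limit 255.  A lower value means
    the packet crossed a router (or was forged carelessly) and the receiver must
    silently discard it; this is the first cheap filter for off-link NDP."""
    return header["next_header"] == ICMPV6 and header["hop_limit"] == 255


# Constructed sample: an ICMPv6 datagram from the report's host C to host A,
# with a 32-byte all-zero placeholder payload.
SAMPLE = build_ipv6_header("fe80::88f5:5c29:f65:8c32", "fe80::397a:3b1c:d948:7df",
                           payload_len=32, next_header=ICMPV6, hop_limit=255,
                           traffic_class=0xE0) + b"\x00" * 32
```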
IPv6 basics detailed
In this section certain basic principles of IPv6 will be introduced.
IPv6 is automatically configured by default in most OSes across the Internet. [24]
IPv6 Protocols
There are several protocols for IPv6 one should be aware of; I will focus on the main ones
that we will be using later in this report.
Neighbor Discovery Protocol
NDP uses five ICMPv6 packet types: RS, RA, NS, NA and Redirect.
The actual scenario is that one device sends an NS message to a multicast address, and
the corresponding device sends back a unicast NA message with that device's MAC address.
That particular address will then be saved in the neighbor table of the requesting device
which originally sent the NS message. [25]
Furthermore, to actually access the neighbor table, we have to open CMD and run the
command:
[24] https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems
[25] https://tools.ietf.org/html/rfc4861
This is what will appear.
The two top IPv6 addresses are the two computers I share the SMB server with on the
WLAN network on my router. More may appear, assuming your PC automatically used
NDP to add others from your network to your table.
Link-local addresses
Since most OSes support IPv6 nowadays, the NIC (assuming it supports IPv6 too) is going
to be configured either manually or automatically and will present that device with a
link-local address.
That particular address is generated fully automatically and is then announced across the
network using NDP. As mentioned in the RFC, the link-local address is designed for ND
and must not have packets forwarded by any router to other links. Its main purpose is for
addressing when a router isn't present. [26]
[26] https://tools.ietf.org/html/rfc4291#section-2.5.6
As can be seen, "Obtain an IPv6 address automatically" for both the IPv6 address and the DNS
server is on by default. Duplication of the link-local address will most likely not happen. [27]
Since the link-local address is now set by default for IPv6, we can try pinging the other PCs
using their PC names on the WLAN network, to see whether the IPv4 or the IPv6 address will
appear on the ping output in the command prompt.
And as seen on the screenshot, computer B [28] was pinged successfully, using the
link-local address.
Let's try computer A too, but let's ping from B to A so we know for a fact that they talk to
each other, before the SMB server is set up and we start.
So now we are all set and ready for the next steps.
[27] http://tools.ietf.org/html/rfc4862#section-5.3
[28] See next page for computer B reference, visible in the table.
Preparation
For the IPv6 attack using Evil FOCA through an SMB server, we will have to make sure all
devices (in this case simply PCs) are on the same network, in this case WLAN.
It is important to note that the PC that will perform the MITM attack will be Javaa-PC = C.
Then we have two more PCs, the second one being Java-PC aka A and Emil-PC aka B.
    IPv6 addr                  MAC addr            NAME
A   fe80::397a:3b1c:d948:7df   74-DE-2B-38-0A-64   Java-PC
B   fe80::c45b:5bfc:b253:7ede  00-21-5C-92-E6-35   Emil-PC
C   fe80::88f5:5c29:f65:8c32   00-21-6A-57-71-EE   Javaa-PC
As we open Evil FOCA on A, we can double-check whether the information above is correct
or not.
First it is important that we select WLAN as our interface in Evil FOCA. It'll tell us our
IPv6 address too.
As seen on the two screenshots, WLAN is correctly selected, and we are presented with our
IPv6 addresses to confirm that it is indeed the correct interface.
Continuing on, we clearly see our beloved two computers, A and B, with their unique names,
IPv4 addresses (irrelevant, but presented nonetheless) and their IPv6 addresses. To the left
of the computer names the MAC addresses are viewable too.
Comparing to the table I made earlier, we can see that it all corresponds, so let's
continue with the hack.
In this case we will be using A as Gateway and B as Target. Simply by dragging A to
Gateway and letting go, and doing the same with B as Target, we are almost ready for the
spoofing attack.
Before clicking start we need to fire up Wireshark so we'll capture everything going on in
the network.
In Wireshark we must remember to select WLAN and click start so it'll begin capturing.
Afterwards it'll capture everything going through this computer – including the traffic
between computers A and B and everything they share.
Neighbor Spoofing: MITM Attack
Once Wireshark has started, we click start on our Evil FOCA MITM attack and let the games
begin.
The first seconds of the packet trace are going to give quite the results. As we can see,
the MITM has sent an NA packet spoofing computer A and then the exact same spoofing
computer B.
This is incredibly easy to see, as the link-layer address is computer C's, which is the MITM
computer performing the attack, spoofing both computers and thus being wired into their
neighbor tables without them really knowing – all done silently.
To access the SMB server, we use A, who will be the victim accessing the needed file in
the exchange between him and B. So we need to open a file that B has shared. We do
that by entering the Network folder, finding Emil-PC (B), following the folders
available, and opening the first text file in the folder, a benchmark for an SSD of mine.
Now let's jump onto Wireshark and see what is really going on in terms of sniffing after
we've spoofed ourselves in between those computers.
As mentioned, the text file contains a decent amount of information, which may or may not
be secret to the users. We will jump into Wireshark once more to analyze the traffic
captured by the attacker, C, to observe what SMB packets have been going back and forth
to obtain that particular text file that was transmitted over IPv6.
We do this by finding the SMB packets, right-clicking one of them and choosing "Follow TCP
Stream". This way we'll be listening to the whole conversation between A and B
throughout the SMB server connection via IPv6.
Now all we have to do is follow the TCP stream and find something useful, or rather that
particular file that was transmitted.
Both A and B computer names are shown, so we are on the right track.
Impressively enough, the whole file is reproduced perfectly, and the path is shown too.
Neighbor spoofing: Detailed
Recap
Our attack was based on NA and NS messages.
We used the NDP protocol, with only the two ICMPv6 message types mentioned above.
Without going into detail, NDP is very similar to ARP for IPv4: it works the same way ARP does, but it is not ARP. [29]
In our case, we managed to put our own information into the two victims' neighbor tables without ever being asked by an NS, thus ensuring routes into those particular devices without the devices knowing, or being notified in any sort of way.
Our MITM attack sent 2 NA packets to 2 different network devices (A and B respectively), which gave us the exclusive ability to have both devices send their SMB packets through us, computer C, and thus to read everything by following the TCP stream.
[29] http://docs.oracle.com/cd/E19082-01/819-3000/chapter1-41/index.html
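The two signatures described above (an unsolicited NA that rewrites a victim's cached link-layer address, and one link-layer address advertised for both victims) can be checked for from the defender's side. The following is an added example written for this page, not code from the report, Evil FOCA or Wireshark; the addresses, MACs and NA records are constructed, and the cache-update rule mirrors the Override flag handling of NDP.

```python
# Added example (not from the report): flag Neighbor Advertisements that
# rewrite a trusted IPv6-to-MAC binding, the pattern the capture showed
# (C's link-layer address advertised for both A and B). All values constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NeighborAdvert:
    target: str        # IPv6 address the NA claims to speak for
    tlla: str          # target link-layer address option (MAC)
    solicited: bool    # S flag: answer to one of our own NS messages?
    override: bool     # O flag: may overwrite an existing cache entry


def detect_spoofed_nas(baseline, nas):
    """Return alert strings for NAs that contradict a trusted baseline.

    baseline: {ipv6: mac} learned during a clean period.
    Raised: an unsolicited NA (S=0) that changes the MAC of a known target,
    and one MAC advertised for several different targets (the MITM
    claiming both victims).
    """
    alerts = []
    cache = dict(baseline)
    claims = defaultdict(set)            # mac -> targets it was advertised for
    for na in nas:
        claims[na.tlla].add(na.target)
        known = cache.get(na.target)
        if known is not None and known != na.tlla and not na.solicited:
            alerts.append(f"{na.target}: link-layer address changed {known} -> "
                          f"{na.tlla} via unsolicited NA (override={na.override})")
        # mirror the host: only an NA with O=1 replaces an existing binding
        if known is None or na.override:
            cache[na.target] = na.tlla
    for mac, targets in claims.items():
        if len(targets) > 1:
            alerts.append(f"{mac} advertised for {len(targets)} targets: "
                          f"{sorted(targets)}")
    return alerts


# constructed sample: A and B are legitimate; C's MAC (..:cc) spoofs both
BASELINE = {"fe80::a": "00:11:22:33:44:aa", "fe80::b": "00:11:22:33:44:bb"}
SAMPLE = [
    NeighborAdvert("fe80::a", "00:11:22:33:44:aa", solicited=True, override=True),
    NeighborAdvert("fe80::a", "00:11:22:33:44:cc", solicited=False, override=True),
    NeighborAdvert("fe80::b", "00:11:22:33:44:cc", solicited=False, override=True),
]

if __name__ == "__main__":
    for line in detect_spoofed_nas(BASELINE, SAMPLE):
        print(line)
```

Running it on the constructed sample yields one alert per rewritten victim plus one for the MAC that claimed both targets; a legitimate solicited NA with the baseline MAC raises nothing.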
Possible fix
In RFC3756, it is mentioned, and I quote:
2. During Duplicate Address Detection (DAD), if a node receives a
Neighbor Solicitation for the same address it is soliciting for, the
situation is considered a collision, and the node must cease to
solicit for the said address.
That makes sense, and that will surely fix it, especially once they mention this below:
An attacking node can cause packets for legitimate nodes, both
hosts and routers, to be sent to some other link-layer address. This
can be done by either sending a Neighbor Solicitation with a
different source link-layer address option, or sending a Neighbor
Advertisement with a different target link-layer address option.
That is exactly what we achieved with our MITM attack using neighbor spoofing.
RFC3756 simply provides security ideas and is a memo for the sake of securing IPv6 and its protocols. [30]
A possible fix can also be IPsec. IPsec adds a few extra "layers", if you will, to the IP protocol by extending the header format. [31]
IPsec according to Cisco:
With IPsec, data can be sent across a public network without
observation, modification, or spoofing. IPsec functionality is similar
in both IPv6 and IPv4; however, site-to-site tunnel mode only is
supported in IPv6.
[30] http://tools.ietf.org/html/rfc3756#section-4.1.1 (reference for the whole paragraph with the quotes)
[31] https://tools.ietf.org/html/rfc4302#section-2
IPsec doesn't work well with NAT in IPv4, but in IPv6 there's no need for NAT, which makes IPsec as effective as it can get. A modified NA or NS packet will be dropped if IPsec sees an unrecognized change. [32]
IPsec is fairly advanced, so I will choose not to go further with it, but should one choose to get a secure IPv6 network, IPsec is one option, which is even supported and detailed by Cisco (see reference 25 below).
According to ipv6.com: [33]
IPsec supports several security protocols, including DES 56-bit and 3DES 168-bit key encryption, and standalone encryption between clients, routers and even firewalls. On top of that, VPN solutions can be added too.
Reality check
One might wonder whether all this is necessary: surely IPv6 is near, but by that time we will all be educated in the IPv6 standard.
Well, the Japanese government, which supports the IPv6 deployment it has so successfully carried out, has through the IPv4 Address Exhaustion Task Force, Japan produced a document on that very matter, documenting how IPv6 deployment has gone so far. [34]
Canada has implemented DNS root servers to support IPv6 DNS requests, and more and more ISPs are supporting this; they have even made graphs illustrating the progress of the deployment. [35]
Several other countries have followed this example. [36]
To get a more detailed view of IPv6 on the internet we have to go to the basic root of the internet, Google. [37]
[32] http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-ipsec.html (both quote and text are explained by Cisco)
[33] http://ipv6.com/articles/security/IPsec.htm
[34] http://www.jaipa.or.jp/ipv6day/data/111121_iaetf.pdf
[35] http://www.viagenie.ca/radarv6/
[36] http://ipv6.com/articles/deployment/IPv6-Deployment-Status.htm
[37] https://www.google.com/intl/en/ipv6/
As Google very beautifully illustrates, IPv4 has no chance if we want the internet to continue to grow: the number of devices completely annihilates the number of IPv4 addresses available. This is where IPv6 is to come into play.
Google has also made a beautiful graph of the amount of traffic accessing Google through IPv6 natively and through IPv6-to-IPv4 networks.
A total of 3.73% of the traffic going through Google is using IPv6 one way or another. That is fairly sad, considering the possibilities IPv6 offers compared to IPv4. It's a matter of change, the cost of change and the desire to do so, which isn't very pleasing for most, if not almost anyone.
I reckon that in a good number of years, before 2016, we should see a tenfold if not twentyfold increase in that percentage. Hopefully, for the right reasons and with the correct security setup too.
Conclusion
It's been a long journey and I must admit that it's been far more entertaining than I anticipated.
The IPv6 protocol is a very large subject and has a massive bearing on the future of online networking. It simplifies and eases a lot of things that used to require several protocols to get working in IPv4. It is far more universal, much more user friendly and faster in terms of computing the same packet versus IPv4.
I've learned that something as new as IPv6 needs time for the majority to get accustomed to it: security courses on IPv6 need to become mandatory, people are not aware that they have IPv6 enabled, and someone might be listening if they know how to get through to your little private network.
It has been very interesting seeing the deep bottom of an Internet Protocol the size of IPv6.
I feel very good about the IPv6 attack using its own protocols, even though it was as simple as it gets and strictly internal to a local network. My point was made; I feel that my goal was achieved and the problem formulation was fulfilled. The basic idea was not to make the world's most advanced IPv6 security breach known to man, but rather to understand the concept behind IPv6, the story and the whole reasoning behind its existence, and use it against it, which I succeeded in.
The learning process was a bit difficult in the beginning. I failed when trying to make the neighbor spoofing attack function properly, and it took me a while to make the SMB server function properly and set it all up.
Everything was all new to me and let's just say the internet isn't forgiving when trying to read about IPv6; they already assume you know a great deal, so it all ends up with you reading about things you have no idea about and only realizing what those things really are after a very long time.
Personally I am very pleased with the end result. IPv6 is a very pleasant surprise; I learned a great deal.
List of references
1) Front page picture.
http://www.midphase.com/blog/wp-content/uploads/2012/10/MP-IPv6-Security.png
2) Actual IP spoofing IPv6 hack using Evil FOCA, inspired by Chema Alonso.
https://www.youtube.com/watch?v=327mt5igHVQ
3) IPv4 header, snapshot from Computer Networking, 5th Edition, page 343, Figure 4.13
4) IPv6 header, snapshot from Computer Networking, 5th Edition, page 367, Figure 4.24
5) All screenshots are taken on A and C by me.
6) Internet Protocol, Version 6 (IPv6) Specification
https://tools.ietf.org/html/rfc2460
7) A good SMB explanation for IPv6, as well as an IPv6 explanation
http://www.txv6tf.org/wp-content/uploads/2011/04/Carrell-IPv6_for_SMBs_Easy_or_Hard.pdf
8) Google's IPv6 vs IPv4 limitation using a graph
https://www.google.com/intl/en/ipv6/images/graph.png
9) Cisco's own IPv6 addressing technical overview document (the picture)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-government/sbaBN_IPv6addrG.pdf
10) Google's IPv6 statistics interactive graph
https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption
Bibliography
1) Computer Networking, 5th Edition
2) IPv6 Enabling SMB applications
http://www.snia.org/sites/default/files2/sdc_archives/2010_presentations/monday/DavidHolder_IPv6_Enabling_CIFS_SMB_Applications_v0_1.pdf
3) Fear the Evil FOCA, Attacking Internet Connections with IPv6
https://www.defcon.org/images/defcon-21/dc-21-presentations/Alonso/DEFCON-21-Alonso-Fear-the-Evil-FOCA-Updated.pdf
4) IETF, RFC documents (everything was searched manually via their official website)
http://tools.ietf.org/html/
Appendices
Risk assessment for IPv4 exhaustion and IPv6 adoption
Risk events occurrences
Very high: Router overload; Switch crash
High: Packet sniffing; Miscommunication
Medium: Bad equipment, slow loading times; Performance below goal; IPv4-IPv6 tunneling chaos
Low: Doesn't meet a necessary objective
Very low: Minor performance loss, from IPv4-IPv6 tunneling; No impact on program success, IPv6 will work almost everywhere
Likelihood of a risk event occurring
Very high: Very likely to occur once the internet advances
High: Somewhat likely to occur
Medium: Can occur, depends on size
Low: May occur
Very low: Very unlikely to occur
Level of risk damage that occurs
Very high: High damage output, may threaten the project
High: Substantial impact on time/quality
Medium: Somewhat noticeable impact
Low: Minor impact
Very low: Negligible impact
Risk damage occurrences
Very high: Budget impacted by a significant amount; everyone needs IPv6 training before it's too late, as we can't risk having the company or one's network attacked
High: Budget impacted by a little bit, thus having training earlier
Medium: Thinking IPv6 will replace IPv4, maybe in the long term; Loss of a bit of quality, as loads of programs don't support IPv6 yet
Low: Minor attacks might steal some info
Very low: Someone trying to go on certain websites with your info
Installation of Wireshark
Running the installation of Wireshark is fairly simple. I installed the Wireshark 1.10.7 64-bit version via the official Wireshark website. WinPcap 4.1.3 was installed at the same time. WinPcap is a driver that supports the capturing of packets in Windows. [38]
Installation of Evil FOCA
As mentioned above in the installation of Wireshark, WinPcap was already installed; otherwise I would have had to install it via the Evil FOCA installer. The version I am installing is Evil FOCA DEFCON21 Edition, from the download section of their website, which sends a download link to your email. That version corresponds to 0.1.3.0. We are presented with a ZIP file containing two files, an .msi file and a setup.exe file. I chose the setup.exe file to install the Evil FOCA program.
[38] http://wiki.wireshark.org/WinPcap
In this installation nothing special is done either. It is installed simply by allowing the installer to choose its own destination, and all I do is click Next. Nothing else is done.
SMB server setup
Known as Server Message Block, but more recently called the Common Internet File System. [39]
We will be using a LAN, sharing files using the internal SMB file server inside the Windows OS.
The steps
1) First we need to make sure that IPv6 is enabled, since SMB primarily uses IPv6. [40]
We do this by clicking the Network Internet Access icon on the bottom right of our screen and opening Network and Sharing Center. We then find Change Adapter Settings and click on that.
Next we right click the Wireless Network Adapter, enter Properties and make sure IPv6 is ticked on.
IPv6 is clearly enabled, so we can continue with the SMB server configuration.
2) We enter the same Network and Sharing Center interface as before, but this time we have to enter a different section called Change advanced sharing settings.
[39] http://technet.microsoft.com/en-us/library/cc939973.aspx
[40] https://library.netapp.com/ecmdocs/ECMP1366834/html/GUID-8EBF01F5-6A64-4FFD-BC0C-2C15C9182E50.html
There may or may not be several options for different network profiles. Either way, if both Home or Work and Public networks are present, they have to be configured equally for this to work on several networks.
Network discovery is on. File and printer sharing is on. Public folder sharing is on. File sharing connections is for the sake of encryption; either way both 128-bit and the older 40–56-bit encryption work. Password protected sharing is turned off so that people outside the actual computer can see the files. The HomeGroup connections option doesn't matter, as we do not actually use HomeGroup connections, but rather only the SMB server.
3) Click Save changes and close all remaining windows.
4) Afterwards we navigate to any folder we care to share on the SMB server, which will be accessed and (hopefully) read by our Wireshark packet sniffing thanks to the hack.
In this case we go to D:M1530 and we want to share this folder. What we do is left click it, enter Share with, then click Specific people, where we can add Everyone from the list of people, or type it out and click Add. Thereafter we click Share. And voilà, we have established an SMB server on Windows 7.
The SMB server runs over TCP, port 445. [41]
[41] https://support.microsoft.com/kb/204279