Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Разведка в сетях IPv6

350 views

Published on

С переходом на новую версию интернет-протокола (IPv6) изменились и правила игры «Сетевая разведка»: использовать метод перебора адресов, как в случае с IPv4, не представляется возможным, так как на каждую подсеть приходится 264 адреса. На мастер-классе вы узнаете о новейших технологиях в области исследования сетей IPv6, описанных в RFC 7707. Вашему вниманию будет представлен интенсивный мастер-класс, посвященный отработке методов исследования и взлома сетей IPv6.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Разведка в сетях IPv6

  1. 1. Fernando Gont Network Reconnaissance in IPv6 PHDays VII Moscow, Russia. May 23-24, 2017
  2. 2. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 About... ● Security Researcher and Consultant at SI6 Networks ● Published: ● 30 IETF RFCs (10+ on IPv6) ● 10+ active IETF Internet-Drafts ● Author of the SI6 Networks' IPv6 toolkit ● https://www.si6networks.com/tools/ipv6toolkit ● I have worked on security assessment of communication protocols for: ● UK NISCC (National Infrastructure Security Co-ordination Centre) ● UK CPNI (Centre for the Protection of National Infrastructure) ● More information at: https://www.gont.com.ar
  3. 3. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Why I'm presenting on this topic “I’ve never met anybody who really did spend blood on something who wasn’t eager to describe what they’ve done and how they did it and why” -- Ken Thompson (in “Coders at Work: Reflections on the Craft of Programming”)
  4. 4. Congreso de Seguridad en Computo 2011 4 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Introduction
  5. 5. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Network Reconnaissance Network reconnaissance: Locate possible targets and/or learn network information/features that can be leveraged for performing network-based attacks
  6. 6. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Network Reconnaissance in IPv6 ● A large part of today's network reconnaissance is about address scanning ● IPv6 has rather substantial changes in IP addressing ● Much lager address space ● Nodes employ multiple addresses of different properties ● How can we learn information about IPv6 networks? ● Are address scans feasible in IPv6? ● What other techniques can be applied if/when IPv6 address scanning is not feasible? ● Our approach: ● Understand the theory ● “Walk the talk” (i.e., apply the concepts to the real world)
  7. 7. Congreso de Seguridad en Computo 2011 7 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Brief introduction to IPv6
  8. 8. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv4 address exhaustion ● The Internet relies on unique addresses for host communication or...well... that was the original idea :-) ● More than 20 years ago it was already evident that we'd eventually run out of IPv4 addresses ● Network Address Translators (NATs) have served as a stop-gap ● But nevertheless we're hitting IPv4 address exhaustion
  9. 9. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv4 address exhaustion (II) ● IPv4 address exhaustion, as predicted by Geoff Huston
  10. 10. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 So... what is this “IPv6” thing about? ● It tackles the problem of IPv4 address exhaustion ● Employs 128-bit addresses (vs. IPv4's 32-bit addresses) ● Provides the same service as IPv4 ● It is not backwards-compatible with IPv4
  11. 11. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 So... what is this “IPv6” thing about? (II) ● We can connect IPv6 “islands” across the IPv4 Internet with tunnels
  12. 12. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 So... what is this “IPv6” thing about? (III) ● We can interconnect IPv6-only hosts with IPv4-only hosts with “translators”
  13. 13. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 So... what is this “IPv6” thing about? (IV) ● For every domain name, the DNS can contain ● A resource records (IPv4 addresses) ● AAAA (Quad-A) resource records (IPv6 addresses) ● Host may query for A and/or AAAA resource records according different criteria ● Based on the available resource records, supported protocols, and local policy, IPv6 and/or IPv4 could be employed
  14. 14. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Current state of affairs: Implementation ● General-purpose OSes have shipped with IPv6 support for a long time ● part of your network is already running IPv6! ● Other devices may require updates or replacement: ● CPE's ● Firewalls ● Routers ● NIDSs ● etc.
  15. 15. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Current state of affairs: Deployment ● IPv6 was essentially ignored for years ● Many organizations have now started to take IPv6 more seriously, partly as a result of: ● Exhaustion of the IANA IPv4 free pool ● Imminent exhaustion of the address pool at the different RIRs ● Awareness activities (“World IPv6 Day” & “World IPv6 Launch Day”) ● Main content providers (Google, Facebook, Yahoo, etc.) deploying IPv6 on their public-facing servers
  16. 16. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Current state of affairs: Deployment (II) ● IPv6 usage as measured by Google:
  17. 17. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Current state of affairs: Deployment (III) ● IPv6 deployment per country ● Visit: https://www.google.com/intl/en/ipv6/statistics.html
  18. 18. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Why bother with IPv6? ● Most general-purpose operating systems support IPv6 ● Increasing number of IPv6 deployments ● Some mobile operators have opted for IPv6-only on the client-side ● More and more Internet sites are becoming dual-stacked ● Even in IPv4-only networks, IPv6 can be leveraged in a number of ways ● IPv6 connectivity is “dormant”, waiting to be exploited ● No parity of security policies between IPv4 and IPv6 ● IPv6 can be the “weakest link in the chain”
  19. 19. 19 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Brief comparison between IPv6 and IPv4
  20. 20. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief comparison between IPv6/IPv4 ● Very similar in terms of functionality, but not in terms of mechanisms IPv4 IPv6 Addressing 32 bits 128 bits Address Resolution ARP ICMPv6 NS/NA (+ MLD) Auto- configuration DHCP & ICMP RS/RA ICMPv6 RS/RA & DHCPv6 (optional) (+ MLD) Fault Isolation ICMPv4 ICMPv6 IPsec support Optional Optional Fragmentation Both in hosts and routers Only in hosts
  21. 21. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief comparison between IPv6/IPv4 ● Header formats
  22. 22. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 General IPv6 packet format ● Consists of an IPv6 header chain and an (optional) payload ● Each Extension Header is typically encoded as TLV (Type- Length-Value) ● Any number of instances of any number of different headers are allowed ● Each header may contain an arbitrary number of options I P v 6 H e a d e r I P v 6 H e a d e r D e s t i n a t i o n O p ti o n s H e a d e r D e s ti n a t i o n O p ti o n s H e a d e r N H = 6 0 N H = 6 0 D e s t . O p t i o n s H e a d e r D e s t . O p t i o n s H e a d e r T C P S e g m e n t T C P S e g m e n t N H = 0 6N H = 6 0
  23. 23. 26 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 tools
  24. 24. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Introduction ● This workshop employs free software ● IPv6-specific toolkits: ● SI6 Networks' IPv6 Toolkit ● THC-IPv6 ● General IPv6-enabled tools: ● nmap
  25. 25. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 THC-IPv6 Toolkit: Introduction ● First and only IPv6 attack toolkit for many years ● Easy to use ● Only minimal IPv6 knowledge required ● Features: ● Free software ● Only runs on Linux with Ethernet ● Home: ● http://www.thc.org/thc-ipv6 ● Collaborative development: ● https://github.com/vanhauser-thc/thc-ipv6.git
  26. 26. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 ● Brief history: ● Originally produced as part of a governmental project on IPv6 security ● Maintenance and extension taken over by SI6 Networks ● Goals: ● Security assessment and trouble-shooting of IPv6 networks and implementations ● Clean, portable, and secure code ● Good documentation SI6 Networks' IPv6 Toolkit
  27. 27. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 ● Supported OSes: ● Linux, FreeBSD, NetBSD, OpenBSD, OpenSolaris, and Mac OS ● License: ● GPL (free software) ● Home: ● https://www.si6networks.com/tools/ipv6toolkit ● Collaborative development: ● https://www.github.com/fgont/ipv6toolkit.git SI6 Networks' IPv6 Toolkit (II)
  28. 28. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IDEAS TOOLS ipv6 NETWORK “an interface between your ideas and an IPv6 network” SI6 Networks' IPv6 Toolkit: Philosophy
  29. 29. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 ● No need to introduce nmap :-) ● IPv6 support in nmap: ● IPv6-prefix scanning ● Local-network address scans ● Some IPv6-specific host-scanning techniques ● IPv6-based port scans ● IPv6-based OS detection (although nowhere near its IPv4 counter- part) nmap
  30. 30. 35 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Addressing Architecture
  31. 31. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief overview ● The main driver for IPv6 is its increased address space ● IPv6 uses 128-bit addresses ● Similarly to IPv4, ● Addresses are aggregated into “prefixes” (for routing purposes) ● There are different address types (unicast, anycast, and multicast) ● There are different address scopes (link-local, global, etc.) ● However, at any given time, several IPv6 addresses, of multiple types and scopes are used: ● One or more unicast link-local address ● One or more global unicast address ● One or more multicast link-local address
  32. 32. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief overview (II) ● The much larger address space has concrete implications on address scanning ● brute-force approach not feasible! ● Not all the possible scope/type/stability combinations are of use for “attack” purposes in all scenarios. e.g. ● a “private” (local) address may be of no use from a remote network ● a temporary address may be of no use if persistance is desired ● Different address notation may difficult inspection and/or procesing of IPv6 addresses. e.g. ● New tools needed for processing IPv6 addresses
  33. 33. 38 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Addressing Architecture IPv6 address notation
  34. 34. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 address notation x:x:x:x:x:x:x:x where each “x” s a 4-digit hexadecimal number ● Leading zeros in each “x” can be supressed ● One (and only one) group of all-zeroes hexadecimal numers can be represented with “::” ● IPv6 addresses can be specified as: x:x:x:x::y.y.y.y where “y.y.y.y” corresponds to an IPv4 address
  35. 35. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 The need for canonic IPv6 addresses ● Which of these addresses are equivalent? 1) fc00:1:0:0:0:0:0a0a:0a0a 2) fc00:1::a0a:a0a 3) fc00:1:0000:0000:0000:0000:0a0a:0a0a 4) fc00:1::10.10.10.10 5) fc00:1::aa:aa 6) fc00:1::0a0a:0a0a 7) fc00:1:0::a0a:a0a 8) fc00:1:0000::a0a:a0a ● Moral of the story?
  36. 36. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Practice: addr6 to our rescue! ● addr6 can print the canonic version of an IPv6 address: addr6 ­c ­a fc00::10.10.10.10 ● Please try addr6 with the addresses of the previous slide! fgont@snow:~$ cat canonic.txt | addr6 ­i ­c fc00:1::a0a:a0a fc00:1::a0a:a0a fc00:1::a0a:a0a fc00:1::a0a:a0a fc00:1::aa:aa fc00:1::a0a:a0a fc00:1::a0a:a0a fc00:1::a0a:a0a
  37. 37. 42 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Addressing Architecture IPv6 address types
  38. 38. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 address types ● The address type can be identified as follows: Address Type IPv6 Prefix Unspecified ::/128 Loopback ::1/128 Multicast FF00::/8 Link-local Unicast FE80::/10 Unique Local Unicast FC00::/7 Global Unicast (everything else)
  39. 39. 44 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 address types Unicast addresses
  40. 40. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 unicast addresses ● Global unicast ● Meant for communication on the public Internet ● Link-local unicast ● Meant for communication within a network link/segment ● Site-local unicast ● Deprecated (were meant to be valid only within a site) ● Unique Local unicast ● Are expected to be globally unique, but not routable on the public Internet -- kind of equivalent to IPv4's private address space
  41. 41. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 Global Unicast Addresses ● A number of possibilities for generating the Interface ID: ● Embed the MAC address (traditional SLAAC) ● Embed the IPv4 address (e.g. 2001:db8::192.168.1.1) ● Low-byte (e.g. 2001:db8::1, 2001:db8::2, etc.) ● Wordy (e.g. 2001:db8::dead:beef) ● According to a transition/co-existence technology (6to4, etc.) Global Routing Prefix Subnet ID Interface ID | n bits | m bits | 128-n-m bits |
  42. 42. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 Link-local Unicast Addresses ● The Link-Local Unicast Prefix is fe80::/64 Link Local Unicast Prefix Interface ID | 64 bits | 64 bits |
  43. 43. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 Unique Local Unicast Addresses ● Specified in RFC4193 ● Identified by the prefix FC00::/7 ● Special prefix, but otherwise syntax similar to that of global unicast addresses ULA Prefix Subnet ID Interface ID | 48 bits | 16 bits | 64 bits |
  44. 44. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs derived from link-layer addresses ● They are the result of traditional SLAAC ● IIDs derived from a link-layer address are constructed as follows: ● Flip the U/L bit of the OUI (bit 1 of the most significant byte) ● Insert the word “0xfffe” in between the upper and lower 24-bits IEEE OUI FF FE Lower 24 bits of MAC | 24 bits | 16 bits | 24 bits |
  45. 45. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Temporary IIDs (based on RFC4941) ● They are the result of SLAAC ● Random IIDs that change over time ● Generated in addition to traditional SLAAC addresses ● Traditional addresses used for server-like communications ● Temporary addresses for client-like communications
  46. 46. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs in MS Windows ● They are the result of SLAAC ● Microsoft replaced the MAC-address-based identifiers with (non-standard) randomized IIDs ● Essentially RFC 4941, but they don't vary over time
  47. 47. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs based on RFC7217 ● Currently recommended algorithm for SLAAC stable addresses ● IIDs are generated as: Hash(Prefix, Net_Iface, Network_ID, DAD_Count, Secret_Key) ● Where: ● Hash(): Cryptographically secure hash function ● Prefix: SLAAC or link-local prefix ● Net_Iface: some interface identifier ● Network_ID: e.g. the SSID of a wireless network ● DAD_Count: initialized to 0, and incremented by 1 upon collisions ● Secret_Key: unknown to the attacker (and randomly generated by default)
  48. 48. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs based on RFC7217 (II) ● As a host moves: ● Prefix and Network_ID change from one network to another ● But they remain constant within each network ● F() varies across networks, but remains constant within each network ● This results in addresses that: ● Are stable within the same subnet ● Have different Interface-IDs when moving across networks ● For the most part, they have “the best of both worlds”
  49. 49. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs based on RFC7217 (III) ● Known implementations: ● Linux kernel v4.0 ● NetworkManager v1.2.0-0.3.20151112gitec4d653.fc24 ● dhcpcd 6.4.0 ● OSes known to already ship with RFC7217: ● Mac OS Sierra ● Fedora
  50. 50. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs embedding IPv4 addreses ● They are the result of manual configuration ● They simply embed an IPv4 address in the IID ● Convenient to deduce IPv6 address from IPv4 address! ● Two variants found in the wild: ● 2000:db8::192.168.0.1 <- Embedded in 32 bits ● 2000:db8::192:168:0:1 <- Embedded in 64 bits
  51. 51. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs embedding service ports ● They are the result of manual configuration ● The IID embeds the service port ● Two variants found in the wild: ● 2001:db8::1:80 <- n:port ● 2001:db8::80:1 <- port:n ● Additionally, the service port can be encoded in hex vs. dec ● 2001:db8::80 vs. 2001:db8::50
  52. 52. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IIDs with small integers (“low-byte”) ● They are the result of manual configuration ● The IID is set to all-zeros, “except for the last byte” ● e.g.: 2000:db8::1 ● Other variants have been found in the wild: ● 2001:db8::n1:n2 <- where n1 is typically greater than n2
  53. 53. 60 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 address types Multicast addresses
  54. 54. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 multicast addresses ● Identify a set of nodes ● Can be of different scopes (link-local, global, etc.) ● Some examples: Multicast address Use FF01:0:0:0:0:0:0:1 All nodes (interface-local) FF01:0:0:0:0:0:0:2 All routers (interface-local) FF02:0:0:0:0:0:0:1 All nodes (link-local) FF02:0:0:0:0:0:0:2 All routers (link-local) FF05:0:0:0:0:0:0:2 All routers (site-local) FF02:0:0:0:0:1:FF00::/104 Solicited-Node http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
  55. 55. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 Multicast Groups ● On Linux: ip -6 maddr show ● On FreeBSD: ifmcstat ● On OpenBSD (after install): ifmcstat
  56. 56. 66 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 addressing Processing IPv6 addresses
  57. 57. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Processing IPv6 addresses ● Given an IPv6 address: ● What's its canonic form? ● What's its type? ● What's its scope? ● etc. ● Given a set of addresses ● Filter addresses of specific properties ● Produce statistics to help locate additional potential targets
  58. 58. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Analyzing IPv6 Address Types ● The addr6 tool can analyze IPv6 addresses ● Example: addr6 -a ADDRESS ● Format: type=subtype=scope=IID_type=IID_subtype
  59. 59. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Practice: Analyzing IPv6 Address Types ● What is the type of these IPv6 addresses? ● fe80::1 ● 2001:8a0:2104:ff:213:13:145:64 ● 2400:cb00:2048:1::6ca2:c5ca ● fc00::1 ● ::1 ● :: ● ff02::1
  60. 60. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Filtering IPv6 addresses ● addr6 has a number of features to filter IPv6 addresses ● Filter duplicate addresses: cat LIST.TXT | addr6 -i -q ● Only accept (or block) specific prefixes: cat LIST.TXT | addr6 -i --accept 2001:db8::/16 cat LIST.TXT | addr6 -i --block 2001:db8::/16 ● Accept (or block) address types: cat LIST.TXT | addr6 -i --accept-type TYPE cat LIST.TXT | addr6 -i --block-type TYPE ● Types: unicast, unspec, multicast
  61. 61. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Filtering IPv6 addresses ● Accept (or block) address scopes: cat LIST.TXT | addr6 -i --accept-scope SCOPE cat LIST.TXT | addr6 -i --block-scope SCOPE ● Scopes: interface, link, admin, site, local, global... ● Accept (or block) unicast address types: cat LIST.TXT | addr6 -i --accept-utype TYPE cat LIST.TXT | addr6 -i --block-utype TYPE ● Types: loopback, ipv4-compat, ipv4-mapped, link-local, site-local, unique-local, 6to4, teredo, global
  62. 62. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Practice: Filtering IPv6 addresses ● Print all addresses that are NOT: ● global ● unicast
  63. 63. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Producing statistics ● Given a large set of addresses, producing stats may help to find additional targets ● e.g., if the vast majority of the addresses contain a specific IID type ● The addr6 tool can produce such statistics ● Example: cat LIST.TXT | addr6 -i -s
  64. 64. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Practice: Producing statistics ● What are the stats for our datasets?
  65. 65. 76 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Address Scanning
  66. 66. 77 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Address Scanning Introduction
  67. 67. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Introduction ● Address scanning in IPv4 is typically “brute force” ● search space is so small we can get away with such a loosy job! ● Bruteforce approach simply unfeasible for IPv6 ● search space would be too big (264 addresses)
  68. 68. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Approaching IPv6 address scanning ● Two (totally-different) problem areas: ● Local-network scans ● Remote-network scans ● Local-network scans rather easy ● Remote-network scans more challenging ● It is key to understant the IPv6 Addressing Architeture
  69. 69. 80 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Address Scanning Local networks
  70. 70. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Overview ● Leverage IPv6 all-nodes link-local multicast address ● Employ multiple probe types: ● Normal multicasted ICMPv6 echo requests (don't work for Windows) ● Unrecognized options of type 10xxxxxx ● Combine learned IIDs with known prefixes to learn all addresses ● Example: # scan6 -i eth0 -L
  71. 71. 82 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Address Scanning Remote networks
  72. 72. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Myths about address scanning “Thanks to the increased IPv6 address space, IPv6 host scanning attacks are unfeasible. Scanning a /64 would take 500.000.000 years” – Urban legend Is the search space for a /64 really 264 addresses?
  73. 73. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Myths about address scanning (II) ● The feasibility of IPv6 address scanning depends on how the IIDs are generated/selected ● Random IIDs → Search space 264 → unfeasible ● Some pattern → Search space < 264 → possibly feasible ● Number of aspects: ● Different possible IID generation algorithms/techniques ● Different algorithms/techniques employed in different scenarios
  74. 74. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 addresses in the real world ● Malone measured (*) the address generation policy of hosts and routers in real networks Address type Percentage SLAAC 50% IPv4-based 20% Teredo 10% Low-byte 8% Privacy 6% Wordy <1% Others <1% Address type Percentage Low-byte 70% IPv4-based 5% SLAAC 1% Wordy <1% Privacy <1% Teredo <1% Others <1% Hosts Routers Malone, D., "Observations of IPv6 Addresses", Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April 2008, <http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf>.
  75. 75. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Some take aways from Malone's work ● IPv6 addresses do follow patterns! ● Some limitations of Malone's work: ● Possibly dated results – Widespread use of transition technologies for clients – Widespread use of manual configuration for clients ● It does not contain data for servers ● This motivated our study on the topic
  76. 76. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Our experiment ● Find “a considerable number of IPv6 nodes” for address analysis: ● Alexa Top-1M sites -> script6 -> addr6 ● World IPv6 Launch Day site -> script6 -> addr6 ● For each domain: ● AAAA records ● NS records -> AAAA records ● MX records -> AAAA records ● What did we find?
  77. 77. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 address distribution for the web
  78. 78. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 address distribution for mail servers
  79. 79. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 address distribution for the DNS
  80. 80. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Client addresses ● Caveats: ● Graphic illustrates IID types used for outgoing connections. ● No data about IID types used for stable addresses when RFC4941 is employed. Source: <http://www.internetsociety.org/blog/2013/05/ipv6-address-analysis-privacy-transition-out>
  81. 81. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Some take-aways from our study ● Server addresses clearly do follow patterns ● The majority of addresses follow patterns with a small search space ● Passive measurements on client addresses are of little use ● Due to IPv6 temporary addresses (RFC4941)
  82. 82. 93 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Address Scanning Scanning remote networks
  83. 83. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 addresses embedding IEEE IDs ● In practice, the search space is at most ~224 bits – feasible! ● The low-order 24-bits are not necessarily random: ● An organization buys a large number of boxes ● In that case, MAC addresses are usually consecutive ● Consecutive MAC addresses are generally in use in geographically- close locations IEEE OUI FF FE Lower 24 bits of MAC | 24 bits | 16 bits | 24 bits | Known or guessable Known Unknown
  84. 84. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 addresses embedding IEEE IDs (II) ● Virtualization technologies present an interesting case ● Virtual Box employs OUI 08:00:27 (search space: 224) ● VMWare ESX employs: ● Automatic MACs: OUI 00:05:59, and next 16 bits copied from the low order 16 bits of the host's IPv4 address (search space: ~28) ● Manually-configured MACs:OUI 00:50:56 and the rest in the range 0x000000-0x3fffff (search space: ~222) ● Examples: # scan6 -d fc00::/64 -K 'Dell Inc' -v # scan6 -d fc00::/64 -V vbox # scan6 -d fc00::/64 -V vmware -Q 10.10.0.0/16
  85. 85. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 addresses embedding IPv4 addr. ● They simply embed an IPv4 address in the IID ● Two variants found in the wild: ● 2000:db8::192.168.0.1 <- Embedded in 32 bits ● 2000:db8::192:168:0:1 <- Embedded in 64 bits ● Search space: same as the IPv4 search space – feasible! ● Examples: # scan6 -d fc00::/64 -B all -Q 10.10.0.0/16
  86. 86. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 addresses embedding service ports ● They simply embed the service port the IID ● Two variants found in the wild: ● 2001:db8::1:80 <- n:port ● 2001:db8::80:1 <- port:n ● Additionally, the service port can be encoded in hex vs. dec ● 2001:db8::80 vs. 2001:db8::50 ● Search space: smaller than 28 – feasible! ● Example: # scan6 -d fc00::/64 -g
  87. 87. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 “low-byte” addresses ● The IID is set to all-zeros, “except for the last byte” ● e.g.: 2000:db8::1 ● Other variants have been found in the wild: ● 2001:db8::n1:n2 <- where n1 is typically greater than n2 ● Search space: usually 28 or 216 – feasible! ● Example: # scan6 -d fc00::/64 --tgt-low-byte
  88. 88. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 scan6 coolness ● “What if I'm lazy enough to 'set' an appropriate address pattern?” ● scan6 infers the address pattern for you! ● Example: # scan6 ­d DOMAIN/64 ­v # scan6 ­d IPv6_ADDRESS/64 ­v
  89. 89. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Some conclusions ● Brute-force IPv6 address scanning is unfeasible ● More heuristic scanning is possible ● Leveraging IPv6 address patterns ● Recent improvements in IPv6 addressing mitigate address scanning ● Manually-configured nodes are likely to remain “vulnerable”to address scanning
  90. 90. 101 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Host Tracking
  91. 91. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Host-tracking attacks ● Traditional IIDs are constant for each interface ● As the host moves, the prefix changes, but the IID doesn't ● the 64-bit IID results in a super-cookie! ● This introduces a problem not present in IPv4: host-tracking ● Example: ● In net #1, host configures address: 2001:db8:1::1111:22ff:fe33:4444 ● In net #2, host configures address: 2001:db8:2::1111:22ff:fe33:4444 ● The IID “1111:22ff:fe33:4444” leaks out host “identity” ● Given a target, host tracking can help locate such target in a different network as it moves
  92. 92. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Host-tracking attacks (II) ● Passive attack: ● The victim connects to a server, and the server logs its IPv6 address ● Active attack: ● An attacker actively probes the client's address(es). ● Sample scenario for active host-tracking attack: ● Node is known to have the IID 1:2:3:4 ● To check whether the node is at fc00:1::/64 or fc00:2::/64 ● ping fc00:1::1:2:3:4 and fc00:2::1:2:3:4
  93. 93. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Host-tracking attacks (III) ● Active host-tracking with the scan6 tool: # scan6 -m prefs.txt -w iids.txt -l -z 60 -t -v # scan6 -d fc00:1::/64 -d fc00:2::/64 -W ::1:2:3:4
  94. 94. 111 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Extension Headers In Network Reconnaissance
  95. 95. 112 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Extension Headers Overview
  96. 96. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 General IPv6 packet format ● Consists of an IPv6 header chain and an (optional) payload ● Each Extension Header is typically encoded as TLV (Type- Length-Value) ● Any number of instances of any number of different headers are allowed ● Each header may contain an arbitrary number of options I P v 6 H e a d e r I P v 6 H e a d e r D e s t i n a t i o n O p ti o n s H e a d e r D e s ti n a t i o n O p ti o n s H e a d e r N H = 6 0 N H = 6 0 D e s t . O p t i o n s H e a d e r D e s t . O p t i o n s H e a d e r T C P S e g m e n t T C P S e g m e n t N H = 0 6N H = 6 0
  97. 97. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Processing the IPv6 header chain ● Implications for inspecting “boxes”: ● Large number of headers/options may have a negative impact on performance ● Many routers can only look into a few dozen bytes into the packet ● It becomes harder (if at all possible) to enforce layer-4 ACLs ● Fragmentation represents similar challenge as in IPv4 ● Potential benefits for network reconnaissance: ● Evasion
  98. 98. 115 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Extension Headers In The Real World
  99. 99. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 DO8 HBH8 FH512 Webservers Mailservers Nameservers 0 10 20 30 40 50 60 Alexa dataset: Packet Drop rate
  100. 100. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 DO8 HBH8 FH512 Webservers Mailservers Nameservers 0 10 20 30 40 50 60 70 Alexa dataset: Drops by diff. AS
  101. 101. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 So... what does this all mean? ● IPv6 EHs “not that cool” for evasion or reconnaissance ...at least when doing remote IPv6 network reconnaissance!
  102. 102. 119 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved IPv6 Extension Headers Use in network reconnaissance
  103. 103. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 path6: An EH-enabled traceroute ● How far do your IPv6 EH-enabled packets get? ● No existing traceroute tool supported IPv6 extension headers ● Hence we produced our path6 tool ● Supports IPv6 Extension Headers ● Can employ TCP, UDP, or ICMPv6 probes ● It's faster ;-) ● Example: # path6 -u 100 -d fc00:1::1 Dst Opt Hdr
  104. 104. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 path6: An EH-enabled traceroute (II)
  105. 105. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: Finding IPv6 blackholes ● How it works? ● path6 without EHs + path6 with EHs + a little bit of magic fgont@satellite:~$ sudo blackhole6 www.google.com do8 SI6 Networks IPv6 Toolkit v2.0 blackhole6: A tool to find IPv6 blackholes Tracing www.google.com (2607:f8b0:400b:807::1012)... Dst. IPv6 address: 2607:f8b0:400b:807::1012 (AS15169 ­ GOOGLE ­ Google  Inc.,US) Last node (no EHs): 2607:f8b0:400b:807::1012 (AS15169 ­ GOOGLE ­ Google  Inc.,US) (13 hop(s)) Last node (DO 8): 2001:5a0:12:100::72 (AS6453 ­ AS6453 ­ TATA  COMMUNICATIONS (AMERICA) INC,US) (7 hop(s)) Dropping node: 2001:4860:1:1:0:1935:0:75 (AS15169 ­ GOOGLE ­ Google  Inc.,US || AS15169 ­ GOOGLE ­ Google Inc.,US)
  106. 106. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: Methodology ● Given the output of path6 for no-EH and EHs: No EHs With EHs 1. fc00:1:1:1000::1 2. fc00:1:1:2000::4 3. fc00:1:2:4000::1 4. fc00:2:1:4000::1 5. fc00:a:2:1000::1 6. fc00:a:4:4000::1 7. fc00:b:1:1000::1 8. fc00:b:2:5000::1 9. fc00:b:4:5000::1 10. fc00:d::1 1. fc00:1:1:1000::1 2. fc00:1:1:2000::4 3. fc00:1:2:4000::1 4. fc00:2:1:4000::1 5. fc00:a:2:1000::1 6. fc00:a:4:4000::1 DROP
  107. 107. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: Methodology (II) ● We assume ingress filtering... ● Otherwise dropping node actually is M rather than M+1
  108. 108. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: ASes ● Lookup ASN of dropping node, but... ● There may be ambiguity when finding the AS of the dropping node: ● who provides the address space for the peering?
  109. 109. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: ASes (II) ● Case 1: Address space provided by AS Y
  110. 110. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 blackhole6: ASes (III) ● Case 2: Address space provided by AS X
  111. 111. 128 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Port scanning The basics
  112. 112. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6-based TCP/UDP port scanning ● scan6 incorporates all known TCP and UDP port-scanning techniques ● Specifying a protocol and port range: ­­port­scan {tcp,udp}:port_low[­port_hi] ● Specifying a TCP scan type: ­­tcp­scan­type {syn,fin,null,xmas,ack} ● Example: ­­port­scan tcp:1­1024 ­­tcp­scan­type syn
  113. 113. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 TCP port scanning: Intro/Overview ● TCP connection-establishment in a nutshell:
  114. 114. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 TCP port scanning: connect() scan ● Implements the full 3WHS ● Slow (requires two RTTs) ● Notifies the target application of the communication attempt ● Ties resources on both ends of the connection ● Not implemented in scan6
  115. 115. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 TCP port scanning: SYN scan ● Does not implement the full 3WHS ● Send a SYN, process response packet ● SYN/ACK= Open, RST= Closed ● It is fast ● Does not tie resources on our end ● Implemented in scan6
  116. 116. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 TCP port scanning: FIN, NULL, and XMAS ● Does not implement the full 3WHS ● Send a packet without A bit set, wait for response ● RST= Closed, Timeout= Open ● It is rather slow (need to wait for a timeout) ● Does not tie resources on an side ● Implemented in scan6
  117. 117. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 TCP/UDP most popular ports ● scan6 can target the most frequently open ports ● All top ports for all protocols: ­­port­scan all:top:all ● Top N of all protocols: ­­port­scan all:top:N ● All TCP top ports: ­­port­scan tcp:top:all ● Top N TCP ports ­­port­scan tcp:top:N
  118. 118. 135 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Port Scanning EH-based IPv6 Idle Scan
  119. 119. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: Introduction ● Stealth port scanning technique ● No need to contact the target with our Source Address ● Prevents easy tracing of the attacker ● The attacker only needs a host that employs predictable Identification values.
  120. 120. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: TCP 3WHS review ● Normal TCP 3WHS Open Port Closed Port
  121. 121. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: TCP 3WHS review ● TCP 3WHS with spoofed segments Open Port Closed Port
  122. 122. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan “implementation” Open Port Closed Port
  123. 123. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: Challenge in IPv6 ● Base IPv6 header does not contain a Frag ID ● Only way to exploit the Frag ID is when a FH is present ● But...How do we trigger/elicit fragmentation?
  124. 124. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 “atomic” fragments ● ICMPv6 PTB < 1280 triggers inclusion of a FH in all packets to that destination (not actual fragmentation) ● Result: IPv6 atomic fragments (Frag. Offset=0, More Frag.=0)
  125. 125. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Handling of IPv6 atomic fragments Operating System Atomic Frag. Support Improved processing FreeBSD 8.0 No No FreeBSD 8.2 Yes No FreeBSD 9.0 Yes No Linux 3.0.0-15 Yes Yes NetBSD 5.1 No No OpenBSD-current Yes Yes Solaris 11 Yes Yes Windows Vista (build 6000) Yes No Windows 7 Home Premium Yes No
  126. 126. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan full implementation Open Port Closed Port ICMPv6
  127. 127. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: nmap implementation ● IPv6 idle scan available in nmap version > vx.x ● Implementation by Mathias Morbitzer ● Example:
  128. 128. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Idle scan: My take :-) ● Idle scan is a cool idea ● The IPv6 version is even more “creative” ● However, ● Use of EHs makes probes unreliable ● Generation of IPv6 atomic fragments is being deprecated. See: – RFC8021 – draft-ietf-6man-rfc2460bis
  129. 129. 148 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Neighbor Discovery for IPv6
  130. 130. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief Overview ● ICMPv6 is a core protocol of the IPv6 suite, and is used for: ● Address Resolution (Neighbor Discovery) ● Stateless address auto-configuration (SLAAC) ● Fault isolation (ICMPv6 error messages) ● Troubleshooting (ICMPv6 informational messages) ● ICMPv6 is mandatory for IPv6 operation ● But some ICMP messages were already required for IPv4 operation, too!
  131. 131. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Brief Overview (II) ● StateLess Address AutoConfiguration (SLAAC): ● Routers advertise network configuration information via ICMPv6 Router Advertisement messages ● Address Resolution ● Maps IPv6 addresses to link-layer addresses ● Employs ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages ● Analogous to IPv4's ARP
  132. 132. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 ndisc6: Obtaining address mappings ● Can be used to send NS for a particular address ● Example: $ ndisc6 fc00:1::1 eth0 Soliciting fc00:1::1 (fc00:1::1) on eth0... Target link-layer address: 08:00:27:F9:73:04 from fe80::a00:27ff:fef9:7304
  133. 133. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 rdisc6: Obtaining local routers ● Sends RS messages, and decodes RA responses ● Sample output: # rdisc6 -v eth0 Soliciting ff02::2 (ff02::2) on eth0... Hop limit : 64 ( 0x40) Stateful address conf. : No Stateful other conf. : No Router preference : medium Router lifetime : 30 (0x0000001e) seconds Reachable time : unspecified (0x00000000) Retransmit time : unspecified (0x00000000) Prefix : fc00:1::/64 Valid time : 2592000 (0x00278d00) seconds Pref. time : 604800 (0x00093a80) seconds Source link-layer address: 00:4F:4E:12:88:0F from fe80::24f:4eff:fe12:880f
  134. 134. 153 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved ICMPv6 Informational Messages
  135. 135. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 ICMPv6 Informational Messages ● Echo Request/Echo response: ● Used to test node reachability (“ping6”) ● Widely supported, although disabled by default in some OSes ● Node Information Query/Response ● Specified by RFC 4620 as “Experimental”, but supported (and enabled by default) in KAME. ● Not supported in other stacks ● Used to obtain node names or addresses.
  136. 136. 155 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved ICMPv6 Informational Messages Node Information Query/Response
  137. 137. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Node Information Query/Response ● Specified in RFC 4620 as “Experimental”, but included (and enabled by default) in KAME ● Allows nodes to request certain network information about a node in a server-less environment ● Queries are sent with a target name or address (IPv4 or IPv6) ● Queried information may include: node name, IPv4 addresses, or IPv6 addresses ● Node Information Queries can be sent with the ping6 command (“-w” and “-b” options)
  138. 138. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 NI Query/Response: Examples ● Query node names $ ping6 -w ff02::1%vic0 PING6(72=40+8+24 bytes) fe80::20c:29ff:feaf:194e%vic0 --> ff02::1%vic0 41 bytes from fe80::20c:29ff:feaf:194e%vic0: openbsd46.my.domain. 30 bytes from fe80::20c:29ff:fe49:ebdd%vic0: freebsd 41 bytes from fe80::20c:29ff:feaf:194e%vic0: openbsd46.my.domain. 30 bytes from fe80::20c:29ff:fe49:ebdd%vic0: freebsd 41 bytes from fe80::20c:29ff:feaf:194e%vic0: openbsd46.my.domain. 30 bytes from fe80::20c:29ff:fe49:ebdd%vic0: freebsd --- ff02::1%vic0 ping6 statistics --- 3 packets transmitted, 3 packets received, +3 duplicates, 0.0% packet loss
  139. 139. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 NI Query/Response: Examples (II) ● Use the NI multicast group $ ping6 -I vic0 -a Aacgls -N freebsd PING6(72=40+8+24 bytes) fe80::20c:29ff:feaf:194e%vic0 --> ff02::1%vic0 76 bytes from fe80::20c:29ff:fe49:ebdd%vic0: fe80::20c:29ff:fe49:ebdd(TTL=infty) ::1(TTL=infty) fe80::1(TTL=infty) 76 bytes from fe80::20c:29ff:fe49:ebdd%vic0: fe80::20c:29ff:fe49:ebdd(TTL=infty) ::1(TTL=infty) fe80::1(TTL=infty) 76 bytes from fe80::20c:29ff:fe49:ebdd%vic0: fe80::20c:29ff:fe49:ebdd(TTL=infty) ::1(TTL=infty) fe80::1(TTL=infty) --- ff02::1%vic0 ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss
  140. 140. 159 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Obtaining AS-related info
  141. 141. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Obtaining AS-related info ● Given an IPv6 address, the corresponding AS identifies the corresponding organization ● script6 can query AS-related information: script6 get­as script6 get­asn
  142. 142. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Obtaining AS-related info ● Example: fgont@snow:~$ script6 get­as 2800:3f0:4002:803::1014 15169 | 2800:3f0::/32 | AR | lacnic | 2009­11­03 15169 | US | arin | 2000­03­30 | GOOGLE ­ Google Inc.,US
  143. 143. 162 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved DNS for IPv6 Network Reconnaissance
  144. 144. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Introduction ● Most of this ground is well-known from the IPv4-world: ● DNS zone transfers ● DNS bruteforcing ● etc. ● DNS reverse-mappings particularly useful for “address scanning”
  145. 145. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Get domains and IPv6 addresses ● script6 can do batch-processing of domain names ● Get IPv6 addresses: $ cat domains.txt | script6 get-aaaa ● Get nameserver addresses: $ cat domains.txt | script6 get-ns | script6 get-aaaa ● Get mailserver addresses: $ cat domains.txt | script6 get-mx | script6 get-aaaa
  146. 146. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Bruteforce domain names ● script6 can bruteforce domain names and get the corresponding AAAA records ● For a single domain: $ script6 get-bruteforce-aaaa DOMAIN ● Pipelined: $ cat domains.txt | script6 get-bruteforce-aaaa
  147. 147. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 IPv6 DNS reverse mappings ● Technique: ● Given a zone X.ip6.arpa., try the labels [0-f].X.ip6.arpa. ● If an NXDOMAIN is received, that part of the “tree” should be ignored ● Otherwise, if NOERROR is received, “walk” that part of the tree ● Example (using dnsrevenum6 from THC-IPv6): $ dnsrevenum6 DNSSERVER IPV6PREFIX
  148. 148. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 THC-IPv6's dnsrevenum6
  149. 149. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Caveats for DNS reverse mappings ● Some DNS software responds with NOERROR for ENT (Empty Non-Terminals) ● Please see draft-ietf-dnsop-nxdomain-cut
  150. 150. 169 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Aplication-based IPv6 Network Reconnaissance
  151. 151. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Application-based Network Recon ● Many application-layer protocol deal with domain-names or IPv6 addresses ● Some applications even leave publicly trails of data exchanges ● Examples: ● P2P aplications ● email ● etc.
  152. 152. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Application-based Network Recon (II) ● Sample email header: X-ClientAddr: 46.21.160.232 Received: from srv01.bbserve.nl (srv01.bbserve.nl [46.21.160.232]) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id p93Ar0E4003196 for <fernando@gont.com.ar>; Mon, 3 Oct 2011 07:53:01 -0300 Received: from [2001:5c0:1000:a::943] by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1RAg8k-0000Qf-Hu; Mon, 03 Oct 2011 12:52:55 +0200 Message-ID: <4E8993FC.30600@si6networks.com> Date: Mon, 03 Oct 2011 07:52:44 -0300 From: Fernando Gont <fgont@si6networks.com> Organization: SI6 Networks User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15 MIME-Version: 1.0 To: Fernando Gont <fernando@gont.com.ar> Subject: Prueba
  153. 153. 178 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Some conclusions
  154. 154. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Some conclusions ● The IPv6 addressing architecture has required us to re-think how we do address scans. This has led to: ● Improvements in scanning techniques ● Improvements in IPv6 addressing to mitigate these attacks ● As address scanning becomes less attractive, other techniques become more relevant ● DNS reverse mappings comes to mind ● But others will likely be developed ● IPv6 is still a moving target: both for attack and for defense
  155. 155. 180 PHDays WII Moscow, Russia. May 23-24, 2017 © 2017 SI6 Networks. All rights reserved Questions?
  156. 156. © 2017 SI6 Networks. All rights reserved PHDays WII Moscow, Russia. May 23-24, 2017 Thanks! Fernando Gont fgont@si6networks.com IPv6 Hackers mailing-list http://www.si6networks.com/community/ www.si6networks.com

×