Разведка в сетях IPv6

Fernando Gont
Network Reconnaissance in IPv6
PHDays VII
Moscow, Russia. May 23-24, 2017

© 2017 SI6 Networks. All rights reserved
PHDays WII
About...
● Security Researcher and Consultant at SI6 Networks
● Published:
● 30 IETF RFCs (10+ on IPv6)
● 10+ active IETF Internet-Drafts
● Author of the SI6 Networks' IPv6 toolkit
● https://www.si6networks.com/tools/ipv6toolkit
● I have worked on security assessment of communication
protocols for:
● UK NISCC (National Infrastructure Security Co-ordination Centre)
● UK CPNI (Centre for the Protection of National Infrastructure)
● More information at: https://www.gont.com.ar

PHDays WII
Why I'm presenting on this topic
“I’ve never met anybody who really did spend
blood on something who wasn’t eager to describe
what they’ve done and how they did it and why”
-- Ken Thompson (in “Coders at Work:
Reflections on the Craft of Programming”)

Congreso de Seguridad en Computo 2011 4
PHDays WII
Introduction

PHDays WII
Network Reconnaissance
Network reconnaissance:
Locate possible targets and/or learn network information/features
that can be leveraged for performing network-based attacks

PHDays WII
Network Reconnaissance in IPv6
● A large part of today's network reconnaissance is about address
scanning
● IPv6 has rather substantial changes in IP addressing
● Much lager address space
● Nodes employ multiple addresses of different properties
● How can we learn information about IPv6 networks?
● Are address scans feasible in IPv6?
● What other techniques can be applied if/when IPv6 address scanning is
not feasible?
● Our approach:
● Understand the theory
● “Walk the talk” (i.e., apply the concepts to the real world)

Congreso de Seguridad en Computo 2011 7
PHDays WII
Brief introduction to IPv6

PHDays WII
IPv4 address exhaustion
● The Internet relies on unique addresses for host communication
or...well... that was the original idea :-)
● More than 20 years ago it was already evident that we'd
eventually run out of IPv4 addresses
● Network Address Translators (NATs) have served as a stop-gap
● But nevertheless we're hitting IPv4 address exhaustion

PHDays WII
IPv4 address exhaustion (II)
● IPv4 address exhaustion, as predicted by Geoff Huston

PHDays WII
So... what is this “IPv6” thing about?
● It tackles the problem of IPv4 address exhaustion
● Employs 128-bit addresses (vs. IPv4's 32-bit addresses)
● Provides the same service as IPv4
● It is not backwards-compatible with IPv4

PHDays WII
So... what is this “IPv6” thing about? (II)
● We can connect IPv6 “islands” across the IPv4 Internet with
tunnels

PHDays WII
So... what is this “IPv6” thing about? (III)
● We can interconnect IPv6-only hosts with IPv4-only hosts with
“translators”

PHDays WII
So... what is this “IPv6” thing about? (IV)
● For every domain name, the DNS can contain
● A resource records (IPv4 addresses)
● AAAA (Quad-A) resource records (IPv6 addresses)
● Host may query for A and/or AAAA resource records according
different criteria
● Based on the available resource records, supported protocols,
and local policy, IPv6 and/or IPv4 could be employed

PHDays WII
Current state of affairs: Implementation
● General-purpose OSes have shipped with IPv6 support for a
long time
● part of your network is already running IPv6!
● Other devices may require updates or replacement:
● CPE's
● Firewalls
● Routers
● NIDSs
● etc.

PHDays WII
Current state of affairs: Deployment
● IPv6 was essentially ignored for years
● Many organizations have now started to take IPv6 more
seriously, partly as a result of:
● Exhaustion of the IANA IPv4 free pool
● Imminent exhaustion of the address pool at the different RIRs
● Awareness activities (“World IPv6 Day” & “World IPv6 Launch Day”)
● Main content providers (Google, Facebook, Yahoo, etc.) deploying IPv6
on their public-facing servers

PHDays WII
Current state of affairs: Deployment (II)
● IPv6 usage as measured by Google:

PHDays WII
Current state of affairs: Deployment (III)
● IPv6 deployment per country
● Visit: https://www.google.com/intl/en/ipv6/statistics.html

PHDays WII
Why bother with IPv6?
● Most general-purpose operating systems support IPv6
● Increasing number of IPv6 deployments
● Some mobile operators have opted for IPv6-only on the client-side
● More and more Internet sites are becoming dual-stacked
● Even in IPv4-only networks, IPv6 can be leveraged in a number
of ways
● IPv6 connectivity is “dormant”, waiting to be exploited
● No parity of security policies between IPv4 and IPv6
● IPv6 can be the “weakest link in the chain”

19
PHDays WII
Brief comparison between IPv6 and
IPv4

PHDays WII
Brief comparison between IPv6/IPv4
● Very similar in terms of functionality, but not in terms of mechanisms
IPv4 IPv6
Addressing 32 bits 128 bits
Address
Resolution
ARP ICMPv6 NS/NA (+ MLD)
Auto-
configuration
DHCP & ICMP RS/RA ICMPv6 RS/RA & DHCPv6
(optional) (+ MLD)
Fault Isolation ICMPv4 ICMPv6
IPsec support Optional Optional
Fragmentation Both in hosts and
routers
Only in hosts

PHDays WII
Brief comparison between IPv6/IPv4
● Header formats

PHDays WII
General IPv6 packet format
● Consists of an IPv6 header chain and an (optional) payload
● Each Extension Header is typically encoded as TLV (Type-
Length-Value)
● Any number of instances of any number of different headers are
allowed
● Each header may contain an arbitrary number of options
I P v 6
H e a d e r
I P v 6
H e a d e r D e s t i n a t i o n O p ti o n s
H e a d e r
D e s ti n a t i o n O p ti o n s
H e a d e r
N H = 6 0 N H = 6 0
D e s t . O p t i o n s
H e a d e r
D e s t . O p t i o n s
H e a d e r T C P S e g m e n t
T C P S e g m e n t
N H = 0 6N H = 6 0

26
PHDays WII
IPv6 tools

PHDays WII
Introduction
● This workshop employs free software
● IPv6-specific toolkits:
● SI6 Networks' IPv6 Toolkit
● THC-IPv6
● General IPv6-enabled tools:
● nmap

PHDays WII
THC-IPv6 Toolkit: Introduction
● First and only IPv6 attack toolkit for many years
● Easy to use
● Only minimal IPv6 knowledge required
● Features:
● Free software
● Only runs on Linux with Ethernet
● Home:
● http://www.thc.org/thc-ipv6
● Collaborative development:
● https://github.com/vanhauser-thc/thc-ipv6.git

PHDays WII
● Brief history:
● Originally produced as part of a governmental project on IPv6 security
● Maintenance and extension taken over by SI6 Networks
● Goals:
● Security assessment and trouble-shooting of IPv6 networks and
implementations
● Clean, portable, and secure code
● Good documentation
SI6 Networks' IPv6 Toolkit

PHDays WII
● Supported OSes:
● Linux, FreeBSD, NetBSD, OpenBSD, OpenSolaris, and Mac OS
● License:
● GPL (free software)
● Home:
● https://www.si6networks.com/tools/ipv6toolkit
● Collaborative development:
● https://www.github.com/fgont/ipv6toolkit.git
SI6 Networks' IPv6 Toolkit (II)

PHDays WII
IDEAS TOOLS ipv6 NETWORK
“an interface between your ideas and an IPv6 network”
SI6 Networks' IPv6 Toolkit: Philosophy

PHDays WII
● No need to introduce nmap :-)
● IPv6 support in nmap:
● IPv6-prefix scanning
● Local-network address scans
● Some IPv6-specific host-scanning techniques
● IPv6-based port scans
● IPv6-based OS detection (although nowhere near its IPv4 counter-
part)
nmap

35
PHDays WII
IPv6 Addressing Architecture

PHDays WII
Brief overview
● The main driver for IPv6 is its increased address space
● IPv6 uses 128-bit addresses
● Similarly to IPv4,
● Addresses are aggregated into “prefixes” (for routing purposes)
● There are different address types (unicast, anycast, and multicast)
● There are different address scopes (link-local, global, etc.)
● However, at any given time, several IPv6 addresses, of multiple
types and scopes are used:
● One or more unicast link-local address
● One or more global unicast address
● One or more multicast link-local address

PHDays WII
Brief overview (II)
● The much larger address space has concrete implications on
address scanning
● brute-force approach not feasible!
● Not all the possible scope/type/stability combinations are of use
for “attack” purposes in all scenarios. e.g.
● a “private” (local) address may be of no use from a remote network
● a temporary address may be of no use if persistance is desired
● Different address notation may difficult inspection and/or
procesing of IPv6 addresses. e.g.
● New tools needed for processing IPv6 addresses

38
PHDays WII
IPv6 address notation

PHDays WII
IPv6 address notation
x:x:x:x:x:x:x:x
where each “x” s a 4-digit hexadecimal number
● Leading zeros in each “x” can be supressed
● One (and only one) group of all-zeroes hexadecimal numers
can be represented with “::”
● IPv6 addresses can be specified as:
x:x:x:x::y.y.y.y
where “y.y.y.y” corresponds to an IPv4 address

PHDays WII
The need for canonic IPv6 addresses
● Which of these addresses are equivalent?
1) fc00:1:0:0:0:0:0a0a:0a0a
2) fc00:1::a0a:a0a
3) fc00:1:0000:0000:0000:0000:0a0a:0a0a
4) fc00:1::10.10.10.10
5) fc00:1::aa:aa
6) fc00:1::0a0a:0a0a
7) fc00:1:0::a0a:a0a
8) fc00:1:0000::a0a:a0a
● Moral of the story?

PHDays WII
Practice: addr6 to our rescue!
● addr6 can print the canonic version of an IPv6 address:
addr6 c a fc00::10.10.10.10
● Please try addr6 with the addresses of the previous slide!
fgont@snow:~$ cat canonic.txt | addr6 i c
fc00:1::a0a:a0a
fc00:1::a0a:a0a
fc00:1::a0a:a0a
fc00:1::a0a:a0a
fc00:1::aa:aa
fc00:1::a0a:a0a
fc00:1::a0a:a0a
fc00:1::a0a:a0a

42
PHDays WII
IPv6 address types

PHDays WII
IPv6 address types
● The address type can be identified as follows:
Address Type IPv6 Prefix
Unspecified ::/128
Loopback ::1/128
Multicast FF00::/8
Link-local Unicast FE80::/10
Unique Local Unicast FC00::/7
Global Unicast (everything else)

44
PHDays WII
IPv6 address types
Unicast addresses

PHDays WII
IPv6 unicast addresses
● Global unicast
● Meant for communication on the public Internet
● Link-local unicast
● Meant for communication within a network link/segment
● Site-local unicast
● Deprecated (were meant to be valid only within a site)
● Unique Local unicast
● Are expected to be globally unique, but not routable on the public
Internet -- kind of equivalent to IPv4's private address space

PHDays WII
IPv6 Global Unicast Addresses
● A number of possibilities for generating the Interface ID:
● Embed the MAC address (traditional SLAAC)
● Embed the IPv4 address (e.g. 2001:db8::192.168.1.1)
● Low-byte (e.g. 2001:db8::1, 2001:db8::2, etc.)
● Wordy (e.g. 2001:db8::dead:beef)
● According to a transition/co-existence technology (6to4, etc.)
Global Routing Prefix Subnet ID Interface ID
| n bits | m bits | 128-n-m bits |

PHDays WII
IPv6 Link-local Unicast Addresses
● The Link-Local Unicast Prefix is fe80::/64
Link Local Unicast Prefix Interface ID
| 64 bits | 64 bits |

PHDays WII
IPv6 Unique Local Unicast Addresses
● Specified in RFC4193
● Identified by the prefix FC00::/7
● Special prefix, but otherwise syntax similar to that of global
unicast addresses
ULA Prefix Subnet ID Interface ID
| 48 bits | 16 bits | 64 bits |

PHDays WII
IIDs derived from link-layer addresses
● They are the result of traditional SLAAC
● IIDs derived from a link-layer address are constructed as
follows:
● Flip the U/L bit of the OUI (bit 1 of the most significant byte)
● Insert the word “0xfffe” in between the upper and lower 24-bits
IEEE OUI FF FE Lower 24 bits of MAC
| 24 bits | 16 bits | 24 bits |

PHDays WII
Temporary IIDs (based on RFC4941)
● They are the result of SLAAC
● Random IIDs that change over time
● Generated in addition to traditional SLAAC addresses
● Traditional addresses used for server-like communications
● Temporary addresses for client-like communications

PHDays WII
IIDs in MS Windows
● They are the result of SLAAC
● Microsoft replaced the MAC-address-based identifiers with
(non-standard) randomized IIDs
● Essentially RFC 4941, but they don't vary over time

PHDays WII
IIDs based on RFC7217
● Currently recommended algorithm for SLAAC stable addresses
● IIDs are generated as:
Hash(Prefix, Net_Iface, Network_ID, DAD_Count, Secret_Key)
● Where:
● Hash(): Cryptographically secure hash function
● Prefix: SLAAC or link-local prefix
● Net_Iface: some interface identifier
● Network_ID: e.g. the SSID of a wireless network
● DAD_Count: initialized to 0, and incremented by 1 upon collisions
● Secret_Key: unknown to the attacker (and randomly generated by
default)

PHDays WII
IIDs based on RFC7217 (II)
● As a host moves:
● Prefix and Network_ID change from one network to another
● But they remain constant within each network
● F() varies across networks, but remains constant within each network
● This results in addresses that:
● Are stable within the same subnet
● Have different Interface-IDs when moving across networks
● For the most part, they have “the best of both worlds”

PHDays WII
IIDs based on RFC7217 (III)
● Known implementations:
● Linux kernel v4.0
● NetworkManager v1.2.0-0.3.20151112gitec4d653.fc24
● dhcpcd 6.4.0
● OSes known to already ship with RFC7217:
● Mac OS Sierra
● Fedora

PHDays WII
IIDs embedding IPv4 addreses
● They are the result of manual configuration
● They simply embed an IPv4 address in the IID
● Convenient to deduce IPv6 address from IPv4 address!
● Two variants found in the wild:
● 2000:db8::192.168.0.1 <- Embedded in 32 bits
● 2000:db8::192:168:0:1 <- Embedded in 64 bits

PHDays WII
IIDs embedding service ports
● The IID embeds the service port
● 2001:db8::1:80 <- n:port
● 2001:db8::80:1 <- port:n
● Additionally, the service port can be encoded in hex vs. dec
● 2001:db8::80 vs. 2001:db8::50

PHDays WII
IIDs with small integers (“low-byte”)
● The IID is set to all-zeros, “except for the last byte”
● e.g.: 2000:db8::1
● Other variants have been found in the wild:
● 2001:db8::n1:n2 <- where n1 is typically greater than n2

60
PHDays WII
IPv6 address types
Multicast addresses

PHDays WII
IPv6 multicast addresses
● Identify a set of nodes
● Can be of different scopes (link-local, global, etc.)
● Some examples:
Multicast address Use
FF01:0:0:0:0:0:0:1 All nodes (interface-local)
FF01:0:0:0:0:0:0:2 All routers (interface-local)
FF02:0:0:0:0:0:0:1 All nodes (link-local)
FF02:0:0:0:0:0:0:2 All routers (link-local)
FF05:0:0:0:0:0:0:2 All routers (site-local)
FF02:0:0:0:0:1:FF00::/104 Solicited-Node
http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml

PHDays WII
IPv6 Multicast Groups
● On Linux:
ip -6 maddr show
● On FreeBSD:
ifmcstat
● On OpenBSD (after install):
ifmcstat

66
PHDays WII
IPv6 addressing
Processing IPv6 addresses

PHDays WII
Processing IPv6 addresses
● Given an IPv6 address:
● What's its canonic form?
● What's its type?
● What's its scope?
● etc.
● Given a set of addresses
● Filter addresses of specific properties
● Produce statistics to help locate additional potential targets

PHDays WII
Analyzing IPv6 Address Types
● The addr6 tool can analyze IPv6 addresses
● Example:
addr6 -a ADDRESS
● Format:
type=subtype=scope=IID_type=IID_subtype

PHDays WII
Practice: Analyzing IPv6 Address Types
● What is the type of these IPv6 addresses?
● fe80::1
● 2001:8a0:2104:ff:213:13:145:64
● 2400:cb00:2048:1::6ca2:c5ca
● fc00::1
● ::1
● ::
● ff02::1

PHDays WII
Filtering IPv6 addresses
● addr6 has a number of features to filter IPv6 addresses
● Filter duplicate addresses:
cat LIST.TXT | addr6 -i -q
● Only accept (or block) specific prefixes:
cat LIST.TXT | addr6 -i --accept 2001:db8::/16
cat LIST.TXT | addr6 -i --block 2001:db8::/16
● Accept (or block) address types:
cat LIST.TXT | addr6 -i --accept-type TYPE
cat LIST.TXT | addr6 -i --block-type TYPE
● Types: unicast, unspec, multicast

PHDays WII
Filtering IPv6 addresses
● Accept (or block) address scopes:
cat LIST.TXT | addr6 -i --accept-scope SCOPE
cat LIST.TXT | addr6 -i --block-scope SCOPE
● Scopes: interface, link, admin, site, local, global...
● Accept (or block) unicast address types:
cat LIST.TXT | addr6 -i --accept-utype TYPE
cat LIST.TXT | addr6 -i --block-utype TYPE
● Types: loopback, ipv4-compat, ipv4-mapped, link-local, site-local,
unique-local, 6to4, teredo, global

PHDays WII
Practice: Filtering IPv6 addresses
● Print all addresses that are NOT:
● global
● unicast

PHDays WII
Producing statistics
● Given a large set of addresses, producing stats may help to find
additional targets
● e.g., if the vast majority of the addresses contain a specific IID type
● The addr6 tool can produce such statistics
● Example:
cat LIST.TXT | addr6 -i -s

PHDays WII
Practice: Producing statistics
● What are the stats for our datasets?

76
PHDays WII
IPv6 Address Scanning

77
PHDays WII
Introduction

PHDays WII
Introduction
● Address scanning in IPv4 is typically “brute force”
● search space is so small we can get away with such a loosy job!
● Bruteforce approach simply unfeasible for IPv6
● search space would be too big (264 addresses)

PHDays WII
Approaching IPv6 address scanning
● Two (totally-different) problem areas:
● Local-network scans
● Remote-network scans
● Local-network scans rather easy
● Remote-network scans more challenging
● It is key to understant the IPv6 Addressing Architeture

80
PHDays WII
Local networks

PHDays WII
Overview
● Leverage IPv6 all-nodes link-local multicast address
● Employ multiple probe types:
● Normal multicasted ICMPv6 echo requests (don't work for Windows)
● Unrecognized options of type 10xxxxxx
● Combine learned IIDs with known prefixes to learn all
addresses
● Example:
# scan6 -i eth0 -L

82
PHDays WII
Remote networks

PHDays WII
Myths about address scanning
“Thanks to the increased
IPv6 address space, IPv6
host scanning attacks are
unfeasible. Scanning a /64
would take 500.000.000
years”
– Urban legend
Is the search space for a /64 really
264 addresses?

PHDays WII
Myths about address scanning (II)
● The feasibility of IPv6 address scanning depends on how the
IIDs are generated/selected
● Random IIDs → Search space 264 → unfeasible
● Some pattern → Search space < 264 → possibly feasible
● Number of aspects:
● Different possible IID generation algorithms/techniques
● Different algorithms/techniques employed in different scenarios

PHDays WII
IPv6 addresses in the real world
● Malone measured (*) the address generation policy of hosts and
routers in real networks
Address type Percentage
SLAAC 50%
IPv4-based 20%
Teredo 10%
Low-byte 8%
Privacy 6%
Wordy <1%
Others <1%
Address type Percentage
Low-byte 70%
IPv4-based 5%
SLAAC 1%
Wordy <1%
Privacy <1%
Teredo <1%
Others <1%
Hosts Routers
Malone, D., "Observations of IPv6 Addresses", Passive and Active Measurement Conference (PAM
2008, LNCS 4979), April 2008, <http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf>.

PHDays WII
Some take aways from Malone's work
● IPv6 addresses do follow patterns!
● Some limitations of Malone's work:
● Possibly dated results
– Widespread use of transition technologies for clients
– Widespread use of manual configuration for clients
● It does not contain data for servers
● This motivated our study on the topic

PHDays WII
Our experiment
● Find “a considerable number of IPv6 nodes” for address
analysis:
● Alexa Top-1M sites -> script6 -> addr6
● World IPv6 Launch Day site -> script6 -> addr6
● For each domain:
● AAAA records
● NS records -> AAAA records
● MX records -> AAAA records
● What did we find?

PHDays WII
IPv6 address distribution for the web

PHDays WII
IPv6 address distribution for mail servers

PHDays WII
IPv6 address distribution for the DNS

PHDays WII
Client addresses
● Caveats:
● Graphic illustrates IID types used for outgoing connections.
● No data about IID types used for stable addresses when RFC4941 is
employed.
Source: <http://www.internetsociety.org/blog/2013/05/ipv6-address-analysis-privacy-transition-out>

PHDays WII
Some take-aways from our study
● Server addresses clearly do follow patterns
● The majority of addresses follow patterns with a small search space
● Passive measurements on client addresses are of little use
● Due to IPv6 temporary addresses (RFC4941)

93
PHDays WII
Scanning remote networks

PHDays WII
IPv6 addresses embedding IEEE IDs
● In practice, the search space is at most ~224 bits – feasible!
● The low-order 24-bits are not necessarily random:
● An organization buys a large number of boxes
● In that case, MAC addresses are usually consecutive
● Consecutive MAC addresses are generally in use in geographically-
close locations
IEEE OUI FF FE Lower 24 bits of MAC
| 24 bits | 16 bits | 24 bits |
Known or guessable Known Unknown

PHDays WII
IPv6 addresses embedding IEEE IDs (II)
● Virtualization technologies present an interesting case
● Virtual Box employs OUI 08:00:27 (search space: 224)
● VMWare ESX employs:
● Automatic MACs: OUI 00:05:59, and next 16 bits copied from the low
order 16 bits of the host's IPv4 address (search space: ~28)
● Manually-configured MACs:OUI 00:50:56 and the rest in the range
0x000000-0x3fffff (search space: ~222)
● Examples:
# scan6 -d fc00::/64 -K 'Dell Inc' -v
# scan6 -d fc00::/64 -V vbox
# scan6 -d fc00::/64 -V vmware -Q 10.10.0.0/16

PHDays WII
IPv6 addresses embedding IPv4 addr.
● They simply embed an IPv4 address in the IID
● 2000:db8::192.168.0.1 <- Embedded in 32 bits
● 2000:db8::192:168:0:1 <- Embedded in 64 bits
● Search space: same as the IPv4 search space – feasible!
● Examples:
# scan6 -d fc00::/64 -B all -Q 10.10.0.0/16

PHDays WII
IPv6 addresses embedding service ports
● They simply embed the service port the IID
● 2001:db8::1:80 <- n:port
● 2001:db8::80:1 <- port:n
● Additionally, the service port can be encoded in hex vs. dec
● 2001:db8::80 vs. 2001:db8::50
● Search space: smaller than 28 – feasible!
● Example:
# scan6 -d fc00::/64 -g

PHDays WII
IPv6 “low-byte” addresses
● The IID is set to all-zeros, “except for the last byte”
● e.g.: 2000:db8::1
● Other variants have been found in the wild:
● 2001:db8::n1:n2 <- where n1 is typically greater than n2
● Search space: usually 28 or 216 – feasible!
● Example:
# scan6 -d fc00::/64 --tgt-low-byte

PHDays WII
scan6 coolness
● “What if I'm lazy enough to 'set' an appropriate address
pattern?”
● scan6 infers the address pattern for you!
● Example:
# scan6 d DOMAIN/64 v
# scan6 d IPv6_ADDRESS/64 v

PHDays WII
Some conclusions
● Brute-force IPv6 address scanning is unfeasible
● More heuristic scanning is possible
● Leveraging IPv6 address patterns
● Recent improvements in IPv6 addressing mitigate address
scanning
● Manually-configured nodes are likely to remain “vulnerable”to
address scanning

101
PHDays WII
IPv6 Host Tracking

PHDays WII
Host-tracking attacks
● Traditional IIDs are constant for each interface
● As the host moves, the prefix changes, but the IID doesn't
● the 64-bit IID results in a super-cookie!
● This introduces a problem not present in IPv4: host-tracking
● Example:
● In net #1, host configures address: 2001:db8:1::1111:22ff:fe33:4444
● In net #2, host configures address: 2001:db8:2::1111:22ff:fe33:4444
● The IID “1111:22ff:fe33:4444” leaks out host “identity”
● Given a target, host tracking can help locate such target in
a different network as it moves

PHDays WII
Host-tracking attacks (II)
● Passive attack:
● The victim connects to a server, and the server logs its IPv6 address
● Active attack:
● An attacker actively probes the client's address(es).
● Sample scenario for active host-tracking attack:
● Node is known to have the IID 1:2:3:4
● To check whether the node is at fc00:1::/64 or fc00:2::/64
● ping fc00:1::1:2:3:4 and fc00:2::1:2:3:4

PHDays WII
Host-tracking attacks (III)
● Active host-tracking with the scan6 tool:
# scan6 -m prefs.txt -w iids.txt -l -z 60 -t -v
# scan6 -d fc00:1::/64 -d fc00:2::/64 -W ::1:2:3:4

111
PHDays WII
IPv6 Extension Headers
In Network Reconnaissance

112
PHDays WII
Overview

PHDays WII
Processing the IPv6 header chain
● Implications for inspecting “boxes”:
● Large number of headers/options may have a negative impact on
performance
● Many routers can only look into a few dozen bytes into the packet
● It becomes harder (if at all possible) to enforce layer-4 ACLs
● Fragmentation represents similar challenge as in IPv4
● Potential benefits for network reconnaissance:
● Evasion

115
PHDays WII
In The Real World

PHDays WII
DO8
HBH8
FH512
Webservers Mailservers Nameservers
0
10
20
30
40
50
60
Alexa dataset: Packet Drop rate

PHDays WII
DO8
HBH8
FH512
Webservers Mailservers Nameservers
0
10
20
30
40
50
60
70
Alexa dataset: Drops by diff. AS

PHDays WII
So... what does this all mean?
● IPv6 EHs “not that cool” for evasion or reconnaissance
...at least when doing remote IPv6 network reconnaissance!

119
PHDays WII
Use in network reconnaissance

PHDays WII
path6: An EH-enabled traceroute
● How far do your IPv6 EH-enabled packets get?
● No existing traceroute tool supported IPv6 extension headers
● Hence we produced our path6 tool
● Supports IPv6 Extension Headers
● Can employ TCP, UDP, or ICMPv6 probes
● It's faster ;-)
● Example:
# path6 -u 100 -d fc00:1::1
Dst Opt Hdr

PHDays WII
path6: An EH-enabled traceroute (II)

PHDays WII
blackhole6: Finding IPv6 blackholes
● How it works?
● path6 without EHs + path6 with EHs + a little bit of magic
fgont@satellite:~$ sudo blackhole6 www.google.com do8
SI6 Networks IPv6 Toolkit v2.0
blackhole6: A tool to find IPv6 blackholes
Tracing www.google.com (2607:f8b0:400b:807::1012)...
Dst. IPv6 address: 2607:f8b0:400b:807::1012 (AS15169 GOOGLE Google
Inc.,US)
Last node (no EHs): 2607:f8b0:400b:807::1012 (AS15169 GOOGLE Google
Inc.,US) (13 hop(s))
Last node (DO 8): 2001:5a0:12:100::72 (AS6453 AS6453 TATA
COMMUNICATIONS (AMERICA) INC,US) (7 hop(s))
Dropping node: 2001:4860:1:1:0:1935:0:75 (AS15169 GOOGLE Google
Inc.,US || AS15169 GOOGLE Google Inc.,US)

PHDays WII
blackhole6: Methodology
● Given the output of path6 for no-EH and EHs:
No EHs With EHs
1. fc00:1:1:1000::1
2. fc00:1:1:2000::4
3. fc00:1:2:4000::1
4. fc00:2:1:4000::1
5. fc00:a:2:1000::1
6. fc00:a:4:4000::1
7. fc00:b:1:1000::1
8. fc00:b:2:5000::1
9. fc00:b:4:5000::1
10. fc00:d::1
1. fc00:1:1:1000::1
2. fc00:1:1:2000::4
3. fc00:1:2:4000::1
4. fc00:2:1:4000::1
5. fc00:a:2:1000::1
6. fc00:a:4:4000::1
DROP

PHDays WII
blackhole6: Methodology (II)
● We assume ingress filtering...
● Otherwise dropping node actually is M rather than M+1

PHDays WII
blackhole6: ASes
● Lookup ASN of dropping node, but...
● There may be ambiguity when finding the AS of the dropping
node:
● who provides the address space for the peering?

PHDays WII
blackhole6: ASes (II)
● Case 1: Address space provided by AS Y

PHDays WII
blackhole6: ASes (III)
● Case 2: Address space provided by AS X

128
PHDays WII
Port scanning
The basics

PHDays WII
IPv6-based TCP/UDP port scanning
● scan6 incorporates all known TCP and UDP port-scanning
techniques
● Specifying a protocol and port range:
portscan {tcp,udp}:port_low[port_hi]
● Specifying a TCP scan type:
tcpscantype {syn,fin,null,xmas,ack}
● Example:
portscan tcp:11024 tcpscantype syn

PHDays WII
TCP port scanning: Intro/Overview
● TCP connection-establishment in a nutshell:

PHDays WII
TCP port scanning: connect() scan
● Implements the full 3WHS
● Slow (requires two RTTs)
● Notifies the target application of the communication attempt
● Ties resources on both ends of the connection
● Not implemented in scan6

PHDays WII
TCP port scanning: SYN scan
● Does not implement the full 3WHS
● Send a SYN, process response packet
● SYN/ACK= Open, RST= Closed
● It is fast
● Does not tie resources on our end
● Implemented in scan6

PHDays WII
TCP port scanning: FIN, NULL, and XMAS
● Does not implement the full 3WHS
● Send a packet without A bit set, wait for response
● RST= Closed, Timeout= Open
● It is rather slow (need to wait for a timeout)
● Does not tie resources on an side
● Implemented in scan6

PHDays WII
TCP/UDP most popular ports
● scan6 can target the most frequently open ports
● All top ports for all protocols:
portscan all:top:all
● Top N of all protocols:
portscan all:top:N
● All TCP top ports:
portscan tcp:top:all
● Top N TCP ports
portscan tcp:top:N

135
PHDays WII
Port Scanning
EH-based IPv6 Idle Scan

PHDays WII
Idle scan: Introduction
● Stealth port scanning technique
● No need to contact the target with our Source Address
● Prevents easy tracing of the attacker
● The attacker only needs a host that employs predictable
Identification values.

PHDays WII
Idle scan: TCP 3WHS review
● Normal TCP 3WHS
Open Port Closed Port

PHDays WII
Idle scan: TCP 3WHS review
● TCP 3WHS with spoofed segments

PHDays WII
Idle scan “implementation”

PHDays WII
Idle scan: Challenge in IPv6
● Base IPv6 header does not contain a Frag ID
● Only way to exploit the Frag ID is when a FH is present
● But...How do we trigger/elicit fragmentation?

PHDays WII
IPv6 “atomic” fragments
● ICMPv6 PTB < 1280 triggers inclusion of a FH in all packets to
that destination (not actual fragmentation)
● Result: IPv6 atomic fragments (Frag. Offset=0, More Frag.=0)

PHDays WII
Handling of IPv6 atomic fragments
Operating System Atomic Frag. Support Improved processing
FreeBSD 8.0 No No
FreeBSD 8.2 Yes No
FreeBSD 9.0 Yes No
Linux 3.0.0-15 Yes Yes
NetBSD 5.1 No No
OpenBSD-current Yes Yes
Solaris 11 Yes Yes
Windows Vista (build 6000) Yes No
Windows 7 Home Premium Yes No

PHDays WII
Idle scan full implementation
ICMPv6

PHDays WII
Idle scan: nmap implementation
● IPv6 idle scan available in nmap version > vx.x
● Implementation by Mathias Morbitzer
● Example:

PHDays WII
Idle scan: My take :-)
● Idle scan is a cool idea
● The IPv6 version is even more “creative”
● However,
● Use of EHs makes probes unreliable
● Generation of IPv6 atomic fragments is being deprecated. See:
– RFC8021
– draft-ietf-6man-rfc2460bis

148
PHDays WII
Neighbor Discovery for IPv6

PHDays WII
Brief Overview
● ICMPv6 is a core protocol of the IPv6 suite, and is used for:
● Address Resolution (Neighbor Discovery)
● Stateless address auto-configuration (SLAAC)
● Fault isolation (ICMPv6 error messages)
● Troubleshooting (ICMPv6 informational messages)
● ICMPv6 is mandatory for IPv6 operation
● But some ICMP messages were already required for IPv4 operation, too!

PHDays WII
Brief Overview (II)
● StateLess Address AutoConfiguration (SLAAC):
● Routers advertise network configuration information via ICMPv6 Router
Advertisement messages
● Address Resolution
● Maps IPv6 addresses to link-layer addresses
● Employs ICMPv6 Neighbor Solicitation and Neighbor Advertisement
messages
● Analogous to IPv4's ARP

PHDays WII
ndisc6: Obtaining address mappings
● Can be used to send NS for a particular address
● Example:
$ ndisc6 fc00:1::1 eth0
Soliciting fc00:1::1 (fc00:1::1) on eth0...
Target link-layer address: 08:00:27:F9:73:04
from fe80::a00:27ff:fef9:7304

PHDays WII
rdisc6: Obtaining local routers
● Sends RS messages, and decodes RA responses
● Sample output:
# rdisc6 -v eth0
Soliciting ff02::2 (ff02::2) on eth0...
Hop limit : 64 ( 0x40)
Stateful address conf. : No
Stateful other conf. : No
Router preference : medium
Router lifetime : 30 (0x0000001e) seconds
Reachable time : unspecified (0x00000000)
Retransmit time : unspecified (0x00000000)
Prefix : fc00:1::/64
Valid time : 2592000 (0x00278d00) seconds
Pref. time : 604800 (0x00093a80) seconds
Source link-layer address: 00:4F:4E:12:88:0F
from fe80::24f:4eff:fe12:880f

153
PHDays WII
ICMPv6 Informational Messages

PHDays WII
● Echo Request/Echo response:
● Used to test node reachability (“ping6”)
● Widely supported, although disabled by default in some OSes
● Node Information Query/Response
● Specified by RFC 4620 as “Experimental”, but supported (and enabled
by default) in KAME.
● Not supported in other stacks
● Used to obtain node names or addresses.

155
PHDays WII
Node Information Query/Response

PHDays WII
Node Information Query/Response
● Specified in RFC 4620 as “Experimental”, but included (and
enabled by default) in KAME
● Allows nodes to request certain network information about a
node in a server-less environment
● Queries are sent with a target name or address (IPv4 or IPv6)
● Queried information may include: node name, IPv4 addresses, or IPv6
addresses
● Node Information Queries can be sent with the ping6 command
(“-w” and “-b” options)

PHDays WII
NI Query/Response: Examples
● Query node names
$ ping6 -w ff02::1%vic0
PING6(72=40+8+24 bytes) fe80::20c:29ff:feaf:194e%vic0 --> ff02::1%vic0
41 bytes from fe80::20c:29ff:feaf:194e%vic0: openbsd46.my.domain.
30 bytes from fe80::20c:29ff:fe49:ebdd%vic0: freebsd
--- ff02::1%vic0 ping6 statistics ---
3 packets transmitted, 3 packets received, +3 duplicates, 0.0% packet loss

PHDays WII
NI Query/Response: Examples (II)
● Use the NI multicast group
$ ping6 -I vic0 -a Aacgls -N freebsd
PING6(72=40+8+24 bytes) fe80::20c:29ff:feaf:194e%vic0 --> ff02::1%vic0
76 bytes from fe80::20c:29ff:fe49:ebdd%vic0:
fe80::20c:29ff:fe49:ebdd(TTL=infty)
::1(TTL=infty) fe80::1(TTL=infty)
::1(TTL=infty) fe80::1(TTL=infty)
::1(TTL=infty)
fe80::1(TTL=infty)
--- ff02::1%vic0 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss

159
PHDays WII
Obtaining AS-related info

PHDays WII
● Given an IPv6 address, the corresponding AS identifies the
corresponding organization
● script6 can query AS-related information:
script6 getas
script6 getasn

PHDays WII
● Example:
fgont@snow:~$ script6 getas 2800:3f0:4002:803::1014
15169 | 2800:3f0::/32 | AR | lacnic | 20091103
15169 | US | arin | 20000330 | GOOGLE Google Inc.,US

162
PHDays WII
DNS for IPv6 Network
Reconnaissance

PHDays WII
Introduction
● Most of this ground is well-known from the IPv4-world:
● DNS zone transfers
● DNS bruteforcing
● etc.
● DNS reverse-mappings particularly useful for “address
scanning”

PHDays WII
Get domains and IPv6 addresses
● script6 can do batch-processing of domain names
● Get IPv6 addresses:
$ cat domains.txt | script6 get-aaaa
● Get nameserver addresses:
$ cat domains.txt | script6 get-ns | script6
get-aaaa
● Get mailserver addresses:
$ cat domains.txt | script6 get-mx | script6
get-aaaa

PHDays WII
Bruteforce domain names
● script6 can bruteforce domain names and get the
corresponding AAAA records
● For a single domain:
$ script6 get-bruteforce-aaaa DOMAIN
● Pipelined:
$ cat domains.txt | script6 get-bruteforce-aaaa

PHDays WII
IPv6 DNS reverse mappings
● Technique:
● Given a zone X.ip6.arpa., try the labels [0-f].X.ip6.arpa.
● If an NXDOMAIN is received, that part of the “tree” should be ignored
● Otherwise, if NOERROR is received, “walk” that part of the tree
● Example (using dnsrevenum6 from THC-IPv6):
$ dnsrevenum6 DNSSERVER IPV6PREFIX

PHDays WII
THC-IPv6's dnsrevenum6

PHDays WII
Caveats for DNS reverse mappings
● Some DNS software responds with NOERROR for ENT (Empty
Non-Terminals)
● Please see draft-ietf-dnsop-nxdomain-cut

169
PHDays WII
Aplication-based IPv6 Network
Reconnaissance

PHDays WII
Application-based Network Recon
● Many application-layer protocol deal with domain-names or
IPv6 addresses
● Some applications even leave publicly trails of data exchanges
● Examples:
● P2P aplications
● email
● etc.

PHDays WII
Application-based Network Recon (II)
● Sample email header:
X-ClientAddr: 46.21.160.232
Received: from srv01.bbserve.nl (srv01.bbserve.nl [46.21.160.232])
by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id p93Ar0E4003196
for <fernando@gont.com.ar>; Mon, 3 Oct 2011 07:53:01 -0300
Received: from [2001:5c0:1000:a::943]
by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256)
(Exim 4.76)
(envelope-from <fgont@si6networks.com>)
id 1RAg8k-0000Qf-Hu; Mon, 03 Oct 2011 12:52:55 +0200
Message-ID: <4E8993FC.30600@si6networks.com>
Date: Mon, 03 Oct 2011 07:52:44 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23)
Gecko/20110922 Thunderbird/3.1.15
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
Subject: Prueba

178
PHDays WII
Some conclusions

PHDays WII
Some conclusions
● The IPv6 addressing architecture has required us to re-think
how we do address scans. This has led to:
● Improvements in scanning techniques
● Improvements in IPv6 addressing to mitigate these attacks
● As address scanning becomes less attractive, other techniques
become more relevant
● DNS reverse mappings comes to mind
● But others will likely be developed
● IPv6 is still a moving target: both for attack and for defense

180
PHDays WII
Questions?

PHDays WII
Thanks!
Fernando Gont
fgont@si6networks.com
IPv6 Hackers mailing-list
http://www.si6networks.com/community/
www.si6networks.com

Разведка в сетях IPv6

More Related Content

What's hot

Similar to Разведка в сетях IPv6

More from Positive Hack Days

Recently uploaded

Разведка в сетях IPv6