If you wish to reuse the content of this presentation, we ask you, for reasons of copyright protection, to apply proper source attribution.
17 juni 2014 | De Reehorst in Ede
Black Hat Sessions XII
INTELLIGENCE SERVICES
ESPIONAGE
PRIVACY
ORGANISED BY MADISON GURKHA
www.blackhatsessions.com
Your Security is Our Business
IPv6: new attack vector for intelligence
services and cyber criminals?
Sander Degen, Security researcher
Outline
Background
Why attack IPv6?
The project
Ways to attack IPv6
Duration: 45 min
Background
Me
You:
Technical
Know how communication protocols work
No IPv6 experts
Test: NAT / Hashing / DHCP / Rainbow table / ICMP / MitM / Multicast
English vs Dutch
Why attack IPv6
We’re living in an interconnected world
IPv6 is the network protocol of the ‘future’
"He who controls the network, controls the universe"
Especially if you can crack encryption
Current network & MitM attacks show how difficult it is to secure network access:
Rogue access points
False base stations
BYOD
Accessing the network through exploited systems
[Figure: percentage of ASes announcing IPv6. Source: http://v6asns.ripe.net/v/6]
The project
TNO aims to improve the competitiveness of businesses and organisations
Fewer security incidents == more competitiveness
Together with these security companies we set up a handbook for testing the security of IPv6 implementations: Fox-IT, ITsec, Madison Gurkha, Pine, Riscure
Financial support by the Ministry of Economic Affairs
https://www.tno.nl/downloads/testing_the_security_of_IPv6_implementations.pdf
Host discovery
Host discovery: intro
First step in identifying the attack vector
With IPv4 you can scan the entire range
With IPv6 this takes a while
[Figures: if the IPv4 address space is 1 cm², how big is the IPv6 address space? Scale factor shown: x 1 600 000. Source: NASA]
Host discovery: issues
Looking up (DNS) addresses / ranges
Check Google: https://encrypted.google.com/#q=site:*.acme.com
Check Netcraft: http://searchdns.netcraft.com/?host=acme.com&x=0&y=0
Check Hurricane Electric: http://bgp.he.net/search?search%5Bsearch%5D=acme&commit=Search
Host discovery: issues
DNS can be a goldmine
Zone transfer (probably not)
Step by step with DNSSEC & NSEC (unlikely): every NSEC record names the next owner in the zone, so the whole zone can be walked one query at a time
Step by step with DNSSEC & NSEC3 (unlikelier): owner names are hashed, so walking yields hashes, not names
Requires rainbow tables to analyse the hashes
Specific for the domain (the zone name is part of what is hashed)
Salt is periodically changed, which invalidates precomputed tables
Dictionary attack on subdomains
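Added example (not from the talk or the TNO handbook): walking a constructed NSEC chain and running a dictionary attack against NSEC3 owner hashes. The zone acme.example, its records, the salt and the wordlist are assumptions made for this demo; the nsec3_hash function follows RFC 5155 section 5 and, for the name "example." with salt aabbccdd and 12 iterations, reproduces the owner hash 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom from RFC 5155 Appendix A.

```python
# Added example (not from the talk): walking an NSEC chain, hashing names the
# way NSEC3 does (RFC 5155), and running a dictionary attack against the
# hashes. The zone "acme.example" and its records are constructed for this demo.
import base64
import hashlib

# Constructed NSEC chain for acme.example: owner name -> next owner name.
# Because every NSEC record names the next owner in canonical order, an
# attacker can enumerate the whole zone with one query per name.
NSEC_CHAIN = {
    "acme.example.": "intranet.acme.example.",
    "intranet.acme.example.": "mail.acme.example.",
    "mail.acme.example.": "vpn.acme.example.",
    "vpn.acme.example.": "www.acme.example.",
    "www.acme.example.": "acme.example.",  # last record points back to the apex
}


def walk_nsec(chain, apex):
    """Follow NSEC 'next owner' pointers from the apex until the chain wraps."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == apex:
            return names


def to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, zero terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt).
    The 20-byte result is rendered in base32hex (0-9 a-v), as in NSEC3 owner names."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")  # 20 bytes -> 32 chars, no padding
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def dictionary_attack(hashed_owners, zone, wordlist, salt_hex, iterations):
    """Recover names behind NSEC3 owner hashes by hashing candidate labels.
    The work has to be redone per zone and per salt, which is why generic
    rainbow tables stop helping once the salt is rotated."""
    hashed_owners = set(hashed_owners)
    found = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in hashed_owners:
            found[h] = candidate
    return found


if __name__ == "__main__":
    print(walk_nsec(NSEC_CHAIN, "acme.example."))
    salt, iters = "0102", 5  # constructed NSEC3PARAM values for the demo
    hashes = [nsec3_hash(n, salt, iters) for n in ("vpn.acme.example.", "mail.acme.example.")]
    print(dictionary_attack(hashes, "acme.example.", ["www", "vpn", "mail", "test"], salt, iters))
```

Running the dictionary attack a second time with a different salt finds nothing, which is the salt-rotation argument from the slide in code: the attacker's precomputation is tied to one zone and one salt value.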
Crashing a system
Crashing a system: intro
Best practices:
Do not crash, specifically not due to network traffic
Always a bug: fix & patch!
Goals:
Prevent DoS due to crashes
Crashing a system: issues
Crashing from bad reassembly
Flooding fragments with random ID and M (more) flags: every new ID opens another incomplete datagram that the receiver has to keep in its reassembly queue
FID | M flag | Offset
837 | More | 0
837 | No more | 100
Crashing a system: issues
Crashing from unlimited extension headers
Similar to the previous example, but different: building a packet that is > RAM
Crashing from flooding: Router Advertisements
SEND!
[Image source: amazon.com]
DoS reflector attacks
DoS reflector attacks: intro
Best practices:
Filter out bad packets
Prevent amplification / reflection of traffic:
If the source address can be spoofed (i.e. not TCP)
If the source address is a multicast address
Goals:
Prevent DoS
DoS reflector attacks: issues
ICMP (Internet Control Message Protocol) responses to a multicast destination address
[Diagram: M sends a PING (*) to a multicast address; every host A on the link answers with a PONG]
RFC 2463 (the ICMPv6 spec, since replaced by RFC 4443) forbids ICMPv6 error messages in reaction to a packet sent to a multicast address (the exceptions are Packet Too Big and Parameter Problem code 2); an Echo Reply to a multicast Echo Request is explicitly allowed, which is exactly what makes every answering host a reflector for a spoofed source
Seen on: Linux, my Xerox printer
DoS reflector attacks: issues
ICMP responses to a multicast source address
Also a problem, but a much smaller one
[Diagram: M sends a PING (A) with a multicast source address; the PONG (*) goes to the multicast group instead of back to M]
RFC 2463 (ICMPv6 spec) forbids this behaviour; a multicast address is never valid as a source address (RFC 4291), so such packets should simply be dropped
Seen on: Linux
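Added example (not from the talk): building an ICMPv6 Echo Request with a valid checksum, the packet that turns every host answering ff02::1 into a reflector, and encoding the RFC 4443 rules that decide when a node may answer at all. Addresses, the payload and the host list are constructed for the demo; the reference to the Linux sysctl net.ipv6.icmp.echo_ignore_multicast is an assumption about current kernels, not something the talk mentions.

```python
# Added example (not from the talk): ICMPv6 Echo Request construction and the
# RFC 4443 origination rules behind the reflector slides. Constructed data only.
import ipaddress
import struct

ICMPV6 = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4


def icmpv6_checksum(src, dst, message):
    """RFC 4443 section 2.3: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header 58) and the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident, seq, payload=b"bhs-2014"):
    """Echo Request (type 128) with the checksum filled in."""
    body = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + payload
    csum = icmpv6_checksum(src, dst, body)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_valid(src, dst, message):
    """Summing a message that already carries its checksum must give zero."""
    return icmpv6_checksum(src, dst, message) == 0


def may_originate(reply_type, reply_code, pkt_src, pkt_dst, pkt_was_icmp_error=False):
    """May a node send `reply_type` in reaction to a packet from pkt_src to pkt_dst?
    - Echo Reply: allowed even for a multicast Echo Request (section 4.2), but
      never towards a source that is not a unicast node (multicast/unspecified).
    - Error messages (type < 128): not for packets to a multicast destination
      (except Packet Too Big and Parameter Problem code 2), not for packets
      with a non-unicast source, never in reaction to another error (2.4 e)."""
    s, d = ipaddress.IPv6Address(pkt_src), ipaddress.IPv6Address(pkt_dst)
    if s.is_multicast or s.is_unspecified:
        return False
    if reply_type >= 128:
        return reply_type == ECHO_REPLY
    if pkt_was_icmp_error:
        return False
    if d.is_multicast:
        return (reply_type, reply_code) in {(PACKET_TOO_BIG, 0), (PARAM_PROBLEM, 2)}
    return True


def reflector_hosts(hosts, request_src, request_dst):
    """Which link hosts answer a (possibly spoofed) multicast Echo Request.
    'ignore_multicast_echo' models a host tuned not to answer group pings
    (assumption: on newer Linux, sysctl net.ipv6.icmp.echo_ignore_multicast=1)."""
    dst_mcast = ipaddress.IPv6Address(request_dst).is_multicast
    return [h["name"] for h in hosts
            if may_originate(ECHO_REPLY, 0, request_src, request_dst)
            and not (dst_mcast and h.get("ignore_multicast_echo"))]


if __name__ == "__main__":
    # Constructed scenario: M spoofs the victim's address and pings all-nodes.
    victim, all_nodes = "2001:db8::bad", "ff02::1"
    pkt = build_echo_request(victim, all_nodes, 0x1234, 1)
    print(pkt.hex(), checksum_valid(victim, all_nodes, pkt))
    hosts = [{"name": "linux"}, {"name": "printer"},
             {"name": "hardened", "ignore_multicast_echo": True}]
    print(reflector_hosts(hosts, victim, all_nodes))
```

The same checksum routine works for the reply direction, so a capture can be validated offline; the pseudo-header is part of the sum, which is why a packet re-sourced by a spoofer without recomputing the checksum fails validation.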
Outside access to LAN
Outside access to LAN: intro
Best practices:
Don't trust external systems
Filter with firewalls & IPSs
Process IPv6 packets correctly
Goals:
Prevent access to systems (out->in)
Prevent data leakage (in->out)
Outside access to LAN: issues
No filtering enabled
IPv6 removes the need for NAT (Network Address Translation, the poor man's firewall)
No more NAT = no more firewall
No filtering of IPv6 traffic, because the firewall rules are aimed at IPv4 and IPv6 isn't explicitly blocked
No filtering of IPv6 traffic in IPv4 tunnels (in <-> out)
Teredo offers IPv6 internet access to IPv4 hosts
Other tunnels are SixXS, Gogo6client etc.
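Added example (not from the talk): the tunnelled IPv6 the slide warns about does leave fingerprints in IPv4 logs. This decodes the IPv4 endpoints embedded in Teredo (RFC 4380) and 6to4 (RFC 3056) addresses and flags the IPv4 flows that carry IPv6 inside them. The flow records are constructed; the Teredo address used in the usage section is the well-known documentation example (server 65.54.227.120, client 192.0.2.45, port 40000).

```python
# Added example (not from the talk): spot IPv6 that arrives inside IPv4 tunnels,
# which rules written for plain IPv4 never see. Constructed flow records only.
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def decode_tunnel_address(addr):
    """Return the IPv4 endpoints hidden in a Teredo or 6to4 address, or None."""
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if a in TEREDO_PREFIX:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        server = ipaddress.IPv4Address(raw[4:8])
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return {"tunnel": "teredo", "server": str(server), "client": str(client),
                "client_port": port, "cone_nat": bool(flags & 0x8000)}
    if a in SIXTOFOUR_PREFIX:
        # 2002:<v4>::/48 - the embedded IPv4 address is the tunnel endpoint
        return {"tunnel": "6to4", "client": str(ipaddress.IPv4Address(raw[2:6]))}
    return None


def tunnelled_ipv4_flows(flows):
    """Pick out IPv4 flows that carry IPv6 and so need explicit firewall rules:
    IP protocol 41 (6in4 / 6to4 / ISATAP) and UDP port 3544 (Teredo)."""
    hits = []
    for f in flows:
        if f["proto"] == 41:
            hits.append((f["src"], f["dst"], "ip-proto-41"))
        elif f["proto"] == 17 and 3544 in (f["sport"], f["dport"]):
            hits.append((f["src"], f["dst"], "teredo-udp-3544"))
    return hits


# Constructed flow records, shaped like a NetFlow export or a firewall log.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "65.54.227.120", "proto": 17, "sport": 51234, "dport": 3544},
    {"src": "10.1.2.4", "dst": "192.88.99.1", "proto": 41, "sport": 0, "dport": 0},
    {"src": "10.1.2.5", "dst": "93.184.216.34", "proto": 6, "sport": 40000, "dport": 443},
]

if __name__ == "__main__":
    print(decode_tunnel_address("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(decode_tunnel_address("2002:c000:204::1"))
    print(tunnelled_ipv4_flows(SAMPLE_FLOWS))
```

A firewall that only has IPv4 rules should at least block protocol 41 and UDP/3544 at the perimeter unless a tunnel is deliberately in use; the decoder shows why the inner IPv6 source is not a random address but one that names its own IPv4 origin.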
Outside access to LAN: issues
Incorrect handling of overlapping fragments allows bypassing of the firewall
TCP handshake: SYN -> SYN,ACK -> ACK
[Diagram: two fragments with the same fragment ID. One carries a TCP header with S,A: "SA = response to a connection = pass through". The other carries a TCP header with S at the same offset: "S = belongs to the same fragment as an allowed packet = pass through". Both are accepted by the firewall; after reassembly at the host, the overlapping fragment wins and the host sees a SYN the firewall would never have passed on its own.]
RFC 5722 requires a receiver to drop the whole datagram when fragments overlap; firewalls should reassemble (or at least apply the same rule) before deciding
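Added example (not from the talk): a small IPv6 fragment model covering two slides at once, the overlapping-fragment firewall bypass above and the random-ID fragment flood from the "Crashing a system" slides. It shows a firewall that lets a later overlapping fragment ride on the decision taken for the first one, a host reassembler with a "last fragment wins" policy beside the RFC 5722 policy, and a reassembly table that caps pending datagrams. Fragment IDs, ports, the 24-byte TCP header and the policies are all constructed for the demo.

```python
# Added example (not from the talk): IPv6 fragment handling, the overlapping
# fragment bypass and the random-ID reassembly flood. Constructed data only.
import random
import struct

NH_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def tcp_header(sport, dport, flags):
    """24-byte TCP header (20 bytes + NOP,NOP,NOP,EOL options) so a non-final
    fragment can carry it whole and still be a multiple of 8 bytes. The TCP
    checksum is left zero; nothing here verifies it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, flags, 65535, 0, 0) + b"\x01\x01\x01\x00"


def fragment(ident, offset, more, payload, next_header=NH_TCP):
    """Fragment header (RFC 8200 section 4.5): next header, reserved, 13-bit
    offset in 8-octet units, 2 reserved bits, M flag, 32-bit identification."""
    assert offset % 8 == 0 and (not more or len(payload) % 8 == 0)
    return struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | int(more), ident) + payload


def parse_fragment(buf):
    nh, _, off_m, ident = struct.unpack("!BBHI", buf[:8])
    return {"nh": nh, "id": ident, "offset": (off_m >> 3) * 8, "more": bool(off_m & 1), "data": buf[8:]}


def fragment_firewall(frags):
    """Stateless filter as on the slide: a first fragment whose TCP flags read
    SYN+ACK looks like the reply to an outbound connection, so it passes; any
    later fragment with the same ID 'belongs to an allowed packet' and passes too."""
    allowed, passed = set(), []
    for f in frags:
        if f["offset"] == 0 and len(f["data"]) >= 14 and f["data"][13] == TCP_SYN | TCP_ACK:
            allowed.add(f["id"])
        if f["id"] in allowed:
            passed.append(f)
    return passed


def reassemble(frags, policy):
    """policy 'last-wins': overlapping bytes are overwritten by the later fragment.
    policy 'rfc5722': any overlap discards the whole datagram (RFC 5722)."""
    buf = {}
    for f in frags:
        span = range(f["offset"], f["offset"] + len(f["data"]))
        if policy == "rfc5722" and any(i in buf for i in span):
            return None
        buf.update(zip(span, f["data"]))
    if sorted(buf) != list(range(len(buf))):  # holes left: still incomplete
        return None
    return bytes(buf[i] for i in range(len(buf)))


class Reassembler:
    """Per-host reassembly table with a cap on pending (incomplete) datagrams,
    so fragments with random IDs cannot make it grow without bound."""

    def __init__(self, policy, max_pending=64):
        self.policy, self.max_pending, self.pending = policy, max_pending, {}

    def feed(self, f):
        if f["id"] not in self.pending and len(self.pending) >= self.max_pending:
            self.pending.pop(next(iter(self.pending)))  # evict the oldest entry
        self.pending.setdefault(f["id"], []).append(f)
        if not f["more"]:  # last fragment seen: try to complete the datagram
            return reassemble(self.pending.pop(f["id"]), self.policy)
        return None


def overlapping_fragment_attack():
    """Two fragments with ID 837: SYN+ACK first, then a SYN over the same bytes."""
    return [parse_fragment(fragment(837, 0, True, tcp_header(443, 51000, TCP_SYN | TCP_ACK))),
            parse_fragment(fragment(837, 0, False, tcp_header(443, 51000, TCP_SYN)))]


def tcp_flags_after(policy):
    """TCP flags the end host sees once the firewall and its own reassembly are done."""
    host, result = Reassembler(policy), None
    for f in fragment_firewall(overlapping_fragment_attack()):
        result = host.feed(f) or result
    return None if result is None else result[13]


def random_id_flood(n, max_pending=64):
    """Send n first fragments with random IDs and M=1; report how many
    incomplete datagrams the host is still holding afterwards."""
    host = Reassembler("rfc5722", max_pending)
    for _ in range(n):
        host.feed(parse_fragment(fragment(random.getrandbits(32), 0, True, b"\x00" * 8)))
    return len(host.pending)


if __name__ == "__main__":
    print("last-wins host sees flags", hex(tcp_flags_after("last-wins")))
    print("rfc5722 host sees", tcp_flags_after("rfc5722"))
    print("pending after flood:", random_id_flood(1000))
```

With the "last-wins" policy the host ends up with flags 0x02, a bare SYN, even though the firewall only ever approved a SYN+ACK; with the RFC 5722 policy the datagram is discarded. The cap in the reassembler is the other half of the slide: without it, the flood leaves one incomplete datagram per random ID in memory.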
Inside access to LAN
Inside access to LAN: intro
Best practices:
Don't trust internal systems
Filter with switches
Think 'RA Guard'
Goals:
Prevent DoS (in->in)
Prevent MitM (in->in->out)
Inside access to LAN: issues
Rogue DHCPv6 server
May give out bad IP addresses: DoS
ICMPv6 Redirect packets
Target-specific MitM
[Diagram: M sends A a Redirect "B => M"; from then on A sends its traffic for B to M, which forwards it to B (steps 1-4)]
Inside access to LAN: issues
Rogue router advertisement packets
Configure hosts with a bad default gateway: MitM
"RA guard" - RFC 6105
Where hosts get their configuration from (messy):
Item | DHCP(v4) | DHCP(v6) | SLAAC RA
Host address | Yes | Yes | Yes (privacy extension!)
Default gateway | Yes | No | Yes
DNS info | Yes | Yes | Sort of *
* ND RDNSS, not supported in default Windows
[Image source: www.elgrafico.com.ar]
Inside access to LAN: issues
Rogue Neighbour Solicitation packets ("What's the MAC of IP X?")
Bad client can reply to all NDs => MitM
Bad client can flood the neighbour cache => DoS
Rogue Duplicate Address Detection packets
System can't find an unused IP to use => DoS
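Added example (not from the talk): the checks a switch running RA Guard (RFC 6105) and a host validating a Redirect (RFC 4861 section 8.1) apply before acting on router-only ND messages, covering the Redirect, rogue RA and RA Guard slides above. Packets, port numbers and addresses are constructed for the demo, and ICMPv6 checksums are left zero because nothing here verifies them.

```python
# Added example (not from the talk): RA Guard at the switch and Redirect
# validation at the host, over constructed ND packets.
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERT, NEIGHBOR_SOLICIT, REDIRECT = 134, 135, 137


def icmpv6_packet(src, dst, hop_limit, icmp_type, body=b""):
    """Minimal IPv6 header + ICMPv6 header (checksum field left zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def redirect_packet(src, dst, hop_limit, target, destination):
    """Redirect body: 4 reserved bytes, target (new next hop), destination."""
    body = b"\x00" * 4 + ipaddress.IPv6Address(target).packed + ipaddress.IPv6Address(destination).packed
    return icmpv6_packet(src, dst, hop_limit, REDIRECT, body)


def parse(pkt):
    _, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    p = {"nh": nh, "hlim": hlim, "src": ipaddress.IPv6Address(pkt[8:24]),
         "dst": ipaddress.IPv6Address(pkt[24:40]), "type": None, "code": None}
    if nh == ICMPV6 and len(pkt) >= 44:
        p["type"], p["code"] = pkt[40], pkt[41]
    if p["type"] == REDIRECT and len(pkt) >= 80:
        p["target"] = ipaddress.IPv6Address(pkt[48:64])
        p["destination"] = ipaddress.IPv6Address(pkt[64:80])
    return p


def ra_guard(ingress_port, pkt, router_ports):
    """Switch-side RA Guard: RAs and Redirects are accepted only from ports where
    a router is known to live, and only with the link-local source and hop
    limit 255 that RFC 4861 requires of link-originated ND messages."""
    p = parse(pkt)
    if p["type"] not in (ROUTER_ADVERT, REDIRECT):
        return "forward"
    if ingress_port not in router_ports:
        return "drop: router message on host port"
    if p["hlim"] != 255:
        return "drop: hop limit != 255 (not link-originated)"
    if not p["src"].is_link_local:
        return "drop: source not link-local"
    return "forward"


def host_accepts_redirect(pkt, first_hop_router):
    """RFC 4861 section 8.1 validation a host performs on a received Redirect."""
    p = parse(pkt)
    if p["type"] != REDIRECT or "target" not in p:
        return False, "not a complete Redirect"
    if p["hlim"] != 255:
        return False, "hop limit != 255"
    if not p["src"].is_link_local:
        return False, "source not link-local"
    if p["code"] != 0:
        return False, "code != 0"
    if p["destination"].is_multicast:
        return False, "destination is multicast"
    if p["src"] != ipaddress.IPv6Address(first_hop_router):
        return False, "sender is not my current first hop for the destination"
    if not (p["target"].is_link_local or p["target"] == p["destination"]):
        return False, "target is neither link-local nor the destination itself"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed scenario: the real router sits on port 1; attacker M (fe80::bad) on port 7.
    ROUTER_PORTS = {1}
    print(ra_guard(7, icmpv6_packet("fe80::bad", "ff02::1", 255, ROUTER_ADVERT), ROUTER_PORTS))
    print(ra_guard(1, icmpv6_packet("fe80::1", "ff02::1", 255, ROUTER_ADVERT), ROUTER_PORTS))
    rogue = redirect_packet("fe80::bad", "2001:db8::a", 255, "fe80::bad", "2001:db8::b")
    print(host_accepts_redirect(rogue, first_hop_router="fe80::1"))
```

The "sender is my current first hop" check is the one that defeats the Redirect MitM on the slide: M can forge every field of the message, but it cannot be the router A is already using for B. RA Guard adds the port-level check for RAs that a host cannot make itself.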
Inside access to LAN: issues
SEND? (SEcure Neighbour Discovery)
Requires the (src) IP to be bound to a key generated by the same host (cryptographically generated addresses, RFC 3971/3972)
Trade-off between DoS and DoS
[Diagram: without SEND, both V and the attacker can claim cafe::face towards A, so A cannot tell them apart; with SEND, cafe::face is bound to the host that generated it and M's claim is rejected (X)]
Extra topics:
Deprecated feature support: source routing (routing header type 0), site-local addressing
Limiting based on 1 IP address: an attacker has plenty of addresses available!
Amplification with DNS, but DNSSEC is the bigger issue here
No null routing for unused address space
TCAM exhaustion in switches
Questions / Discussion