If you wish to reuse the content of this presentation, we ask you, for reasons of copyright protection, to cite the source correctly.

17 June 2014 | De Reehorst in Ede
Black Hat Sessions XII, organised by Madison Gurkha (www.blackhatsessions.com)
Conference theme: intelligence services, espionage, privacy

IPv6: new attack vector for intelligence services and cyber criminals?
Sander Degen, Security researcher

Outline (45 minutes)
- Background
- Why attack IPv6?
- The project
- Ways to attack IPv6

Background
- Me and you: technical, know how communication protocols work, no IPv6 experts
- Quick test of terms you should know: NAT / hashing / DHCP / rainbow table / ICMP / MitM / multicast
- English vs Dutch (language of the talk)

Why attack IPv6?
- We're living in an interconnected world
- IPv6 is the network protocol of the 'future'
- "He who controls the network, controls the universe", especially if you can crack encryption
- Current network and MitM attacks show how difficult it is to secure network access:
  - Rogue access points
  - False base stations
  - BYOD
  - Accessing the network through exploited systems

Percentage of IPv6-announcing ASes (chart; source: http://v6asns.ripe.net/v/6)

The project
- TNO aims to improve the competitiveness of businesses and organisations; fewer security incidents == more competitiveness
- Together with these security companies we set up a handbook for testing the security of IPv6 implementations: Fox-IT, ITsec, Madison Gurkha, Pine, Riscure
- Financial support by the Ministry of Economic Affairs
- https://www.tno.nl/downloads/testing_the_security_of_IPv6_implementations.pdf

Host discovery: intro
- First step in identifying the attack vector
- With IPv4 you can scan the entire range; with IPv6 this takes a while (a single /64 alone holds 2^64 addresses)
- If the IPv4 address space were 1 cm², how big would the IPv6 address space be? (figure follows)
(slide figure comparing the two address spaces, residue "9 X 1 600 000"; image source: NASA)

Host discovery: issues
- Looking up (DNS) addresses and ranges:
  - Google: https://encrypted.google.com/#q=site:*.acme.com
  - Netcraft: http://searchdns.netcraft.com/?host=acme.com&x=0&y=0
  - Hurricane Electric: http://bgp.he.net/search?search%5Bsearch%5D=acme&commit=Search
- DNS can be a goldmine:
  - Zone transfer (probably not)
  - Walking the zone step by step with DNSSEC & NSEC (unlikely)
  - Walking the zone step by step with DNSSEC & NSEC3 (even less likely): the owner names are hashed, so you need rainbow tables to analyse the hashes, and those tables are specific to the domain because the hash is salted and the salt is periodically changed
  - Dictionary attack on subdomains

Crashing a system: intro
- Best practices: do not crash, specifically not because of network traffic; a crash is always a bug: fix & patch!
- Goal: prevent DoS due to crashes

Crashing a system: issues
- Crashing from bad reassembly: flooding fragments with random ID and M (more) flag, for example
    Fragment ID | M flag  | Offset
    837         | More    | 0
    837         | No more | 100
- Crashing from unlimited extension headers: similar to the previous example, but different
  - Building a packet that is larger than RAM
- Crashing from flooding Router Advertisements. SEND!
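The NSEC3 point in the host-discovery slides above (a rainbow table is tied to one zone's salt and expires when the salt rolls) and the dictionary attack on subdomains, worked through as an added example. This is not code from the talk or from the TNO handbook; the only real vector used is the RFC 5155 Appendix A zone parameters (salt aabbccdd, 12 iterations), and the "collected" hashes, the word list and the `demo()` scenario are constructed for illustration.

```python
"""Added example (not code from the talk or the TNO handbook): the NSEC3
owner-name hash of RFC 5155 and an offline dictionary attack on collected
NSEC3 hashes.  Inputs are constructed; the only real vector is the RFC 5155
Appendix A zone parameters (salt aabbccdd, 12 iterations)."""
import hashlib

_BASE32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 s7 alphabet, lowercase


def _wire_name(name):
    """Canonical wire format (lowercase, fully qualified) that RFC 5155 s5 hashes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"


def _base32hex(digest):
    """Unpadded Base32 Extended Hex; a 20-byte SHA-1 digest is exactly 32 chars."""
    bits = len(digest) * 8
    if bits % 5:
        raise ValueError("digest length must be a multiple of 5 bits")
    n = int.from_bytes(digest, "big")
    return "".join(_BASE32HEX[(n >> shift) & 31] for shift in range(bits - 5, -1, -5))


def nsec3_hash(owner_name, salt, iterations):
    """RFC 5155 s5: IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt);
    the owner hash is IH(iterations), i.e. iterations + 1 SHA-1 calls."""
    h = hashlib.sha1(_wire_name(owner_name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return _base32hex(h)


def crack_nsec3(collected_hashes, zone, wordlist, salt, iterations):
    """Hash every candidate label under the zone's current salt/iterations and
    report which collected NSEC3 owner hashes it explains: {hash: name}.
    A table built this way is useless for another zone, and for this zone
    as soon as the operator rolls the salt."""
    wanted = {h.lower() for h in collected_hashes}
    zone = zone.rstrip(".")
    hits = {}
    for label in wordlist:
        name = zone if label in ("", "@") else "%s.%s" % (label, zone)
        h = nsec3_hash(name, salt, iterations)
        if h in wanted:
            hits[h] = name
    return hits


def demo():
    """Constructed scenario: three owner hashes 'collected' from NXDOMAIN
    responses of a zone using the RFC 5155 example parameters, attacked with
    a six-word list.  Returns {hash: recovered name}."""
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    collected = {nsec3_hash(n, salt, iterations)
                 for n in ("ns1.example", "mail.example", "secret-host.example")}
    wordlist = ["www", "mail", "ns1", "ns2", "vpn", "secret-host"]
    return crack_nsec3(collected, "example", wordlist, salt, iterations)


if __name__ == "__main__":
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))  # RFC 5155 Appendix A apex hash
    print(demo())
```

The cost of the attack is one SHA-1 chain per candidate per salt; raising the iteration count only multiplies that linearly, which is why the real protection is the per-zone salt and rolling it, not the iteration count.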
(slide image source: amazon.com)

DoS reflector attacks: intro
- Best practices: filter out bad packets; prevent amplification / reflection of traffic
  - if the source address can be spoofed (anything that is not TCP)
  - if the source address is a multicast address
- Goal: prevent DoS

DoS reflector attacks: issues
- ICMPv6 (Internet Control Message Protocol) responses to a multicast destination address: one Echo Request sent to the group (*: PING) gets a reply from every member (A: PONG), which is the amplification. Observed on Linux and on my Xerox printer. The slide cites RFC 2463 as forbidding this; note that RFC 4443, which obsoletes RFC 2463, actually says an Echo Reply SHOULD be sent to a multicast Echo Request (from a unicast source address). What section 2.4(e) forbids is ICMPv6 error messages in response to multicast-destined packets, so the check here is whether hosts answer multicast pings at all and whether they send errors.
- ICMPv6 responses to a multicast source address: also a problem, but a much smaller one. M sends A an Echo Request whose source is a multicast address (A: PING); A answers to the group (*: PONG). A multicast address is never valid as a source (RFC 4291), and RFC 4443 section 2.4(e) forbids error messages to a source that does not identify a single node; such packets must be dropped silently. Observed on Linux.

Outside access to LAN: intro
- Best practices: don't trust external systems; filter with firewalls & IPSs; process IPv6 packets correctly
- Goals: prevent access to systems (out->in); prevent data leakage (in->out)

Outside access to LAN: issues
- No filtering enabled: IPv6 removes the need for NAT (Network Address Translation, the poor man's firewall); no more NAT = no more firewall
- No filtering of IPv6 traffic, because the firewall rules are aimed at IPv4 and IPv6 isn't explicitly blocked
- No filtering of IPv6 traffic inside IPv4 tunnels (in->out): Teredo offers IPv6 internet access to IPv4 hosts; other tunnels are SixXS, the gogo6 client, etc.
- Incorrect handling of overlapping fragments allows bypassing the firewall. Two fragments carry the same fragment ID: the first holds a TCP SYN/ACK ("SA = response to a connection = pass through"), the second holds a TCP SYN that overlaps it ("S = belongs to the same fragment as an allowed packet = pass through"). Both are accepted; if the host's reassembly lets the later fragment win, the host sees an unsolicited inbound SYN, the first step of the TCP handshake (SYN, SYN/ACK, ACK). RFC 5722 requires hosts to discard datagrams with overlapping fragments.

Inside access to LAN: intro
- Best practices: don't trust internal systems; filter with switches (think 'RA Guard')
- Goals: prevent DoS (in->in); prevent MitM (in->in->out)

Inside access to LAN: issues
- Rogue DHCPv6 server: may give out bad IP addresses: DoS
- ICMPv6 Redirect packets: target-specific MitM. The attacker M sends A a Redirect claiming "B => M" (B is reachable via M); A then sends its traffic for B to M, which relays it on to B.
- Rogue Router Advertisement packets: configure hosts with a bad default gateway: MitM. Countermeasure: "RA Guard" (RFC 6105).
  What each mechanism can configure on a host:
    Parameter       | DHCP(v4) | DHCP(v6) | SLAAC / RA
    Host address    | Yes      | Yes      | Yes (privacy extensions!)
    Default gateway | Yes      | No       | Yes
    DNS info        | Yes      | Yes      | Sort of (ND RDNSS, not supported in a default Windows install *)
  Messy. (slide image source: www.elgrafico.com.ar)
- Rogue Neighbour Solicitation/Advertisement packets ("What's the MAC of IP X?"): a bad client can answer every ND query with its own MAC => MitM; a bad client can flood the neighbour cache => DoS
- Rogue Duplicate Address Detection packets: every address a system tries is reported as in use, so it can't find an unused IP => DoS
- SEND? (SEcure Neighbour Discovery, RFC 3971): a host's address must be a Cryptographically Generated Address (RFC 3972), whose interface identifier is derived from a hash of the host's own public key, and its ND messages are signed with that key, so only the key holder can claim the address. Without SEND the victim V and the attacker M can both claim cafe::face and A cannot tell them apart; with SEND, M's claim for cafe::face fails verification (X). Trade-off between DoS and DoS: every receiver now performs public-key verification on incoming ND traffic, which is itself something an attacker can flood.

Extra topics
- Deprecated feature support: source routing (Routing Header type 0), site-local addressing
- Rate limiting based on a single IP address: a host has plenty of addresses available!
- Amplification with DNS, but DNSSEC is the bigger issue here
- No null routing for unused address space
- TCAM exhaustion in switches

Questions / Discussion
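The fragment table in "Crashing a system" (ID 837, one fragment with M set, one without) and the overlapping-fragment firewall bypass in "Outside access to LAN", worked through as one added example. This is not code from the talk or from the TNO handbook: the packet bytes, the port numbers, the address pair and the `naive_firewall_allows` model are constructed for illustration, and `BoundedReassembler` is my illustration of the defence against the random-ID fragment flood, not any stack's actual implementation.

```python
"""Added example (not code from the talk or the TNO handbook): IPv6 fragment
header encoding, a toy reassembler with selectable overlap policy, and a
bounded reassembly table.  Packets, addresses and the firewall model are
constructed in memory; nothing is sent on a network."""
import struct

FRAG_HDR_LEN = 8
NEXT_HEADER_TCP = 6
TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10


def encode_fragment_header(next_header, offset_units, more, ident):
    """Fragment extension header (RFC 8200 s4.5): Next Header, Reserved,
    13-bit offset in 8-octet units | 2 reserved bits | M flag, 32-bit ID."""
    if not 0 <= offset_units < (1 << 13):
        raise ValueError("fragment offset must fit in 13 bits")
    return struct.pack("!BBHI", next_header, 0,
                       (offset_units << 3) | (1 if more else 0), ident & 0xFFFFFFFF)


def decode_fragment_header(raw):
    """Parse a fragment header; offset is returned in bytes."""
    nh, _reserved, off_m, ident = struct.unpack("!BBHI", raw[:FRAG_HDR_LEN])
    return {"next_header": nh, "offset": (off_m >> 3) * 8,
            "more": bool(off_m & 1), "id": ident, "payload": raw[FRAG_HDR_LEN:]}


def tcp_header(sport, dport, flags):
    """20-byte TCP header with dummy seq/ack/window and a zero checksum;
    enough for a filter that only looks at ports and flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)


def naive_firewall_allows(frag):
    """Stateless filter as described in the talk: a first fragment (offset 0)
    passes only if it looks like a reply (ACK set); any later fragment passes
    because it carries no L4 header to match a rule against."""
    if frag["offset"] != 0:
        return True
    return bool(frag["payload"][13] & TCP_FLAG_ACK)


def reassemble(frags, policy="rfc5722"):
    """Join fragments that share one ID.  On a byte covered twice, 'first'
    keeps the earlier fragment, 'last' the later one, 'rfc5722' discards the
    whole datagram as RFC 5722 requires.  Returns bytes, or None when the
    datagram is incomplete or discarded."""
    buf, total = {}, None
    for f in frags:
        if not f["more"]:
            total = f["offset"] + len(f["payload"])
        for i, b in enumerate(f["payload"]):
            pos = f["offset"] + i
            if pos in buf:
                if policy == "rfc5722":
                    return None
                if policy == "first":
                    continue
            buf[pos] = b
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


class BoundedReassembler:
    """Incomplete datagrams keyed by (src, dst, id).  The flood of fragments
    with random IDs and M=1 from the talk would grow an unbounded table until
    memory runs out, so new IDs are refused once max_contexts is reached.
    (Per-context timeouts are not modelled.)"""
    def __init__(self, max_contexts=64, policy="rfc5722"):
        self.max_contexts, self.policy, self.contexts = max_contexts, policy, {}

    def add(self, src, dst, raw):
        f = decode_fragment_header(raw)
        key = (src, dst, f["id"])
        if key not in self.contexts and len(self.contexts) >= self.max_contexts:
            return None                      # table full: refuse, allocate nothing
        self.contexts.setdefault(key, []).append(f)
        done = reassemble(self.contexts[key], self.policy)
        if done is not None:
            del self.contexts[key]           # complete: free the slot
        return done


def bypass_demo(policy):
    """The two-fragment sequence from the talk (fragment ID 837): fragment A is
    a TCP SYN/ACK, fragment B overlaps TCP bytes 8..23 with a SYN-only header.
    Returns what the filter decided and which TCP flags the host ends up with."""
    syn_ack = tcp_header(443, 22, TCP_FLAG_SYN | TCP_FLAG_ACK) + b"\0" * 4   # 24 bytes
    syn_only = tcp_header(443, 22, TCP_FLAG_SYN) + b"\0" * 4
    frag_a = encode_fragment_header(NEXT_HEADER_TCP, 0, True, 837) + syn_ack
    frag_b = encode_fragment_header(NEXT_HEADER_TCP, 1, False, 837) + syn_only[8:24]
    frags = [decode_fragment_header(frag_a), decode_fragment_header(frag_b)]
    allowed = all(naive_firewall_allows(f) for f in frags)
    data = reassemble(frags, policy) if allowed else None
    return {"firewall_allowed": allowed, "host_flags": data[13] if data else None}


if __name__ == "__main__":
    for p in ("first", "last", "rfc5722"):
        print(p, bypass_demo(p))
```

The filter and the host disagree on what the datagram means, which is the whole bypass: a firewall that cannot reassemble should drop non-first fragments of flows it has not admitted, and a host should implement the RFC 5722 policy so that the overlap is never resolved in the attacker's favour.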
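The two multicast reflector cases from "DoS reflector attacks", as an added example that is not code from the talk or the TNO handbook: it builds an ICMPv6 Echo Request with a correct pseudo-header checksum and encodes the responder-side rules of RFC 4443 (Echo Reply to a multicast destination is allowed but must use a unicast source; a multicast or unspecified source gets neither a reply nor an error; error messages to multicast destinations are limited to Packet Too Big and Parameter Problem code 2). The addresses and the packet contents are constructed.

```python
"""Added example (not code from the talk or the TNO handbook): ICMPv6 Echo
Request construction with the RFC 4443 pseudo-header checksum, and the
responder rules that decide whether a multicast-addressed packet may be
answered.  Addresses and payloads are constructed."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129
ICMPV6_PACKET_TOO_BIG, ICMPV6_PARAM_PROBLEM = 2, 4


def icmpv6_checksum(src, dst, icmp_bytes):
    """One's-complement sum over the IPv6 pseudo-header (src, dst, upper-layer
    length, three zero bytes, next header 58) followed by the ICMPv6 message
    (RFC 4443 s2.3, RFC 8200 s8.1).  Run over a message whose checksum field
    is already filled in, the result is 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp_bytes), IPPROTO_ICMPV6))
    data = pseudo + icmp_bytes
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, ident, seq, payload=b""):
    """Echo Request: type 128, code 0, checksum, identifier, sequence, data."""
    msg = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def echo_reply_source(src, dst, my_unicast):
    """Source address an Echo Reply must carry, or None for 'do not reply'.
    - multicast/unspecified source: never identifies one node, drop silently
    - multicast destination: a reply is allowed (RFC 4443 s4.2: SHOULD) but
      MUST come from a unicast address of the receiving interface; this is
      what turns 'ping ff02::1' into an amplifier when the source is spoofed
    - unicast destination: reply from the address that was pinged"""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s.is_multicast or s.is_unspecified:
        return None
    return my_unicast if d.is_multicast else dst


def may_send_icmpv6_error(src, dst, err_type, err_code):
    """RFC 4443 s2.4(e): no error message for a packet whose source does not
    identify a single node (unspecified, multicast), nor for a multicast
    destination except Packet Too Big and Parameter Problem code 2."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s.is_multicast or s.is_unspecified:
        return False
    if d.is_multicast:
        return err_type == ICMPV6_PACKET_TOO_BIG or (
            err_type == ICMPV6_PARAM_PROBLEM and err_code == 2)
    return True


if __name__ == "__main__":
    pkt = build_echo_request("fe80::1", "ff02::1", 0x1234, 1, b"hello")
    print(pkt.hex(), "verifies:", icmpv6_checksum("fe80::1", "ff02::1", pkt) == 0)
    print("reply to all-nodes ping from:", echo_reply_source("fe80::1", "ff02::1", "fe80::2"))
    print("reply to multicast-sourced ping:", echo_reply_source("ff02::1", "fe80::2", "fe80::2"))
```

On the host side the test to run is simply whether `ping ff02::1%<iface>` gets answers from everything on the link; on Linux, `net.ipv6.icmp.echo_ignore_multicast=1` (present in current kernels) turns those replies off. The reply with a multicast source address, by contrast, is a bug wherever it appears: there is no RFC text that permits it.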
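The rogue Router Advertisement and rogue Neighbour Advertisement cases from "Inside access to LAN", as an added example that is not code from the talk or the TNO handbook and is not RA Guard (RFC 6105), which lives in the switch: it parses constructed RA and NA messages and applies the checks a software ND watch would apply (RA only from an authorised router MAC whose source link-layer option matches, hop limit 255 on all ND, IP-to-MAC binding changes in NAs, one MAC advertising a flood of targets). The `NDWatch` class, the MAC addresses and the IPv6 addresses are my constructions.

```python
"""Added example (not code from the talk or the TNO handbook): a small
software 'ND watch' that parses ICMPv6 Router Advertisement and Neighbour
Advertisement messages and flags the rogue cases listed in the talk.
MACs, addresses and messages are constructed in memory."""
import ipaddress
import struct

ND_ROUTER_ADVERT, ND_NEIGHBOR_ADVERT = 134, 136
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2


def _options(raw):
    """Yield (type, data) for ND TLV options; length is in 8-octet units."""
    i = 0
    while i + 2 <= len(raw):
        typ, length = raw[i], raw[i + 1]
        if length == 0:
            raise ValueError("zero-length ND option")      # RFC 4861 s4.6: must be discarded
        yield typ, raw[i + 2:i + length * 8]
        i += length * 8


def build_ra(src_mac, router_lifetime=1800, hop_limit=64):
    """Router Advertisement: type 134, code, checksum (left 0 here), cur hop
    limit, M/O flags, router lifetime, reachable time, retrans timer, then a
    source link-layer address option."""
    opt = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + src_mac
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0,
                       router_lifetime, 0, 0) + opt


def build_na(target_ip, target_mac, override=True):
    """Neighbour Advertisement: type 136, code, checksum (left 0 here),
    R/S/O flags + reserved, 16-byte target, target link-layer address option.
    With O set, receivers overwrite an existing cache entry: the spoofing case."""
    flags = (1 << 29) if override else 0
    opt = struct.pack("!BB", OPT_TARGET_LLADDR, 1) + target_mac
    return (struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, flags)
            + ipaddress.IPv6Address(target_ip).packed + opt)


class NDWatch:
    """Tracks what the link says about routers and IP-to-MAC bindings."""

    def __init__(self, trusted_router_macs, na_target_limit=32):
        self.trusted = set(trusted_router_macs)
        self.bindings = {}          # target IP -> MAC first learnt from an NA
        self.targets_per_mac = {}   # MAC -> set of target IPs it has advertised
        self.limit = na_target_limit

    def observe(self, src_mac, src_ip, hop_limit, icmp):
        """Return the list of alerts raised by one received ND message."""
        alerts, typ = [], icmp[0]
        if hop_limit != 255:                       # RFC 4861: ND is never forwarded
            alerts.append("nd-hop-limit-not-255")
        if typ == ND_ROUTER_ADVERT:
            if not ipaddress.IPv6Address(src_ip).is_link_local:
                alerts.append("ra-source-not-link-local")
            lladdr = dict(_options(icmp[16:])).get(OPT_SOURCE_LLADDR, src_mac)
            if src_mac not in self.trusted or lladdr != src_mac:
                alerts.append("rogue-ra-from-%s" % src_mac.hex(":"))
        elif typ == ND_NEIGHBOR_ADVERT:
            target = str(ipaddress.IPv6Address(icmp[8:24]))
            mac = dict(_options(icmp[24:])).get(OPT_TARGET_LLADDR, src_mac)
            known = self.bindings.setdefault(target, mac)
            if known != mac:                       # someone else now claims this IP
                alerts.append("na-binding-change-%s" % target)
            seen = self.targets_per_mac.setdefault(mac, set())
            seen.add(target)
            if len(seen) > self.limit:             # one MAC answering for everyone
                alerts.append("na-target-flood-from-%s" % mac.hex(":"))
        return alerts


if __name__ == "__main__":
    router, attacker = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    w = NDWatch({router})
    print(w.observe(router, "fe80::1", 255, build_ra(router)))
    print(w.observe(attacker, "fe80::2", 255, build_ra(attacker)))
    print(w.observe(router, "fe80::1", 255, build_na("cafe::face", router)))
    print(w.observe(attacker, "fe80::2", 255, build_na("cafe::face", attacker)))
```

The binding check is deliberately first-come: the watch keeps the MAC it saw first and alerts on every later disagreement, which is the same trade-off the talk makes with SEND, since without a cryptographic tie between address and key the monitor cannot know which claimant is the legitimate one.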