Sina Herbert/Christoph Weber, IPv6 Security

IPv6
Some ISP-related security problems
Sina Herbert / Christoph Weber
Swinog 10.5.2012
Version 1.02
about us
• Sina Herbert
Studied computer science at the University of
Applied Sciences in Fulda (Germany).
• Christoph Weber
First hack was more than 30 years ago, and I am still
active.
• Both currently working for a big ISP in Switzerland in
the development team for datacenter, network and
security.
- integration of IPv6 in our datacenter environment
- IPv4 + IPv6 security
- IPv4 old-world routing / switching
Disclaimer + Warning
• This is our own study and analysis, or is based on
publicly available information!
• All information is our private work
and ideas!
• Represents our opinion!
• No relation to the company
we currently work for!
Warning!
• ALL information is for internal and testing purposes
only!
• Don't do this at home!
agenda
• DNS Problem
- bruteforce / reverse
• WLAN
- sniffing / mDNS / Mobile Devices
• OSPFv3 implementation problems
- wrong integration
• 6RD security
- attack ipv4 from ipv6
• (anti)spoofing
- Example Hurricane Electric Tunnel Broker
DNS
• Hostnames
• Naming scheme
• DNS server: the new target on IPv6
• DNS bruteforce
• Reverse DNS bruteforce
find the target with DNS
• DNS
Based on DNS information, the public servers are easy to find.
- create your own dig script, or use the THC tool dnsdict6
(you need a good hostname list…)
• Sys- and net-admins mostly use only the last 4 (or 8) characters of
the IPv6 address range (simpler to remember and to write)
• Scanning
simple addresses, because sysadmins are lazy (or geeks):
:1 :53 :80 :def :affe :c5c0 :cafe :babe
• Because most companies use an IPv6 addressing plan, it's easy
to find more targets.
find the target with DNS
• Bruteforce the DNS server with a „large
optimized“ hostname file.
find the target with DNS
Sample: switch.ch
[Figure: hostnames found for switch.ch, grouped into addresses assigned by autoconfig and by hand]
Reverse DNS
Sample environment:
Within 2001:DB8::/32 there is 2001:DB8:FF::/48, which has its reverse DNS hosted in
a zone called F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
For simpler handling we call F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. => X
Given the zone name, we can query 0.X, 1.X, 2.X … up to and including
f.X. Most of these queries will return an NXDOMAIN rcode; this means the
name does not exist, but very importantly, this can usually be construed to
mean that no longer name exists either. Suppose that in this case, two of
the names (0.X and f.X) do not return NXDOMAIN – instead they return
NOERROR. This means the nameserver has a reason not to deny
existence, and in this case, that reason is that a longer name exists.
Reverse DNS
Legend: NXDOMAIN -> next name, same level; NOERROR -> next name, one level deeper
X.0 -> NXDOMAIN
X.1 -> NXDOMAIN
X.2 -> NXDOMAIN
X.3 -> NXDOMAIN
X.4 -> NOERROR
X.4.0 -> NXDOMAIN
X.4.1 -> NXDOMAIN
X.4.2 -> NOERROR
X.4.2.0 -> NOERROR
X.4.2.0.0 -> NOERROR
X.4.2.0.0.0 -> NXDOMAIN
X.4.2.0.0.1 -> NOERROR
X.4.2.0.0.1.0 -> NOERROR
…
X.4.2.0.0.1.0.0.F.F.0.0.0.1.0.1.2.A.F.F.E -> www.whatever.com
Reverse DNS
Tools for reverse DNS scanning
ip6-arpa-scan.py:
root@blubberli:#./ip6-arpa-scan.py 0.2.6.0.1.0.0.2.ip6.arpa 195.186.1.110 64
base 0.2.6.0.1.0.0.2.ip6.arpa server 195.186.1.110 limit 41
c.d.0.0.0.0.2.6.0.1.0.0.2.ip6.arpa., 1630 queries done, 365 found, 0.00% done
dnsrevenum6:
root@blubberli:dnsrevenum6 195.186.1.110 2001:620::/48
Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110
Found: scsnms.switch.ch. is 2001:620::1
Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::
Found: domreg.nic.ch. is 2001:620::4
Found: merapi.switch.ch. is 2001:620::5
Found: mamp1.switch.ch. is 2001:620::a
Found: atitlan.switch.ch. is 2001:620::2
Found: manaro.switch.ch. is 2001:620::14
Found: lopevi.switch.ch. is 2001:620::1a
Reverse DNS
root@blubberli:./dnsrevenum6 195.186.1.110 2001:620::/48
Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110
Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::
Found: scsnms.switch.ch. is 2001:620::1
Found: atitlan.switch.ch. is 2001:620::2
Found: domreg.nic.ch. is 2001:620::4
Found: merapi.switch.ch. is 2001:620::5
Found: mamp1.switch.ch. is 2001:620::a
Found: manaro.switch.ch. is 2001:620::14
Found: lopevi.switch.ch. is 2001:620::1a
Found: tbutest.switch.ch. is 2001:620::2a
Found: snmp-trap.lan.switch.ch. is 2001:620::162
…
Found: htabi-swiBE2.switch.ch. is 2001:620:0:fff9::2
Found: swiLS2-G2-4.switch.ch. is 2001:620:0:fffb::1
Found: swiGE2-10GE-3-2.switch.ch. is 2001:620:0:fffc::1
Found: swiIBM2-G1-2.switch.ch. is 2001:620:0:fffd::1
Found 1111 entries.
DNS Security
• Prepare for a large amount of queries
• DoS-protect your DNS infrastructure
• Rate limit DNS queries (if possible)
• Only provide necessary information
• Consider the DNS logs.
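The tree walk described above leaves a distinctive trace in a resolver's or authoritative server's logs: one client asking PTR for many partial (shorter than 32 nibbles) ip6.arpa names, mostly answered NXDOMAIN, with each new name being a child of a name it already asked. The following detector, an added example and not part of the talk, runs over constructed log lines in an assumed simplified "client qname qtype rcode" format (real servers only log the rcode with dnstap or response logging enabled).

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the talk): "client qname qtype rcode".
# The first client walks the f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa (2001:db8:ff::/48) tree,
# the second does a normal full-length PTR lookup plus an unrelated A query.
SAMPLE_LOG = """\
192.0.2.10 0.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 1.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 2.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 3.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 4.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NOERROR
192.0.2.10 0.4.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 1.4.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NXDOMAIN
192.0.2.10 2.4.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NOERROR
198.51.100.7 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa PTR NOERROR
198.51.100.7 www.example.org A NOERROR
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$")
SUFFIX = ".ip6.arpa"
HEXDIGITS = set("0123456789abcdef")

def nibble_labels(qname):
    """Nibble labels of a reverse name, most specific first; None if it is not an ip6.arpa name."""
    name = qname.rstrip(".").lower()
    if not name.endswith(SUFFIX):
        return None
    labels = name[: -len(SUFFIX)].split(".")
    return labels if all(len(l) == 1 and l in HEXDIGITS for l in labels) else None

def analyse(log_text, min_partial=4):
    """Per client: count ip6.arpa PTR queries, partial names (fewer than the 32 nibbles of a
    full /128 reverse name), NXDOMAIN answers, and names whose parent the same client already
    asked; flag a client as a tree walk once it has asked min_partial partial names."""
    stats = defaultdict(lambda: {"ptr": 0, "partial": 0, "nxdomain": 0, "children": 0, "seen": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "PTR":
            continue
        labels = nibble_labels(m["qname"])
        if labels is None:
            continue
        s = stats[m["client"]]
        s["ptr"] += 1
        s["partial"] += len(labels) < 32          # legitimate PTR lookups are always 32 nibbles
        s["nxdomain"] += m["rcode"] == "NXDOMAIN"
        s["children"] += ".".join(labels[1:]) in s["seen"]  # child of an earlier query
        s["seen"].add(".".join(labels))
    report = {}
    for client, s in stats.items():
        report[client] = {k: v for k, v in s.items() if k != "seen"}
        report[client]["tree_walk"] = s["partial"] >= min_partial
    return report
```

A rate limit on partial ip6.arpa PTR names per client is the matching mitigation, since a real resolver never asks them.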
PWLAN
• PWLAN sniffing
• Find the user
• mDNS attack
• RA
mDNS / Zeroconf
• Zeroconf with mDNS is a very good place to
find devices in the network.
• Multicast addresses
IPv6 ff02::fb port 5353
IPv4 224.0.0.251 port 5353
• Turned „ON“ by default in many systems
some Ubuntu / Fedora (avahi)
iMac / iPhone / iPad …
Mobile Devices
• HTC
• iPhone
a day at „Zürich“ main station
Find the iPhone user
• Find the user…
Find the next user…
RA Attacks
• Other possibilities
Router Advertisements
./flood_advertise6 eth3
Starting to flood network with neighbor advertisements
on eth3 (Press Control-C to end, a dot is printed for
every 100 packet):
........................................................
.....................................................^C
Android 2.2
Android
• HTC Desire S (Android Version 2.3.5)
Android
• Only 16 IPv6 addresses on the interface, but
more „routes“ for networks, „inserted“ by RA
OSPFv3
• OSPFv3 authentication
- Cisco
- Checkpoint
OSPFv3 authentication
• For example the configuration with Cisco
– AH
• ipv6 ospf authentication ipsec spi spi md5 [key-encryption-type] {key | null}
– ESP
• ipv6 ospf encryption {ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}
OSPFv3 authentication
• Works with Cisco …
– But when changing from AH to ESP,
– the AH session is still active; the same happens when changing the password. This can
cause issues, e.g. when changing the password only on one side.
– Furthermore, if there are more OSPFv3 connections, an IPsec connection is needed
for each of them, and this costs high CPU load.
– So, what will be the best practice …
OSPFv3 authentication
• with Check Point
– capability of IPsec with IPSO
(IPSO = OS for Check Point hardware)
OSPFv3
• Basic OSPFv3 configuration works with IPSO,
but what happens if a not so conventional
packet occurs …
let's try this:
• Returns … oops
NokiaIP690:117> show ipv6 ospf3 neighbors
NokiaIP690:118>
Solution Check Point
• IPSO isn't supported with IPv6
• IPv6 support only with GAIA
• GAIA doesn't support IPv6 dynamic routing
Nice to know
OSPFv3, RFC 2740:
– “However, unlike in IPv4, IPv6 allows LSAs with
unrecognized LS types to be labeled "Store and
flood the LSA, as if type understood".”
– “Uncontrolled introduction of such LSAs could
cause a stub area's link-state database to grow
larger than its component routers' capacities.”
Attacking routing devices
• Fact:
- Most network devices handle IPv6 traffic in software, not in
hardware
- more CPU power is needed for handling IPv6 extension headers
- the routing table becomes much bigger
• Samples
Packets with a hop-by-hop option header
Packets with the same destination IPv6 address as that of the
router
Packets that fail the scope enforcement check
Packets that exceed the MTU of the output link
Packets with a TTL (hop limit) that is less than or equal to 1
…
Antispoofing
• Verify anti-spoofing!
• Possible IPv6 addresses:
- Link Local Address
- Site Local Address
- Unique Local Address
- Multicast
- Any other IPv6 address
- localhost
- …
Hurricane Electric's Tunnel
• Spoofing from source IPs
HE Tunnel:
- ULA
- 6Bone
- Any global IPv6 address
Miredo/Teredo:
- not possible
Some ISPs:
- sometimes ULA
- sometimes ALL
Spoof Test
Source system:
root@blubberli:thc-1.9-chw# ./spoof6 eth3 2001:0:ffff::beef
Sending ICMPv6 Packets to eth3 from spoofed fdbb:7d77:bc07:affe::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:db8::12001::1
Sending ICMPv6 Packets to eth3 from spoofed 2002::1
Sending ICMPv6 Packets to eth3 from spoofed 3FFE::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:503:ba3e::2:30
Sending ICMPv6 Packets to eth3 from spoofed 2001:500:2f::f
Sending ICMPv6 Packets to eth3 from spoofed 2001:500:1::803f:235
Sending ICMPv6 Packets to eth3 from spoofed 2001:503:c27::2:30
Sending ICMPv6 Packets to eth3 from spoofed 2001:7fd::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:dc3::35
Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8888
Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8844
Sending ICMPv6 Packets to eth3 from spoofed ffff:ffff:ffff:ffff:ffff:ffff:fffff:ffff
Done!
On the target system with tcpdump:
fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2002::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2002::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
3ffe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
3ffe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
(Info: 2001:X:ffff::beef is a placeholder for the real IPv6 address)
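The anti-spoofing check the two slides above ask for, as an added example that is not from the talk: classify a packet's source address into the address classes listed (link-local, site-local, ULA, multicast, loopback, 6Bone, documentation, bogus 6to4) and accept a customer's packet only when the source is a global address inside that customer's own allocation. The customer prefix 2001:470:94df::/48 is assumed for the test; the spoofed sources are the ones from the spoof6 run above.

```python
import ipaddress

# Ranges the Python ipaddress module has no dedicated flag for.
SIXBONE = ipaddress.IPv6Network("3ffe::/16")         # historic 6Bone, retired in 2006
ULA = ipaddress.IPv6Network("fc00::/7")              # RFC 4193 unique local
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")      # deprecated by RFC 3879

def classify_source(src):
    """Return the address class of a source address string; anything but 'global'
    must never arrive from a customer port or a tunnel endpoint."""
    try:
        a = ipaddress.IPv6Address(src)
    except ValueError:
        return "invalid"                      # unparsable, e.g. a fused or 5-digit group
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:                        # ff00::/8, includes all-ones
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local"
    if a in ULA:
        return "ula"
    if a in SIXBONE:
        return "6bone"
    if a in DOCUMENTATION:
        return "documentation"
    if a.ipv4_mapped is not None:
        return "ipv4-mapped"
    # 6to4: the embedded IPv4 address must itself be a global unicast address.
    if a.sixtofour is not None and not a.sixtofour.is_global:
        return "6to4-bogus-v4"
    return "global"

def ingress_ok(src, customer_prefixes):
    """uRPF-style ingress filter: a global source inside one of the customer's prefixes passes."""
    if classify_source(src) != "global":
        return False
    a = ipaddress.IPv6Address(src)
    return any(a in ipaddress.IPv6Network(p) for p in customer_prefixes)
```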
6RD Security Problems
• 6RD Client
• 6RD IPv6 -> IPv4 DoS
Sample: „Free“
6RD address building
The link prefix is built from the IPv6 prefix (/28 - /32),
the CPE IPv4 address (32 bit),
a 0-4 bit subnet ID,
and the 64 bit interface ID.
IPv6 prefix 2001:db8:0123::/32 + IPv4 10.1.2.3
=> 2001:db8:0123:0A01:0203::/64
[Figure: two 6RD address layouts of 128 bit each. With a /28 IPv6 prefix: Site Prefix = IPv6 Prefix (28 bit) + CPE IPv4 Address (32 bit) + Subnet ID (4 bit) = /64, followed by the 64 bit Interface ID. With a /32 IPv6 prefix: Site Prefix = IPv6 Prefix (32 bit) + CPE IPv4 Address (32 bit) = /64, followed by the 64 bit Interface ID.]
some ideas
[Figure: 6RD address split into IPv6 Prefix | IPv4 Address | Interface ID]
IPv4 address part:
- Any other IPv4 global address
- IPv4 private address
- Loopback / management IPv4
- Localhost
- IPv4 multicast (for instance routing protocols)
- IPv4 broadcast / network address
- …
[Figure: a 6RD border relay router with its interfaces "IPv4 6RD customers", "IPv6 Global", "Management" and "IPv4 Global". The 6RD customer 10.1.2.3 has [2001:db8:0123:0A01:0203::1]. Where IPv6 packets for 2001:db8:0123:0808:0808::1, 2001:db8:0123:C0A8:0001::1 and 2001:db8:0123:0A01:0203::1 are sent (6RD customer, IPv4 global, loopback, localhost) depends only on the routing table.]
Some 6RD ISP Tests
5 well-known 6RD providers tested:
• Swisscom
• Free
• AT&T USA
• Sakura
• ISP Telfort
->
ALL allow relaying to a public IPv4 address
(other tests: result unknown)
Security
• Only 6RD ISP clients may use the 6RD
BR as 6RD relay
• The 6RD BR must check whether the IPv6 traffic is for a
6RD ISP client or not.
• Prevent traffic relay for DoS from IPv6 to IPv4!
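The BR check asked for above, as an added example (not the talk's or any vendor's code): build the 6RD delegated prefix from the ISP prefix and the CPE IPv4 address with the general RFC 5969 layout, recover the embedded IPv4 address from an IPv6 destination, and relay only when that address belongs to the ISP's own 6RD customer pool. The /32 prefix 2001:db8::/32, IPv4MaskLen 0 (full 32-bit address embedded, as in the /32 figure) and the customer pool 10.1.0.0/16 are assumptions; with them 10.1.2.3 yields 2001:db8:a01:203::/64.

```python
import ipaddress

# Assumed 6RD domain parameters (constructed, not from the talk).
SIXRD_PREFIX = ipaddress.IPv6Network("2001:db8::/32")   # 6rdPrefix / 6rdPrefixLen
V4_COMMON = ipaddress.IPv4Network("0.0.0.0/0")          # IPv4MaskLen = 0: all 32 bits embedded
CUSTOMER_POOLS = [ipaddress.IPv4Network("10.1.0.0/16")]  # IPv4 addresses handed to 6RD CPEs
V4_WIDTH = 32 - V4_COMMON.prefixlen                      # embedded IPv4 bits

def delegated_prefix(cpe_ipv4):
    """6RD delegated prefix: 6rdPrefix || (CPE IPv4 address with the common high bits removed)."""
    v4_bits = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << V4_WIDTH) - 1)
    plen = SIXRD_PREFIX.prefixlen + V4_WIDTH
    base = int(SIXRD_PREFIX.network_address) | (v4_bits << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def embedded_ipv4(v6_dst):
    """Inverse step done by the BR: the IPv4 address encoded in a destination inside the
    6RD prefix, or None when the destination is not a 6RD address of this domain."""
    addr = ipaddress.IPv6Address(v6_dst)
    if addr not in SIXRD_PREFIX:
        return None
    shift = 128 - SIXRD_PREFIX.prefixlen - V4_WIDTH
    v4_bits = (int(addr) >> shift) & ((1 << V4_WIDTH) - 1)
    return ipaddress.IPv4Address(int(V4_COMMON.network_address) | v4_bits)

def br_should_relay(v6_dst):
    """The check from the slide: encapsulate towards IPv4 only for a real 6RD customer address.
    Returns (decision, reason). Everything else (other global IPv4, private ranges, the BR's
    own loopback/management addresses, broadcast/network addresses) is dropped."""
    v4 = embedded_ipv4(v6_dst)
    if v4 is None:
        return False, "destination outside the 6RD prefix"
    pool = next((p for p in CUSTOMER_POOLS if v4 in p), None)
    if pool is None:
        return False, f"embedded {v4} is not a 6RD customer address"
    if v4 in (pool.network_address, pool.broadcast_address):
        return False, f"embedded {v4} is the pool network or broadcast address"
    return True, f"embedded {v4} is a 6RD customer in {pool}"
```

Note that a BR without this check will happily send IPv4 packets to 8.8.8.8 when an attacker sets the destination 2001:db8:808:808::1, which is the IPv6-to-IPv4 relay the talk found at all five providers.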
questions ?
sina.herbert@online.de
christoph.weber@packetlevel.ch
Tools
Security warning and disclaimer:
Never ever use these tools, it may be against your local law!
Function: tools
Scanning/Surveillance:
halfscan6, nmap, Scan6, Strobe
Covert Channel/Backdoor:
relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc.
Port Bouncing:
relay6, nt6tunnel, ncat, and asybo,
Denial of Service (DOS):
6tunneldos, 6To4DDos, Imps6-tools
Packet-Level attack toolkits:
isic6, spak6, THC-6
Packet-Crafting:
scapy, sendIP, Packit, Spack
IRC Zombies/Bots:
Eggdrop, Supybot, etc.
Sniffer:
snort, tcpdump, snoop, wireshark, tshark etc.
Pen Testing Tool:
Metasploit
terminology
• Node: device that implements IPv6
• Router: node that forwards IPv6 packets
• Host: any node that isn't a router
• Upper layer: protocol layer above IPv6
• Link: medium or communication facility over which nodes can
communicate at the link layer
• Neighbors: nodes attached to the same link
• Interface: a node's attachment to a link
• Address: IPv6-layer identification for an interface
• Packet: IPv6 header + payload
• Link MTU: maximum transmission unit of a link
• Path MTU: minimum link MTU of all links in a path between source and
destination nodes
Tools needed
• more protocol testing tools (fuzzer..)
• tool for automatic network discovery and
analysis of local traffic
(ping/mld/mdns … ) -> IP + function list
• Better filter implementation in tcpdump /
tshark
IPv6 hacking future
• more crypto is used, but…
• still new RFCs
• growing unknown usage creates more
attack surface
• Mobile devices are one of the next big targets,
because they need a large IP address space,
which will be covered with IPv6
mDNS Problems / Attack
• Internet Draft:
DNS queries for names that do not end with ".local." MAY be
sent to the mDNS multicast address, if no other conventional
DNS server is available. This can allow hosts on the same link
to continue communicating using each other's globally unique
DNS names during network outages which disrupt communication
with the greater Internet.
• mDNS generates a lot of new options for fun and
abuse
• Flood the network with „some“ mDNS information to
fill up the tables on each device
• Overwrite existing entries.