Presentation on theme: "IPv6 Some ISP related security Problems Sina Herbert / Christoph Weber Swinog 10.5.2012 Version 1.02."— Presentation transcript:
IPv6 Some ISP related security Problems Sina Herbert / Christoph Weber Swinog Version 1.02
about us Sina Herbert Study of computer science at the university of applied sciences in Fulda (Germany). Christoph Weber First Hack is more the 30 year ago, and i am still active. Both currently working for a big ISP in Switzerland in the development Team for datacenter, network and security. - integration of IPv6 in our datacenter environment - IPv4 + IPv6 Security - IPv4 old world routing / switching
Disclaimer + Warning This is our own study and analysis, or is based on public available information ! All information are our private work and ideas ! Represents our meaning ! No relation to the company, we currently work for it ! Warning ! ALL information's are for internal and testing purpose only ! Don’t do this at home !
agenda DNS Problem - bruteforce / reverse WLAN - sniffing / mDNS / Mobile Devices OSPFv3 implementation problems - wrong integration 6RD security - attack ipv4 from ipv6 (anti)spoofing - Example Hurricane Electric Tunnel Broker
DNS Hostnames Naming scheme DNS Server the new target on IPv6 DNS bruteforce Reverse DNS bruteforce
find the target with DNS DNS based on DNS Information, the Public Server are easy to find. - create your own dig-script, thc tool dnsdict6 (You need a good hostname list…) Sys and Net-Admins mostly use the last 4 (or 8) characters of the IPv6 address range (simpler to remember and to write) Scanning simply address, because sysadmin’s are lazy (or geeks) :1 :53 :80 :def :affe :c5c0 :cafe :babe Because most Company use a IPv6 addressing plan, it’s easy to find more targets.
find the target with DNS Bruteforce the DNS Server with a „large optimized“ Hostname-file.
find the target with DNS Sample: switch.ch autoconfig by hand
Reverse DNS Sample Environment: 2001:DB8::/32 there is 2001:DB8:FF::/48 which has reverse DNS hosted in a zone called F.F b.d ip6.arpa. For simpler handling we call F.F b.d ip6.arpa. => X In the given the zone name we can query 0.X, 1.X, 2.X … up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but very importantly, this can usually be construed to mean that no longer name exists either. Suppose that in this case, two of the names (0.X and f.X) do not return NXDOMAIN – instead they return NOERROR. This means the nameserver has a reason to not deny existence, and in this case, that reason is that a longer name exists.
X.0 -> NXDOMAIN X.1 -> NXDOMAIN X.2 -> NXDOMAIN X.3 -> NXDOMAIN X.4 -> NOERROR X.4.0 -> NXDOMAIN X.4.1 -> NXDOMAIN X.4.2 -> NOERROR X > NOERROR X > NOERROR X > NXDOMAIN X > NOERROR X > NOERROR. X F.F A.F.F.E -> Reverse DNS NXDOMAIN -> next, same level NOERROR -> next, on level lower
Reverse DNS Tools, for reverse dns scan ip6-arpa-scan.py ip6.arpa base ip6.arpa server limit 41 c.d ip6.arpa., 1630 queries done, 365 found, 0.00% done dnsrevenum :620::/48 Starting DNS reverse enumeration of 2001:620:: on server Found: scsnms.switch.ch. is 2001:620::1 Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620:: Found: domreg.nic.ch. is 2001:620::4 Found: merapi.switch.ch. is 2001:620::5 Found: mamp1.switch.ch. is 2001:620::a Found: atitlan.switch.ch. is 2001:620::2 Found: manaro.switch.ch. is 2001:620::14 Found: lopevi.switch.ch. is 2001:620::1a
Reverse DNS :620::/48 Starting DNS reverse enumeration of 2001:620:: on server Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620:: Found: scsnms.switch.ch. is 2001:620::1 Found: atitlan.switch.ch. is 2001:620::2 Found: domreg.nic.ch. is 2001:620::4 Found: merapi.switch.ch. is 2001:620::5 Found: mamp1.switch.ch. is 2001:620::a Found: manaro.switch.ch. is 2001:620::14 Found: lopevi.switch.ch. is 2001:620::1a Found: tbutest.switch.ch. is 2001:620::2a Found: snmp-trap.lan.switch.ch. is 2001:620::162. Found: htabi-swiBE2.switch.ch. is 2001:620:0:fff9::2 Found: swiLS2-G2-4.switch.ch. is 2001:620:0:fffb::1 Found: swiGE2-10GE-3-2.switch.ch. is 2001:620:0:fffc::1 Found: swiIBM2-G1-2.switch.ch. is 2001:620:0:fffd::1 Found 1111 entries.
DNS Security Prepare for a large amount of query‘s DoS Protect your DNS Infrastructure Rate limit DNS query‘s (if possible) Only provide necessary information consider the DNS logs.
PWLAN PWLAN Sniffing Find the User mDNS Attack RA
mDNS / Zeroconf Zeroconf with mDNS is a very good place, to find devices in the network. Multicast addresses ipv6 ff02::fb port 5353 ipv port 5353 Turned „ON“ bye default in many systems some Ubuntu / Fedora (avahi) iMac / iPhone / iPads …
Mobile Devices HTC iPhone
a day on „Zürich“ Main Station
Find the iPhone user Find the user….
Find the next user…
RA Attacks Other possibilities Router Advertisments./flood_advertise6 eth3 Starting to flood network with neighbor advertisements on eth3 (Press Control-C to end, a dot is printed for every 100 packet): ^C
Android HTC Desire S (Android Version 2.3.5)
Android Only 16 ipv6 addresses on the interface, but more „routes“ for networks, „inserted“ by RA
OSPFv3 authentication Works with Cisco … – But when changing from AH to ESP – The AH session is still active, the same by changing the password. This can be cause issues e.g. by changing the password only on one side. – Furthermore, if there are more OSPFv3 connections, there will also be needed an IPSEC connection for each of it and this costs high CPU load. – So, what will be the best practice …
OSPFv3 authentication with Check Point – Capability of IPSEC with IPSO (IPSO = OS for Checkpoint Hardware)
OSPFv3 Basic OSPFv3 configuration works with IPSO, but what happens, if a not so conventional packet occurs … lets try this: Returns …ups NokiaIP690:117> show ipv6 ospf3 neighbors NokiaIP690:118>
Solution Check Point Doesn‘t support IPSO with IPv6 IPv6 support only with GAIA GAIA doesn‘t support IPv6 dynamic routing
Nice to know OSPFv3 RFC 2740 – “However, unlike in IPv4, IPv6 allows LSAs with unrecognized LS types to be labeled "Store and flood the LSA, as if type understood””. – “Uncontrolled introduction of such LSAs could cause a stub area's link-state database to grow larger than its component routers' capacities.”
Attack a Routing devices Fact: - Most Network Devices handle IPv6 Traffic in Software, not in hardware - more CPU Power for handling IPv6 extensions Headers - the routing table becomes much bigger Samples Packets with a hop-by-hop option header Packets with the same destination IPv6 address as that of routers Packets that fail the scope enforcement check Packets that exceed the MTU of the output link Packets with a TTL that is less than or equal to 1 …..
Antispoofing Verify ANTI-spoofing ! Possible IPv6 Addresses. - Link Local Address - Site Local Addess - Unique Local Address - Multicast - Any other IPv6 address - localhost - ….
Hurricane Electric's Tunnel Spoofing from Source IP‘s HE Tunnel: - ULA - 6Bone - Any Global IPv6 Address Miredo/Teredo - not possible Some ISP‘s - Sometimes ULA - Sometimes ALL
Spoof Test Source System eth3 2001:0:ffff::beef. Sending ICMPv6 Packets to eth3 from spoofed fdbb:7d77:bc07:affe::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:db8::12001::1 Sending ICMPv6 Packets to eth3 from spoofed 2002::1 Sending ICMPv6 Packets to eth3 from spoofed 3FFE::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:503:ba3e::2:30 Sending ICMPv6 Packets to eth3 from spoofed 2001:500:2f::f Sending ICMPv6 Packets to eth3 from spoofed 2001:500:1::803f:235 Sending ICMPv6 Packets to eth3 from spoofed 2001:503:c27::2:30 Sending ICMPv6 Packets to eth3 from spoofed 2001:7fd::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:dc3::35 Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8888 Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8844 Sending ICMPv6 Packets to eth3 from spoofed ffff:ffff:ffff:ffff:ffff:ffff:fffff:ffff Done! On the Target System with tcpdump: fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length :470:94df:1::ffff > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length :470:94df:1::ffff > 2001:X:ffff::beef ICMP6, echo request, seq 0, length ::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length ::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 3ffe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 3ffe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length :503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length :503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 (Info: the 2001:X:ffff::beef is a spaceholder for the real IPv6 address)
6RD Address Building Link Prefix is build with the IPv6 Prefix (/28 - /32) CPE IPv4 Address 32 bit 0-4 bit Subnet ID 64 bit Interface ID IPv6 Prefix: 2001:db8:0123::/ IPv => 2001:db8:0123:0A01:0203::/64
some ideas IPv4 Address Part -Any other IPv4 Global Address -IPv4 Privat Address -Loopback / Management IPv4 -Localhost -IPv4 Multicast (for instance Routing Protocols) -IPv4 Broadcast / Network Address -…….
Routing 2001:db8:0123:0A01:0203:: [2001:db8:0123:0A01:0203::1] Routing depending on the routing table 2001:db8:0123:0808:0808:: [2001:db8:0123:0808:0808::1 ] 2001:db8:0123:C0A8:0001:: [2001:db8:0123:C0A8:0001::1]
Some 6RD ISP Tests 5 well known 6RD provider tested Swisscom Free ATT USA Sakura ISP Telfort -> ALL allow relaying to a public IPv4 address (other tests, result unknown)
Security Access only for 6RD ISP-Client to use the 6RD BR as 6RD-Relay 6RD BR must check, if the IPv6 Traffic is for a 6RD ISP Client or not. Prevent traffic relay for DoS from IPv6 to IPv4 !
Tools FunctionTools Scanning/Surveillance:halfscan6, nmap, Scan6, Strobe Covert Channel/Backdoor:relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc. Port Bouncing:relay6, nt6tunnel, ncat, and asybo, Denial of Service (DOS):6tunneldos, 6To4DDos, Imps6-tools Packet-Level attack toolkits:isic6, spak6, THC-6 Packet-Crafting:scapy, sendIP, Packit, Spack IRC Zombies/Bots:Eggdrop, Supybot, etc. Sniffer:snort, tcpdump, snoop, wireshark, tshark etc. Pen Testing Tool:Metasploit Security Warning and Disclaimer: Never ever use this tools, maybe it‘s against your local law !
terminology Node: Device that implements IPv6 Router: Node that forwards IPv6 Packets Host: Any Node, that isn‘t a router Upper Layer: Protocol layer above ipv6 Link: Medium or communication Facility over with nodes can communicateat the link layer Neighbors: Nodes attached on the same link Interface: A Node‘s attachment to a link Address: IPv6 Layer identification for an interface Packet: IPv6 header + payload Link MTU: Maximum Transmission Unit Path MTU: Minimum link MTU of all links in a path between source und destination node‘s
Tools needed more protocol testing tools (fuzzer..) tool for automatic network discovery and analysis of local traffic (ping/mld/mdns … ) -> IP + function list Better filter implementation in tcpdump / tshark
IPv6 hacking future more crypto is used, but… still new RFC‘s growing unknown usage creates more attacking surface Mobile devices are one of the next big target, because the need a large IP address space, with will be covered with ipv6
mDNS Problems / Attack Internet Draft: DNS queries for names that do not end with ".local." MAY be sent to the mDNS multicast address, if no other conventional DNS server is available. This can allow hosts on the same link to continue communicating using each other's globally unique DNS names during network outages which disrupt communication with the greater Internet. mDNS generates a lot of new options for fun and abuse Flood the network with „some“ mDNS information to fill up the tables on each devices Overwrite existing entries.