IPv6 Some ISP related security Problems - PowerPoint PPT Presentation


IPv6 Some ISP related security Problems

Sina Herbert / Christoph Weber

Swinog 10.5.2012

Version 1.02


About us

Sina Herbert: studied computer science at the University of Applied Sciences in Fulda (Germany).

Christoph Weber: first hack was more than 30 years ago, and still active.

Both currently working for a big ISP in Switzerland in the development team for datacenter, network and security:
- integration of IPv6 in our datacenter environment
- IPv4 + IPv6 security
- IPv4 "old world" routing / switching


Disclaimer + Warning

This is our own study and analysis, or it is based on publicly available information!

All information is our private work and ideas!

It represents our own opinion!

No relation to the company we currently work for!

Warning!

All information is for internal and testing purposes only!

Don't do this at home!


Agenda

DNS problems: brute force / reverse

WLAN: sniffing / mDNS / mobile devices

OSPFv3 implementation problems: wrong integration

6RD security: attacking IPv4 from IPv6

(Anti)spoofing: example Hurricane Electric Tunnel Broker


DNS

Hostnames

Naming scheme

DNS servers: the new target on IPv6

DNS bruteforce

Reverse DNS bruteforce


Find the target with DNS

Based on DNS information, the public servers are easy to find: create your own dig script, or use the THC tool dnsdict6 (you need a good hostname list …).

Sys and net admins mostly use the last 4 (or 8) characters of the IPv6 address range (simpler to remember and to write).

Scanning simple addresses, because sysadmins are lazy (or geeks): :1 :53 :80 :def :affe :c5c0 :cafe :babe

Because most companies use an IPv6 addressing plan, it's easy to find more targets.


Find the target with DNS (cont.)

Brute-force the DNS server with a „large optimized“ hostname file.


Find the target with DNS (cont.)

Sample: switch.ch

autoconfig

by hand


Reverse DNS

Sample environment: within 2001:DB8::/32 there is 2001:DB8:FF::/48, whose reverse DNS is hosted in a zone called F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. For simpler handling we call F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa => X.

Given the zone name, we can query 0.X, 1.X, 2.X … up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but, very importantly, this can usually be construed to mean that no longer name exists either. Suppose that in this case two of the names (0.X and f.X) do not return NXDOMAIN; instead they return NOERROR. This means the nameserver has a reason not to deny existence, and in this case that reason is that a longer name exists.


Reverse DNS (cont.)

Walking the tree. The slide writes the labels in the opposite order from the text above: X.4.2 stands for the name 2.4.X, i.e. two labels below the zone apex.

X.0 -> NXDOMAIN
X.1 -> NXDOMAIN
X.2 -> NXDOMAIN
X.3 -> NXDOMAIN
X.4 -> NOERROR
X.4.0 -> NXDOMAIN
X.4.1 -> NXDOMAIN
X.4.2 -> NOERROR
X.4.2.0 -> NOERROR
X.4.2.0.0 -> NOERROR
X.4.2.0.0.0 -> NXDOMAIN
X.4.2.0.0.1 -> NOERROR
X.4.2.0.0.1.0 -> NOERROR
...
X.4.2.0.0.1.0.0.F.F.0.0.0.1.0.1.2.A.F.F.E -> www.whatever.com

NXDOMAIN -> next label, same level
NOERROR -> next level down
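The walk above, as an added example that is not part of the slides or of the tools they name: a simulated authoritative server for the constructed zone 2001:db8:ff::/48 with four made-up PTR records, answering NXDOMAIN when nothing exists at or below a name and NOERROR without data for an empty non-terminal, and the depth-first walk driven by those two rcodes. Running it shows why the leak is structural (every intermediate name between the apex and a record must answer NOERROR) and how few queries it costs compared with the 16^20 names under a /48; that query pattern is the signal the "monitor the DNS logs" advice later on relies on.

```python
"""Simulated ip6.arpa tree walk over an in-memory zone (added example, not the slides' tool)."""
import ipaddress

# Constructed sample zone: 2001:db8:ff::/48 with four PTR records (hostnames are made up).
ZONE_APEX = "f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
PTR_RECORDS = {
    "2001:db8:ff::1": "gw.example.net",
    "2001:db8:ff::53": "ns1.example.net",
    "2001:db8:ff:1::cafe": "www.example.net",
    "2001:db8:ff:1::babe": "mail.example.net",
}


def ptr_name(addr):
    """Owner name of the PTR record for an IPv6 address (32 reversed nibbles + ip6.arpa)."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def build_zone(records):
    """Owner names the server knows: the PTR leaves plus every empty non-terminal
    (intermediate name) between a leaf and the zone apex. Leaves map to a hostname,
    empty non-terminals to None."""
    zone = {}
    for addr, host in records.items():
        name = ptr_name(addr)
        zone[name] = host
        labels = name.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if ancestor.endswith("." + ZONE_APEX):
                zone.setdefault(ancestor, None)
    return zone


ZONE = build_zone(PTR_RECORDS)


def query(name, stats):
    """Answer like an authoritative server: NXDOMAIN if nothing exists at or below
    the name, NOERROR (with or without data) otherwise."""
    stats["queries"] += 1
    if name in ZONE:
        return "NOERROR", ZONE[name]
    return "NXDOMAIN", None


def walk(apex):
    """Depth-first walk: NXDOMAIN -> try the next sibling label,
    NOERROR without data -> descend one level, NOERROR with data -> a real PTR."""
    stats = {"queries": 0}
    found = {}
    pending = [apex]
    while pending:
        parent = pending.pop()
        for nibble in "0123456789abcdef":
            child = f"{nibble}.{parent}"
            rcode, target = query(child, stats)
            if rcode == "NXDOMAIN":
                continue                  # the whole subtree is empty, skip it
            if target is None:
                pending.append(child)     # empty non-terminal: something exists below
            else:
                found[child] = target
    return found, stats["queries"]


if __name__ == "__main__":
    hosts, n = walk(ZONE_APEX)
    print(f"{len(hosts)} PTR records recovered with {n} queries (brute force: 16**20 names)")
    for name, host in sorted(hosts.items()):
        print(f"  {name} -> {host}")
```

With four records the walk needs 640 queries (40 names are expanded, 16 children each), which is why a server answering these queries sees long runs of sibling names under one parent from a single client.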


Reverse DNS (cont.)

Tools for reverse DNS scanning

ip6-arpa-scan.py

[email protected]:#./ip6-arpa-scan.py 0.2.6.0.1.0.0.2.ip6.arpa 195.186.1.110 64

base 0.2.6.0.1.0.0.2.ip6.arpa server 195.186.1.110 limit 41

c.d.0.0.0.0.2.6.0.1.0.0.2.ip6.arpa., 1630 queries done, 365 found, 0.00% done

dnsrevenum6

[email protected]:dnsrevenum6 195.186.1.110 2001:620::/48

Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110

Found: scsnms.switch.ch. is 2001:620::1

Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::

Found: domreg.nic.ch. is 2001:620::4

Found: merapi.switch.ch. is 2001:620::5

Found: mamp1.switch.ch. is 2001:620::a

Found: atitlan.switch.ch. is 2001:620::2

Found: manaro.switch.ch. is 2001:620::14

Found: lopevi.switch.ch. is 2001:620::1a


Reverse DNS (cont.)

[email protected]:./dnsrevenum6 195.186.1.110 2001:620::/48

Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110

Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::

Found: scsnms.switch.ch. is 2001:620::1

Found: atitlan.switch.ch. is 2001:620::2

Found: domreg.nic.ch. is 2001:620::4

Found: merapi.switch.ch. is 2001:620::5

Found: mamp1.switch.ch. is 2001:620::a

Found: manaro.switch.ch. is 2001:620::14

Found: lopevi.switch.ch. is 2001:620::1a

Found: tbutest.switch.ch. is 2001:620::2a

Found: snmp-trap.lan.switch.ch. is 2001:620::162

.

.

.

Found: htabi-swiBE2.switch.ch. is 2001:620:0:fff9::2

Found: swiLS2-G2-4.switch.ch. is 2001:620:0:fffb::1

Found: swiGE2-10GE-3-2.switch.ch. is 2001:620:0:fffc::1

Found: swiIBM2-G1-2.switch.ch. is 2001:620:0:fffd::1

Found 1111 entries.


DNS Security

Prepare for a large number of queries

Protect your DNS infrastructure against DoS

Rate limit DNS queries (if possible)

Only provide necessary information

Monitor the DNS logs.
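An added example (not from the slides) of acting on the "monitor the DNS logs" point: a parser for constructed, simplified BIND-style query log lines and a detector that flags clients whose PTR queries under ip6.arpa carry the tree-walk signature, many queries with a high sibling fan-out under one parent name. An ordinary resolver never produces that pattern, because it asks for one exact 32-nibble name per lookup. The log lines, client addresses and thresholds are all constructed.

```python
"""Spot ip6.arpa tree walks in DNS query logs (added example, not from the slides)."""
import re
from collections import defaultdict

APEX = "f.f.0.0.8.b.d.0.1.0.0.2.ip6.arpa"   # reverse zone for 2001:db8:ff::/48


def _log_line(client, qname):
    """Constructed, simplified BIND-style query log line."""
    return f"10-May-2012 12:00:00.000 client {client}#40211: query: {qname} IN PTR - (192.0.2.53)"


# Constructed sample: one client walks the tree (all 16 siblings under the apex,
# then all 16 under 0.<apex>); another does two ordinary full-length PTR lookups.
SAMPLE_LOG = (
    [_log_line("192.0.2.10", f"{n}.{APEX}") for n in "0123456789abcdef"]
    + [_log_line("192.0.2.10", f"{n}.0.{APEX}") for n in "0123456789abcdef"]
    + [_log_line("198.51.100.7", ".".join(["1"] + ["0"] * 19 + [APEX])),
       _log_line("198.51.100.7", ".".join(list("efac") + ["0"] * 12 + ["1", "0", "0", "0"] + [APEX]))]
)

LINE_RE = re.compile(r"client (?P<client>[0-9a-fA-F:.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_line(line):
    """Return (client, qname, qtype) or None for lines that are not query records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def sibling_fanout(qnames):
    """Largest number of distinct first labels queried under one parent name.
    A resolver looking up a real address asks for one exact name; a walker asks
    for up to 16 siblings under every parent it descends into."""
    children = defaultdict(set)
    for q in qnames:
        label, _, parent = q.partition(".")
        children[parent].add(label)
    return max((len(s) for s in children.values()), default=0)


def find_reverse_walkers(lines, min_queries=32, min_fanout=12):
    """Clients whose PTR queries under ip6.arpa look like a tree walk."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "PTR" and parsed[1].endswith(".ip6.arpa"):
            per_client[parsed[0]].append(parsed[1])
    flagged = {}
    for client, qnames in per_client.items():
        fanout = sibling_fanout(qnames)
        if len(qnames) >= min_queries and fanout >= min_fanout:
            flagged[client] = {"queries": len(qnames), "fanout": fanout}
    return flagged


if __name__ == "__main__":
    for client, info in find_reverse_walkers(SAMPLE_LOG).items():
        print(f"{client}: {info['queries']} ip6.arpa PTR queries, sibling fan-out {info['fanout']}")
```

The fan-out measure is what separates a walk from a busy but legitimate resolver: a mail server doing thousands of reverse lookups still queries one label per parent, so it never reaches the threshold, while a walker hits 16 under the very first parent it expands. The same per-client counters are a natural input for the rate limiting the slide recommends.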


PWLAN

PWLAN Sniffing

Find the User

mDNS Attack

RA


mDNS / Zeroconf

Zeroconf with mDNS is a very good place to find devices in the network.

Multicast addresses: IPv6 ff02::fb port 5353, IPv4 224.0.0.251 port 5353

Turned „ON“ by default in many systems: some Ubuntu / Fedora (avahi), iMac / iPhone / iPad …


Mobile Devices

HTC

iPhone



Find the iPhone user

Find the user….



RA Attacks

Other possibilities: Router Advertisements

./flood_advertise6 eth3

Starting to flood network with neighbor advertisements on eth3 (Press Control-C to end, a dot is printed for every 100 packet):

..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^C



Android

HTC Desire S (Android Version 2.3.5)


Android (cont.)

Only 16 IPv6 addresses on the interface, but more „routes“ for networks, „inserted“ by RA


OSPFv3

OSPFv3 authentication: Cisco, Check Point


OSPFv3 authentication

For example, the configuration with Cisco:

AH

ipv6 ospf authentication ipsec spi spi md5 [key-encryption-type {key | null}]

ESP

ipv6 ospf encryption {ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}


OSPFv3 authentication (cont.)

Works with Cisco …

But when changing from AH to ESP, the AH session is still active; the same happens when changing the password. This can cause issues, e.g. when the password is changed on one side only.

Furthermore, if there are more OSPFv3 adjacencies, an IPsec association is needed for each of them, and this costs high CPU load.

So, what will be the best practice …


OSPFv3 authentication (cont.)

With Check Point

Capability of IPsec with IPSO (IPSO = OS for Check Point hardware)


OSPFv3 (cont.)

Basic OSPFv3 configuration works with IPSO, but what happens if a not so conventional packet occurs …

Let's try this:

Returns … oops

NokiaIP690:117> show ipv6 ospf3 neighbors

NokiaIP690:118>


Solution Check Point

IPSO is not supported with IPv6

IPv6 support only with GAIA

GAIA doesn't support IPv6 dynamic routing


Nice to know: OSPFv3 RFC 2740

"However, unlike in IPv4, IPv6 allows LSAs with unrecognized LS types to be labeled 'Store and flood the LSA, as if type understood'."

“Uncontrolled introduction of such LSAs could cause a stub area's link-state database to grow larger than its component routers' capacities.”


Attacking routing devices

Facts:
- Most network devices handle IPv6 traffic in software, not in hardware
- more CPU power is needed to handle IPv6 extension headers
- the routing table becomes much bigger

Samples:
- packets with a hop-by-hop option header
- packets with the same destination IPv6 address as that of the router
- packets that fail the scope enforcement check
- packets that exceed the MTU of the output link
- packets with a TTL (hop limit) that is less than or equal to 1
- …


Antispoofing

Verify anti-spoofing!

Possible IPv6 source addresses:
- link-local address
- site-local address
- unique local address
- multicast
- any other IPv6 address
- localhost
- …


Hurricane Electric's Tunnel

Spoofing from source IPs:
HE Tunnel: ULA, 6bone, any global IPv6 address
Miredo/Teredo: not possible
Some ISPs: sometimes ULA, sometimes ALL


Spoof Test

Source System

[email protected]:thc-1.9-chw# ./spoof6 eth3 2001:0:ffff::beef

.

Sending ICMPv6 Packets to eth3 from spoofed fdbb:7d77:bc07:affe::1

Sending ICMPv6 Packets to eth3 from spoofed 2001:db8::12001::1

Sending ICMPv6 Packets to eth3 from spoofed 2002::1

Sending ICMPv6 Packets to eth3 from spoofed 3FFE::1

Sending ICMPv6 Packets to eth3 from spoofed 2001:503:ba3e::2:30

Sending ICMPv6 Packets to eth3 from spoofed 2001:500:2f::f

Sending ICMPv6 Packets to eth3 from spoofed 2001:500:1::803f:235

Sending ICMPv6 Packets to eth3 from spoofed 2001:503:c27::2:30

Sending ICMPv6 Packets to eth3 from spoofed 2001:7fd::1

Sending ICMPv6 Packets to eth3 from spoofed 2001:dc3::35

Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8888

Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8844

Sending ICMPv6 Packets to eth3 from spoofed ffff:ffff:ffff:ffff:ffff:ffff:fffff:ffff

Done!

On the target system with tcpdump:

fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48

fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48

2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

2002::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48

2002::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

3ffe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48

3ffe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48

2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

(Info: 2001:X:ffff::beef is a placeholder for the real IPv6 address)
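Added example (not the slides' code) of the anti-spoofing check the Antispoofing slide asks for and the spoof test above exercises, placed at a tunnel or customer edge: a source is accepted only if it lies inside the prefix delegated to that customer; everything else is dropped and the reason is named, using the address classes listed on the Antispoofing slide plus 6to4 addresses whose embedded IPv4 is not public. The customer prefix 2001:db8:1234::/48 is constructed; the tested sources are the ones the spoof test sent.

```python
"""Ingress filter for IPv6 source addresses at a tunnel or customer edge (added example)."""
import ipaddress

# Prefixes that must never appear as a source on the public Internet, labelled as on
# the slides (site-local, ULA, link-local, multicast, localhost, 6bone) plus a few more.
NEVER_A_SOURCE = [
    ("unspecified", "::/128"),
    ("localhost", "::1/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("link-local", "fe80::/10"),
    ("site-local (deprecated)", "fec0::/10"),
    ("unique local (ULA)", "fc00::/7"),
    ("multicast", "ff00::/8"),
    ("documentation", "2001:db8::/32"),
    ("6bone (retired)", "3ffe::/16"),
]
NEVER_A_SOURCE = [(label, ipaddress.IPv6Network(p)) for label, p in NEVER_A_SOURCE]


def classify_source(src, customer_prefixes):
    """BCP 38 style decision for one packet: ('accept' | 'drop', reason).
    customer_prefixes: the IPv6 prefixes delegated to this tunnel or customer."""
    addr = ipaddress.IPv6Address(src)
    if any(addr in p for p in customer_prefixes):
        return "accept", "inside the customer's allocation"
    for label, net in NEVER_A_SOURCE:
        if addr in net:
            return "drop", label
    if addr in ipaddress.IPv6Network("2002::/16"):
        # 6to4: bits 16-47 carry the IPv4 address of the 6to4 router; it must be public
        v4 = ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
        if not v4.is_global:
            return "drop", f"6to4 address embedding non-public IPv4 {v4}"
    return "drop", "outside the customer's allocation (spoofed global address)"


def filter_batch(sources, customer_prefixes):
    """Apply the policy to observed source addresses: {source: (decision, reason)}."""
    return {s: classify_source(s, customer_prefixes) for s in sources}


# Constructed: the prefix delegated to one tunnel user, and sources from the spoof test.
CUSTOMER = [ipaddress.IPv6Network("2001:db8:1234::/48")]
SPOOF_TEST_SOURCES = [
    "fdbb:7d77:bc07:affe::1", "2002::1", "3ffe::1",
    "2001:503:ba3e::2:30", "2001:4860:4860::8888",
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "2001:db8:1234::10",
]

if __name__ == "__main__":
    for src, (decision, reason) in filter_batch(SPOOF_TEST_SOURCES, CUSTOMER).items():
        print(f"{decision:6} {src:40} {reason}")
```

The order matters: the allocation check comes first, so the decision is an allow-list, and the bogon table only serves to give the drop a meaningful reason. Of the spoof test's sources only the constructed customer address is accepted; root-server and public resolver addresses fall through to the final "outside the allocation" drop, which is exactly the case the tunnel in the test failed to catch.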


6RD Security Problems

6RD Client

6RD IPv6 -> IPv4 DoS



6RD Address Building

The link prefix is built from: the IPv6 prefix (/28 - /32) | CPE IPv4 address (32 bit) | subnet ID (0-4 bit) | interface ID (64 bit)

IPv6 prefix 2001:db8:0123::/32 + IPv4 10.1.2.3 => 2001:db8:0123:0A01:0203::/64


Some ideas

IPv4 address part:

Any other global IPv4 address

IPv4 private address

Loopback / management IPv4

Localhost

IPv4 multicast (for instance routing protocols)

IPv4 broadcast / network address

…


Routing

2001:db8:0123:0A01:0203::1

2001:db8:0123:0808:0808::1

2001:db8:0123:C0A8:0001::1

192.168.0.1 [2001:db8:0123:C0A8:0001::1]

10.1.2.3 [2001:db8:0123:0A01:0203::1]

8.8.8.0 [2001:db8:0123:0808:0808::1]

Routing depends on the routing table


Some 6RD ISP Tests

5 well-known 6RD providers tested:

Swisscom

Free

AT&T USA

Sakura

ISP Telfort

-> ALL allow relaying to a public IPv4 address (other tests: result unknown)


Security

Access only for 6RD ISP clients to use the 6RD BR as a 6RD relay

The 6RD BR must check whether the IPv6 traffic is for a 6RD ISP client or not.

Prevent traffic relaying for DoS from IPv6 to IPv4!
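Added example (not from the slides) covering the address-building slide, the "some ideas" list and the Security slide just above: the RFC 5969 prefix derivation in both directions, then the two checks a 6RD Border Relay needs, refusing to relay IPv6 traffic toward any embedded IPv4 address that is private, loopback, multicast, broadcast or simply not one of this ISP's 6RD customers, and refusing CPE packets whose inner IPv6 source does not match the outer IPv4 source. The ISP prefix 2001:db8::/32 and the customer pool 203.0.113.0/24 are constructed. The slide's own sample (2001:db8:0123::/32 plus 10.1.2.3) places the IPv4 address at bit 48, which is what a /48 6RD prefix gives, so the code reproduces that sample with a /48.

```python
"""6rd prefix derivation (RFC 5969) and Border Relay checks (added example, not the slides' code)."""
import ipaddress


def delegated_prefix(rd_prefix, ipv4_mask_len, cpe_ipv4):
    """6rd delegated prefix = 6rdPrefix || (CPE IPv4 address minus its IPv4MaskLen high bits)."""
    net = ipaddress.IPv6Network(rd_prefix)
    v4_bits = 32 - ipv4_mask_len
    v4_part = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    return ipaddress.IPv6Network((int(net.network_address) | (v4_part << (128 - plen)), plen))


def embedded_ipv4(rd_prefix, ipv4_mask_len, v6addr, ipv4_common="0.0.0.0"):
    """Inverse: the CPE IPv4 address encoded in a 6rd IPv6 address, or None if the
    address is outside the 6rd prefix. ipv4_common supplies the masked high bits."""
    net = ipaddress.IPv6Network(rd_prefix)
    addr = ipaddress.IPv6Address(v6addr)
    if addr not in net:
        return None
    v4_bits = 32 - ipv4_mask_len
    low = (int(addr) >> (128 - net.prefixlen - v4_bits)) & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(ipv4_common)) & (0xFFFFFFFF ^ ((1 << v4_bits) - 1))
    return ipaddress.IPv4Address(high | low)


# IPv4 destinations a BR must never tunnel toward: the slide's "some ideas" list.
NOT_A_CPE = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def br_should_encapsulate(rd_prefix, ipv4_mask_len, customer_pools, dst_v6):
    """IPv6 -> IPv4 direction: relay only toward IPv4 addresses of this ISP's 6rd customers."""
    v4 = embedded_ipv4(rd_prefix, ipv4_mask_len, dst_v6)
    if v4 is None:
        return False, "destination is not a 6rd address of this ISP"
    if any(v4 in n for n in NOT_A_CPE):
        return False, f"embedded IPv4 {v4} is private, loopback, multicast or broadcast"
    if not any(v4 in pool for pool in customer_pools):
        return False, f"embedded IPv4 {v4} is not a 6rd customer (open relay / DoS reflector)"
    return True, f"relay to CPE {v4}"


def cpe_packet_is_consistent(rd_prefix, ipv4_mask_len, outer_ipv4_src, inner_ipv6_src):
    """IPv4 -> IPv6 direction (RFC 5969 section 9): the IPv6 source a CPE sends must embed
    the IPv4 address the encapsulating packet actually came from."""
    return embedded_ipv4(rd_prefix, ipv4_mask_len, inner_ipv6_src) == ipaddress.IPv4Address(outer_ipv4_src)


# Constructed ISP parameters: 6rd prefix 2001:db8::/32, no masked IPv4 bits,
# customers numbered from 203.0.113.0/24.
RD_PREFIX, MASK_LEN = "2001:db8::/32", 0
CUSTOMER_POOLS = [ipaddress.IPv4Network("203.0.113.0/24")]

if __name__ == "__main__":
    print("CPE 203.0.113.45 gets", delegated_prefix(RD_PREFIX, MASK_LEN, "203.0.113.45"))
    for dst in ("2001:db8:cb00:712d::1", "2001:db8:808:808::1",
                "2001:db8:c0a8:1::1", "2001:db8:7f00:1::1", "2001:db8:e000:5::1"):
        print(dst, "->", br_should_encapsulate(RD_PREFIX, MASK_LEN, CUSTOMER_POOLS, dst))
```

The three destinations the Routing slide lists map to 8.8.8.8, 10.1.2.3 and 192.168.0.1 once the IPv4 part is extracted; with the pool check in place only traffic for an address the ISP actually hands out to 6RD CPEs is encapsulated, which removes the IPv6-to-IPv4 relay the tests found open at all five providers.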



Tools

Security warning and disclaimer: never ever use these tools, maybe it's against your local law!


Terminology

Node: device that implements IPv6

Router: node that forwards IPv6 packets

Host: any node that isn't a router

Upper layer: protocol layer above IPv6

Link: medium or communication facility over which nodes can communicate at the link layer

Neighbors: nodes attached to the same link

Interface: a node's attachment to a link

Address: IPv6-layer identification for an interface

Packet: IPv6 header + payload

Link MTU: maximum transmission unit of a link

Path MTU: minimum link MTU of all links in a path between source and destination nodes


Tools needed

More protocol testing tools (fuzzers …)

A tool for automatic network discovery and analysis of local traffic (ping/MLD/mDNS …) -> IP + function list

Better filter implementation in tcpdump / tshark


IPv6 hacking future

More crypto is used, but …

Still new RFCs

Growing unknown usage creates more attack surface

Mobile devices are one of the next big targets, because they need a large IP address space, which will be covered with IPv6


mDNS Problems / Attack

Internet Draft:

"DNS queries for names that do not end with ".local." MAY be sent to the mDNS multicast address, if no other conventional DNS server is available. This can allow hosts on the same link to continue communicating using each other's globally unique DNS names during network outages which disrupt communication with the greater Internet."

mDNS generates a lot of new options for fun and abuse

Flood the network with „some“ mDNS information to fill up the tables on each device

Overwrite existing entries.
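Added example (not from the slides) for the mDNS/Zeroconf slide and the flood/overwrite points above: a minimal mDNS response encoder and decoder (wire format per RFC 6762, including the cache-flush bit a responder sets to tell listeners to replace what they hold for that name) and a link monitor that reports a source re-announcing, with cache-flush set, a name another host already holds, and a source announcing an unusual number of records. All packets are constructed inside the block; the group addresses and port are the ones on the slide.

```python
"""mDNS response encoder/decoder and a small link monitor (added example, not the slides' code)."""
import struct
import ipaddress
from collections import defaultdict

MDNS_GROUP_V6, MDNS_GROUP_V4, MDNS_PORT = "ff02::fb", "224.0.0.251", 5353
TYPE_A, TYPE_PTR, TYPE_AAAA = 1, 12, 28
CACHE_FLUSH = 0x8000  # RFC 6762 10.2: top bit of rrclass = "replace what you cached for this name"


def encode_name(name):
    """DNS wire-format name, uncompressed: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_response(records, cache_flush=False):
    """Constructed mDNS response (QR=1, AA=1). records: [(owner, rtype, value)] where value
    is a hostname for PTR and an IP string for A/AAAA."""
    rclass = 1 | (CACHE_FLUSH if cache_flush else 0)
    body = b""
    for owner, rtype, value in records:
        rdata = encode_name(value) if rtype == TYPE_PTR else ipaddress.ip_address(value).packed
        body += encode_name(owner) + struct.pack("!HHIH", rtype, rclass, 120, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0) + body


def decode_name(pkt, off):
    """Decode a possibly compressed name. Returns (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                    # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(pkt):
    """All resource records of an mDNS response as (owner, rtype, value, cache_flush)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                           # a query, not a response
        return []
    off, records = 12, []
    for _ in range(qd):                              # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        owner, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            value, _ = decode_name(pkt, off)
        elif rtype in (TYPE_A, TYPE_AAAA):
            value = str(ipaddress.ip_address(pkt[off:off + rdlen]))
        else:
            value = pkt[off:off + rdlen].hex()
        records.append((owner, rtype, value, bool(rclass & CACHE_FLUSH)))
        off += rdlen
    return records


def audit_mdns(packets, flood_threshold=50):
    """packets: [(source_ip, raw_bytes)] captured on the link. Alerts are
    ('takeover', src, name, previous_owners) when a host re-announces a name someone else
    already holds with cache-flush set, and ('flood', src, n_records, None) for bulk announcers."""
    claims, per_source, alerts = defaultdict(set), defaultdict(set), []
    for src, raw in packets:
        for owner, rtype, value, flush in parse_response(raw):
            if rtype in (TYPE_A, TYPE_AAAA):
                others = claims[owner] - {src}
                if flush and others:
                    alerts.append(("takeover", src, owner, sorted(others)))
                claims[owner].add(src)
            per_source[src].add((owner, rtype, value))
    for src, recs in per_source.items():
        if len(recs) >= flood_threshold:
            alerts.append(("flood", src, len(recs), None))
    return alerts


# Constructed link traffic: a printer, a second host re-announcing the printer's name
# with cache-flush set, and a host dumping 60 made-up AAAA records.
SAMPLE_PACKETS = [
    ("fe80::1", build_response([("printer.local.", TYPE_AAAA, "fe80::1"),
                               ("_ipp._tcp.local.", TYPE_PTR, "printer._ipp._tcp.local.")])),
    ("fe80::2", build_response([("printer.local.", TYPE_AAAA, "fe80::2")], cache_flush=True)),
    ("fe80::3", build_response([(f"host{i}.local.", TYPE_AAAA, f"fe80::{i + 16:x}") for i in range(60)])),
]

if __name__ == "__main__":
    for alert in audit_mdns(SAMPLE_PACKETS):
        print(alert)
```

Feeding captured datagrams from port 5353 on ff02::fb or 224.0.0.251 into audit_mdns gives the two signals the slide describes: a takeover is a cache-flush announcement for a name some other link-local source already advertised, and a flood is one source pushing far more records than any real device announces.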

