1 / 47

IPv6 Some ISP related security Problems

IPv6 Some ISP related security Problems. Sina Herbert / Christoph Weber Swinog 10.5.2012 Version 1.02. about us. Sina Herbert Study of computer science at the university of applied sciences in Fulda (Germany). Christoph Weber First Hack is more the 30 year ago, and i am still active.

dbonnie
Download Presentation

IPv6 Some ISP related security Problems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPv6 Some ISP related security Problems Sina Herbert / Christoph Weber Swinog 10.5.2012 Version 1.02

  2. about us Sina Herbert Study of computer science at the university of applied sciences in Fulda (Germany). Christoph Weber First Hack is more the 30 year ago, and i am still active. Both currently working for a big ISP in Switzerland in the development Team for datacenter, network and security.- integration of IPv6 in our datacenter environment- IPv4 + IPv6 Security- IPv4 old world routing / switching

  3. Disclaimer + Warning This is our own study and analysis, or is based on public available information ! All information are our private work and ideas ! Represents our meaning ! No relation to the company, we currently work for it ! Warning ! ALL information's are for internal and testing purpose only ! Don’t do this at home !

  4. agenda DNS Problem- bruteforce / reverse WLAN - sniffing / mDNS / Mobile Devices OSPFv3 implementation problems- wrong integration 6RD security - attack ipv4 from ipv6 (anti)spoofing- Example Hurricane Electric Tunnel Broker

  5. DNS Hostnames Naming scheme DNS Server the new target on IPv6 DNS bruteforce Reverse DNS bruteforce

  6. find the target with DNS DNSbased on DNS Information, the Public Server are easy to find. - create your own dig-script , thc tool dnsdict6(You need a good hostname list…) Sys and Net-Admins mostly use the last 4 (or 8) characters of the IPv6 address range (simpler to remember and to write) Scanningsimply address, because sysadmin’s are lazy (or geeks) :1 :53 :80 :def :affe :c5c0 :cafe :babe Because most Company use a IPv6 addressing plan, it’s easy to find more targets.

  7. find the target with DNS Bruteforce the DNS Server with a „large optimized“ Hostname-file.

  8. find the target with DNS Sample: switch.ch autoconfig by hand

  9. Reverse DNS Sample Environment: 2001:DB8::/32 there is 2001:DB8:FF::/48 which has reverse DNS hosted in a zone called F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. For simpler handling we call F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. => X In the given the zone name we can query 0.X, 1.X, 2.X … up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist, but very importantly, this can usually be construed to mean that no longer name exists either. Suppose that in this case, two of the names (0.X and f.X) do not return NXDOMAIN – instead they return NOERROR. This means the nameserver has a reason to not deny existence, and in this case, that reason is that a longer name exists.

  10. X.0 -> NXDOMAIN X.1 -> NXDOMAIN X.2 -> NXDOMAIN X.3 -> NXDOMAIN X.4 -> NOERROR X.4.0 -> NXDOMAIN X.4.1 -> NXDOMAIN X.4.2 -> NOERROR X.4.2.0 -> NOERROR X.4.2.0.0 -> NOERROR X.4.2.0.0.0 -> NXDOMAIN X.4.2.0.0.1 -> NOERROR X.4.2.0.0.1.0 -> NOERROR . . . X.4.2.0.0.1.0.0.F.F.0.0.0.1.0.1.2.A.F.F.E -> www.whatever.com Reverse DNS NXDOMAIN -> next , same level NOERROR -> next, on level lower

  11. Reverse DNS Tools, for reverse dns scan ip6-arpa-scan.py root@blubberli:#./ip6-arpa-scan.py 0.2.6.0.1.0.0.2.ip6.arpa 195.186.1.110 64 base 0.2.6.0.1.0.0.2.ip6.arpa server 195.186.1.110 limit 41 c.d.0.0.0.0.2.6.0.1.0.0.2.ip6.arpa., 1630 queries done, 365 found, 0.00% done dnsrevenum6 root@blubberli:dnsrevenum6 195.186.1.110 2001:620::/48 Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110 Found: scsnms.switch.ch. is 2001:620::1 Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620:: Found: domreg.nic.ch. is 2001:620::4 Found: merapi.switch.ch. is 2001:620::5 Found: mamp1.switch.ch. is 2001:620::a Found: atitlan.switch.ch. is 2001:620::2 Found: manaro.switch.ch. is 2001:620::14 Found: lopevi.switch.ch. is 2001:620::1a

  12. Reverse DNS root@blubberli:./dnsrevenum6 195.186.1.110 2001:620::/48 Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110 Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620:: Found: scsnms.switch.ch. is 2001:620::1 Found: atitlan.switch.ch. is 2001:620::2 Found: domreg.nic.ch. is 2001:620::4 Found: merapi.switch.ch. is 2001:620::5 Found: mamp1.switch.ch. is 2001:620::a Found: manaro.switch.ch. is 2001:620::14 Found: lopevi.switch.ch. is 2001:620::1a Found: tbutest.switch.ch. is 2001:620::2a Found: snmp-trap.lan.switch.ch. is 2001:620::162 . . . Found: htabi-swiBE2.switch.ch. is 2001:620:0:fff9::2 Found: swiLS2-G2-4.switch.ch. is 2001:620:0:fffb::1 Found: swiGE2-10GE-3-2.switch.ch. is 2001:620:0:fffc::1 Found: swiIBM2-G1-2.switch.ch. is 2001:620:0:fffd::1 Found 1111 entries.

  13. DNS Security Prepare for a large amount of query‘s DoS Protect your DNS Infrastructure Rate limit DNS query‘s (if possible) Only provide necessary information consider the DNS logs.

  14. PWLAN PWLAN Sniffing Find the User mDNS Attack RA

  15. mDNS / Zeroconf Zeroconf with mDNS is a very good place, to find devices in the network. Multicast addresses ipv6 ff02::fb port 5353 ipv4 224.0.0.251 port 5353 Turned „ON“ bye default in many systemssome Ubuntu / Fedora (avahi)iMac / iPhone / iPads …

  16. Mobile Devices HTC iPhone

  17. a day on „Zürich“ Main Station

  18. Find the iPhone user Find the user….

  19. Find the next user…

  20. RA Attacks Other possibilities Router Advertisments ./flood_advertise6 eth3 Starting to flood network with neighbor advertisements on eth3 (Press Control-C to end, a dot is printed for every 100 packet): ..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................^C

  21. Andorid 2.2

  22. Android HTC Desire S (Android Version 2.3.5)

  23. Android Only 16 ipv6 addresses on the interface, but more „routes“ for networks, „inserted“ by RA

  24. OSPFv3 OSPFv3 authentication- Cisco - Checkpoint

  25. OSPFv3 authentication For example the configuration with Cisco AH ipv6 ospf authenticationipsecspispi md5 [key-encryption-type {key | null}] ESP ipv6 ospf encryption {ipsecspispi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}

  26. OSPFv3 authentication Works with Cisco … But when changing from AH to ESP The AH session is still active, the same by changing the password. This can be cause issues e.g. by changing the password only on one side. Furthermore, if there are more OSPFv3 connections, there will also be needed an IPSEC connection for each of it and this costs high CPU load. So , what will be the best practice …

  27. OSPFv3 authentication with Check Point Capability of IPSEC with IPSO (IPSO = OS for Checkpoint Hardware)

  28. OSPFv3 Basic OSPFv3 configuration works with IPSO, but what happens, if a not so conventional packet occurs … lets try this: Returns …ups NokiaIP690:117> show ipv6 ospf3 neighbors NokiaIP690:118>

  29. Solution Check Point Doesn‘t support IPSO with IPv6 IPv6 support only with GAIA GAIA doesn‘t support IPv6 dynamic routing

  30. Nice to know OSPFv3 RFC 2740 “However, unlike in IPv4, IPv6 allows LSAs with unrecognized LS types to be labeled "Store and flood the LSA, as if type understood””. “Uncontrolled introduction of such LSAs could cause a stub area's link-state database to grow larger than its component routers' capacities.”

  31. Attack a Routing devices Fact: - Most Network Devices handle IPv6 Traffic in Software, not in hardware- more CPU Power for handling IPv6 extensions Headers - the routing table becomes much bigger Samples Packets with a hop-by-hop option headerPackets with the same destination IPv6 address as that of routersPackets that fail the scope enforcement checkPackets that exceed the MTU of the output linkPackets with a TTL that is less than or equal to 1…..

  32. Antispoofing Verify ANTI-spoofing ! Possible IPv6 Addresses. - Link Local Address - Site Local Addess- Unique Local Address- Multicast- Any other IPv6 address- localhost- ….

  33. Hurricane Electric's Tunnel Spoofing from Source IP‘sHE Tunnel:- ULA - 6Bone- Any Global IPv6 Address Miredo/Teredo- not possibleSome ISP‘s- Sometimes ULA- Sometimes ALL

  34. Spoof Test Source System root@blubberli:thc-1.9-chw# ./spoof6 eth3 2001:0:ffff::beef . Sending ICMPv6 Packets to eth3 from spoofed fdbb:7d77:bc07:affe::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:db8::12001::1 Sending ICMPv6 Packets to eth3 from spoofed 2002::1 Sending ICMPv6 Packets to eth3 from spoofed 3FFE::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:503:ba3e::2:30 Sending ICMPv6 Packets to eth3 from spoofed 2001:500:2f::f Sending ICMPv6 Packets to eth3 from spoofed 2001:500:1::803f:235 Sending ICMPv6 Packets to eth3 from spoofed 2001:503:c27::2:30 Sending ICMPv6 Packets to eth3 from spoofed 2001:7fd::1 Sending ICMPv6 Packets to eth3 from spoofed 2001:dc3::35 Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8888 Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8844 Sending ICMPv6 Packets to eth3 from spoofed ffff:ffff:ffff:ffff:ffff:ffff:fffff:ffff Done! On the Target System with tcpdump: fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 2002::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 2002::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 3ffe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 3ffe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48 2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48 (Info: the 2001:X:ffff::beef is a spaceholder for the real IPv6 address)

  35. 6RD Security Problems 6RD Client 6RD IPv6 -> IPv4 DoS

  36. Sample „Free“

  37. 6RD Address Building Link Prefix is build with the IPv6 Prefix (/28 - /32)CPE IPv4 Address 32 bit 0-4 bit Subnet ID 64 bit Interface ID IPv6 Prefix: 2001:db8:0123::/32 + + IPv4 10.1.2.3 => 2001:db8:0123:0A01:0203::/64

  38. some ideas IPv4 Address Part Any other IPv4 Global Address IPv4 Privat Address Loopback / Management IPv4 Localhost IPv4 Multicast (for instance Routing Protocols) IPv4 Broadcast / Network Address …….

  39. Routing 2001:db8:0123:0A01:0203::1 2001:db8:0123:0808:0808::1 2001:db8:0123:C0A8:0001::1 192.168.0.1 [2001:db8:0123:C0A8:0001::1] 10.1.2.3 [2001:db8:0123:0A01:0203::1] 8.8.8.0 [2001:db8:0123:0808:0808::1] Routing depending on the routing table

  40. Some 6RD ISP Tests 5 well known 6RD provider tested Swisscom Free ATT USA Sakura ISP Telfort -> ALL allow relaying to a public IPv4 address (other tests , result unknown)

  41. Security Access only for 6RD ISP-Client to use the 6RD BR as 6RD-Relay 6RD BR must check, if the IPv6 Traffic is for a 6RD ISP Client or not. Prevent traffic relay for DoS from IPv6 to IPv4 !

  42. questions ? sina.herbert@online.de christoph.weber@packetlevel.ch

  43. Tools Security Warning and Disclaimer: Never ever use this tools, maybe it‘s against your local law !

  44. terminology Node: Device that implements IPv6 Router: Node that forwards IPv6 Packets Host: Any Node, that isn‘t a router Upper Layer: Protocol layer above ipv6 Link: Medium or communication Facility over with nodes can communicate at the link layer Neighbors: Nodes attached on the same link Interface: A Node‘s attachment to a link Address: IPv6 Layer identification for an interface Packet: IPv6 header + payload Link MTU: Maximum Transmission Unit Path MTU: Minimum link MTU of all links in a path between source und destination node‘s

  45. Tools needed more protocol testing tools (fuzzer..) tool for automatic network discovery and analysis of local traffic(ping/mld/mdns … ) -> IP + function list Better filter implementation in tcpdump / tshark

  46. IPv6 hacking future more crypto is used, but… still new RFC‘s growing unknown usage creates more attacking surface Mobile devices are one of the next big target, because the need a large IP address space, with will be covered with ipv6

  47. mDNS Problems / Attack Internet Draft: DNS queries for names that do not end with ".local." MAY be sent to the mDNS multicast address, if no other conventional DNS server is available. This can allow hosts on the same link to continue communicating using each other's globally unique DNS names during network outages which disrupt communication with the greater Internet. mDNS generates a lot of new options for fun and abuse Flood the network with „some“ mDNS information to fill up the tables on each devices Overwrite existing entries.

More Related