TRANSCRIPT
18/04/2012
Ensimag – 4MMSR : Student Seminar
Recent Advances in IPv6 insecurities – Marc "van hauser" Heuse – 27th CCC 2010
1 / 18
http://ensiwiki.ensimag.fr/index.php/4MMSR
18/04/2012 Recent Advances in IPv6 insecurities - Marc "van hauser" Heuse - 27C3/CCC 2010
Marc ”van hauser” Heuse [03][04]
IT-Security career :
1995 : The Hacker's Choice (IT-Research group)
1997-2007 : some IT-security jobs as a consultant
2007 : independent IT-researcher
Many conferences and publications :
Pacsec, CCC Congress, Hackito Ergo Sum
2000 : ”Authentifizierung unter Linux mit PAM”
2001 : ”Irgendwo ist immer eine Lücke”
2006 : SuSE - Installation of a secure web server
2011 : ”Safer Six”, ”IPv6 ein security Albtraum”
Summary
Background: IPv6 reminders
Van Hauser's IPv6 vulnerabilities
Kick the default router
Router Advertisement flooding
Taking over the Multicast Listener Discovery Protocol
Anybody sniffing
Counter-measures
Conclusion
IPv6 reminders [06]
Address format :
2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b
(figure: the address is split into Site Prefix | Subnet ID | Interface ID)
Site Prefix :
Link-local, always the same local prefix: fe80::
Global, which permits mobility: Provider Prefix
Multicast, integrated as part of the standard: ff02::
IPv6 Reminders
Enough addresses for the next decade :
One subnet : four billion times the size of the Internet
IPv4 : 256^4 addresses
IPv6 : 256^16 addresses
Packet format :
(figure: IPv6 Header [Next Header : 43] -> Extension IPv6 Headers [Next Header : ...] -> UDP Header -> Payload)
IPv6 : Autoconfiguration
Router Solicitation (RS) : sent by booting nodes to request RAs for configuring their interfaces
Router Advertisement (RA) : sent periodically by routers to the all-nodes multicast address
IPv6 vuln: Kick the default router
(figure: attacker sends its own RA to the TARGET)
Send own RA
But the target can ignore this RA :
No RS sent
Previous RA still valid
Impact of the attack
Take the legitimate router's place
Confidentiality, Integrity, Authenticity of data
Loss of privacy, network no longer available
IPv6 vuln: Kick the default router
RA format [08]:
Field            Size
Type = 134       1 B
Code             1 B
Checksum         2 B
Cur. Hop Limit   1 B
M, O, Reserved   1 B
Router Lifetime  2 B
Reachable Time   4 B
Retrans. Timer   4 B
Options          variable size
IPv6 vuln: Kick the default router
(figure: attacker and TARGET on the same link)
1. Spoof RA of default router with 0 lifetime
2. Send own RA
No more network access for the Target
RA's Integrity failed
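As an added defensive example (not from the slides and not part of the THC-IPv6 toolkit), the Python below parses the fixed RA header from the RA format slide and flags both steps of this attack, plus the RA flood described on the next slide, over a constructed capture. The monitor logic, the flood threshold and the addresses fe80::1 / fe80::bad are assumptions.

```python
import struct
import ipaddress

ICMPV6_RA = 134  # Type value from the RA format slide (RFC 4861)

def parse_ra(icmp6):
    """Parse the fixed 16-byte part of an ICMPv6 Router Advertisement (RFC 4861, 4.2):
    type(1) code(1) checksum(2) cur hop limit(1) M/O/reserved(1)
    router lifetime(2) reachable time(4) retrans timer(4), then options."""
    if len(icmp6) < 16:
        raise ValueError("RA shorter than its 16-byte fixed header")
    msg_type, code, _cksum, hop, flags, life, reach, retrans = struct.unpack("!BBHBBHII", icmp6[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement (type %d, code %d)" % (msg_type, code))
    return {"cur_hop_limit": hop,
            "managed": bool(flags & 0x80),  # M flag: addresses via DHCPv6
            "other": bool(flags & 0x40),    # O flag: other config via DHCPv6
            "router_lifetime": life,        # 0 = "stop using me as default router"
            "reachable_time": reach, "retrans_timer": retrans,
            "options": icmp6[16:]}

def audit_ras(capture, known_routers, flood_threshold=50):
    """capture: list of (source address, ICMPv6 bytes) for RAs seen on one link.
    known_routers: link-local addresses of the legitimate routers (assumed known).
    Returns (source, finding) tuples a link monitor would alert on."""
    findings = []
    for src, icmp6 in capture:
        ra = parse_ra(icmp6)
        if not ipaddress.IPv6Address(src).is_link_local:  # RFC 4861: RA source must be link-local
            findings.append((src, "RA from non-link-local source"))
        if src in known_routers and ra["router_lifetime"] == 0:  # step 1 of the attack
            findings.append((src, "legitimate router revoked with lifetime 0"))
        if src not in known_routers and ra["router_lifetime"] > 0:  # step 2 of the attack
            findings.append((src, "unknown router advertising itself"))
    distinct = len({src for src, _ in capture})
    if distinct >= flood_threshold:  # flood_router6 announces many random routers at once
        findings.append(("*", "RA flood: %d distinct routers" % distinct))
    return findings

def build_ra(lifetime, hop_limit=64, flags=0):
    """Build a constructed RA (checksum left 0; it is not verified here)."""
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, lifetime, 0, 0)

# Constructed sample capture, not real traffic: the legitimate router fe80::1,
# a spoofed lifetime-0 RA in its name, then the attacker's own RA from fe80::bad.
SAMPLE_CAPTURE = [("fe80::1", build_ra(1800)), ("fe80::1", build_ra(0)),
                  ("fe80::bad", build_ra(1800))]
FLOOD_CAPTURE = [("fe80::%x" % i, build_ra(1800)) for i in range(1, 201)]
```

Running `audit_ras(SAMPLE_CAPTURE, {"fe80::1"})` yields one finding per attack step; the flood capture additionally triggers the distinct-router threshold.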
IPv6 vuln: RA flooding
Attacker floods the network with random router advertisements
Updating the routing tables and configuring IPv6 addresses requires lots of CPU resources (i.e. 100%)
No more CPU resources available until the flooding is terminated
RA's Authenticity failed
IPv6 vuln: RA flooding
Demonstration :
> flood_router6 eth0
(figure: millions of RAs sent to the TARGET)
Multicast Listener Discovery
Routers use MLD to learn which multicast addresses have listeners on each of their attached links.
How does the MLD protocol work :
1. The MLD general query router periodically sends MLD general query messages
2. MLD Report to all routers : e.g. "I am a DNS server"
(figure: DNS server A reports to the MLD general query router; DNS traffic is routed to A)
IPv6 vuln in MLD Protocol : how is it possible that the protocol goes wrong?
Goal
Availability (DoS: hosts don't receive traffic anymore)
Van Hauser's Methodology
Attacker spoofs an MLD Done message from A, i.e. A ceases to listen to a multicast address (first try)
Attacker becomes the MLD general query router with the smallest router address fe80:: (second try)
Attacker spoofs an MLD general query message with the all-routers multicast MAC address
With MAC 33-33-00-00-00-02, the router takes the packet, but the host doesn't
(figure: DNS server and MLD general query router)
1. Spoof an MLD general query message as fe80:: with the special MAC
2. Whenever an MLD Report message is sent by a server, spoof the same message again as an MLD Done message
IPv6 vuln: Anybody sniffing
Sniffing : reading all packets that travel through the network, by joining all multicast groups
How can we detect that someone is sniffing?
Send a query on a specific unused multicast address
Demonstration
Sniffing with Wireshark, I see you...
Counter-measures
Counter-measure                  | Efficient against        | Security property guaranteed
Windows Firewall                 | RA flooding              | Availability of CPU
IPSec (with Authentication),     | Vuln in MLD Protocol,    | Availability of network traffic,
  integrated in the standard     | Kick the default router  | Confidentiality, Integrity,
SEND                             |                          | Authenticity, Privacy
Secure Client Configuration      |                          |
Limitations:
● IPSec difficulties with NAT
● The last two tools are supported almost nowhere
● Secure Client Configuration not complete about what you can or can't disable on the network
Conclusion
Cool stuff with IPv6
Stateless Autoconfiguration
Routing simplified: no header checksum to control in routers, which limits packet transit time
Jumbograms: IPv4 packets are limited to 64 KB, IPv6 packets can be up to 4 GB
Mobile phone recognition in the local network
Future 4G services only available over IPv6
IPv6 day: June 8th 2011
Further information
Automatic (6to4, Teredo) and configured tunnels
Header translation
Application-Level Gateway
But still some vulnerabilities
THC-IPv6: the first and still the only toolkit for security testing IPv6 networks
Questions?
Sources
[01] : Recent Advances in IPv6 Insecurities, Marc "van hauser" Heuse, 2010 : http://events.ccc.de/congress/2010/Fahrplan/attachments/1808_vh_thc-recent_advances_in_ipv6_insecurities.pdf
[02] : Recent Advances in IPv6 Insecurities, Marc "van hauser" Heuse, 27th Chaos Communication Congress, December 2010 : http://www.youtube.com/watch?v=c7hq2q4jQYw
[03] : Marc "van Hauser" Heuse's official website : http://www.mh-sec.de/
[04] : "Marc "van Hauser" Heuse" : http://www.govcert.nl/english/symposium/Symposium+2011/Speakers/marc-heuse-2011.html
[05] : THC official website, IPv6 page : http://www.thc.org/thc-ipv6/
[06] : Network layer-3 : https://intranet.ensimag.fr/KIOSK/Ensimag/2A/opt/Reseaux/pdf/R2A-5-Network_layer-3.pdf
[07] : RFC 2710 - Multicast Listener Discovery for IPv6 : http://tools.ietf.org/html/rfc2710
[08] : RFC 4861 - Neighbor Discovery for IPv6 : http://tools.ietf.org/html/rfc4861
[09] : Attacking the IPv6 Protocol Suite, Van Hauser, 2008 : http://www.ipv6security.nl/documents/vh_thc-ipv6_attack.pdf
[10] : MSDN Library : Multicast Listener Discovery : http://msdn.microsoft.com/en-us/library/ms882958.aspx
Marc "van hauser" Heuse
Hobbies [01]
backpacking in remote countries
vegetarian cooking with friends
ballroom dancing
NLP and LARP
Two programs in the top 20 best security tools in the world [02]
Works and worked with the best
Symantec, Vodafone
European Central Bank
Student Question 1
Is there an equivalent for ARP spoofing in IPv6 ?
ARP spoofing <=> ND spoofing
Neighbor Discovery Protocol (ND)
(figure: 1. NS from A to B, 2. NA from B to A)
Neighbor Solicitation (NS) : A asks on the all-nodes multicast what B's MAC address is
Neighbor Advertisement (NA) : B answers with its MAC address
● Attacker claims to be every system on the LAN
● Availability : DoS, A can not find B
Student Question 2
Just « plug in and go » seems to be cool, are there possibilities to prevent the connection of a new node?
Duplicate Address Detection DoS
Duplicate Address Detection protocol
(figure: 1. NS from A, 2. NA from B)
1. Neighbor Solicitation (NS) : A asks on the all-nodes multicast whether its IP address is available
2. If no answer, A can take the address
● Attacker claims to be every system on the LAN
● Availability : DoS on the connection
Student Question 3
You said that there are no broadcasts in IPv6, how can we perform a remote alive scan ?
Identify remote systems
Find network addresses
In databases
Search engines
Use DNS
Find alive systems
DHCP assigns addresses sequentially
By hand : the same patterns are always found
Marc Heuse's example
Around 20 seconds to find 90-95% of servers