18/04/2012
Ensimag – 4MMSR : Student Seminar
Recent Advances in IPv6 insecurities – Marc ”van hauser” Heuse – 27th CCC 2010
[email protected] [email protected]
http://ensiwiki.ensimag.fr/index.php/4MMSR

18/04/2012 Recent Advances in IPv6 insecurities - Marc "van hauser" Heuse - 27C3/CCC 2010

Marc ”van hauser” Heuse [03][04]

IT-Security career :
1995 : The Hacker's Choice (IT-Research group)
1997-2007 : some IT-security jobs as a consultant
2007 : independent IT-researcher

Many conferences and publications :
Pacsec, CCC Congress, Hackito Ergo Sum
2000 : ”Authentifizierung unter Linux mit PAM”
2001 : ”Irgendwo ist immer eine Lücke”
2006 : SuSE - Installation of a secure web server
2011 : ”Safer Six”, ”IPv6 ein security Albtraum”

Summary

Background: IPv6 reminders

Van Hauser's IPv6 vulnerabilities

Kick the default router

Router Advertisement flooding

Taking over the Multicast Listener Discovery Protocol

Anybody sniffing

Counter-measures

Conclusion

IPv6 reminders [06]

Address format :
2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b
Site Prefix | Subnet ID | Interface ID

Address scopes :
Link-local, always the same local prefix : fe80::
Global, which permits mobility : provider prefix
Multicast, integrated in the standard : ff02::

IPv6 reminders

Enough addresses for the next decade :
IPv4 : 256^4 addresses
IPv6 : 256^16 addresses
One subnet : four billion times the size of the Internet

Packet format :
IPv6 Header (Next Header : 43) | Extension IPv6 Headers (Next Header : ...) | UDP Header | Payload

IPv6 : Autoconfiguration

Router Solicitation (RS) : sent by booting nodes to request RAs for configuring their interfaces
Router Advertisement (RA) : sent periodically by routers to the all-nodes multicast address

IPv6 vuln: Kick the default router

Send own RA
But the target can ignore this RA :
No RS sent
Previous RA still valid

Impact of the attack :
Take the legitimate router's place
Confidentiality, Integrity, Authenticity of data
Loss of privacy, network unavailable anymore

IPv6 vuln: Kick the default router

RA format [08] :
Field             Size
Type = 134        1 B
Code              1 B
Checksum          2 B
Cur. Hop Limit    1 B
M, O, Reserved    1 B
Router Lifetime   2 B
Reachable Time    4 B
Retrans. Timer    4 B
Options           variable size

IPv6 vuln: Kick the default router

1. Spoof RA of default router with 0 lifetime
2. Send own RA

No more network access for the Target
RA's Integrity failed

IPv6 vuln: RA flooding

Attacker floods the network with random router advertisements
Updating the routing tables and configuring IPv6 addresses requires lots of CPU resources (i.e. 100%)
No more CPU resources available until the flooding is terminated
RA's Authenticity failed

IPv6 vuln: RA flooding

Demonstration :
> flood_router6 eth0
Millions of RA sent
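
Added example (not from the slides or from the THC-IPv6 toolkit): a small monitor that parses RAs with the RFC 4861 [08] layout given above and flags, on one link, the abuses of the two previous slides: a router lifetime of 0 (the withdrawal step of "kick the default router"), an RA from a source outside the list of trusted routers (the attacker's own RA), and more RAs per second than a link should ever see (the flood). The trusted addresses, prefix, threshold and packets are constructed test data; the checksum is left at 0 because checking it needs the IPv6 pseudo-header, which this body-only parser does not see.

```python
import ipaddress
import struct
from collections import deque

ICMPV6_RA = 134          # Router Advertisement, RFC 4861
OPT_PREFIX_INFO = 3      # Prefix Information option

def parse_ra(icmp):
    """Parse an ICMPv6 RA body (IPv6 header already stripped)."""
    # type(1) code(1) checksum(2) hop limit(1) M/O/reserved(1) lifetime(2) reachable(4) retrans(4)
    typ, _code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0 or pos + olen * 8 > len(icmp):   # RFC 4861: option length 0 is invalid
            raise ValueError("malformed option")
        if otype == OPT_PREFIX_INFO and olen == 4:     # the prefix sits at option offset 16
            prefixes.append(f"{ipaddress.IPv6Address(icmp[pos + 16:pos + 32])}/{icmp[pos + 2]}")
        pos += olen * 8
    return {"hop_limit": hop, "managed": bool(flags & 0x80), "lifetime": lifetime, "prefixes": prefixes}

def build_ra(lifetime, prefix="2001:db8:3c4d:15::", plen=64):
    """Constructed test RA; checksum left 0 (it needs the IPv6 pseudo-header)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

class RaMonitor:
    """Per-link RA watcher; the trusted routers and the flood threshold are assumptions."""
    def __init__(self, trusted_routers, max_per_sec=20):
        self.trusted = set(trusted_routers)   # link-local addresses of the real routers
        self.max_per_sec = max_per_sec
        self.recent = deque()                 # timestamps of the RAs seen in the last second

    def observe(self, ts, src, icmp):
        ra = parse_ra(icmp)
        alerts = []
        if src not in self.trusted:           # step 2 of the attack: the attacker's own RA
            alerts.append(f"RA from untrusted router {src} advertising {ra['prefixes']}")
        if ra["lifetime"] == 0:               # step 1: default router withdrawn; the source
            alerts.append(f"RA from {src} with router lifetime 0")   # looks trusted when spoofed
        self.recent.append(ts)
        while self.recent and ts - self.recent[0] > 1.0:
            self.recent.popleft()
        if len(self.recent) > self.max_per_sec:   # flood_router6-style storm
            alerts.append(f"RA flood: {len(self.recent)} RAs within 1 s")
        return alerts
```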

Multicast Listener Discovery

Routers use MLD to learn which multicast addresses have listeners on each of their attached links.

How does the MLD protocol work :
1. The router periodically sends MLD General Query messages
2. Listeners answer with an MLD Report to all routers, e.g. A reports "I am a DNS server", and DNS traffic is then routed to A

IPv6 vuln in the MLD protocol : how is it possible that the protocol goes wrong?

Goal :
Availability (DoS: hosts don't receive traffic anymore)

Van Hauser's methodology :
Attacker spoofs A's MLD Done message, i.e. A ceases to listen to a multicast address (first try)
Attacker becomes the MLD General Query router with the smallest router address fe80:: (second try)
Attacker spoofs an MLD General Query message with the multicast all-routers MAC address
With MAC 33-33-00-00-00-02, the router takes the packet, but the host doesn't

Scenario (DNS server, MLD General Query router) :
1. Spoof an MLD General Query message as fe80:: with the special MAC
2. Whenever an MLD Report message is sent by a server, spoof the same message again as an MLD Done message
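
Added example (not from the slides or from the THC-IPv6 toolkit): a monitor for the MLDv1 messages of RFC 2710 [07] that flags the two steps of the scenario above from the defender's side: a General Query from anyone but the legitimate querier (and a note when that source, such as fe80::, is low enough to win the querier election), and a Done that follows a host's own Report for the same group within a short window, which is what the spoofed leave looks like on the wire. The querier address, listener, group, window and packets are constructed; the checksum is left at 0 because it needs the IPv6 pseudo-header.

```python
import ipaddress
import struct

MLD_QUERY, MLD_REPORT, MLD_DONE = 130, 131, 132   # ICMPv6 types, RFC 2710 (MLDv1)

def parse_mld(icmp):
    """Parse an MLDv1 body: type(1) code(1) checksum(2) max delay(2) reserved(2) group(16)."""
    if len(icmp) < 24:
        raise ValueError("truncated MLD message")
    typ, _code, _csum, max_delay, _res = struct.unpack("!BBHHH", icmp[:8])
    if typ not in (MLD_QUERY, MLD_REPORT, MLD_DONE):
        raise ValueError("not an MLDv1 message")
    # A General Query carries the unspecified group ::, a Report/Done names the group concerned
    return {"type": typ, "max_delay": max_delay, "group": ipaddress.IPv6Address(icmp[8:24])}

def build_mld(typ, group="::", max_delay=10000):
    """Constructed test message; checksum left 0 (it needs the IPv6 pseudo-header)."""
    return struct.pack("!BBHHH", typ, 0, 0, max_delay, 0) + ipaddress.IPv6Address(group).packed

class MldMonitor:
    """Per-link MLD watcher; the legitimate querier and the Done window are assumptions."""
    def __init__(self, querier, done_window=2.0):
        self.querier = ipaddress.IPv6Address(querier)   # the router that should send queries
        self.done_window = done_window
        self.last_report = {}                           # (src, group) -> time of last Report

    def observe(self, ts, src, icmp):
        msg = parse_mld(icmp)
        src = ipaddress.IPv6Address(src)
        alerts = []
        if msg["type"] == MLD_QUERY:
            if src != self.querier:
                alerts.append(f"MLD General Query from unexpected querier {src}")
                # Querier election: the lowest address wins, which is why the attack uses fe80::
                if src < self.querier:
                    alerts.append(f"{src} is lower than {self.querier}: it takes over the querier role")
        elif msg["type"] == MLD_REPORT:
            self.last_report[(src, msg["group"])] = ts
        elif msg["type"] == MLD_DONE:
            t = self.last_report.get((src, msg["group"]))
            # A Done right after the same host's Report matches the spoofed-leave step
            if t is not None and ts - t <= self.done_window:
                alerts.append(f"Done for {msg['group']} from {src} {ts - t:.1f}s after its Report")
        return alerts
```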

IPv6 vuln: Anybody sniffing

Sniffing : reading all packets that travel through the network, after joining all multicast groups

How can we detect that someone is sniffing?
Send a query on a specific unused multicast address : a host that has joined every group answers, normal hosts ignore it

Demonstration :
Sniffing with Wireshark, I see you...

Counter-measures

Counter-measure : Windows Firewall
Efficient against : RA flooding
Security property guaranteed : Availability of CPU

Counter-measures : IPSec (with Authentication, integrated in the standard), SEND, Secure Client Configuration
Efficient against : Vuln in MLD Protocol, Kick the default router
Security properties guaranteed : Availability of network traffic, Confidentiality, Integrity, Authenticity, Privacy

Limitations :
● IPSec difficulties with NAT
● The last two tools are supported almost nowhere
● Secure Client Configuration not complete about what you can or can't disable on the network

Conclusion

Cool stuff with IPv6 :
Stateless autoconfiguration
Routing simplified: no header checksum to verify, which limits packet transit time in routers
Jumbograms: IPv4 packets are limited to 64 KB, IPv6 packets can be up to 4 GB
Mobile phone recognition on the local network
Future 4G services only available over IPv6
IPv6 day: June 8th 2011

Further information :
Automatic (6to4, Teredo) and configured tunnels
Header translation
Application-Level Gateway

But still some vulnerabilities
THC-ipv6: the first and still only toolkit for security testing IPv6 networks

Questions?

Sources

[01] : Recent Advances in IPv6 Insecurities, Marc ”van hauser” Heuse, 2010 : http://events.ccc.de/congress/2010/Fahrplan/attachments/1808_vh_thc-recent_advances_in_ipv6_insecurities.pdf
[02] : Recent Advances in IPv6 Insecurities, Marc ”van hauser” Heuse, 27th Chaos Communication Congress, December 2010 : http://www.youtube.com/watch?v=c7hq2q4jQYw
[03] : Marc "van Hauser" Heuse's official website : http://www.mh-sec.de/
[04] : ”Marc "van Hauser" Heuse” : http://www.govcert.nl/english/symposium/Symposium+2011/Speakers/marc-heuse-2011.html
[05] : THC official website, IPv6 page : http://www.thc.org/thc-ipv6/
[06] : Network layer-3 : https://intranet.ensimag.fr/KIOSK/Ensimag/2A/opt/Reseaux/pdf/R2A-5-Network_layer-3.pdf
[07] : RFC 2710 - Multicast Listener Discovery for IPv6 : http://tools.ietf.org/html/rfc2710
[08] : RFC 4861 - Neighbor Discovery for IPv6 : http://tools.ietf.org/html/rfc4861
[09] : Attacking the IPv6 Protocol Suite, Van Hauser, 2008 : http://www.ipv6security.nl/documents/vh_thc-ipv6_attack.pdf
[10] : MSDN Library : Multicast Listener Discovery : http://msdn.microsoft.com/en-us/library/ms882958.aspx

Marc ”van hauser” Heuse

Hobbies [01] :
backpacking in remote countries
vegetarian cooking with friends
ballroom dancing
NLP and LARP

Two programs in the top 20 best security tools in the world [02]

Works and worked with the best :
Symantec, Vodafone, European Central Bank

Student Question 1

Is there an equivalent for ARP spoofing in IPv6 ?

ARP spoofing <=> ND spoofing

Neighbor Discovery Protocol (ND) : 1. NS, 2. NA
Neighbor Solicitation (NS) : A asks on the all-nodes multicast what B's MAC address is
Neighbor Advertisement (NA) : B answers with its MAC address

● Attacker claims to be every system on the LAN
● Availability : DoS, A cannot find B

Student Question 2

Just « plug in and go » seems to be cool, are there possibilities to prevent the connection of a new node?

Duplicate Address Detection DoS

Duplicate Address Detection protocol : 1. NS, 2. NA
1. Neighbor Solicitation (NS) : A asks on the all-nodes multicast whether its IP address is available
2. If no answer, A can take the address

● Attacker claims to be every system on the LAN
● Availability : DoS on the connection
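
Added example (not from the slides or from the THC-IPv6 toolkit), covering both the ND spoofing answer and the DAD DoS answer above: a monitor that parses NS/NA messages (RFC 4861 [08]) and flags one link-layer address advertising more IPv6 addresses than a host should own (the "attacker claims to be every system" symptom), and a Neighbor Advertisement that answers a DAD probe (an NS sent from ::) within a short window, which is how a booting node gets locked out. The MAC addresses, IPv6 addresses, thresholds and packets are constructed; the checksum is left at 0 because it needs the IPv6 pseudo-header.

```python
import ipaddress
import struct
from collections import defaultdict

ND_NS, ND_NA = 135, 136                  # Neighbor Solicitation / Advertisement, RFC 4861
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2    # link-layer address options

def parse_nd(icmp):
    """Parse NS/NA: type(1) code(1) checksum(2) flags/reserved(4) target(16) options."""
    typ, _code, _csum, flags = struct.unpack("!BBHI", icmp[:8])
    if typ not in (ND_NS, ND_NA):
        raise ValueError("not an NS/NA")
    lladdr, pos = None, 24
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0 or pos + olen * 8 > len(icmp):
            raise ValueError("malformed option")
        if otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR) and olen == 1:
            lladdr = icmp[pos + 2:pos + 8].hex(":")
        pos += olen * 8
    return {"type": typ, "override": bool(flags & 0x20000000), "target": ipaddress.IPv6Address(icmp[8:24]), "lladdr": lladdr}

def build_nd(typ, target, mac=None):
    """Constructed NS/NA; an NA gets the Override flag, mac adds the link-layer option. Checksum left 0."""
    msg = struct.pack("!BBHI", typ, 0, 0, 0x20000000 if typ == ND_NA else 0) + ipaddress.IPv6Address(target).packed
    if mac:
        msg += bytes([OPT_TGT_LLADDR if typ == ND_NA else OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return msg

class NdMonitor:
    def __init__(self, max_targets_per_mac=3, dad_window=2.0):   # thresholds: assumptions for a small LAN
        self.max_targets = max_targets_per_mac
        self.dad_window = dad_window
        self.claims = defaultdict(set)    # MAC -> IPv6 addresses it has advertised
        self.dad_probe = {}               # tentative address -> time of the DAD NS
    def observe(self, ts, src, icmp):
        msg, alerts = parse_nd(icmp), []
        if msg["type"] == ND_NS:
            if src == "::":               # DAD probe: the booting node has no address yet
                self.dad_probe[msg["target"]] = ts
            return alerts
        mac, tgt = msg["lladdr"], msg["target"]
        if mac:
            self.claims[mac].add(tgt)
            if len(self.claims[mac]) > self.max_targets:   # one MAC "is" every system
                alerts.append(f"{mac} advertises {len(self.claims[mac])} addresses: ND spoofing?")
        t = self.dad_probe.get(tgt)
        if t is not None and ts - t <= self.dad_window:    # the probe was answered: DAD fails
            alerts.append(f"NA from {mac} answers DAD probe for {tgt}: DAD DoS?")
        return alerts
```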

Student Question 3

You said that there are no broadcasts in IPv6, how can we perform a remote alive scan ?

Identify remote systems

Find network addresses :
In databases
Search engines
Use DNS

Find alive systems :
DHCP attributes addresses sequentially
By hand : always find the same patterns

Marc Heuse's example : around 20 seconds to find 90-95% of servers