The National Ribat University Faculty of Graduate Studies and Scientific Research Master Thesis in Study of Denial of Service and ARP Spoofing Attacks In IPv6 Networks Provided by : Ayman Mohamed Abelgadir Supervisor : Dr. Mohamed Awad Elshaikh


  • The National Ribat University

    Faculty of Graduate Studies and

    Scientific Research

    Master Thesis in

    Study of Denial of Service and

    ARP Spoofing Attacks In IPv6

    Networks

    Provided by : Ayman Mohamed Abelgadir

    Supervisor : Dr. Mohamed Awad Elshaikh

  • I

    Dedication

    I would like to dedicate my work to my father, a great teacher who

    instilled the spirit of research, perseverance and study in me,

    and to my mother, who always asks God to grant me success,

    and to my dear wife for her continuous support, and also to my

    brothers, my daughters, and my children.

  • II

    ACKNOWLEDGMENTS

    First of all, I wish to offer my sincere gratitude to Dr.

    Mohammed Awad Elshaikh, my thesis supervisor, for his

    guidance, advice, encouragement and suggestions during my

    study. He has led me to the world of IPv6. His knowledge and

    hard work stimulated my interest to do research in the area of IPv6.

    I would like to thank Eng. Ahmed Ali for his continuous

    support and Eng. Mohamed Mahgoub from Nile Center For

    Technology and Research for his strong help.

    Finally, I wish to thank my wife for her continuing love,

    understanding, and encouragement.

  • III

    ABSTRACT

    In the light of today's and future advancing technologies, demand for the IPv6 internet protocol is becoming crucial because of its uses and benefits.

    This thesis describes the IPv6 packet structure and headers and addresses the details of the Internet Control Message Protocol Version 6 (ICMPv6) and its various message types.

    The thesis describes how these messages are built and used to carry out IPv6-based cyber-attacks, Denial of Service (DOS) and ARP poisoning, on IPv6 networks, and how these messages were tracked through ICMPv6 with open source packet analyzer tools that capture packet frames and analyze them to reach the results, which confirmed the existence of attacks on

  • IV

    IPv6, and that the traces of the simulated attacks extend from the link layer to the application layer.

    Abstract (Arabic)

    In light of the currently growing development of technology, now and in the future, IPv6 is considered the most important version because of its uses and the demand for it.

    This research gives a general overview of the components of IPv6 and goes into detail on the ICMPv6 protocol, the messages used in it and their types.

    It also shows how these messages can be used in attacks of the DOS & ARP type to reach networks that use IPv6; these messages were followed by monitoring and recording ICMPv6 traffic with some open source tools, and the results obtained in this research were analyzed and compared after the experiments were carried out, which confirmed the existence of attacks of the

  • V

    DOS & ARP type that start at the second level (Link layer) and whose effects reach the application level (Application layer) in the IPv6 network environment.

    Contents

    1.1 Introduction…………………………………………………….….1

    1.2 Problem Statement…………………………………….…………..3

    1.3 Research Objective………………………………….…………….3

    1.4 Research Methodology…………………………………………...3

    1.5 Research Scope………………….………………….……………..4

    1.6 Research Question…………………………………………….…..4

    1.7 Thesis Structure…………………………………………………...4

    2. Previous work and literature review………………………………..5

    2.1 Brief Overview of IPv6.…………………………………………..5

    2.2 IPv6 Security…….………………………………………………..6

    2.3 IPv6 Security Impact……………………………………………...6

    2.4 IPv6 Packet Security…….………………………………………..7

  • VI

    2.5 Packet Headers……………………………………………………7

    2.6 Extension Headers………………………………………………..8

    2.7 Internet Control Message Protocol Version 6 (ICMP6)…………. 9

    2.7.1 Information Messages………………………………………….10

    2.7.2 Error Messages…...…………………………………………...10

    2.8. Neighbor Discovery…………………………………………….12

    2.8.1 The Router Solicitation message………………………………12

    2.8.2 The Router Advertisement message…………………………...12

    2.8.3 The Neighbor Solicitation message…………………………….12

    2.8.4 The Neighbor Advertisement message…………………………12

    2.8.5 The Neighbor Redirect Message……...………………………..13

    2.9. Previous work and literature review…………………………….14

    2.9.1 Study of IPv6 Security vulnerabilities ………………………...14

    2.9.2 DOS attack in IPv6 networks and counter measurement….......15

    2.9.3 Vulnerabilities and Threats in IPv6 Environment.... ……….…17

    2.9.4 Mitigation IPv6 Vulnerabilities……………….…………….…18

    3. Result & Analysis…………………………………………………23

    3.1. Tools…………………………………………………………….23

    3.1.1 Virtual Box Application version 4.3.12………………………..23

    3.1.2 Wireshark………………………………………………………24

    3.1.3 The Hacker Choice……...…………………………………….25

    3.1.4 Snort...………………………………………………………….26

    3.1.5 Network design and equipment………………………………..26

    3.1.5.1 Dell Laptop…………………………………………………..26

    3.1.5.2 Ubuntu.........…………………………………………………27

    3.1.5.3 Kali……..……………………………………………………27

    3.1.5.4 Network Topology…………………………………………...27

    3.2 Experiments………………………………………………………29

  • VII

    3.2.1 The ARP poisoning Attack…………………………………….29

    3.2.1.1 Normal operation of the IPv6 network………………………29

    3.2.1.2 First ARP poisoning Attack………………………………….35

    3.2.1.3 Second ARP poisoning Attack……...……………………...45

    3.2.1.4 Third ARP poisoning Attack…...…………………………..53

    3.2.2 The Denial of Service Attack…...……………………………..59

    3.2.2.1 First Denial Of Service( DOS) Attack……………………….59

    3.2.2.2 Second Denial Of Service( DOS) Attack…...………………64

    3.2.2.3 Third Denial Of Service( DOS) Attack...…………………...69

    3.2.2.4 Mitigation The (DOS) attack by Snort IPS……..…………....75

    4 Conclusion & Recommendation for future work .............................77

    4.1 Result …….…….…………………………………………….....77

    4.2 Recommendation…….………………………………………….78

    Bibliography..….………………….…………………………...……79

    LIST OF FIGURES

    Figure 2.1 IPv6 Packet Headers………………………………………...7

    Figure 2.2 IPv6 Extension Headers ....................................................... 8

    Figure 2.3 Sequence of Extension Headers ............................................ 9

    Figure 2.4 Extension Headers Arrangements ......................................... 9

    Figure 3.1 Network Diagram ............................................................. 27

    Figure 3.2 Monitor Of Packets in Normal Operation ............................ 30

    Figure 3.3 Accessing website in normal operation ............................... 31

    Figure 3.4 Activity diagram for normal operation ................................ 34

    Figure 3.5 Packets before first ARP attack .......................................... 36

    Figure 3.6 Pinging reply by server .................................................... 36

    Figure 3.7 Solicitation and advertisement message before firstARP…....37

    Figure 3.8 Monitor of packets in firstARP ........................................... 38

    Figure 3.9 Explain how attacker work ................................................. 39

    Figure 3.10 Pinging in first ARP attack ............................................... 39

  • VIII

    Figure 3.11Packet for accessing website before first ARP .................... 40

    Figure 3.12 Accessing website before first ARP .................................... 40

    Figure 3.13 In first ARP attacker replies instead of server ..................... 41

    Figure 3.14 In first ARP web service unavailable................................. 41

    Figure 3.15 Attacker machine spoofed to client in first ARP ................. 42

    Figure 3.16 Router solicitation message in second ARP ....................... 46

    Figure 3.17 Pinging after second ARP ................................................ 46

    Figure 3.18 Continue advertisement message in second ARP .............. 47

    Figure 3.19 The attacker success in second ARP ................................. 48

    Figure 3.20 Web services stopped in second ARP ................................ 48

    Figure 3.21 Man-in-the Middle in second ARP .................................... 49

    Figure 3.22 Attacker machine spoofed in second ARP ......................... 49

    Figure 3.23 Advertisement and solicitation in third ARP ...................... 54

    Figure 3.24 Received packets in third ARP ........................................... 55

    Figure 3.25 Attacker spoofed in third ARP .......................................... 55

    Figure 3.26 Activity diagram for ARP spoofed ........................................ 58

    Figure 3.27 Attacker advertisement in first DOS .................................. 60

    Figure 3.28 Solicitation message in first DOS ..................................... 61

    Figure 3.29 Packets before second DOS .............................................. 65

    Figure 3.30 Second DOS webserver not respond ................................. 66

    Figure 3.31 Pinging to webserver in third DOS.................................... 70

    Figure 3.32 Normal operation before third DOS .................................. 70

    Figure 3.33 Continue advertisement in third DOS .................................. 71

    Figure 3.34 Activity diagram for DOS attack ......................................... 74

    Figure 3.35 Snort IPS blocking DOS attack ............................................ 76

    Figure 3.36 Activity diagram for mitigate DOS attack ............................ 76

  • IX

    LIST OF TABLE

    Table (2.1) Error Message Code.................................................10

    Table (2.2) Time Exceeded Code….…………………………..11

    Table ( 2.3) ICMPv6 error message ..……………………….…11

    Table (2.4) IPv4 ARP and IPv6 Neighbors Discovery....………13

    Table (3.1) IPv6 and link layer addresses………………………28

  • X

    List of Abbreviations

    The following is a table of the abbreviations, symbols and notations

    used within this thesis.

    Abbreviation Definition

    ACK Acknowledge

    AH Authentication Header

    ARP Address Resolution Protocol

    Attacker Machine Linux Kali system

    Capture Monitor Computer running wireshark application

    to capture data in the network

  • XI

    Client Computer in the network used to access

    the server

    CPU Central Processing Unit

    DAD Duplicate Address Detection

    DHCP Dynamic Host Configuration Protocol

    DNS Domain Name System

    DOS Denial of Service

    Dst Destination of Packets going

    ESP Encrypted Security Payload

    GUI Graphical User Interface

    HTTP Hyper Text Transfer Protocol

    ICMP Internet Control Message Protocol

    ICMPv4 Internet Control Message Protocol

    version4

    ICMPv6 Internet Control Message Protocol

    version6

    IGMP Internet Group Management Protocol

    IP Internet Protocol

    IPv4 Internet Protocol version 4

    IPv6 Internet Protocol version 6

    MITM Man - In- The-Middle

    MTU Maximum Transmission Unit

    NIC Network Interface Card

    NIDS Network Intrusion Detection System

    NIPS Network Intrusion Prevention System

    Ping Packet Internet Groper

    RFC Request For Comment

    Src Source of sending Packets

  • XII

    SYN Synchronize

    TCP Transfer Control Protocol

    THC The Hacker Choice

    Webserver Linux server hosted test web site and web

    services

  • 1

    CHAPTER ONE

    1.1. Introduction

    IP is short for Internet Protocol. An IP address is the number assigned to a computer's network interface. Although names such as www.example.org are used to refer to the things sought on the Internet, computers translate these names into numerical addresses so they can send data to the right location. So when sending an email or visiting a web site, the computer sends data packets to the IP address of the other end of the connection and receives packets destined for its own IP address[1].

    There are two types of IP address. The older one, Internet Protocol version 4 (IPv4), is the fourth version in the development of the Internet Protocol and the first version of the protocol to be widely deployed; it supports three different addressing modes[2].

    The second one is Internet Protocol version 6 (IPv6), which is intended to replace IPv4 in the worldwide Internet, mainly because of IPv4 address exhaustion. IPv6 greatly enlarges the address space from 32 bits to 128 bits. This means the future expansion of the Internet now depends on the successful global deployment of the next generation of the Internet protocol[3].

    IPv4 addressing was created in a way that leaves security to the end nodes (its end-to-end model), which is why IPv4-based networks suffer from security problems. Today the original Internet remains completely transparent, and no security framework provides resilience against general threats and attacks; for example, in a Denial of Service attack certain services are flooded with a large number of illegitimate

  • 2

    requests that render the target system unreachable by legitimate users. One Denial of Service attack that results from an architectural vulnerability of IPv4 is broadcast flooding. The small address space of IPv4 can also facilitate malicious code distribution and port scanning or other reconnaissance attacks. In an IPv4 network, the Address Resolution Protocol (ARP) is responsible for mapping a host's IP address to its physical (MAC) address. If forged ARP responses with incorrect mapping information are broadcast, packets can be forced to the wrong destination, and ARP poisoning occurs. However, many techniques have been developed to overcome some of the IPv4 security limitations, such as Network Address Translation and Network Address Port Translation; IPsec has also facilitated the use of encrypted communication[4].

    IPv6 security is similar to IPv4 security: the mechanisms for transporting packets across the network are almost the same, and the layer that is mostly unaffected is the upper layer, which is responsible for transporting application data. However, because IPv6 mandates IPsec, it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an ideal environment with well-coded applications, a robust identity infrastructure and efficient key management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec deployment, and in practice IPv6 is not protected by any kind of cryptography. Additionally, most security breaches occur at the application level.

    The IPv6 security features are introduced mainly by way of two dedicated extension headers, the Authentication Header (AH) and the Encrypted Security Payload (ESP), with complementary capabilities.

  • 3

    The two headers can be used together to provide all the security features simultaneously. IPv6 also supports other new features, including an increased address space, auto-configuration, QoS capabilities and network-layer security. All of these IPv6 features can be used to prevent various network attack methods, including IP spoofing, some Denial of Service attacks (those where IP spoofing is employed), data modification and sniffing activity[4].

    1.2. Problem Statement

    Given the rapid migration from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6), is it possible to say that attacks inherited from IPv4, such as ARP spoofing and Denial of Service, can still happen in solely IPv6 networks? These two types of attack were chosen because they are abundant, prevalent and easy to carry out in IPv4 networks.

    1.3. The Main Objective

    1. Observe the effect of ARP poisoning and Denial of Service attacks in IPv6 networks.

    2. Show that these two types of attack can happen in IPv6 networks.

    3. Mitigate the Denial of Service attack by using the Snort software.

    1.4. Methodology

    Exercise the link layer of the IPv6 protocol against ARP spoofing and Denial of Service attacks through different experimental scenarios, with the traffic captured and logged.

  • 4

    1.5. Research Scope

    This thesis is limited to the results of carrying out ARP spoofing and Denial of Service attacks in a virtual environment of computers and servers that use IPv6.

    1.6. Research Questions

    Can such attacks still happen in IPv6 networks today?

    Can the same types of attack that affect IPv4 networks be considered threats to IPv6 networks?

    How can the security issue due to Denial of Service in IPv6 networks be mitigated?

    1.7. Thesis Structure

    In this thesis the researcher has concentrated on the effect of Denial of Service and ARP poisoning attacks on IPv6 networks.

    Chapter two deals with the technical background of IPv6 under the headings: IPv6 features, security and security impact, packet security, packet headers, extension headers, Internet Control Message Protocol version 6 and Neighbor Discovery. Chapter two also includes the previous work and literature review covering the study of IPv6 security vulnerabilities, Denial of Service attacks in IPv6 networks and their countermeasures, vulnerabilities and threats in the IPv6 environment, and mitigating IPv6 vulnerabilities.

    Chapter three presents the network topology, the tools and the results with detailed analysis.

    Chapter four gives the conclusion and recommendations for future work.

  • 5

    CHAPTER TWO

    2. Previous Work and Literature Review

    The new version of the internet protocol, IP version 6, has new technical features and specifications.

    2.1. Brief Overview Of IPv6

    IPv6 (Internet Protocol Version 6) is also called IPng (Internet Protocol next generation) and is the newest version of the internet protocol. IPv6 is the replacement for internet protocol version 4. It was designed as an evolutionary upgrade to the internet protocol and will, in fact, coexist with the older IPv4 for some time. IPv6 is designed to allow the Internet to grow steadily, both in the number of hosts connected and in the total amount of data traffic transmitted. While the larger pool of addresses is the most often talked about benefit of IPv6, there are other important technological changes in IPv6 that will improve the IP protocol:[5]

    - No more NAT (Network Address Translation)

    - Auto-configuration

    - No more private address collisions

    - Better multicast routing

    - Simpler header format

    - Simplified, more efficient routing

    - True quality of service (QoS), also called "flow labeling"

    - Built-in authentication and privacy support

    - Flexible options and extensions

    - Easier administration (no DHCP)

  • 6

    2.2. IPv6 Security

    IPv6 security is in many ways the same as IPv4 security. The basic mechanisms for transporting packets across the network stay mostly unchanged, and the upper-layer protocols that transport the actual application data are mostly unaffected. However, because IPv6 mandates the inclusion of IP Security (IPsec), it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an ideal environment with well-coded applications, a robust identity infrastructure and efficient key management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec deployment. Therefore, IPv6 is usually deployed without cryptographic protections of any kind. Additionally, because most security breaches occur at the application level, even the successful deployment of IPsec with IPv6 does not guarantee any additional security against those attacks beyond the valuable ability to determine the source of the attack[6].

    2.3. IPv6 Security Impact

    Many security issues in IPv6 remain the same as in IPv4, but IPv6 also has new features that affect system and network security, as well as potentially impacting policies and procedures. IPv6 and IPv4 usually operate completely independently over the same Layer 2 infrastructure, so additional and separate IPv6 security mechanisms must be implemented. Many areas will need overhauling, such as firewalls, monitoring and security appliances. It is important to keep in mind that IPv6 is operationally young and may have issues not yet encountered, or even imagined[7].

  • 7

    2.4. IPv6 Packet Security

    Unlike IPv4, IPsec security is mandated in the IPv6 protocol specification, allowing IPv6 packet authentication and/or payload encryption via the Extension Headers. However, IPsec is not automatically implemented; it must be configured and used with a security key exchange.

    2.5. Packet Headers

    An Internet Protocol version 6 (IPv6) data packet comprises two main parts: the header and the payload. The first 40 bytes/octets (40x8 = 320 bits) of an IPv6 packet make up the header (see Figure 2.1), which contains the following fields:

    (Figure 2.1): IPv6 Packet Headers

    The wonder of IPv6 lies in its header. An IPv6 address is 4 times larger than an IPv4 address, but surprisingly, the header of an IPv6 packet is only 2 times larger than that of IPv4. IPv6 headers consist of one Fixed Header and zero or more Optional (Extension) Headers. All the information that is essential for a router is kept in the Fixed Header. The Extension Headers contain optional information that helps routers understand how to handle a packet/flow.

  • 8

    Source address (128 bits): The 128-bit source address field contains the IPv6 address of the originating node of the packet, i.e. the address of the originator of the IPv6 packet.

    Destination address (128 bits): The 128-bit destination address field contains the address of the recipient node, i.e. the intended recipient of the IPv6 packet.

    2.6. Extension Headers

    In IPv6, the Fixed Header contains only the information that is necessary, leaving out information that is either not required or rarely used. All such information is put between the Fixed Header and the upper-layer header in the form of Extension Headers. Each Extension Header is identified by a distinct value. When extension headers are used, the IPv6 fixed header's Next Header field points to the first extension header. If there is one more extension header, the first extension header's Next Header field points to the second one, and so on. The last Extension Header's Next Header field points to the upper-layer header. Thus all the headers point to the next one, in the manner of a linked list. If the Next Header field contains the value 59, it indicates that there are no headers after this header, not even an upper-layer header. The extension headers that must be supported as per RFC 2460 are shown in (Figure 2.2).

    (Figure 2.2): IPv6 Extension Headers

  • 9

    The sequence of extension headers should be as shown below.

    (Figure 2.3): Sequence of Extension Headers

    These headers should be processed by the first and subsequent destinations, and also by the final destination. Extension headers are arranged one after another in the manner of a linked list, as depicted in the following diagram in (Figure 2.4) [8].

    (Figure 2.4): Extension Headers Arrangements
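    As an added example (not code from the thesis), the following Python parser walks the Next Header chain described above: it decodes the 40-byte fixed header, follows Hop-by-Hop, Routing, Fragment, AH and Destination Options headers using each one's own length encoding, stops at value 59 (no next header) or at the upper-layer protocol, and bounds the number of headers so that a crafted packet cannot make the parser loop. The sample packet, its addresses and the PadN options are constructed for this example; the ICMPv6 checksum is left as zero.

```python
import struct

# Next Header values for the IPv6 extension headers listed in RFC 2460 (IANA protocol numbers)
HOP_BY_HOP = 0
ROUTING = 43
FRAGMENT = 44
ESP = 50
AH = 51
ICMPV6 = 58
NO_NEXT_HEADER = 59
DEST_OPTIONS = 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTIONS}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header into its fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 fixed header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
    }


def walk_extension_chain(pkt: bytes, max_headers: int = 8):
    """Follow the Next Header linked list from the fixed header.

    Returns (extension header numbers in order, the final Next Header value,
    byte offset where that upper-layer header starts). The bound on the number
    of headers keeps a crafted packet from making the parser spin.
    """
    header = parse_fixed_header(pkt)
    if header["version"] != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = header["next_header"], 40, []
    while next_hdr in EXTENSION_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("too many extension headers")
        if next_hdr == ESP:
            # ESP's own Next Header sits inside the (encrypted) trailer,
            # so the chain cannot be followed further without the key.
            chain.append(next_hdr)
            return chain, ESP, offset
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        following = pkt[offset]                  # every walkable extension header starts with Next Header
        if next_hdr == FRAGMENT:
            length = 8                           # Fragment header is a fixed 8 bytes
        elif next_hdr == AH:
            length = (pkt[offset + 1] + 2) * 4   # AH Payload Len: 4-byte units, minus 2
        else:
            length = (pkt[offset + 1] + 1) * 8   # Hdr Ext Len: 8-byte units, not counting the first 8
        if offset + length > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        offset += length
        next_hdr = following
    return chain, next_hdr, offset


def build_sample_packet() -> bytes:
    """Constructed sample: fixed header -> Hop-by-Hop -> Destination Options -> ICMPv6 echo request."""
    src = bytes.fromhex("fe80000000000000" "0000000000000001")   # constructed link-local source
    dst = bytes.fromhex("ff02000000000000" "0000000000000001")   # all-nodes multicast
    padn = b"\x01\x04\x00\x00\x00\x00"                           # PadN option filling the 8-byte header
    hop_by_hop = bytes([DEST_OPTIONS, 0]) + padn                  # Next Header = 60, Hdr Ext Len = 0
    dest_opts = bytes([ICMPV6, 0]) + padn                         # Next Header = 58, Hdr Ext Len = 0
    echo_request = bytes([128, 0, 0, 0, 0, 1, 0, 1])              # type 128, code 0, checksum zeroed, id 1, seq 1
    payload = hop_by_hop + dest_opts + echo_request
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    sample = build_sample_packet()
    chain, upper, offset = walk_extension_chain(sample)
    print("extension chain:", chain, "upper-layer protocol:", upper, "at offset", offset)
    # prints: extension chain: [0, 60] upper-layer protocol: 58 at offset 56
```

    The truncation checks matter because a firewall or IDS that trusts the Hdr Ext Len field without comparing it to the captured length can be made to read past the packet, and a parser without a header-count bound can be tied up by a long chain of Destination Options headers.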

    2.7. Internet Control Message Protocol Version 6 (ICMP6)

    The Internet Control Message Protocol Version 6 (ICMPv6) is the successor of ICMPv4 and is mandatory for an IPv6 network to operate at all. ICMPv6 is used by IPv6 nodes to report errors encountered in processing packets and to perform other internet-layer functions, such as diagnostics (ICMPv6 "ping"). ICMPv6 is an integral part of IPv6, and the base protocol (all the messages and behavior required by this specification) MUST be fully implemented by every IPv6 node. Therefore, it replaces not only ICMPv4 but also other network-related protocols such as the Address Resolution Protocol (ARP) for the resolving of link-layer addresses or the Internet Group

  • 11

    Management Protocol (IGMP), which is used for the establishment of multicast group memberships[9].

    2.7.1 Information Messages

    There are two types of information message:

    The echo request or solicitation messages contain an identifier and a sequence number, and are type 128.

    The reply or advertisement messages also contain an identifier and a sequence number, and are type 129.

    2.7.2 Error Messages

    There are four types of ICMPv6 error message: [9]

    The Destination Unreachable message is sent if an IP packet cannot be delivered. It uses the Code field of the ICMPv6 header to further specify the reason, such as "No route to destination" or "Address unreachable", and is sent to the source address of the invoking packet. The possible codes are listed below in table (2.1).

    Table (2.1) : Error Message Code

    Code 0 No route to destination

    Code 1 Communication administratively prohibited

    Code 3 Address unreachable

    Code 4 Port unreachable

    The second ICMPv6 error message is Packet Too Big. It is sent back to the source if a router cannot deliver the IP packet because the maximum transmission unit (MTU) of the forwarding link is smaller. The Packet Too Big message therefore stores the MTU

  • 11

    of the next-hop link to inform the originating node to fragment its future packets to this size. This feature is used by "Path MTU Discovery" (RFC 1981), which identifies the smallest MTU along the path from the source to the destination node by simply sending packets to the destination node until a direct reply, instead of a Packet Too Big error message, comes back.

    The third error message is Time Exceeded. It is sent back to the originating node if the Hop Limit value in the IPv6 header reaches its limit of 0. This could indicate either a routing loop or a Hop Limit value that was set too low by the source node. This error message is well known for its use by the traceroute utility, which discovers the path that a packet takes on its way to the destination network.

    Table (2.2) :Time Exceeded Code

    Code 0 Hop limit exceeded

    Code 1 Fragment reassembly time exceeded

    The fourth ICMPv6 error message is Parameter Problem. It is sent if an IPv6 node cannot process an IPv6 packet due to an error in its header or in any of the extension headers. All ICMPv6 error messages contain the original IPv6 header and as much data from the original IPv6 packet as possible, up to the maximum ICMPv6 message size. This information reveals which connection they belong to and is used by stateful firewalls for their security decisions.

    Table ( 2.3) :ICMPv6 error message

    Code 0 Erroneous header field

    Code 1 Unrecognized next Header type

    Code 2 Unrecognized IPv6 option

  • 12

    2.8. Neighbor Discovery

    Neighbor Discovery is a family of different functions related to other IPv6 nodes on the same link, such as finding routers and other nodes, maintaining reachability information about active neighbors (Neighbor Unreachability Detection, NUD) or configuring a node's own unique IPv6 addresses via autoconfiguration (Duplicate Address Detection, DAD). The five ICMPv6 messages that correspond to Neighbor Discovery are specified below: [10]

    2.8.1 The Router Solicitation message

    This is ICMPv6 informational message type 133 and is sent by a node in order to discover any routers on the link. It is therefore sent to the all-routers multicast address ff02::2. As an option, this message carries the link-layer address of the requesting node, which has the advantage that the responding router directly knows to which node the answering packet should be sent. If a router is present on the link, it answers immediately with a Router Advertisement[11].

    2.8.2 The Router Advertisement message

    This is ICMPv6 informational message type 134. It contains one or more prefixes, each prefix has a lifetime, and it is used for stateless or stateful autoconfiguration.

    2.8.3 The Neighbor Solicitation message

    This is ICMPv6 informational message type 135 and is used by a node to obtain the link-layer address of a neighbor.

    2.8.4 The Neighbor Advertisement message

    This is ICMPv6 informational message type 136, and it is the response to a Neighbor Solicitation.

  • 13

    2.8.5 The Neighbor Redirect Message

    This is ICMPv6 informational message type 136. It is sent from a router to a node in order to indicate a more appropriate first-hop node along the path to the destination network. This can be either another router on the same link or a directly connected neighbor node that the originating node did not expect to be on the same link because of the other IPv6 prefixes in use. A Redirect message contains two addresses, namely the Target Address, which is the best next hop, and the Destination Address, which is the address of the destination of the original IPv6 packet. Table (2.4) below compares IPv6 Neighbor Discovery with IPv4 ARP.

    Table (2.4) : IPv4 ARP and IPv6 Neighbors Discovery
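    Sections 2.7 and 2.8 describe the ICMPv6 type/code values and the Neighbor Discovery messages that take over ARP's role, and the ARP-poisoning experiments later in the thesis rely on exactly these messages. As an added example that is not part of the thesis, the Python below decodes ICMPv6 messages using the type and code tables above, parses the Target/Source Link-Layer Address options of Neighbor and Router Advertisements, and runs a small passive monitor that flags a target address being advertised with a second link-layer address (the IPv6 counterpart of an ARP cache change) and Router Advertisements from routers that are not on an allow-list. The addresses, MACs and messages are constructed for the example, checksums are zeroed, and the Redirect type value 137 is taken from RFC 4861 rather than from the text.

```python
import ipaddress
import struct

# ICMPv6 message types, with the codes from tables 2.1 to 2.3 of the thesis.
# Redirect is type 137 per RFC 4861 (the thesis text lists it as 136).
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect",
}
ERROR_CODES = {
    1: {0: "No route to destination", 1: "Communication administratively prohibited",
        3: "Address unreachable", 4: "Port unreachable"},
    3: {0: "Hop limit exceeded", 1: "Fragment reassembly time exceeded"},
    4: {0: "Erroneous header field", 1: "Unrecognized Next Header type",
        2: "Unrecognized IPv6 option"},
}
OPT_SOURCE_LLA, OPT_TARGET_LLA = 1, 2   # Neighbor Discovery option types (RFC 4861)


def parse_nd_options(data: bytes) -> dict:
    """Parse Neighbor Discovery TLV options; Length is in 8-byte units and must not be 0."""
    options, offset = {}, 0
    while offset + 2 <= len(data):
        otype, olen = data[offset], data[offset + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard such packets
        end = offset + olen * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        options[otype] = data[offset + 2:end]
        offset = end
    return options


def decode_icmpv6(msg: bytes) -> dict:
    """Name the type/code of an ICMPv6 message and extract the ND fields a monitor needs."""
    if len(msg) < 4:
        raise ValueError("truncated ICMPv6 message")
    mtype, code = msg[0], msg[1]
    info = {"type": mtype, "name": ICMPV6_TYPES.get(mtype, "Unknown"),
            "code": code, "code_name": ERROR_CODES.get(mtype, {}).get(code)}
    body = msg[4:]   # everything after type, code and checksum
    if mtype == 136:   # NA: 4 bytes of flags, 16-byte target address, then options
        info["target"] = str(ipaddress.IPv6Address(body[4:20]))
        lla = parse_nd_options(body[20:]).get(OPT_TARGET_LLA)
        info["target_lla"] = lla[:6].hex(":") if lla else None
    elif mtype == 134:   # RA: hop limit, flags, router lifetime, reachable, retrans, then options
        info["router_lifetime"] = struct.unpack("!H", body[2:4])[0]
        lla = parse_nd_options(body[12:]).get(OPT_SOURCE_LLA)
        info["source_lla"] = lla[:6].hex(":") if lla else None
    return info


class NdMonitor:
    """Passive ND watcher: the first NA binding seen for a target is kept, later NAs
    that claim another link-layer address are flagged, as are RAs from unlisted routers."""

    def __init__(self, known_routers):
        self.known_routers = set(known_routers)   # IPv6 source addresses of legitimate routers
        self.neighbor_cache = {}                  # target address -> link-layer address first seen
        self.alerts = []

    def observe(self, src_ip: str, msg: bytes) -> dict:
        info = decode_icmpv6(msg)
        if info["type"] == 136 and info.get("target_lla"):
            learned = self.neighbor_cache.setdefault(info["target"], info["target_lla"])
            if learned != info["target_lla"]:
                self.alerts.append(f"NA conflict: {info['target']} is {learned} but {src_ip} "
                                   f"advertised {info['target_lla']}")
        elif info["type"] == 134 and src_ip not in self.known_routers:
            self.alerts.append(f"RA from unexpected router {src_ip} "
                               f"(lifetime {info['router_lifetime']})")
        return info


def build_na(target: str, lla: bytes) -> bytes:
    """Constructed Neighbor Advertisement with the Override flag set and a zeroed checksum."""
    return (bytes([136, 0, 0, 0]) + struct.pack("!I", 0x20000000)
            + ipaddress.IPv6Address(target).packed + bytes([OPT_TARGET_LLA, 1]) + lla)


def build_ra(router_lifetime: int, lla: bytes) -> bytes:
    """Constructed Router Advertisement (hop limit 64, no flags) with a zeroed checksum."""
    return (bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", router_lifetime, 0, 0)
            + bytes([OPT_SOURCE_LLA, 1]) + lla)


def run_demo() -> list:
    """Replay four constructed messages through the monitor and return its alerts."""
    server, router = "fe80::1", "fe80::ff"               # constructed addresses
    server_mac = bytes.fromhex("0200000000aa")
    other_mac = bytes.fromhex("0200000000bb")
    monitor = NdMonitor(known_routers={router})
    monitor.observe(server, build_na(server, server_mac))             # legitimate binding learned
    monitor.observe(server, build_na(server, other_mac))              # same target, other MAC: alert
    monitor.observe(router, build_ra(1800, bytes.fromhex("0200000000ff")))   # listed router: no alert
    monitor.observe("fe80::aa", build_ra(0, other_mac))               # unlisted router: alert
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

    Keeping the first binding rather than overwriting it is a deliberate choice for a monitor (as opposed to a host's neighbor cache): every later advertisement that disagrees with the learned address raises an alert instead of silently replacing the entry, which is what a spoofed Override-flagged NA relies on.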

  • 14

    2.9. Previous work and literature review

    At the start of internet services, the approved IPv4 protocol design emerged as the base of networks and the instrument of the internet protocol. It was mostly used for research and development purposes, and security was not a major concern at that time. Because of that, the Internet protocol version 4 protocol has minimal security options compared with the latest Internet protocol version 6, and only later did security issues become the central concern for IP-based networks. Since the IPv4 protocol has its limits in security, upper-layer security protocols were introduced: for example, digital signatures, encryption methods, authentication, access control, Internet Protocol Security, Secure Socket Layer (SSL), HTTPS, and so on. In spite of the upper-layer security architecture, the lower layers remain unprotected on the public network. Attackers or trespassers use this opportunity to gather information about IPv4-based systems and their communications. This weakness exposes networks based on the Internet protocol version 6 to DoS attacks, spoofing attacks and network capture. Even with the higher security concerns in the design of the Internet protocol version 4, that protocol is still exposed to damage from these kinds of attack.

2.9.1 Study of IPv6 Security vulnerabilities [12]

This project focuses on exploring Man-In-The-Middle (MITM), Denial of Service and reconnaissance attacks in solely IPv6-based networks.

Scanners are the first tools used in a reconnaissance attack to explore the network and its open ports. Because of the size of the IPv6 address space, scanning with traditional methods is very challenging, so the project instead probed the well-known multicast addresses (for example ff02::1, all nodes on the link), which takes far less time.

The Denial of Service attacks were carried out in three different ways, all of them local and based on ICMPv6 Redirect and Router Advertisement messages. The authors set out to show that Denial of Service attacks are still effective in IPv6-based networks: operating systems do not protect their routing tables from fake routes, which allows Denial of Service attacks to be mounted against the hosts.

2.9.2 Denial of Service attack in IPv6 networks and counter measurements [13]

This project studies the different IPv6-based cyber-attacks that can result in Denial of Service (DoS) on an IPv6 network. IPv6 is the next-generation Internet protocol and demand for its benefits is relentless. The work concentrates on investigating the strength of some possible methods of launching DoS against future solely-IPv6 networks with open source tools. It also shows how differently network devices respond to this type of attack, launched locally or remotely, in terms of CPU utilization and bandwidth usage. A packet analyzer is used to capture and analyze the attacks. The DoS attacks in the project involve the IPv6, ICMPv6 and TCP protocols, with two categories of method and a variety of IPv6 extension headers and packet formats.

The project includes attacks that have a low impact on local devices such as the default gateway and at the same time a very high impact on target devices in another autonomous system, on which an attacker would never have administrative privileges.

The DoS attacks, flooding abrupt IPv6 traffic from a single attacker node, were performed with various test cases against different parts of the network. Monitoring and analysis were done on the traffic captured by Wireshark and on router status via the CLI, and statistics were built for each method and its test cases. The packet structure of the test cases was derived from the packets captured at the attacker's outbound interface and from the source code of the tools.

The DoS attacks experimented with in that thesis include IPv6 extension headers combined with the IPv6 fragmentation mechanism; the resulting packets could not be forwarded beyond the local router. On the other hand, when the fragmentation mechanism was evaluated with abrupt traffic generated at two different bandwidth limits from the attacker node, it caused maximal DoS on the routers, and the effect was severe enough for a router to hang or halt.

When an IPv6 access list was implemented on a router as a countermeasure, to stop the abrupt traffic types based on source and destination addresses, the router nodes were the most affected by the abrupt IPv6 traffic and in some cases the network stopped functioning altogether because of maximum CPU utilization. The effect of the DoS on a router was extreme, and the access list tested in that research was found not to be a solution for handling the attacks.

2.9.3 Vulnerabilities and Threats in IPv6 Environment [14]

This thesis reviews IPv6 security with a focus on Local Area Networks and IDS/IPS systems. It compares IPv4 and IPv6 threats and vulnerabilities and gives basic security recommendations. Selected IPv6 attacks and exploits are demonstrated in a simulated attacker/victim scenario on an IPv6 network.

These experiments are then used to set up guidelines for evaluating the usability of IDS/IPS appliances against IPv6-specific threats.

The goal of this work was to gather knowledge of IPv6 security and related threats, then look into this area from the perspective of current IDS/IPS solutions, and afterwards transform the gained knowledge into practical guidelines on how to assess the usability of these systems. The first part of this work contains a comprehensive and up-to-date comparison of IPv4 and IPv6 related threats with references to the corresponding RFCs. This part may be useful as a reference for future work. However, any such potential work should take into account that IPv6 is a very dynamic and still-developing technology; in fact, some of the information may become outdated in a couple of months. The second part focused on particular attacks and IDS/IPS appliance assessment. I see the main contribution of this work in the description of the selected attacks. Even though several ready-to-use tools for penetration testing exist, none of them comes with any kind of documentation. The original intention was to test a physical and a virtual appliance with the same firmware and compare performance results. However, an issue in the VMware virtual infrastructure was found during the testing, so I decided, after consultation with the thesis supervisor, to scratch the results as untrustworthy. Testing of additional functionalities of the physical appliance was performed as a substitute. The overall results of the assessment are unsatisfactory. It is necessary to mention that the situation among the majority of other vendors is very similar. I strongly believe that such testing will help to improve IPv6 capabilities and hopefully even the protocol itself. There is a wide range of possibilities for future work as well as challenges in the area of IPv6 security.

The most current one would be transition mechanisms from IPv4 to IPv6 and their coexistence. Further development of testing tools and test cases would be advisable as well.

In conclusion, it cannot be decided whether IPv6 is by design more secure than IPv4. It is just different, maybe more different than many expected.

Wider deployment or testing of IPv6-capable solutions in real-world scenarios.

2.9.4 Mitigating IPv6 Vulnerabilities [15]

This paper reviews some of the improvements associated with Internet Protocol version 6, with an emphasis on its security-related functionality, and concludes by summarizing some of the most common security concerns the new suite of protocols creates.

Mitigating security issues in IPv6 is important from an economic standpoint as well. New companies starting a business will be handed only IPv6 addresses, and if the big organizations want to keep their business growing they have to provide services to these new companies in order to generate more revenue. All of that communication will happen over IPv6, and if security is weak the communication can be compromised. Since IPv6 is at an early stage, more testing needs to be done to find the loopholes and resolve them. Vulnerabilities in IPv6 include Transmission Control Protocol (TCP) SYN flood attacks, the Routing Header Type 0 attack, Domain Name System (DNS) attacks, tunneling issues, and fragmentation and extension header vulnerabilities. The scope of that research is limited to some of these known vulnerabilities and to proposing solutions that mitigate some of the attacks they make possible, thereby making IPv6 more secure. Its aim is to lessen some of those security concerns and provide practical solutions to make IPv6 more secure and adaptable.

Sub-problems for the research question

In order to answer the following questions:

How can we mitigate the security issues caused by the IPv6 protocol header, focusing on the issues that are specific to IPv6 only?

What security risks arise from RFC non-compliant network devices, and what can be done to mitigate them?

What are the threats associated with the dual-stack architecture, and what are the implementation and architecture considerations for it?

Three sub-problems have been identified; they are as follows.

The first sub-problem deals with the issues that are specific to IPv6 only. Unlike in IPv4, the Internet Control Message Protocol (ICMP) is a required component of IPv6, hence the firewall policy needs to account for all the ICMPv6 message types (ICMP is optional in IPv4). Neighbor Discovery uses ICMPv6 messages to find the link layer address of a connected interface, to find the neighboring routers and for various other functions, so the role of ICMPv6 in IPv6 is quite broad. Care must therefore be taken that the policies set for the ICMPv6 protocol account for all these different message types. Setting the ICMPv6 firewall policy is an important problem because a large proportion of attacks can take the form of ICMPv6 messages. The scope of that research for the first sub-problem is to test different operating systems against the Cisco ASA and Juniper SRX firewalls and come up with a basic rule set that vendors can use to ensure that the basic malicious ICMPv6 packets are prevented from entering the internal network.

The second sub-problem concerns RFC non-compliant network devices. Not all IPv6-enabled devices support IPv6 completely, and different platforms have different performance characteristics with respect to IPv6 attacks. RFC 2460 states that an extension header of a particular type should appear only once (except in the case of the Destination Options header). The optional information in IPv6 is encoded in the extension headers. Different end-user operating systems such as Red Hat, Ubuntu and FreeBSD react differently to extension headers. Extension headers have also caused some devices running these operating systems to ignore the layer 4 (OSI transport layer) segment completely, and this vulnerability has been used to exploit the internal network. Some OS platforms do not comply with RFC 2460 and do allow more than one extension header of a particular type in a single packet. The scope of that research is to test the effect of sending malicious packets against the different platforms in this case and to produce a detailed analysis of the behaviour of the various operating systems.

The third sub-problem is related to the threats associated with the dual-stack nature of the network. Organizations throughout the world cannot change their networks to IPv6 overnight, so networks will remain dual-stack for a significant period of time. IPv6 will be deployed gradually while IPv4 is supported only for legacy services and clients. Initially there will be islands of IPv6 networks separated by IPv4 networks, and there has to be a way for the IPv6 networks to communicate across the IPv4 networks; this is accomplished with tunneling. Teredo tunnels are essential for users behind NAT devices so that they can communicate with external IPv6 networks. Teredo tunnels bypass the NAT devices, and Teredo traffic is difficult to inspect because it uses random port numbers. Teredo tunnels can also bypass firewalls, so security controls need to be made aware of Teredo tunnels; applying firewall policies to Teredo traffic is therefore very difficult. The solution should be presented in such a way that it supports end-to-end host security.

This third sub-problem deals with researching some of the potential threats from Teredo tunnels that most organizations may overlook, and proposing a solution for tackling them.


CHAPTER THREE

3. Results & Analysis

This chapter starts by briefly defining, in separate sections, the tools used in this research to implement the experiments, and describes the network environment and topology.

It then defines the ARP poisoning attack, shows the normal operation of the IPv6 network before the attack, and implements the attack in three different scenarios, observing and analyzing the results by tracking and comparing the ICMPv6 messages exchanged between the machines and their link layer addresses; it describes how the attacker succeeds in impersonating the web server and shows that a Man-In-The-Middle position has been obtained.

It then gives a short account of the Denial of Service attack and observes the IPv6 network before the attack. The attack is carried out in three different cases and the results are observed and analyzed by tracking the advertisement messages sent from the attacker machine to flood the network, after which a successful Denial of Service takes place.

The last section of this chapter covers mitigation of the Denial of Service attack with Snort acting as an IPS, describing the settings used in Snort to block the attack and the effect of using the IPS.

3.1 Tools

3.1.1 VirtualBox application version 4.3.12

VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. It is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use, an extremely feature-rich, high-performance product for enterprise customers, and the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2 [16].

3.1.2 Wireshark

Wireshark is an IP-based network protocol analyzer and sniffer. It reads packets from the network with the help of libpcap, tcpdump and similar tools and presents them in an easily understood way. It is an open source network analyzer first released in 1998. It works in two different modes, "promiscuous" and "non-promiscuous": in promiscuous mode the node's NIC reads all the traffic on the channel, while in non-promiscuous mode it reads only the packets addressed to the host itself. Wireshark supports a rich set of features for presenting IP packet information; the following are a few of them [17].

Live capture and offline analysis.

Deep inspection of hundreds of protocols, with more being added all the time.

Standard three-pane packet browser, whose default columns are packet number, time, source address, destination address, protocol name and protocol information.

Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM and other link types.

Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2.


3.1.3 The Hacker's Choice (THC-IPv6)

THC-IPv6 is an open source toolkit maintained by "van Hauser". It allows penetration testing of the IPv6 protocol to probe the weaknesses of a node, and includes over 50 separate tools that operate on IPv6-based protocols and headers. The toolkit is capable of IPv6 node discovery, IPv6 router impersonation and launching DoS attacks. THC is a hacker group assembled from around the world, an open source community that develops tools and exposes the security vulnerabilities of IP-based networks; the aim of their project is to expose the security weaknesses of products. THC was founded in 1995 and has published papers and released security penetration tools [18].

Some of the tools THC provides:

"parasite6": ICMPv6 Neighbor Solicitation/Advertisement spoofer that can be used to launch a Man-In-The-Middle attack.

"flood_router26": floods the target /64 network with Router Advertisement messages to create a bottleneck.

"fake_router6": advertises a node as the highest-priority router on the network in order to redirect traffic to the defined node.

"redir6": an ICMPv6 Redirect spoofer used to launch a Man-In-The-Middle attack.

"denial6": seven different denial-of-service tests against a target that take advantage of the IPv6 extension header mechanism [19].


3.1.4 Snort [20]

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998. It runs on different operating systems such as Linux and Windows.

Snort can operate in three different modes, namely tap (passive), inline and inline-test, and Snort policies and rules can be configured for these three modes too. Snort uses a simple, lightweight rule description language that is flexible and quite powerful [21].
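As an added example (it is neither thesis code nor a Snort rule), the following Python shows the rate-based detection that a Snort rule using "detection_filter: track by_src, count N, seconds T" applies to the kind of flood that flood_router26 generates: Router Advertisements are counted per source MAC in a sliding time window and the first source to exceed the threshold is flagged. The capture summary it runs over is constructed inside the block (a legitimate router sending an RA every few seconds and the attacker's MAC from Table 3.1 sending fifty in a tenth of a second); the one-line summary format is an assumption, not Wireshark's or Snort's.

```python
"""Rate-based detection of a Router Advertisement flood (what flood_router26 produces).

Added example; it is neither thesis code nor Snort. It applies the idea behind a
Snort rule with "detection_filter: track by_src, count N, seconds T" to a
constructed, tshark-style summary of ICMPv6 traffic: count RAs (ICMPv6 type 134)
per source MAC inside a sliding time window and flag any source that exceeds
the threshold. The summary lines are made up; the MACs are the lab's.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

ND_ROUTER_ADVERT = 134

# Constructed capture summary, one "<seconds> <source MAC> <ICMPv6 type>" per line.
# A real router announces itself every few seconds; the attacker sends 50 RAs in
# 0.1 s (the real tool gives each one a different random prefix).
SAMPLE_LINES = (
    "0.000 08:00:27:a6:8c:b3 134\n"          # legitimate router, first RA
    "0.010 08:00:27:00:90:da 135\n"          # a Neighbor Solicitation, ignored
    "0.012 08:00:27:a6:8c:b3 136\n"          # a Neighbor Advertisement, ignored
    + "".join(f"{1.0 + i * 0.002:.3f} 08:00:27:80:a0:ca 134\n" for i in range(50))
    + "4.000 08:00:27:a6:8c:b3 134\n"        # legitimate router, next RA
)

LINE_RE = re.compile(r"^\s*(\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s*$")


def parse_line(line: str) -> Tuple[float, str, int]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable summary line: {line!r}")
    return float(m.group(1)), m.group(2), int(m.group(3))


class RaFloodDetector:
    """Flag a source the first time more than `count` RAs from it fall within `seconds`."""

    def __init__(self, count: int = 10, seconds: float = 1.0) -> None:
        self.count, self.seconds = count, seconds
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)
        self.flagged: Dict[str, float] = {}          # source MAC -> time it was flagged

    def feed(self, ts: float, src: str, icmp_type: int) -> bool:
        if icmp_type != ND_ROUTER_ADVERT:
            return False
        w = self.windows[src]
        w.append(ts)
        while w and ts - w[0] > self.seconds:       # expire timestamps outside the window
            w.popleft()
        if len(w) > self.count and src not in self.flagged:
            self.flagged[src] = ts
            return True
        return False


def scan(text: str, count: int = 10, seconds: float = 1.0) -> Dict[str, float]:
    """Run the detector over a whole summary and return the flagged sources."""
    det = RaFloodDetector(count, seconds)
    for raw in text.splitlines():
        if raw.strip():
            det.feed(*parse_line(raw))
    return dict(det.flagged)


if __name__ == "__main__":
    for mac, when in scan(SAMPLE_LINES).items():
        print(f"RA flood from {mac} detected at t={when:.3f}s")
```

The threshold matters: the legitimate router is never flagged because its two RAs are four seconds apart, while the attacker trips the detector on its eleventh RA, twenty milliseconds into the flood. An IPS that drops on the same condition, as Snort does in inline mode, still lets the first ten through, which is why the experiments later in this chapter look at the effect on the victims as well as at whether the flood is stopped.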

3.1.5 Network design and equipment

This section describes the machines' hardware specifications and operating systems, including the applications and software installed and the main function of each machine.

3.1.5.1 Dell laptop

Running Windows 7 64-bit on an Intel Core i7 at 2.00 GHz with 6 GB of RAM, used to host the Oracle VM VirtualBox Manager application and, through virtualization, to create the Ubuntu Linux Server 14.04 and Kali Linux Server 3.14.1 virtual machines. Wireshark version 2.0.5 was also installed on it to capture packets between the mentioned servers, and Snort version 2.9.11 as the Intrusion Prevention System.

3.1.5.2 Ubuntu

Ubuntu Linux Server version 14.04, used as the web server, with an Intel Core i7 2.00 GHz and 6 GB of RAM.

3.1.5.3 Kali

Kali Linux Server version 3.14.1, used as the attacking machine with the tools described above, with an Intel Core i7 2.00 GHz and 2 GB of memory.

    3.1.5.4 Network Topology

    (Figure 3.1):Illustrated Diagram for Interfaces in the Lab


The previous diagram shows the network adapters targeted in this project and the names of the machines, including their operating systems [Figure 3.1].

Table (3.1): IPv6 and link layer addresses

Machine Name    IPv6 address        Link layer address
Webserver       2001:abcd::2/64     08:00:27:A6:8C:B3
Client          2001:abcd::1/64     08:00:27:00:90:DA
Attacker        2001:abcd::4/64     08:00:27:80:A0:CA

Table (3.1) contains the IPv6 and link layer addresses of the attacker machine, the web server and the client access and monitor terminal.


3.2 Experiments

3.2.1 The ARP poisoning attack

ARP spoofing is the technique of forging ARP messages on a network: the attacker updates a host's ARP cache with false information via spoofed ARP replies and so places himself between two communicating hosts, making sure that all traffic between them passes through him, where he can read it. IPv6 has no ARP; its equivalent is Neighbor Discovery, so in this attack the attacker uses spoofed Neighbor Solicitation and Neighbor Advertisement messages in the same way to perform a Man-in-the-Middle attack.

3.2.1.1 Normal operation of the IPv6 network

Qualification

All devices are off.

Client & capture monitor does not have any networking service such as DHCP or DNS.

Client & capture monitor is ON and capturing network traffic on the VirtualBox Host-only Network.

IP forwarding has been turned OFF on the Attacker machine.

Experiment

1. Turn on the "Client & capture monitor" and "Web Server" computers.

2. Wait until "Client & capture monitor" and "Web Server" stabilize.

3. Client & capture monitor sends 10 pings to Web Server.

4. From the client, open the web site [2001:abcd::2] in a browser.

5. Save the capture as normal-operation.

Observation

The traffic between the web server and the client before the attack runs normally and smoothly, as can be seen from the captured data in packets 15 to 34 in Figure 3.2 and from the web service being accessible from the access machine, as shown in Figure 3.3.

(Figure 3.2): Monitor of packets in normal operation

In Figure 3.2 above, the client sends a Neighbor Solicitation for the web server from its link layer address over ICMPv6, and the web server replies with a Neighbor Advertisement that also carries its link layer address. When the client sends an echo request (ping), the server answers with an echo reply normally, and IPv6 addresses appear as the source and destination of these packets instead of link layer addresses.

The client then accesses the web site on the web server via TCP and HTTP normally, without any further solicitation and advertisement messages.

(Figure 3.3): Accessing the web site in normal operation

Analysis

In frame 15 below, the server sends a Neighbor Solicitation for the client from its link layer address (8c:b3) over ICMPv6.

No  Source                    Destination   Protocol  Length  Info
15  fe80::a00:27ff:fea6:8cb3  2001:abcd::1  ICMPv6    86      Neighbor Solicitation for 2001:abcd::1 from 08:00:27:a6:8c:b3

Frame 15: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: 2001:abcd::1
Internet Control Message Protocol v6


In frame 16 the client, in turn, sends a Neighbor Solicitation for the web server's link-local address from its link layer address (90:da) to the solicited-node multicast address ff02::1:ffa6:8cb3 (Ethernet destination 33:33:ff:a6:8c:b3).

No  Source                      Destination        Protocol  Length  Info
16  fe80::d953:a236:d606:890c   ff02::1:ffa6:8cb3  ICMPv6    86      Neighbor Solicitation for fe80::a00:27ff:fea6:8cb3 from 08:00:27:00:90:da

Frame 16: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:a6:8c:b3 (33:33:ff:a6:8c:b3)
Internet Protocol Version 6, Src: fe80::d953:a236:d606:890c, Dst: ff02::1:ffa6:8cb3
Internet Control Message Protocol v6

In frame 17 the web server replies to the client with a Neighbor Advertisement that also carries its link layer address.

No  Source                    Destination                Protocol  Length  Info
17  fe80::a00:27ff:fea6:8cb3  fe80::d953:a236:d606:890c  ICMPv6    86      Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (sol, ovr) is at 08:00:27:a6:8c:b3

Frame 17: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
Internet Control Message Protocol v6

In frame 18 the client replies to the web server with a Neighbor Advertisement that also carries its link layer address.

No  Source        Destination               Protocol  Length  Info
18  2001:abcd::1  fe80::a00:27ff:fea6:8cb3  ICMPv6    86      Neighbor Advertisement 2001:abcd::1 (sol, ovr) is at 08:00:27:00:90:da

Frame 18: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: fe80::a00:27ff:fea6:8cb3
Internet Control Message Protocol v6


In frame 19 the client sends an echo request (ping) from its IPv6 address (2001:abcd::1) over the Internet Control Message Protocol (ICMPv6).

No  Source        Destination   Protocol  Length  Info
19  2001:abcd::1  2001:abcd::2  ICMPv6    94      Echo (ping) request id=0x0001, seq=21, hop limit=128 (reply in 20)

Frame 19: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Internet Control Message Protocol v6

In frame 20 the web server answers with an echo reply from its IPv6 address (2001:abcd::2) over ICMPv6; IPv6 addresses now appear as the source and destination of the packets instead of link layer addresses.

No  Source        Destination   Protocol  Length  Info
20  2001:abcd::2  2001:abcd::1  ICMPv6    94      Echo (ping) reply id=0x0001, seq=21, hop limit=64 (request in 19)

Frame 20: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6

In frame 29 below, when the client starts to browse the web site on the web server, it sends a [SYN] to the server over the Transmission Control Protocol (TCP) on port 80.

No  Source        Destination   Protocol  Length  Info
29  2001:abcd::1  2001:abcd::2  TCP       86      49425 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1

Frame 29: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 49425 (49425), Dst Port: 80 (80), Seq: 0, Len: 0


In frame 30 the server replies to the client by sending [SYN, ACK].

No  Source        Destination   Protocol  Length  Info
30  2001:abcd::2  2001:abcd::1  TCP       86      80 → 49425 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128

Frame 30: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 49425 (49425), Seq: 0, Ack: 1, Len: 0

The figure below describes the normal operation as an activity diagram.

(Figure 3.4): Activity diagram for normal operation


3.2.1.2 First ARP poisoning attack

Qualification

All devices are off.

Client & capture monitor does not have any networking service such as DHCP or DNS.

Client & capture monitor is ON and capturing network traffic on the VirtualBox Host-only Network.

IP forwarding has been turned OFF on the Attacker machine.

Experiment

1. Turn on the "Client & capture monitor" and "Web Server" computers.

2. Wait until "Client & capture monitor" and "Web Server" stabilize.

3. Client & capture monitor sends 10 pings to Web Server.

4. From the client, open the web site [2001:abcd::2] in a browser.

5. Turn on the Attacker machine.

6. Launch the attack with the command: # atk6-parasite6 eth0 2001:abcd::2 fake-mac

7. Client & capture monitor sends 10 pings to Web Server.

8. From the client, open the web site [2001:abcd::2] in a browser.

9. Save the capture as ARP-first-attack.

Observation

Before the attack started (step 6), the Client & capture monitor is able to ping the Web Server successfully, as shown in Figure 3.5 below; packets 1 to 8 in Figure 3.5 prove that.


(Figure 3.5): Packets before the first ARP attack

It is clear in the figure above that the client sends its Neighbor Solicitation for the web server from its link layer address over ICMPv6, and the web server replies with a Neighbor Advertisement that also carries its link layer address; the ping echo requests and replies take place in Figure 3.6.

(Figure 3.6): Ping replies from the server

After the attack has started, the echo request results and their analysis are as follows:


The web server replies to the client computer's Neighbor Solicitation with its own Neighbor Advertisement; Figure 3.7 below shows packets 46 and 47 as output.

(Figure 3.7): Solicitation and advertisement messages before the first ARP attack

The client and the server use their link layer addresses for Neighbor Solicitation and Advertisement over ICMPv6, while the attacker repeatedly sends spoofed Neighbor Advertisements that override the existing entries. The spoofed advertisements sent by the attacker have the Override flag set to 1, which is what allows them to replace the client's existing cache entry for the web server (the web server's own advertisement in frame 47 below is marked solicited only).

The attacker sends a Neighbor Advertisement to the client computer claiming that it has the IP address that belongs to the web server, as is clear in Figure 3.8.


(Figure 3.8): Monitor of packets in the first ARP attack

In the detailed packets in Figure 3.8, the attacker continuously sends advertisement messages with its own link layer address as the source address to the link layer address of the client access station, using the IPv6 address of the web server in its deceptive message.

Now the ping requests sent by the client computer to the web server are answered by the attacker, since the attacker is impersonating the web server. The attacker also generates a Neighbor Solicitation to find the real destination of the packet and then forwards the reply to the client computer, so the neighbor resolution completes and the attack develops into a Man-in-the-Middle; this appears in Figure 3.8 in the logged packets 127 to 129. In this case, however, the web server becomes unreachable: with IP forwarding turned off on the attacker machine, the Man-in-the-Middle cannot relay the messages on the web server's behalf, so the attack only hijacks the client computer, as Figure 3.8 proves by the client being unable to access the web server.


(Figure 3.9): How the attacker works

In the screen below, the ping echo requests from the client do not reach the server and time out; the attacker replies with Neighbor Advertisements carrying its own link layer address, the web server is no longer reachable via its link layer address, and the attacker can capture any data between the client and the server.

(Figure 3.10): Pinging in the first ARP attack

At the upper layers, specifically the application layer, it is observed that before the attack starts the client can access the web site [2001:abcd::2] on the web server, so the web application service is running fine on the server and network traffic is exchanged normally between the client and the web server; Figure 3.11 reflects this and packets 29 to 32 in Figure 3.11 confirm it.

(Figure 3.11): Packets for accessing the web site before the first ARP attack

The packets are exchanged normally between the client and the web server over TCP and the client can browse the web site on the server (Figure 3.12).

(Figure 3.12): Accessing the web site before the first ARP attack

After the attack has started, when the client tries to access the web server its [SYN] goes to the attacker instead of the web server, and the client keeps sending [ACK] and [TCP Retransmission] segments without completing the connection, so the web site can no longer be accessed. Figure 3.13 details packets 121 to 124, and Figure 3.14 confirms that the web site is unreachable.

    (Figure 3.13): in the first ARP attack the attacker answers in place of the server

    The attacker receives all of the client's browsing requests instead of the web server, and the client gets an unreachable error. However, if a web site were running on the attacker's machine, the client would reach it instead of the web site on the server, provided the attacker had prepared a suitable trap web site.

    (Figure 3.14): in the first ARP attack the web service is unavailable

    The attacker launches a successful attack by repeatedly sending spoofed Neighbor Advertisements in response to every Neighbor Solicitation message generated on the network, as shown in Figure 3.15 below.


    (Figure 3.15): attacker machine spoofed to the client in the first ARP attack

    Analysis

    In frame 46, after the attack is launched, the client sends a Neighbor Solicitation for the server's IPv6 address, carrying its own link-layer address in the Source Link-layer Address option.

    No.  Src           Dst           Proto   Length  Info
    46   2001:abcd::1  2001:abcd::2  ICMPv6  86      Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da

    Frame 46: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Internet Control Message Protocol v6

    In frame 47 the server replies to the client's solicitation with a Neighbor Advertisement (solicited flag set, no Target Link-layer Address option, so the client takes the link-layer address from the Ethernet source).

    No.  Src           Dst           Proto   Length  Info
    47   2001:abcd::2  2001:abcd::1  ICMPv6  78      Neighbor Advertisement 2001:abcd::2 (sol)

    Frame 47: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
      Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6

    From frame 121 to frame 124 below, while the attack is running, the client is browsing and repeatedly resends [SYN] to the attacker machine's link-layer address (a0:ce), although the IPv6 destination is still the server's address.

    No.  Src           Dst           Proto  Length  Info
    121  2001:abcd::1  2001:abcd::2  TCP    86      [TCP Retransmission] 50021 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1

    Frame 121: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50021 (50021), Dst Port: 80 (80), Seq: 0, Len: 0

    No.  Src           Dst           Proto  Length  Info
    122  2001:abcd::1  2001:abcd::2  TCP    86      [TCP Retransmission] 50022 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1

    Frame 122: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50022 (50022), Dst Port: 80 (80), Seq: 0, Len: 0

    No.  Src           Dst           Proto  Length  Info
    123  2001:abcd::1  2001:abcd::2  TCP    82      [TCP Retransmission] 50021 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 SACK_PERM=1

    Frame 123: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50021 (50021), Dst Port: 80 (80), Seq: 0, Len: 0

    No.  Src           Dst           Proto  Length  Info
    124  2001:abcd::1  2001:abcd::2  TCP    82      [TCP Retransmission] 50022 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 SACK_PERM=1

    Frame 124: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50022 (50022), Dst Port: 80 (80), Seq: 0, Len: 0

    In frame 127 the attacker machine sends a Neighbor Advertisement for the server's IPv6 address 2001:abcd::2, with its own link-layer address (a0:ce) in the Target Link-layer Address option, to the client's IPv6 address. The Override (ovr) flag tells the client to replace the entry it already holds for the server.


    No.  Src           Dst           Proto   Length  Info
    127  2001:abcd::2  2001:abcd::1  ICMPv6  86      Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce

    Frame 127: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6

    In frame 128 the attacker machine repeats the Neighbor Advertisement for the server's IPv6 address 2001:abcd::2 with its own link-layer address (a0:ce) to the client's IPv6 address. This time the advertisement is unsolicited and carries the Router (rtr) and Override (ovr) flags, although no router exists on this link.

    No.  Src           Dst           Proto   Length  Info
    128  2001:abcd::2  2001:abcd::1  ICMPv6  86      Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce

    Frame 128: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6

    In frame 129 below the attacker machine continues to repeat the Neighbor Advertisement for the server's IPv6 address 2001:abcd::2 with its own link-layer address (a0:ce) to the client's IPv6 address. The client now communicates with the attacker's link-layer address because that address is bound to the server's IPv6 address in its neighbor cache. The attacker has successfully taken the server's place under the server's IPv6 address and captures the data the client sends toward the server.

    No.  Src           Dst           Proto   Length  Info
    129  2001:abcd::2  2001:abcd::1  ICMPv6  86      Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce

    Frame 129: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6
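As an added worked example (editor's code, not from the thesis and not from the thc-ipv6 tool used in the experiment), the following Python shows what the Info column above is summarising: it builds and decodes the ICMPv6 part of Neighbor Solicitation and Neighbor Advertisement messages (type 135/136, the R/S/O flag word, the 16-byte target, and the 8-byte link-layer address option), and verifies the ICMPv6 checksum over the IPv6 pseudo-header. The frame bytes are constructed here to match the rows for frames 46, 47 and 127; the thesis does not print the raw bytes, so their exact content is an assumption. The checksum step is the practitioner's caveat: a spoofed advertisement with a wrong checksum is silently discarded by the victim, so a spoofing tool must compute it correctly, and a monitor should verify it before trusting what the message claims.

```python
"""Decoder for ICMPv6 Neighbor Solicitation / Advertisement messages (added example)."""
import ipaddress
import struct

ICMPV6_NS = 135          # Neighbor Solicitation (RFC 4861 section 4.3)
ICMPV6_NA = 136          # Neighbor Advertisement (RFC 4861 section 4.4)
OPT_SOURCE_LLADDR = 1    # Source Link-layer Address option (carried on NS)
OPT_TARGET_LLADDR = 2    # Target Link-layer Address option (carried on NA)
NA_FLAG_R, NA_FLAG_S, NA_FLAG_O = 0x80000000, 0x40000000, 0x20000000
IPPROTO_ICMPV6 = 58


def icmpv6_checksum(src, dst, message):
    """RFC 8200 section 8.1 checksum: IPv6 pseudo-header followed by the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (ones' complement addition)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, message):
    """True if the checksum stored in `message` matches the IPv6 src/dst it travelled with."""
    stored = struct.unpack("!H", message[2:4])[0]
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return icmpv6_checksum(src, dst, zeroed) == stored


def build_nd(msg_type, src, dst, target, flags=0, lladdr=None):
    """Build an NS or NA (ICMPv6 payload only) with a valid checksum.

    `flags` are the R/S/O bits and only apply to an NA; an NS keeps the word reserved (0).
    `lladdr`, if given, becomes the SLL option on an NS or the TLL option on an NA.
    """
    body = struct.pack("!BBHI", msg_type, 0, 0, flags if msg_type == ICMPV6_NA else 0)
    body += ipaddress.IPv6Address(target).packed
    if lladdr is not None:
        opt = OPT_TARGET_LLADDR if msg_type == ICMPV6_NA else OPT_SOURCE_LLADDR
        body += struct.pack("!BB", opt, 1) + bytes.fromhex(lladdr.replace(":", ""))
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def decode_nd(src, dst, message):
    """Parse an NS/NA and render Wireshark-style Info text; rejects bad checksums."""
    if len(message) < 24:
        raise ValueError("truncated Neighbor Discovery message")
    msg_type, code, _csum, flags = struct.unpack("!BBHI", message[:8])
    if msg_type not in (ICMPV6_NS, ICMPV6_NA) or code != 0:
        raise ValueError("not a Neighbor Solicitation/Advertisement")
    if not checksum_ok(src, dst, message):
        raise ValueError("bad ICMPv6 checksum")
    target = str(ipaddress.IPv6Address(message[8:24]))
    lladdr = None
    off = 24
    while off + 8 <= len(message):           # options are TLVs in units of 8 bytes
        opt_type, opt_len = message[off], message[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: message must be discarded
        if opt_type in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR) and opt_len == 1:
            lladdr = ":".join("%02x" % b for b in message[off + 2:off + 8])
        off += opt_len * 8
    names = []
    if msg_type == ICMPV6_NS:
        info = "Neighbor Solicitation for " + target + (" from " + lladdr if lladdr else "")
    else:
        names = [n for bit, n in ((NA_FLAG_R, "rtr"), (NA_FLAG_S, "sol"), (NA_FLAG_O, "ovr")) if flags & bit]
        info = "Neighbor Advertisement " + target
        info += " (" + ", ".join(names) + ")" if names else ""
        info += " is at " + lladdr if lladdr else ""
    return {"type": msg_type, "target": target, "flags": names, "lladdr": lladdr, "info": info}


# Constructed reproductions of three frames of the first-attack capture (ICMPv6 part only; the
# 86- and 78-byte frame lengths on the page are 14 bytes Ethernet + 40 bytes IPv6 + this part).
CLIENT, SERVER = "2001:abcd::1", "2001:abcd::2"
FRAME_46 = build_nd(ICMPV6_NS, CLIENT, SERVER, SERVER, lladdr="08:00:27:00:90:da")
FRAME_47 = build_nd(ICMPV6_NA, SERVER, CLIENT, SERVER, flags=NA_FLAG_S)   # genuine reply, no TLL option
FRAME_127 = build_nd(ICMPV6_NA, SERVER, CLIENT, SERVER, flags=NA_FLAG_S | NA_FLAG_O,
                     lladdr="08:00:27:80:a0:ce")                           # spoofed: Override + attacker MAC

if __name__ == "__main__":
    for no, s, d, m in ((46, CLIENT, SERVER, FRAME_46), (47, SERVER, CLIENT, FRAME_47),
                        (127, SERVER, CLIENT, FRAME_127)):
        print(no, decode_nd(s, d, m)["info"])
```

Note that the genuine reply in frame 47 has no Target Link-layer Address option (24 bytes of ICMPv6, hence the 78-byte frame), while the spoofed advertisements carry one (32 bytes, hence 86-byte frames); nothing in the message itself authenticates either, which is why the client accepts the second.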

    3.2.1.3 Second ARP poisoning Attack


    Qualification

    All devices are off.

    Client & capture monitor does not run any networking service such as DHCP or DNS.

    Client & capture monitor is ON and capturing network traffic on the VirtualBox Host-only Network.

    IP forwarding has been turned OFF on the Attacker machine.

    Experiment

    Turn on the computers "Client & capture monitor" and "Web Server".

    Wait until "Client & capture monitor" and "Web Server" stabilize.

    Turn on the Attacker machine and wait for it to stabilize.

    Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2 fake-mac.

    Client & capture monitor sends 10 pings to the Web Server.

    From the client, open the web site [2001:abcd::2] in the browser.

    Save the capture as ARP-Second-attack.

    Observation

    The attacker starts by sending Multicast Listener Report, Neighbor Solicitation and Router Solicitation messages on the network as its interface comes up on the link; the Neighbor Solicitations are Duplicate Address Detection for the attacker's own addresses, sent from the unspecified address (::). The Ethernet source of all these messages is the attacker's link-layer address, as shown in Figure 3.16 in packets 3 to 10 logged by the capture machine.

    (Figure 3.16): Router Solicitation messages in the second ARP attack

    When the client starts pinging the web server while the attack is running, the first reply comes from the web server, as shown in Figure 3.17 below.

    (Figure 3.17): pinging after the second ARP attack

    The attacker keeps sending repeated Neighbor Advertisements, captured in Figure 3.18 in the detailed packets 55 to 59 below; the attacker's link-layer address appears as the packet source, marked with red arrows.


    (Figure 3.18): continued Neighbor Advertisements in the second ARP attack

    The attacker answers the client's remaining requests as a Man-in-the-Middle; this is plain in packets 62 to 66, and Figure 3.19 below proves it.


    (Figure 3.19): attacker success in the second ARP attack

    (Figure 3.20): web service stopped in the second ARP attack

    At the application level, when the client tries to browse the web site [2001:abcd::2] on the web server it cannot reach it and an error is generated, because every browse request from the client is answered by the attacker's link-layer address instead of the web server's, as in Figure 3.20 above. Packets 110 to 117 in Figure 3.21 below show that the Man-in-the-Middle attack is in place, because the attacker's address exchanges messages with the client machine as if it were the web server.


    (Figure 3.21): Man-in-the-Middle in the second ARP attack

    Finally, changing the attack scenario did not change the result. The attacker still effectively used Neighbor Solicitation and Neighbor Advertisement messages to perform the ARP poisoning attack, and a Man-in-the-Middle attack took place as in the previous scenario. This is shown in Figure 3.22 below: the attacker acts in place of the web server, answers the client and gathers all the information needed for a successful attack.

    (Figure 3.22): attacker machine spoofed in the second ARP attack


    Analysis

    In frames 3 to 7 below the attacker starts sending Multicast Listener Report and Neighbor Solicitation messages on the network. The solicitations come from the unspecified address (::) and target 2001:abcd::4 and fe80::a00:27ff:fe80:a0ce, that is, Duplicate Address Detection for the attacker's own global and link-local addresses (the link-local one is derived from its MAC). The Ethernet source of all these messages is the attacker's link-layer address (a0:ce), so the capture reveals the attacker's real addresses before the spoofing begins.

    No.  Src  Dst       Proto   Length  Info
    3    ::   ff02::16  ICMPv6  110     Multicast Listener Report Message v2

    Frame 3: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
      Internet Protocol Version 6, Src: ::, Dst: ff02::16
      Internet Control Message Protocol v6

    No.  Src  Dst             Proto   Length  Info
    4    ::   ff02::1:ff00:4  ICMPv6  78      Neighbor Solicitation for 2001:abcd::4

    Frame 4: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:00:00:04 (33:33:ff:00:00:04)
      Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff00:4
      Internet Control Message Protocol v6

    No.  Src  Dst                Proto   Length  Info
    5    ::   ff02::1:ff80:a0ce  ICMPv6  78      Neighbor Solicitation for fe80::a00:27ff:fe80:a0ce

    Frame 5: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:80:a0:ce (33:33:ff:80:a0:ce)
      Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff80:a0ce
      Internet Control Message Protocol v6

    No.  Src  Dst       Proto   Length  Info
    6    ::   ff02::16  ICMPv6  110     Multicast Listener Report Message v2

    Frame 6: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
      Internet Protocol Version 6, Src: ::, Dst: ff02::16
      Internet Control Message Protocol v6

    No.  Src                       Dst       Proto   Length  Info
    7    fe80::a00:27ff:fe80:a0ce  ff02::16  ICMPv6  110     Multicast Listener Report Message v2

    Frame 7: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
      Internet Protocol Version 6, Src: fe80::a00:27ff:fe80:a0ce, Dst: ff02::16
      Internet Control Message Protocol v6

    In frame 59 below the attacker sends a Neighbor Advertisement from its link-layer address, using the server's IPv6 address as source, to the client's IPv6 address; the Router, Solicited and Override flags are all set.

    No.  Src           Dst           Proto   Length  Info
    59   2001:abcd::2  2001:abcd::1  ICMPv6  86      Neighbor Advertisement 2001:abcd::2 (rtr, sol, ovr) is at 08:00:27:80:a0:ce

    Frame 59: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6

    In frame 62 the attacker receives the data that the client sent to the web server; the attacker's link-layer address is the Ethernet destination while the IPv6 destination is still the server's, and no echo reply is found.

    No.  Src           Dst           Proto   Length  Info
    62   2001:abcd::1  2001:abcd::2  ICMPv6  94      Echo (ping) request id=0x0001, seq=1081, hop limit=128 (no response found!)

    Frame 62: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Internet Control Message Protocol v6

    All of the client's browsing requests ([SYN]) are received by the attacker machine, as is clear in frames 110 and 111.

    No.  Src           Dst           Proto  Length  Info
    110  2001:abcd::1  2001:abcd::2  TCP    86      50288 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1

    Frame 110: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0

    No.  Src           Dst           Proto  Length  Info
    111  2001:abcd::1  2001:abcd::2  TCP    86      [TCP Retransmission] 50288 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1

    Frame 111: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0

    In frame 112 the client sends a Neighbor Solicitation from its IPv6 address directly (unicast) to the attacker machine's link-layer address, that is, a reachability probe for the entry already in its neighbor cache.

    No.  Src           Dst           Proto   Length  Info
    112  2001:abcd::1  2001:abcd::2  ICMPv6  86      Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da

    Frame 112: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
      Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
      Internet Control Message Protocol v6

    In frame 113 below the attacker successfully answers with a Neighbor Advertisement to the client's address in place of the web server, so it keeps communicating with the client and receives any data sent to the web server.

    No.  Src           Dst           Proto   Length  Info
    113  2001:abcd::2  2001:abcd::1  ICMPv6  86      Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce

    Frame 113: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
      Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
      Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
      Internet Control Message Protocol v6
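Added example (editor's code, not the thesis's): the detection side of the two analyses above, a small stateful monitor that learns address-to-MAC bindings from Neighbor Discovery the way a host's neighbor cache does and flags the spoofed advertisements. The records are transcribed from the frame listings of the first attack (frames 46, 47, 127 to 129) and of this second attack (frames 3 to 7, 59, 112, 113); the web server's own reply in the second capture is not listed on the page, so it is not included. The rules are the editor's heuristics, not something the thesis proposes: an Override advertisement that changes a learned binding, a Router flag from an address that never sent a Router Advertisement, a Target Link-layer Address option that differs from the Ethernet source, and (the lesson of frames 4 and 5) one MAC that did Duplicate Address Detection for its own addresses and then advertises somebody else's.

```python
"""Stateful monitor for Neighbor Discovery spoofing over captured packet summaries (added example)."""
from dataclasses import dataclass


@dataclass
class NDRecord:
    frame: int
    eth_src: str                    # Ethernet source of the frame
    ip_src: str                     # IPv6 source ("::" for Duplicate Address Detection)
    msg: str                        # "NS", "NA" or "MLD"
    target: str = ""                # NS/NA target address
    flags: frozenset = frozenset()  # NA flags, subset of {"R", "S", "O"}
    lladdr: str = ""                # SLL option (NS) or TLL option (NA), "" if absent


@dataclass
class Alert:
    frame: int
    level: str
    reason: str


class NDMonitor:
    """Learns address-to-MAC bindings as a host cache would, and reports suspicious changes."""

    def __init__(self, routers=()):
        self.binding = {}            # IPv6 address -> first link-layer address seen for it
        self.claimed = {}            # link-layer address -> IPv6 addresses it has claimed
        self.routers = set(routers)  # addresses that sent Router Advertisements (none in these captures)
        self.alerts = []

    def _learn(self, ip, mac):
        self.binding.setdefault(ip, mac)
        self.claimed.setdefault(mac, set()).add(ip)

    def _alert(self, r, level, reason):
        self.alerts.append(Alert(r.frame, level, reason))

    def feed(self, r):
        if r.msg == "NS":
            if r.ip_src == "::":                 # DAD: the sender is claiming `target` for itself
                self._learn(r.target, r.eth_src)
            elif r.lladdr:
                if self.binding.get(r.ip_src, r.lladdr) != r.lladdr:
                    self._alert(r, "high", "source link-layer option conflicts with binding for " + r.ip_src)
                self._learn(r.ip_src, r.lladdr)
            return
        if r.msg != "NA":
            return                               # MLD reports and non-ND traffic carry no bindings
        mac = r.lladdr or r.eth_src              # an NA without a TLL option resolves to the Ethernet source
        if r.lladdr and r.lladdr != r.eth_src:
            self._alert(r, "high", "target link-layer option differs from Ethernet source")
        if "R" in r.flags and r.target not in self.routers:
            self._alert(r, "high", "router flag set by an address that never sent a Router Advertisement")
        known = self.binding.get(r.target)
        if known is None:
            others = self.claimed.get(mac, set()) - {r.target}
            if others and not r.target.startswith("fe80:"):   # link-local + global on one MAC is normal
                self._alert(r, "warn", "%s already claimed %s via DAD/ND and now advertises %s"
                            % (mac, ", ".join(sorted(others)), r.target))
            self._learn(r.target, mac)
        elif known != mac:
            self._alert(r, "high" if "O" in r.flags else "medium",
                        "binding for %s changes from %s to %s%s"
                        % (r.target, known, mac, " (Override set)" if "O" in r.flags else ""))

    def run(self, records):
        for r in records:
            self.feed(r)
        return self.alerts


def audit(records, routers=()):
    """Run a fresh monitor over `records`; return (alerts, bindings the victim would end up with)."""
    m = NDMonitor(routers)
    return m.run(records), dict(m.binding)


# Records transcribed from the page's frame listings (constructed input for this example).
ATTACKER, SERVER_MAC, CLIENT_MAC = "08:00:27:80:a0:ce", "08:00:27:a6:8c:b3", "08:00:27:00:90:da"
FIRST_ATTACK = [
    NDRecord(46, CLIENT_MAC, "2001:abcd::1", "NS", "2001:abcd::2", lladdr=CLIENT_MAC),
    NDRecord(47, SERVER_MAC, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("S")),
    NDRecord(127, ATTACKER, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("SO"), ATTACKER),
    NDRecord(128, ATTACKER, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("RO"), ATTACKER),
    NDRecord(129, ATTACKER, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("RO"), ATTACKER),
]
SECOND_ATTACK = [
    NDRecord(3, ATTACKER, "::", "MLD"),
    NDRecord(4, ATTACKER, "::", "NS", "2001:abcd::4"),                      # DAD for attacker's global address
    NDRecord(5, ATTACKER, "::", "NS", "fe80::a00:27ff:fe80:a0ce"),          # DAD for attacker's link-local
    NDRecord(7, ATTACKER, "fe80::a00:27ff:fe80:a0ce", "MLD"),
    NDRecord(59, ATTACKER, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("RSO"), ATTACKER),
    NDRecord(112, CLIENT_MAC, "2001:abcd::1", "NS", "2001:abcd::2", lladdr=CLIENT_MAC),
    NDRecord(113, ATTACKER, "2001:abcd::2", "NA", "2001:abcd::2", frozenset("SO"), ATTACKER),
]

if __name__ == "__main__":
    for name, records in (("first attack", FIRST_ATTACK), ("second attack", SECOND_ATTACK)):
        alerts, bindings = audit(records)
        print(name, "->", bindings.get("2001:abcd::2"))
        for a in alerts:
            print("  frame %d [%s] %s" % (a.frame, a.level, a.reason))
```

Two caveats are visible in the results. In the second capture the attacker answers before any genuine reply is recorded, so the first binding the monitor learns for 2001:abcd::2 is already the attacker's; only the Router flag and the DAD history of a0:ce give it away, which is why a monitor should seed bindings from a trusted source (static neighbor entries, or the switch's DHCPv6/DAD snooping table) rather than from the first advertisement seen. The "one MAC, several global addresses" rule is a heuristic: hosts with temporary (privacy) addresses trigger it legitimately, so it is reported as a warning rather than an alert.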


    3.2.1.4 Third ARP poisoning Attack

    Qualification

    All devices are off.

    Client & capture monitor does not run any networking service such as DHCP or DNS.

    Client & capture monitor is ON and capturing network traffic on the VirtualBox Host-only Network.

    IP forwarding has been turned OFF on the Attacker machine.

    Experiment

    Turn on the computers "Client & capture monitor" and "Web Server".

    Wait until "Client & capture monitor" and "Web Server" stabilize.

    Ping the web server from the client computer continuously.

    Turn on the Attacker machine and wait for it to stabilize.

    Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2 fake-mac.

    Save the capture as ARP-Third-attack.

    Observation

    The attack was effective when the attack was performed whi