The National Ribat University
Faculty of Graduate Studies and
Scientific Research
Master Thesis in
Study of Denial of Service and
ARP Spoofing Attacks In IPv6
Networks
Provided by : Ayman Mohamed Abelgadir
Supervisor : Dr. Mohamed Awad Elshaikh
Dedication
I would like to dedicate my work to my father, a great teacher, who
instilled the spirit of research, perseverance and study in me;
to my mother, who is always asking God for me;
to my dear wife for her continuous support; and also to my
brothers, my daughters, and my children.
ACKNOWLEDGMENTS
First of all, I wish to offer my sincere gratitude to Dr.
Mohammed Awad Elshaikh, my thesis supervisor, for his
guidance, advice, encouragement and suggestions during my
study. He led me to the world of IPv6. His knowledge and
hard work stimulated my interest in doing research in the area of IPv6.
I would like to thank Eng. Ahmed Ali for his continuous
support and Eng. Mohamed Mahgoub from Nile Center For
Technology and Research for his strong help.
Finally, I wish to thank my wife for her continuing love,
understanding, and encouragement.
ABSTRACT
In the light of today's and future advancing technologies, demand for
the IPv6 Internet protocol is becoming crucial because of its usages
and benefits.
This thesis describes the IPv6 packet structure and headers, and
addresses the details of the Internet Control Message Protocol
version 6 (ICMPv6) and its various message types.
The thesis describes how these messages are built and used to
visualize IPv6-based cyber-attacks, Denial of Service (DOS) and ARP
poisoning, on IPv6 networks, and the tracking of these messages
through ICMPv6 with a packet analyzer and open source tools, which
capture packet frames and analyze them. The results reached confirm
the existence of these attacks on IPv6, and the traces of the simulated
attacks extend from the link layer to the application layer.
Contents
1.1 Introduction ..... 1
1.2 Problem Statement ..... 3
1.3 Research Objective ..... 3
1.4 Research Methodology ..... 3
1.5 Research Scope ..... 4
1.6 Research Question ..... 4
1.7 Thesis Structure ..... 4
2. Previous work and literature review ..... 5
2.1 Brief Overview of IPv6 ..... 5
2.2 IPv6 Security ..... 6
2.3 IPv6 Security Impact ..... 6
2.4 IPv6 Packet Security ..... 7
2.5 Packet Headers ..... 7
2.6 Extension Headers ..... 8
2.7 Internet Control Message Protocol Version 6 (ICMP6) ..... 9
2.7.1 Information Messages ..... 10
2.7.2 Error Messages ..... 10
2.8. Neighbor Discovery ..... 12
2.8.1 The Router Solicitation message ..... 12
2.8.2 The Router Advertisement message ..... 12
2.8.3 The Neighbor Solicitation message ..... 12
2.8.4 The Neighbor Advertisement message ..... 12
2.8.5 The Neighbor Redirect Message ..... 13
2.9. Previous work and literature review ..... 14
2.9.1 Study of IPv6 Security vulnerabilities ..... 14
2.9.2 DOS attack in IPv6 networks and counter measurement ..... 15
2.9.3 Vulnerabilities and Threats in IPv6 Environment ..... 17
2.9.4 Mitigation IPv6 Vulnerabilities ..... 18
3. Result & Analysis ..... 23
3.1. Tools ..... 23
3.1.1 Virtual Box Application version 4.3.12 ..... 23
3.1.2 Wireshark ..... 24
3.1.3 The Hacker Choice ..... 25
3.1.4 Snort ..... 26
3.1.5 Network design and equipment ..... 26
3.1.5.1 Dell Laptop ..... 26
3.1.5.2 Ubuntu ..... 27
3.1.5.3 Kali ..... 27
3.1.5.4 Network Topology ..... 27
3.2 Experiments ..... 29
3.2.1 The ARP poisoning Attack ..... 29
3.2.1.1 Normal operation of the IPv6 network ..... 29
3.2.1.2 First ARP poisoning Attack ..... 35
3.2.1.3 Second ARP poisoning Attack ..... 45
3.2.1.4 Third ARP poisoning Attack ..... 53
3.2.2 The Denial of Service Attack ..... 59
3.2.2.1 First Denial of Service (DOS) Attack ..... 59
3.2.2.2 Second Denial of Service (DOS) Attack ..... 64
3.2.2.3 Third Denial of Service (DOS) Attack ..... 69
3.2.2.4 Mitigation of the (DOS) attack by Snort IPS ..... 75
4 Conclusion & Recommendation for future work ..... 77
4.1 Result ..... 77
4.2 Recommendation ..... 78
Bibliography ..... 79
LIST OF FIGURES
Figure 2.1 IPv6 Packet Headers ..... 7
Figure 2.2 IPv6 Extension Headers ..... 8
Figure 2.3 Sequence of Extension Headers ..... 9
Figure 2.4 Extension Headers Arrangements ..... 9
Figure 3.1 Network Diagram ..... 27
Figure 3.2 Monitor of Packets in Normal Operation ..... 30
Figure 3.3 Accessing website in normal operation ..... 31
Figure 3.4 Activity diagram for normal operation ..... 34
Figure 3.5 Packets before first ARP attack ..... 36
Figure 3.6 Pinging reply by server ..... 36
Figure 3.7 Solicitation and advertisement message before first ARP ..... 37
Figure 3.8 Monitor of packets in first ARP ..... 38
Figure 3.9 Explain how attacker works ..... 39
Figure 3.10 Pinging in first ARP attack ..... 39
Figure 3.11 Packet for accessing website before first ARP ..... 40
Figure 3.12 Accessing website before first ARP ..... 40
Figure 3.13 In first ARP attacker replies instead of server ..... 41
Figure 3.14 In first ARP web service unavailable ..... 41
Figure 3.15 Attacker machine spoofed to client in first ARP ..... 42
Figure 3.16 Router solicitation message in second ARP ..... 46
Figure 3.17 Pinging after second ARP ..... 46
Figure 3.18 Continue advertisement message in second ARP ..... 47
Figure 3.19 The attacker succeeds in second ARP ..... 48
Figure 3.20 Web services stopped in second ARP ..... 48
Figure 3.21 Man-in-the-Middle in second ARP ..... 49
Figure 3.22 Attacker machine spoofed in second ARP ..... 49
Figure 3.23 Advertisement and solicitation in third ARP ..... 54
Figure 3.24 Received packets in third ARP ..... 55
Figure 3.25 Attacker spoofed in third ARP ..... 55
Figure 3.26 Activity diagram for ARP spoofed ..... 58
Figure 3.27 Attacker advertisement in first DOS ..... 60
Figure 3.28 Solicitation message in first DOS ..... 61
Figure 3.29 Packets before second DOS ..... 65
Figure 3.30 Second DOS webserver not responding ..... 66
Figure 3.31 Pinging to webserver in third DOS ..... 70
Figure 3.32 Normal operation before third DOS ..... 70
Figure 3.33 Continue advertisement in third DOS ..... 71
Figure 3.34 Activity diagram for DOS attack ..... 74
Figure 3.35 Snort IPS blocking DOS attack ..... 76
Figure 3.36 Activity diagram for mitigating DOS attack ..... 76
LIST OF TABLES
Table (2.1) Error Message Code ..... 10
Table (2.2) Time Exceeded Code ..... 11
Table (2.3) ICMPv6 error message ..... 11
Table (2.4) IPv4 ARP and IPv6 Neighbors Discovery ..... 13
Table (3.1) IPv6 and link layer addresses ..... 28
List of Abbreviations
The following is a table of the abbreviations, symbols and notations
used within this thesis.
Abbreviation Definition
ACK Acknowledge
AH Authentication Header
ARP Address Resolution Protocol
Attacker Machine Linux Kali system
Capture Monitor Computer running the Wireshark application to capture data in the network
Client Computer in the network used to access the server
CPU Central Processing Unit
DAD Duplicate Address Detection
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
DOS Denial of Service
Dst Destination (where packets are going)
ESP Encrypted Security Payload
GUI Graphical User Interface
HTTP Hyper Text Transfer Protocol
ICMP Internet Control Message Protocol
ICMPv4 Internet Control Message Protocol version 4
ICMPv6 Internet Control Message Protocol version 6
IGMP Internet Group Management Protocol
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
MITM Man-In-The-Middle
MTU Maximum Transmission Unit
NIC Network Interface Card
NIDS Network Intrusion Detection System
NIPS Network Intrusion Prevention System
Ping Packet Internet Groper
RFC Request For Comment
Src Source (where packets are sent from)
SYN Synchronize
TCP Transfer Control Protocol
THC The Hacker Choice
Webserver Linux server hosting the test web site and web services
CHAPTER ONE
1.1. Introduction
IP address is short for Internet Protocol address: the number assigned
to a computer's network interface. Although we use names to refer to
the things we seek on the Internet, such as www.example.org, computers
translate these names into numerical addresses so they can send data
to the right location. So when sending an email or visiting a web site,
the computer sends data packets to the IP address of the other end of
the connection and receives packets destined for its own IP address [1].
There are two types of IP addresses. The older one, Internet Protocol
version 4 (IPv4), is the fourth version in the development of the
Internet Protocol and the first version of the protocol to be widely
deployed; it supports three different types of addressing modes [2].
The second one is Internet Protocol version 6 (IPv6), which is
intended to replace IPv4 in the worldwide Internet, mainly because of
the address exhaustion of IPv4. IPv6 greatly enlarges the address space
from 32 bits to 128 bits. This means the future expansion of the
Internet now depends on the successful global deployment of the next
generation of the Internet protocol [3].
IPv4 was designed in a way that leaves security to the end nodes (its
end-to-end model), which is why IPv4-based networks suffer from
security weaknesses. Today the original Internet continues to be
completely transparent, and no security framework provides resilience
against general threats and attacks. An example is the Denial of
Service attack, in which certain services are flooded with a large
amount of illegitimate requests that render the target system
unreachable by legitimate users.
The Denial of Service attack that results from an architectural
vulnerability of IPv4 is broadcast flooding. Also, the small address
space of IPv4 can facilitate malicious code distribution and other
port-scanning or reconnaissance attacks. In an IPv4 network, the
Address Resolution Protocol (ARP) is responsible for mapping a host's
IP address to its physical or MAC address. When forged ARP responses
are broadcast with incorrect mapping information, packets can be forced
to the wrong destination, and ARP poisoning occurs. However, many
techniques have been developed to overcome some of the IPv4 security
limitations, like Network Address Translation and Network Address Port
Translation; IPsec has also facilitated the use of encrypted
communication [4].
IPv6 security is similar to IPv4 security. The mechanism for
transporting packets across the network is almost the same, and the
layer that is mostly unaffected is the upper layer, which is
responsible for transporting application data. However, because IPv6
mandates IPsec, it has often been stated that IPv6 is more secure than
IPv4. Although this may be true in an ideal environment with well-coded
applications, a robust identity infrastructure, and efficient key
management, in reality the same problems that plague IPv4 IPsec
deployment will affect IPv6 IPsec deployment, and in practice IPv6 is
not protected with any kind of cryptography. Additionally, most
security breaches occur at the application level, where IPsec offers
no additional protection.
The IPv6 security features are introduced mainly by way of two
dedicated extension headers, the Authentication Header (AH) and the
Encrypted Security Payload (ESP), with complementary capabilities.
The two headers can be used together to provide all the security
features simultaneously. IPv6 also supports other new features,
including increased address space, auto-configuration, QoS
capabilities, and network-layer security. All these IPv6 features can
be used to prevent various network attack methods, including IP
spoofing, some Denial of Service attacks (where IP spoofing has been
employed), data modification and sniffing activity [4].
1.2. Problem Statement
Given the rapid migration from Internet Protocol version 4 (IPv4) to
Internet Protocol version 6 (IPv6), is it possible to say that attacks
inherited from IPv4, such as the ARP spoofing attack and the Denial of
Service attack, can still happen in a solely IPv6 network? These two
types of attack were chosen because of their abundance and prevalence,
and because they are easier to implement in IPv4 networks.
1.3. The Main Objective
1. Observe the effect of ARP poisoning and Denial of Service
attacks in IPv6 networks.
2. Prove that these two types of attacks can happen in IPv6
networks.
3. Mitigate the Denial of Service attack by using Snort software.
1.4. Methodology
Exploit the link layer of the IPv6 protocol with ARP spoofing and
Denial of Service attacks, via different experimental scenarios and
captured logs.
1.5. Research Scope
This thesis is limited to the results of exploiting ARP spoofing and
Denial of Service attacks in a virtual environment of computers and
servers that use IPv6.
1.6. Research Questions
Are there attacks that can still happen in IPv6 networks to date?
Can the same types of attacks that affect IPv4 networks be considered
threats to IPv6 networks?
How can we mitigate the security issue due to Denial of Service in
IPv6 networks?
1.7. Thesis Structure
In this thesis, the researcher has concentrated deeply on the effect of
Denial of Service and ARP poisoning attacks on IPv6 networks.
Chapter two deals with the technical background of IPv6 in terms of:
IPv6 features, security and security impact, packet security, packet
headers, extension headers, Internet Control Message Protocol version
6, and Neighbor Discovery. Chapter two also includes the previous work
and literature review: a study of IPv6 security vulnerabilities,
Denial of Service attacks in IPv6 networks and countermeasures,
vulnerabilities and threats in the IPv6 environment, and mitigating
IPv6 vulnerabilities.
Chapter three provides the network topology, tools and results with
detailed analysis.
Chapter four describes the conclusion and recommendations for future
work.
CHAPTER TWO
2. Previous Work and Literature Review
The new version of the Internet protocol, IP version 6, has new
technical features and specifications.
2.1. Brief Overview Of IPv6
IPv6 (Internet Protocol version 6), also called IPng (Internet Protocol
next generation), is the newest version of the Internet protocol. IPv6
is the replacement for Internet Protocol version 4. It was designed as
an evolutionary upgrade to the Internet protocol and will, in fact,
coexist with the older IPv4 for some time. IPv6 is designed to allow
the Internet to grow steadily, both in terms of the number of hosts
connected and the total amount of data traffic transmitted. While
increasing the pool of addresses is one of the most often talked about
benefits of IPv6, there are other important technological changes in
IPv6 that will improve the IP protocol [5]:
- No more NAT (Network Address Translation)
- Auto-configuration
- No more private address collisions
- Better multicast routing
- Simpler header format
- Simplified, more efficient routing
- True quality of service (QoS), also called "flow labeling"
- Built-in authentication and privacy support
- Flexible options and extensions
- Easier administration (no DHCP)
2.2. IPv6 Security
IPv6 security is in many ways the same as IPv4 security. The basic
mechanisms for transporting packets across the network stay mostly
unchanged, and the upper-layer protocols that transport the actual
application data are mostly unaffected. However, because IPv6
mandates the inclusion of IP Security (IPsec), it has often been
stated that IPv6 is more secure than IPv4. Although this may be true
in an ideal environment with well-coded applications, a robust
identity infrastructure, and efficient key management, in reality the
same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec
deployment. Therefore, IPv6 is usually deployed without cryptographic
protections of any kind. Additionally, because most security breaches
occur at the application level, even the successful deployment of
IPsec with IPv6 does not guarantee any additional security against
those attacks, beyond the valuable ability to determine the source of
the attack [6].
2.3. IPv6 Security Impact
Many security issues in IPv6 remain the same as in IPv4, but IPv6 also
has new features that affect system and network security, as well as
potentially impacting policies and procedures. IPv6 and IPv4 usually
operate completely independently over the same Layer 2 infrastructure,
so additional and separate IPv6 security mechanisms must be
implemented. Many areas will need overhauling, such as firewalls,
monitoring, and security appliances. It is important to keep in mind
that IPv6 is operationally young and may have issues not yet
encountered, or even imagined [7].
2.4. IPv6 Packet Security
Unlike IPv4, IPsec security is mandated in the IPv6 protocol
specification, allowing IPv6 packet authentication and/or payload
encryption via the extension headers. However, IPsec is not
automatically implemented; it must be configured and used with a
security key exchange.
2.5. Packet Headers
An Internet Protocol version 6 (IPv6) data packet comprises two main
parts: the header and the payload. The first 40 bytes/octets (40 x 8 =
320 bits) of an IPv6 packet comprise the header (see Figure 2.1), which
contains the following fields:
(Figure 2.1): IPv6 Packet Headers
The wonder of IPv6 lies in its header. An IPv6 address is 4 times
larger than an IPv4 address, but surprisingly, the IPv6 header is only
2 times larger than that of IPv4. IPv6 headers have one Fixed Header
and zero or more Optional (Extension) Headers. All the information that
is essential for a router is kept in the Fixed Header. The Extension
Headers contain optional information that helps routers understand how
to handle a packet/flow.
Source address (128 bits): The 128-bit source address field contains
the IPv6 address of the originating node of the packet. It is the
address of the originator of the IPv6 packet.
Destination address (128 bits): The 128-bit destination address field
contains the address of the recipient node of the IPv6 packet. It is
the address of the intended recipient of the IPv6 packet.
2.6. Extension Headers
In IPv6, the Fixed Header contains only the information that is
necessary, leaving out information that is either not required or
rarely used. All such information is put between the Fixed Header and
the upper-layer header in the form of Extension Headers. Each Extension
Header is identified by a distinct value. When extension headers are
used, the IPv6 fixed header's Next Header field points to the first
extension header. If there is one more extension header, the first
extension header's Next Header field points to the second one, and so
on. The last Extension Header's Next Header field points to the
upper-layer header. Thus, all the headers point to the next one in a
linked-list manner. If the Next Header field contains the value 59, it
indicates that there are no headers after this header, not even an
upper-layer header. The following extension headers must be supported
as per RFC 2460, shown in Figure 2.2.
(Figure 2.2): IPv6 Extension Headers
The sequence of extension headers should be as shown below.
(Figure 2.3): Sequence of Extension Headers
These headers should be processed by the first and subsequent
destinations, and also by the final destination. Extension headers are
arranged one after another in a linked-list manner, as depicted in the
diagram in Figure 2.4 [8].
(Figure 2.4): Extension Headers Arrangements
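The Next Header chain described above, as an added example that is not part of the thesis: this Python walks the chain of an IPv6 packet by following each Next Header field, applying the length rule of each RFC 2460 extension header, stopping at the upper-layer protocol or at the value 59, and rejecting chains that are truncated or longer than a monitor should accept. All packet bytes are constructed for the example.

```python
import struct

# Next Header values: the RFC 2460 extension headers, 59 = No Next Header,
# and the upper-layer protocols that commonly terminate the chain
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT_HEADER, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "Authentication Header", DEST_OPTS: "Destination Options"}
UPPER_NAMES = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6", NO_NEXT_HEADER: "No Next Header"}


def walk_headers(packet, max_headers=8):
    """Follow the Next Header linked list of an IPv6 packet.

    Returns (chain, upper, offset): the extension header types in order, the
    protocol number the last header points to (59 when nothing follows), and the
    byte offset where that upper-layer header starts. Raises ValueError on
    truncated or abusive packets.
    """
    if len(packet) < 40:
        raise ValueError("truncated fixed header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("Payload Length exceeds the captured bytes")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXT_NAMES:
        if len(chain) >= max_headers:
            raise ValueError(f"more than {max_headers} extension headers")
        if next_header == ESP:
            # ESP keeps its Next Header field in the encrypted trailer,
            # so the chain cannot be followed any further in cleartext
            return chain + [ESP], ESP, offset
        if offset + 8 > end:
            raise ValueError("extension header runs past the packet")
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            hdr_len = 8                     # fixed size; its second byte is reserved
        elif next_header == AH:
            hdr_len = (ext_len + 2) * 4     # AH length is in 32-bit words, minus 2
        else:
            hdr_len = (ext_len + 1) * 8     # 64-bit units, not counting the first unit
        if offset + hdr_len > end:
            raise ValueError(f"{EXT_NAMES[next_header]} header runs past the packet")
        chain.append(next_header)
        next_header, offset = nh, offset + hdr_len
    return chain, next_header, offset


def describe(packet):
    """Human-readable summary of the header chain, as one would note in a capture review."""
    chain, upper, offset = walk_headers(packet)
    names = [EXT_NAMES[t] for t in chain] + [UPPER_NAMES.get(upper, f"protocol {upper}")]
    return " -> ".join(names) + f" (upper layer at byte {offset})"


def is_sane(packet, max_headers=8):
    """True when the chain can be walked within the limits, False otherwise."""
    try:
        walk_headers(packet, max_headers)
        return True
    except ValueError:
        return False


def fixed_header(next_header, payload_len):
    """Constructed fixed header: version 6, zero class/flow, hop limit 64, :: addresses."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + bytes(32)


PADN_OPTION = b"\x01\x04\x00\x00\x00\x00"   # PadN filling the 6 bytes after Next Header / Hdr Ext Len


def sample_packet():
    """Constructed: fixed header -> Hop-by-Hop -> Destination Options -> ICMPv6 Echo Request."""
    echo_request = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # type 128, code 0, checksum 0, id 1, seq 1
    dest_opts = bytes([ICMPV6, 0]) + PADN_OPTION
    hop_by_hop = bytes([DEST_OPTS, 0]) + PADN_OPTION
    payload = hop_by_hop + dest_opts + echo_request
    return fixed_header(HOP_BY_HOP, len(payload)) + payload


def sample_chain(n):
    """Constructed: n chained Destination Options headers, then No Next Header (59)."""
    payload = b"".join(bytes([DEST_OPTS if i < n - 1 else NO_NEXT_HEADER, 0]) + PADN_OPTION
                       for i in range(n))
    return fixed_header(DEST_OPTS if n else NO_NEXT_HEADER, len(payload)) + payload


if __name__ == "__main__":
    print(describe(sample_packet()))
    print(describe(sample_chain(2)))
```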
2.7. Internet Control Message Protocol Version 6 (ICMP6)
The Internet Control Message Protocol version 6 (ICMPv6) is the
successor of ICMPv4 and is mandatory for an IPv6 network to operate at
all. ICMPv6 is used by IPv6 nodes to report errors encountered in
processing packets, and to perform other internet-layer functions such
as diagnostics (ICMPv6 "ping"). ICMPv6 is an integral part of IPv6,
and the base protocol (all the messages and behavior required by this
specification) MUST be fully implemented by every IPv6 node. It
therefore replaces not only ICMPv4 but also other network-related
protocols, such as the Address Resolution Protocol (ARP) for resolving
link-layer addresses and the Internet Group Management Protocol
(IGMP), which is used for establishing multicast group
memberships [9].
2.7.1 Information Messages
There are two types of information message:
The Echo Request (or solicitation) message contains an identifier and
sequence number, and is type 128.
The Echo Reply (or advertisement) message also contains an identifier
and sequence number, and is type 129.
2.7.2 Error Messages
There are four types of ICMPv6 error message [9]:
The Destination Unreachable message is sent if an IP packet cannot be
delivered. It uses the Code field of the ICMPv6 header to further
specify the reason, such as "No route to destination" or "Address
unreachable", and is sent to the source address of the invoking
packet. The possible codes are listed in Table (2.1).
Table (2.1): Error Message Code
Code 0: No route to destination
Code 1: Communication administratively prohibited
Code 3: Address unreachable
Code 4: Port unreachable
The second ICMPv6 error message is Packet Too Big. It is sent back to
the source if a router cannot deliver the IP packet because of a
smaller maximum transmission unit (MTU) on the forwarding link. The
Packet Too Big message therefore carries the MTU of the next-hop link,
to inform the originating node to fragment its future packets to this
size. This feature is used by Path MTU Discovery (RFC 1981), which
identifies the smallest MTU along the path from the source to the
destination node by simply sending packets to the destination node
until a direct reply, instead of a Packet Too Big error message, comes
back.
The third error message is Time Exceeded. It is sent back to the
originating node if the Hop Limit value in the IPv6 header reaches its
limit of 0. This could indicate either a routing loop or a Hop Limit
value that was set too low by the source node. This error message is
well known for its use by the traceroute utility, which discovers the
path that a packet takes on its way to the destination network.
Table (2.2): Time Exceeded Code
Code 0: Hop limit exceeded
Code 1: Fragment reassembly time exceeded
The fourth ICMPv6 error message is Parameter Problem. It is sent if an
IPv6 node cannot process an IPv6 packet because of an error in its
header or any of the extension headers. All ICMPv6 error messages
contain the original IPv6 header and as much data from the original
IPv6 packet as possible, until the ICMPv6 message size is filled. This
information reveals which connection they belong to and is used by
stateful firewalls for their security decisions.
Table (2.3): ICMPv6 error message
Code 0: Erroneous header field
Code 1: Unrecognized Next Header type
Code 2: Unrecognized IPv6 option
2.8. Neighbor Discovery
Neighbor Discovery is a family of functions relating to other IPv6
nodes on the same link, such as finding routers and other nodes,
maintaining reachability information about active neighbors (Neighbor
Unreachability Detection, NUD), or configuring a node's own unique
IPv6 addresses via auto-configuration (Duplicate Address Detection,
DAD). The five ICMPv6 messages that correspond to Neighbor Discovery
are specified below [10]:
2.8.1 The Router Solicitation message
This is ICMPv6 informational message type 133 and is sent by a node in
order to discover any routers on the link. It is therefore sent to the
all-routers multicast address ff02::2. As an option, this message
carries the link-layer address of the requesting node. This has the
advantage that the responding router directly knows to which node the
answering packet should be sent. If a router is present on the link, it
answers immediately with a Router Advertisement [11].
2.8.2 The Router Advertisement message
This is ICMPv6 informational message type 134. It contains one or more
prefixes; the prefixes have lifetimes and are used for stateless or
stateful auto-configuration.
2.8.3 The Neighbor Solicitation message
This is ICMPv6 informational message type 135 and is used by a node to
get the link-layer address of a neighbor.
2.8.4 The Neighbor Advertisement message
This is ICMPv6 informational message type 136, and it is the response
to a Neighbor Solicitation.
2.8.5 The Neighbor Redirect Message
This is ICMPv6 informational message type 136. It is sent from a
router to a node in order to indicate a more appropriate first-hop node
along the path to the destination network. This can either be another
router on the same link or a directly connected neighbor node, in the
case that the originating node did not expect it to be on the same link
because of the other IPv6 prefixes in use. A Redirect message contains
two addresses, namely the Target Address, which is the best next hop,
and the Destination Address, which is the address of the destination of
the original IPv6 packet. Table (2.4) below compares IPv6 Neighbor
Discovery with IPv4 ARP.
Table (2.4): IPv4 ARP and IPv6 Neighbors Discovery
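As an added example (not part of the thesis), the following Python applies the receive-side checks that RFC 4861 requires for the five Neighbor Discovery messages described above (type numbers as the RFC assigns them, with Redirect as 137), and then watches Neighbor Advertisements for a target address whose link-layer address changes, which is how the ARP-style poisoning examined in chapter three appears on the wire. The addresses, MACs and messages are constructed for the example.

```python
import ipaddress
import struct

# Neighbor Discovery types and minimum lengths per RFC 4861 (which numbers Redirect 137)
ND_NAMES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}
ND_MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
TARGET_LLADDR = 2          # ND option type: Target Link-Layer Address


def icmpv6_checksum(src, dst, icmp):
    """Ones-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(icmp), 58))   # length, 3 zero bytes, next header 58
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nd(msg_type, src, dst, body, options=b""):
    """Constructed ND message: type, code 0, checksum, type-specific body, then options."""
    icmp = bytes([msg_type, 0, 0, 0]) + body + options
    return icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]


def validate_nd(src, dst, hop_limit, icmp):
    """RFC 4861 receive-side checks; returns the list of failures (empty list = accept)."""
    if len(icmp) < 4 or icmp[0] not in ND_NAMES:
        return ["not a Neighbor Discovery message"]
    msg_type, code, name = icmp[0], icmp[1], ND_NAMES[icmp[0]]
    problems = []
    if hop_limit != 255:   # ND never crosses a router: anything below 255 came from off-link
        problems.append(f"{name}: hop limit {hop_limit} != 255")
    if code != 0:
        problems.append(f"{name}: code {code} != 0")
    if len(icmp) < ND_MIN_LEN[msg_type]:
        return problems + [f"{name}: length {len(icmp)} < {ND_MIN_LEN[msg_type]}"]
    if icmpv6_checksum(src, dst, icmp) != 0:
        problems.append(f"{name}: bad checksum")
    if msg_type in (134, 137) and not ipaddress.IPv6Address(src).is_link_local:
        problems.append(f"{name}: source {src} is not link-local")
    if msg_type in (135, 136, 137) and ipaddress.IPv6Address(icmp[8:24]).is_multicast:
        problems.append(f"{name}: target address is multicast")
    if msg_type == 136 and ipaddress.IPv6Address(dst).is_multicast and icmp[4] & 0x40:
        problems.append(f"{name}: Solicited flag set on a multicast advertisement")
    off = ND_MIN_LEN[msg_type]   # options are (type, length in 8-byte units); length 0 is invalid
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            problems.append(f"{name}: malformed option at offset {off}")
            break
        off += icmp[off + 1] * 8
    return problems


class NeighborWatch:
    """Passive monitor: alerts when a Neighbor Advertisement rebinds a target to a new link-layer address."""

    def __init__(self):
        self.bindings = {}     # target IPv6 address -> link-layer address first seen for it

    def observe(self, src, dst, hop_limit, icmp):
        """Returns an alert string, or None when the message is acceptable."""
        problems = validate_nd(src, dst, hop_limit, icmp)
        if problems:
            return "; ".join(problems)
        if icmp[0] != 136:
            return None
        target = str(ipaddress.IPv6Address(icmp[8:24]))
        off = ND_MIN_LEN[136]
        while off + 2 <= len(icmp):            # walk the (already validated) options
            if icmp[off] == TARGET_LLADDR:
                lladdr = icmp[off + 2:off + 8].hex(":")
                known = self.bindings.setdefault(target, lladdr)
                if known != lladdr:
                    return f"{target} moved from {known} to {lladdr}: possible NA spoofing"
            off += icmp[off + 1] * 8
        return None


def sample_capture():
    """Constructed link traffic: a gateway at fe80::1, then a second host claiming its address."""
    gw_mac, other_mac = bytes.fromhex("0800271111aa"), bytes.fromhex("080027ffffbb")
    gw = ipaddress.IPv6Address("fe80::1").packed
    unsolicited = bytes([0x20, 0, 0, 0])       # flags byte R=0, S=0, O=1, then reserved
    na_gw = build_nd(136, "fe80::1", "ff02::1", unsolicited + gw, bytes([TARGET_LLADDR, 1]) + gw_mac)
    na_spoof = build_nd(136, "fe80::bad", "ff02::1", unsolicited + gw, bytes([TARGET_LLADDR, 1]) + other_mac)
    ra_offlink = build_nd(134, "2001:db8::1", "ff02::1", bytes([64, 0, 0x07, 0x08]) + bytes(8))
    return [("gateway NA", "fe80::1", "ff02::1", 255, na_gw),
            ("spoofed NA", "fe80::bad", "ff02::1", 255, na_spoof),
            ("RA from global source", "2001:db8::1", "ff02::1", 64, ra_offlink)]


def run(capture=None):
    """Feed a capture through one NeighborWatch; returns {label: alert or None}."""
    watch = NeighborWatch()
    return {label: watch.observe(src, dst, hl, icmp)
            for label, src, dst, hl, icmp in (capture or sample_capture())}
```

A well-formed spoofed advertisement passes every RFC check, so the binding history in NeighborWatch, not the validation alone, is what exposes it.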
2.9. Previous work and literature review
At the start of Internet services, the IPv4 protocol design came out
as the base of networks and the instrument for the Internet protocol.
It was mostly used for observation and development purposes, and
security was not a major concern at that time. Because of that,
Internet Protocol version 4 has lower-limit security options compared
with the latest version, Internet Protocol version 6, and security
issues later became the central concern for IP-based networks. Since
Internet Protocol version 4 has its limits in security, upper-layer
security protocols have been introduced: digital signatures, methods
of disguising or masking a message, authentication, access control,
Internet Protocol Security, Secure Socket Layer (SSL), HTTPS, and so
on. In spite of the upper-layer security architecture, the lower layers
are still unprotected on the public network. An attacker or trespasser
uses this opportunity to gather information about Internet Protocol
version 4 based systems and their communications. This weakness leads
networks based on Internet Protocol version six to DoS attacks,
spoofing attacks, and network capture. Even with the higher security
concerns in the design of Internet Protocol version 4, it is still
exposed to damage from these kinds of attacks.
2.9.1 Study of IPv6 Security vulnerabilities [12]
This project studies and focuses on exploring Man-In-The-Middle
(MITM), Denial of Service and reconnaissance attacks in solely
IPv6-based networks.
Scanners are the first tools used in a reconnaissance attack to explore
the network and its open ports. Because of the large size of IPv6
addresses, scanning is very challenging with traditional scanning
methods; therefore, in their project they instead crafted multicast
addressing, which is more or less detrimental in respect of the time
needed.
The Denial of Service attacks were done in three different ways, but
all of them locally, with ICMPv6 Redirect messages and Router
Advertisement messages. They tried to prove that Denial of Service
attacks still have an impact in IPv6-based networks. Operating systems
do not protect their routing tables from fake routes, which leads to
Denial of Service attacks being injected on the hosts.
2.9.2 Denial of Service attack in IPv6 networks and countermeasures
[13]
This project studies and expresses the different IPv6-based
cyber-attacks which could result in Denial of Service (DoS) on an IPv6
network. IPv6 is the next-generation Internet protocol and the demand
for its benefits is implacable, so the project concentrated on
investigating the strength of some possible methods of launching DoS
on future solely IPv6 networks with open source tools. Moreover, it
aims to show how differently some network devices respond to this type
of attack, either locally or remotely, in terms of CPU utilization and
bandwidth usage. A packet analyzer is used to capture and analyze
these attacks. The DoS attacks in this project involve the protocols
IPv6, ICMPv6 and TCP, with two different categories of method and a
variety of different IPv6 extension headers and packet formats.
This project has different kinds of attacks that result with low impress
on local area devices like default gateway and simultaneously very high
impact on targets devices with another autonomous system number that
an attacker would never have administrative privileges on.
The DoS attacks with flooding abrupt IPv6 network traffic from one
attacker node was performed with various test cases on different parts
of network areas. The monitoring and analysis were done on these
traffics captured by Wireshark and routers status via CLI and then
statistics were built for each method and their test cases. The test cases
packet structure was built according to the captured packets at the
attacker’s outbound interface and the source code of the tools.
The DoS attacks experimented with include IPv6 extension headers combined with the IPv6 fragmentation mechanism; the result was that the packets could not be forwarded out of the local-area router. When the fragmentation mechanism itself was evaluated, abrupt traffic was originated with two different bandwidth limits from the attacker node; it caused a maximal DoS effect on the routers, strong enough to make a router hang or halt.
When an IPv6 access-list was implemented on a router as a countermeasure to stop the abrupt traffic types by source and destination address, the router nodes were affected even more by the abrupt IPv6 traffic, and in some cases network functionality halted completely because of maximum CPU utilisation. The DoS effect on a router was extreme, and the access-list tested in the research proved not to be a solution for handling these attacks.
2.9.3 Vulnerabilities and Threats in IPv6 Environment [14]
This thesis reviews IPv6 security with a focus on local area networks and IDS/IPS systems. It compares IPv4 and IPv6 threats and vulnerabilities and gives basic security recommendations. Selected IPv6 attacks and exploits are demonstrated in a simulated attacker/victim scenario on an IPv6 network. These experiments are then used to set up guidelines for evaluating the usability of IDS/IPS appliances against IPv6-specific threats.
The goal of this work was to gather knowledge of IPv6 security and related threats, then look into this area from the perspective of current IDS/IPS solutions and afterwards transform the gained knowledge into practical guidelines on how to assess the usability of these systems. The first part of this work contains a comprehensive and up-to-date comparison of IPv4 and IPv6 related threats with references to the corresponding RFCs. This part may be useful as a reference for future work. However, any such potential work should take into account that IPv6 is a very dynamic and still developing technology. In fact, some of the information may become outdated in a couple of months. The second part focused on particular attacks and IDS/IPS appliance assessment. I see the main contribution of this work in the description of the selected attacks. Even though several ready-to-use tools for penetration testing exist, none of them comes with any kind of documentation. The original intention was to test a physical and a virtual appliance with the same firmware and compare performance results. However, an issue in the VMware virtual infrastructure was found during the testing, so I decided, after consultation with the thesis supervisor, to scratch the results as untrustworthy. Testing of additional functionalities of the physical appliance was performed as a substitute. The overall results of the assessment are unsatisfactory. It is necessary to mention that the situation among the majority of other vendors is very similar. I strongly believe that such testing will help to improve IPv6 capabilities and hopefully even the protocol itself. There is a wide range of possibilities for future work as well as challenges in the area of IPv6 security.
The most current one would be transition mechanisms from IPv4 to IPv6 and their coexistence. Further development of testing tools and test cases would be advisable as well.
In conclusion, it cannot be decided whether IPv6 is by design more secure than IPv4. It is just different, maybe more different than many expected.
Wider deployment or testing of IPv6-capable solutions in real-world scenarios
2.9.4 Mitigating IPv6 Vulnerabilities [15]
This paper reviews some of the improvements associated with the new Internet Protocol version 6, with an emphasis on its security-related functionality, and concludes by summarising some of the most common security concerns the new suite of protocols creates. Mitigating security issues in IPv6 is important from an economic standpoint as well: new companies that want to start their business will be handed only IPv6 addresses, and if the other, larger organisations want to keep their business growing they will have to provide services to these new companies to generate more revenue. All of that communication will happen over IPv6, and if security is weak it can be compromised. Since IPv6 is at an early stage, more testing needs to be done to find the loopholes and resolve them. Vulnerabilities in IPv6 include the Transmission Control Protocol (TCP) SYN flood attack, the Type 0 Routing Header attack, Domain Name System (DNS) attacks, tunnelling issues, and fragmentation and extension-header vulnerabilities. The scope of this research is limited to some of these known vulnerabilities, proposing solutions that mitigate some of the attacks they enable and thereby making IPv6 more secure. The aim is to lessen some of those security concerns and provide practical solutions that make IPv6 more secure and adaptable.
Sub-problems for the research question
In order to answer the following questions:
How can we mitigate the security issues caused by the IPv6 protocol header, focusing on the issues that are specific to IPv6 only?
What security risks are associated with RFC non-compliant network devices, and what can be done to mitigate them?
What are the threats associated with the dual-stack architecture, and what are the implementation and architecture considerations for it?
three sub-problems have been identified. They are as follows.
The first sub-problem deals with issues specific to IPv6. Unlike in IPv4, the Internet Control Message Protocol (ICMP) is a required component of IPv6, so the firewall policy must account for all ICMPv6 message types (which is optional in IPv4). Neighbor Discovery uses ICMPv6 messages to find the link-layer address of a connected interface, to find neighbouring routers and for various other functions, which makes the role of ICMPv6 in IPv6 quite broad. Care must therefore be taken that the policies set for ICMPv6 account for all these message types. Setting the ICMPv6 firewall policy is an important problem because a large share of attacks can take the form of ICMPv6 messages. The scope of the research for this first sub-problem is to test different operating systems against Cisco ASA and Juniper SRX firewalls and to come up with a basic rule set that vendors can use to ensure that the basic malicious ICMPv6 packets are prevented from entering the internal network.
The second sub-problem concerns RFC non-compliant network devices. Not all IPv6-enabled devices support IPv6 completely, and different platforms behave differently under IPv6 attacks. RFC 2460 states that an extension header of a particular type should appear only once in a packet (except for the Destination Options header, which may appear twice). Optional information in IPv6 is encoded in the extension headers. Different end-user operating systems such as Red Hat, Ubuntu and FreeBSD react differently to extension headers. Extension headers have also caused some devices running these operating systems to ignore the layer-4 (OSI transport-layer) segment completely, and this behaviour has been used to exploit internal networks. Some OS platforms do not comply with RFC 2460 and allow more than one extension header of a particular type in a single packet. The scope of the research here is to test the effect of sending such malicious packets to different platforms and to produce a detailed analysis of how the various operating systems perform.
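The header-chain rules just described (one occurrence per extension-header type, Destination Options at most twice, Hop-by-Hop only directly after the base header, no Type 0 Routing Header) can be enforced mechanically before a packet reaches a host's transport layer. The following is an added example written for this page, not code from the paper under review or from any of the operating systems it tests: it walks the extension-header chain of a raw IPv6 packet and returns the headers seen together with the RFC 2460 violations found. The sample packets, the helper names (`walk_chain`, `options_header`, `routing_header`) and the addresses (chosen to match the lab of Chapter Three) are all constructed here for illustration.

```python
"""Added example (not from the paper under review): walk an IPv6 extension-header chain
and report the RFC 2460 violations a filter or host should refuse. Packets are constructed here."""
import ipaddress
import struct

HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 6, 43, 44, 50, 51, 58, 59, 60
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment", AH: "AH",
             DEST_OPTS: "Destination Options"}
UPPER_NAMES = {TCP: "TCP", ICMPV6: "ICMPv6", NO_NEXT: "No Next Header", ESP: "ESP"}


def ext_header_length(nxt, data):
    """Byte length of the extension header at the start of data, or None if its length field is missing."""
    if len(data) < 2:
        return None
    if nxt == FRAGMENT:          # fixed 8 bytes, no length field
        return 8
    if nxt == AH:                # AH length is in 32-bit words minus 2 (RFC 4302)
        return (data[1] + 2) * 4
    return (data[1] + 1) * 8     # Hop-by-Hop, Routing, Destination Options: 8-byte units not counting the first


def walk_chain(packet):
    """Return (chain, violations) for a raw IPv6 packet (no link-layer header).
    chain lists the headers in order; violations are strings a filter could alert on:
    a header type repeated beyond what RFC 2460 4.1 allows (once, Destination Options twice),
    Hop-by-Hop anywhere but directly after the base header, a Type 0 Routing Header (RFC 5095),
    and a chain cut short by the payload length."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return [], ["not an IPv6 packet"]
    payload_len, nxt = struct.unpack("!HB", packet[4:7])
    data = packet[40:40 + payload_len]
    chain, violations, seen, pos = [], [], {}, 0
    while nxt in EXT_NAMES:
        name = EXT_NAMES[nxt]
        hlen = ext_header_length(nxt, data[pos:])
        if hlen is None or pos + hlen > len(data):
            return chain + [name], violations + ["truncated %s header" % name]
        chain.append(name)
        seen[nxt] = seen.get(nxt, 0) + 1
        limit = 2 if nxt == DEST_OPTS else 1
        if seen[nxt] == limit + 1:
            violations.append("%s header appears more than %d time(s)" % (name, limit))
        if nxt == HOP_BY_HOP and pos != 0:
            violations.append("Hop-by-Hop header not immediately after the IPv6 header")
        if nxt == ROUTING and data[pos + 2] == 0:
            violations.append("Type 0 Routing Header (deprecated by RFC 5095)")
        nxt, pos = data[pos], pos + hlen   # Next Header is the first byte of every extension header
    chain.append(UPPER_NAMES.get(nxt, "protocol %d" % nxt))   # ESP ends the walk: what follows is encrypted
    return chain, violations


# Constructed sample packets: attacker 2001:abcd::4 to web server 2001:abcd::2, as in the lab of Chapter Three.
def ipv6_packet(first_header, payload):
    src, dst = ipaddress.IPv6Address("2001:abcd::4"), ipaddress.IPv6Address("2001:abcd::2")
    return struct.pack("!IHBB", 0x60000000, len(payload), first_header, 64) + src.packed + dst.packed + payload


def options_header(nxt):
    """8-byte Hop-by-Hop or Destination Options header (same layout; the type comes from the
    previous Next Header field) holding one PadN option of 4 bytes."""
    return struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"


def routing_header(nxt, rtype):
    """8-byte Routing header with no addresses and Segments Left 0; rtype 0 is the deprecated RH0."""
    return struct.pack("!BBBB", nxt, 0, rtype, 0) + b"\x00" * 4


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # 20-byte SYN, checksum left 0

SAMPLES = {
    "compliant": ipv6_packet(DEST_OPTS, options_header(TCP) + TCP_SYN),
    "double hop-by-hop": ipv6_packet(HOP_BY_HOP, options_header(HOP_BY_HOP) + options_header(TCP) + TCP_SYN),
    "rh0": ipv6_packet(ROUTING, routing_header(TCP, 0) + TCP_SYN),
    "triple dest opts": ipv6_packet(DEST_OPTS, options_header(DEST_OPTS) * 2 + options_header(TCP) + TCP_SYN),
}


def check_all(samples=SAMPLES):
    """Map each sample name to its (chain, violations)."""
    return {name: walk_chain(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (chain, violations) in check_all().items():
        print("%-18s %-60s %s" % (name, " > ".join(chain), violations or "ok"))
```

The walk stops at ESP because nothing after it is readable, and it refuses a chain whose declared header lengths run past the payload length; both are cases where a filter that simply skips to "the transport header" ends up inspecting the wrong bytes, which is the failure the second sub-problem describes.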
The third sub-problem relates to the threats of a dual-stack network. Organisations around the world cannot change their networks to IPv6 overnight, so networks will remain dual-stack for a significant period. IPv6 will be deployed gradually, with IPv4 supported only for legacy services and clients. Initially there will be islands of IPv6 networks separated by IPv4 networks, so there has to be a way for IPv6 networks to communicate across IPv4 networks; this is accomplished by tunnelling. Teredo tunnels are essential for users behind NAT devices so that they can reach external IPv6 networks. Teredo tunnels bypass the NAT devices, and Teredo traffic is difficult to inspect because it uses random port numbers. Teredo tunnels can also bypass firewalls, so security controls need to be made Teredo-aware; applying firewall policies to Teredo traffic is therefore very difficult. The solution should support end-to-end host security.
This third sub-problem researches some of the potential threats from Teredo tunnels that most organisations may overlook and proposes a solution for tackling them.
CHAPTER THREE
3. Results & Analysis
This chapter starts by briefly defining, in separate sections, the tools used to implement the experiments in this research, and then describes the network environment and topology.
It then defines the ARP poisoning attack, shows the normal operation of the IPv6 network before the attack, and implements the attack in three different scenarios, observing and analysing the results by tracking and comparing the messages the machines exchange over ICMPv6 at the link-layer level; it describes how the attacker succeeds in impersonating the web server, and the Man-in-the-Middle position is demonstrated.
It then turns briefly to the denial of service attack and observes the IPv6 network before the attack appears. The attack is carried out in three different cases and the results are observed and analysed by tracking the advertisement messages sourced from the attacker machine that flood the network until the denial of service takes effect.
The last section of the chapter covers mitigation of the denial of service attack with Snort acting as an IPS, describing the Snort settings used to block the attack and the effect of using the IPS.
3.1 Tools
3.1.1 VirtualBox application version 4.3.12
VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. It is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use, an extremely feature-rich, high-performance product for enterprise customers, and it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2 [16].
3.1.2 Wireshark
Wireshark is a network protocol analyzer and sniffer. It reads packets from the network with the help of libpcap (or from capture files written by tcpdump and similar tools) and presents them in an easily understandable way. It is an open-source network analyzer founded in 1998. It works in two modes, promiscuous and non-promiscuous: in promiscuous mode the node's NIC reads all the traffic on the channel, while in non-promiscuous mode it reads only the packets addressed to the host node. Wireshark supports a rich set of features for presenting IP packet information; a few of them follow [17].
Live capture and offline analysis.
Deep inspection of hundreds of protocols, with more being added all the time.
Standard three-pane packet browser. Its default columns include packet number, time, source address, destination address, protocol name and protocol information.
Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM and others.
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
3.1.3 The Hacker's Choice (THC-IPv6)
THC-IPv6 is an open-source toolkit maintained by "van Hauser". It allows penetration testing of the IPv6 protocol to probe the weaknesses of a node. The toolkit includes over 50 separate tools for attacking IPv6-based protocols and headers; it is capable of IPv6 node discovery, IPv6 router impersonation and initiating DoS attacks. THC is a hacker group assembled from around the world, an open-source community that develops and exposes the security vulnerabilities of IP-based networks, with the aim of exposing the security weaknesses of products. THC was founded in 1995 and has published scientific theses and released security penetration tools [18].
Some of the tools THC-IPv6 provides:
"parasite6": ICMPv6 Neighbor Solicitation/Advertisement spoofer that can be used to launch a Man-in-the-Middle attack.
"flood_router26": floods the target /64 network with Router Advertisement messages to create a bottleneck.
"fake_router6": advertises a node as the highest-priority router on the network to redirect traffic to the defined node.
"redir6": uses spoofed ICMPv6 Redirect messages to launch a Man-in-the-Middle attack.
"denial6": seven different methods of denial-of-service tests against a target, taking advantage of the IPv6 extension header mechanism [19].
3.1.4 Snort [20]
Snort is a free and open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998. It runs on different operating systems such as Linux and Windows.
Snort can operate in three modes, namely tap (passive), inline and inline-test, and Snort policies and rules can be configured in all three. Snort uses a simple, lightweight rule description language that is flexible and quite powerful [21].
3.1.5 Network design and equipment
This section describes the hardware specifications and operating system of each machine, including the applications and software installed, and the main function of each machine.
3.1.5.1 Dell laptop
Windows 7 64-bit, Intel Core i7 at 2.00 GHz and 6 GB of RAM. It runs Oracle VM VirtualBox Manager, whose virtualization is used to create the Ubuntu Linux Server 14.04 and Kali Linux 3.14.1 virtual machines. Wireshark version 2.0.5 is installed on it to capture the packets exchanged between those servers, and Snort version 2.9.11 as the intrusion prevention system.
3.1.5.2 Ubuntu
Linux Server version 14.04, used as the web server, with Intel Core i7 at 2.00 GHz and 6 GB of RAM.
3.1.5.3 Kali
Linux version 3.14.1, used as the attacking machine with the required tools, with Intel Core i7 at 2.00 GHz and 2 GB of memory.
3.1.5.4 Network topology
(Figure 3.1): Illustrated diagram of the interfaces in the lab
The diagram above shows the details of the network adapters targeted in this project and the names of the machines including their operating systems (Figure 3.1).
Table (3.1): IPv6 and link-layer addresses
Machine name   IPv6 address       Link-layer address
Web server     2001:abcd::2/64    08:00:27:a6:8c:b3
Client         2001:abcd::1/64    08:00:27:00:90:da
Attacker       2001:abcd::4/64    08:00:27:80:a0:ce
Table 3.1 contains the IPv6 and link-layer addresses of the attacker machine, the web server and the client access and monitoring terminal, with the link-layer addresses as they appear in the captures below.
3.2 Experiments
3.2.1 The ARP poisoning attack
ARP spoofing is the technique of forging ARP messages on a network: the attacker updates a host's ARP cache with false information via spoofed ARP replies and places himself between two communicating hosts, making sure that all traffic between them passes through him so that he can see all of it. IPv6 has no ARP; its equivalent is Neighbor Discovery over ICMPv6, so in this attack the attacker uses spoofed Neighbor Solicitation and Neighbor Advertisement messages to perform the Man-in-the-Middle attack.
3.2.1.1 Normal operation of the IPv6 network
Qualification
All devices are off.
The client & capture monitor does not run any network service such as DHCP or DNS.
The client & capture monitor is on and capturing network traffic on the VirtualBox host-only network.
IP forwarding is turned off on the attacker machine.
Experiment
1. Turn on the "Client & capture monitor" and "Web Server" machines.
2. Wait until the client & capture monitor and the web server stabilise.
3. The client & capture monitor sends 10 pings to the web server.
4. From the client, open the web site [2001:abcd::2] in a browser.
5. Save the capture as normal-operation.
Observation
The traffic between the web server and the client before the attack runs normally and smoothly, as the captured packets 15 to 34 in Figure 3.2 show, and the web service is reachable from the access machine, as shown in Figure 3.3.
(Figure 3.2): Monitor of packets in normal operation
In Figure 3.2 the web server and the client exchange Neighbor Solicitation and Neighbor Advertisement messages over ICMPv6, each answering with its own link-layer address. When the client sends an echo request (ping), the server replies normally; these packets carry the global IPv6 addresses as source and destination rather than the link-local addresses used for neighbor resolution.
The client then reaches the web site on the web server over TCP and HTTP without any further solicitation or advertisement messages.
(Figure 3.3): Accessing the web site in normal operation
Analysis
In frame 15 below, the server sends a Neighbor Solicitation for the client's address 2001:abcd::1 from its link-local address, carrying its own link-layer address (08:00:27:a6:8c:b3), over ICMPv6.
No. 15  Src: fe80::a00:27ff:fea6:8cb3  Dst: 2001:abcd::1  ICMPv6  86 bytes  Neighbor Solicitation for 2001:abcd::1 from 08:00:27:a6:8c:b3
Frame 15: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: 2001:abcd::1
Internet Control Message Protocol v6
In frame 16 the client in turn sends a Neighbor Solicitation for the server's link-local address to the solicited-node multicast address ff02::1:ffa6:8cb3 (Ethernet 33:33:ff:a6:8c:b3), carrying its own link-layer address (08:00:27:00:90:da).
No. 16  Src: fe80::d953:a236:d606:890c  Dst: ff02::1:ffa6:8cb3  ICMPv6  86 bytes  Neighbor Solicitation for fe80::a00:27ff:fea6:8cb3 from 08:00:27:00:90:da
Frame 16: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:a6:8c:b3 (33:33:ff:a6:8c:b3)
Internet Protocol Version 6, Src: fe80::d953:a236:d606:890c, Dst: ff02::1:ffa6:8cb3
Internet Control Message Protocol v6
In frame 17 the web server replies to the client with a Neighbor Advertisement carrying its link-layer address; the solicited (sol) and override (ovr) flags are set.
No. 17  Src: fe80::a00:27ff:fea6:8cb3  Dst: fe80::d953:a236:d606:890c  ICMPv6  86 bytes  Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (sol, ovr) is at 08:00:27:a6:8c:b3
Frame 17: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
Internet Control Message Protocol v6
In frame 18 the client replies to the web server with a Neighbor Advertisement carrying its own link-layer address.
No. 18  Src: 2001:abcd::1  Dst: fe80::a00:27ff:fea6:8cb3  ICMPv6  86 bytes  Neighbor Advertisement 2001:abcd::1 (sol, ovr) is at 08:00:27:00:90:da
Frame 18: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: fe80::a00:27ff:fea6:8cb3
Internet Control Message Protocol v6
In frame 19 the client sends an echo request (ping) from its IPv6 address (2001:abcd::1) over ICMPv6.
No. 19  Src: 2001:abcd::1  Dst: 2001:abcd::2  ICMPv6  94 bytes  Echo (ping) request id=0x0001, seq=21, hop limit=128 (reply in 20)
Frame 19: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Internet Control Message Protocol v6
In frame 20 the web server answers with an echo reply from its IPv6 address (2001:abcd::2) over ICMPv6; now that neighbor resolution is complete, both packets carry the global IPv6 addresses as source and destination.
No. 20  Src: 2001:abcd::2  Dst: 2001:abcd::1  ICMPv6  94 bytes  Echo (ping) reply id=0x0001, seq=21, hop limit=64 (request in 19)
Frame 20: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6
In frame 29, when the client starts browsing the web site on the web server, it sends a [SYN] to the server over the Transmission Control Protocol (TCP) to port 80.
No. 29  Src: 2001:abcd::1  Dst: 2001:abcd::2  TCP  86 bytes  49425 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
Frame 29: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 49425 (49425), Dst Port: 80 (80), Seq: 0, Len: 0
In frame 30 the server replies to the client with [SYN, ACK].
No. 30  Src: 2001:abcd::2  Dst: 2001:abcd::1  TCP  86 bytes  80 → 49425 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
Frame 30: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 49425 (49425), Seq: 0, Ack: 1, Len: 0
The activity diagram below describes the normal operation.
(Figure 3.4): Activity diagram for normal operation
3.2.1.2 First ARP poisoning attack
Qualification
All devices are off.
The client & capture monitor does not run any network service such as DHCP or DNS.
The client & capture monitor is on and capturing network traffic on the VirtualBox host-only network.
IP forwarding is turned off on the attacker machine.
Experiment
1. Turn on the "Client & capture monitor" and "Web Server" machines.
2. Wait until the client & capture monitor and the web server stabilise.
3. The client & capture monitor sends 10 pings to the web server.
4. From the client, open the web site [2001:abcd::2] in a browser.
5. Turn on the attacker machine.
6. Launch the attack with the command # atk6-parasite6 eth0 2001:abcd::2 fake-mac
7. The client & capture monitor sends 10 pings to the web server.
8. From the client, open the web site [2001:abcd::2] in a browser.
9. Save the capture as ARP-first-attack.
Observation
Before the attack is started (step 6) the client & capture monitor can ping the web server successfully, as Figure 3.5 shows; packets 1 to 8 in Figure 3.5 confirm it.
Figure 3.5: Packets before the first ARP attack
It is clear in the figure that the client sends its Neighbor Solicitation for the web server with its link-layer address over ICMPv6, the web server answers with a Neighbor Advertisement carrying its own link-layer address, and the ping echo request and reply take place, as shown in Figure 3.6.
(Figure 3.6): Ping replies from the server
After the attack has started, the echo requests give the results analysed below:
The web server replies to the client's Neighbor Solicitation with its own Neighbor Advertisement; Figure 3.7 shows the captured packets 46 and 47.
Figure 3.7: Solicitation and advertisement messages in the first ARP attack
The client and the server use their link-layer addresses for Neighbor Solicitation and Advertisement over ICMPv6, while the attacker repeatedly sends spoofed Neighbor Advertisements that override the existing neighbor-cache entries. The Neighbor Advertisements sent by both the attacker and the web server have the override flag set to 1, so the entry follows whichever advertisement arrived last.
The attacker sends a Neighbor Advertisement to the client claiming that the IPv6 address belonging to the web server is its own, as Figure 3.8 shows.
(Figure 3.8): Monitor of packets in the first ARP attack
In the packets detailed in Figure 3.8 the attacker continuously sends Neighbor Advertisements from its own link-layer address to the link-layer address of the client access station, using the IPv6 address of the web server in its deceptive message.
The ping requests the client sends to the web server are now delivered to the attacker, since the attacker is impersonating the web server. The attacker itself generates a Neighbor Solicitation to find the real destination of the packet, and with forwarding in place it would relay the traffic to the real server and the reply back to the client, completing the Man-in-the-Middle; this appears in Figure 3.8 in packets 127 to 129. In this scenario, however, IP forwarding is turned off on the attacker machine, so the web server becomes unreachable: the attacker cannot relay the messages on the server's behalf and only cuts the client off, as Figure 3.8 shows by the client being unable to reach the web server.
(Figure 3.9): How the attacker works
In the screen below the client's echo requests do not reach the server and time out; the attacker answers the Neighbor Solicitations with advertisements carrying its own link-layer address, the web server is no longer reachable at its link-layer address, and the attacker can capture any data the client sends towards the server.
(Figure 3.10): Pinging during the first ARP attack
At the upper layers, specifically the application layer, before the attack starts the client can access the web site [2001:abcd::2] on the web server, so the web application is running on the server and traffic flows normally between client and server; Figure 3.11 reflects that, and packets 29 to 32 in Figure 3.11 confirm it.
(Figure 3.11): Packets for accessing the web site before the first ARP attack
The packets are exchanged normally between the client and the web server over TCP and the client can browse the web site on the server (Figure 3.12).
(Figure 3.12): Accessing the web site before the first ARP attack
After the attack starts, when the client tries to reach the web server its [SYN] segments are delivered to the attacker's link-layer address instead of the server's; no [SYN, ACK] comes back, the client keeps retransmitting the [SYN] ([TCP Retransmission]), and the web site can no longer be accessed. Figure 3.13 details packets 121 to 124, and Figure 3.14 confirms that the web site is unreachable.
(Figure 3.13): In the first ARP attack the client's requests reach the attacker instead of the server
The attacker receives all of the client's browsing requests instead of the web server, and the client ends up with an unreachable error; but if a web site were running on the attacker machine, prepared as a trap, the client would reach that site instead of the one on the server.
(Figure 3.14): Web service unavailable in the first ARP attack
The attacker launches a successful attack by repeatedly sending spoofed Neighbor Advertisements in answer to every Neighbor Solicitation generated on the network, as Figure 3.15 shows.
(Figure 3.15): Attacker machine spoofing the client in the first ARP attack
Analysis
In frame 46, after the attack was launched, the client sends a Neighbor Solicitation for the server's IPv6 address with its own link-layer address.
No. 46  Src: 2001:abcd::1  Dst: 2001:abcd::2  ICMPv6  86 bytes  Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
Frame 46: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Internet Control Message Protocol v6
In frame 47 the server answers the client's solicitation with a Neighbor Advertisement; only the solicited flag is set and, at 78 bytes, the message carries no target link-layer address option.
No. 47  Src: 2001:abcd::2  Dst: 2001:abcd::1  ICMPv6  78 bytes  Neighbor Advertisement 2001:abcd::2 (sol)
Frame 47: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6
In frames 121 to 124 below, while the attack is running, the client browses and repeatedly resends its [SYN] segments, which are now addressed to the attacker's link-layer address (08:00:27:80:a0:ce).
No. 121  Src: 2001:abcd::1  Dst: 2001:abcd::2  TCP  86 bytes  [TCP Retransmission] 50021 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
Frame 121: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 50021 (50021), Dst Port: 80 (80), Seq: 0, Len: 0
No. 122  Src: 2001:abcd::1  Dst: 2001:abcd::2  TCP  86 bytes  [TCP Retransmission] 50022 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
Frame 122: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 50022 (50022), Dst Port: 80 (80), Seq: 0, Len: 0
No. 123  Src: 2001:abcd::1  Dst: 2001:abcd::2  TCP  82 bytes  [TCP Retransmission] 50021 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 SACK_PERM=1
Frame 123: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 50021 (50021), Dst Port: 80 (80), Seq: 0, Len: 0
No. 124  Src: 2001:abcd::1  Dst: 2001:abcd::2  TCP  82 bytes  [TCP Retransmission] 50022 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 SACK_PERM=1
Frame 124: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
Transmission Control Protocol, Src Port: 50022 (50022), Dst Port: 80 (80), Seq: 0, Len: 0
In frame 127 the attacker machine sends a Neighbor Advertisement for the server's IPv6 address 2001:abcd::2, giving its own link-layer address (08:00:27:80:a0:ce), to the client's IPv6 address; the solicited and override flags are set.
No. 127  Src: 2001:abcd::2  Dst: 2001:abcd::1  ICMPv6  86 bytes  Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce
Frame 127: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6
In frame 128 the attacker repeats the advertisement for 2001:abcd::2 with its link-layer address (08:00:27:80:a0:ce), this time with the router (rtr) and override flags set.
No. 128  Src: 2001:abcd::2  Dst: 2001:abcd::1  ICMPv6  86 bytes  Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce
Frame 128: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6
In frame 129 the attacker keeps repeating the advertisement. From now on the client talks to the attacker's link-layer address whenever it uses the server's IPv6 address: the attacker has taken the server's place and can capture whatever the client sends to the server.
No. 129  Src: 2001:abcd::2  Dst: 2001:abcd::1  ICMPv6  86 bytes  Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce
Frame 129: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
Internet Control Message Protocol v6
3.2.1.3 Second ARP poisoning Attack
Qualification
All devices are off.
Client & capture monitor does not have any networking service
such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on
Virtual Box Host-only Network.
IP forwarding has been turned OFF in Attacker machine.
Experiment
Turn on the computers “Client & capture monitor” and “Web
Server”.
Wait till “Client & capture monitor” and “Web Server” stabilize.
Turn on the Attacker machine and wait for it to stabilize.
Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2
fake-mac.
Client & capture monitor sends 10 pings to the Web Server.
From the client, open the web site [2001:abcd::2] in a browser.
Save the capture as ARP-Second-attack.
Observation
The attacker starts sending multicast listener messages and router
solicitation messages on the network to scan for and discover the link
addresses of its neighbours; the source of all these messages is the
attacker's link address, as shown in Figure 3.16 for packets 3 up to 10
logged by the capture machine.
(Figure 3.16): Router solicitation message in second ARP
When the client device starts sending pings to the web server while the
attack is running, the first reply comes from the web server, as shown
below in Figure 3.17.
(Figure 3.17): pinging after second ARP
The attacker continues sending repeated Neighbor Advertisements, which
are captured in Figure 3.18 in the detailed packets 55 up to 59 below;
the attacker's link address appears as the packet source address, marked
with red arrows.
(Figure 3.18): continued advertisement messages in second ARP
The attacker replies to the client device to serve the remaining requests
as a Man-in-the-Middle, which is evident in packets 62 up to 66; Figure
3.19 below proves that.
(Figure 3.19): attacker success in second ARP
(Figure 3.20): web services stopped in second ARP
At the application level, when the client tries to browse the web site
[2001:abcd::2] on the web server, it is unable to reach it and an error
is generated, because every client request to browse the web site is
answered by the attacker's link-layer address instead of the web server's
address, as in (Figure 3.20) above. The packets captured from 110 up to
117 in Figure 3.21 below show that the Man-in-the-Middle attack succeeded,
because the attacker's address exchanges messages with the client machine
as if it were the web server.
(Figure 3.21): Man-in-the-Middle in second ARP
Finally, changing the attack scenario did not produce any change in the
result. The attacker still effectively used the Neighbor Solicitation and
Neighbor Advertisement messages to perform the ARP poisoning attack, and
a Man-in-the-Middle attack took place as in the previous scenario. This
is shown in Figure 3.22 below, where the attacker acts in place of the
web server, replies to the client and gathers all the information needed
for a successful attack.
(Figure 3.22): attacker machine spoofed in second ARP
Analysis
In frames 3 up to 7 below, the attacker starts sending multicast listener
messages and router solicitation messages on the network to discover the
link addresses of its neighbours; the source of all these messages is the
attacker's link address (a0:ce).
No Src Dst P/Length Info 3 :: ff02::16 ICMPv6 110 Multicast Listener Report Message v2
Frame 3: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16) Internet Protocol Version 6, Src: ::, Dst: ff02::16 Internet Control Message Protocol v6
No Src Dst P/Length Info 4 :: ff02::1:ff00:4 ICMPv6 78 Neighbor Solicitation for 2001:abcd::4
Frame 4: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:00:00:04 (33:33:ff:00:00:04) Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff00:4 Internet Control Message Protocol v6
No Src Dst P/Length Info 5 :: ff02::1:ff80:a0ce ICMPv6 78 Neighbor Solicitation for fe80::a00:27ff:fe80:a0ce
Frame 5: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:80:a0:ce (33:33:ff:80:a0:ce) Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff80:a0ce Internet Control Message Protocol v6
No Src Dst P/Length Info 6 :: ff02::16 ICMPv6 110 Multicast Listener Report Message v2
Frame 6: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16) Internet Protocol Version 6, Src: ::, Dst: ff02::16 Internet Control Message Protocol v6
No Src Dst P/Length Info 7 fe80::a00:27ff:fe80:a0ce ff02::16 ICMPv6 110 Multicast Listener Report Message v2
Frame 7: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16) Internet Protocol Version 6, Src: fe80::a00:27ff:fe80:a0ce, Dst: ff02::16 Internet Control Message Protocol v6
In frame 59 below the attacker sends a Neighbor Advertisement sourced
from its own link-layer address to the client IPv6 address.
No Src Dst P/Length Info 59 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (rtr, sol, ovr) is at 08:00:27:80:a0:ce
Frame 59: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da) Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1 Internet Control Message Protocol v6
In frame 62 the attacker receives the data sent from the client to the
web server; its link address appears as the destination.
No Src Dst P/Length Info 62 2001:abcd::1 2001:abcd::2 ICMPv6 94 Echo (ping) request id=0x0001, seq=1081, hop limit=128 (no response found!)
Frame 62: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0 Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce) Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2 Internet Control Message Protocol v6
All the client's requests to browse the web site ([SYN] segments) are
received by the attacker machine, as is clear in frames 110 and 111.
No Src Dst P/Length Info 110 2001:abcd::1 2001:abcd::2 TCP 86 51288 → 81 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
Frame 110: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce) Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2 Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0
No Src Dst P/Length Info 111 2001:abcd::1 2001:abcd::2 TCP 86 [TCP Retransmission] 51288 → 81 [SYN] Seq=1 Win=8192 Len=1 MSS=1441 WS=256 SACK_PERM=1
Frame 111: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce) Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2 Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0
In frame 112 the client sends a Neighbor Solicitation from its IPv6
address to the attacker machine's link address.
No Src Dst P/Length Info 112 2001:abcd::1 2001:abcd::2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
Frame 112: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce) Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2 Internet Control Message Protocol v6
In frame 113 below the attacker successfully sends a Neighbor
Advertisement to the client address in place of the web server, and from
then on communicates with the client and receives any data sent to the
web server.
No Src Dst P/Length Info 113 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce
Frame 113: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da) Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1 Internet Control Message Protocol v6
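A defender-side check for the pattern analysed above (frames 127 to 129 and frames 112 to 113): the following Python, added here as an illustration and not part of the thesis or of the tools it uses, parses Neighbor Advertisement and Neighbor Solicitation summary lines in the form of these listings and flags an advertisement that rebinds a known IPv6 address to a different link-layer address (in particular with the override flag set) or that arrives without a preceding solicitation. The trusted web-server MAC 08:00:27:aa:bb:cc is a placeholder, since the capture does not show the server's real address.

```python
import re
from dataclasses import dataclass, field

# Wireshark one-line ICMPv6 summaries as they appear in this chapter's listings.
NA_RE = re.compile(r"Neighbor Advertisement (?P<target>[0-9a-f:]+) "
                   r"\((?P<flags>[a-z, ]*)\) is at (?P<mac>[0-9a-f:]{17})")
NS_RE = re.compile(r"Neighbor Solicitation for (?P<target>[0-9a-f:]+)")
@dataclass
class NdpMonitor:
    trusted: dict                                # operator-supplied IPv6 -> MAC
    learned: dict = field(default_factory=dict)  # first binding seen per target
    pending: set = field(default_factory=set)    # targets with an NS in flight
    alerts: list = field(default_factory=list)   # (frame, target, mac, reason)

    def feed(self, line):
        frame = int(line.split()[0])             # the "No" column of the listing
        ns = NS_RE.search(line)
        if ns:
            self.pending.add(ns.group("target"))
            return
        na = NA_RE.search(line)
        if not na:
            return
        target, mac = na.group("target"), na.group("mac")
        flags = {f.strip() for f in na.group("flags").split(",")}
        expected = self.trusted.get(target) or self.learned.get(target)
        reasons = []
        if expected and expected != mac:
            # The pattern of frames 127-129 and 113: a known address is
            # re-advertised with a different MAC and the override (ovr) flag.
            reasons.append("binding changed" + (" with override" if "ovr" in flags else ""))
        if "sol" not in flags and target not in self.pending:
            reasons.append("unsolicited advertisement")
        if reasons:
            self.alerts.append((frame, target, mac, "; ".join(reasons)))
        self.learned.setdefault(target, mac)     # learning mode trusts the first NA
        self.pending.discard(target)
def run_monitor(lines, trusted):
    mon = NdpMonitor(trusted)
    for line in lines:
        mon.feed(line)
    return mon
# Constructed sample: Info columns copied from this chapter's captures. The
# trusted MAC of the web server is a placeholder; its real MAC is not shown.
SAMPLE_LINES = [
    "127 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce",
    "128 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce",
    "112 2001:abcd::1 2001:abcd::2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da",
    "113 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce",
]
TRUSTED = {"2001:abcd::2": "08:00:27:aa:bb:cc"}  # placeholder value
```

With the placeholder trusted table all three advertisements are flagged as binding changes; without a trusted table (learning mode) only the unsolicited frame 128 is flagged, which shows why a static binding for critical hosts matters.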
3.2.1.4 Third ARP poisoning Attack
Qualification
All devices are off.
Client & capture monitor does not have any networking service
such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on
Virtual Box Host-only Network.
IP forwarding has been turned OFF in Attacker machine.
Experiment
Turn on the computers “Client & capture monitor” and “Web Server”.
Wait till “Client & capture monitor” and “Web Server” stabilize.
Ping the web server from the client computer continuously.
Turn on the Attacker machine and wait for it to stabilize.
Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2
fake-mac.
Save the capture as ARP-Third-attack.
Observation
The attack was effective when the attack was performed whi