IPv6 Some ISP related security Problems

IPv6 Some ISP related security Problems Sina Herbert / Christoph Weber Swinog 10.5.2012 Version 1.02


Transcript of IPv6 Some ISP related security Problems

Page 1: IPv6  Some ISP related security Problems

IPv6 Some ISP related security Problems

Sina Herbert / Christoph Weber

Swinog, 10.5.2012, Version 1.02

Page 2: IPv6  Some ISP related security Problems

about us

• Sina Herbert: studied computer science at the University of Applied Sciences in Fulda (Germany).

• Christoph Weber: first hack was more than 30 years ago, and I am still active.

• Both currently working for a big ISP in Switzerland in the development team for datacenter, network and security:
- integration of IPv6 in our datacenter environment
- IPv4 + IPv6 security
- IPv4 old-world routing / switching

Page 3: IPv6  Some ISP related security Problems

Disclaimer + Warning

• This is our own study and analysis, or it is based on publicly available information!

• All information is our private work and our own ideas!

• It represents our opinion!

• No relation to the company we currently work for!

Warning!

• ALL information is for internal and testing purposes only!

• Don't do this at home!

Page 4: IPv6  Some ISP related security Problems

agenda

• DNS problems - bruteforce / reverse

• WLAN - sniffing / mDNS / mobile devices

• OSPFv3 implementation problems - wrong integration

• 6RD security - attack IPv4 from IPv6

• (Anti)spoofing - example: Hurricane Electric Tunnel Broker

Page 5: IPv6  Some ISP related security Problems

DNS

• Hostnames
• Naming scheme
• DNS servers: the new target on IPv6
• DNS bruteforce
• Reverse DNS bruteforce

Page 6: IPv6  Some ISP related security Problems

find the target with DNS

• DNS: based on DNS information, the public servers are easy to find. Create your own dig script, or use the THC tool dnsdict6 (you need a good hostname list ...).

• Sys and net admins mostly use only the last 4 (or 8) hex digits of the IPv6 address range for host addresses (simpler to remember and to write).

• Scanning simple addresses, because sysadmins are lazy (or geeks): :1, :53, :80, :def, :affe, :c5c0, :cafe, :babe (as the last hextet of the address).

• Because most companies use an IPv6 addressing plan, it's easy to find more targets once the scheme is known.

Page 7: IPv6  Some ISP related security Problems

find the target with DNS

• Bruteforce the DNS server with a "large, optimized" hostname file.

Page 8: IPv6  Some ISP related security Problems

find the target with DNS

Sample: switch.ch (screenshot; results annotated "autoconfig" and "by hand")

Page 9: IPv6  Some ISP related security Problems

Reverse DNS

Sample environment: within 2001:DB8::/32 there is 2001:DB8:FF::/48, whose reverse DNS is hosted in a zone called F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. For simpler handling we call F.F.0.0.8.b.d.0.1.0.0.2.ip6.arpa. => X

Given the zone name, we can query 0.X, 1.X, 2.X ... up to and including f.X. Most of these queries will return an NXDOMAIN rcode; this means the name does not exist and, very importantly, it can usually be construed to mean that no longer name (nothing below it in the tree) exists either. Suppose that in this case two of the names (0.X and f.X) do not return NXDOMAIN but NOERROR with an empty answer. This means the name server has a reason not to deny existence, and here that reason is that a longer name exists: the queried name is an empty non-terminal. Caveat: some name server implementations wrongly answer NXDOMAIN for empty non-terminals, and against such a server the walk silently misses whole subtrees.

Page 10: IPv6  Some ISP related security Problems

Walk (written here with the nibble appended for readability, e.g. X.4; the actual query name is 4.X, i.e. the nibble is prepended to the zone name):

X.0 -> NXDOMAIN
X.1 -> NXDOMAIN
X.2 -> NXDOMAIN
X.3 -> NXDOMAIN
X.4 -> NOERROR
X.4.0 -> NXDOMAIN
X.4.1 -> NXDOMAIN
X.4.2 -> NOERROR
X.4.2.0 -> NOERROR
X.4.2.0.0 -> NOERROR
X.4.2.0.0.0 -> NXDOMAIN
X.4.2.0.0.1 -> NOERROR
X.4.2.0.0.1.0 -> NOERROR
...
X.4.2.0.0.1.0.0.F.F.0.0.0.1.0.1.2.A.F.F.E -> www.whatever.com

Reverse DNS

NXDOMAIN -> next nibble, same level
NOERROR -> next level down (descend one nibble)

Page 11: IPv6  Some ISP related security Problems

Reverse DNS

Tools, for reverse dns scan

ip6-arpa-scan.py
root@blubberli:# ./ip6-arpa-scan.py 0.2.6.0.1.0.0.2.ip6.arpa 195.186.1.110 64
base 0.2.6.0.1.0.0.2.ip6.arpa server 195.186.1.110 limit 41
c.d.0.0.0.0.2.6.0.1.0.0.2.ip6.arpa., 1630 queries done, 365 found, 0.00% done

dnsrevenum6
root@blubberli: dnsrevenum6 195.186.1.110 2001:620::/48
Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110
Found: scsnms.switch.ch. is 2001:620::1
Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::
Found: domreg.nic.ch. is 2001:620::4
Found: merapi.switch.ch. is 2001:620::5
Found: mamp1.switch.ch. is 2001:620::a
Found: atitlan.switch.ch. is 2001:620::2
Found: manaro.switch.ch. is 2001:620::14
Found: lopevi.switch.ch. is 2001:620::1a

Page 12: IPv6  Some ISP related security Problems

Reverse DNS

root@blubberli: ./dnsrevenum6 195.186.1.110 2001:620::/48
Starting DNS reverse enumeration of 2001:620:: on server 195.186.1.110
Found: NET-HOST-LOOPBACK.switch.ch. is 2001:620::
Found: scsnms.switch.ch. is 2001:620::1
Found: atitlan.switch.ch. is 2001:620::2
Found: domreg.nic.ch. is 2001:620::4
Found: merapi.switch.ch. is 2001:620::5
Found: mamp1.switch.ch. is 2001:620::a
Found: manaro.switch.ch. is 2001:620::14
Found: lopevi.switch.ch. is 2001:620::1a
Found: tbutest.switch.ch. is 2001:620::2a
Found: snmp-trap.lan.switch.ch. is 2001:620::162
...
Found: htabi-swiBE2.switch.ch. is 2001:620:0:fff9::2
Found: swiLS2-G2-4.switch.ch. is 2001:620:0:fffb::1
Found: swiGE2-10GE-3-2.switch.ch. is 2001:620:0:fffc::1
Found: swiIBM2-G1-2.switch.ch. is 2001:620:0:fffd::1
Found 1111 entries.

Page 13: IPv6  Some ISP related security Problems

DNS Security

• Prepare for a large number of queries
• DoS-protect your DNS infrastructure
• Rate-limit DNS queries (if possible)
• Only provide necessary information (no PTR records for hosts you don't want enumerated)
• Watch the DNS logs: a reverse walk shows up as long runs of NXDOMAIN answers for sibling nibbles from one client.

Page 14: IPv6  Some ISP related security Problems

PWLAN (public WLAN)

• PWLAN sniffing
• Find the user
• mDNS attack
• RA

Page 15: IPv6  Some ISP related security Problems

mDNS / Zeroconf

• Zeroconf with mDNS is a very good place to find devices in the network.

• Multicast addresses: IPv6 ff02::fb port 5353, IPv4 224.0.0.251 port 5353

• Turned "on" by default in many systems: some Ubuntu / Fedora (avahi), iMac / iPhone / iPad ...
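An added example (not from the slides and not part of any tool mentioned here) of what the mDNS "find the device" step looks like on the wire: it builds the RFC 6762 service-enumeration query for _services._dns-sd._udp.local and parses a response, including DNS name compression. The response is constructed inline (an invented "_example._tcp" service, a host called Alices-iPhone and the link-local address fe80::1); nothing here is a real capture.

```python
# Added example (not from the slides): build an mDNS service-enumeration
# query and parse the (constructed) answer a phone on the same link could
# give. Names, the "_example._tcp" service and the address are made up.
import socket
import struct

MDNS_GROUP_V6, MDNS_GROUP_V4, MDNS_PORT = "ff02::fb", "224.0.0.251", 5353
TYPE_A, TYPE_PTR, TYPE_AAAA, CLASS_IN = 1, 12, 28, 1
CACHE_FLUSH = 0x8000          # top bit of the class field in mDNS answers


def encode_name(name):
    """DNS wire format of a dotted name (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(name="_services._dns-sd._udp.local", qtype=TYPE_PTR, unicast=True):
    """One-question mDNS query: ID 0, no flags (RFC 6762). The QU bit (top
    bit of QCLASS) asks responders to reply unicast to us."""
    qclass = CLASS_IN | (0x8000 if unicast else 0)
    return (struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", qtype, qclass))


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("utf-8", "replace"))
        offset += 1 + length


def parse_records(msg):
    """Return [(name, type, ttl, rdata)] for all answer/authority/additional RRs."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    for _ in range(qd):                                # skip the question section
        _name, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(msg, offset)
        elif rtype == TYPE_AAAA and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, msg[offset:offset + 16])
        elif rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntop(socket.AF_INET, msg[offset:offset + 4])
        else:
            rdata = msg[offset:offset + rdlen]
        offset += rdlen
        records.append((name, rtype, ttl, rdata))
    return records


def hosts_from_records(records):
    """hostname -> addresses: this is what reveals 'Alices-iPhone' and friends."""
    hosts = {}
    for name, rtype, _ttl, rdata in records:
        if rtype in (TYPE_A, TYPE_AAAA):
            hosts.setdefault(name, []).append(rdata)
    return hosts


def sample_response():
    """Constructed reply (not a capture): service list, one instance, its AAAA.
    Compression pointers are used so decode_name() is exercised."""
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 1))
    msg += encode_name("_services._dns-sd._udp.local")
    svc_off = len(msg) + 10                           # where the service name will start
    svc = encode_name("_example._tcp.local")
    msg += struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(svc)) + svc
    local_off = svc_off + 14                          # the "local" label inside svc
    ptr_svc = struct.pack("!H", 0xC000 | svc_off)
    instance = b"\x0dAlices-iPhone" + ptr_svc         # Alices-iPhone._example._tcp.local
    msg += ptr_svc + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(instance)) + instance
    host = b"\x0dAlices-iPhone" + struct.pack("!H", 0xC000 | local_off)   # Alices-iPhone.local
    addr = socket.inet_pton(socket.AF_INET6, "fe80::1")
    msg += host + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN | CACHE_FLUSH, 120, 16) + addr
    return bytes(msg)


if __name__ == "__main__":
    for name, rtype, ttl, rdata in parse_records(sample_response()):
        print(f"{name:40} type={rtype:<3} ttl={ttl:<5} {rdata}")
    print(hosts_from_records(parse_records(sample_response())))
```

To use it on a link, send build_query() with a UDP socket to (MDNS_GROUP_V6, MDNS_PORT, 0, ifindex) and feed every datagram you receive to parse_records(); with the QU bit set, responders answer unicast to the sender. hosts_from_records() collapses the replies to hostname -> addresses, which is exactly the list that pages 18 and 19 are built from.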

Page 16: IPv6  Some ISP related security Problems

Mobile Devices

• HTC

• iPhone

Page 17: IPv6  Some ISP related security Problems

A day at Zürich main station

Page 18: IPv6  Some ISP related security Problems

Find the iPhone user

• Find the user….

Page 19: IPv6  Some ISP related security Problems

Find the next user…

Page 20: IPv6  Some ISP related security Problems

RA Attacks

• Other possibilities: Router Advertisements

./flood_advertise6 eth3
Starting to flood network with neighbor advertisements on eth3 (Press Control-C to end, a dot is printed for every 100 packet):

........................................................

........................................................

........................................................

........................................................

........................................................

........................................................

........................................................

........................................................

........................................................

......................................^C

Page 21: IPv6  Some ISP related security Problems

Android 2.2

Page 22: IPv6  Some ISP related security Problems

Android

• HTC Desire S (Android Version 2.3.5)

Page 23: IPv6  Some ISP related security Problems

Android

• Only 16 IPv6 addresses were configured on the interface, but many more routes for networks were inserted by the RAs.
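As an added example (not from the slides; flood_advertise6 is a THC tool and its internals are not reproduced here) the code below builds a well-formed Router Advertisement with one Prefix Information option, verifies the ICMPv6 checksum when parsing, and then applies an RA-guard style policy to a constructed packet list: one legitimate RA from the assumed router fe80::1, then a burst of eight RAs from an assumed rogue source fe80::bad, the pattern a flooding tool produces. All addresses and prefixes are made up.

```python
# Added example (not from the slides): build, verify and police ICMPv6
# Router Advertisements (RFC 4861). The link, the trusted router fe80::1,
# the attacker fe80::bad and all prefixes are constructed for the example.
import ipaddress
import struct

ICMPV6_RA, IPPROTO_ICMPV6, OPT_PREFIX_INFO = 134, 58, 3
ALL_NODES = "ff02::1"


def icmpv6_checksum(src, dst, payload):
    """Ones'-complement sum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, prefix, router_lifetime=1800, hop_limit=64):
    """RA with one Prefix Information option (L and A flags set)."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    opt = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
           + net.network_address.packed)
    msg = bytearray(body + opt)
    struct.pack_into("!H", msg, 2, icmpv6_checksum(src, ALL_NODES, bytes(msg)))
    return bytes(msg)


def parse_ra(src, msg, dst=ALL_NODES):
    """Validate and decode an RA; raises ValueError on anything a host must drop."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(src, dst, msg) != 0:          # a valid packet sums to zero
        raise ValueError("bad ICMPv6 checksum")
    _t, _c, _sum, hop, _flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHBBHII", msg, 0)
    prefixes, off = [], 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0 or off + olen * 8 > len(msg):
            raise ValueError("malformed option")        # RFC 4861 4.6: length 0 is invalid
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = msg[off + 2], msg[off + 3]
            addr = ipaddress.IPv6Address(msg[off + 16:off + 32])
            prefixes.append((f"{addr}/{plen}", bool(pflags & 0x40)))   # (prefix, A flag)
        off += olen * 8
    return {"hop_limit": hop, "router_lifetime": lifetime, "prefixes": prefixes}


def ra_guard(packets, trusted_router, expected_prefixes, burst=5):
    """Port-policy style check (what RFC 6105 RA Guard does in a switch):
    packets is a list of (timestamp, src, raw_icmpv6); returns alert tuples."""
    alerts, seen = [], {}
    for ts, src, raw in packets:
        try:
            ra = parse_ra(src, raw)
        except ValueError as err:
            alerts.append((ts, src, f"malformed: {err}"))
            continue
        if src != trusted_router:
            alerts.append((ts, src, "RA from untrusted source"))
        for prefix, _a in ra["prefixes"]:
            if prefix not in expected_prefixes:
                alerts.append((ts, src, f"unexpected prefix {prefix}"))
        window = [t for t in seen.get(src, []) if ts - t < 1.0] + [ts]
        seen[src] = window
        if len(window) > burst:
            alerts.append((ts, src, f"RA flood: {len(window)} RAs within 1s"))
    return alerts


def sample_packets():
    """Constructed traffic: one legitimate RA, then a burst of 8 rogue RAs
    announcing different prefixes, the pattern a flooding tool produces."""
    pkts = [(0.0, "fe80::1", build_ra("fe80::1", "2001:db8:1::/64"))]
    for i in range(8):
        pkts.append((10.0 + 0.1 * i, "fe80::bad",
                     build_ra("fe80::bad", f"2001:db8:dead:{i}::/64")))
    return pkts


if __name__ == "__main__":
    for ts, src, why in ra_guard(sample_packets(), "fe80::1", {"2001:db8:1::/64"}):
        print(f"t={ts:5.1f} {src:10} {why}")
```

ra_guard() reports three things a switch RA Guard (RFC 6105) or a host-side filter would act on: an RA from an address that is not the known router, a prefix that is not the link's, and more than `burst` RAs from one source within a second. The Android observation above (16 addresses but many more routes) is the host-side symptom of exactly this: every accepted RA adds a prefix route even when the address table is already full.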

Page 24: IPv6  Some ISP related security Problems

OSPFv3

• OSPFv3 authentication: Cisco, Check Point

Page 25: IPv6  Some ISP related security Problems

OSPFv3 authentication

• For example the configuration with Cisco:

– AH: ipv6 ospf authentication ipsec spi spi md5 [key-encryption-type {key | null}]

– ESP: ipv6 ospf encryption {ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}

Page 26: IPv6  Some ISP related security Problems

OSPFv3 authentication

• Works with Cisco ...

– But when changing from AH to ESP, the AH session is still active; the same happens when changing the password. This can cause issues, e.g. when the password is changed on one side only.

– Furthermore, if there are more OSPFv3 adjacencies, an IPsec SA is needed for each of them, and this costs a lot of CPU.

– So, what will be the best practice ...

Page 27: IPv6  Some ISP related security Problems

OSPFv3 authentication

• With Check Point: capability of IPsec with IPSO (IPSO = OS for Check Point hardware)

Page 28: IPv6  Some ISP related security Problems

OSPFv3

• Basic OSPFv3 configuration works with IPSO, but what happens if a not so conventional packet arrives ... let's try this:

• Returns ... oops, the command shows no neighbors at all any more:

NokiaIP690:117> show ipv6 ospf3 neighbors

NokiaIP690:118>

Page 29: IPv6  Some ISP related security Problems

Solution Check Point

• Check Point doesn't support IPv6 on IPSO
• IPv6 support only with GAIA
• GAIA doesn't support IPv6 dynamic routing

Page 30: IPv6  Some ISP related security Problems

Nice to know: OSPFv3, RFC 2740

– "However, unlike in IPv4, IPv6 allows LSAs with unrecognized LS types to be labeled 'Store and flood the LSA, as if type understood'."

– "Uncontrolled introduction of such LSAs could cause a stub area's link-state database to grow larger than its component routers' capacities."
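To make the quoted rule concrete, the added example below (not from the slides, not router code) decodes the OSPFv3 LS type field (U bit, S2/S1 scope, function code), implements the flooding decision for unknown types including the stub-area restriction of RFC 2740, and runs it over a constructed list of LSA headers in which three 1500-byte LSAs of an invented type 0xA123 (U=1, area scope) are mixed with ordinary ones. LS IDs, advertising router and sizes are made up.

```python
# Added example (not from the slides): decode OSPFv3 LS types (RFC 2740 /
# RFC 5340 A.4.2.1) and apply the stub-area rule the slide quotes to a
# constructed list of LSA headers. The LSA stream is made up for the example.
import struct

U_BIT, SCOPE_MASK, FUNCTION_MASK = 0x8000, 0x6000, 0x1FFF
SCOPES = {0x0000: "link-local", 0x2000: "area", 0x4000: "AS", 0x6000: "reserved"}
KNOWN_LS_TYPES = {
    0x2001: "Router", 0x2002: "Network", 0x2003: "Inter-Area-Prefix",
    0x2004: "Inter-Area-Router", 0x4005: "AS-External", 0x2006: "Group-Membership",
    0x2007: "Type-7 (NSSA)", 0x0008: "Link", 0x2009: "Intra-Area-Prefix",
}
LSA_HEADER = struct.Struct("!HHIIIHH")   # age, type, LS ID, adv router, seq, checksum, length


def decode_ls_type(ls_type):
    """Split the 16-bit LS type into U bit, flooding scope and function code."""
    return {
        "u_bit": bool(ls_type & U_BIT),
        "scope": SCOPES[ls_type & SCOPE_MASK],
        "function_code": ls_type & FUNCTION_MASK,
        "name": KNOWN_LS_TYPES.get(ls_type, "unknown"),
    }


def flooding_decision(ls_type, in_stub_area=False):
    """(accept, effective scope, reason) for a received LSA.
    Unknown type, U=0: store and flood as if link-local scope only.
    Unknown type, U=1: store and flood as if understood, i.e. with the
    scope encoded in the type, except in a stub area, where RFC 2740
    only admits unknown types with link/area scope AND U=0."""
    t = decode_ls_type(ls_type)
    if in_stub_area and t["scope"] == "AS":
        return False, None, "AS-scope LSA is never flooded into a stub area"
    if t["name"] != "unknown":
        return True, t["scope"], f"known type {t['name']}"
    if t["u_bit"]:
        if in_stub_area:
            return False, None, "unknown type with U=1 rejected in stub area"
        return True, t["scope"], "unknown type, U=1: store and flood as if understood"
    return True, "link-local", "unknown type, U=0: treated as link-local scope"


def lsa_header(ls_type, length, seq=0x80000001):
    """Constructed 20-byte LSA header with dummy LS ID / advertising router."""
    return LSA_HEADER.pack(1, ls_type, 0, 0x0A000001, seq, 0, length)


def lsdb_load(headers, in_stub_area=False):
    """Walk a byte string of LSA headers and return
    (accepted, rejected, bytes that would end up in the LSDB)."""
    accepted = rejected = size = 0
    for off in range(0, len(headers), LSA_HEADER.size):
        _age, ls_type, _id, _adv, _seq, _csum, length = LSA_HEADER.unpack_from(headers, off)
        ok, _scope, _why = flooding_decision(ls_type, in_stub_area)
        if ok:
            accepted, size = accepted + 1, size + length
        else:
            rejected += 1
    return accepted, rejected, size


# Constructed sample: one Router-LSA, one AS-External-LSA, three 1500-byte
# LSAs of an unknown type with U=1 and area scope (0xA123), one unknown
# type with U=0 and area scope (0x2123).
SAMPLE_LSDB = b"".join([
    lsa_header(0x2001, 40),
    lsa_header(0x4005, 36),
    lsa_header(0xA123, 1500),
    lsa_header(0xA123, 1500, 0x80000002),
    lsa_header(0xA123, 1500, 0x80000003),
    lsa_header(0x2123, 60),
])

if __name__ == "__main__":
    for stub in (False, True):
        print("stub area" if stub else "normal area", lsdb_load(SAMPLE_LSDB, stub))
```

For a normal area the decision accepts all six LSAs, 4636 bytes of LSDB; in a stub area the three unknown U=1 LSAs and the AS-External LSA are refused and only 100 bytes remain, which is the protection the RFC text is describing. Whether a given router actually implements the stub-area rule is exactly the kind of "not so conventional packet" test that emptied the neighbor table on the IPSO box above.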

Page 31: IPv6  Some ISP related security Problems

Attacking routing devices

• Fact:
- Most network devices handle IPv6 traffic in software, not in hardware
- More CPU power is needed for handling IPv6 extension headers
- The routing table becomes much bigger

• Samples (packets that end up on the router's CPU):
- Packets with a hop-by-hop option header
- Packets with the same destination IPv6 address as that of the router
- Packets that fail the scope enforcement check
- Packets that exceed the MTU of the output link
- Packets with a hop limit (TTL) that is less than or equal to 1
- .....

Page 32: IPv6  Some ISP related security Problems

Antispoofing

• Verify anti-spoofing!

• Possible IPv6 source addresses to test with:
- Link-local address
- Site-local address
- Unique local address
- Multicast
- Any other IPv6 address
- localhost
- ....

Page 33: IPv6  Some ISP related security Problems

Hurricane Electric's tunnel

• Spoofing from source IPs:

HE tunnel: ULA, 6bone and any global IPv6 address can be used as source

Miredo/Teredo: not possible

Some ISPs: sometimes ULA, sometimes all

Page 34: IPv6  Some ISP related security Problems

Spoof Test

Source system:
root@blubberli:thc-1.9-chw# ./spoof6 eth3 2001:0:ffff::beef
Sending ICMPv6 Packets to eth3 from spoofed fdbb:7d77:bc07:affe::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:db8::1
Sending ICMPv6 Packets to eth3 from spoofed 2001::1
Sending ICMPv6 Packets to eth3 from spoofed 2002::1
Sending ICMPv6 Packets to eth3 from spoofed 3FFE::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:503:ba3e::2:30
Sending ICMPv6 Packets to eth3 from spoofed 2001:500:2f::f
Sending ICMPv6 Packets to eth3 from spoofed 2001:500:1::803f:235
Sending ICMPv6 Packets to eth3 from spoofed 2001:503:c27::2:30
Sending ICMPv6 Packets to eth3 from spoofed 2001:7fd::1
Sending ICMPv6 Packets to eth3 from spoofed 2001:dc3::35
Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8888
Sending ICMPv6 Packets to eth3 from spoofed 2001:4860:4860::8844
Sending ICMPv6 Packets to eth3 from spoofed ffff:ffff:ffff:ffff:ffff:ffff:fffff:ffff
Done!

On the target system with tcpdump:
fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
fdbb:7d77:bc07:affe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2001:470:94df:1::ffff > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2002::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2002::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
3ffe::1 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
3ffe::1 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48
2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, packet too big, mtu 0, length 48
2001:503:ba3e::2:30 > 2001:X:ffff::beef ICMP6, echo request, seq 0, length 48

(Info: 2001:X:ffff::beef is a placeholder for the real IPv6 address)
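The test above is the offensive side; the added example below (not from the slides, not from spoof6) is the check an ISP edge or tunnel broker should apply on ingress, run over the same source list spoof6 used. The customer prefix 2001:db8:cafe::/48 and the one legitimate source 2001:db8:cafe:1::10 are assumptions, and the bogon list deliberately omits 2001:db8::/32 so that the documentation prefix can serve as customer space here; in production it belongs on the list.

```python
# Added example (not from the slides): BCP 38 style ingress source check,
# run over the sources the spoof6 run on this page used. The customer
# prefix 2001:db8:cafe::/48 is an assumption. 2001:db8::/32 is kept OUT of
# the bogon list only because this example uses it as customer space.
import ipaddress

# Sources that must never appear on a customer-facing ingress.
BOGON_SOURCES = [
    (ipaddress.ip_network("::/128"), "unspecified"),
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("::ffff:0:0/96"), "IPv4-mapped"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fec0::/10"), "site-local (deprecated, RFC 3879)"),
    (ipaddress.ip_network("fc00::/7"), "unique local (RFC 4193)"),
    (ipaddress.ip_network("ff00::/8"), "multicast"),
    (ipaddress.ip_network("3ffe::/16"), "6bone (returned, RFC 3701)"),
]

# The addresses the slide's spoof6 run sent, with the two addresses the
# slide ran together separated and the mistyped all-ones address corrected.
SPOOF6_SOURCES = [
    "fdbb:7d77:bc07:affe::1", "2001:db8::1", "2001::1", "2002::1", "3ffe::1",
    "2001:503:ba3e::2:30", "2001:500:2f::f", "2001:500:1::803f:235",
    "2001:503:c27::2:30", "2001:7fd::1", "2001:dc3::35",
    "2001:4860:4860::8888", "2001:4860:4860::8844",
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
]


def ingress_check(src, customer_prefixes):
    """(allowed, reason) for one packet's source address on a customer port.
    Order matters: bogons first, then strict uRPF against what the customer
    was actually assigned; everything else is a spoofed global address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable address"
    if addr.version != 6:
        return False, "not IPv6"
    for net, label in BOGON_SOURCES:
        if addr in net:
            return False, f"bogon source: {label}"
    for prefix in customer_prefixes:
        if addr in ipaddress.ip_network(prefix, strict=False):
            return True, "within assigned prefix"
    return False, "global address outside the assigned prefix (spoofed)"


def audit(sources, customer_prefixes):
    """Run the check over a list of sources; returns src -> (allowed, reason)."""
    return {src: ingress_check(src, customer_prefixes) for src in sources}


if __name__ == "__main__":
    verdicts = audit(SPOOF6_SOURCES + ["2001:db8:cafe:1::10"], ["2001:db8:cafe::/48"])
    for src, (ok, why) in verdicts.items():
        print(f"{'PASS' if ok else 'DROP':4} {src:40} {why}")
```

Every spoof6 source is dropped and only the assumed customer address passes: the ULA, multicast and 6bone sources fall to the bogon filter, and the root-server and Google addresses fall to the strict uRPF step. That second step is the one the HE tunnel and "some ISPs" on the previous page are missing.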

Page 35: IPv6  Some ISP related security Problems

6RD Security Problems

• 6RD client
• 6RD IPv6 -> IPv4 DoS

Page 36: IPv6  Some ISP related security Problems

Sample: Free (screenshot)

Page 37: IPv6  Some ISP related security Problems

6RD address building

The delegated prefix is built from the ISP's 6RD IPv6 prefix (/28 to /32), the 32-bit CPE IPv4 address, 0-4 bits of subnet ID and the 64-bit interface ID:

IPv6 prefix | CPE IPv4 address | subnet ID | interface ID

(Figure: two layouts. With a /28 6RD prefix, the 32 IPv4 bits end at bit 60 and 4 bits of subnet ID remain before the interface ID at bits 64-128. With a /32 6RD prefix, the IPv4 bits end at bit 64 and there is no subnet ID.)

Slide example: IPv6 prefix 2001:db8:0123::/32 + IPv4 10.1.2.3 => 2001:db8:0123:0A01:0203::/64

Note that as written the example mixes a 48-bit prefix value (2001:db8:0123) with a /32 prefix length: with a real /32 (2001:db8::/32) the IPv4 address occupies bits 32-63 and the delegated prefix is 2001:db8:0A01:0203::/64; with 2001:db8:0123::/48 it would become a /80, which is too long for SLAAC. The following slides keep the 2001:db8:0123:xxxx:xxxx:: form.

Page 38: IPv6  Some ISP related security Problems

some ideas

Replace the IPv4 address part with:
- any other global IPv4 address
- an IPv4 private address
- a router's loopback / management IPv4 address
- localhost
- IPv4 multicast (for instance routing protocols)
- IPv4 broadcast / network address
- .......

IPv6 prefix | IPv4 address | interface ID

Page 39: IPv6  Some ISP related security Problems

Routing

(Figure: the BR sits between the global IPv6 Internet and the IPv4 6RD customers; on its IPv4 side it also reaches router management, loopback, localhost and the global IPv4 Internet. Whatever IPv4 address is embedded in the IPv6 destination is where the decapsulated packet goes:)

2001:db8:0123:0A01:0203::1 -> 10.1.2.3 [2001:db8:0123:0A01:0203::1]
2001:db8:0123:0808:0808::1 -> 8.8.8.0 [2001:db8:0123:0808:0808::1] (the figure says 8.8.8.0; 0808:0808 decodes to 8.8.8.8)
2001:db8:0123:C0A8:0001::1 -> 192.168.0.1 [2001:db8:0123:C0A8:0001::1]

Routing depending on the routing table

Page 40: IPv6  Some ISP related security Problems

Some 6RD ISP Tests

5 well-known 6RD providers tested:
• Swisscom
• Free
• AT&T (USA)
• Sakura
• Telfort (ISP)

-> ALL allow relaying to a public IPv4 address

(other tests: result unknown)

Page 41: IPv6  Some ISP related security Problems

Security

• Only 6RD clients of the ISP may use the 6RD BR as a 6RD relay.

• The 6RD BR must check whether the IPv6 traffic is destined for a 6RD client of the ISP or not, i.e. whether the IPv4 address embedded in the destination belongs to the ISP's 6RD customer range.

• Prevent traffic relaying; otherwise the BR can be used for DoS from IPv6 onto any IPv4 address!
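The address arithmetic of the last pages, and the check a BR needs, as an added example (not from the slides or from any vendor's 6RD implementation): SixRDDomain computes the delegated prefix per RFC 5969, recovers the embedded IPv4 address and refuses to relay when that address is not a 6RD customer. The 6RD domains 2001:db8::/32 and 2001:db0::/28, the CPE 10.1.2.3 and the customer range 10.0.0.0/8 are constructed; the embedded IPv4 addresses are the ones from the routing figure (10.1.2.3, 8.8.8.8, 192.168.0.1), encoded under a real /32 so the arithmetic matches RFC 5969.

```python
# Added example (not from the slides): RFC 5969 6rd address arithmetic plus
# the check a border relay (BR) should make before relaying IPv6 to IPv4.
# The 6rd domains, CPE addresses and the customer IPv4 range 10.0.0.0/8 are
# constructed for the example.
import ipaddress
from typing import Iterable, Optional, Tuple


class SixRDDomain:
    def __init__(self, sixrd_prefix: str, ipv4_mask_len: int = 0,
                 ipv4_common: str = "0.0.0.0", customer_ipv4_ranges: Iterable[str] = ()):
        self.prefix = ipaddress.IPv6Network(sixrd_prefix)
        self.v4_bits = 32 - ipv4_mask_len              # IPv4 bits embedded in the prefix
        self.v4_high = int(ipaddress.IPv4Address(ipv4_common)) & ~((1 << self.v4_bits) - 1)
        self.customers = [ipaddress.IPv4Network(r) for r in customer_ipv4_ranges]
        self.delegated_len = self.prefix.prefixlen + self.v4_bits
        if self.delegated_len > 64:
            raise ValueError("delegated prefix longer than /64; shorten the 6rd prefix or mask IPv4 bits")

    def delegated_prefix(self, cpe_ipv4: str) -> ipaddress.IPv6Network:
        """6rdPrefix ++ (CPE IPv4 minus the masked-off common high bits)."""
        part = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << self.v4_bits) - 1)
        value = int(self.prefix.network_address) | (part << (128 - self.delegated_len))
        return ipaddress.IPv6Network((value, self.delegated_len))

    def embedded_ipv4(self, addr: str) -> Optional[ipaddress.IPv4Address]:
        """IPv4 address the BR will encapsulate towards, or None if `addr`
        is not in the 6rd domain at all (then it is routed natively)."""
        a = ipaddress.IPv6Address(addr)
        if a not in self.prefix:
            return None
        part = (int(a) >> (128 - self.delegated_len)) & ((1 << self.v4_bits) - 1)
        return ipaddress.IPv4Address(self.v4_high | part)

    def br_accept(self, dst_ipv6: str) -> Tuple[bool, str]:
        """The check missing on the tested BRs: only relay when the embedded
        IPv4 address belongs to this ISP's 6rd customers. Anything else
        (public IPv4, RFC 1918, loopback, multicast, router management)
        turns the BR into a free IPv6 -> IPv4 packet reflector."""
        v4 = self.embedded_ipv4(dst_ipv6)
        if v4 is None:
            return False, "destination not in the 6rd domain: route natively, do not relay"
        if not any(v4 in net for net in self.customers):
            return False, f"embedded IPv4 {v4} is not a 6rd customer address: relay refused"
        return True, f"relay to 6rd CPE {v4}"


if __name__ == "__main__":
    dom = SixRDDomain("2001:db8::/32", customer_ipv4_ranges=["10.0.0.0/8"])
    print(dom.delegated_prefix("10.1.2.3"))            # 2001:db8:a01:203::/64
    for dst in ("2001:db8:a01:203::1", "2001:db8:808:808::1", "2001:db8:c0a8:1::1"):
        print(dst, dom.br_accept(dst))
    free_style = SixRDDomain("2001:db0::/28")          # /28 prefix: 4 bits of subnet ID left
    print(free_style.delegated_prefix("10.1.2.3"))     # 2001:db0:a010:2030::/60
```

With the figure's three destinations, br_accept() relays 2001:db8:a01:203::1 (CPE 10.1.2.3), refuses 2001:db8:808:808::1 (8.8.8.8, public) and refuses 2001:db8:c0a8:1::1 (192.168.0.1, not a customer); the /28 domain shows where the 4 subnet-ID bits end up (2001:db0:a010:2030::/60, subnets 2001:db0:a010:2030::/64 to 2001:db0:a010:203f::/64). The five providers tested on page 40 behave like a BR without the customer-range check.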

Page 43: IPv6  Some ISP related security Problems

Tools

Function: tools

Scanning / surveillance: halfscan6, nmap, scan6, strobe

Covert channel / backdoor: relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc.

Port bouncing: relay6, nt6tunnel, ncat and asybo

Denial of service (DoS): 6tunneldos, 6To4DDos, Imps6-tools

Packet-level attack toolkits: isic6, spak6, THC-6

Packet crafting: scapy, SendIP, Packit, Spack

IRC zombies / bots: Eggdrop, Supybot, etc.

Sniffers: snort, tcpdump, snoop, wireshark, tshark, etc.

Pen testing tool: Metasploit

Security warning and disclaimer: never use these tools without authorization; it may be against your local law!

Page 44: IPv6  Some ISP related security Problems

terminology

• Node: device that implements IPv6
• Router: node that forwards IPv6 packets
• Host: any node that isn't a router
• Upper layer: protocol layer above IPv6
• Link: medium or communication facility over which nodes can communicate at the link layer
• Neighbors: nodes attached to the same link
• Interface: a node's attachment to a link
• Address: IPv6-layer identification for an interface
• Packet: IPv6 header + payload
• Link MTU: maximum transmission unit of a link
• Path MTU: minimum link MTU of all links in a path between source and destination nodes

Page 45: IPv6  Some ISP related security Problems

Tools needed

• More protocol testing tools (fuzzers ...)
• A tool for automatic network discovery and analysis of local traffic (ping / MLD / mDNS ...) -> IP + function list
• Better filter implementation in tcpdump / tshark

Page 46: IPv6  Some ISP related security Problems

IPv6 hacking future

• More crypto is used, but ...
• Still new RFCs
• Growing, still poorly understood usage creates more attack surface
• Mobile devices are one of the next big targets, because they need a large IP address space, which will be covered with IPv6

Page 47: IPv6  Some ISP related security Problems

mDNS Problems / Attack

• Internet Draft (now RFC 6762): "DNS queries for names that do not end with '.local.' MAY be sent to the mDNS multicast address, if no other conventional DNS server is available. This can allow hosts on the same link to continue communicating using each other's globally unique DNS names during network outages which disrupt communication with the greater Internet."

• mDNS generates a lot of new options for fun and abuse

• Flood the network with "some" mDNS information to fill up the tables on each device

• Overwrite existing entries (mDNS answers are unauthenticated, so any host on the link can claim a name or push a cache-flush record for it).