Date posted: 02-Jul-2015 | Category: Technology | Uploaded by: navajanegra
2
1. Brief introduction to IPv6
2. Some security risks in IPv6
3. Research results
4. Demo
Seguridad en IPv6 (IPv6 Security)
3
1. Brief introduction to IPv6
4
Some interesting aspects of IPv6
The main driver for IPv6 is its increased address space.
IPv6 uses 128-bit addresses.
There are different address types (unicast, anycast, and multicast) and different address scopes (link-local, global, etc.).
It’s common for a node to be using, at any given time, several addresses, of multiple types and scopes.
5
Some interesting aspects of IPv6
The “end-to-end principle” …
Each device will have a globally-unique address.
NATs will no longer be needed.
6
Hacking IPv6
7
Hacking IPv6
- parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
- alive6: an effective alive scanning, which will detect all systems listening to this address
- fake_router6: announce yourself as a router on the network, with the highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
- toobig6: mtu decreaser with the same intelligence as redir6
- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
- trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known ipv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests against a target
- fuzz_ip6: fuzzer for ipv6
- implementation6: performs various implementation checks on ipv6
- implementation6d: listen daemon for implementation6 to check behind a fw
- fake_mld6: announce yourself in a multicast group on the net
- fake_mld26: same but for MLDv2
8
Hacking IPv6
IPv6(dst="2a02:9001:0:ffff:80:58:105:253")/IPv6ExtHdrRouting(type=0,addresses=["2a02:9001:0:57::6"])/ICMPv6EchoRequest()

#!/usr/bin/python
from scapy.all import *

def aleatorio():
    # Keep the tail of a random IPv6 address to use as the host part
    ff = str(RandIP6())
    ff = ff[20:39]
    return ff

# Send echo requests to random host parts under one prefix
for i in range(1, 100000):
    packet = IPv6(src="2001:5c0:1400:a:8000:0:580c:3aa", dst="2a02:9008:3:111:" + aleatorio()) / ICMPv6EchoRequest()
    send(packet, iface="sit1")
9
2. Some security risks in IPv6
10
IPv4 Attack Example
Internal Network
Victim is attacked !!!
11
IPv6 Connectivity Schema
Public Prefix assigned: 2a02:9008:3::/64
Administration
No NAT needed with IPv6
No internal network needed
Direct connectivity
2a02:9008:3::1
12
IPv6 Phishing Attack Example
Public Prefix assigned: 2a02:9008:3::/64
Default Passwords
Brute Force (Hydra)
Exploit Known Vulnerabilities
Victim is attacked !!!
2a02:9008:3::1
Don’t work too hard
No special vulnerability in the routers is needed.
No interaction from the clients is needed.
13
Users also exposed
End-to-end model
2a02:9008:3::1
2a02:9008:3::a36:1
2a02:9008:3::a35:2
2a02:9008:3::a46:8
2a02:9008:3::a86:6
Vulnerable services !!
14
3. Research results
15
Administration Services exposed in Internet
We did some research to check if this was a real risk, and we discovered that indeed it is…
We collected public information available on the Internet about IPv6 prefixes assigned by LIRs
16
IPv4 Connectivity
17
Administration Services exposed in Internet
We scanned some of those prefixes just using nmap
Only some of the first IPs of each prefix…
18
Administration Services exposed in Internet
19
Administration Services exposed in Internet
Mail services in IPv6: SPAM nightmare is coming…
20
4. Demo …
21
1. Windows 7
2. Linux (Backtrack)
3. Mac OS
Tunneling…
22
NDP
Public Prefix: 2a02:9008:3:f0f0::/64
Addresses shown:
2a02:9008:3:f0f0:437:af0:665:8
2a02:9008:3:f0f0:889:acb:9999:1
2a02:9008:3:f0f0:7676:bbb:9:10
23
NDP Flooding …
Public Prefix: 2a02:9008:3:f0f0::/64
Addresses shown:
2a02:9008:3:f0f0:437:af0:665:8
2a02:9008:3:f0f0:889:acb:9999:1
2a02:9008:3:f0f0:7676:bbb:9:10
2a02:9008:3:f0f0:RAND
CAM Table
11:22:33:44:55:66 - 2a02:9008:3:f0f0:437:af0:665:8
66:55:44:33:22:11 - 2a02:9008:3:f0f0:7676:bbb:9:10
… - …
24
NDP Flooding in action…
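An added example, not part of the original slides: a defender-side check for the NDP flooding pattern above, where lookups hit many distinct, unassigned addresses inside one /64. It assumes the Neighbor Solicitation targets have already been extracted from a capture or router log; the function name, thresholds and sample events are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Addresses shown on the slide; treated here as the hosts that really exist.
KNOWN_HOSTS = [
    "2a02:9008:3:f0f0:437:af0:665:8",
    "2a02:9008:3:f0f0:889:acb:9999:1",
    "2a02:9008:3:f0f0:7676:bbb:9:10",
]

# Constructed sample: (seconds, target of a Neighbor Solicitation seen on the link).
SAMPLE_EVENTS = [
    (1.0, "2a02:9008:3:f0f0:437:af0:665:8"),
    (5.0, "2a02:9008:3:f0f0::aaaa"),          # one stray lookup, not a flood
    (20.0, "2a02:9008:3:f0f0:889:acb:9999:1"),
    (60.0, "2a02:9008:3:f0f0::bbbb"),
] + [(100.0 + 0.5 * i, f"2a02:9008:3:f0f0:dead:beef:0:{i:x}") for i in range(8)]


def detect_ndp_flood(events, known_hosts, prefix_len=64, window=10.0, threshold=5):
    """Alert once per prefix when `threshold` distinct unknown targets are
    solicited within `window` seconds. Returns [(prefix, time, count)]."""
    known = {ipaddress.IPv6Address(h) for h in known_hosts}
    recent = defaultdict(deque)   # prefix -> (time, target) inside the window
    alerted, alerts = set(), []
    for ts, target in sorted(events):
        addr = ipaddress.IPv6Address(target)
        if addr in known:
            continue              # resolution for a real host is normal traffic
        net = ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)
        queue = recent[net]
        queue.append((ts, addr))
        while ts - queue[0][0] > window:
            queue.popleft()       # drop solicitations older than the window
        distinct = len({a for _, a in queue})
        if distinct >= threshold and net not in alerted:
            alerted.add(net)
            alerts.append((str(net), ts, distinct))
    return alerts


if __name__ == "__main__":
    for prefix, ts, count in detect_ndp_flood(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"possible NDP flood in {prefix} at t={ts}: {count} unknown targets")
```

On a live router the same signal shows up as a spike of INCOMPLETE entries in the neighbor cache.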
25
Questions ???
Rafa Sánchez Gómez @R_a_ff_a_e_ll_o
es.linkedin.com/in/rafasanchezgomez