Yuji Ukai, Senior Software Engineer Ryan Permeh, Founding Software Engineer Ryoji Kanai, Software Engineer Retina Network Security Scanner Development Core Team PacSec 2006 Conference The fourth annual PacSec conference November 27-30 2006, at the Aoyama Diamond Hall in Tokyo, Japan.
Yuji Ukai, Senior Software Engineer
Ryan Permeh, Founding Software Engineer
Ryoji Kanai, Software Engineer
Retina Network Security Scanner Development Core Team

PacSec 2006 Conference
The fourth annual PacSec conference, November 27-30 2006, at the Aoyama Diamond Hall in Tokyo, Japan.

2 Introduction

• The U.S. Department of Defense announced that it will move its network to IPv6. Because of this, IPv6 is currently in the spotlight in the U.S.
• All network devices should be updated to support IPv6. Security products must also be updated to keep up.
• A network security scanner must be able to scan an IPv6 network. Most of the core technologies built for IPv4 can still be used, but we are facing some new issues.
• We will describe some of the issues and some possible solutions to the problem of security risk management in an IPv6 network.

3 IPv6 networking

• IPv6 is rapidly becoming more popular since the DoD IPv6 announcement.
  - DoD will switch its network to IPv6 across the board.
  - This network is responsible for supporting soldiers and signal communications.
  - All new network devices purchased should already support IPv6.
• The US Department of Commerce is investigating the economic effect of IPv6. The governments and militaries of Germany, France, the U.K., China, Korea, and Japan all have plans to push IPv6 forward in their networks.
• Many vendors, ISPs, and research institutes have accelerated their R&D for IPv6 deployment.
• Security risk management solutions must consider the implications of supporting IPv6 as well.

4 Security risk management using a network security scanner

• Scan the network.
• Collect the assets and their vulnerability information.
• Analyze the threat, the vulnerability, and the importance of each asset.
• Know the risk factors on the network and take action to fix them.
• We must deploy accurate and fast vulnerability scanning to manage the risk on the network appropriately.
• Supporting IPv6 might have a bad effect on the accuracy and speed of a traditional scanning methodology, in particular on:
  - Host discovery techniques
  - OS detection techniques

5 IPv6 Host Discovery

6 Negative impact caused by supporting IPv6 - Host discovery

• Discover the hosts using ICMP, TCP, and UDP probes.
• Host discovery is necessary to collect the asset information and the list of targets for vulnerability scanning.
• Three IPv6 features hurt this approach:
  - Huge address space
  - Secure Neighbor Discovery and CGA
  - Privacy enhanced addresses

7 Huge address space

• The traditional host discovery method (probe every address in the subnet) takes a very long time because the address space is expanded to 128 bits.
  - A typical IPv4 subnet may have 8 bits reserved for host addressing: 2^8 = 256 addresses, about 5 minutes at 1 packet/sec.
  - A typical IPv6 subnet may have 64 bits reserved for host addressing: 2^64 addresses, about 5.8 × 10^11 (roughly 585 billion) years at 1 packet/sec, since 2^64 seconds is about 1.8 × 10^19 seconds.
• Sweeping a /64 is therefore not an option; discovery has to exploit structure in how addresses are assigned.

http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt

8 Secure Neighbor Discovery and CGA

• Joint research project to reduce attacks on Neighbor Discovery (ND). ND is stateless and vulnerable to hijacking (spoofed advertisement) attacks.
• Cryptographically Generated Addresses (CGA) are a cryptographically secure addressing scheme: the interface identifier is derived from a hash of the node's public key, so the address is bound to a key rather than chosen freely.
• Can be used to prevent and detect address collision attacks.

http://research.microsoft.com/users/tuomaura/Publications/arkko+-wise02.pdf

Impact on discovery: a CGA interface identifier cannot be guessed, so we cannot reduce the search space.

9 Privacy enhanced addresses

• IETF scheme (RFC 3041) for generating random interface identifier bits instead of using the IEEE identifier (i.e., a link-layer MAC address), for privacy protection, etc.
• Generates short-lived addresses with a small chance of repeat.
• Generated on boot or periodically at runtime.

Generation, as sketched on the slide:

  Current interface ID (64 bits) | Seed or History (64 bits)
                   |
                  md5
                   |
  New interface ID (64 bits)     | New History (64 bits)

  Bit 6 of the new interface ID is set to 0, which marks it as a locally (not globally) unique identifier. The new history value is kept for the next round.

Impact on discovery: a privacy address cannot be guessed, so we cannot reduce the search space.
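The RFC 3041 round sketched above, as an added example (not code from the slides or from Retina). It follows RFC 3041 section 3.2.1: MD5 over the history value concatenated with the stable (EUI-64 derived) interface identifier, the left 64 bits become the new identifier with bit 6 cleared, the right 64 bits become the next history value. The MAC address and the all-zero seed are constructed inputs for the demonstration.

```python
"""RFC 3041 temporary interface identifier, one round at a time (added example)."""
import hashlib
import ipaddress
from typing import List, Tuple


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> modified EUI-64 interface identifier (RFC 4291 appendix A):
    insert 0xfffe between the OUI and the serial half, then invert the u/l bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def next_temporary_iid(history: bytes, iid: bytes) -> Tuple[bytes, bytes]:
    """One iteration of RFC 3041 section 3.2.1.

    digest           = MD5(history || interface_id)
    new interface id = leftmost 64 bits with bit 6 cleared (local significance)
    new history      = rightmost 64 bits, stored for the next iteration
    """
    if len(history) != 8 or len(iid) != 8:
        raise ValueError("history and interface identifier must both be 8 bytes")
    digest = hashlib.md5(history + iid).digest()
    new_iid = bytearray(digest[:8])
    new_iid[0] &= 0xFD          # bit 6 (leftmost bit is bit 0) is the 0x02 bit of byte 0
    return bytes(new_iid), digest[8:]


def temporary_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed on a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def generate_sequence(mac: str, seed: bytes, rounds: int) -> List[bytes]:
    """Run the algorithm `rounds` times from an initial history value (the seed)
    and return the temporary interface identifiers it produces, in order."""
    stable_iid = mac_to_modified_eui64(mac)
    history, produced = seed, []
    for _ in range(rounds):
        iid, history = next_temporary_iid(history, stable_iid)
        produced.append(iid)
    return produced


if __name__ == "__main__":
    # constructed inputs: the MAC from the slide's netsh example and a fixed seed
    for iid in generate_sequence("00-10-a4-b6-b9-72", b"\x00" * 8, 3):
        print(temporary_address("2001:db8:1::/64", iid))
```

Because the seed is secret to the host and the chain is an MD5 walk, nothing in the output lets a scanner predict the next identifier; the only structure left is the cleared u/l bit.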

10 IPv6 discovery solutions

• Multicast

• Neighbor Discovery

• Ethernet Vendor ID

• DHCPv6 State Tables

• Neighbor Cache

• Target IPv4 Stack instead

• Local Discovery and Distributed Architecture

11 IPv6 Layer 3 - Multicast

Multicast is a core component of IPv6. We can get some live IP addresses using multicast.

• Typically site-local or link-local scope.
• Certain IPv6 functions require multicast, so you are likely to get responses.
• Common groups:
  - FF02::1 (FF02:0:0:0:0:0:0:1) - All nodes on the local link
  - FF02::2 (FF02:0:0:0:0:0:0:2) - All routers on the local link
  - FF02::1:2 (FF02:0:0:0:0:0:1:2) - All DHCPv6 relay agents and servers on the local link

12 IPv6 Layer 3 - Neighbor Discovery

• Neighbor Discovery is an ICMPv6-specific service.
• Peer discovery (the layer 3 equivalent of ARP): sent by a node to determine the link-layer address of a neighbor. Neighbor discovery can act as a link-local ping replacement. Some hosts may block multicast pings, but none should block multicast ND solicitations.
• Router discovery: a host asks the routers to generate a Router Advertisement packet immediately.

13 Ethernet Vendor ID

• It is typical for the low 64 bits of an IPv6 address to be the Interface Identifier.
• The Interface Identifier is typically the modified EUI-64 representation of the layer 2 address.
• Part of this can be guessed (the layer 2 vendor ID, i.e. the 24-bit OUI), which reduces the search space from 64 bits to the 24 remaining MAC bits per vendor seen on the network.

EUI-64: http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
Vendor ID: http://standards.ieee.org/regauth/oui/oui.txt

Example OUIs: 00-01-02, 00-05-B5, 00-07-E9, 00-E0-4C

14 DHCPv6 state tables

• A DHCPv6 server must keep internal state tables to track the IPs it has granted.
• Examining the in-memory or on-disk representation of this state will turn up live IPs.
• It may be logs, a SQL database, an application API, or even hooking the server process.
• Requires access to the server and the rights to do this.

MSDN (DHCP Server Management API):

    DWORD DHCP_API_FUNCTION DhcpEnumSubnetClients(
        DHCP_CONST WCHAR* ServerIpAddress,
        DHCP_IP_ADDRESS SubnetAddress,
        DHCP_RESUME_HANDLE* ResumeHandle,
        DWORD PreferredMaximum,
        LPDHCP_CLIENT_INFO_ARRAY* ClientInfo,
        DWORD* ClientsRead,
        DWORD* ClientsTotal);

    DWORD DHCP_API_FUNCTION DhcpEnumSubnets(
        DHCP_CONST WCHAR* ServerIpAddress,
        DHCP_RESUME_HANDLE* ResumeHandle,
        DWORD PreferredMaximum,
        LPDHCP_IP_ARRAY* EnumInfo,
        DWORD* ElementsRead,
        DWORD* ElementsTotal);

Note that these two prototypes are the IPv4 side of the API (DHCP_IP_ADDRESS is a 32-bit address); the Windows DHCPv6 server exposes the same enumeration through the V6 variants, DhcpEnumSubnetsV6 and DhcpEnumSubnetClientsV6.

15 Neighbor cache

• Every IPv6 router and host must keep a neighbor cache, so we can get some live IP addresses from it.
• Similar to an ARP cache in IPv4.
• Contains live addresses and their associated layer 2 addresses.
• Can be accessed via SNMP or OS/application-specific APIs.

SNMP OID: .1.3.6.1.2.1.55.1.12 (ipv6NetToMediaTable, RFC 2465)

Windows:

    C:\research>netsh interface ipv6 show neighbors
    Interface 6: Local Area Connection
    Internet Address             Physical Address    Type
    fe80::210:a4ff:feb6:b972     00-10-a4-b6-b9-72   Stale
    fe80::211:25ff:fe5a:cd63     00-11-25-5a-cd-63   Permanent

Linux:

    # ip -6 neigh show
    fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
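A scanner that collects neighbor caches from many hosts needs to normalise both dump formats into one list of live unicast addresses. The parser below is an added example (not Retina's code); the two sample dumps are constructed to look like the commands above and include a multicast entry and a FAILED entry so the filtering is visible.

```python
"""Parse Windows netsh and Linux ip -6 neigh dumps into live host rows (added example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

Row = Tuple[str, Optional[str], str]   # (ipv6 address, link-layer address or None, state)

# Constructed samples shaped like the two commands on the slide.
NETSH_SAMPLE = """\
Interface 6: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::210:a4ff:feb6:b972                      00-10-a4-b6-b9-72  Stale
fe80::211:25ff:fe5a:cd63                      00-11-25-5a-cd-63  Permanent
ff02::1                                       33-33-00-00-00-01  Permanent
"""

IP_NEIGH_SAMPLE = """\
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:01:23:45:67:89 STALE
2001:db8:1::77 dev eth0  FAILED
"""

# address, optional %zone, dash-separated MAC, one-word state
_NETSH_ROW = re.compile(
    r"^\s*([0-9a-f:.]+)(?:%\d+)?\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)


def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_netsh(text: str) -> List[Row]:
    """Rows of `netsh interface ipv6 show neighbors`; header and separator lines are skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = _NETSH_ROW.match(line)
        if m:
            rows.append((m.group(1).lower(), _norm_mac(m.group(2)), m.group(3).lower()))
    return rows


def parse_ip_neigh(text: str) -> List[Row]:
    """Rows of `ip -6 neigh show`; the NUD state is the last token, lladdr may be absent."""
    rows: List[Row] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        rows.append((tok[0].lower(), mac, tok[-1].lower()))
    return rows


def live_unicast(rows: List[Row]) -> List[str]:
    """Unicast addresses that currently resolve to a link-layer address, in first-seen order."""
    seen: List[str] = []
    for addr, mac, state in rows:
        if mac is None or state in ("failed", "incomplete", "unreachable"):
            continue                      # never resolved, or resolution has failed
        if ipaddress.IPv6Address(addr).is_multicast:
            continue                      # group addresses are not hosts
        if addr not in seen:
            seen.append(addr)
    return seen


if __name__ == "__main__":
    print(live_unicast(parse_netsh(NETSH_SAMPLE) + parse_ip_neigh(IP_NEIGH_SAMPLE)))
```

"Stale" entries are kept on purpose: a stale neighbor was reachable recently and is still worth probing, whereas FAILED means the kernel could not resolve it.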

16 Target IPv4

• Mixed-mode networks often have both IPv4 and IPv6 addresses: discover the hosts over IPv4 instead, then enumerate their IPv6 addresses.
• IPv6 transition addressing schemes often embed IPv4 addresses in their address format, potentially reducing the address search space (ISATAP and 6to4 transitional addresses).
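Slides 13 and 16 both come down to the same trick: read the interface identifier and see whether it leaks something smaller than 64 bits. The classifier below is an added example (not Retina's code) that recognises modified EUI-64 identifiers (recovering the MAC and its OUI), ISATAP identifiers and 6to4 prefixes (recovering the embedded IPv4 address), and enumerates ISATAP candidates for an IPv4 subnet. The addresses used are constructed test values.

```python
"""Search-space hints from an IPv6 address: EUI-64, ISATAP, 6to4 (added example)."""
import ipaddress
from typing import Dict, Iterator, Optional


def classify_address(text: str) -> Dict[str, Optional[str]]:
    """Return what the address gives away: kind, MAC/OUI for EUI-64, IPv4 for transition forms."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    iid = raw[8:]
    result: Dict[str, Optional[str]] = {
        "address": str(addr), "kind": "opaque", "mac": None, "oui": None, "ipv4": None}

    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the /48 carries the site's public IPv4 address
    if raw[:2] == b"\x20\x02":
        result["kind"] = "6to4"
        result["ipv4"] = str(ipaddress.IPv4Address(raw[2:6]))
        return result

    # ISATAP (RFC 5214): interface id 0000:5EFE:a.b.c.d (0200:5EFE when the IPv4 is global)
    if iid[0] in (0x00, 0x02) and iid[1] == 0x00 and iid[2:4] == b"\x5e\xfe":
        result["kind"] = "isatap"
        result["ipv4"] = str(ipaddress.IPv4Address(iid[4:8]))
        return result

    # modified EUI-64 (RFC 4291 appendix A): 0xfffe in the middle, u/l bit inverted
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        result["kind"] = "eui64"
        result["mac"] = "-".join("%02x" % b for b in mac)
        result["oui"] = "-".join("%02X" % b for b in mac[:3])   # lookup key into oui.txt
        return result

    return result   # privacy/random/static identifier: nothing to shrink the search with


def isatap_candidates(prefix: str, ipv4_net: str, global_ipv4: bool = False) -> Iterator[str]:
    """Every ISATAP address a host in `ipv4_net` would take under `prefix`; the
    64-bit host space collapses to the size of the IPv4 subnet."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP identifiers are placed in a /64")
    base = int(net.network_address)
    lead = 0x0200_5EFE_0000_0000 if global_ipv4 else 0x0000_5EFE_0000_0000
    for host in ipaddress.IPv4Network(ipv4_net).hosts():
        yield str(ipaddress.IPv6Address(base | lead | int(host)))


if __name__ == "__main__":
    for sample in ("fe80::210:a4ff:feb6:b972", "2002:c000:204::1", "fe80::5efe:192.0.2.4"):
        print(classify_address(sample))
    print(list(isatap_candidates("2001:db8:1::/64", "192.0.2.0/30")))
```

For an EUI-64 hit the remaining work is the 24 serial bits under the OUI (2^24 probes per vendor seen on the link); for ISATAP it is the IPv4 subnet size; a 6to4 prefix identifies the site's IPv4 gateway but says nothing about the identifier behind it.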

17 Local discovery and distributed architecture

• IPv6 is designed to make internal visibility good but external visibility poor.
• Internal network discovery becomes somewhat easier.
• External discovery is still a challenge.
• Use many distributed scanners:
  - Closer to the source, so able to use ND and multicast.
  - Distributes the workload across many platforms.

18 IPv6 OS Detection

19 Negative impact caused by supporting IPv6 - OS detection

• Detect the OS type remotely, without credentials.
• OS detection is necessary to manage the asset information and for accurate vulnerability scanning.
• We can detect the remote OS type by examining differences in the TCP/IP implementation, network service banners, and other factors.
• We can use most of the OS detection methods designed for an IPv4 network. However, the IPv4 ICMP OS detection method cannot be used as is.
• Currently, if a target closes all TCP and UDP ports, we cannot detect the remote OS.

20 Basics of remote OS detection

• We detect the remote OS type by using the differences in TCP/IP implementations.
• Send some packets and analyze the responses.

TCP OS detection (Nmap method)
  - Send some specially crafted TCP packets and analyze the responses.
  - The OS is identified by some parameters (window size, TCP options, etc.).
  - Needs at least one open TCP port.

ICMPv4 OS detection (Xprobe method)
  - Send some specially crafted ICMP packets and analyze the responses.
  - The OS is identified by the ICMP types returned and some IP header parameters.
  - It does not depend on open ports.

ICMPv6 OS detection
  - Send some specially crafted ICMPv6 packets and analyze the responses.
  - IPv6 does not carry ICMPv4, so we need a new method for IPv6.

21 ICMPv4 OS detection

Test packets:
• UDP to an unreachable (closed) port
• ICMP Echo Request
• ICMP Timestamp Request
• ICMP Information Request
• ICMP Netmask Request

Parameters used for OS detection:
• Respond or no response
• IP Length
• IP Identification
• IP TOS
• IP Flags
• IP Fragment Offset
• IP TTL
• Checksum

Reference: "X remote ICMP based OS fingerprinting techniques", Ofir Arkin and Fyodor Yarochkin, http://www.sys-security.com/

22 ICMPv6 OS detection - Test packets and targets

Test packets:
• ICMPv6 Echo Request
• ICMPv6 Echo Request (invalid Code)
• UDP to an unreachable port
• ICMPv6 Multicast Listener Discovery (query)
• ICMPv6 Neighbor Solicitation

Targets:
• Windows XP SP2
• Windows Vista Beta 2 Build 5384
• Solaris 10
• Linux (Fedora, kernel 2.6.15)
• FreeBSD 6.0

23 ICMPv6 Echo Request / Hop Limit - Probe & Response

Probe - ICMPv6 Echo Request:
  IPv6 header: Version, Traffic Class, Flow Label, Payload Length, Next Header (58), Hop Limit
  ICMPv6: Type = 128, Code = 0, Checksum, Identifier, Sequence Number, Data ...

Response - ICMPv6 Echo Reply:
  IPv6 header: Version, Traffic Class, Flow Label, Payload Length, Next Header (58), Hop Limit (the field examined)
  ICMPv6: Type = 129, Code = 0, Checksum, Identifier, Sequence Number, Data ...

24 ICMPv6 Echo Request / Hop Limit - Characteristics

Hop Limit of the Echo Reply (target on the same link, so no decrement by routers):

  OS             Hop Limit
  Windows XP     128
  Windows Vista  128
  Solaris        255
  Linux          64
  FreeBSD        64

Decision tree so far:
  Hop Limit 128 -> Windows XP, Windows Vista
  Hop Limit 64  -> Linux, FreeBSD
  Hop Limit 255 -> Solaris

25 ICMPv6 Echo Request / Invalid Code - Probe & Response

Probe - ICMPv6 Echo Request with an invalid Code:
  ICMPv6: Type = 128, Code = 1, Checksum, Identifier, Sequence Number, Data ...

The Code field of an ICMPv6 Echo Request should be 0 (RFC 2463). However, most implementations do not check the Code field and answer anyway.
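To send the probes on slides 23 and 25 you need to build ICMPv6 yourself, and the one part that is easy to get wrong is the checksum, which covers an IPv6 pseudo-header. The builder and parser below are an added example (not Retina's code): it constructs an Echo Request with an arbitrary Code, computes the RFC 2463 checksum, and extracts the Hop Limit, Type, Code and checksum validity from a raw IPv6+ICMPv6 packet. The addresses, identifier and payload are constructed test values.

```python
"""Build and check ICMPv6 Echo probes, including the invalid-code variant (added example)."""
import ipaddress
import struct
from typing import Dict

ICMPV6_ECHO_REQUEST = 128
ICMPV6_ECHO_REPLY = 129
IPPROTO_ICMPV6 = 58


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """RFC 2463 section 2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, three zero bytes, next header = 58) plus the
    ICMPv6 message. Run over a message whose checksum field is already filled
    in, this returns 0 when the packet is intact."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"                     # pad to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, msg_type: int, code: int, ident: int, seq: int,
               payload: bytes = b"") -> bytes:
    """ICMPv6 Echo Request/Reply with the checksum filled in."""
    body = struct.pack("!BBHHH", msg_type, code, 0, ident, seq) + payload
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes = b"", code: int = 0) -> bytes:
    """code=0 is the RFC 2463 value; code=1 is the slide's invalid-code probe."""
    return build_echo(src, dst, ICMPV6_ECHO_REQUEST, code, ident, seq, payload)


def wrap_ipv6(src: str, dst: str, hop_limit: int, icmp: bytes) -> bytes:
    """Prepend a 40-byte IPv6 header (version 6, zero traffic class and flow label)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def parse_icmpv6(packet: bytes) -> Dict[str, object]:
    """Pull the fields the fingerprint cares about out of a raw IPv6+ICMPv6 packet."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != IPPROTO_ICMPV6:
        raise ValueError("not an IPv6 packet carrying ICMPv6 as the next header")
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    payload_len = struct.unpack("!H", packet[4:6])[0]
    icmp = packet[40:40 + payload_len]
    return {
        "src": src, "dst": dst,
        "hop_limit": packet[7],
        "type": icmp[0], "code": icmp[1],
        "checksum_ok": icmpv6_checksum(src, dst, icmp) == 0,
    }


if __name__ == "__main__":
    probe = build_echo_request("2001:db8::1", "2001:db8::2", 0x1234, 1, b"retina", code=1)
    print(probe.hex())
```

On a real scan the request goes out through a raw socket (AF_INET6, SOCK_RAW, IPPROTO_ICMPV6, which needs root or CAP_NET_RAW) and the reply's Hop Limit has been decremented once per router on the path, so only an on-link target shows the initial values in the slide's table.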

26 ICMPv6 Echo Request / Invalid Code - Characteristics

Echo Reply to an Echo Request with Code = 1:

  OS             Response
  Windows XP     Yes
  Windows Vista  Yes
  Solaris        Yes
  Linux          Yes
  FreeBSD        No

Decision tree so far:
  Hop Limit 128 -> Windows XP, Windows Vista
  Hop Limit 255 -> Solaris
  Hop Limit 64  -> reply to invalid Code? Yes -> Linux; No -> FreeBSD

27 UDP Port Unreachable / Probe & Response

Probe - send a UDP packet over IPv6 to a closed port:
  IPv6 header: Version, Traffic Class, Flow Label, Payload Length, Next Header (17), Hop Limit
  UDP: Source Port, Destination Port (closed), UDP Length, UDP Checksum, Data ...

Response - an ICMPv6 Destination Unreachable message is sent back from the target:
  ICMPv6: Type = 1, Code = 4 (Port Unreachable), Checksum, Unused (4 bytes),
  then as much of the invoking packet as will fit without the ICMPv6 packet exceeding the minimum IPv6 MTU

28 UDP Port Unreachable / Characteristics

ICMPv6 Port Unreachable returned for UDP to a closed port:

  OS             Response
  Windows XP     Yes
  Windows Vista  No
  Solaris        Yes
  Linux          Yes
  FreeBSD        No

"A destination node SHOULD send a Destination Unreachable message with Code 4 in response to a packet for which the transport protocol (e.g., UDP) has no listener, if that transport protocol has no alternative means to inform the sender." (RFC 2463)

→ SHOULD, not MUST, so an implementation that stays silent is still conformant.

Decision tree so far:
  Hop Limit 128 -> UDP Port Unreachable? Yes -> Windows XP; No -> Windows Vista
  Hop Limit 255 -> Solaris
  Hop Limit 64  -> reply to invalid Code? Yes -> Linux; No -> FreeBSD

29 ICMPv6 Multicast Listener Discovery / Probe & Response

The purpose of MLD is to enable a router to discover the presence of multicast listeners.

Probe - send a Multicast Listener Query (MLDv1) to the target:
  ICMPv6: Type = 130, Code = 0, Checksum
  Maximum Response Delay = 0x0000, Reserved
  Multicast Address = all zero (a General Query)

Response - a Multicast Listener Report is sent back from the target:
  ICMPv6: Type = 131 or 143, Code = 0, Checksum
  The rest of the Multicast Listener Report depends on the Type field.

30 MLDv1 vs MLDv2

• MLDv2 adds sender (source address) information, i.e. source filtering, to MLDv1.
• MLDv1 Query and MLDv2 Query share the same ICMPv6 Type (130). An IPv6 node recognizes the MLD version by checking the length of the packet (24 bytes = MLDv1 Query, 28 bytes or more = MLDv2 Query).
• Some implementations respond with MLDv2 even if the query is MLDv1. Some implementations don't respond at all.

ICMPv6 MLDv1 Multicast Listener Report:
  Type = 131, Code = 0, Checksum
  Maximum Response Delay, Reserved
  Multicast Address

ICMPv6 MLDv2 Multicast Listener Report:
  Type = 143, Code = 0, Checksum
  Reserved, Number of Multicast Address Records
  Multicast Address Record [1] ... Multicast Address Record [n]

Multicast Address Record [1]

31 ICMPv6 Multicast Listener Report / Characteristics

Report returned for an MLDv1 General Query:

  OS             Response
  Windows XP     MLDv1 Report
  Windows Vista  No response
  Solaris        No response
  Linux          MLDv2 Report
  FreeBSD        MLDv1 Report

Decision tree so far:
  Hop Limit 128 -> MLD Query: v1 Report -> Windows XP; none -> Windows Vista
  Hop Limit 255 -> Solaris
  Hop Limit 64  -> MLD Query: v2 Report -> Linux; v1 Report -> FreeBSD

32 ICMPv6 Multicast Listener Report / IPv6 Hop-by-Hop Option

An IPv6 Hop-by-Hop Options header is included in the MLD Report response packet. The sequence of the options depends on the implementation.

  IPv6 header: Version, Traffic Class, Flow Label, Payload Length, Next Header = 0 (Hop-by-Hop), Hop Limit
  Hop-by-Hop Options header: Next Header = 58 (ICMPv6), Header Ext Len, Hop-by-Hop Option(s)
  ICMPv6 Multicast Listener Report: Type = 131, Code = 0, Checksum, ... (rest depends on the Type field)

33 IPv6 Hop-by-Hop Option / Characteristics

Option sequence (option types, in order) in the Hop-by-Hop header of the MLD Report:

  OS             Response
  Windows XP     05 -> 01
  Windows Vista  No response
  Solaris        No response
  Linux          05 -> 01
  FreeBSD        01 -> 05

Type 0x05 is the Router Alert option (RFC 2711), which RFC 2710 requires in every MLD message; type 0x01 is PadN, used to pad the header to a multiple of 8 bytes. Both stacks send the same two options; only the order differs.

Option format:
  Type    8-bit option type
  Length  8-bit option length
  Data    option data, depends on the option type

The highest two bits of the option type tell a node what to do with an option it does not recognize:
  00  skip over this option and continue processing the header
  01  discard the packet
  10  discard the packet and, regardless of whether or not the packet's Destination Address was a multicast address, send an ICMP Parameter Problem
  11  discard the packet and, only if the packet's Destination Address was not a multicast address, send an ICMP Parameter Problem
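Reading the option order out of a captured report means walking the Hop-by-Hop header option by option, honouring Pad1's missing length byte. The decoder below is an added example (not Retina's code); the two constructed headers reproduce the "05 -> 01" and "01 -> 05" orders from the table above, with Router Alert value 0 (MLD) and a zero-length PadN.

```python
"""Decode an IPv6 Hop-by-Hop Options header and its option-type action bits (added example)."""
from typing import List, Tuple

PAD1, PADN, ROUTER_ALERT = 0x00, 0x01, 0x05
IPPROTO_ICMPV6 = 58


def parse_hop_by_hop(data: bytes) -> Tuple[int, List[Tuple[int, bytes]], int]:
    """RFC 2460 section 4.3. `data` starts at the Hop-by-Hop header.
    Returns (next_header, [(option_type, option_data), ...], header_length_in_bytes)."""
    if len(data) < 8:
        raise ValueError("Hop-by-Hop header is at least 8 bytes")
    next_header, ext_len = data[0], data[1]
    length = (ext_len + 1) * 8          # Hdr Ext Len counts 8-byte units after the first
    if len(data) < length:
        raise ValueError("truncated Hop-by-Hop header")
    options: List[Tuple[int, bytes]] = []
    i = 2
    while i < length:
        otype = data[i]
        if otype == PAD1:               # single byte, no length field
            options.append((otype, b""))
            i += 1
            continue
        olen = data[i + 1]
        if i + 2 + olen > length:
            raise ValueError("option runs past the end of the header")
        options.append((otype, data[i + 2:i + 2 + olen]))
        i += 2 + olen
    return next_header, options, length


def unrecognized_action(option_type: int) -> str:
    """Highest two bits of the type: what a node does with an option it does not know."""
    return {
        0b00: "skip",
        0b01: "discard",
        0b10: "discard and send ICMPv6 Parameter Problem",
        0b11: "discard and send ICMPv6 Parameter Problem unless destination is multicast",
    }[option_type >> 6]


def may_change_en_route(option_type: int) -> bool:
    """Third-highest bit: routers on the path may rewrite the option data."""
    return bool(option_type & 0x20)


def option_sequence(data: bytes) -> str:
    """The 'xx -> yy' string used on the slides, e.g. '05 -> 01'."""
    _, options, _ = parse_hop_by_hop(data)
    return " -> ".join("%02x" % t for t, _ in options)


# Constructed headers matching the two orders in the table: Router Alert (type 0x05,
# value 0 = MLD, RFC 2711) followed by PadN, and PadN followed by Router Alert.
HBH_ROUTER_ALERT_FIRST = bytes.fromhex("3a00 0502 0000 0100")
HBH_PADN_FIRST = bytes.fromhex("3a00 0100 0502 0000")

if __name__ == "__main__":
    for name, hdr in (("router alert first", HBH_ROUTER_ALERT_FIRST), ("padn first", HBH_PADN_FIRST)):
        print(name, option_sequence(hdr), parse_hop_by_hop(hdr))
```

Both headers are 8 bytes with Next Header 58, so the difference a fingerprint can see really is only the order of the two options.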

34 ICMPv6 Neighbor Solicitation / Probe & Response

A Neighbor Solicitation is sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.

Probe - send a Neighbor Solicitation to the target:
  ICMPv6: Type = 135, Code = 0, Checksum
  Reserved
  Target Address = the target's IPv6 address (the source address of the expected reply)
  Option(s)

Response - a Neighbor Advertisement is sent back from the target:
  ICMPv6: Type = 136, Code = 0, Checksum
  R | S | O flags, Reserved (R = Router flag, S = Solicited flag, O = Override flag)
  Target Address
  Option(s)

35 ICMPv6 Neighbor Solicitation / Characteristics

Override (O) flag in the Neighbor Advertisement:

  OS             Override flag
  Windows XP     Enabled
  Windows Vista  Enabled
  Solaris        Enabled
  Linux          Disabled
  FreeBSD        Disabled

36 Fingerprint

Nine-bit fingerprint built from the six probes:

  Bits   Parameter               Value
  8,7    Hop Limit               00 = other, 01 = 64, 10 = 128, 11 = 255
  6      Invalid Code            0 = no response, 1 = response
  5      UDP Unreachable         0 = no response, 1 = response
  4,3    MLD Query               00 = no response, 01 = MLDv1, 10 = MLDv2, 11 = other
  2,1    Hop-by-Hop Option       00 = no response, 01 = 01->05, 10 = 05->01, 11 = other
  0      Neighbor Solicitation   0 = Override disabled, 1 = Override enabled

  OS             8,7  6  5  4,3  2,1  0   Fingerprint
  Windows XP     10   1  1  01   10   1   0x16D
  Windows Vista  10   1  0  00   00   1   0x141
  Solaris        11   1  1  00   00   1   0x1E1
  Linux          01   1  1  10   10   0   0x0F4
  FreeBSD        01   0  0  01   01   0   0x08A
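The table is only useful once the six observations are packed into the same 9-bit layout and compared against known values. The encoder below is an added example (not Retina's code) built from the slide's bit assignments and its five reference fingerprints; it also normalises a Hop Limit that routers have decremented back to a plausible initial value, and ranks known systems by Hamming distance so that a single filtered or missing probe still gives a best guess instead of no match. The OS labels attached to the values are the slide's targets.

```python
"""Encode the slide's 9-bit ICMPv6 fingerprint and match observations against it (added example)."""
from typing import Dict, List, Tuple

HOP_LIMIT_CODE = {64: 0b01, 128: 0b10, 255: 0b11}                     # 00 = other
MLD_CODE = {"none": 0b00, "v1": 0b01, "v2": 0b10, "other": 0b11}
HBH_CODE = {"none": 0b00, "01->05": 0b01, "05->01": 0b10, "other": 0b11}

# Reference fingerprints from the slide's table.
KNOWN = {
    0x16D: "Windows XP",
    0x141: "Windows Vista",
    0x1E1: "Solaris 10",
    0x0F4: "Linux 2.6 (Fedora)",
    0x08A: "FreeBSD 6.0",
}


def initial_hop_limit(observed: int) -> int:
    """Routers decrement Hop Limit, so map an observed value to the smallest common
    initial value (64/128/255) at or above it. The slide's targets were on-link,
    where observed == initial."""
    for initial in (64, 128, 255):
        if observed <= initial:
            return initial
    raise ValueError("Hop Limit is an 8-bit field")


def encode(hop_limit: int, invalid_code_reply: bool, udp_unreachable: bool,
           mld_report: str, hbh_sequence: str, ns_override: bool) -> int:
    """Pack the six observations: bits 8-7 Hop Limit, 6 invalid-code reply,
    5 UDP unreachable, 4-3 MLD report version, 2-1 Hop-by-Hop option order,
    0 Neighbor Advertisement Override flag."""
    fp = HOP_LIMIT_CODE.get(hop_limit, 0b00) << 7
    fp |= int(invalid_code_reply) << 6
    fp |= int(udp_unreachable) << 5
    fp |= MLD_CODE.get(mld_report, MLD_CODE["other"]) << 3
    fp |= HBH_CODE.get(hbh_sequence, HBH_CODE["other"]) << 1
    fp |= int(ns_override)
    return fp


def decode(fp: int) -> Dict[str, object]:
    """Inverse of encode(), for printing what a stored fingerprint means."""
    inv_hop = {v: k for k, v in HOP_LIMIT_CODE.items()}
    inv_mld = {v: k for k, v in MLD_CODE.items()}
    inv_hbh = {v: k for k, v in HBH_CODE.items()}
    return {
        "hop_limit": inv_hop.get((fp >> 7) & 0b11, "other"),
        "invalid_code_reply": bool(fp & 0x40),
        "udp_unreachable": bool(fp & 0x20),
        "mld_report": inv_mld[(fp >> 3) & 0b11],
        "hbh_sequence": inv_hbh[(fp >> 1) & 0b11],
        "ns_override": bool(fp & 0x01),
    }


def match(fp: int) -> List[Tuple[str, int]]:
    """Known systems ordered by Hamming distance from the observed fingerprint:
    0 is an exact hit; a small distance usually means one probe was filtered
    or the target is a newer release of that family."""
    return sorted(((name, bin(fp ^ ref).count("1")) for ref, name in KNOWN.items()),
                  key=lambda pair: (pair[1], pair[0]))


if __name__ == "__main__":
    observed = encode(initial_hop_limit(126), True, True, "v1", "05->01", True)
    print(hex(observed), decode(observed), match(observed)[:2])
```

Hamming distance is a crude metric, since a two-bit field like Hop Limit can differ by one bit between unrelated systems; the fingerprint database in the next slide's future-work list is what would turn this into a real classifier.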

37 ICMPv6 OS detection - Future work

• Determine the OS detection accuracy
  - Deploy this algorithm against more OSes
  - Collect more fingerprints
• Improve accuracy
  - Identify the OS version
  - Find better parameters to be more accurate
  - Check the parameters related to Mobile IP and security (IPsec)

38

Thank you for attending!

Questions?

Contact: Yuji Ukai <[email protected]>
