cansecwest/core06
van Hauser – THC / nruns GmbH
Title: Attacking the IPv6 protocol suite
This talk was a solid discussion of the weaknesses of IPv6 (caused by its complexity). The research was very well presented in his slides, and tools demonstrating all of these weaknesses are available. The majority of the exploits were DoS or man-in-the-middle strategies. Overall, a very solid presentation.
I missed core05, but it appears that this material was presented at the last PacSec.
http://pacsec.jp/core05/psj05-vanhauser-en.pdf
The presentation today was slightly updated, but not by much.
He covered how blackhats have been leveraging v6 for some time now as a means of evading detection of their backdoor applications (malware or trojan applications installed after the host is compromised and then used to do their bidding). Most of the scanning and sniffing tools a few years back did not even have v6 capabilities. It was the best cloaking available, and they got it for free.
Heck, as you read this posting, I'll bet that you have IPv6 enabled on your machine and don't even know it. For the people not afraid of a command line, most OSes will accept a 'netstat -a' at the shell; the line items with udp6 and tcp6 are services running right now and bound to a v6 address, LIVE ON THE NETWORK! Applications do a wildcard bind() and, bang, you have a v6 socket in a *.* LISTEN state.
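To turn that 'netstat -a' check into something repeatable, here is an added example (my code, not from the talk or from THC) that parses Linux net-tools `netstat -an` output and reports which v6 sockets are actually reachable from off-host. The sample output is constructed, not captured from a real machine; the layout assumed is the Linux one (BSD prints `*.*` and `.` as the port separator, so the splitter would need adjusting there).

```python
import ipaddress

# Constructed sample in Linux net-tools `netstat -an` layout; not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:443         2001:db8::9:51522       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::5353                 :::*
udp6       0      0 fe80::1%eth0:546        :::*
"""


def split_host_port(local):
    """Split 'host:port'; IPv6 hosts contain colons, so split on the last one."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def scope_of(host):
    """Classify the bound address: wildcard (::), loopback, link-local or global."""
    addr = ipaddress.IPv6Address(host.split("%")[0])   # drop a zone id such as %eth0
    if addr.is_unspecified:
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "global"


def ipv6_sockets(text):
    """Bound v6 sockets: LISTEN rows for tcp6, every row for udp6 (UDP has no state column)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp6", "udp6"):
            continue
        state = f[5] if len(f) > 5 else ""
        if f[0] == "tcp6" and state != "LISTEN":
            continue                      # established/time-wait rows are not listeners
        host, port = split_host_port(f[3])
        out.append({"proto": f[0], "addr": host, "port": port, "scope": scope_of(host)})
    return out


def exposed_ipv6_services(text):
    """(proto, port) pairs reachable from another host over v6: wildcard or global binds."""
    return sorted((s["proto"], s["port"]) for s in ipv6_sockets(text)
                  if s["scope"] in ("wildcard", "global"))


if __name__ == "__main__":
    for proto, port in exposed_ipv6_services(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is reachable over IPv6")
```

On the sample, ports 22, 80 and 5353 come back as exposed while the CUPS listener on ::1 and the DHCPv6 client on the link-local address do not. One caveat worth knowing: on Linux a `:::22` listener with IPV6_V6ONLY left at the default also serves IPv4 clients through v4-mapped addresses, so the same wildcard bind shows up once for each family and a packet filter has to cover both.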
THC has an IPv6 Attack Toolkit that looks very promising.
It is an IPv6 packet factory library. Constraints today are:
- Linux 2.6.x only
- Little endian, 32bit
- Ethernet and raw mode
Let me describe a few applications based on this THC library:
Application: 'alive6' is the tool for endpoint discovery (finding live v6 hosts).
Application: 'parasite6' is a man-in-the-middle tool that leverages v6 neighbor discovery and solicitation.
Application: 'dos-new-ipv6' abuses the init stage of the stack (duplicate address detection), where a host checks the network to see if someone is already using the address it has picked as a candidate, by always answering "YEAH DUDE, I AM USING THAT ONE" to every single test. The host that is trying to come onto the network never gets there, because every address appears to be in use. ☺
Application: 'fake_router6' essentially abuses RAs (router advertisements) and is able to get in the middle of the victim and the rest of the network by becoming its default router.
Note: there is no v4-style broadcast in v6; instead you have multicast.
Application: 'smurf6' can be used for local-segment smurfs.
Application: 'rsmurf6' reverses the logic: instead of the traditional one-to-many-to-one amplification, it is one-to-one-to-many.
Application: 'redir6' abuses ICMP redirects in the same way they were abused in IPv4.
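The two neighbor-discovery tools above ('parasite6' and 'dos-new-ipv6') share one wire-level signature: a Neighbor Advertisement whose target link-layer address option claims ownership of far more IPv6 addresses than any real host owns. The following added example (my code, not part of THC's toolkit or the talk) builds the ICMPv6 messages involved with a correct pseudo-header checksum, parses them back, and runs a detector over a constructed capture of one honest host plus one station answering every DAD probe. Packet contents and MAC addresses are invented for illustration.

```python
import ipaddress
import struct

# ICMPv6 Neighbor Discovery types and NA flag bits (RFC 4861)
ICMPV6_NS = 135          # Neighbor Solicitation
ICMPV6_NA = 136          # Neighbor Advertisement
NA_FLAG_SOLICITED = 0x40000000
NA_FLAG_OVERRIDE = 0x20000000
OPT_TARGET_LLADDR = 2


def _ones_complement(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message (checksum field zeroed)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + b"\x3a")   # next header 58
    return _ones_complement(pseudo + icmp)


def _with_checksum(src: str, dst: str, body: bytes) -> bytes:
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def solicited_node(target: str) -> str:
    """ff02::1:ffXX:XXXX, the multicast group a DAD probe for `target` is sent to."""
    low24 = ipaddress.IPv6Address(target).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def build_ns(target: str):
    """DAD probe: unspecified source, solicited-node destination, no options."""
    src, dst = "::", solicited_node(target)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    return src, dst, _with_checksum(src, dst, body)


def build_na(src: str, target: str, mac: str, dst: str = "ff02::1",
             flags: int = NA_FLAG_OVERRIDE):
    """NA claiming `target` is owned by `mac`. A DAD probe has no source to reply to,
    so the answer (honest or spoofed) goes to all-nodes ff02::1 with the S flag clear."""
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    body += bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return src, dst, _with_checksum(src, dst, body)


def parse_nd(src: str, dst: str, body: bytes):
    """Decode an NS/NA. Returns None for other types, bad checksums or malformed options."""
    if len(body) < 24:
        return None
    mtype, code, cksum, flags = struct.unpack("!BBHI", body[:8])
    if mtype not in (ICMPV6_NS, ICMPV6_NA) or code != 0:
        return None
    if icmpv6_checksum(src, dst, body[:2] + b"\x00\x00" + body[4:]) != cksum:
        return None
    lladdr, off = None, 24
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0 or off + olen * 8 > len(body):
            return None                  # RFC 4861 5.2: zero-length or truncated option
        if otype == OPT_TARGET_LLADDR and olen == 1:
            lladdr = body[off + 2:off + 8].hex(":")
        off += olen * 8
    return {"type": mtype, "src": src, "target": str(ipaddress.IPv6Address(body[8:24])),
            "lladdr": lladdr, "override": bool(flags & NA_FLAG_OVERRIDE)}


def find_nd_spoofers(packets, threshold: int = 3):
    """A link-layer address advertised as owner of >= threshold distinct targets is the
    signature of parasite6 (MITM) or dos-new-ipv6 (answering every DAD probe)."""
    claims = {}
    for src, dst, body in packets:
        msg = parse_nd(src, dst, body)
        if msg and msg["type"] == ICMPV6_NA and msg["lladdr"]:
            claims.setdefault(msg["lladdr"], set()).add(msg["target"])
    return {mac: sorted(t) for mac, t in claims.items() if len(t) >= threshold}


def sample_traffic():
    """Constructed capture: one honest host plus one station answering every DAD probe."""
    pkts = [build_ns("fe80::1"),
            build_na("fe80::1", "fe80::1", "00:11:22:33:44:55")]   # honest owner of fe80::1
    for victim in ("fe80::aaaa", "fe80::bbbb", "2001:db8::10", "2001:db8::11"):
        pkts.append(build_ns(victim))                               # newcomer probing
        pkts.append(build_na(victim, victim, "de:ad:be:ef:00:01"))  # attacker: "already taken"
    return pkts


if __name__ == "__main__":
    print(find_nd_spoofers(sample_traffic()))
```

The threshold is the tunable: a router that proxies ND for several hosts will legitimately answer for more than one target, so in practice you whitelist known proxy MACs rather than lower the threshold. The checksum verification matters for the detector as well as the builder: a stack drops an NA with a bad checksum, so a "spoofer" that never passes validation is not actually affecting anyone.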
The key issues were:
- In IPv6, network-based worms will not be as effective at finding their next victim with the scanning methods currently used in v4.
- DNS will become a primary target.
- More client-side exploitation strategies, like the WMF exploit, will emerge.
- Native IPsec support would reduce your exposure significantly but will rarely be used, for many reasons.
- All of these tools exploit the complexity of the protocol itself.
I completely agree with all of this research.
A very nice presentation, and highly educational to customers and vendors alike.
--tk
Comments (1)
Yeah, I really think folks have to start putting more work into IPv6 stuff... and that includes us :)
Posted by Byron Sonne | April 6, 2006 9:43 AM