Download - Charla ipv6
![Page 2: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/2.jpg)
2
1. Brief introduction to IPv6
2. Some security risks in IPv6
3. Research results
4. Demo
Seguridad en IPv6
![Page 3: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/3.jpg)
3
1. Brief introduction to IPv6
![Page 4: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/4.jpg)
4
Some interesting aspects of IPv6
The main driver for IPv6 is its
increased address space
IPv6 uses 128-bit addresses
There are different address types (unicast,
anycast, and multicast) and different address
scopes (link-local, global, etc.)
It’s common for a node to be using, at any given time,
several addresses, of multiple types and scopes.
![Page 5: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/5.jpg)
5
Some interesting aspects of IPv6
The “end-to-end principle” …
Each device will have a
globally-unique address.
NATs will be no longer needed.
![Page 6: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/6.jpg)
6
Hacking IPv6
![Page 7: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/7.jpg)
7
Hacking IPv6 - parasite6: icmp neighbor solitication/advertisement spoofer, puts you as
man-in-the-middle, same as ARP mitm (and parasite)
- alive6: an effective alive scanng, which will detect all systems listening to
this address
- fake_router6: announce yourself as a router on the network, with the
highest priority
- redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever
icmp6 redirect spoofer
- toobig6: mtu decreaser with the same intelligence as redir6
- dos-new-ip6: detect new ip6 devices and tell them that their chosen IP
collides on the network (DOS).
- trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-
SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- exploit6: known ipv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests againsts a target
- fuzz_ip6: fuzzer for ipv6
- implementation6: performs various implementation checks on ipv6
- implementation6d: listen daemon for implementation6 to check behind a fw
- fake_mld6: announce yourself in a multicast group on the net
- fake_mld26: same but for MLDv2
![Page 8: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/8.jpg)
8
Hacking IPv6
IPv6(dst="2a02:9001:0:ffff:80:58:105:253")/
IPv6ExtHdrRouting(type=0,addresses=["2a02:9001:0:57::6"])/ ICMPv6EchoRequest()
#!/usr/bin/pythonfrom
scapy.all import * def aleatorio():
ff=str(RandIP6()) ff=ff[20:39]
return ff
for i in range(1,100000): packet=IPv6(src="2001:5c0:1400:a:8000:0:580c:3aa",dst="2a02:9008:3:111:"
+(aleatorio()))/ICMPv6EchoRequest() send(packet,iface="sit1")
![Page 9: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/9.jpg)
9
2. Some security risks in IPv6
![Page 10: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/10.jpg)
10
IPv4 Attack Example
Internal
Network
Victim is
attacked !!!
![Page 11: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/11.jpg)
11
IPv6 Connectivity Schema
Public Prefix
assigned 2a02:9008:3::/64
Administration
Administration
No NAT Needed with IPv6
No internal network needed
Direct connectivity
2a02:9008:3::1
![Page 12: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/12.jpg)
12
IPv6 Phishing Attack Example
Public Prefix assigned
2a02:9008:3::/64
Default Passwords
Brute Force (Hydra) Exploit Known Vulnerabilities
Victim is
attacked !!!
2a02:9008:3::1
Don’t work
too hard
No scpecial vulnerability in
the routers is needed.
No interaction from the
clients is needed
![Page 13: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/13.jpg)
13
Users also exposed
End-to-end model
2a02:9008:3::1
2a02:9008:3::a36:1
2a02:9008:3::a35:2
2a02:9008:3::a46:8
2a02:9008:3::a86:6
Vulnerable
services !!
![Page 14: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/14.jpg)
14
3. Research results
![Page 15: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/15.jpg)
15
Administration Services exposed in Internet
We made a research to check if this
was a real risk, and we discovered
that indeed it is…
We collected public information
avaliable in Internet about IPv6
prefixes asigned by LIRs
![Page 16: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/16.jpg)
16
IPv4 Connectivity
![Page 17: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/17.jpg)
17
Administration Services exposed in Internet
We Scanned some of those prefixes just
using nmap
Only some of the first IPs of each prefix…
![Page 18: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/18.jpg)
18
Administration Services exposed in Internet
![Page 19: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/19.jpg)
19
Administration Services exposed in Internet
Mail services in IPv6 SPAM nightmare is
coming…
![Page 20: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/20.jpg)
20
4. Demo …
![Page 21: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/21.jpg)
21
1. Windows 7
2. Linux (Backtrack)
3. Mac OS
Tunneling…
![Page 22: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/22.jpg)
22
NDP
Public Prefix
2a02:9008:3:f0f0:/64
2a02:9008:3:f0f0:437:af0:665:8
2a02:9008:3:f0f0:889:acb:9999:1
2a02:9008:3:f0f0:7676:bbb:9:10 2a02:9008:3:f0f0:437:af0:665:8
2a02:9008:3:f0f0:437:af0:665:8
![Page 23: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/23.jpg)
23
NDP Flooding … 2a02:9008:3:f0f0:437:af0:665:8
2a02:9008:3:f0f0:889:acb:9999:1
2a02:9008:3:f0f0:7676:bbb:9:10
2a02:9008:3:f0f0:437:af0:665:8
CAM Table
11:22:33:44:55:66 - 2a02:9008:3:f0f0:437:af0:665:8 66:55:44:33:22:11 - 2a02:9008:3:f0f0:7676:bbb:9:10
… - …
2a02:9008:3:f0f0:RAND Public Prefix
2a02:9008:3:f0f0:/64
![Page 24: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/24.jpg)
24
NDP Flooding in action…
![Page 25: Charla ipv6](https://reader035.vdocuments.us/reader035/viewer/2022081401/559455231a28ab8b118b4632/html5/thumbnails/25.jpg)
25
Questions ???
Rafa Sánchez Gómez [email protected] @R_a_ff_a_e_ll_o
es.linkedin.com/in/rafasanchezgomez