(presented at Hack In the Box, Amsterdam, 14th April 2017)
Abstract
Multicast DNS and DNS Service Discovery are two protocols used for Zero Configuration Networking purposes by many devices from various vendors. Because they are designed to assist Zero Configuration Networking, these protocols assume a “cooperating participants” environment and therefore have some inherent weaknesses, such as the “generous” broadcasting of a lot of information and the use of easily “spoofable” messages. While these problems have been identified and related research has been published, a complete and in-depth threat analysis of all the potential attack vectors has not been presented yet. This paper aims at filling this gap by providing a thorough study of the attack surface of these two protocols. By following the RFC specifications closely, potential attack vectors and specific testing scenarios are identified and then examined against real-life implementations. Specifically, these attacks are tested against popular devices, implementations and Operating Systems using a tool developed specifically for this purpose, in both IPv4 and IPv6 environments. As is shown, if this “cooperating participants” environment cannot be guaranteed, the use of such protocols should be seriously reconsidered. Finally, specific countermeasures suitable for mitigating the identified threats are also proposed.
(presented at IPv6 Security Summit @Troopers 16, March 11, Heidelberg)
Abstract
Backbone networks have been changing at layer 3 over the last few years due to the worldwide operational deployment of IPv6 by several Internet Service Providers. According to Cisco Labs measurements, at the end of 2015 IPv6 transit Autonomous Systems accounted on average for more than 75% in Western Europe, with some countries reaching even 92%. While a decent amount of research has been performed concerning the security implications of IPv6 on local area networks, this is not the case regarding its impact on backbone IP networks. The assumption that the potential attack vectors in IPv6 networks should be the same as in IPv4 is rather naïve given the new functionalities that IPv6 introduces. This study will discuss the most significant IPv6-related security issues on backbone networks, describing why the evasion of Access Control Lists is rather inevitable. Hands-on experimental results from three different well-known vendors will demonstrate these issues. By analysing the root cause of the problem we will be able to propose very specific mitigation techniques, both in terms of device implementation (so as to protect our networks in the short term) and regarding the philosophy of the Internet Protocol itself and how it should be changed in the long run.
(presented at IPv6 Security Summit @Troopers 15, March 18, Heidelberg)
(presented at Deepsec 2014, November 20-21, Vienna)
Abstract
Multicast Listener Discovery (MLD) and its successor, MLDv2, are protocols of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Most modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start up by sending MLDv2 traffic, which is then repeated periodically. Despite its out-of-the-box usage, MLDv2 is one of the IPv6 protocols that has not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These can range from OS fingerprinting on the local link by passively sniffing the wire, to amplified DoS attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS implementations conform to the security measures defined by the corresponding RFCs, and if not, what the potential security implications are. Then, by diving into the specifications of the protocol, we will discuss potential security issues related to the design of MLD and how they can be exploited by attackers. Finally, specific mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era. There will be demos and a tool release. ;-)
(presented at BlackHat EU 2014, October 16-17, Amsterdam)
Abstract
The forthcoming depletion of IPv4 addresses is now closer than ever. For instance, ARIN states that they are currently in phase three of a 4-phased "IPv4 Countdown Plan," being already down to about 0.9/8s in aggregate. On the other hand, RIPE NCC reached its last /8 of IPv4 address space quite some time ago. Moreover, the nodes of the networks (end-hosts, networking devices, security devices, etc.) are already pre-configured with IPv6 connectivity, at least to some extent. All the latest popular Operating Systems, from Windows to Linux or FreeBSD, send IPv6 messages out of the box, and the hosts are reachable using at least their IPv6 link-local addresses. So, IPv6 is finally here and it is definitely going to stay.
However, what IPv6 does not forgive is the lack of security awareness. IPv6 is not IPv4 with just an extended address space. Several times in the past it has been shown that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. In this talk, we are going to present our latest research findings regarding the evasion of high-end commercial and open-source IDPS, all with the latest patches, extending our previously presented work even further. These techniques allow attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. During the talk, not only will these issues be demonstrated with live demos, but the techniques that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol will also be described in detail, and simple ways to reproduce them will be given. Finally, specific mitigation techniques will be proposed, both short-term and long-term ones, in order to protect your network from them.
(presented at Brucon 2014 5x5, 26-27 September 2014, Ghent)
Abstract
In this talk, an open-source security assessment and penetration testing framework specifically designed for IPv6 networks will be presented. Instead of supporting only some of the most well-known attacks against IPv6, as other known toolkits do, this framework offers its users the capability to construct almost any type of completely arbitrary IPv6 packet, and hence to launch any kind of IPv6-related attack, either known ones or any other attacks that its users can imagine. Its main focus is actually on IPv6 Extension Headers, an IPv6 feature discussed quite extensively in the security literature, but for which, up to now, there was no tool to exploit them easily and to their full extent.
This multi-threaded IPv6 attacking framework is written in Python and is based on Scapy, but without requiring any knowledge of it. It is comprised of the following modules: a) an IPv6 Scanner, b) an IPv6 Local Link Tool, and c) an IPv4-to-IPv6 Proxy. All the above modules are supported by a common library that allows the creation of completely arbitrary IPv6 header chains, fragmented or not.
By using the aforementioned capabilities, this new tool can be used for various penetration testing and security assessment activities, from trivial ones like network scanning and Neighbour Discovery related attacks to more advanced ones, such as evading security devices like IDPS or firewalls, fuzzing IPv6-capable devices regarding their handling of IPv6 Extension Headers, etc.
Any potential IPv6 weaknesses that may be found by using this framework can be exploited not only by the other modules of the framework, but, through the IPv6-to-IPv4 proxy, by any other penetration testing tools, even if these do not support IPv6 natively.
While being simple to use, this framework retains all the features and flexibility needed by ethical hackers and researchers to accomplish their goals and construct any kind of IPv6 packets they wish. It is also modular and expandable, making it a suitable candidate for being the Swiss army knife of the ethical hackers' IPv6 toolkit arsenal.
During the development of this new IPv6 attacking framework, its author used it to discover several ways of evading security devices, like IDPS, by abusing IPv6 Extension Headers and some of their features. You can use just your imagination and this tool to find a lot more. Enjoy!
(presented at BlackHat US 2014, August 6-7, Las Vegas)
Abstract
The IPv6 era is here, whether you already use it or continue to ignore it. However, even in the latter case, this does not mean that your nodes (end-hosts, networking devices, security devices) are not already pre-configured with IPv6 connectivity, at least to some extent. At the same time, ARIN states that they are currently in phase three of a 4-phased IPv4 Countdown Plan, being already down to about 0.9/8s in aggregate. On the other hand, RIPE NCC reached its last /8 of IPv4 address space quite some time ago.
And what IPv6 does not forgive for sure is the lack of security awareness. Several times in the past it has been shown that this new layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. In this talk, it will be shown that significant security issues still remain unsolved. Specifically, three different but novel techniques will be presented that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol to make security devices like high-end commercial IDPS devices completely blind. These techniques allow attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. Moreover, in this talk, after presenting a detailed analysis of the attacks and the corresponding exploitation results against IDPS devices, the potential security implications for other security devices, like firewalls, will also be examined. Finally, specific mitigation techniques will be proposed, both short-term and long-term ones, in order to protect your network from them.
(presented at Troopers14 – IPv6 Security Summit 2014, March 18, 2014, Heidelberg)
Abstract
This workshop presents an update of the corresponding #TR13 session. We’ll provide an overview of what works and what doesn’t, IPv6-wise, on major commercial security products (firewalls, IPSs and others). This includes results from extensive lab testing of the handling of extension headers and fragmentation (and practical examples of different policies for handling this stuff). Furthermore, we’ll focus on the actual capabilities when it comes to filtering on the application/content layer, an area where appropriate IPv6 support was (and is?), well, a bit lacklustre.
(presented at BlackHat AbuDhabi 2012, Abu Dhabi, December 3-6, 2012)
Abstract
On 6 June 2012, the so-called IPv6 World Launch day, major ISPs, significant companies around the world and home networking equipment manufacturers (including, but not limited to, Akamai, AT&T, Cisco, Facebook, Google, Microsoft Bing, Yahoo!, and others) enabled IPv6 for their products and services permanently, while more are expected to follow. But are we really ready for this major transition from a security perspective? IPv6 introduces new features and capabilities not limited to its huge address space. One of them is the introduction of IPv6 Extension Headers. In this paper, it will be shown that the abuse of IPv6 Extension Headers in a way not predicted by the corresponding RFCs can lead to significant security impacts. During our experiments, the effectiveness of some of the most popular Operating Systems (Windows 7/2008, several Linux distributions, the latest FreeBSD and OpenBSD) in handling various malformed IPv6 datagrams is examined. As will be shown, the abuse of IPv6 Extension Headers creates new attack vectors which can be exploited for various purposes, such as evading IDS, creating covert channels by hiding data in Extension Headers, etc. During our tests, the effectiveness of two of the most popular IDS against these attacks is also examined and several ways of evading them at the IP level are shown. As is demonstrated, any type of attack at the IP layer or above (from port scanning to SQLi attacks) can be launched without being detected by abusing IPv6 Extension Headers “properly”. Finally, specific countermeasures that should be taken to handle such situations are also proposed.
(full white paper can be downloaded from here)
(presented at BlackHat Europe 2012, Amsterdam, March 14-16 2012)
Abstract
IP fragmentation attacks are not a new issue. There are many publications regarding their exploitation for various purposes, including, but not limited to, OS fingerprinting, IDS/IPS insertion/evasion, firewall evasion and even remote code execution. The adoption of the new IP version, IPv6, has opened new potential exploitation fields to attackers and pen testers. In this paper, it will be examined whether fragmentation issues still remain in the IPv6 implementations of some of the most popular Operating Systems and whether they can also be used for the aforementioned purposes. To this end, several fragmentation attacks will be presented and their impact will be examined. As will be shown, most of the popular OS, such as Windows, Linux and OpenBSD, are susceptible to such attacks. In each case, the corresponding proof-of-concept code is provided. As will be explained, such attacks, under specific circumstances, can lead to OS fingerprinting, IDS insertion/evasion and firewall evasion. Finally, these tests will also show which OS appears to be the most immune to IPv6 fragmentation attacks.
(full white paper can be downloaded from here)
(presented at IPv6 Security Summit, Troopers 13, Heidelberg, 11-15 March 2013)
Abstract
Fragmentation overlapping attacks first appeared in IPv4. As has been shown, the different handling of overlapping fragments by various Operating Systems (OS) could lead to various security issues, from simple OS fingerprinting to remote code execution. In an attempt to learn from the mistakes of the past, an RFC was proposed for IPv6 that not only discourages the acceptance of overlapping IPv6 fragments, but also specifically defines how an OS should react when such packets are received. However, as has been shown, some of the most popular OS do not behave this way. In this presentation, various fragmentation overlapping scenarios will be tested to check whether such attacks can still be successful. Detailed results of extensive tests will be presented and any non-compliant behaviours will be further discussed with regard to their potential security implications. Finally, proper countermeasures will be proposed to handle any potential OS misbehaviour in order to mitigate the security risks.
(presentation can be downloaded here)
(presented at IPv6 Security Summit, Troopers 13, Heidelberg, 11-15 March 2013)
Abstract
IPv6 introduces new features and capabilities not limited to its huge address space. One of the most significant is the introduction of IPv6 Extension Headers. In this presentation, it will be shown that the abuse of IPv6 Extension Headers in a way not predicted by the corresponding RFCs can lead to significant security impacts. As will be shown, the abuse of IPv6 Extension Headers creates new attack vectors which can be exploited for various purposes, such as evading IDS, creating covert channels by hiding data in Extension Headers, etc. During our tests, the effectiveness of two of the most popular IDS against these attacks is also examined and several ways of evading them at the IP level are shown. As is demonstrated, any type of attack at the IP layer or above can be launched without being detected by abusing IPv6 Extension Headers “properly”. Finally, specific countermeasures that should be taken to handle such situations are also proposed.
BIO: Antonios Atlasis, MPhil, PhD, is an independent IT Security analyst and researcher with over 20 years of diverse Information Technology experience. He is also an accomplished instructor and software developer and has been granted a number of awards both for his academic work and for his professional achievements. His main research interests include vulnerability discovery in IPv6, SCADA systems and other critical protocols. Antonios is also Chief of Research of the Centre for Strategic Cyberspace + Security Science non-profit organisation.
(presentation can be downloaded from here)