There’s No Place Like ::1 — Enumerating Local IPv6 networks

Ronald Eddings
Hacker Valley Studio
Dec 18, 2017
IPv6Tools — Created by Ronald Eddings and Josh

In today’s digital age, our devices expose a vast amount of data which highlights the need for cybersecurity. Without realizing it, we connect to WiFi networks and communicate with many devices on the same local network in the background. Are you certain that your devices aren’t sharing data that an attacker can leverage while you’re at a coffee shop or hotel?

Internet Protocol

IPv6 is the latest iteration of Internet Protocol (IP) and odds are your devices are chatting with other devices using this protocol. IPv6 was designed and created to address some of the shortfalls of IPv4. Larger address space (total # of IP addresses), efficient routing, and enhanced security are just a few key reasons why IPv6 is intended to replace IPv4. There are dozens of security products that protect our devices and network communications over IPv4, but what about IPv6? Surprisingly, many security products have little or no support for IPv6. This may leave you wondering what the difference is between these two Internet Protocols.

Difference between IPv4 and IPv6 headers

The header of an IP packet is similar to the information you fill out on the face of an envelope. It provides the necessary information to send your network traffic to the correct place. Since IPv4 and IPv6 addresses differ in size and appearance, the cybersecurity community must develop new techniques to monitor, detect, and prevent malicious events from harming your device. Unfortunately, these techniques are being implemented at a very slow rate and many security solutions have no IPv6 support. This allows attackers to communicate with vulnerable devices without a trace. Josh and I decided to take a look at what our devices may be sharing with an attacker. This led to the creation of our modular framework for enumerating IPv6 networks — IPv6Tools.

The best predictor of future behavior is … past behavior

I didn’t start out this process as an IPv6 expert (probably still far from that today), so I decided to research older techniques used to enumerate IPv4 networks. In both IPv4 and IPv6 there are protocols that assist engineers in configuring and troubleshooting IP communications — these protocols also help us with enumeration. For instance, the most popular networking utility, Ping, leverages Internet Control Message Protocol (ICMP) to test reachability of devices on IP networks. During our research, more than 80% of discovered devices responded to at least one type of ICMPv6 request. It’s trivial to send a “Ping” to a device and retrieve a variety of information.

Snippet of manual page for ping6 (Network utility to test reachability of IPv6 devices)
    prototype@ubuntu:~$ ping6 fe80::1488:901c:4d03:cf78%ens33 -N name
    PING fe80::1488:901c:4d03:cf78%ens33(fe80::1488:901c:4d03:cf78) 56 data bytes
    38 bytes from fe80::1488:901c:4d03:cf78: SecDevOps.local; seq=1; ttl=64
    38 bytes from fe80::1488:901c:4d03:cf78: SecDevOps.local; seq=2; ttl=64

The above two figures provide insight into the fields we’re able to enumerate. One thing to note is that not all devices respond to all of the request types listed above, and it’s not uncommon for vendors to pick and choose which parts of the Request For Comments (RFC) they wish to follow.

Identifying the mechanism to send our Ping

When referring to IP transmissions, the most common types are Unicast, Broadcast, and Multicast. The names of the transmission types are intuitive.

Image From: http://veraview.com/wp-content/uploads/2016/03/Unicast-v-Multicast.png

Since the goal is to enumerate a network, we must employ broadcast or multicast messages to reach many hosts and retrieve information. However, IPv6 does not support broadcast, which leaves multicast as our mechanism for reaching many hosts with a single packet. As you can see in the image above, devices belong to certain multicast groups — and there are many types of multicast groups. For instance, there is an All Routers multicast group. Routers belong to this multicast group because they are able to process and respond to specific types of messages that other devices will want to ignore. Many devices subscribe to the multicast DNS (mDNS) group — mDNS is a service that locally resolves hostnames to IP addresses and works almost identically to the Domain Name System (DNS). Windows devices leverage a common service called Link-Local Multicast Name Resolution (LLMNR). The beauty of mDNS is that we can query a device and politely ask for additional details about the services installed. There are a lot of caveats as to when/what a device will answer but it never hurts to ask… Here’s the exhaustive list we are using:
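
An added example, not part of the original post and not the authors' list: a host-side check of which multicast groups a Linux machine has joined, and therefore which of the group queries described above it will receive. The input follows the layout of /proc/net/igmp6; the sample rows, interface names, and function names are constructed for illustration, and the group labels are the well-known IANA assignments.

```python
import ipaddress

# Well-known link-local multicast groups (IANA assignments).
WELL_KNOWN = {
    "ff02::1": "all-nodes",
    "ff02::2": "all-routers",
    "ff02::fb": "mDNS",
    "ff02::1:3": "LLMNR",
}
NAME_SERVICES = {"mDNS", "LLMNR"}
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")

# Constructed sample in the layout of Linux /proc/net/igmp6:
# ifindex, ifname, group (32 hex digits), users, flags, timer
SAMPLE = """\
1  lo     ff020000000000000000000000000001  1 0000000C 0
2  ens33  ff020000000000000000000000000001  1 0000000C 0
2  ens33  ff0200000000000000000000000000fb  1 00000004 0
2  ens33  ff020000000000000000000000010003  1 00000004 0
2  ens33  ff0200000000000000000001ff03cf78  1 00000004 0
"""

def classify(group):
    """Label one multicast group address."""
    if group in SOLICITED_NODE:
        return "solicited-node"
    return WELL_KNOWN.get(str(group), "other")

def audit(text):
    """Map each interface to a sorted list of (group, label) it has joined."""
    joined = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or len(fields[2]) != 32:
            continue  # skip blank or malformed rows
        group = ipaddress.IPv6Address(bytes.fromhex(fields[2]))
        joined.setdefault(fields[1], set()).add((str(group), classify(group)))
    return {ifname: sorted(groups) for ifname, groups in joined.items()}

def name_service_exposure(text):
    """Interfaces that listen on mDNS or LLMNR groups and so may answer name queries."""
    exposure = {}
    for ifname, groups in audit(text).items():
        labels = [label for _, label in groups if label in NAME_SERVICES]
        if labels:
            exposure[ifname] = labels
    return exposure

if __name__ == "__main__":
    print(name_service_exposure(SAMPLE))
```

On a Linux host, passing the contents of /proc/net/igmp6 to `name_service_exposure` shows which interfaces are listening for mDNS or LLMNR queries before the machine joins an untrusted network.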

Using IPv6Tools to enumerate networks

As mentioned, we have built a robust set of modules and plugins that allow a user to visually audit an IPv6-enabled network. The built-in modules support enumeration of IPv6 features such as ICMPv6 and Multicast Listener Discovery (MLD). We’ve also added support for enumeration of Upper Layer Protocols (ULP) such as mDNS. The initial scan performed by the web application sends out eight IPv6 multicast packets and immediately plots the devices that responded on a force-directed graph. In fact, it’s not required to send any packets at all to begin visualizing an IPv6-enabled network because devices are very chatty and regularly send out multicast packets. We’ve deemed these protocols/features an excellent place to start for enumerating IPv6 networks:

  • ICMPv6 echo request
  • ICMPv6 echo Name request
  • MLD groups
  • mDNS details

IPv6Tools in action

In a matter of seconds, we can enumerate and visualize an IPv6 network! After the initial scan, IPv6Tools sends out a few mDNS and LLMNR requests, which often return services/applications running on the device, multicast groups, and other IP address information. The nodes that have been enriched with mDNS and LLMNR responses have a green arrow in the table.
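
Detection logic for the scan described above, added here and not taken from IPv6Tools: it flags a source that sends several different kinds of multicast discovery probes (echo request, node information query, MLD query, mDNS or LLMNR query) within a short window. The window length, threshold, function names, and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_PROBES = {128: "echo-request", 130: "mld-query", 139: "node-info-query"}
UDP_PROBES = {5353: "mdns-query", 5355: "llmnr-query"}

def probe_kind(pkt):
    """Return (source, kind) if a raw IPv6 packet is a multicast discovery probe."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[24] != 0xFF:  # not IPv6 to multicast
        return None
    nxt, off = pkt[6], 40
    if nxt == 0:  # hop-by-hop options header, carried by MLD messages
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    kind = None
    if nxt == 58 and len(pkt) > off:  # ICMPv6: first byte is the message type
        kind = ICMP_PROBES.get(pkt[off])
    elif nxt == 17 and len(pkt) > off + 10 and not pkt[off + 10] & 0x80:  # DNS QR=0
        kind = UDP_PROBES.get(struct.unpack_from("!H", pkt, off + 2)[0])
    return (str(ipaddress.IPv6Address(pkt[8:24])), kind) if kind else None

def sweeping_sources(packets, window=5.0, min_kinds=3):
    """Sources sending >= min_kinds distinct probe kinds within `window` seconds."""
    seen = defaultdict(list)
    for ts, pkt in packets:
        hit = probe_kind(pkt)
        if hit:
            seen[hit[0]].append((ts, hit[1]))
    flagged = {}
    for src, events in seen.items():
        for start, _ in events:
            kinds = {k for ts, k in events if start <= ts <= start + window}
            if len(kinds) >= min_kinds:
                flagged[src] = sorted(kinds)
                break
    return flagged

def ip6(src, dst, nxt, payload):  # builds the constructed sample packets below
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255) + addrs + payload
def dns(port, flags):  # UDP header plus a 12-byte DNS header with the given flags
    return struct.pack("!HHHHHH", 49152, port, 20, 0, 0, flags) + bytes(8)

SAMPLE = [  # constructed capture: (seconds, raw IPv6 packet)
    (0.0, ip6("fe80::a", "ff02::1", 58, bytes([128, 0]) + bytes(6))),
    (0.2, ip6("fe80::a", "ff02::1", 58, bytes([139, 0]) + bytes(14))),
    (0.4, ip6("fe80::a", "ff02::fb", 17, dns(5353, 0x0000))),
    (1.0, ip6("fe80::b", "ff02::fb", 17, dns(5353, 0x0000))),  # ordinary lookup
    (2.0, ip6("fe80::b", "ff02::fb", 17, dns(5353, 0x8400))),  # response, ignored
]
```

A single mDNS query or a router's MLD query is normal traffic, which is why the rule keys on one source mixing several probe kinds rather than on any one packet.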

Modularity

We made extending our framework easy and painless. Python code that interacts with a single node (or multiple nodes) should be placed in the modules folder. The template.py file is a great reference to review when writing a module.

The modname variable contains the Title Name of the module in IPv6Tools. During our research, I found a FreeBSD Denial-of-Service (DoS) Python script that exploits an ICMPv6 error checking vulnerability in FreeBSD 9.3 and below.

The above module can be executed against a node by right-clicking the node in the graph or the table. Similarly, modules can be executed directly from the Table tab.

Moving Forward

The state of IPv6 security is less than stellar, but researchers are rapidly working together to fill the gap. Security is our passion and our hope is that researchers and anyone with an interest in IPv6 leverage IPv6Tools as their framework to visualize and perform actions on IPv6 nodes.
