Retina Development Core Team - Network Security Scanner
Yuji Ukai, Senior Software Engineer
Ryan Permeh, Founding Software Engineer
Ryoji Kanai, Software Engineer
PacSec 2006 Conference: the fourth annual PacSec conference, November 27-30 2006, at the Aoyama Diamond Hall in Tokyo, Japan.
Introduction
- The American Department of Defense announced that they will move their network to IPv6. Because of this, IPv6 is currently in the spotlight in the U.S.
- All network devices should be updated to support IPv6, and security products must also be updated to keep up. A network security scanner must be able to scan an IPv6 network.
- Most of the core technologies based on IPv4 can still be used, but we are facing some new issues.
- We will describe some of the issues and some possible solutions to the problem of security risk management in an IPv6 network.
IPv6 networking
- IPv6 is rapidly becoming more popular since the DoD IPv6 announcement.
  - DoD will switch their network to IPv6 across the board.
  - This network is responsible for supporting soldiers and signal communications.
  - All new network devices purchased should already support IPv6.
- The US Department of Commerce is investigating the economic effect of IPv6.
- The governments and militaries in Germany, France, the U.K., China, Korea, and Japan all have plans to push IPv6 forward in their networks.
- Many vendors, ISPs, and research institutes have accelerated their R&D for IPv6 deployment.
- Security risk management solutions must consider the implications of supporting IPv6 as well.
Security risk management using a network security scanner
- Scan the network. Collect the assets and their vulnerability information.
- Analyze the threat, the vulnerability, and the importance of each asset.
- Know the risk factors on the network and take action to fix them.
- We must deploy accurate and fast vulnerability scanning to manage the risk on the network appropriately.
- Supporting IPv6 might have a bad effect on the accuracy and speed of the traditional scanning methodology:
  - Host discovery and OS detection techniques
Host Discovery
- Discover the hosts using ICMP, TCP, and UDP probes. Host discovery is necessary to collect the asset information and the list of targets for vulnerability scanning.
- Negative impact caused by supporting IPv6 - Host discovery:
  - Huge address space
  - Secure Neighbor Discovery and CGA
  - Privacy Enhanced Addresses
Huge Address Space
- The traditional host discovery method takes a very long time because the address space is expanded to 128 bits.
  - A typical IPv4 subnet may have 8 bits reserved for host addressing: at 1 packet/sec, 5 min.
  - A typical IPv6 subnet may have 64 bits reserved for host addressing: at 1 packet/sec, 50 billion years.
- http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt
Secure Neighbor Discovery and CGA
- Joint research project to reduce attacks on Neighbor Discovery (ND).
  - ND is stateless and vulnerable to hijacking attacks.
- Cryptographically generated addresses (CGA): a cryptographically secure addressing scheme that can be used to prevent and detect collision attacks.
- http://research.microsoft.com/users/tuomaura/Publications/arkko+-wise02.pdf
- The address can not be guessed, so we can not reduce the search space.
Privacy Enhanced Addresses
- IETF scheme for generating random address bits instead of using an IEEE identifier (i.e., a link-layer MAC address). Privacy protection, etc.
- Generates short-lived addresses with a small chance of repeat. Generated on boot or periodically at runtime.
- Algorithm (diagram on the slide): [Current Address (64 bits) | Seed or History (64 bits)] -> md5 -> [New Address (64 bits) | New History (64 bits)]; set bit 6 to 0 to create the global address.
- The address can not be guessed, so we can not reduce the search space.
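The md5 construction drawn on the slide, worked through in code. This is an added example written for this page, not Retina code or the deck's own material: it builds a modified EUI-64 interface identifier from a MAC, then iterates the [current identifier | history] -> md5 -> [new identifier | new history] step with bit 6 cleared, exactly as the diagram shows (RFC 3041 proper feeds the EUI-64 identifier, not the previous temporary one, into every round; the diagram's wording is followed here). The MAC is the first neighbor-cache entry shown later in the deck; the prefix and seed are constructed values.

```python
import hashlib
import ipaddress

# Constructed inputs. The MAC is the first netsh neighbor-cache entry on a later slide;
# the /64 prefix and the 64-bit seed are made up for the example (a real node stores a
# random seed and the running history value).
SAMPLE_MAC = "00-10-a4-b6-b9-72"
SAMPLE_PREFIX = "2001:db8::/64"
SAMPLE_SEED = bytes(range(8))


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: insert ff:fe and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def next_privacy_iid(current_iid: bytes, history: bytes):
    """One round of the slide's construction: md5(current identifier || history) gives 128 bits.

    Left 64 bits -> new interface identifier, with bit 6 (the u/l bit, value 0x02 in the
    first octet) cleared so it cannot be mistaken for a globally unique EUI-64.
    Right 64 bits -> new history value for the next round.
    """
    if len(current_iid) != 8 or len(history) != 8:
        raise ValueError("interface identifier and history are 64 bits each")
    digest = hashlib.md5(current_iid + history).digest()
    new_iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    new_history = digest[8:]
    return new_iid, new_history


def temporary_addresses(prefix: str, mac: str, seed: bytes, count: int):
    """Successive temporary addresses for a /64 prefix, starting from the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are defined for /64 prefixes")
    iid, history = mac_to_eui64(mac), seed
    out = []
    for _ in range(count):
        iid, history = next_privacy_iid(iid, history)
        out.append(str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid)))
    return out


def is_eui64_derived(address: str) -> bool:
    """True when the low 64 bits look like a modified EUI-64 (ff:fe in the middle, u/l bit set)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


if __name__ == "__main__":
    link_local = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(SAMPLE_MAC))
    print("EUI-64 link-local:", link_local)
    for addr in temporary_addresses(SAMPLE_PREFIX, SAMPLE_MAC, SAMPLE_SEED, 3):
        print("temporary        :", addr, "eui64-derived:", is_eui64_derived(addr))
```

Running it shows why the slide concludes that the search space cannot be reduced: the temporary identifiers share nothing with the vendor OUI, and `is_eui64_derived` is the check a scanner can apply to an observed address to tell the two kinds apart before deciding whether the vendor-ID shortcut applies.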
IPv6 Discovery Solutions
- Multicast
- Neighbor Discovery
- Ethernet Vendor ID
- DHCPv6 State Tables
- Neighbor Cache
- Target IPv4 Stack instead
- Local Discovery and Distributed Architecture
IPv6 Layer 3 – Multicast
- Multicast is a core component of IPv6. We can get some live IP addresses using multicast.
- Typically site or link local.
- Certain IPv6 functions require multicast, so you are likely to have responses.
- Common groups:
  - FF02:0:0:0:0:0:0:1 – All nodes on the local link
  - FF02:0:0:0:0:0:0:2 – All routers on the local link
  - FF02:0:0:0:0:0:1:3 – All DHCP agents on the local link
IPv6 Layer 3 – Neighbor Discovery
- Neighbor Discovery is an ICMPv6 specific service.
- Peer Discovery (layer 3 ARP): sent by a node to determine the link-layer address of a neighbor.
  - Neighbor discovery can act as a link-local ping replacement. Some hosts may block multicast pings, but none should block multicast ND solicitations.
- Router Discovery: the host requests routers to generate a Router Advertisement packet immediately.
Ethernet Vendor ID
- It is typical to have the low 64 bits of the IPv6 address comprised of the Interface Identifier.
- The Interface Identifier is typically the EUI-64 representation of the layer 2 address.
- Part of this can be guessed (Layer 2 Vendor ID), reducing the search space.
- EUI-64: http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
- Vendor ID: http://standards.ieee.org/regauth/oui/oui.txt
- Example vendor IDs: 00-01-02, 00-07-E9, 00-05-B5, 00-E0-4C
DHCPv6 State Tables
- DHCPv6 must keep internal state tables to track the IPs that were granted.
- Examining the in-memory or on-disk representation of this will turn up live IPs.
- May be logs, a SQL database, an application API, or even hooking the server process.
- Requires access to the server and the rights to do this.
- MSDN:
  DWORD DHCP_API_FUNCTION DhcpEnumSubnetClients(
      DHCP_CONST WCHAR *ServerIpAddress,
      DHCP_IP_ADDRESS SubnetAddress,
      DHCP_RESUME_HANDLE *ResumeHandle,
      DWORD PreferredMaximum,
      LPDHCP_CLIENT_INFO_ARRAY *ClientInfo,
      DWORD *ClientsRead,
      DWORD *ClientsTotal
  );
  DWORD DHCP_API_FUNCTION DhcpEnumSubnets(
      DHCP_CONST WCHAR *ServerIpAddress,
      DHCP_RESUME_HANDLE *ResumeHandle,
      DWORD PreferredMaximum,
      LPDHCP_IP_ARRAY *EnumInfo,
      DWORD *ElementsRead,
      DWORD *ElementsTotal
  );
Neighbor Cache
- Every IPv6 router and host must keep a neighbor cache. We can get some live IP addresses from it.
- Similar to an ARP cache in IPv4. Contains live addresses and their associated layer 2 addresses.
- Can be accessed via SNMP or OS/application specific APIs.
- SNMP OID – .1.3.6.1.2.1.55.1.12
- Windows –
  C:\research>netsh interface ipv6 show neighbors
  Interface 6: Local Area Connection
  Internet Address                 Physical Address   Type
  fe80::210:a4ff:feb6:b972         00-10-a4-b6-b9-72  Stale
  fe80::211:25ff:fe5a:cd63         00-11-25-5a-cd-63  Permanent
- Linux –
  # ip -6 neigh show
  fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
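The two neighbor-cache listings above and the Ethernet Vendor ID slide before them describe one workflow: turn cache entries into asset records and map EUI-64 based addresses back to a MAC and its OUI. The following is an added example for this page, not Retina code or the authors' own: it parses both the netsh and the ip -6 neigh output exactly as printed on the slide, recovers the MAC from the interface identifier, confirms it against the link-layer address the OS reports, and looks the OUI up in a constructed table (the vendor names are placeholders; a real deployment would load the oui.txt file linked on the slide).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed OUI table standing in for the IEEE oui.txt file. Vendor names are placeholders.
OUI_TABLE = {
    "00:10:a4": "vendor-A (placeholder)",
    "00:11:25": "vendor-B (placeholder)",
    "00:01:23": "vendor-C (placeholder)",
}

# The two neighbor-cache listings as printed on the slide.
NETSH_OUTPUT = """\
C:\\research>netsh interface ipv6 show neighbors
Interface 6: Local Area Connection
Internet Address                 Physical Address   Type
fe80::210:a4ff:feb6:b972         00-10-a4-b6-b9-72  Stale
fe80::211:25ff:fe5a:cd63         00-11-25-5a-cd-63  Permanent
"""
IP_NEIGH_OUTPUT = "fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable\n"

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class Neighbor:
    address: str
    mac: str            # normalised to aa:bb:cc:dd:ee:ff
    state: str          # Stale / Permanent / reachable ... exactly as the OS reports it
    eui64_derived: bool  # interface identifier matches the reported MAC
    vendor: str


def eui64_to_mac(address: str):
    """Recover the MAC from a modified-EUI-64 interface identifier, or None if it is not one."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def _is_ipv6(token: str) -> bool:
    try:
        ipaddress.IPv6Address(token)
        return True
    except ValueError:
        return False


def parse_neighbors(text: str):
    """Parse `netsh interface ipv6 show neighbors` or `ip -6 neigh show` output into Neighbor records."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        address = next((t for t in tokens if _is_ipv6(t)), None)
        mac = next((t for t in tokens if MAC_RE.match(t)), None)
        if address is None or mac is None:
            continue  # headers, prompts and interface lines carry no address/MAC pair
        # Linux prints the NUD state after the literal token "nud"; netsh puts it in the last column.
        state = tokens[tokens.index("nud") + 1] if "nud" in tokens else tokens[-1]
        mac = mac.replace("-", ":").lower()
        found.append(Neighbor(
            address=address,
            mac=mac,
            state=state,
            eui64_derived=(eui64_to_mac(address) == mac),
            vendor=OUI_TABLE.get(mac[:8], "unknown OUI"),
        ))
    return found


if __name__ == "__main__":
    for entry in parse_neighbors(NETSH_OUTPUT) + parse_neighbors(IP_NEIGH_OUTPUT):
        print(entry)
```

An entry whose `eui64_derived` flag is False is either a privacy address or a manually assigned one, which is exactly the case where the vendor-ID shortcut from the earlier slide does not apply.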
Target IPv4
- Mixed mode networks often have both IPv4 and IPv6 addresses: use the IPv4 address instead!
- IPv6 transition addressing schemes often embed IPv4 addresses in their scheme, potentially reducing the address search space (ISATAP, 6to4 transitional addresses).
Local Discovery and Distributed Architecture
- IPv6 is designed to make internal visibility good, but external visibility poor.
  - Internal network discovery becomes somewhat easier.
  - External discovery is still a challenge.
- Many distributed scanners: closer to the source, able to use ND and multicast. Distributes the workload across many platforms.
Remote OS detection
- Detect the OS type remotely without credentials. OS detection is necessary to manage the asset information and for accurate vulnerability scanning.
- We can detect the remote OS type by examining the differences in TCP/IP implementation, network service banners, and other factors.
- Negative impact caused by supporting IPv6 - OS detection: we can use most of the OS detection methods designed for an IPv4 network; however, the IPv4 ICMP OS detection method can not be used as is. Currently, if a target closes all TCP and UDP ports, we can not detect the remote OS.
Basics of remote OS detection
- We detect the remote OS type by using the differences in TCP/IP implementations: send some packets and analyze the responses.
- TCP OS detection (Nmap method)
  - Send some specially crafted TCP packets and analyze the responses
  - OS is identified by some parameters (window size, TCP options, etc.)
- ICMPv4 OS detection (Xprobe method)
  - Send some specially crafted ICMP packets and analyze the responses
  - OS is identified by ICMP types and some IP parameters
  - It does not depend on open ports
- ICMPv6 OS detection
  - Send some specially crafted ICMPv6 packets and analyze the responses
  - IPv6 doesn't support ICMPv4, so we need a new method for IPv6
ICMPv4 OS detection
- Test packets:
  - UDP Unreachable Port
  - ICMP Echo Request
  - ICMP Timestamp Request
  - ICMP Information Request
  - ICMP Netmask Request
- Parameters used for OS detection:
  - Respond or no respond
  - IP Length
  - IP Identification
  - IP TOS
  - IP Flags
  - IP Fragment Offset
  - IP TTL
  - Checksum
- X remote ICMP based OS fingerprinting techniques, Ofir Arkin and Fyodor Yarochkin, http://www.sys-security.com/
ICMPv6 OS detection - Test packets and targets
- Test packets:
  - ICMPv6 Echo Request
  - ICMPv6 Echo Request (invalid code)
  - UDP Unreachable Port
  - ICMPv6 Multicast Listener Discovery
  - ICMPv6 Neighbor Solicitation
- Targets:
  - Windows XP SP2
  - Windows Vista Beta 2 Build 5384
  - Solaris 10
  - Linux Fedora 2.6.15
  - FreeBSD 6.0
ICMPv6 Echo request / HopLimit - Probe & Response
- Probe - ICMPv6 Echo Request: Type = 128, Code = 0, Checksum, Identifier, Sequence Number, Data ...
- Response - ICMPv6 Echo Reply: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit) followed by Type = 129, Code = 0, Checksum, Identifier, Sequence Number, Data ...
ICMPv6 Echo request / HopLimit - Characteristics
- Response packet - Hop Limit of the ICMPv6 Echo Reply:
  - 128: Windows XP, Windows Vista
  - 64: Linux, FreeBSD
  - 255: Solaris
ICMPv6 Echo request / Invalid Code - Probe & Response
- Probe - ICMPv6 Echo Request with invalid code: Type = 128, Code = 1, Checksum, Identifier, Sequence Number, Data ...
- The "Code" parameter in an ICMPv6 Echo Request should be 0 (RFC 2463). However, most implementations don't check the code parameter.
ICMPv6 Echo request / Invalid Code - Characteristics
- Decision tree: Echo Reply Hop Limit 128 → Windows XP, Windows Vista; 255 → Solaris; 64 → whether an Echo Reply to the invalid-code request is returned (Yes / No) separates FreeBSD from Linux.
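The two echo probes above (valid and invalid code) and the reply fields they examine, as an added example for this page rather than Retina's own code. It builds an IPv6 packet carrying an ICMPv6 Echo with the RFC 2463 pseudo-header checksum, with the Code field as a parameter so the invalid-code probe is one call away, and parses a reply to extract the Hop Limit, Type, Code and checksum validity that the fingerprint tables use. Addresses are constructed (the target address is the first neighbor-cache entry from earlier in the deck); sending would need a raw socket and is deliberately left out, so everything here runs offline.

```python
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128
ICMPV6_ECHO_REPLY = 129

# Constructed addresses: a scanner and a target on the same link.
SCANNER = "fe80::1"
TARGET = "fe80::210:a4ff:feb6:b972"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: str, dst: str, length: int) -> bytes:
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """RFC 2463 checksum over the IPv6 pseudo-header plus the ICMPv6 message (checksum field zero)."""
    return (~ones_complement_sum(_pseudo_header(src, dst, len(icmp)) + icmp)) & 0xFFFF


def build_echo(src, dst, msg_type, code=0, ident=0x1234, seq=1, payload=b"probe", hop_limit=64):
    """IPv6 header + ICMPv6 Echo Request/Reply. code=1 produces the slide's invalid-code probe."""
    icmp = struct.pack("!BBHHH", msg_type, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    # Version 6, Traffic Class 0, Flow Label 0 -> the first 32 bits are 0x60000000.
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return ip6 + icmp


def parse_echo(packet: bytes) -> dict:
    """Extract the fields the fingerprint uses: Hop Limit, Type, Code, and checksum validity."""
    if len(packet) < 48 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet carrying an ICMPv6 echo message")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    icmp = packet[40:40 + payload_len]
    if next_header != IPPROTO_ICMPV6 or len(icmp) != payload_len:
        raise ValueError("payload is not a complete ICMPv6 message")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # With the transmitted checksum included, the one's complement sum must be 0xFFFF.
    checksum_ok = ones_complement_sum(_pseudo_header(src, dst, len(icmp)) + icmp) == 0xFFFF
    return {"src": src, "dst": dst, "hop_limit": hop_limit, "type": msg_type, "code": code,
            "ident": ident, "seq": seq, "payload": icmp[8:], "checksum_ok": checksum_ok}


if __name__ == "__main__":
    probe = build_echo(SCANNER, TARGET, ICMPV6_ECHO_REQUEST, code=1)
    print("invalid-code probe:", parse_echo(probe))
    reply = build_echo(TARGET, SCANNER, ICMPV6_ECHO_REPLY, hop_limit=128)
    print("reply hop limit   :", parse_echo(reply)["hop_limit"])
```

The checksum check matters for fingerprinting: a reply that fails it should not contribute a Hop Limit observation, since the value may have been mangled in transit rather than set by the target's stack.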
UDP Port Unreachable / Probe & Response
- Probe - Send a UDP packet over IPv6 to a closed port: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit), UDP header (Source Port, Destination Port, UDP Length, UDP Checksum), Data ...
- Response - an ICMPv6 Destination Unreachable message is sent back from the target: Type = 1, Code = 4 (Port Unreachable), Checksum, Unused, then as much of the invoking packet as will fit without the ICMPv6 packet exceeding the minimum IPv6 MTU.
UDP Port Unreachable / Characteristics
- RFC 2463: "A destination node SHOULD send a Destination Unreachable message with Code 4 in response to a packet for which the transport protocol (e.g., UDP) has no listener, if that transport protocol has no alternative means to inform the sender." → Not "MUST".
- Decision tree: Echo Reply Hop Limit 255 → Solaris; 128 → whether a UDP Port Unreachable is returned (Yes / No) separates Windows XP from Windows Vista; 64 → whether an Echo Reply to the invalid-code request is returned (Yes / No) separates FreeBSD from Linux.
ICMPv6 Multicast Listener Discovery / Probe & Response
- The purpose of MLD is to enable routers to discover the presence of multicast listeners.
- Probe - Send a Multicast Listener Discovery (MLDv1) Query packet to the target: Type = 130, Code = 0, Checksum, Maximum Response Delay (0x0000), Reserved, Multicast Address (all 0x00).
- Response - a Multicast Listener Report is sent back from the target: Type = 131 or 143, Code = 0, Checksum, then the Multicast Listener Report body (depends on the Type field).
MLDv1 vs MLDv2
- MLDv2 = MLDv1 plus sender information (source addresses).
- MLDv1 Query and MLDv2 Query have the same ICMPv6 Type (130). An IPv6 node recognizes the MLD version by checking the length of the packet.
- Some implementations respond with MLDv2 even if the query is MLDv1. Some implementations don't respond at all.
- ICMPv6 MLDv1 Multicast Listener Report: Type = 131, Code = 0, Checksum, Maximum Response Delay, Reserved, Multicast Address.
- ICMPv6 MLDv2 Multicast Listener Report: Type = 143, Code = 0, Checksum, Reserved, Number of Multicast Address Records, Multicast Address Record [1] ... Multicast Address Record [n].
ICMPv6 Multicast Listener Report / Characteristics
- Decision tree: Echo Reply Hop Limit 255 → Solaris (MLD Query response); 128 → the MLD report returned (v1 / none) separates Windows XP from Windows Vista; 64 → the MLD report version returned (v1 / v2) separates FreeBSD from Linux.
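The decision trees on the Hop Limit, Invalid Code, UDP Port Unreachable and MLD slides combine into one fingerprint table. The classifier below is an added example for this page, not Retina's matching engine: it matches an observation against the table, treats probes that were not sent as unknown rather than as mismatches, and names the next feature worth probing while more than one candidate remains. The Hop Limit values come straight from the slides. For the two 64 group systems the slides state that the invalid-code reply and the MLD report version separate FreeBSD from Linux but the extracted tables do not pair the values unambiguously, so the pairing used here is an assumption (it follows the KAME code check in FreeBSD and the MLDv2 support in Linux 2.6) and should be re-verified against live hosts; the Windows XP / Vista split is left unspecified for the same reason.

```python
# Feature names used for observations; a feature absent from an OS entry is a wildcard.
FINGERPRINTS = {
    "Windows XP SP2": {"echo_hop_limit": 128},
    "Windows Vista Beta 2 Build 5384": {"echo_hop_limit": 128},
    "Solaris 10": {"echo_hop_limit": 255},
    # ASSUMED pairing of the secondary features (see lead-in); Hop Limit is from the slides.
    "Linux Fedora 2.6.15": {"echo_hop_limit": 64, "invalid_code_reply": True, "mld_report_version": 2},
    "FreeBSD 6.0": {"echo_hop_limit": 64, "invalid_code_reply": False, "mld_report_version": 1},
}

# Probe order a scanner would try, cheapest first.
PROBE_ORDER = ("echo_hop_limit", "invalid_code_reply", "mld_report_version", "udp_port_unreachable")


def classify(observed: dict) -> list:
    """OS names whose every specified feature agrees with the observation.

    A feature the scanner did not probe (missing or None in `observed`) is unknown and does
    not exclude a candidate, so partial probing yields a wider candidate list rather than
    a wrong single answer.
    """
    matches = []
    for name, fingerprint in FINGERPRINTS.items():
        if all(observed.get(k) is None or observed[k] == v for k, v in fingerprint.items()):
            matches.append(name)
    return matches


def next_probe(observed: dict):
    """The first unprobed feature that still splits the remaining candidates, or None."""
    candidates = classify(observed)
    if len(candidates) <= 1:
        return None
    for feature in PROBE_ORDER:
        if observed.get(feature) is not None:
            continue
        values = {FINGERPRINTS[c].get(feature) for c in candidates}
        if len(values) > 1:
            return feature
    return None  # the table cannot separate the remaining candidates


def fingerprint_walk(observed: dict) -> list:
    """Trace the decision tree for one host: (candidates so far, feature to probe next) per step."""
    trail, seen = [], {}
    for feature in PROBE_ORDER:
        nxt = next_probe(seen)
        trail.append((classify(seen), nxt))
        if nxt is None:
            break
        seen[nxt] = observed.get(nxt)
    return trail


if __name__ == "__main__":
    # Constructed observation of a host that answered the invalid-code probe with hop limit 64.
    host = {"echo_hop_limit": 64, "invalid_code_reply": True, "mld_report_version": 2}
    for step in fingerprint_walk(host):
        print(step)
    print("result:", classify(host))
```

Because the XP / Vista entries carry no secondary features, `next_probe` returns None for a 128 host and `classify` keeps both names: the classifier reports the ambiguity instead of guessing, which is what the "Collect more fingerprints" item in the future-work slide is meant to resolve.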
ICMPv6 Multicast Listener Report / IPv6 Hop-By-Hop Option
- An IPv6 Hop-By-Hop Option header is included in the MLD Report response packet. The sequence of options depends on the implementation.
- Packet layout: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header = 0, Hop Limit); IPv6 Hop-by-Hop Option header (Next Header = 58, Header Ext Len, Hop-by-Hop Option, Hop-by-Hop Option, ...); ICMPv6 Multicast Listener Report (Type = 131, Code = 0, Checksum, report body depends on the Type field).
IPv6 Hop-By-Hop Option / Characteristics
- Option format: Type | Length | Data
  - Type: 8-bit option type
  - Length: 8-bit option length
  - Data: option data, depends on the option type
- Characteristics used for fingerprinting: option type and option sequence.
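Parsing an MLD report the way the two preceding slides describe: walk the Hop-by-Hop header's TLV options to record their type sequence, then read the ICMPv6 type to decide whether the report is MLDv1 (131) or MLDv2 (143), and for a query use the length rule from the MLDv1 vs MLDv2 slide. This is an added example for this page, not Retina code. Sample packets are constructed inline (checksums are left at zero, since the point here is layout, not transmission); the Router Alert and PadN options are the real option types 5 and 1, and the multicast group is the all-DHCP-agents address from the Multicast slide.

```python
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_DSTOPTS, IPPROTO_ICMPV6 = 0, 60, 58
MLD_QUERY, MLDV1_REPORT, MLDV2_REPORT = 130, 131, 143
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5

# Constructed sample material.
ROUTER_ALERT = b"\x05\x02\x00\x00"      # type 5, length 2, value 0 (MLD)
PADN = b"\x01\x00"                      # type 1, length 0
SAMPLE_GROUP = ipaddress.IPv6Address("ff02::1:3").packed


def hop_by_hop_header(options: bytes, next_header: int = IPPROTO_ICMPV6) -> bytes:
    """Wrap TLV options in a Hop-by-Hop header, padding to a multiple of 8 octets with Pad1/PadN."""
    body = bytes([next_header, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += bytes([OPT_PADN, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_header, len(body) // 8 - 1]) + body[2:]


def mldv1_report(group: bytes) -> bytes:
    return struct.pack("!BBHHH", MLDV1_REPORT, 0, 0, 0, 0) + group


def mldv2_report(groups) -> bytes:
    # One record per group: type 4 (CHANGE_TO_EXCLUDE_MODE), no aux data, no sources.
    records = b"".join(struct.pack("!BBH", 4, 0, 0) + g for g in groups)
    return struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(groups)) + records


def build_sample(icmp: bytes, options: bytes, hop_limit: int = 1) -> bytes:
    """IPv6 header (next header 0) + Hop-by-Hop header + ICMPv6 message, fe80::1 -> ff02::16."""
    payload = hop_by_hop_header(options) + icmp
    ip6 = (struct.pack("!IHBB", 0x60000000, len(payload), IPPROTO_HOPOPTS, hop_limit)
           + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::16").packed)
    return ip6 + payload


def parse_options(data: bytes) -> list:
    """Option types in order of appearance. Pad1 is a single octet with no length field."""
    types, i = [], 0
    while i < len(data):
        t = data[i]
        if t == OPT_PAD1:
            types.append(t)
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated or oversized option")
        types.append(t)
        i += 2 + data[i + 1]
    return types


def parse_mld_report(packet: bytes) -> dict:
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, hop_limit = struct.unpack("!HBB", packet[4:8])
    offset, option_types = 40, []
    # Walk Hop-by-Hop and Destination Options headers (both TLV) until the ICMPv6 message.
    while nh in (IPPROTO_HOPOPTS, IPPROTO_DSTOPTS):
        ext_nh, ext_len = packet[offset], packet[offset + 1]
        total = (ext_len + 1) * 8
        option_types.extend(parse_options(packet[offset + 2:offset + total]))
        nh, offset = ext_nh, offset + total
    if nh != IPPROTO_ICMPV6:
        raise ValueError("unsupported next header %d" % nh)
    icmp = packet[offset:40 + payload_len]
    info = {"hop_limit": hop_limit, "icmp_type": icmp[0], "icmp_code": icmp[1],
            "option_types": option_types, "mld_version": None, "groups": []}
    if icmp[0] == MLDV1_REPORT:
        info["mld_version"], info["groups"] = 1, [icmp[8:24]]
    elif icmp[0] == MLDV2_REPORT:
        info["mld_version"] = 2
        off = 8
        for _ in range(struct.unpack("!H", icmp[6:8])[0]):
            aux_len, nsrc = icmp[off + 1], struct.unpack("!H", icmp[off + 2:off + 4])[0]
            info["groups"].append(icmp[off + 4:off + 20])
            off += 20 + 16 * nsrc + 4 * aux_len
    elif icmp[0] == MLD_QUERY:
        info["mld_version"] = 1 if len(icmp) == 24 else 2  # MLDv2 queries are 28 octets or more
    return info


if __name__ == "__main__":
    print(parse_mld_report(build_sample(mldv1_report(SAMPLE_GROUP), ROUTER_ALERT + PADN)))
    print(parse_mld_report(build_sample(mldv2_report([SAMPLE_GROUP]), PADN + ROUTER_ALERT)))
```

The two sample packets differ only in where the padding sits relative to the Router Alert option, and `option_types` comes back as [5, 1] for one and [1, 5] for the other: that ordering, not the option contents, is the characteristic the slide proposes to fingerprint.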
ICMPv6 Neighbor Solicitation / Probe & Response
- Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.
- Probe - Send a Neighbor Solicitation to the target: Type = 135, Code = 0, Checksum, Reserved, Target Address = Source IPv6 Address, Option.
- Response - a Neighbor Advertisement is sent back from the target: Type = 136, Code = 0, Checksum, R/S/O flags (Router flag, Solicited flag, Override flag), Reserved, Target Address, Option.
ICMPv6 Neighbor Solicitation / Characteristics
- Override flag
ICMPv6 OS Detection - Future work
- Determine the OS detection accuracy
  - Deploy this algorithm to more OSes
  - Collect more fingerprints
- Improve accuracy
  - Identify the OS version
  - Find better parameters to be more accurate
  - Check the parameters related to Mobile IP and security (IPsec)
Thank you for attending! Questions? Contact: Yuji Ukai <yukai@eeye.com>