Yuji Ukai, Senior Software Engineer - PowerPoint PPT Presentation (transcript, 39 slides)

1
Retina Network Security Scanner - Development Core Team
  • Yuji Ukai, Senior Software Engineer
  • Ryan Permeh, Founding Software Engineer
  • Ryoji Kanai, Software Engineer

2
Introduction
  • The American Department of Defense announced that
    they will move their network to IPv6. Because of
    this, IPv6 is currently in the spotlight in the
    U.S.
  • All network devices should be updated to support
    IPv6. Security products must also be updated to
    keep up.
  • A network security scanner must be able to scan
    an IPv6 network. Most of the core technologies
    based on IPv4 can still be used, but we are
    facing some new issues.
  • We will describe some of the issues and some
    possible solutions to the problem of security
    risk management in an IPv6 network.

3
IPv6 networking
  • IPv6 is rapidly becoming more popular since the
    DoD IPv6 announcement.
    - DoD will switch their network to IPv6 across
      the board.
    - This network is responsible for supporting
      soldiers and signal communications.
    - All new network devices purchased should
      already support IPv6.
  • The US Department of Commerce is investigating
    the economic effect of IPv6. The governments and
    militaries in Germany, France, the U.K., China,
    Korea and Japan all have plans to push IPv6
    forward in their networks.
  • Many vendors, ISPs, and research institutes have
    accelerated their R&D for IPv6 deployment.
  • Security risk management solutions must consider
    the implications of supporting IPv6 as well.

4
Security risk management using a network security
scanner
  • Scan the network.
  • Collect the assets and their vulnerability
    information.
  • Analyze the threat, vulnerability, and importance
    of each asset.
  • Know the risk factors on the network and take
    action to fix them.
  • We must deploy accurate and fast vulnerability
    scanning to manage the risk on the network
    appropriately.
  • Supporting IPv6 might have a bad effect on the
    accuracy and speed of the traditional scanning
    methodology.
    - Host discovery and OS detection techniques

5
IPv6 Host Discovery
6
Negative impact caused by supporting IPv6 - Host
discovery
Host Discovery
  • Discover the hosts using ICMP, TCP and UDP probes.
  • Host discovery is necessary to collect the asset
    information and the list of targets for
    vulnerability scanning.
Issues that IPv6 introduces for host discovery
  • Huge Address Space
  • Secure Neighbor Discovery and CGA
  • Privacy Enhanced Addresses

7
Huge Address Space
  • The traditional host discovery method takes a very
    long time because the address space is expanded
    to 128 bits.
    - A typical IPv4 subnet may have 8 bits reserved
      for host addressing: 256 probes at
      1 packet/sec take about 5 minutes.
    - A typical IPv6 subnet may have 64 bits reserved
      for host addressing: 2^64 probes at
      1 packet/sec take 2^64 seconds, roughly
      580 billion years.
    http://www.6net.org/publications/standards/draft-chown-v6ops-port-scanning-implications-00.txt

8
Secure Neighbor Discovery and CGA
  • Joint research project to reduce attacks on
    Neighbor Discovery (ND). ND is stateless and
    vulnerable to hijacking attacks.
  • Cryptographically Generated Addresses (CGA): a
    cryptographically secure addressing scheme.
  • Can be used to prevent and detect collision
    attacks.
  • http://research.microsoft.com/users/tuomaura/Publications/arkko-wise02.pdf

The interface identifier is a hash output, so the
address cannot be guessed. We can not reduce the
search space.
9
Privacy Enhanced Addresses
  • IETF scheme (RFC 3041) for generating random
    interface identifier bits instead of using the
    IEEE identifier (i.e., a link-layer MAC address).
    Privacy protection, etc.
  • Generates short-lived addresses with a small
    chance of repeat.
  • Generated on boot or periodically at runtime.

[Figure: generation of a new temporary interface
identifier. Input: 64-bit current address
(interface identifier) || 64-bit seed or history
value -> md5 -> leftmost 64 bits = new address
(interface identifier), rightmost 64 bits = new
history. Bit 6 (the universal/local bit) of the new
identifier is set to 0, marking it as locally
significant rather than globally unique.]

The address cannot be guessed. We can not reduce
the search space.
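The generator in the diagram above, written out as an added example (this code is not from the presentation or from Retina): one RFC 3041 step MD5-hashes the previous 64-bit history value together with the interface's modified EUI-64 identifier, takes the left half as the new identifier with the u/l bit cleared, and keeps the right half as the next history value. The seed, the /64 prefix and the public identifier (derived from the MAC 00-10-a4-b6-b9-72 that appears in the deck's netsh output) are constructed inputs.

```python
import hashlib
import ipaddress

# Added example, not code from the presentation: the RFC 3041 temporary
# interface-identifier generator that the slide's diagram describes.


def next_temporary_iid(history, public_iid):
    """One step of the RFC 3041 generator.

    history    -- 64-bit history value from the previous run (or a random seed)
    public_iid -- 64-bit modified EUI-64 interface identifier of the interface
    Returns (new_iid, new_history), both 8 bytes.
    """
    if len(history) != 8 or len(public_iid) != 8:
        raise ValueError("history and interface identifier must be 64 bits each")
    digest = hashlib.md5(history + public_iid).digest()   # 128-bit output
    new_iid = bytearray(digest[:8])       # leftmost 64 bits -> new identifier
    new_iid[0] &= 0xFD                    # clear bit 6 (u/l bit): locally significant
    new_history = digest[8:]              # rightmost 64 bits -> next history value
    return bytes(new_iid), new_history


def temporary_addresses(prefix, public_iid, seed, count):
    """Derive `count` successive temporary addresses under `prefix` (a /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are generated within a /64")
    out, history = [], seed
    for _ in range(count):
        iid, history = next_temporary_iid(history, public_iid)
        out.append(str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid)))
    return out


def is_local_scope_iid(addr):
    """True when the u/l bit of the interface identifier is 0, as RFC 3041 sets it."""
    return (ipaddress.IPv6Address(addr).packed[8] & 0x02) == 0


if __name__ == "__main__":
    # Constructed inputs: modified EUI-64 of MAC 00-10-a4-b6-b9-72 and an all-zero seed.
    public_iid = bytes.fromhex("0210a4fffeb6b972")
    seed = bytes(8)
    for a in temporary_addresses("2001:db8::/64", public_iid, seed, 3):
        print(a, "local-scope iid:", is_local_scope_iid(a))
```

Each new identifier depends on the whole history chain, so without the host's current history value a scanner gains nothing from the previous address; only the cleared u/l bit is predictable.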
10
IPv6 Discovery Solutions
  • Multicast
  • Neighbor Discovery
  • Ethernet Vendor ID
  • DHCPv6 State Tables
  • Neighbor Cache
  • Target IPv4 Stack instead
  • Local Discovery and Distributed Architecture

11
IPv6 Layer 3 Multicast
  • Multicast is a core component of IPv6
  • We can get some live IP addresses using
    multicast
  • Typically site or link local
  • Certain IPv6 functions require multicast, so you
    are likely to have responses
  • Common groups
    - FF02::1    All nodes on the local link
    - FF02::2    All routers on the local link
    - FF02::1:2  All DHCP relay agents and servers on
      the local link

12
IPv6 Layer 3 Neighbor Discovery
  • Neighbor Discovery is an ICMPv6-specific service
  • Peer Discovery (layer 3 ARP): sent by a node to
    determine the link-layer address of a neighbor.
    Neighbor discovery can act as a link-local ping
    replacement. Some hosts may block multicast
    pings, but none should block multicast ND
    solicitations.
  • Router Discovery: a host requests routers to
    generate a Router Advertisement packet
    immediately.

13
Ethernet Vendor ID
  • It is typical to have the low 64 bits of the IPv6
    address comprised of the Interface Identifier
  • The Interface Identifier is typically the
    (modified) EUI-64 representation of the layer 2
    address
  • Part of this can be guessed (the layer 2 vendor
    ID, i.e. the 24-bit OUI), reducing the search
    space
  • EUI-64: http://standards.ieee.org/regauth/oui/tutorials/EUI64.html
  • Vendor-id: http://standards.ieee.org/regauth/oui/oui.txt

Example OUIs: 00-01-02, 00-07-E9, 00-05-B5, 00-E0-4C
14
DHCPv6 State Tables
  • DHCPv6 must keep internal state tables to track
    IPs that were granted
  • Examining the in-memory or on-disk representation
    of this will turn up live IPs
  • May be logs, a SQL database, an application API,
    or even hooking the server process
  • Requires access to the server and rights to do
    this

MSDN (DHCP Server Management API; these two
prototypes enumerate the IPv4 server's lease table)
DWORD DHCP_API_FUNCTION DhcpEnumSubnetClients(
  DHCP_CONST WCHAR *ServerIpAddress,
  DHCP_IP_ADDRESS SubnetAddress,
  DHCP_RESUME_HANDLE *ResumeHandle,
  DWORD PreferredMaximum,
  LPDHCP_CLIENT_INFO_ARRAY *ClientInfo,
  DWORD *ClientsRead,
  DWORD *ClientsTotal
);
DWORD DHCP_API_FUNCTION DhcpEnumSubnets(
  DHCP_CONST WCHAR *ServerIpAddress,
  DHCP_RESUME_HANDLE *ResumeHandle,
  DWORD PreferredMaximum,
  LPDHCP_IP_ARRAY *EnumInfo,
  DWORD *ElementsRead,
  DWORD *ElementsTotal
);
15
Neighbor Cache
  • Every IPv6 router and host must keep a neighbor
    cache. We can get some live IP addresses from it.
  • Similar to an ARP cache in IPv4
  • Contains live addresses and their associated
    layer 2 addresses
  • Can be accessed via SNMP or OS/application
    specific APIs
  • SNMP OID
    .1.3.6.1.2.1.55.1.12 (ipv6NetToMediaTable in the
    IPV6-MIB)
  • Windows
    C:\research>netsh interface ipv6 show neighbors
    Interface 6: Local Area Connection
    Internet Address            Physical Address   Type
    fe80::210:a4ff:feb6:b972    00-10-a4-b6-b9-72  Stale
    fe80::211:25ff:fe5a:cd63    00-11-25-5a-cd-63  Permanent
  • Linux
    ip -6 neigh show
    fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
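As an added example (not code from the presentation or from the scanner), a parser for the two command outputs above that turns a neighbor-cache dump into a list of live hosts. The sample outputs are constructed to follow the slide's format, with FAILED/INCOMPLETE and multicast entries added because a discovery step must skip those; the lowercase "nud reachable" form from the slide and the uppercase states that current iproute2 prints are both accepted.

```python
import ipaddress
import re

# Added example, not code from the presentation. Constructed sample output
# in the format of `ip -6 neigh show` and `netsh interface ipv6 show neighbors`.
LINUX_NEIGH = """\
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
2001:db8::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 REACHABLE
2001:db8::dead dev eth0  FAILED
2001:db8::beef dev eth0 INCOMPLETE
"""

WINDOWS_NEIGH = """\
Interface 6: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::210:a4ff:feb6:b972                      00-10-a4-b6-b9-72  Stale
fe80::211:25ff:fe5a:cd63                      00-11-25-5a-cd-63  Permanent
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::1:ffb6:b972                             33-33-ff-b6-b9-72  Permanent
"""

# Entries with no confirmed link-layer address are not evidence of a live host.
DEAD_STATES = {"incomplete", "failed", "unreachable"}

_LINUX_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?: router)?\s+(?:nud )?(?P<state>\w+)\s*$", re.IGNORECASE)
_WINDOWS_RE = re.compile(
    r"^(?P<addr>[0-9a-f:.]+)(?:%\d+)?\s+"           # address, optional %zone id
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(?P<state>\S+)\s*$", re.IGNORECASE)


def _is_host(addr):
    """Unicast addresses only: the multicast groups netsh lists are not hosts."""
    try:
        return not ipaddress.IPv6Address(addr).is_multicast
    except ValueError:
        return False


def parse_linux_neigh(text):
    """Map address -> (mac, state) from `ip -6 neigh show` output."""
    hosts = {}
    for line in text.splitlines():
        m = _LINUX_RE.match(line.strip())
        if not m or m["state"].lower() in DEAD_STATES or not m["mac"]:
            continue
        if _is_host(m["addr"]):
            hosts[m["addr"]] = (m["mac"].lower(), m["state"].lower())
    return hosts


def parse_windows_neigh(text):
    """Map address -> (mac, type) from `netsh interface ipv6 show neighbors` output."""
    hosts = {}
    for line in text.splitlines():
        m = _WINDOWS_RE.match(line.strip())
        if not m or m["state"].lower() in DEAD_STATES:
            continue
        if _is_host(m["addr"]):
            hosts[m["addr"]] = (m["mac"].lower().replace("-", ":"), m["state"].lower())
    return hosts


def live_hosts(*tables):
    """Merged, de-duplicated address list; routable addresses first, link-locals last."""
    addrs = {a for t in tables for a in t}
    return sorted(addrs, key=lambda a: (ipaddress.IPv6Address(a).is_link_local, a))


if __name__ == "__main__":
    for a in live_hosts(parse_linux_neigh(LINUX_NEIGH), parse_windows_neigh(WINDOWS_NEIGH)):
        print(a)
```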

16
Target IPv4
  • Mixed-mode networks often have both IPv4 and IPv6
    addresses: use the IPv4 address instead!
  • IPv6 transition addressing schemes often embed
    IPv4 addresses in their scheme, potentially
    reducing the address search space (ISATAP, 6to4
    transitional addresses)
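Slides 13 and 16 both shrink the search space by reading structure out of the address. The following added example (not code from the presentation) derives the modified EUI-64 identifier from a MAC and back, recognizes ISATAP and 6to4 addresses with an embedded IPv4 address, and enumerates candidate addresses for one vendor OUI. The OUI enumeration assumes a known /64 prefix; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges used as constructed input, and the classification names (eui64, isatap, 6to4, random) are this example's own.

```python
import ipaddress

# Added example, not code from the presentation: what an IPv6 interface
# identifier leaks (vendor OUI via modified EUI-64, embedded IPv4 via ISATAP
# and 6to4) and how many bits are left to search.


def mac_to_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]   # flip u/l bit, insert FFFE


def mac_from_iid(iid):
    """Inverse of mac_to_iid, or None when the identifier is not EUI-64 shaped."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in m)


def classify(addr):
    """Describe how much of `addr` a scanner can predict and how many bits remain."""
    raw = ipaddress.IPv6Address(addr).packed
    iid = raw[8:]
    if raw[:2] == b"\x20\x02":                                   # 6to4: 2002:V4ADDR::/48
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address(raw[2:6])), "search_bits": 0}
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):   # ISATAP: ::[02]00:5EFE:V4ADDR
        return {"kind": "isatap", "ipv4": str(ipaddress.IPv4Address(iid[4:])), "search_bits": 0}
    mac = mac_from_iid(iid)
    if mac and (iid[0] & 0x02):                                  # u/l bit set: a real MAC
        return {"kind": "eui64", "mac": mac, "oui": mac[:8], "search_bits": 24}
    return {"kind": "random", "search_bits": 64}                 # privacy/CGA/manual: nothing to guess


def eui64_candidates(prefix, oui, start=0, count=4):
    """Enumerate addresses under `prefix` for one vendor OUI (24 NIC bits -> 16,777,216)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are enumerated within a /64")
    o = oui.replace(":", "").replace("-", "")
    for nic in range(start, min(start + count, 1 << 24)):
        mac = o + "%06x" % nic
        yield str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac)))


if __name__ == "__main__":
    for a in ("fe80::210:a4ff:feb6:b972",        # EUI-64 of 00-10-a4-b6-b9-72 (from the deck's netsh output)
              "2002:c000:204::1",                 # 6to4 for 192.0.2.4 (constructed)
              "fe80::5efe:c000:204",              # ISATAP for 192.0.2.4 (constructed)
              "2001:db8::1234:5678:9abc:def0"):   # random-looking identifier (constructed)
        print(a, classify(a))
    print(list(eui64_candidates("2001:db8::/64", "00-10-a4", count=3)))
```

With a known prefix and OUI the remaining space is 2^24 addresses, which is scannable; a privacy address leaves the full 2^64, which is not.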

17
Local Discovery and Distributed Architecture
  • IPv6 is designed to make internal visibility good
    but external visibility poor
  • Internal network discovery becomes somewhat
    easier
  • External discovery is still a challenge
  • Many distributed scanners
    - Closer to the source, able to use ND and
      multicast
    - Distributes the workload across many platforms

18
IPv6 OS Detection
19
Negative impact caused by supporting IPv6 - OS
detection
Remote OS detection
  • Detect the OS type remotely without credentials.
  • OS detection is necessary to manage the asset
    information and for accurate vulnerability
    scanning.
  • We can detect the remote OS type by examining the
    differences in TCP/IP implementation, network
    service banners, and other factors. We can use
    most of the OS detection methods designed for an
    IPv4 network. However, the IPv4 ICMP OS detection
    method can not be used as is. Currently, if a
    target closes all TCP and UDP ports, we can not
    detect the remote OS.

20
Basics of remote OS detection
  • We detect the remote OS type by using the
    differences in TCP/IP implementations
  • Send some packets and analyze the responses.

TCP OS detection (Nmap method)
  - Send some specially crafted TCP packets and
    analyze the responses
  - OS is identified by some parameters (window
    size, TCP options, etc.)
ICMPv4 OS detection (Xprobe method)
  - Send some specially crafted ICMP packets and
    analyze the responses
  - OS is identified by ICMP types and some IP
    parameters.
  - It does not depend on open ports.
ICMPv6 OS detection
  - Send some specially crafted ICMPv6 packets and
    analyze the responses
  - IPv6 does not carry ICMPv4, so we need a new
    method for IPv6.
21
ICMPv4 OS detection
Test packets
  • UDP Unreachable Port
  • ICMP Echo Request
  • ICMP Timestamp Request
  • ICMP Information Request
  • ICMP Netmask Request

Parameters used for OS detection
  • Respond or no respond
  • IP Length
  • IP Identification
  • IP TOS
  • IP Flags
  • IP Fragment Offset
  • IP TTL
  • Checksum

"X - Remote ICMP based OS fingerprinting techniques",
Ofir Arkin and Fyodor Yarochkin,
http://www.sys-security.com/
22
ICMPv6 OS detection - Test packets and targets
Test packets
  • ICMPv6 Echo Request
  • ICMPv6 Echo Request (Invalid Code)
  • UDP Unreachable Port
  • ICMPv6 Multicast Listener Discovery
  • ICMPv6 Neighbor Solicitation

Targets
  • Windows XP SP2
  • Windows Vista Beta 2 Build 5384
  • Solaris 10
  • Linux Fedora 2.6.15
  • FreeBSD 6.0
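The five probes above, built as raw ICMPv6 and UDP bytes with the checksum computed over the IPv6 pseudo-header (RFC 2460 section 8.1). This is an added example, not the scanner's code: the source/target addresses, the source MAC (00:00:5e:00:53:01, a documentation value) and the ports are constructed, and actually transmitting the probes needs a raw socket, which is left out.

```python
import ipaddress
import struct

# Added example, not code from the presentation: the probe packets of the
# ICMPv6 OS detection test, as bytes ready for a raw IPv6 socket.

ICMPV6, UDP = 58, 17


def _ones_complement(data):
    """Internet checksum: 16-bit one's-complement sum, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def upper_layer_checksum(src, dst, proto, payload):
    """Checksum over the IPv6 pseudo-header (src, dst, length, zeros, next header) + payload."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), proto))
    return _ones_complement(pseudo + payload)


def checksum_ok(src, dst, proto, pkt):
    """A message with a valid checksum sums to 0xFFFF, so the complement is 0."""
    return upper_layer_checksum(src, dst, proto, pkt) == 0


def icmpv6(src, dst, typ, code, body):
    msg = struct.pack("!BBH", typ, code, 0) + body
    return msg[:2] + struct.pack("!H", upper_layer_checksum(src, dst, ICMPV6, msg)) + msg[4:]


def echo_request(src, dst, ident=0x1234, seq=1, data=b"eEye", code=0):
    # code=1 is the "invalid code" probe: RFC 2463 requires Code 0 for Echo Request.
    return icmpv6(src, dst, 128, code, struct.pack("!HH", ident, seq) + data)


def solicited_node(target):
    """ff02::1:ffXX:XXXX from the low 24 bits of the target address."""
    low = ipaddress.IPv6Address(target).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low))


def neighbor_solicitation(src, target, src_mac):
    """Type 135 to the solicited-node group, with a Source Link-Layer Address option."""
    dst = solicited_node(target)
    opt = b"\x01\x01" + bytes.fromhex(src_mac.replace(":", "").replace("-", ""))  # type 1, len 1 (8 octets)
    body = bytes(4) + ipaddress.IPv6Address(target).packed + opt
    return dst, icmpv6(src, dst, 135, 0, body)


def mld_general_query(src, dst="ff02::1", max_resp_ms=0):
    """MLDv1 General Query (type 130): 24 octets, Multicast Address all zero."""
    return icmpv6(src, dst, 130, 0, struct.pack("!HH", max_resp_ms, 0) + bytes(16))


def udp_to_closed_port(src, dst, sport=40000, dport=33434, data=b""):
    """UDP datagram; the ICMPv6 Port Unreachable (type 1, code 4) reply is the tell."""
    length = 8 + len(data)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = upper_layer_checksum(src, dst, UDP, hdr + data)
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + data   # UDP sends a zero checksum as 0xFFFF


if __name__ == "__main__":
    src, target = "fe80::1", "fe80::210:a4ff:feb6:b972"      # constructed link-local pair
    print("echo       ", echo_request(src, target).hex())
    print("echo code 1", echo_request(src, target, code=1).hex())
    print("udp        ", udp_to_closed_port(src, target).hex())
    print("mld query  ", mld_general_query(src).hex())
    dst, ns = neighbor_solicitation(src, target, "00:00:5e:00:53:01")
    print("ns ->", dst, ns.hex())
```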
23
ICMPv6 Echo request / HopLimit - Probe/Response
Probe - ICMPv6 Echo Request
  [ICMPv6 Echo Request: Type 128 | Code 0 | Checksum |
   Identifier | Sequence Number | Data ...]
Response - ICMPv6 Echo Reply
  [IPv6 header: Version | Traffic Class | Flow Label |
   Payload Length | Next Header | Hop Limit]
  followed by the ICMPv6 Echo Reply; the Hop Limit
  field of the reply is the parameter examined.
24
ICMPv6 Echo request / HopLimit - Characteristics
Response packet - Hop Limit of the ICMPv6 Echo Reply
OS             Hop Limit
Windows XP     128
Windows Vista  128
Solaris        255
Linux          64
FreeBSD        64

[Figure: decision tree on Hop Limit: 128 -> Windows XP
or Windows Vista; 255 -> Solaris; 64 -> Linux or
FreeBSD]
25
ICMPv6 Echo request / Invalid Code - Probe/Response
Probe - ICMPv6 Echo Request with invalid code
  [ICMPv6 Echo Request: Type 128 | Code 1 | Checksum |
   Identifier | Sequence Number | Data ...]
The "Code" field in an ICMPv6 Echo Request should be
0 (RFC 2463). However, most implementations don't
check the code field.
26
ICMPv6 Echo request / Invalid Code - Characteristics
Response - ICMPv6 Echo Reply to the invalid-code probe
OS             Response
Windows XP     Yes
Windows Vista  Yes
Solaris        Yes
Linux          Yes
FreeBSD        No

[Figure: decision tree: Hop Limit 128 -> Windows XP or
Windows Vista; 255 -> Solaris; 64 -> Echo Reply to
Invalid Code: Yes = Linux, No = FreeBSD]
27
UDP Port Unreachable / Probe/Response
Probe - Send a UDP packet over IPv6 to a closed port
  [IPv6 header: Version | Traffic Class | Flow Label |
   Payload Length | Next Header (17) | Hop Limit]
  [UDP: Source Port | Destination Port (closed) |
   UDP Length | UDP Checksum | Data ...]
Response - ICMPv6 Destination Unreachable message is
sent back from the target
  [ICMPv6 Destination Unreachable, Port Unreachable:
   Type 1 | Code 4 | Checksum | Unused (32 bits) |
   as much of the invoking packet as will fit without
   the ICMPv6 packet exceeding the minimum IPv6 MTU]
28
UDP Port Unreachable / Characteristics
RFC 2463:
"A destination node SHOULD send a Destination
Unreachable message with Code 4 in response to a
packet for which the transport protocol (e.g.,
UDP) has no listener, if that transport protocol
has no alternative means to inform the sender."
-> "SHOULD", not "MUST"
Response - ICMPv6 Port Unreachable
OS             Response
Windows XP     Yes
Windows Vista  No
Solaris        Yes
Linux          Yes
FreeBSD        No

[Figure: decision tree: Hop Limit 128 -> Echo Reply to
Invalid Code -> UDP Port Unreachable: Yes = Windows
XP, No = Windows Vista; Hop Limit 64 -> Echo Reply to
Invalid Code: Yes = Linux, No = FreeBSD; Hop Limit
255 -> Solaris]
29
ICMPv6 Multicast Listener Discovery / Probe/Response
The purpose of MLD is to enable routers to discover
the presence of multicast listeners.
Probe - Send a Multicast Listener Discovery (MLDv1)
Query packet to the target
  [ICMPv6 MLD Query: Type 130 | Code 0 | Checksum |
   Maximum Response Delay (0x0000) | Reserved |
   Multicast Address (all 0x00, i.e. a General
   Query)]
Response - Multicast Listener Report is sent back
from the target
  [ICMPv6 MLD Report: Type 131 (MLDv1) or 143 (MLDv2)
   | Code 0 | Checksum | report body (depends on the
   Type field)]
30
MLDv1 vs MLDv2
  - MLDv2 adds sender (source address) information to
    MLDv1.
  - MLDv1 Query and MLDv2 Query have the same ICMPv6
    Type (130). An IPv6 node recognizes the MLD
    version by checking the length of the packet
    (24 octets: MLDv1; 28 octets or more: MLDv2).
  - Some implementations respond with MLDv2 even if
    the query is MLDv1. Some implementations don't
    respond at all.
  [ICMPv6 MLDv1 Multicast Listener Report: Type 131 |
   Code 0 | Checksum | Maximum Response Delay |
   Reserved | Multicast Address]
  [ICMPv6 MLDv2 Multicast Listener Report: Type 143 |
   Code 0 | Checksum | Reserved | Number of
   Multicast Address Records | Multicast Address
   Record 1 ... Multicast Address Record n]
31
ICMPv6 Multicast Listener Report / Characteristics
Response to the MLD Query
OS             Response
Windows XP     MLDv1 Report
Windows Vista  No Response
Solaris        No Response
Linux          MLDv2 Report
FreeBSD        MLDv1 Report

[Figure: decision tree: Hop Limit 128 -> MLD Query
response: v1 = Windows XP, None = Windows Vista;
Hop Limit 64 -> v2 = Linux, v1 = FreeBSD; Hop Limit
255 -> Solaris]
32
ICMPv6 Multicast Listener Report / IPv6
Hop-By-Hop Option
An IPv6 Hop-by-Hop Options header is included in the
MLD Report response packet. The sequence of options
depends on the implementation.
  [IPv6 header: Version | Traffic Class | Flow Label |
   Payload Length | Next Header = 0 (Hop-by-Hop) |
   Hop Limit]
  [IPv6 Hop-by-Hop Options header: Next Header = 58
   (ICMPv6) | Header Ext Len | Hop-by-Hop Option |
   Hop-by-Hop Option]
  [ICMPv6 Multicast Listener Report: Type 131 |
   Code 0 | Checksum | report body (depends on the
   Type field)]
33
IPv6 Hop-By-Hop Option / Characteristics
Option format (TLV)
  Type    8-bit option type
  Length  8-bit length of the option data
  Data    option data, depending on the option type
Option type: the two highest-order bits specify the
action taken if the processing node does not
recognize the option
  00  skip over this option and continue processing
      the header
  01  discard the packet
  10  discard the packet and, regardless of whether
      or not the packet's Destination Address was a
      multicast address, send an ICMP Parameter
      Problem
  11  discard the packet and, only if the packet's
      Destination Address was not a multicast
      address, send an ICMP Parameter Problem
Option sequence in the MLD Report (05 = Router
Alert, 01 = PadN)
OS             Response
Windows XP     05 -> 01
Windows Vista  No Response
Solaris        No Response
Linux          05 -> 01
FreeBSD        01 -> 05
34
ICMPv6 Neighbor Solicitation / Probe/Response
Sent by a node to determine the link-layer
address of a neighbor, or to verify that a
neighbor is still reachable via a cached
link-layer address.
Probe - Send Neighbor Solicitation to the target
  [ICMPv6 Neighbor Solicitation: Type 135 | Code 0 |
   Checksum | Reserved (32 bits) | Target Address
   (the target's IPv6 address, 128 bits) | Options]
Response - Neighbor Advertisement is sent back
from the target
  [ICMPv6 Neighbor Advertisement: Type 136 | Code 0 |
   Checksum | R (Router flag) | S (Solicited flag) |
   O (Override flag) | Reserved | Target Address |
   Options]
35
ICMPv6 Neighbor Solicitation / Characteristics
Override flag in the Neighbor Advertisement
OS             Override flag
Windows XP     Enabled
Windows Vista  Enabled
Solaris        Enabled
Linux          Disabled
FreeBSD        Disabled
36
Fingerprint (9 bits; bit 8 is the most significant)
Bit      Parameter              Value
Bit 8,7  Hop Limit              00=other, 01=64, 10=128, 11=255
Bit 6    Invalid Code           0=No response, 1=Response
Bit 5    UDP Unreachable        0=No response, 1=Response
Bit 4,3  MLD Query              00=No response, 01=MLDv1, 10=MLDv2, 11=other
Bit 2,1  Hop-by-Hop Option      00=No response, 01=01->05, 10=05->01, 11=other
Bit 0    Neighbor Solicitation  0=Override flag disabled, 1=Override flag enabled

OS             8,7  6  5  4,3  2,1  0   Fingerprint
Windows XP     10   1  1  01   10   1   0x16D
Windows Vista  10   1  0  00   00   1   0x141
Solaris        11   1  1  00   00   1   0x1E1
Linux          01   1  1  10   10   0   0x0F4
FreeBSD        01   0  0  01   01   0   0x08A
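As an added example (not the authors' implementation), the fingerprint table above turned into an encoder, plus a decoder that reads the Hop Limit, the Hop-by-Hop option order, the MLD report type and the Neighbor Advertisement Override flag out of reply packets and matches the result against the table. The replies are constructed byte strings with zero checksums, built only to exercise the parser; the reply builders (echo_reply, port_unreach, mld_report, neighbor_adv), the 2001:db8:: addresses and the function names are this example's own assumptions.

```python
import struct

# Added example, not code from the presentation: encode probe responses into
# the deck's 9-bit fingerprint and classify them.

HOP_LIMIT_CODE = {64: 0b01, 128: 0b10, 255: 0b11}        # anything else -> 0b00
MLD_CODE = {None: 0b00, 131: 0b01, 143: 0b10}             # report type -> MLDv1/MLDv2, other -> 0b11
HBH_CODE = {None: 0b00, (1, 5): 0b01, (5, 1): 0b10}      # option type order, other -> 0b11
KNOWN = {0x16D: "Windows XP", 0x141: "Windows Vista", 0x1E1: "Solaris",
         0x0F4: "Linux", 0x08A: "FreeBSD"}


def parse_reply(pkt):
    """Return (hop_limit, hbh_option_order, icmp_type, icmp_code, icmp_body)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, hop = pkt[6], pkt[7]
    off, order = 40, None
    if nxt == 0:                                   # Hop-by-Hop Options header present
        nxt, ext_len = pkt[40], pkt[41]
        end = 40 + (ext_len + 1) * 8
        i, order = 42, []
        while i < end:                             # walk the option TLVs in order
            if pkt[i] == 0:                        # Pad1 has no length byte
                i += 1
                continue
            order.append(pkt[i])
            i += 2 + pkt[i + 1]
        order, off = tuple(order), end
    if nxt != 58:
        raise ValueError("not ICMPv6")
    return hop, order, pkt[off], pkt[off + 1], pkt[off + 4:]


def encode_fingerprint(hop_limit, invalid_code_replied, udp_unreachable,
                       mld_report_type, hbh_order, na_override):
    fp = HOP_LIMIT_CODE.get(hop_limit, 0b00) << 7
    fp |= int(bool(invalid_code_replied)) << 6
    fp |= int(bool(udp_unreachable)) << 5
    fp |= MLD_CODE.get(mld_report_type, 0b11) << 3
    fp |= HBH_CODE.get(hbh_order, 0b11) << 1
    fp |= int(bool(na_override))
    return fp


def fingerprint_from_replies(echo, echo_bad_code, udp_reply, mld_reply, na_reply):
    """Each argument is the reply to that probe, or None when nothing came back."""
    hop = parse_reply(echo)[0] if echo is not None else None
    bad_code_ok = echo_bad_code is not None and parse_reply(echo_bad_code)[2] == 129
    udp_ok = udp_reply is not None and parse_reply(udp_reply)[2:4] == (1, 4)
    mld_type, hbh = None, None
    if mld_reply is not None:
        _, hbh, mld_type, _, _ = parse_reply(mld_reply)
    override = False
    if na_reply is not None:
        _, _, t, _, body = parse_reply(na_reply)
        override = t == 136 and bool(body[0] & 0x20)   # NA flags byte: R=0x80 S=0x40 O=0x20
    return encode_fingerprint(hop, bad_code_ok, udp_ok, mld_type, hbh, override)


def identify(fp):
    return KNOWN.get(fp, "unknown (0x%03X)" % fp)


# --- constructed replies (documentation addresses, checksums left zero) -------
SRC = bytes.fromhex("20010db8" + "00" * 12)
DST = bytes.fromhex("20010db8" + "00" * 11 + "01")


def ipv6(hop, nxt, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, hop) + SRC + DST + payload


def hbh_header(option_order, inner_nxt=58):
    """8-byte Hop-by-Hop header holding Router Alert (type 5) and PadN (type 1)."""
    opts = {5: b"\x05\x02\x00\x00", 1: b"\x01\x00"}
    body = b"".join(opts[t] for t in option_order)
    return bytes([inner_nxt, 0]) + body + bytes(6 - len(body))   # Pad1 fills any gap


def echo_reply(hop):
    return ipv6(hop, 58, bytes([129, 0, 0, 0]) + b"\x12\x34\x00\x01")


def port_unreach(hop):
    return ipv6(hop, 58, bytes([1, 4, 0, 0]) + bytes(4))


def mld_report(hop, typ, order):
    return ipv6(hop, 0, hbh_header(order) + bytes([typ, 0, 0, 0]) + bytes(20))


def neighbor_adv(hop, override):
    flags = 0x60 if override else 0x40             # S always set for a solicited reply
    return ipv6(hop, 58, bytes([136, 0, 0, 0, flags, 0, 0, 0]) + bytes(16))


if __name__ == "__main__":
    fp = fingerprint_from_replies(echo_reply(64), echo_reply(64), port_unreach(64),
                                  mld_report(64, 143, (5, 1)), neighbor_adv(64, False))
    print("0x%03X -> %s" % (fp, identify(fp)))
```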
37
ICMPv6 OS Detection - Future work
  • Determine the OS detection accuracy
    - Deploy this algorithm to more OSes
    - Collect more fingerprints
  • Improve accuracy
    - Identify the OS version
    - Find better parameters to be more accurate
    - Check the parameters related to Mobile IP and
      security (IPsec)

38
Thank you for attending !
Questions ?
Contact: Yuji Ukai <yukai_at_eeye.com>