Discovering Dual Stack Hosts with IP_MAP

IPv4 and IPv6 stacks can interoperate in order to make the v4 to v6 migration pretty smooth. Hence IPv4 hosts could run dual IP stack. Most firewalls with IPv6 support have separate rule-sets for IPv6 and IPv4.

Modern operating systems such as Linux have their IPv6 stack enabled by default and many system administrators are unaware of issues that may arise from employing both stacks. Common mistakes involve missing coordination between rule sets and access policies of different stacks. Linux provides builtin packet filtering capabilities in kernel spaces but unfortunately IPv4 ruleset defined with iptables are not coordinated on IPv6 stack without manually specifying IPv6 rules with iptables6. The same could be applied on ISO/OSI upper layers where access policies have been implemented on application side.


IPv6 Link-Local Address

IPv6 hosts automatically assign to each of their interfaces a unique address
based on the L2 address when no external source of network addressing information is available. These addresses refer only to a particular broadcast domain. Router will not forward datagrams using link-local addresses at all.

Link-local addresses have the prefix of FE80::/64. The last 64 bits of the IPv6 address is derived from the L2 address of related network adapter in such a way:
  • 0xFF and 0xFE are inserted between the third and fourt byte of mac-address
  • second low order bit of the first byte of MAC Address gets complemented
L2 Address 00:22:15:eb:19:4f gets IPv6 Link-local address fe80::222:15ff:feeb:194f


Neighbor Discovery Protocol

" IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors. " RFC 2461

To determine the link-layer address of a neighbor an ICMPv6 Neighbor Solicitation is sent by a node. Solicited node answer with a ICMPv6 Neighbor Advertisement to announce it's link-layer address. As you guess ICMPv6 Neighbor Discover Protocol has replaced ARP in IPv4.

They replaced ARP to safely ensure Link Layer address translation. IPv6 header includes the AH header to authenticate the datagram. To this aim ICMPv6 gets encapsulated in IPv6 and AH extension neighbor spoofing should be avoided. It sounds like a novel in a perfect world to me but they still did it!


Solicited Node Address

In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the broadcast domain. For IPv6, instead of disturbing all IPv6 nodes on the local link , the solicited-node multicast address is used as the host destination for ICMPv6 Neighbor Solicitation message.

The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24-bits of the IPv6 address that is being resolved. Node with link-local IPv6 address FE80::20B:6AFF:FE47:194F is listening for multicast traffic at the solicited-node address FF02::1:FF47:194F. Something similar happens at L2 where a multicast prefixed ethernet datagram with 33:33 is sent.


What is ip_map?

ip_map is an auxiliary module for Metasploit to be used for enumerating dual stack hosts. It means that it follows a two step process:


ARP sweep
For each target hosts refered by its IPv4 address it sends an arp-request claiming for the L2 Address. If host responds with arp-reply it's L2, L3 address get added to the array nodes


ICMPv6 ND sweep
For each elements of array nodes the L2 address component is extracted and used to get:
  • Solicited-Node multicast L2 address
  • Solicited-Node multicast L3 address
  • Node Link-local address

An ICMPv6 ND Solicitation packet is built and injected into the wire awaiting for corresponding ICMPv6 Neighbor Advertisement (if any).


How to ip_map?

Download msf trunk
svn co http://www.metasploit.com/svn/framework3/trunk /framework

Download and install pcaprub from rubyforge
svn co http://pcaprub.rubyforge.org/svn pcaprub
cd pcabrub
ruby extconf.rb && make && sudo make install

Download and install racket ( 1.0.7 at the moment of writing)
sudo gem install --source http://spoofed.org/files/racket racket

Create resource file for msf: ndpsweep.msf:
use auxiliary/scanner/discovery/ip_map
setg INTERFACE eth0
setg SHOST 192.168.2.100
setg SMAC 00:21:5d:61:7f:c0
setg RHOSTS 192.168.2.0/24
run
exit

Download and install ip_map
svn co http://msf-hack.googlecode.com/svn/trunk
cp ip_map.rb /framework/modules/auxiliary/scanner/discovery/

Start msf framework
sudo MSF_LOCAL_LIB=/var/lib/gems/1.8/gems/racket-1.0.7 ./msfconsole -r ./ndsweep.msf



Watch module in action

7 commenti:

Unknown ha detto...

That rocks!

Rob ha detto...

Bravo Belch, ti aggiungo ai feed di EW!

belch ha detto...

Tnx!!!!

belch ha detto...
Questo commento è stato eliminato dall'autore.
mascalzone ha detto...

you rocks, guy! indeed ;)

belch ha detto...

Racket has been updated with my ICMPv6 contributions. Now to use ip_map inside msf you don't have to install racket. msfconsole can now be started without supplying additional gem path:

sudo ./msfconsole -r ./ndsweep.msf

belch ha detto...

Submitted to msf trac as issue 788:

http://www.metasploit.com/redmine/issues/788

Posta un commento