Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-09-13 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

No IPv6? Challenge Accepted! (Part 1)

Published: 2017-09-13
Last Updated: 2017-09-13 14:18:52 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

I recently had an internal penetration test with a client.  During the initial discussions, where the client set the scope and so on, I asked if they had any IPv6 in their environment (mainly because I'm hoping that someday, someone will say yes).  Their answer was an emphatic "no".  My answer to that was "Challenge Accepted?", and they ruled IPv6 in scope with a "knock yourself out, there's nothing there".

As many of you know, IPv6 is enabled on most modern operating systems, and if a path is found, IPv6 is usually prefered over IPv4.  In most organizations though, IPv6 is disabled on the routers and firewalls - so there's nowhere for IPv6 to go and no way for IPv6 to be auto-configured (aside from Locally Administered Addressing).  That is, until there's a malicious actor (that'd be me) in the environment.

You don't have to look far for tools to exploit the IPv6 protocol.  Kali has the most excellent THC IPv6 Attack Toolkit installed (https://github.com/vanhauser-thc/thc-ipv6).  Using this toolkit is pretty straigtforward (I only list the tools I commonly use below):

Enumeration Tools:
alive6 is a quick and dirty "what IPv6 hosts are on my network segement?" tool
dump_router6  will (as you'd expect) dump any IPv6 routers on the local segment.  In a production environment, "netstat -rn" will usually do the trick also.
passive_discovery6 combines a number of features, doing passive discovery of the entire network segment, and lifting all the information from the IPv6 multicast packets (which is used instead of broadcasts like ARP in IPv6).

Attack Tools:
fake_dhcps6 and fake_dns6d stand up malicious DHCP and DNS servers, which allow you to give victim hosts "real" IPv6 addresses that can be routed, and resolve DNS queries to malicious IPv6 host addresses.
fake_router26 and fake_router6 are the "go to" Man in the Middle attack tools for IPv6 - these allow you to stand up a default router for IPv6, which will be prefered over existing IPv4 routers.  Note that you need to set up a mechanism to forward IPv6 packets.  This means you need to enable IPv6 forwarding, then either tunnel IPv6 outbound, usually to an internet gateway, or nat/proxy the IPv6 packets back to IPv4 (which you then forward to the "real" IPv4 router).  What this means is that there's some thought and preparation required to mount this attack.  

Mounting an IPv6 Man in the Middle attack is as simple as: "fake_router6 eth0  BAD1::00/64" (the last parameter is the network - either your "fake" IPv6 network, or your customer's real IPv6 network).  Note that you then have to do the other half - send the victim stations' packets on to their destination (stay tuned for that in my next post).

kill_router6 allows you to take any production IPv6 router offline.  So far I haven't needed this tool, IPv6 just isn't widely implemented in corporate clients I generally work with.

More info on using the THC attack toolkit can be found here: https://tools.kali.org/information-gathering/thc-ipv6

Defenses against these attacks?
The defenses against IPv6 router hijack attacks lie primarily in an organization's switches.  Enabling a feature called "RA Guard" to simply block Router Advertisements (defending against the fake router attack tools):
int Ethernet x/y
    ipv6 nd raguard

If you don't have an IPS on every segment, enabling RA guard on switches will create a syslog event - you can monitor for that with your SEIM, or even easier, look for it directly on your syslog server ( https://isc.sans.edu/forums/diary/Syslog+Skeet+Shooting+Targetting+Real+Problems+in+Event+Logs/19449/ ) .  The log entry you are looking for is:
"ICMPv6-ND: Received RA from FE80::1 on Vlan72"  (of course the vlan number will vary)

Configuring a policy for Neighbor Discovery (ND) can defend against the IPv6 reconnassance tools:
ipv6 nd inspection policy NDPOLICY
    drop-unsecure
    sec-level minimum 2
    device-role monitor

int Ethernet x/y
    ipv6 nd inspection attach-policy NDPOLICY vlan add all

Then don't configure any "trusted" ports for RA (Router Advertisements)

Of course, on any segment that you have an IPS sensor you can use that too, if you don't have IPv6 running in production then if you detect any IPv6 RA packets, DNS responses from a local IP or a DHCP6 responses, these should all be classified as attacks, and dealt with some sense of priority.

Cisco covers IPv6 First Hop Security in much more detail here: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-snooping.pdf - I'd recommend looking at encryption and signing of the IPv6 infrastructure functions if you're standing up an IPv6 infrastructure, and not just defending against rogue IPv6 in an IPv4 network.

Stay tuned, in the next installments to this story I'll cover some handy IPv6 NAT/Proxy attack techniques, a soup-to-nuts IPv6 based Man in the Middle attack, as well as defenses you can implement on on firewalls.

Have I missed anything important in this post?  Do you use a different set of tools to attack IPv6 - maybe Scapy or Metasploit?  Please, post your tools or approaches for discussion in our comment form

===============
Rob VandenBrink
Compugen

 

Keywords: IPv6
0 comment(s)

Microsoft Patch Tuesday September 2017

Published: 2017-09-13
Last Updated: 2017-09-13 03:32:24 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

 

Below we do have our quick summary table for today's Microsoft patches. I am still working on getting this set up a bit better based on the new Microsoft patch Tuesday process.

Title CVE
Publicly Disclosed? Exploited? Impact Rating
.NET Framework Remote Code Execution Vulnerability CVE-2017-8759
Not Publicly Disclosed Exploited! Remote Code Execution Important
Broadcom BCM43xx Remote Code Execution Vulnerability CVE-2017-9417
Publicly Disclosed Not Exploited Remote Code Execution Important
Device Guard Security Feature Bypass Vulnerability CVE-2017-8746
Publicly Disclosed Not Exploited Security Feature Bypass Important
Graphics Component Information Disclosure Vulnerability CVE-2017-8695
Not Publicly Disclosed Not Exploited Information Disclosure Important
Hyper-V Denial of Service Vulnerability CVE-2017-8704
Not Publicly Disclosed Not Exploited Denial of Service Important
Hyper-V Information Disclosure Vulnerability CVE-2017-8706
Not Publicly Disclosed Not Exploited Information Disclosure Important
Hyper-V Information Disclosure Vulnerability CVE-2017-8707
Not Publicly Disclosed Not Exploited Information Disclosure Important
Hyper-V Information Disclosure Vulnerability CVE-2017-8711
Not Publicly Disclosed Not Exploited Information Disclosure Important
Hyper-V Information Disclosure Vulnerability CVE-2017-8712
Not Publicly Disclosed Not Exploited Information Disclosure Important
Hyper-V Information Disclosure Vulnerability CVE-2017-8713
Not Publicly Disclosed Not Exploited Information Disclosure Important
Internet Explorer Memory Corruption Vulnerability CVE-2017-8747
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Internet Explorer Memory Corruption Vulnerability CVE-2017-8749
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Internet Explorer Spoofing Vulnerability CVE-2017-8733
Not Publicly Disclosed Not Exploited Spoofing Important
Microsoft Bluetooth Driver Spoofing Vulnerability CVE-2017-8628
Not Publicly Disclosed Not Exploited Spoofing Important
Microsoft Browser Information Disclosure Vulnerability CVE-2017-8736
Not Publicly Disclosed Not Exploited Information Disclosure Important
Microsoft Browser Memory Corruption Vulnerability CVE-2017-8750
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Information Disclosure Vulnerability CVE-2017-8597
Not Publicly Disclosed Not Exploited Information Disclosure Important
Microsoft Edge Information Disclosure Vulnerability CVE-2017-8643
Not Publicly Disclosed Not Exploited Information Disclosure Important
Microsoft Edge Information Disclosure Vulnerability CVE-2017-8648
Not Publicly Disclosed Not Exploited Information Disclosure Important
Microsoft Edge Memory Corruption Vulnerability CVE-2017-11766
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Memory Corruption Vulnerability CVE-2017-8731
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Memory Corruption Vulnerability CVE-2017-8734
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Memory Corruption Vulnerability CVE-2017-8751
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Remote Code Execution Vulnerability CVE-2017-8757
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Edge Security Feature Bypass Vulnerability CVE-2017-8723
Publicly Disclosed Not Exploited Security Feature Bypass Moderate
Microsoft Edge Security Feature Bypass Vulnerability CVE-2017-8754
Not Publicly Disclosed Not Exploited Security Feature Bypass Important
Microsoft Edge Spoofing Vulnerability CVE-2017-8724
Not Publicly Disclosed Not Exploited Spoofing Important
Microsoft Edge Spoofing Vulnerability CVE-2017-8735
Not Publicly Disclosed Not Exploited Spoofing Moderate
Microsoft Exchange Cross-Site Scripting Vulnerability CVE-2017-8758
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
Microsoft Exchange Information Disclosure Vulnerability CVE-2017-11761
Not Publicly Disclosed Not Exploited Information Disclosure Important
Microsoft Graphics Component Remote Code Execution CVE-2017-8696
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft Office Defense in Depth Update ADV170015
Publicly Disclosed Exploited! Defense in Depth N/A
Microsoft Office Memory Corruption Vulnerability CVE-2017-8630
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft Office Memory Corruption Vulnerability CVE-2017-8631
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft Office Memory Corruption Vulnerability CVE-2017-8632
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft Office Memory Corruption Vulnerability CVE-2017-8744
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft Office Publisher Remote Code Execution CVE-2017-8725
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft Office Remote Code Execution CVE-2017-8567
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Microsoft PDF Remote Code Execution Vulnerability CVE-2017-8728
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft PDF Remote Code Execution Vulnerability CVE-2017-8737
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Microsoft SharePoint Cross Site Scripting Vulnerability CVE-2017-8745
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
Microsoft SharePoint XSS Vulnerability CVE-2017-8629
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
NetBIOS Remote Code Execution Vulnerability CVE-2017-0161
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
PowerPoint Remote Code Execution Vulnerability CVE-2017-8742
Not Publicly Disclosed Not Exploited Remote Code Execution Important
PowerPoint Remote Code Execution Vulnerability CVE-2017-8743
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Remote Desktop Virtual Host Remote Code Execution Vulnerability CVE-2017-8714
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Scripting Engine Information Disclosure Vulnerability CVE-2017-8739
Not Publicly Disclosed Not Exploited Information Disclosure Important
Scripting Engine Memory Corruption Vulnerability CVE-2017-11764
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8649
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8660
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8729
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8738
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8740
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8741
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8748
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8752
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8753
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8755
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Scripting Engine Memory Corruption Vulnerability CVE-2017-8756
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
September 2017 Flash Security Update ADV170013
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Uniscribe Remote Code Execution Vulnerability CVE-2017-8692
Not Publicly Disclosed Not Exploited Remote Code Execution Important
Win32k Elevation of Privilege Vulnerability CVE-2017-8675
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
Win32k Elevation of Privilege Vulnerability CVE-2017-8720
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
Win32k Graphics Information Disclosure Vulnerability CVE-2017-8683
Not Publicly Disclosed Not Exploited Information Disclosure Important
Win32k Graphics Remote Code Execution Vulnerability CVE-2017-8682
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Win32k Information Disclosure Vulnerability CVE-2017-8677
Not Publicly Disclosed Not Exploited Information Disclosure Important
Win32k Information Disclosure Vulnerability CVE-2017-8678
Not Publicly Disclosed Not Exploited Information Disclosure Important
Win32k Information Disclosure Vulnerability CVE-2017-8680
Not Publicly Disclosed Not Exploited Information Disclosure Important
Win32k Information Disclosure Vulnerability CVE-2017-8681
Not Publicly Disclosed Not Exploited Information Disclosure Important
Win32k Information Disclosure Vulnerability CVE-2017-8687
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows DHCP Server Remote Code Execution Vulnerability CVE-2017-8686
Not Publicly Disclosed Not Exploited Remote Code Execution Critical
Windows Elevation of Privilege Vulnerability CVE-2017-8702
Not Publicly Disclosed Not Exploited Elevation of Privilege Important
Windows GDI+ Information Disclosure Vulnerability CVE-2017-8676
Not Publicly Disclosed Not Exploited Information Disclosure Critical
Windows GDI+ Information Disclosure Vulnerability CVE-2017-8684
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows GDI+ Information Disclosure Vulnerability CVE-2017-8685
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows GDI+ Information Disclosure Vulnerability CVE-2017-8688
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Information Disclosure Vulnerability CVE-2017-8710
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Kernel Information Disclosure Vulnerability CVE-2017-8679
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Kernel Information Disclosure Vulnerability CVE-2017-8708
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Kernel Information Disclosure Vulnerability CVE-2017-8709
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Kernel Information Disclosure Vulnerability CVE-2017-8719
Not Publicly Disclosed Not Exploited Information Disclosure Important
Windows Security Feature Bypass Vulnerability CVE-2017-8716
Not Publicly Disclosed Not Exploited Security Feature Bypass Important
Windows Shell Remote Code Execution Vulnerability CVE-2017-8699
Not Publicly Disclosed Not Exploited Remote Code Execution Important

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|

Keywords:
9 comment(s)
Diary Archives