
Abusing ICMPv6 to Manipulate Network Traffic

BSides Budapest · 2022 · 37:44 · Published 2023-06
About this talk
Stipovic demonstrates two ICMPv6-based attacks that manipulate network traffic on Windows and Linux systems: one injects arbitrary IPv6 routes via router advertisements, the other redirects all traffic through an attacker-controlled gateway using ICMP redirect messages. Both attacks exploit legitimate protocol functionality and relaxed OS defaults rather than corrupted headers or payloads.
Original YouTube description
This presentation was held at the BSidesBUD 2022 IT security conference on 26th May 2022.

Ivica Stipovic - Abusing ICMPv6 to Manipulate Network Traffic

ICMP is the Internet Control Message Protocol; hence, as its name indicates, it has capabilities to control the flow of traffic on the network layer. This means that certain scenarios such as network congestion, unreachable destination and excessive packet size are properly communicated and sometimes even remediated by ICMP. ICMP is also not an exception when it comes to abusing its powerful capabilities: a malicious actor can craft ICMP packets and manipulate the flow of legitimate network traffic. This presentation dissects two Proofs of Concept: one attack injects an arbitrary IPv6 route, whereas the other sends a request to redirect all traffic via a router controlled by the attacker. The attack works against Windows (2012/2016/2019) as well as CentOS 7 and is executed through the Proof of Concept script. Even more interesting is that both attacks abuse fully legitimate protocol functionalities. The attacking scripts do not create any complicated application payloads or corrupted headers. They simply abuse the protocol logic and the relaxed default settings of the Windows and CentOS operating systems to compromise them.

https://bsidesbud.com
Transcript (English)

The presentation before the mid-afternoon break is Ivica Stipovic. Thank you, Ivica. Thank you. [Applause]

Okay, first of all, thanks for your time. It's nice to see people again gathering live and exchanging information and not watching them through the display, so I guess after the two years of pandemic it's something that we all wished for. Anyway, enough of the small talk, let's see what's on the menu today. We're going to be talking about abusing ICMP version 6 to manipulate the network traffic. My name is Ivica Stipovic; here's the email address that you can query for whatever questions you might have, and there's also a blog that I write from time to time when I come across an interesting thing from the area of cyber security. This particular topic hasn't been published yet; I wanted to share this first with you guys and then publish it, hopefully, if it's any worth.

A little bit about the agenda. First we're going to just shortly explain what ICMP is. I know a lot of people probably know it very well, but I just want to make sure that those who are not familiar with the protocol understand the basics, so that we're on the same page and they can follow the presentation. Then we're going to take a little deeper dive into ICMP and explain what the ICMP messages are, how they operate, and how we use and misuse them. Then I'm going to give you the description of the two attacks that were in the scope of this presentation: one actually deals with route injection, the other one is traffic redirection. They're both facilitated by abusing the ICMP messages, so just to eliminate any confusion, they are both in the scope of ICMP manipulation. Then we are going to identify the root cause, so essentially we will be identifying the setups and the parameters of your operating systems that allow or disallow this attack from happening. And then I'm going to show you the communication with the vendor. The reason for that is, after this number of experiments that I did and after realizing the behavior of the systems, I wasn't quite sure whether the systems were designed to work that way, or maybe it was a flaw in the design and maybe they were supposed to behave a bit differently. And then at the end, in the summary, I'm going to give you the recommendations and suggestions how you may prevent those attacks from happening.

So let's start with ICMP. What is it? It stands for the Internet Control Message Protocol. Now, I deliberately emphasize this "control" part, because that means that the protocol is able to diagnose various conditions that happen in the network. Sometimes it's able to mitigate it automatically; sometimes it just provides you a kind of error message that may indicate the root cause issue. For example, routing loops, or packets not being forwarded to their desired destination, is definitely one of the groups of difficulties you might have. I'm sure many of you know "destination host unreachable", "destination net or port unreachable" and so on and so forth. So this particular message is actually processed and is the result of one of the ICMP messages that are specially designed to deal with those defects. Another, maybe less known, is when packets are too big to pass through the routing devices. So this command just simulates it: it says "packet needs to be fragmented but the don't fragment flag was set". In other words, that means I deliberately constructed a packet with excessive size that the network wasn't able to transmit, and I explicitly said I don't want packets to be fragmented. So the device saw the packet which was excessive and said "hey, I need to fragment it, but you disabled this fragmentation, so there's nothing I can do with it". And then the next group of issues is when the network is congested. This particular issue, when the network is congested, is part of one of the attacks that I'm going to present. So, long story short, the purpose of ICMP is network error reporting, whatever the number of conditions that happen in the network where your traffic may not flow as expected; it will make sure to notify you what's going on.

So what's the basic assumption of ICMP abuse? I want to make a kind of introduction before we dive deeper into the ICMP abuse. The difference between the upper and the lower part of the slide, or the protocols, is: no protocol-inherent authentication. So we have examples where you can perform various attacks and where protocols operate regularly and they do not impose any type of authentication. For example, ARP poisoning, right? So Address Resolution Protocol, that maps your IP address against the hardware address: you can inject, poison, change the entries in that table without any authentication. SMTP abuse, Simple Mail Transfer Protocol, is exactly the same. So you probably know that you can connect directly to the SMTP port and then you would be able to use various commands; like in the early days you could verify whether the email address is valid or not for the SMTP. You can even compose and send those emails, and all that without authentication. Then DHCP IP allocation, the same thing: you have a DHCP client on your laptop, you connect to your network, you get the IP address, all good. The problem is there is no inherent authentication in this protocol, so that means, in other words, that you may inject arbitrary payload into the DHCP packets. So you might wonder, so what? Well, in one of the presentations I had last year I actually demonstrated the capability that if your network is configured to allow allocation of IP addresses only to a certain type of devices, for example your Windows clients that are equipped with the digitally signed certificate issued by your company, right, so it checks whether this is okay, and if not then you're not getting the IP address; so what was possible to do was to construct the payload for the DHCP request such that it masqueraded the identity of the client. So for example I had the script running on Linux and then I injected the signature of a Windows client or HP LaserJet printer or Cisco AP access point, and then I was able to actually disguise as a different type of client. BGP routing protocol, the same: it has no inherent authentication. Now there is an MD5-based authentication option, but it's not the inherent feature of the protocol of the application layer; it's imposed by the lower layers of the OSI model. So the first group are some of the examples of the protocols that do not use authentication, hence their exploitation is kind of easier than the second group.

So the second group is 802.1X, POP3, HTTPS, SSH, Telnet, FTP. All of those protocols require some form of authentication. Like 802.1X, again, maybe for those not familiar with the acronym, is the protocol that will verify the identity of your client, not only identity, some other features too, before it's allowed to access the network. So the idea is someone comes with the wrong laptop, plugs it into your corporate network and he gets the IP address and can do whatever he wants? No: 802.1X will make sure, okay, there is a specific type of device, there is a digital certificate issued by your company, and so on. POP3 is the protocol that downloads your email messages into your inbox, and again it requires authentication to identify the owner of the inbox. HTTPS, I'm not wasting my words on that; you all know e-banking, shopping, all those sites require some kind of authentication. Again, SSH, Telnet, FTP: even the old, ancient ones like Telnet and FTP still require authentication.

So having understood that, let's just briefly outline the difference, or the similarities, between ICMP version 6 and version 4 message types. Maybe it wasn't clear: v4 and v6 refer to the IP addresses, like IP version 4 and IPv6, but essentially, if we abstract some low-level technical details, ICMP version 4 and 6 are the same or very similar in terms of their common functionality. So both protocols must be able to handle certain conditions that occur in the network and give you a proper error message. So let's see what the ICMPv6 message types are. Briefly said, ICMP message types are specific messages that are designated to deal with a specific condition in the network. So there's a long list, right; it's not exhaustive, you can have a look at its complete description at this URL. The two that we will be talking about today are the Router Advertisement and Redirect messages, but you will recognize some others that are well known, like Echo Request, Echo Reply, Packet Too Big, Time Exceeded and so on. So each one of these is able to manage a specific condition.

So let's see now the difference between legitimate use and abuse of the protocols. Legitimate use is when your network device or devices announce an issue with the network congestion and require that the network traffic is routed via an alternative IP address; now that obviously is a legitimate IP address, your router, whatever. The abuse happens when the attacker inserts a rogue device that constructs the network redirect packets via the attacker's device. Now this is a bit complicated, so let me just clarify this last sentence. So the rogue device is the attacker's device that he possesses and inserts somewhere into the network. "Constructs", what does it mean? Constructs means that we are building the packet from scratch; that means we are using the tools that allow us to change each single header of the packet, thus allowing us to change its parameters according to our needs. And then finally the result of those packets will be redirection of the traffic via the attacker's device. So the typical scenario looks like this: the client wants to load google.com; it sends its packet to a default gateway, which normally forwards the packets to the internet and loads the desired site. However, in a legitimate case of a network problem, the default gateway responds with "well, you know what, I cannot process your traffic, please use the alternative gateway", and then via an ICMP message that instructs the user to redirect the traffic, the network stack will do that automatically and send the packets via the alternative gateway.

Now, the two attacks that we're going to talk about are ICMP redirect and router discovery protocol. I'm not talking about any kinds of floods or denial of service. So the ICMP redirect is when the gateway is no longer the best route, so it sends a message telling you, you know what, use the alternative route or the alternative IP address. Now, when abusing this, another gateway, this alternative route, is actually the attacker-controlled device. So to make it more graphical, you have the router on the upper right corner that injects the payload, the ICMP redirect message, into the victim, and as a result the victim redirects all of its traffic through the attacker-controlled device. Now in this case you see the router and the laptop being two separate devices; this is not a restriction or requirement of the attack, you can have one device serving both roles. So the example would be you deploy Linux with your attacking scripts that inject the traffic, and you run some kind of network monitor to capture the traffic. The other attack, router discovery or advertisement message, is very straightforward: that essentially means that the attacker will inject the specific route into the victim's local routing table.

So the design of the attacks. The first one is the easier one to understand: the attacker will simply inject the arbitrary IPv6 route. I called it "dead beef" just because it's simple to remember and to notice in various artifacts. So this route gets injected into the victim host, and now the victim host can actually reach the desired route, or the desired IP addresses, via the attacker. So let's see a little bit of the mechanics of the attack. On the right-hand side you have actually the packet that causes this injection: it's the Router Advertisement, that's a specific ICMP message type; you can see in the other rectangle that it has its ID 134, so it's one of those ICMP messages we were talking about. And then at the bottom of the right-hand side you see the prefix; that's actually the payload that is contained in the Router Advertisement. This essentially says "hey, you know what, inject the route for dead beef", and that's it. On the left-hand side you simply inspect the local routing table of the Linux host and you will see this route gets happily injected, and it says the dead beef is reachable via the IPv6 address of your attacking device on the right-hand side. I'm not going to bother you a lot with the theory around the packet structure. I'm just going to say this: we are using the ICMPv6 options, the lower part of the packet, that actually specifies our payload. So it's this one here, this prefix; you see it belongs to the ICMPv6 option paragraph. The rest of the explanations about the packet you can find here, but we're not going into this now. Let me clarify this kind of ugly construct, kind of cryptic stuff. So it's a construct that was made in Scapy. Scapy is a network library that is used in conjunction with Python, and one of its features is the capability to construct the packet from scratch; that means you can change and alter every single part of the packet, including layer 3, layer 2 headers and so on. So what this means is we're generating the ICMPv6, we know that, and this stands for network discovery, it's a subset of the functionality, and RA is Router Advertisement, and then the next payload is RouteInfo. RouteInfo is a specific message type in the Router Advertisement that does our injection, and you see the prefix, which is our route that we inject.

So the examples were tried with various operating systems; I was just experimenting to see if the vulnerability is actually applicable to all of them. This is again the same attack but a different variation, so I changed the prefix and I launched the attack against Windows this time. I think this one shows Windows 2019. So again the same thing: you see the route being injected into the local table with the same payload. So essentially we can confirm at this stage that both Linux and Windows servers are vulnerable to this same attack, or the same concept. So why, or what exactly is the root cause? On Windows there is this feature called router discovery; it's one of the attributes assigned to the interface, and by default it's enabled.

The root cause in Linux is essentially the same; it's just labeled differently. We will be explaining those parameters a little bit later when I'm going to talk about what you can do to prevent the attacks, but essentially those, maybe not very intuitive, underlying "ra" stands for router advertisement, and as you might imagine, or as you might know, 1 would be representing the feature that's enabled, whereas 0 would show that the same feature is disabled. Okay, so I'm just going to explain the two combined attacks and their logic, so bear with me with this one; it looks ugly but it's actually not. So the right-hand side is the attacker's side, the left-hand side is the victim server. So in my concrete example I had this router on the upper right corner, which was mimicked by Kali. Kali is a Linux platform designed for pen testers, but you could actually do the same with any other Linux or even Windows. And the Windows 10 is a different device, but as I said in the beginning, you can perform the same attacks by having both the router and this device at the end being the same device. So we started by Kali injecting the dead beef route into the Windows, or any other things that I tried, and then essentially the result is, if you ping or try to access anything in the dead beef route range, the request would be simply forwarded to your attacking device that injected the route. So that essentially concludes the first attack.

Now, the second phase: I superimposed another script that injects the ICMP redirect packets into the victim. So what this will do is it will tell the victim, you know what, when you're sending traffic to your dead beef stuff, you're no longer sending it to your Kali device, or let's say the legitimate device that you would in normal circumstances have, but rather you will redirect the whole traffic through the attacker, in this case the Windows 10 client. As a result of that, any traffic that's initiated on the victim server, be it FTP, web, SSH, ping, will actually be redirected through the attacker's device. Now obviously the choice of what you're going to do with the scenario is yours: you can simply inspect the traffic and then capture potentially sensitive data, or you may alter the traffic, and you can simply put it into /dev/null and cause denial of service. The one kind of dangerous scenario is where you have configured the attacker device to forward this traffic even further to the legitimate device, so the user, the victim, doesn't have a feeling that anything is wrong, but then you're tunneling all the traffic through your device and do with it whatever you want.

So again, just a little bit of lower details around ICMP redirect. Essentially we choose or define the IPv6 address that we want to use as our attacker's device, and we define that in the "tgt", which stands for target, essentially telling the traffic: you know what, all the traffic destined for "destination" should actually be redirected to the target. So again, just to outline the setup: Windows 10 is the target in our case, and destination is the dead beef; the traffic destined for dead beef is redirected through the attacker. Now, this slide just shows you the structure of the packet again. The important thing is you see the type of the message, which is Redirect; you also see that that type has its specific ID, and the two important parameters that we are using, actually abusing, are the target address, which represents our device that's intercepting the traffic, and the destination address, which is actually the aimed, legitimate destination. Again, not going too deep into the structure here, so you recognize the target and destination address; these are the two fields that I was using, and that was enough to complete those attacks. There are some other options in the lower ICMPv6 options layer, but I did not touch this at all.

So if you want to find out more about specific features or specific attributes of the packets that you might want to misuse, I recommend you loading the RFC. It's a pretty long document, but on the other hand you get very nice and clear explanations of what exactly the target address is, what is the destination address. I know from my own experience, I couldn't figure out the difference when I first read that: target, destination, it's the same? Well, it's not. And then each message with a specific type is described, so I highly recommend that stuff if you want to dig in deeper.

This one is actually the complete reconstruction of the attack, so among all those entries only the red ones are important. So the thing, as we mentioned, started by injecting the route into the victim on the left-hand side. So when the victim sends a ping, in this example ping to this specific route that was injected, it gets redirected to the Kali, which imitates our legitimate router. So what Kali does is it will send the messages to cause redirection of the traffic through the IP address of our choice, which is our Windows 10 attacker's machine, and then as a result any further traffic that's initiated from the victim will no longer go to the original destination of the dead beef but will rather be redirected to our Windows 10 attacking stuff. So you'll see here the initial SYN packet of the FTP connection, so it's port 21, right, that was initiated by the victim, that ended up on Windows 10. So this network capture is running on our Windows 10.

And after trying to make sense of that behavior, I wasn't sure at this point if things are really meant to work this way, because on one hand I understand this is the legitimate capability of the protocol, so the protocol, and hosts that are processing those messages, must be able to respond to changing conditions in the network. On the other hand, it's pretty trivial to kind of abuse it: you just construct the packet, you have no authentication, you send the packet and it gets injected and processed by the destination operating system. So I contacted Microsoft to see what's their view, and as you can see they said, look, there's no flaw, it's a legitimate design. So on one hand I understand this response, it makes sense; on the other hand it still leaves us with a relatively large attack surface against the operating systems that have that enabled.

So the summary is actually about the suggestions that I can give you how you can mitigate those attacks. We identified the root cause: that the default setting allows the acceptance of the redirect messages and of the router advertisement messages as well. So one obvious mitigation is disable ICMP redirect messages. There are kernel parameters in both operating systems how you can do that. So I'm giving you the information about IPv4 even though IPv4 wasn't in the scope, but just to kind of outline the similarities how you will mitigate that. So you will essentially change those parameters and you will reset them to zero, meaning that the operating system won't accept those. In Windows it's essentially the same; it's just a different way how you do it. There is an alternative: if you, for whatever reason, have no possibility or access to the operating systems to block that, you can use your firewalls, intrusion detection or other networking devices to block that. So it's most likely that you will only need ICMP echo and reply, because from my experience, in most of the cases when you ask people why do you allow ICMP, the people will respond, well, we need it for diagnostic purposes, to see if hosts are alive. So you then ask the question, like, you mean ping, echo reply? Yeah, that's the one. But do you need to detect if the packets are excessive in size or something like that? No, no, no. So if your business case scenario is that you require ICMP only to check whether hosts are alive, fair enough, but allow only ICMP echo and reply. ICMP is far more than just those two messages. So I just did a quick check with Cisco and Juniper, with their recent OSes, and they both have this feature enabled. So that brings us to the conclusion that there are a number of networking devices with enabled redirection features, but you also have a number of operating systems that enable that, so you end up with a huge pile of devices that enable that, which kind of extends the attack surface and the probability that someone can abuse that.

[Music]

Yeah, the question is whether you need this capability with your OSes. If you're using the routing engine capabilities of the operating system, then probably you need that, but in most cases I've seen in real life they don't require that, so you should be okay with only ICMP echo and reply. That actually brings me to the end of the presentation. Thanks for your time, I hope you didn't fall asleep. Any questions? Do we have any questions? Yep, I see one.

You may have partly already answered this question, but the really obvious question is: why is this feature enabled by default?

It's a good question. I presume the reason why they have ICMP redirect enabled is that this is the legitimate feature of legitimate routing devices, right? So a router can at any time say, you know, I'm congested, you need to forward the traffic via the alternative gateway, and then if your operating systems are not able to process that message they will keep pushing packets into the wrong path. Now, in my humble opinion, and I emphasize that, in my humble opinion, this scenario is a little bit obsolete, because honestly I haven't seen a business scenario where this network redirect would have any legitimate purpose. These days you have high availability gateways, you have all kinds of load balancers, alternative paths, routing protocols able to deal with multiple routes, so if one gateway doesn't work, the other node of the same routing device will take over, will choose an alternative path, and so on. So again, in my humble opinion, I think this is not really a frequent scenario and I would think those features should be disabled by default. But anyway, the interesting stuff was that Linux providers and Microsoft had the same idea that it should be enabled, so there must be a good reason for that; I just kind of don't get it. Totally agree with you, thank you. Thanks.

Okay, that looks like it. Ivica, thank you very much. Thank you, guys.

That completes the afternoon, or mid-afternoon, sessions, so it's now break time. I believe we'll recommence just after 15:50. Okay, thanks.
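The talk shows the two messages from the attacker's side (a Scapy-built Router Advertisement carrying a RouteInfo prefix, and a Redirect with target and destination addresses) and recommends blocking them at the host or with network monitoring. As an added example, not code from the talk or its author, here is the defender's counterpart: a pure-Python decoder for ICMPv6 type 134 and 137 messages that flags a RouteInfo prefix outside what the site expects and a Redirect whose target is not a known router. The sample packets, the router allowlist (fe80::1), the expected prefix (2001:db8::/32), the made-up interceptor address fe80::bad and the /64 length on dead:beef:: are all assumptions constructed for the example.

```python
"""Added example (not from the talk): decode ICMPv6 Router Advertisement (134)
and Redirect (137) messages from raw bytes and flag route injection via a
Route Information option and redirection to an unknown target. Pure Python,
no Scapy. All sample packets, addresses and prefixes below are constructed."""
import ipaddress
import struct

ICMPV6_RA = 134          # Router Advertisement (RFC 4861 section 4.2)
ICMPV6_REDIRECT = 137    # Redirect (RFC 4861 section 4.5)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 section 4.6.2)
OPT_ROUTE_INFO = 24      # Route Information option (RFC 4191 section 2.3)


def parse_nd_options(data):
    """Split Neighbor Discovery TLV options; the length field counts 8-octet units."""
    opts, pos = [], 0
    while pos + 2 <= len(data):
        otype, olen = data[pos], data[pos + 1]
        if olen == 0:                        # RFC 4861: zero length must be rejected
            raise ValueError("zero-length ND option")
        end = pos + olen * 8
        if end > len(data):
            raise ValueError("truncated ND option")
        opts.append((otype, data[pos + 2:end]))
        pos = end
    return opts


def parse_icmpv6(pkt):
    """Describe an RA or Redirect message; return None for any other ICMPv6 type."""
    if len(pkt) < 4:
        raise ValueError("short ICMPv6 header")
    if pkt[0] == ICMPV6_RA:
        if len(pkt) < 16:
            raise ValueError("short Router Advertisement")
        _hop_limit, _flags, lifetime = struct.unpack("!BBH", pkt[4:8])
        routes = []
        for otype, body in parse_nd_options(pkt[16:]):
            if otype == OPT_ROUTE_INFO:
                # body: prefix len, pref flags, lifetime(4), prefix (0, 8 or 16 octets)
                prefix = body[6:] + bytes(16 - len(body[6:]))
                routes.append(ipaddress.IPv6Network((prefix, body[0]), strict=False))
            elif otype == OPT_PREFIX_INFO:
                # body: prefix len, L/A flags, valid(4), preferred(4), reserved(4), prefix(16)
                routes.append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        return {"type": "ra", "router_lifetime": lifetime, "routes": routes}
    if pkt[0] == ICMPV6_REDIRECT:
        if len(pkt) < 40:
            raise ValueError("short Redirect")
        return {"type": "redirect",
                "target": ipaddress.IPv6Address(pkt[8:24]),
                "destination": ipaddress.IPv6Address(pkt[24:40])}
    return None


def assess(src, pkt, known_routers, expected_prefixes):
    """Return alert strings for one ICMPv6 message received from link-local src."""
    msg = parse_icmpv6(pkt)
    if msg is None:
        return []
    src = ipaddress.IPv6Address(src)
    alerts = []
    if src not in known_routers:             # cheap check; a spoofed source evades it
        alerts.append(f"{msg['type']} from unlisted router {src}")
    if msg["type"] == "ra":
        for net in msg["routes"]:            # content check; survives source spoofing
            if not any(net.subnet_of(p) for p in expected_prefixes):
                alerts.append(f"RA from {src} injects unexpected route {net}")
    elif msg["target"] != msg["destination"] and msg["target"] not in known_routers:
        # RFC 4861: target is either the destination itself (on-link) or a router
        alerts.append(f"redirect from {src} steers {msg['destination']} via {msg['target']}")
    return alerts


# Constructed samples with zeroed checksums; fe80::bad is a made-up interceptor.
SAMPLE_RA = (bytes([ICMPV6_RA, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
             + bytes([OPT_ROUTE_INFO, 2, 64, 0]) + struct.pack("!I", 3600)
             + bytes.fromhex("deadbeef00000000"))          # dead:beef::/64
SAMPLE_REDIRECT = (bytes([ICMPV6_REDIRECT, 0, 0, 0]) + bytes(4)
                   + ipaddress.IPv6Address("fe80::bad").packed      # target
                   + ipaddress.IPv6Address("dead:beef::1").packed)  # destination
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = [ipaddress.IPv6Network("2001:db8::/32")]
```

Feed `assess` the ICMPv6 payload (everything after the IPv6 header) and the packet's source address from whatever capture tool you already run; the two sample packets each produce one alert even when they arrive from the allowlisted router, which is the case the talk demonstrates.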