
After lunch, so this may be a sleepy session. The first thing you might notice is: why bother with IPv6 discovery at all? "I can't worry about this, I've got other things to attend to." I'd argue it matters for defenders' networks as much as for attackers scanning from the outside. Even if your perimeter isn't passing v6 out, this traffic can be happening inside, and a passive signal grabber on the segment can see it. So it can be active even if you don't think you have a use case, and you should be aware of the possible ways someone can discover information about your systems. A little bit more about why: IPv6 is enabled by default on local segments, even if you're not supposed to be using it. If you get a router advertisement and the device is v6-capable, it's going to request a v6 address, and if your provider's router is able to give it one, it will. So your device, or somebody's device, may be accessible and they may not know about it. Cloud providers are making it easier; it's a check box, and depending on the provider, some people are just enabling it. There's a reasonable probability of similar security on the v6 side, but a lot of the devices out there don't necessarily have it. Maybe it's better than before, but it's less familiar territory. Host inventory is important. IPv6 traceroute is still traceroute; the command is a little different (traceroute6), and you're still getting ICMP-layer information. It's still the same at that layer; it's just the IP layer, or anything that's extracting packets or dealing directly with the IP layer, that needs to change.

What's neat about the address space: instead of dots between the segments you've got colons, and instead of 8 bits you've got 16 bits per segment, so the addresses are much larger. If you're a business and you need a block, a service provider in a lot of cases is going to give you a /48, which is 80 bits of address space that you can divide up; that's a lot of IP addresses, so the need for NAT is essentially reduced. It's not all /48s: a /56 is fairly common as well, 72 bits, and a /64 is the generally recommended minimum allocation. The recommendation from the regional registries is that if there's only going to be a single subnet at a site, they assign a /64. Not all providers are doing that, some may assign somewhat less than that, but even on a cable modem you're going to have plenty of addresses. There's a new address discovery mechanism: ARP is not part of IPv6, it's neighbor discovery. And there are link-local versus global addresses; link-local addresses are only used on the local segment.
BGP, DNS mining, ARP table monitoring: these are all common ways to do host discovery today, plus discovery commands like nbtstat and net, and the list goes on. What's the same is really most of it; most of your host discovery mechanisms will still work, except for just scanning, and we'll talk more about that later. I've mentioned this a little bit: a v6-enabled machine is always going to have a v6 address, a link-local one. It's used for address auto-assignment, neighbor discovery, and some other things. Even your router probably isn't going to see most of this segment traffic, because it doesn't really need to know that two machines on the segment are talking to each other; they're doing discovery among themselves. This can facilitate silent hosts that never talk outside the segment. The normal use case for this is containers: a container may only be talking to applications that live on that segment, patching doesn't happen directly to the containers, you patch the host, so it may never actually need to talk outside the segment. That's a normal use case, but it's also a technique used by a malicious or compromised host, so be aware of that local-only traffic; it's becoming more common. A lot of times flow collection is done at layer 3 boundaries, the router or gateway or whatever you want to call it, and because of all this local traffic and the local-only IP addresses there can be a lot of traffic that you're not going to be seeing there. So instead of doing it at a layer 3 boundary you'd really need to do it at basically every single switch. sFlow is a protocol for switches that's going to give you some visibility, and there may be something along those lines worth considering. You may also want to consider a host firewall rule, which is pretty common for local broadcasts. I've seen opening up broadcast result in service degradation and DoS, so it's similar here with multicast, where there are more things that address every subscriber.
NDP replaces ARP for v6, and there's a potential for neighbor-table exhaustion: 2^64 hosts per subnet with the expanded address space of IPv6, so you can potentially have a much larger number of theoretical interface IDs. On Linux, if you want to look at your v6 neighbors, there's a slightly different command: ip -6 neigh show. And an NDP monitor, if you want another tool to look at what's going on, is a neat thing to have. Maybe your client, or whoever, hasn't updated their v6 awareness. A few things from the attacker perspective still work: DNS, finding stuff via DNS works; search engines, there's actually support for that, Google and the like; application analysis, what the application is doing at the code level; and again traceroute, expanding out from there; BGP and WHOIS for that kind of host or subnet-level discovery. We just touched on a lot of information about the applications and what IP ranges organizations have; that still works. Generally most things above the IP layer are still a source of information today. The change is for just scanning, so that's a common thread: scanning needs to be informed by research and reconnaissance from an external perspective. You may have authorization to scan the network, but once you're inside the network, research and reconnaissance become more important, because the space is more difficult to cover just by brute force, and finding ways to use the data from your reconnaissance quickly and effectively to improve your scanning process keeps the scanning manageable. The broad address space in your /64, 64 bits of address space, you're probably not going to scan all of that, so bring in data from other sources. As I've suggested, a lot of the current techniques, if you're doing extensive reconnaissance and analysis as part of an engagement, still work; that information is becoming more important. A good v4 scan is important too, because just because v6 is available and might be fun to play with,
having a good v4 scan will help inform your v6 scan, and a lot of times they're going to line up. This is obviously going to be different per organization, and there are some shortcuts that people may use for addressing. Also, the subnets that are actually in use: you have to discover them. If somebody's got a device that's using your own address scheme, that's something to try.

Neighbor cache issues: I've mentioned this briefly. A /64 is the smallest subnet that gets assigned, and that's 2^64 potential neighbor mappings, and obviously no box can hold 2^64 potential neighbor mappings. So if that table fills up there's potential for a host to be up, but your scan misses it because the neighbor discovery table is full. That has some implications for scan rate: there's some extra incentive to parallelize your scan, understand the network you're scanning, and scan multiple subnets simultaneously. There is a potential for a denial of service: the device itself isn't going to go down, but other devices on that network may not be able to get their entries into the neighbor table, so they may not be able to get outside their segment for some period of time. Obviously an internal person trying to scan their own network to understand the host inventory doesn't want a DoS, and if you're coming from the outside you don't want to cause a DoS either, since that's an indication that something might be happening; packets not flowing generally isn't going to make a client happy unless it's a specific type of exercise. A little bit more detail on that: incomplete neighbor discovery entries are generally held for three seconds, so just running a quick calculation, if there's a 512-entry limit, that generally means you can scan about 170 unique IDs per second on that segment without busting the neighbor discovery cache. If the hold time is longer, just over five seconds, it's about a hundred. You can do the math; I'm not going to break it down, but again, controlling your scan rate becomes important: parallelizing your scans, reducing the subnet sizes, again to reduce the risk of busting the neighbor discovery table, which could actually make scanning a little easier. So that's something to keep an eye out for: there are some benefits today for an admin, but there are also benefits for attackers in having a broad address pool with hosts that are hard to find.

Gaining a foothold. When you start to scan, especially from the outside, you don't necessarily know a huge amount about the network, but there are some initial techniques you can use to start to get a foothold. Some of your hosts are going to be configured with addresses that are easy to remember: your routers, your DNS servers, and similar
servers, common fundamental infrastructure along those lines, are probably going to use addresses that are fairly easy for the administrators to remember and configure. A lot of these assignments only use the last byte, sometimes the last two bytes, so that gives you two buckets for the scan: 2^8, 256 hosts, or 2^16, 65,536 hosts; again, both very easy to scan. Quick examples: rather common router gateways for IPv6 are ::1 and ::254, and the all-ones last group is also becoming a common IP for routers and gateways. Then you've got single-character addresses, ::1 up to ::f, depending on how the admin was feeling. Some of my peers have made it the port number, so people may assign ::53 to their DNS server, easy to remember. Again, if people are doing this and you're only checking 1024 and below, 2^10, that's a thousand hosts; 2^16 is 65,000 ports, 65,000 hosts, again not very difficult to scan in a very reasonable amount of time. Because IPv6 addresses are hex, anybody gets the kind of reference in the corner, we can talk about that later, but it essentially leads to a lot of use of mnemonic devices to enhance ease of use. Some examples are hex strings like "feed" and a whole bunch of others; you're good at that if you're a firmware developer, these are common in that area. IPv4 can also be embedded, so a few quick details: they can take an IPv6 prefix and then just put the IPv4 address at the end of it. A quick example of breaking out a 172.16 network: you have a prefix, 2001:db8, and then the equivalent of 172.16.1.0/24, and that's repeated for both subnets handing out the addresses. If they're doing that, then that may reduce their effective IPv6 footprint to the same as their IPv4 footprint. So if they have a /24, that's not a lot of addresses to scan; a /16 is a really big IPv4 subnet, but still manageable.

Strategic randomization. One way to try to cover as much area as possible if you have a large address space is to say, OK, how many IP addresses can I scan in the amount of time that I have? I threw together a quick example: you can scan a million IPs in 24 hours, you've got five days to do the scan, that's five million IPs, so you can compute that number of random hosts. You could compute that number of IP addresses within a /48, a /56, or a /64 and just start scanning those. Obviously you're not going to find everything, but some people from CAIDA, the Center for Applied Internet Data Analysis, actually found that they could find somewhere between 50 and 30 percent of the hosts using this technique. So for this part, gaining a foothold, this is a good way to go. You can do similar things at the subnet level: break it up into subnets and hosts, and then figure out how many subnets you can do and how many hosts per subnet.

Branching out.
So once you've got a foothold, obviously you're probably not able to pull everything with IPv6, so you use what you've discovered as seeds: we know these hosts exist, and then you expand out. A simple mechanism for that would be just expanding by some plus/minus range: for every IP that you know is good, you scan plus/minus 10 hosts, plus/minus 100, based on what your scan capacity is, how quickly you can scan, and what the time period is. Using sequence completion: if you do a traceroute, you're going to have different hops along the way. A quick example: a couple of hops, one reads ...a, and then another one is ...b1; between a and b1 you've got a range of hex values. So you can say, well, we know things are here, we know things are there, and there's a pretty good chance that some addresses in the middle are also in use, so you can flag those as subnets to scan more deeply, or as hosts, a little more explicitly, and continue to branch out.

Auto-assignment schemes. IPv6 has a built-in IP address assignment; the default mechanism is stateless address autoconfiguration, essentially using IEEE IDs. We often think of those as MAC addresses, which is generally true; there's a little bit more behind it, but we don't need to get into those details. The default is to take the 48 bits and build a 64-bit identifier: the first 24 bits are based on the OUI, which is the MAC assignment that was made to the vendor; the next 16 bits are the fixed ff:fe pattern; then the next 24 bits are the low 24 bits of the MAC address, the least significant bits. So if you have a subnet you know is good, you know they're using IEEE IDs, and you know they've got a whole bunch of machines from a certain vendor, and you know what that vendor's OUI is, then that gives you 2^24 hosts at most, maybe 2^23, depending on some technical issues. If you want to know what the OUIs are, IEEE has all of those, because those are all applications to IEEE. Most importantly, the lower 24 bits are often not random: machines are bought in batches, deployed geographically, etc., although as machines change out, break, and get replaced, that correlation does reduce somewhat over time.
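The address-generation heuristics from the foothold, branching-out and auto-assignment parts of the talk, collected into one worked example. This is added code, not the speaker's and not from any tool the talk mentions; it uses only the Python standard library. The prefixes 2001:db8::/48 and 2001:db8:0:1::/64, the OUI 00:50:56 and the 172.16.1.0/30 block are constructed inputs, and the "dotted-decimal digits copied into hex groups" style of v4 embedding is an assumed admin shortcut alongside the binary one.

```python
import ipaddress
import random
from typing import Iterable, Iterator, List, Optional

IPv6 = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network


def low_byte_hosts(prefix: str, bits: int = 8) -> List[IPv6]:
    """Admin-picked addresses that only vary the last byte (bits=8: ::1..::ff)
    or the last two bytes (bits=16: ::1..::ffff)."""
    net = IPv6Net(prefix)
    return [net.network_address + i for i in range(1, 1 << bits)]


def port_number_hosts(prefix: str, ports: Iterable[int] = (22, 25, 53, 80, 443)) -> List[IPv6]:
    """'::53 for the DNS server': the service port's decimal digits written as hex digits."""
    net = IPv6Net(prefix)
    return [net.network_address + int(str(p), 16) for p in ports]


def v4_embedded_hosts(prefix: str, v4net: str) -> List[IPv6]:
    """IPv4 addresses carried inside the v6 prefix, in two styles (the second is an
    assumed shortcut): 172.16.1.0 -> 2001:db8::ac10:100 (binary in the low 32 bits)
    and 2001:db8::172:16:1:0 (dotted-decimal digits copied into four hex groups)."""
    net = IPv6Net(prefix)
    out: List[IPv6] = []
    for v4 in ipaddress.IPv4Network(v4net):
        out.append(net.network_address + int(v4))
        as_groups = 0
        for octet in str(v4).split("."):
            as_groups = (as_groups << 16) | int(octet, 16)
        out.append(net.network_address + as_groups)
    return out


def random_hosts(prefix: str, budget: int, seed: Optional[int] = None) -> List[IPv6]:
    """Uniform random sample of a large block, sized to the probe budget
    (the talk's 1M probes/day x 5 days = 5M addresses in a /48, /56 or /64)."""
    net = IPv6Net(prefix)
    rng = random.Random(seed)
    return [net.network_address + rng.getrandbits(128 - net.prefixlen) for _ in range(budget)]


def expand_around_seeds(seeds: Iterable[str], delta: int = 10) -> List[IPv6]:
    """Branching out: queue +/- delta around every confirmed host, staying inside its /64."""
    out = set()
    for s in seeds:
        seed = IPv6(s)
        segment = IPv6Net(f"{seed}/64", strict=False)
        for i in range(-delta, delta + 1):
            v = int(seed) + i
            if i != 0 and 0 <= v < (1 << 128) and IPv6(v) in segment:
                out.add(IPv6(v))
    return sorted(out)


def traceroute_gap_subnets(hops: Iterable[str], site_prefixlen: int = 48, cap: int = 256) -> List[IPv6Net]:
    """Sequence completion: two consecutive traceroute hops in the same site prefix
    (...:a::1 then ...:d::1) make the /64s strictly between them (b, c) worth a deeper
    look. cap bounds the output for hops that are far apart."""
    nets = [IPv6Net(f"{h}/64", strict=False) for h in hops]
    found: List[IPv6Net] = []
    for a, b in zip(nets, nets[1:]):
        site = IPv6Net(f"{a.network_address}/{site_prefixlen}", strict=False)
        if b.network_address not in site:
            continue
        lo, hi = sorted((int(a.network_address), int(b.network_address)))
        for x in range(lo + (1 << 64), hi, 1 << 64):
            if len(found) >= cap:
                break
            found.append(IPv6Net(f"{IPv6(x)}/64"))
    return found


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID: OUI (24 bits), ff:fe, low 24 bits of the MAC,
    with the universal/local bit (bit 1 of the first byte) flipped."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return int.from_bytes(bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:], "big")


def eui64_host(prefix64: str, mac: str) -> IPv6:
    """The SLAAC address a host with this MAC takes in the given /64."""
    net = IPv6Net(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs are 64 bits; pass a /64")
    return net.network_address + eui64_iid(mac)


def eui64_vendor_hosts(prefix64: str, oui: str, start: int = 0, count: int = 256) -> Iterator[IPv6]:
    """Walk the low 24 bits under one vendor OUI. Batch-bought machines cluster, so a
    window (start, count) around a known MAC beats brute-forcing all 2^24."""
    for low in range(start, start + count):
        mac = oui + ":" + ":".join(f"{b:02x}" for b in low.to_bytes(3, "big"))
        yield eui64_host(prefix64, mac)


if __name__ == "__main__":
    seg = "2001:db8:0:1::/64"  # constructed documentation prefix, as in the talk
    print(len(low_byte_hosts(seg)), "low-byte candidates")
    print([str(a) for a in port_number_hosts(seg, (53, 443))])
    print([str(a) for a in v4_embedded_hosts("2001:db8::/48", "172.16.1.0/30")][:2])
    print([str(a) for a in expand_around_seeds(["2001:db8:0:1::10"], 2)])
    print([str(n) for n in traceroute_gap_subnets(["2001:db8:0:a::1", "2001:db8:0:d::1"])])
    print(str(eui64_host(seg, "00:50:56:ab:cd:ef")))
    print(len(list(eui64_vendor_hosts(seg, "00:50:56", 0, 256))), "vendor candidates")
```

Each generator feeds the next stage the talk describes: the cheap lists (low byte, port number, embedded v4) and a random sample sized to the budget give the first hits, those hits become seeds for expand_around_seeds, traceroute output feeds traceroute_gap_subnets, and once a vendor OUI is known on a segment, eui64_vendor_hosts narrows 2^64 to a window of the 2^24 vendor space.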
Virtualization. Just like with physical hardware, there are MAC addresses that are assigned to the virtual systems. VMware has a few things that matter in particular: if there's an automatic MAC assignment from ESX and you happen to know the IP of an ESX server, you can reduce your scan for virtual machines on that host to 2^8, 256 potential hosts on that particular VM host. There are also manual MAC assignments, again using a different OUI, and a reduced range of the last 24 bits for some compatibility reasons with VMware; I don't need to go through all of these. Docker has a base of 02:42 plus the v4 address; Docker can override that and assign them manually, but then it doesn't do a duplicate MAC check for manually configured MACs. So most of the time you're looking at a 2^32-sized set of IPs to scan with Docker. Another thing to keep in mind: obviously there are privacy extensions for IPv6 SLAAC, which are becoming more and more common, so this will become less useful over time, but for now it's something worth keeping in mind in terms of informing your scans and being more effective. DHCP: anybody that's using DHCP, the admin is probably going to choose a narrow range of IPs per DHCP pool, and some servers still assign them sequentially, so that can be a
benefit. Takeaways: the expanded v6 space has some opportunities for both defenders, since it's a little easier to hide, and for attackers; full visibility of the network is probably not a given. There are some human and technical factors that mean v6 addresses are often not random. Some knowledge of the network topology becomes more important for reasonable host discovery. v6 research and reconnaissance also become more important, as does the ability to combine data from multiple tools: combining data from your research and your reconnaissance with network topology becomes more important. However, developing these capabilities will also benefit other capabilities within the organization. I think that's it. Any questions?

So the question was: do you think that DDoS attacks over IPv6 are going to go away because of the reduced ability to scan at high rates? I suspect probably not. All you need is one good scan to know what hosts are there, and to some extent all you need to know is what the router's IP is, and you can find that via traceroute. So if you can swamp their circuit then the DDoS is still effective even if it's not necessarily targeting a single host. There may be some change, although the larger address space also needs larger packets, so your amplification factor may have a small bump to it.

The IP ranges I used here are actually reserved ranges for documentation, for examples. But yeah, okay.
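The neighbor-cache arithmetic from the scan-rate part of the talk, turned into a scan scheduler as an added example. This is not part of the talk and not taken from any scanning tool the speaker mentions. It buckets candidate targets by /64 (the unit a neighbor cache is exhausted on), caps each segment at cache_limit / hold_s probes per second less a headroom margin, interleaves segments so the scanner as a whole still runs at full rate, and checks the resulting plan against a sliding window of hold_s seconds. The 512-entry limit and the 3 s and 5 s hold times are the talk's figures; the 2000 probes/s overall rate, the 10% headroom and the target list are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

IPv6 = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network


def max_rate_per_segment(cache_limit: int, hold_s: float, headroom: float = 0.1) -> float:
    """Each probe to an unused address leaves an INCOMPLETE neighbor entry on the last-hop
    router for about hold_s seconds, so one /64 can absorb roughly cache_limit / hold_s
    probes per second before the cache fills (512 / 3 s is about 170/s, 512 / 5 s about 100/s).
    headroom keeps a margin below the hard limit for the segment's legitimate traffic."""
    return cache_limit * (1.0 - headroom) / hold_s


def group_by_segment(targets) -> Dict[IPv6Net, Deque[IPv6]]:
    """Bucket targets by /64: that is the unit whose neighbor cache you can exhaust."""
    buckets: Dict[IPv6Net, Deque[IPv6]] = defaultdict(deque)
    for t in targets:
        addr = IPv6(t)
        buckets[IPv6Net(f"{addr}/64", strict=False)].append(addr)
    return buckets


def schedule_probes(targets, cache_limit: int = 512, hold_s: float = 3.0,
                    total_rate: float = 2000.0, headroom: float = 0.1) -> List[Tuple[float, IPv6]]:
    """Interleave segments: the scanner sends at total_rate overall, but no single /64 sees
    more than max_rate_per_segment(...) probes per second. Returns (send_time_s, address)."""
    seg_gap = 1.0 / max_rate_per_segment(cache_limit, hold_s, headroom)
    global_gap = 1.0 / total_rate
    queues = group_by_segment(targets)
    next_ok = {seg: 0.0 for seg in queues}   # earliest time each segment may be probed again
    clock, plan = 0.0, []
    while queues:
        seg = min(queues, key=next_ok.__getitem__)  # the segment that has waited longest
        t = max(clock, next_ok[seg])
        plan.append((t, queues[seg].popleft()))
        next_ok[seg] = t + seg_gap
        clock = t + global_gap
        if not queues[seg]:
            del queues[seg], next_ok[seg]
    return plan


def peak_probes_per_segment(plan, window_s: float) -> Dict[IPv6Net, int]:
    """Largest number of probes any /64 receives inside any window_s-long interval.
    With window_s = hold_s this is the number of INCOMPLETE entries the scan can have
    outstanding at once; it must stay under cache_limit."""
    times: Dict[IPv6Net, List[float]] = defaultdict(list)
    for t, addr in plan:
        times[IPv6Net(f"{addr}/64", strict=False)].append(t)
    peaks: Dict[IPv6Net, int] = {}
    for seg, ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i, start in enumerate(ts):
            while j < len(ts) and ts[j] - start < window_s:
                j += 1
            best = max(best, j - i)
        peaks[seg] = best
    return peaks


def demo_targets() -> List[str]:
    """Constructed sample: 600 candidates in one documentation /64 and 100 in another."""
    a = IPv6("2001:db8:0:1::")
    b = IPv6("2001:db8:0:2::")
    return [str(a + i) for i in range(1, 601)] + [str(b + i) for i in range(1, 101)]


if __name__ == "__main__":
    plan = schedule_probes(demo_targets())
    print(f"{len(plan)} probes over {plan[-1][0]:.2f} s")
    for seg, peak in peak_probes_per_segment(plan, 3.0).items():
        print(f"{seg}: at most {peak} probes in any 3 s window (limit 512)")
```

The plan is only as good as the two inputs you have to guess at, the router's cache limit and its INCOMPLETE hold time, so when scanning a network you do not own, start with a conservative headroom and confirm with peak_probes_per_segment that the outstanding-entry count stays well below the limit; the same check, run against a capture of inbound probe rates per /64, is what a defender would use to decide whether someone else's scan is about to fill a gateway's neighbor table.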