Monday 31 March 2014

IPv6 Header Manipulation Part 2

In our previous blog post we talked about the security issues with the IPv6 header that can be manipulated for multiple attacks. While these attacks may occur from time to time "in the wild", what really is a concern with header manipulation is fragmentation of the IPv6 header/packet. This is used to bypass firewalls / IDS or RA Guard on a switch. As you can see, this poses an even greater risk than the attacks explained in the previous post, which are either not a great threat in small numbers or, assuming you frequently update/upgrade your systems, simply don't work anymore. I will explain ways you can achieve a bypass via fragmentation.

Method 1: Fragmentation

This part is the base of all fragmentation bypasses. What is exploited is the way firewalls / IDS or RA Guard check an IPv6 packet. First of all, for routers that also work as a firewall (like in my test setups, where pfSense acts both as a router and as a firewall) or just routers in general: as long as the "Hop-by-Hop" Next Header is not specified, routers will not perform "deep" inspection of the packets. This means they will only look at the information needed from the IPv6 header to forward the packet, which is usually found in the first fragment unless specified otherwise. This of course makes it easy to "hide" malicious data in the other fragments (e.g. a spoofed RA).
Firewalls most commonly only look at the unfragmentable part of the packet and check that for any malicious intent. Another way is to spread the attack over multiple fragmented packets that seemingly look safe but, when reassembled by the destination host, make up a malicious packet. As you can see in Figure 1, a firewall will most likely only look at the unfragmentable part, so if an attack (like an RA) is put in the second fragment, it could go unnoticed.

Figure 1: Fragmentation. [1]
Method 2: Large Destination Header Option

Another method to try and bypass a firewall / RA Guard is by spoofing a large Destination Options header with more than 2kb of useless payload data, causing the packet to be split (fragmented). Firewalls will then usually only check the remainder of the Destination Options header payload in the next fragment, so a packet like an RA could be added there. Since this is a Destination Options header, routers should not inspect it, as it is only meant to be processed at the destination. An added "bonus" of this bypass is that, due to the large payload of the Destination Options header, you could inadvertently crash the firewall, since it should not have to process such a large option. This only happens with firewalls that have low resources / not a lot of processing power, or badly configured ones. Figure 2 shows how such a large destination header fragmentation works.
Figure 2: Large destination bypass [2]
Method 3: Hop-by-Hop Header Option

The third method is along the same lines as the second method, only this time it is done with a Hop-by-Hop Options header. You again craft a Hop-by-Hop option that is too large to fit in one packet, so that it is fragmented. In the second packet you then add an RA (for your attack) after the fragmented Hop-by-Hop option. Again, routers will only look at the Hop-by-Hop information in the second fragment and will not see the RA that follows the option. I refer back to Figure 2 for this bypass, as the only thing that changes is the Destination Options header being replaced by the Hop-by-Hop Options header.
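All three methods share one property: in the first fragment, the extension-header chain never reaches the upper-layer header (the ICMPv6 RA lives in a later fragment), or the RA is carried in a fragmented packet at all. RFC 7112 requires that the first fragment contain the whole header chain up to and including the upper-layer header, and RFC 6980 forbids fragmented Neighbor Discovery messages (RS/RA/NS/NA/Redirect), so a firewall or RA Guard that enforces those two rules on the first fragment catches the pattern without reassembly. The following checker is an added example, not code from the original post or from the THC IPv6 Toolkit; the 256-byte extension-header policy limit, the packet builders and the sample packets are constructed assumptions for the demonstration.

```python
"""Added example: first-fragment header-chain check (RFC 7112 / RFC 6980)."""
import struct
from ipaddress import IPv6Address

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_TCP, NH_UDP, NH_ICMPV6 = 6, 17, 58
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}
# Bytes of the upper-layer header that must be present in the first fragment.
UPPER_LAYER_MIN_LEN = {NH_ICMPV6: 4, NH_UDP: 8, NH_TCP: 20}
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 6980)


def check_first_fragment(pkt: bytes, max_ext_len: int = 256):
    """Classify one IPv6 packet: ('pass'|'drop'|'defer', reason).

    max_ext_len is an assumed local policy limit on a single extension header;
    a valid header can declare up to 2048 bytes, which is what the large
    Destination Options / Hop-by-Hop bypasses rely on.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = IPV6_HDR_LEN + payload_len
    if end > len(pkt):
        return "drop", "payload length exceeds captured bytes"

    off = IPV6_HDR_LEN
    fragmented = False
    while nh in EXT_HEADERS:
        if off + 8 > end:
            return "drop", "extension header %d truncated in first fragment" % nh
        next_nh = pkt[off]  # every extension header starts with Next Header
        if nh == NH_HOPOPTS and off != IPV6_HDR_LEN:
            return "drop", "Hop-by-Hop header not directly after the IPv6 header"
        if nh == NH_FRAGMENT:
            hlen = 8
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return "defer", "non-initial fragment; check after reassembly"
            fragmented = True
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first 8
            if hlen > max_ext_len:
                return "drop", "extension header %d is %d bytes, above policy limit" % (nh, hlen)
            if off + hlen > end:
                return "drop", "extension header %d (%d bytes) does not fit in first fragment (RFC 7112)" % (nh, hlen)
        off += hlen
        nh = next_nh

    # Chain ended: the upper-layer header itself must also be in this fragment.
    if off + UPPER_LAYER_MIN_LEN.get(nh, 0) > end:
        return "drop", "upper-layer header %d not in first fragment (RFC 7112)" % nh
    if fragmented and nh == NH_ICMPV6 and pkt[off] in ND_TYPES:
        return "drop", "fragmented Neighbor Discovery message type %d (RFC 6980)" % pkt[off]
    return "pass", "header chain complete in first fragment"


# --- constructed sample packets (builders are part of this example, not real traffic) ---
def _ipv6(next_header: int, payload: bytes) -> bytes:
    """IPv6 header fe80::1 -> ff02::1, hop limit 255, followed by payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
            + IPv6Address("fe80::1").packed + IPv6Address("ff02::1").packed + payload)


def _fragment_header(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


SAMPLES = {
    # Plain ICMPv6 echo request, no extension headers.
    "echo": _ipv6(NH_ICMPV6, bytes([128, 0, 0, 0, 0, 1, 0, 1])),
    # First fragment whose Destination Options header declares 32 bytes but only 16 are present:
    # the shape of Methods 1-3, where the real upper-layer header sits in a later fragment.
    "split_dstopts": _ipv6(NH_FRAGMENT, _fragment_header(NH_DSTOPTS, 0, True)
                           + bytes([NH_ICMPV6, 3]) + bytes(14)),
    # Hop-by-Hop header placed after the Fragment header (inside the fragmentable part).
    "misplaced_hopopts": _ipv6(NH_FRAGMENT, _fragment_header(NH_HOPOPTS, 0, True)
                               + bytes([NH_ICMPV6, 0]) + bytes(6) + bytes([128, 0, 0, 0])),
    # Chain reaches ICMPv6, but it is a Router Advertisement (type 134) inside a fragment.
    "fragmented_ra": _ipv6(NH_FRAGMENT, _fragment_header(NH_ICMPV6, 0, True)
                           + bytes([134, 0]) + bytes(14)),
    # A non-initial fragment carries no header chain to check.
    "later_fragment": _ipv6(NH_FRAGMENT, _fragment_header(NH_ICMPV6, 2, False) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-18s %-6s %s" % (name, *check_first_fragment(pkt)))
```

The checker walks only the bytes of the packet in hand, so it is cheap enough to run on every first fragment; the overlapping-fragment and cross-fragment reassembly cases still need reassembly state, which this example deliberately leaves out.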

Conclusion

As you can see, there are a few ways you can try to bypass staple IPv6 network security devices like firewalls and RA Guard. The reason I discussed multiple variations of essentially the same concept is that some firewalls protect against some attacks, and some routers protect against others. E.g. if you test this bypass on your firewall but you let the fragments overlap, this will almost certainly be picked up by any modern / updated firewall, whereas if you use the large Destination Options header bypass instead, the attack might still work. In general, a lot of these bypasses can be caught if you use deep packet inspection, but it is worth considering that this of course slows down traffic into your network significantly, and a complex, well-constructed packet could still get through.
There are other ways you could try to spoof the packets into fragmentation with different payloads, different options, etc. These three are the most easily tested, since they are included in the THC IPv6 Toolkit as options in various attacks.

