security of ipv6 and dnssec for penetration testers
play

Security of IPv6 and DNSSEC for penetration testers Vesselin - PowerPoint PPT Presentation

Dec 29, 2022 •275 likes •625 views

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

  1. Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011

  2. Agenda ● Introduction ● DNSSEC security ● IPv6 security ● Conclusion ● Questions Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 2 of 33

  3. Introduction ● DNSSEC was developed to fix security vulnerabilities of DNS. – DNSSEC solves them by introducing signatures ● IPv4 address pool is exhausted. – IPv6 has a much larger address space. ● Companies and ISP are switching to Ipv6. ● These protocols are still not fully researched. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 3 of 33

  4. Research questions What are the security issues of IPv6 and DNSSEC and how to perform penetration tests in order to identify them ? ● Are the issues new or were present before ? ● Are there issues during the IPv6 transition period ? ● What tools can be used for performing penetration tests ? ● How to perform tests on the large IPv6 scopes ? Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 4 of 33

  5. DNSSEC security Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 5 of 33

  6. DNSSEC security issues ● DNSSEC zone walking ● DNSSEC implementation issues ● DNS DoS amplification attack – DNSSEC has larger RRs Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 6 of 33

  7. DNSSEC zone walking (1/2) ● NSEC RR are used to provide authenticated denial of existence for DNS data. – NSEC RR of a domain contain the name of the next domain in the DNS zone. – NSEC RR form a chain which can be used to enumerate domains by “walking” the chain. ● NSEC3 RR was developed to fix the problem. – NSEC3 uses hashes of the domains in the zone. – Hashes can be brute-forced. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 7 of 33

  8. DNSSEC zone walking (2/2) smtp.ipv6.os3.nl. 3600 INNSEC sunni.ipv6.os3.nl. AAAA NSEC RRSIG sunni.ipv6.os3.nl. 3600 INNSEC tummi.ipv6.os3.nl. AAAA NSEC RRSIG tummi.ipv6.os3.nl. 3600 INNSEC vpnsmurf.ipv6.os3.nl. AAAA NSEC RRSIG Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 8 of 33

  9. DNSSEC implementation issues ● Most of the vulnerabilities related to DNSSEC are bugs in the implementations. – They can result in: ● cache poisoning ● DoS – These vulnerabilities can also apply to DNS. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 9 of 33

  10. DNSSEC penetration testing tools Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 10 of 33

  11. DNSSEC penetration testing tools ● Nmap – offers “zone walking” feature ● Nessus – detects implementation specific issues ● OpenVAS – detects implementation specific issues using plugins ● Dig – can query for DNSSEC RRs and validate DNSSEC Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 11 of 33

  12. IPv6 security Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 12 of 33

  13. IPv6 security issues ● Neighbor Discovery Protocol – NS / NA spoofing – comparable to ARP spoofing in IPv4 – RS / RA spoofing – comparable to rogue DHCP server on IPv4 – ... ● Routing header type 0 ● Implementations ● Transition techniques ● IPv6 smurfing ● Low awareness of IPv6 autoconfiguration Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 13 of 33

  14. Neighbor Discovery Protocol ● NDP uses ICMPv6 packets to performs functions similar to ARP in IPv4. ● No authentication mechanism built into ICMPv6, allowing packets to be spoofed. ● Spoofed packets can cause redirection of traffic and DoS. ● These vulnerabilities are limited to the local network. ● Most of the NDP attacks are implemented by Van Hauser in the IPv6 attack toolkit. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 14 of 33

  15. NDP host redirection spoofing (1/2) ● Redirection is used by a router to inform a host of a better route to a particular destination. ● The NDP redirect has a security mechanism: – A copy of the packet causing the redirection must be included in the NDP redirect message. ● What if the attacker can cause the victim to send a predictable message ? Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 15 of 33

  16. NDP host redirection spoofing (2/2) 1 . The Attacker sends to the Victim an ICMPv6 echo request, with spoofed source address claiming to be originating from the router. 2. The Victim replies to the router with ICMPv6 echo reply. 3. The Attacker knows that the Victim is going to reply and can use the reply message to craft the NDP redirect packet, which advertises the Attacker as a better route to the Router. 4. Now all the traffic which is going from the Victim to the Router goes to the Attacker. The Attacker can sniff the packets and redirect them to the Router in order to stay unnoticed. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 16 of 33

  17. Duplicate Address Detection attack ● In IPv6 network it is not allowed the same IP address to be shared by several host. ● A host must verify if an IP is free before using it. – The host sends NS and waits for NA message ● An attacker can pretend to use every IP in the network. – This will create DoS since the host won't be able to obtain an IP address. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 17 of 33

  18. Neighbor Solicitation flooding ● Routers can store limited number of ND cache entries (similar to CAM tables in switches). ● A flood with NS messages can result in: – the router might stop learning new entries – the router might delete legitimate old entries – router crash ● Some hosts might use a “new” IPv6 address for each TCP connection as a security mechanism, resulting in a NS flooding. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 18 of 33

  19. Routing header type 0 (RH0) ● RH0 is used to force a packet to follow strictly predefined path between network nodes. ● The same IP address may be included more than once. ● RH0 can be exploited to cause: – amplification attack (via packet bouncing) – bypassing of firewalls ● RH0 is deprecated since December 2007. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 19 of 33

  20. Implementation issues ● Large number of the vulnerabilities in IPv6 are caused by bad implementations. ● They can result in: – DoS – security policies bypassing – buffer overflow ● It is likely that implementations will go better when IPv6 is adopted widely. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 20 of 33

  21. Transition techniques issues Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 21 of 33

  22. Dual-stack networks ● Systems can be subject to attack on both IPv4 and IPv6. ● A firewall may not be enforcing the same policy for IPv4 as for IPv6 traffic due to: – Misconfiguration – Usage of firewall with limited IPv6 functionality ● This can result in exposing internal services to the Internet. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 22 of 33

  23. Tunneled IPv6 over IPv4 ● IPv6 address are globally routable, thus allowing hosts behind NAT to be addressed – If the hosts were not protected, they will requite installing a firewall before using tunneled IPv6. ● Encapsulated IPv6 traffic could pass unnoticed by the firewall. ● The tunneling programs require opening a port in the firewall that could be used for attacks. Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 23 of 33

  24. IPv6 penetration testing tools Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 24 of 33

  25. IPv6 penetration testing tools ● Nmap – partial support of IPv6, still in development ● Nessus – requires the scanning engine to be run under Linux or Mac OS X ● Netcat6 – full support of IPv6 ● Metasploit – 19 of 224 payloads are using IPv6 ● THC IPv6 attack toolkit – designed for testing IPv6 netwroks Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 25 of 33

  26. Enumeration of IPv6 hosts Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 26 of 33

  27. Enumeration of IPv6 hosts ● IPv6 subnets are /64 – This is 4 294 967 296 times the size of IPv4. ● New approaches have to be used in order to enumerate hosts in IPv6 networks. – Reducing the address space – DNS Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 27 of 33

  28. Enumeration of IPv6 host by reducing the address space ● Reducing the address space can be done by analyzing patterns in the address. ● In most cases IPv6 address are not random, but are generated using a system: – Consecutive ordered – Autoconfiguration ● hosts with embedded MAC address ● hosts with embedded IPv4 address Security of IPv6 and DNSSEC for penetration testers - Vesselin Hadjitodorov 28 of 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Email Authentication for Penetration Testers 29.12.2019, 36c3 Andrew Konstantjnov,

Email Authentication for Penetration Testers 29.12.2019, 36c3 Andrew Konstantjnov,

Email Authentication for Penetration Testers 29.12.2019, 36c3 Andrew Konstantjnov, andrejs@cert.lv Who am I? Andrew, andrejs@cert.lv 679A C8D4 A391 6736 D558 07C1 D3D9 0B7C 666A EDCD Currently work for: cert.lv Previously worked

861 views • 56 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar,

DNSSEC.CZ CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Oct 26 2011, Dakar, ICANN DNSSEC WS 1 DNSSEC penetration About 17% domains is signed That means ~ 145.000 domains! (of 856.000) Check numbers at

180 views • 17 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these guys? Penetration Testers at LinkedIn Tony Trummer - Staff Security Engineer aka SecBro Tushar Dalvi - Sr. Security Engineer & Pool Hustler

1.17k views • 68 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
Economic Feasibility Statement Josephine Community Libraries, Inc. (JCLI) November 2, 2016

Economic Feasibility Statement Josephine Community Libraries, Inc. (JCLI) November 2, 2016

Josephine Community Library District Economic Feasibility Statement Josephine Community Libraries, Inc. (JCLI) November 2, 2016 ACKNOWLEDGMENTS This economic feasibility statement was commissioned by the Josephine Community Libraries, Inc.

798 views • 36 slides
R& E R& E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr

R& E R& E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr

R& E R& E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr gram Budge dget I ssu ssue 3 3:R& E L Legislat at ive Report March 15, 15, 2019 2019 Exhibit D 1 Locations of Recommended Projects

447 views • 22 slides
Synopsis of Oregon Department of Environmental Quality presentation TMDL Development and

Synopsis of Oregon Department of Environmental Quality presentation TMDL Development and

Synopsis of Oregon Department of Environmental Quality presentation TMDL Development and Temperature TMDLs in the Rogue Basin Presented by Gene Foster on Jan. 9, 2019 to the Oregon Board of Forestry. The Clean Water Act (CWA) and Oregon

252 views • 6 slides
Trends and differences in closing the gender gap in the EU Chiara Saraceno The EU may help

Trends and differences in closing the gender gap in the EU Chiara Saraceno The EU may help

Trends and differences in closing the gender gap in the EU Chiara Saraceno The EU may help upward convergence,but Country specific social, cultyral and family models are partly different Globalization (including migration) reshuffles

659 views • 34 slides
Keynote Speech Of Andrew J. Donohue Partner, Morgan, Lewis & Bockius LLP At J.P. Morgan

Keynote Speech Of Andrew J. Donohue Partner, Morgan, Lewis & Bockius LLP At J.P. Morgan

Keynote Speech Of Andrew J. Donohue Partner, Morgan, Lewis & Bockius LLP At J.P. Morgan Chase CCO & Treasurers Summit November 2, 2011 Treasurers and Chief Compliance Officers: Critical Roles, Difficult Challenge s Thank you for that

342 views • 7 slides
Black-Box Problem Diagnosis in Parallel File Systems . Kasick 1 Michael P Jiaqi Tan 2 , Rajeev

Black-Box Problem Diagnosis in Parallel File Systems . Kasick 1 Michael P Jiaqi Tan 2 , Rajeev

Black-Box Problem Diagnosis in Parallel File Systems . Kasick 1 Michael P Jiaqi Tan 2 , Rajeev Gandhi 1 , Priya Narasimhan 1 1 Carnegie Mellon University 2 DSO National Labs, Singapore Michael P . Kasick Problem Diagnosis in Parallel File

727 views • 56 slides
During the Cold War, Japan clearly understood that it was the anchor in Americas East Asian

During the Cold War, Japan clearly understood that it was the anchor in Americas East Asian

Conference Organized by the Institute for International Policy Studies, Tokyo, Japan U.S. Natl Defense Strategy & Security of Japan: U.S. Military Transformation & Beyond (Presentation by: James L. Schoff, Institute for Foreign

212 views • 17 slides
MULTI GPU PROGRAMMING WITH MPI Jiri Kraus, Senior Devtech Compute, April 4th 2016 MPI+CUDA

MULTI GPU PROGRAMMING WITH MPI Jiri Kraus, Senior Devtech Compute, April 4th 2016 MPI+CUDA

April 4-7, 2016 | Silicon Valley MULTI GPU PROGRAMMING WITH MPI Jiri Kraus, Senior Devtech Compute, April 4th 2016 MPI+CUDA System System System GDDR5 Memory GDDR5 Memory GDDR5 Memory Memory Memory Memory GPU GPU GPU CPU CPU

1.1k views • 77 slides

More recommend