Project 13x: IPv6 DoS with sendpees6 (10 pts.)

Purpose

Untrusted devices on an IPv6 network can send unauthorized packets that spoof routers and other devices on the network, enabling various man-in-the-middle and denial-of-service attacks, as we have seen in several other projects. The planned solution for this problem is Secure Neighbor Discovery (SeND), which assigns each device a Cryptographically Generated Address (CGA) rather than deriving the address from the MAC address or a random number. The host portion of the IPv6 address (the rightmost 64 bits) then depends on an RSA signature, and each device has its own private key. Receiving devices can therefore verify, by performing cryptographic computations, that packets came from the proper source.

However, as you might have guessed, this places a burden on the machine receiving the packets. This DoS attack wastes CPU time on the target simply by sending a lot of signed packets that it must verify. In my tests, it affects both Ubuntu Linux and Windows 7 similarly.
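To make the CGA part of SeND concrete, here is the RFC 3972 address generation and verification algorithm written out in Python. This is an added example, not code from the project page or from the thc-ipv6 suite. The "public key" is a constructed byte string standing in for a DER-encoded RSA key (CGA only hashes those bytes, so the algorithm is unchanged), the prefix is fe80::/64, and the modifier starts from zero so the result is deterministic. The signature verification that the attack exploits is separate from this: the hash checks below are cheap, which is why SeND asks the verifier to run them first.

```python
"""RFC 3972 Cryptographically Generated Address (CGA) generation and verification.

Added example; not part of the original project page or of thc-ipv6.
PUBLIC_KEY is a constructed stand-in for a DER-encoded RSA public key.
"""
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
PUBLIC_KEY = b"constructed-demo-public-key-bytes-not-a-real-rsa-key"
# Link-local prefix fe80::/64 as 8 bytes (the CGA "subnet prefix").
SUBNET_PREFIX = bytes.fromhex("fe80000000000000")


def hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | key)."""
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def hash1(modifier: bytes, prefix: bytes, collision_count: int, public_key: bytes) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)."""
    data = modifier + prefix + bytes([collision_count]) + public_key
    return hashlib.sha1(data).digest()[:8]


def hash2_has_leading_zeros(h2: bytes, sec: int) -> bool:
    """The leftmost 16*Sec bits of Hash2 must be zero; Sec=0 means no work at all."""
    return h2[:2 * sec] == bytes(2 * sec)


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 start_modifier: bytes = bytes(16), collision_count: int = 0):
    """Return (address_bytes, modifier).

    Increments the 128-bit modifier until Hash2 has 16*Sec leading zero bits
    (the generator's work factor), then derives the 64-bit interface ID.
    """
    modifier = int.from_bytes(start_modifier, "big")
    while True:
        mod_bytes = modifier.to_bytes(16, "big")
        if hash2_has_leading_zeros(hash2(mod_bytes, public_key), sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    iid = bytearray(hash1(mod_bytes, prefix, collision_count, public_key))
    # Write Sec into the three leftmost bits and clear the u and g bits (bits 6, 7).
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(prefix + iid), mod_bytes


def verify_cga(address: bytes, prefix: bytes, modifier: bytes,
               collision_count: int, public_key: bytes) -> bool:
    """RFC 3972 section 5: two SHA-1 computations, no public-key operation."""
    if len(address) != 16 or collision_count > 2:
        return False
    if address[:8] != prefix:
        return False
    iid = address[8:]
    h1 = hash1(modifier, prefix, collision_count, public_key)
    # Compare Hash1 with the interface ID, ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5  # Sec is read back from the address itself
    return hash2_has_leading_zeros(hash2(modifier, public_key), sec)


if __name__ == "__main__":
    addr, mod = generate_cga(SUBNET_PREFIX, PUBLIC_KEY, sec=1)
    print("CGA:", ipaddress.IPv6Address(addr), "modifier:", mod.hex())
    print("verifies:", verify_cga(addr, SUBNET_PREFIX, mod, 0, PUBLIC_KEY))
    print("wrong key verifies:", verify_cga(addr, SUBNET_PREFIX, mod, 0, b"other"))
```

With Sec=1 the generator expects about 65536 SHA-1 trials; the verifier always does exactly two. Binding the address to the key this way is what lets a receiver reject a spoofed address cheaply, but it does nothing about the cost of the RSA signature check that follows, which is the resource this project's attack consumes.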

What you need

Windows Target Setup

On the Windows target machine, open a Command Prompt and execute the IPCONFIG command. Find the IPv6 address and record it.

Right-click the taskbar (at the bottom of the Windows desktop) and click "Start Task Manager". Click the Performance tab so you can see the CPU usage. It should be near 0%, as shown below on this page.

Installing thc-ipv6 on the Linux Attacker

You need the thc-ipv6 attack suite installed on your Linux Attacker. If you use Backtrack, it's already installed. If you are using Ubuntu, you will need to install it, as explained here:

http://samsclass.info/ipv6/scan-google.html

Testing the Networking

On the Linux attacker, in a Terminal window, execute these commands. In the second command, use your Windows target's IPv6 address instead of the example shown, and use the correct interface at the end, which may not be eth0.

sudo /etc/init.d/networking start

cd /pentest/spoofing/thc-ipv6

ping6 -c 4 fe80::887:4229:5f43:81c6%eth0

You should get replies. If you do not, you need to troubleshoot your networking. When BackTrack 4 R2 stops networking properly, I have been able to fix it by running Wireshark and sniffing. The interface seems to work better when operated in promiscuous mode.

Attacking the Windows Machine

On the Linux attacker, in a Terminal window, execute this command. (If you are on an isolated network, you can just attack the whole network segment with a multicast address of ff02::1, as shown in the figure.)

./sendpees eth0 1024 dead:: fe80::887:4229:5f43:81c6

You should see the CPU rise on the target machine. It may not go to 100%, but you should see it rise, as shown below on this page.
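From the defender's side, the observable signal of this attack is a burst of Neighbor Discovery messages carrying the RFC 3971 RSA Signature option (type 12) from one source. The following is an added example, not code from the project page or from thc-ipv6: it parses the option list of ICMPv6 ND messages and flags any source whose count of signed messages in a one-second window exceeds a threshold. The packet bytes, addresses and threshold are constructed for the demonstration, and the ICMPv6 checksums are left as zero rather than computed.

```python
"""Flag sources sending bursts of SeND-signed Neighbor Discovery messages.

Added example; not part of the original project page or of thc-ipv6.
All packets, addresses and the threshold below are constructed sample data.
"""
from collections import defaultdict, deque

# ICMPv6 ND message types (RFC 4861) and the fixed header length before options.
ND_HEADER_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LLA = 1      # RFC 4861 source link-layer address option
OPT_CGA = 11            # RFC 3971 section 5.1
OPT_RSA_SIGNATURE = 12  # RFC 3971 section 5.2


def nd_option_types(icmp6: bytes) -> list:
    """Return the option type codes in an ND message, in order.

    Option lengths are in units of 8 octets; a zero length is invalid
    (RFC 4861 says to discard the packet), so parsing stops there.
    """
    hdr = ND_HEADER_LEN.get(icmp6[0]) if icmp6 else None
    if hdr is None or len(icmp6) < hdr:
        return []
    types, pos = [], hdr
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            break
        types.append(opt_type)
        pos += opt_len
    return types


def is_signed_nd(icmp6: bytes) -> bool:
    """True if the ND message carries an RSA Signature option."""
    return OPT_RSA_SIGNATURE in nd_option_types(icmp6)


def signed_nd_rate_alerts(events, threshold: int, window: float = 1.0) -> dict:
    """events: iterable of (timestamp, source_address, icmp6_bytes).

    Returns {source: peak_count} for every source whose number of signed ND
    messages inside any `window`-second span exceeds `threshold`. Unsigned
    messages are ignored because they cost the receiver no signature check.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, pkt in sorted(events, key=lambda e: e[0]):
        if not is_signed_nd(pkt):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {s: n for s, n in peak.items() if n > threshold}


# --- constructed sample packets --------------------------------------------
def build_ns(target: bytes, options: bytes) -> bytes:
    """Neighbor Solicitation: type 135, code 0, checksum (zeroed), reserved, target."""
    return bytes([135, 0]) + bytes(2) + bytes(4) + target + options


TARGET = bytes.fromhex("fe800000000000000887422a5f4381c6")  # constructed target
CGA_OPT = bytes([OPT_CGA, 2]) + bytes(2) + bytes(12)                 # 16 octets
RSA_SIG_OPT = bytes([OPT_RSA_SIGNATURE, 4]) + bytes(2) + bytes(16) + bytes(12)  # 32 octets
SLLA_OPT = bytes([OPT_SOURCE_LLA, 1]) + bytes.fromhex("0200deadbeef")         # 8 octets
SIGNED_NS = build_ns(TARGET, CGA_OPT + RSA_SIG_OPT)
PLAIN_NS = build_ns(TARGET, SLLA_OPT)


def sample_events() -> list:
    """Constructed traffic: one normal SeND host, one unsigned host, one flood source."""
    ev = [(1.5 * i, "fe80::1", SIGNED_NS) for i in range(3)]          # occasional signed NS
    ev += [(0.3, "fe80::2", PLAIN_NS), (0.9, "fe80::2", PLAIN_NS)]    # no signature at all
    ev += [(1.0 + 0.005 * i, "fe80::dead", SIGNED_NS) for i in range(60)]  # 60 signed NS in 0.3 s
    return ev


if __name__ == "__main__":
    for src, n in signed_nd_rate_alerts(sample_events(), threshold=20).items():
        print(f"ALERT {src}: {n} signed ND messages within 1 s")
```

The point of counting before verifying is that counting is free while RSA verification is not: a receiver (or a monitoring point on the segment) that rate-limits or logs per-source signed ND traffic ahead of the signature check keeps the attack from consuming the CPU the way the CPU graph in this project shows. The threshold of 20 is a constructed value; a real one should come from the baseline signed-ND rate on the segment.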

Saving a Screen Image

Make sure you can see a CPU increase on the target. If the increase is very small, and you are sure the network is working, try opening several Terminal windows on the attacker and running the attack in all of them at once.

Save a screenshot of this image with this filename:

Proj 13x from Your Name

Turning in Your Project

Email the image to cnit.124@gmail.com with a subject line of
Proj 13x from Your Name

Comparing Windows and Linux

Here is a screen image comparing Windows 7 and Ubuntu Linux undergoing the same attack. As you can see, they both have similar elevated CPU usage: Windows is at 40%, and Linux is at 37%.

References

For a description of SeND and the CGA, see:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-563156.html


Last modified 4-10-2011 6 pm