Project 12x: Duplicate Address Detection with thc-ipv6 (15 pts.)

What you need

Linux Attacker Setup

You need the thc-ipv6 attack suite installed on your Linux Attacker. If you use Backtrack, it's already installed. If you are using Ubuntu, you will need to install it, as explained here:

http://samsclass.info/ipv6/scan-google.html

On the Linux attacker, in a Terminal window, execute these commands:

sudo /etc/init.d/networking start

sudo ifconfig eth0 add cc5f:974::1/64

ifconfig

You should see an ethernet interface with an inet6 address starting with cc5f:974::, as shown below on this page. (This prefix is CCSF P L4 in "Leet speak" aka 1337 sp33k.)

Adding your Target Device with Manual Addressing

We will now add your target device to the cc5f:974::/64 LAN.

On your Target device, in a Terminal window, execute these commands:

ifconfig

Look to see what the name of your interface is, and make sure it has an address beginning with fe80::, as shown below on this page. In my case, the interface is named eth1.

On your Target device, in a Terminal window, execute these commands:

sudo ifconfig eth1 add cc5f:974::2/64

ping6 -c 4 cc5f:974::1

ifconfig eth1

You should see replies from the pings, and an inet6 address starting with cc5f:974::, as shown below on this page.

On your Target device, in a Terminal window, execute these commands:

sudo ifconfig eth1 del cc5f:974::2/64

ping6 -c 4 cc5f:974::1

ifconfig eth1

This removes you from the LAN, so the pings do not get replies, and the inet6 address starting with cc5f:974:: is gone, as shown below on this page.

Using detect-new-ip6

The detect-new-ip6 utility listens for the Neighbor Solicitation messages that hosts send during Duplicate Address Detection, and so finds any machine that joins your LAN. This is a way to find machines without having to scan for them.

On the Attacker Linux machine, execute these commands. If you are using Ubuntu, thc-ipv6 is probably on your desktop rather than in the /pentest/spoofing directory.

cd /pentest/spoofing/thc-ipv6

sudo ./detect-new-ip6 eth0

You should see a message saying "Started ICMP6 DAD detection (Press Control-C to end) ..."

On your Target device, in a Terminal window, execute this command:

sudo ifconfig eth1 add cc5f:974::2/64

On the Attacker machine, you should see the new machine detected immediately, as shown below on this page.

Saving a Screen Image

Make sure you can see the "Detected new ip6 address" message. Save a screen shot of this image with this filename:

Proj 12xa from Your Name

Removing the Target from the LAN

On your Target device, in a Terminal window, execute these commands:

sudo ifconfig eth1 del cc5f:974::2/64

ifconfig eth1

This removes the Target Linux machine from the LAN.

Using dos-new-ip6 to Block New Devices from the LAN

The dos-new-ip6 utility is nasty: it listens for devices that join and send Duplicate Address Detection messages, and lies to them, telling them that the address they want is already in use.
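The two tools above sit on opposite sides of the same exchange: detect-new-ip6 watches the DAD Neighbor Solicitation a joining host sends from the unspecified address to the target's solicited-node multicast group, and dos-new-ip6 answers it with a Neighbor Advertisement claiming the address. The monitor below is an added example written for this page, not code from thc-ipv6; it decodes raw Ethernet/IPv6/ICMPv6 frames, reports DAD probes the way a defender's asset-discovery sensor would, and flags the trace a DAD-spoofing tool leaves on the wire: one link-layer address answering DAD probes for many different addresses. The MAC addresses, the frames and the DadMonitor/parse_frame/build_frame names are all constructed for the example; build_frame only assembles test bytes in memory.

```python
"""Passive monitor for IPv6 Duplicate Address Detection (DAD) traffic.

Constructed example; not part of thc-ipv6 and not the code behind
detect-new-ip6 or dos-new-ip6. It parses raw Ethernet frames (the bytes an
AF_PACKET socket or a pcap file would hand you), reports DAD probes, and
flags one MAC claiming many DAD-probed addresses.
"""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NS, ICMPV6_NA = 135, 136
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node_multicast(addr):
    """RFC 4291 solicited-node group ff02::1:ffXX:XXXX (low 24 bits of addr)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group: 33:33 + low 32 bits."""
    return "33:33:" + ipaddress.IPv6Address(group).packed[-4:].hex(":")


def build_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, target, flags=0):
    """Build test data only: Ethernet + fixed IPv6 header + ICMPv6 NS/NA with no
    options. Checksum is left zero; the monitor does not verify it."""
    icmp = struct.pack("!BBHB3s", icmp_type, 0, 0, flags, b"\x00" * 3)
    icmp += ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_frame(frame):
    """Decode an ICMPv6 NS/NA frame into a dict. Anything else, including frames
    carrying IPv6 extension headers, returns None rather than a wrong parse."""
    if len(frame) < 78 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != IPPROTO_ICMPV6:          # next header must be ICMPv6 directly
        return None
    icmp = frame[54:]
    if icmp[0] not in (ICMPV6_NS, ICMPV6_NA):
        return None
    return {"src_mac": frame[6:12].hex(":"), "hop_limit": ip6[7],
            "src_ip": ipaddress.IPv6Address(ip6[8:24]),
            "dst_ip": ipaddress.IPv6Address(ip6[24:40]),
            "type": icmp[0], "flags": icmp[4],
            "target": ipaddress.IPv6Address(icmp[8:24])}


class DadMonitor:
    """Tracks DAD probes and which link-layer addresses answer them."""

    def __init__(self, spoof_threshold=3):
        self.spoof_threshold = spoof_threshold
        self.probed = set()              # addresses seen in DAD probes
        self.claims = defaultdict(set)   # src MAC -> probed addresses it claimed
        self.alerts = []
        self._flagged = set()

    def feed(self, frame):
        """("dad", target) for a DAD probe, ("claim", target, mac) for a NA that
        answers one, None for everything else."""
        pkt = parse_frame(frame)
        if pkt is None:
            return None
        if pkt["hop_limit"] != 255:      # RFC 4861: ND packets are never forwarded
            self.alerts.append(f"ND packet with hop limit {pkt['hop_limit']} from {pkt['src_mac']}")
            return None
        if pkt["type"] == ICMPV6_NS and pkt["src_ip"] == UNSPECIFIED:
            # DAD probe: unspecified source, sent to the target's solicited-node group
            if pkt["dst_ip"] != solicited_node_multicast(pkt["target"]):
                return None
            self.probed.add(pkt["target"])
            return ("dad", pkt["target"])
        if pkt["type"] == ICMPV6_NA and pkt["target"] in self.probed:
            mac = pkt["src_mac"]
            self.claims[mac].add(pkt["target"])
            if len(self.claims[mac]) >= self.spoof_threshold and mac not in self._flagged:
                self._flagged.add(mac)
                self.alerts.append(f"{mac} answered DAD for {len(self.claims[mac])} "
                                   "different addresses: likely DAD spoofing")
            return ("claim", pkt["target"], mac)
        return None


def demo():
    """Replay a constructed capture: one host probes four addresses in turn and a
    single MAC answers every probe with an override (0x20) Neighbor Advertisement."""
    joiner, spoofer = "00:0c:29:11:22:33", "00:0c:29:aa:bb:cc"   # constructed MACs
    mon = DadMonitor()
    for n in range(2, 6):
        target = f"cc5f:974::{n}"
        group = solicited_node_multicast(target)
        mon.feed(build_frame(joiner, multicast_mac(group), "::", group, ICMPV6_NS, target))
        mon.feed(build_frame(spoofer, multicast_mac(ALL_NODES), target, "ff02::1",
                             ICMPV6_NA, target, 0x20))
    return sorted(str(a) for a in mon.probed), mon.alerts


if __name__ == "__main__":
    probed, alerts = demo()
    print("DAD probes seen for:", probed)
    for alert in alerts:
        print("ALERT:", alert)
```

A host answering DAD for its own address produces a single claim and no alert; the threshold is what separates a legitimate owner from a tool that answers everything. Pointing feed() at frames from a pcap of the lab LAN is enough to see both the "new address" events and the spoofing alert.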

On the Attacker Linux machine, detect-new-ip6 should still be running. Cancel it with Ctrl+C. Then execute this command to restart it:

sudo ./detect-new-ip6 eth0

On the Attacker Linux machine, open a new Terminal window. In the new window, execute these commands:

cd /pentest/spoofing/thc-ipv6

sudo ./dos-new-ip6 eth0

You should have two Terminal windows open running both tools, as shown below on this page.

On your Target device, in a Terminal window, execute these commands:

sudo ifconfig eth1 add cc5f:974::2/64

ping6 -c 4 cc5f:974::1

ifconfig eth1

On the Attacker machine, you should see that the new machine was detected by detect-new-ip6, and told not to use that address by dos-new-ip6, as shown below on this page.

However, when I did it on Ubuntu 10.10, the pings got replies, and the address was added to the interface anyway. This looks like a failure of Ubuntu to properly implement Duplicate Address Detection to me! My results are shown below:

Using Router Advertisements to Add the Target Machine to the LAN

On the Attacker Linux machine, open a third Terminal window. In the new window, execute these commands:

cd /pentest/spoofing/thc-ipv6

sudo ./fake_router6 eth0 cc5f:974::/64

You should have three Terminal windows open now, running detect-new-ip6, dos-new-ip6, and fake_router6. Within a few seconds, the Ubuntu target should attempt to join the network, in response to the Router Advertisement from fake_router6.

But when it does, it informs the Attacker machine of its address in the Duplicate Address Detection process. Then dos-new-ip6 tells the Ubuntu target machine that the address is in use.

You should see addresses being detected in the detect-new-ip6 window, and the addresses being spoofed in the dos-new-ip6 window, as shown below on this page. If you don't, try disabling and re-enabling the adapter on the Linux target with sudo ifconfig eth1 down and sudo ifconfig eth1 up.

Saving a Screen Image

Make sure you can see the "Detected new ip6 address" and "Spoofed packet for existing ip6" messages. Save a screen shot of this image with this filename:

Proj 12xb from Your Name

Turning in Your Project

Email the image to cnit.124@gmail.com with a subject line of

Proj 12x from Your Name

Results with a Windows 7 Target

I tried this attack on a Windows 7 target, and it only tries a few times with random addresses before giving up, with a logical error message, as shown below on this page.

So Windows handles this attack well!


Last modified 4-7-2011 2 pm