Hackin9

Tunneling IPv6 over IPv4 with protocol 41 (Teredo or 6to4) is nothing new. It was first introduced in RFC 2473 in December 1998 and has been in use since ~2002. Depending on the age of your home router, it may already have some form of IPv6 support. As an example, the Linksys WRT610N router version 1.0 has a hidden page, http://router/System.asp, that adds support for protocol 41; this support is listed as Vista Premium.



To check whether your router allows protocol 41 to flow freely in and out of your home network, run a sniffer against the external IP of your router and look for that protocol. Either tcpdump or Wireshark will do. With tcpdump, issue the following command:



tcpdump -ns 0 -i eth1 proto 41

19:11:47.447246 IP XX.245.121.230 > ZZ.246.188.99: IP6 2001:0:5ef5:79fb:2ce5:306e:8dd6:7711 > 2002:63f6:bc63:0:6975:9942:470:7a02: ICMP6, echo request, seq 14021, length 12
19:11:49.470610 IP XX.245.121.238 > ZZ.246.188.99: IP6 2001:0:5ef5:79fb:2ce5:306e:8dd6:7711 > 2002:63f6:bc63:0:6975:9942:470:7a02: ICMP6, echo request, seq 21435, length 12
19:12:59.648790 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,wscale 8,nop,nop,sackOK], length 0
19:13:02.653077 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,wscale 8,nop,nop,sackOK], length 0
19:13:08.647639 IP YYY.228.192.53 > ZZ.246.188.99: IP6 2002:d3e4:c035::d3e4:c035.54377 > 2002:63f6:bc63:0:6975:9942:470:7a02.52538: Flags [S], seq 588108466, win 8192, options [mss 1220,nop,nop,sackOK], length 0
19:17:57.403065 IP ZZ.246.188.99 > 192.88.99.1: IP6 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050 > 2607:f0d0:3001:62:1::52.80: Flags [S], seq 2581307596, win 8192, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
19:17:57.443256 IP 192.88.99.1 > ZZ.246.188.99: IP6 2607:f0d0:3001:62:1::52.80 > 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050: Flags [S.], seq 4094422909, ack 2581307597, win 5760, options [mss 1440,nop,nop,sackOK,nop,wscale 9], length 0
19:17:57.445276 IP ZZ.246.188.99 > 192.88.99.1: IP6 2002:63f6:bc63:0:580:ed30:dc11:1d1b.51050 > 2607:f0d0:3001:62:1::52.80: Flags [.], ack 1, win 258, length 0

Even if you are not set up for IPv6, there may be a lot of interesting data flowing your way. For example, from my router I can see ICMP6 echo requests, TCP traffic attempting to connect to strange ports and, of course, my own outbound 6to4 traffic. The last three traces are the three-way handshake of a web connection to the Wireshark website over an IPv6 6to4 tunnel. Note that IP 192.88.99.1 is listed as a 6TO4-RELAY-ANYCAST-IANA-RESERVED address.
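To make the capture above concrete, here is an added example (not the diary's own code) that decodes a protocol 41 packet as tcpdump shows them: outer IPv4 header, inner IPv6 header, and a classification of the tunnel. For 6to4 it also checks that the IPv4 address embedded in the 2002::/16 source matches the outer IPv4 source, a cheap sanity check a border filter can apply. All addresses are constructed except the 192.88.99.1 relay anycast seen in the trace.

```python
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41  # IANA "IPv6 encapsulation", what "proto 41" matches above


def parse_proto41(frame: bytes) -> dict:
    """Decode one IPv4 packet carrying protocol 41 and classify the tunnel.

    A 6to4 source 2002:WWXX:YYZZ::/48 embeds the endpoint IPv4 W.X.Y.Z in
    bits 16-47; a mismatch with the outer IPv4 source is worth flagging.
    """
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != PROTO_IPV6_ENCAP:
        raise ValueError(f"not protocol 41 (protocol {frame[9]})")
    outer_src = ipaddress.IPv4Address(frame[12:16])
    outer_dst = ipaddress.IPv4Address(frame[16:20])
    inner = frame[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    kind, consistent = "other", None
    if inner_src in ipaddress.IPv6Network("2002::/16"):
        kind = "6to4"
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        consistent = embedded == outer_src
    elif inner_src in ipaddress.IPv6Network("2001::/32"):
        kind = "Teredo"   # client IPv4 is obfuscated in the address; no simple check
    return {"outer_src": outer_src, "outer_dst": outer_dst, "inner_src": inner_src,
            "inner_dst": inner_dst, "next_header": inner[6], "kind": kind,
            "consistent": consistent}


def build_sample(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                 next_header: int = 58) -> bytes:
    """Constructed test packet: minimal IPv4 header + IPv6 header, no payload."""
    v6 = (struct.pack("!IHBB", 0x60000000, 0, next_header, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     PROTO_IPV6_ENCAP, 0,                    # checksum left zero
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    # constructed 6to4 host 192.0.2.1 talking to the IANA relay anycast 192.88.99.1
    pkt = build_sample("192.0.2.1", "192.88.99.1", "2002:c000:201::1", "2001:db8::1")
    print(parse_proto41(pkt))
```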

If your home router supports some form of IPv6 (native, Teredo or 6to4) and you would like to share that information, post it via our contact page.

[1] http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

[2] http://tools.ietf.org/html/rfc2473

[3] http://www.cert.org/blogs/certcc/2009/08/managing_ipv6_part_i.html

[4] https://isc.sans.edu/ipinfo.html?ip=192.88.99.1

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Facebook's Graph Search could be a powerful tool for steering people toward products and services on the social networking site, and marketers are starting to wrestle with the impact it may have on their brands.
 

Mobile virus writers pay to Google Play
WA today
Banking customers are the target of a new Android malware package seeking to infiltrate the Google Play store. Photo: Getty Images. An explosion in malicious software (malware) targeting Android smartphone users is being fueled in part by a budding ...

 

Citizens' rights to be free from searches don't hold everywhere. At border crossings, as in airports, people can be searched by authorities as a matter of routine course. But what should the standard be for not just rummaging through a briefcase, but for when the government wants to dig deep into the files on our electronic gadgets—even looking at deleted files?

A "watershed" decision from a federal appeals court today ruled that the government must have "reasonable suspicion" to do such an intensive computer search. However, the judges also ruled that standard was met in the search in question, which involved child pornography being brought across the border from Mexico. The US Court of Appeals for the 9th Circuit, sitting "en banc," reversed a lower court's decision to suppress an intensive forensic analysis of a laptop belonging to a traveler, Howard Cotterman, which resulted in a discovery of child pornography. 

The search started out as a "cursory review at the border but transformed into a forensic examination of Cotterman's hard drive." The court acknowledged it was a "watershed case" with implications for what kind of privacy rights all Americans can expect with regards to password-protected files on their computers.


 
Multiple 360 Systems Devices Hardcoded Password Security Bypass Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0765 Remote Code Execution Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0772 Out-of-Bounds Read Vulnerability
 
The number of new undergraduate computing majors in U.S. computer science departments increased more than 29% last year, a pace called "astonishing" by the Computing Research Association.
 
The Office of Information Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several
 
No Microsoft browser rival would comment on, much less confirm, that it reported the omission of the browser ballot to European antitrust regulators -- an omission that led to a $732 million fine this week against Microsoft.
 
Mobile carriers should deploy a number of safeguards to protect their customers against a growing problem of unauthorized billing through mobile payments, the U.S. Federal Trade Commission said in a report released Friday.
 
Brooklyn-based Sprezzat wants to modernize caller ID for people's smartphones with a little help from Twitter and Facebook.
 
Oracle JavaFX CVE-2012-5078 Remote Security Vulnerability
 
Facebook's redesigned News Feed may help keep users flooded with information from quitting the social network, analysts said.
 

Thursday was another grim day for Internet security as contestants at the Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash programs, allowing them to take full control of the computers they ran on. Oracle's Java was also, once again, felled.

The exploits, which fetched more than $160,000 in prizes, were impressive because they pierced a wall of defenses erected by some of the brightest minds in the field of software engineering. Those defenses included an anti-exploit "sandbox," which Adobe engineers added to Reader in 2010 and have been improving ever since. The mechanism isolates Web content in a restricted container that's sealed off from sensitive operating-system functions, such as writing files to disk or making system changes.

Until last month, no active attack had successfully bypassed the Reader sandbox protection. On Thursday, the defense suffered another significant blow when George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able to circumvent the Reader sandbox. The feat won him $70,000.


 
Recent reports from antivirus companies seem to suggest that the number of Android malware threats is growing. However, there are still many skeptics who think that the extent of the problem is exaggerated.
 
The NASA Mars rover Curiosity is running again after engineers put it to sleep for a day this week to protect it from a powerful solar storm.
 
The National Institute of Standards and Technology (NIST) and Stanford University have partnered to save for posterity over 15,000 software programs created in the early days of microcomputing.
 
LinuxSecurity.com: Updated xulrunner packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical [More...]
 
LinuxSecurity.com: Multiple security issues were identified and fixed in OpenJDK (icedtea6): The 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers [More...]
 
LinuxSecurity.com: Multiple vulnerabilities were found and corrected in Wireshark: * DRDA dissector infinite loop (CVE-2012-5239). * USB dissector infinite loop * ISAKMP dissector crash [More...]
 
LinuxSecurity.com: Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Several security issues were fixed in Django.
 
LinuxSecurity.com: OpenJDK could be made to crash or run programs as your login if it opened a specially crafted file.
 
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in gnutls: A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw [More...]
 
SEC Consult SA-20130308-1 :: Multiple vulnerabilities in GroundWork Monitor Enterprise (part 2)
 
[ MDVSA-2013:021 ] java-1.6.0-openjdk
 
PGP verification, Java 0-days, Bitcoins for cash, default logins, API keys, and keyboards with card readers – just some of the things that caught The H's eye this week


 
SEC Consult SA-20130308-0 :: Multiple critical vulnerabilities in GroundWork Monitor Enterprise (part 1)
 
[ MDVSA-2013:020 ] wireshark
 

Paulgear1 asked on Twitter: "Help on interpreting RFC4890. I still haven't turned on IPv6 because I'm not confident in my firewall."

First of all, what is RFC4890 all about [1]? The RFC is informational, not a standard. The usual guidance for IPv4 is not to block ICMP error messages, but one can get away with blocking all ICMP messages.

The situation is a bit different when it comes to ICMPv6. At first sight, the two protocols look very similar: a type, a code and a checksum make up the header. But as you dig deeper, the differences become more obvious. First of all, the protocol number for ICMPv6 is 58 (0x3a), not 1 as for ICMPv4. Secondly, the types are defined differently, and in part with firewalls in mind: message types 1-127 are error messages, and 128 and up are informational messages. [2]

ICMPv6 adds two very important features: it carries Neighbor Discovery, which replaces ARP, and Router Advertisements, which are an important part of IPv6 autoconfiguration. Blocking these link-local ICMPv6 messages at a host-based firewall is of course a very bad idea, just like blocking ARP. Blocking ICMPv6 at the border, however, is an option. Blocking ND and RA messages at a border is usually not necessary, as they are sent from link-local addresses and a TTL of 255 is required for them to be accepted.

RFC4890 suggests that Destination Unreachable (Type 1), Packet Too Big (Type 2), Time Exceeded (Type 3) and Parameter Problem (Type 4) messages must not be dropped. Among these, the one that matters most in IPv6, and differs from IPv4, is the Packet Too Big message. In IPv4, routers fragment packets and Packet Too Big messages are only used by path MTU discovery; blocking them will typically not disrupt connections, but it harms performance. In IPv6, routers no longer fragment packets. Instead the source does, after receiving a Packet Too Big ICMPv6 message. If these messages are blocked at the firewall, connections cannot be established.

Now there is one trick you can play to eliminate fragmentation of outbound traffic in IPv6: set your MTU to 1280 bytes. This is the minimum MTU allowed for IPv6, and a packet of 1280 bytes will never require fragmentation. But it comes at the cost of sending more and smaller packets, again a performance penalty.

So in short: is it a good idea to block all ICMPv6 traffic coming into your network? Probably not. The performance penalty has to be carefully weighed against the risk of allowing the packets, which is small. But then again, this is pretty much the case for IPv4 as well.
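The filtering guidance above expressed as a policy function, added here as an illustration rather than the diary's own rules: the four error types always pass, ND/RA types are accepted only with a link-local source and hop limit 255, echo is a site choice, and everything else is dropped. Type numbers are those of RFC 4443 and RFC 4861; the sample messages are constructed.

```python
import ipaddress

# ICMPv6 type numbers (RFC 4443 errors, RFC 4861 Neighbor Discovery)
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_error_message(icmp_type: int) -> bool:
    """RFC 4443 split: types below 128 are errors, 128-255 are informational."""
    return icmp_type < 128


def border_decision(icmp_type: int, src: str, hop_limit: int,
                    allow_ping: bool = True) -> str:
    """ACCEPT or DROP for one inbound ICMPv6 message at a site border."""
    # The four error types must pass: Packet Too Big is what tells an IPv6
    # source to shrink its packets, since routers no longer fragment for it.
    if icmp_type in (DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM):
        return "ACCEPT"
    if icmp_type in ND_TYPES:
        # Genuine ND/RA comes from a link-local source with hop limit 255 and
        # is never forwarded; anything else claiming these types is bogus.
        src_ok = ipaddress.IPv6Address(src) in LINK_LOCAL
        return "ACCEPT" if src_ok and hop_limit == 255 else "DROP"
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "ACCEPT" if allow_ping else "DROP"
    return "DROP"   # other informational types (MLD etc.) need not cross a border


def apply_policy(messages, allow_ping: bool = True) -> dict:
    """Run border_decision over (type, src, hop_limit) tuples and count outcomes."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for icmp_type, src, hop_limit in messages:
        counts[border_decision(icmp_type, src, hop_limit, allow_ping)] += 1
    return counts


# Constructed sample of inbound messages as a border firewall might log them
SAMPLE = [
    (PACKET_TOO_BIG, "2001:db8:1::1", 57),   # PMTUD feedback: must pass
    (DEST_UNREACH, "2001:db8:2::9", 60),
    (ECHO_REQUEST, "2001:db8:3::7", 64),
    (134, "fe80::1", 255),                   # RA from an on-link router
    (134, "2001:db8:4::1", 255),             # RA from a global address: bogus
    (135, "fe80::2", 64),                    # NS that was forwarded: bogus
    (130, "2001:db8:5::1", 64),              # MLD query from outside
]

if __name__ == "__main__":
    print(apply_policy(SAMPLE))              # {'ACCEPT': 4, 'DROP': 3}
```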

[1] http://www.ietf.org/rfc/rfc4890.txt

[2] https://tools.ietf.org/html/rfc4443

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A day after researchers hacked Chrome and Firefox at the Pwn2Own contest, Google and Mozilla patched their browsers Thursday.
 
Huawei enterprise division's effort to ramp up its European presence is bolstered by SAP's certification of its servers to run the SAP HANA in-memory platform.
 
The Android operating system has been cleared of patent infringement in a case brought by Nokia against Android smartphone maker HTC.
 

#FFSec, March 8: Five infosec pros who stand out
CSO (blog)
@stacythayer: Stacy Thayer is founder and executive director of the SOURCE conference. SOURCE Boston is one of my favorites in terms of the content provided and the networking opportunities. She inspires infosec pros to volunteer their time in ...

 
Patents management company MPEG LA announced agreements with Google, granting the Internet giant a license to techniques that may be essential to the VP8 video codec that Google backs.
 
On the second day of Pwn2Own, no browser or plugin survived the hacking contest. Mozilla and Google have already shipped updates for Firefox and Chrome to fix the holes exploited on day one.


 
Oracle MySQL Server CVE-2012-1702 Remote Security Vulnerability
 
Two Wi-Fi mobile hotspots offer very different services: The Verizon Wireless JetPack is fast but pricey while the FreedomPop Photon is limited but free.
 
The shutdown of Megaupload caused an increase in digital sales and rentals of movies, according to a study by two researchers, which is likely to give a boost to the movie industry, which has typically blamed online cyberlockers and file-sharing websites for fueling piracy.
 
IBM's decision this week to base its cloud services on OpenStack may help establish this open source platform as the standard in enterprises.
 
Motorola Mobility is cutting 1,200 staff, in addition to a reduction of 4,000 staff it announced in August, to focus on high-end devices.
 
Microsoft will be addressing seven security problems in Silverlight, Office, its server products, Internet Explorer and Windows on Tuesday. The published bulletins include four critical and three important fixes.


 
CoDeSys 'Gateway Server' Multiple Security Vulnerabilities
 