This is a guest post from Antonios Atlasis.
Last year, during the IPv6 Security Summit of Troopers 14 I had the pleasure to present publicly, for the first time, my IPv6 Penetration Testing / Security Assessment framework called Chiron; later, it was also presented at Brucon 14 as part of the 5×5 project. This year, I am returning to the place where it all started, the beautiful city of Heidelberg, to give another workshop about Chiron at the IPv6 Security Summit of Troopers 15. But is it just another workshop covering the known Chiron features, or has something changed?
I would say a lot :). The most significant enhancements are described below.
First of all, MLD capabilities have been added. You can very easily construct simple MLD version 1 and version 2 packets of all types (Request, Report, Done), but also really huge and complicated ones which incorporate many multicast address records, several source addresses per multicast address record, arbitrary types of Reports, etc. These capabilities have already been used for our MLD research, which provided really interesting results (by the way, these results will also be presented at the IPv6 Security Summit during our MLD talk).
Based on MLD, a very handy link-local reconnaissance option has been added which allows not only the detection of hosts that do not respond to other reconnaissance techniques, but also their OS fingerprinting. This is achieved by sending a single packet, which can also be spoofed using the source address of the legitimate IPv6 router. Not that bad, is it?
Furthermore, a new module has been added, an attacking one, which (apart from implementing well-known attacks like Man-in-the-Middle ones using SLAAC attacks) also incorporates a fake DHCPv6 server. What’s the big deal with it? Well, like all the other Chiron modules, it can be combined with the underlying library that allows the crafting of completely arbitrary IPv6 header chains, which results, among other things, in DHCPv6 Guard evasion.
Last but not least, the Chiron proxy now auto-configures iptables, and its performance has also been improved significantly. This means that, if you find a way to evade, let’s say, an IDPS device, it is now a piece of cake to connect via ssh or launch, let’s say, nikto against a web server, even if port 22 or port 80 is blocked. This module really turns theory into practice.
The above features will not only be demonstrated; the attendees will also have the chance to test them on their own during a CTF which will take place at the end of the workshop. And a small surprise may follow. So, see you all there 🙂
Until then, all the best!