[ipv6hackers] Remote assessment of fragmentation policy
Mathias Morbitzer
2015-04-01 13:47:57 UTC
Hi IPv6 hackers,

I would like to assess the fragmentation ID assignment policy (incremental, random, per-host/local counter, ...) of a remote host. For this, I need the host to send me multiple packets with the extension header for fragmentation. Now, my question is how to make the remote host respond with the extension header?

1) The first possibility would be an ICMPv6 Echo Request with a lot of data. However, the Windows firewall blocks those by default, and other firewalls also tend to filter Echo Requests.

2) Another thing I thought about was atomic fragments. However, since those are basically deprecated and also cause issues with some hosts, I think this is also not a good solution.

3) The last thing I could come up with was services like DNS, which also tend to reply with a lot of data that needs to be fragmented. However, this would require the remote host to run such a service, and is therefore very limiting.

So I was wondering if somebody has another idea for a probe that I could use to get the extension header for fragmentation in the response?


Thanks for your help,
Mathias
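As an added example (not code from this thread, from thc-ipv6 or from Nmap), here is the analysis step behind the question: a parser for the IPv6 Fragment extension header (RFC 2460, section 4.5) that takes a batch of raw packets, collects the Identification field of each datagram a given host sent, and classifies the assignment policy as incremental, constant or random. All packets, addresses and ID values are constructed inline and are made-up sample data; the parser assumes the Fragment header is the first extension header.

```python
"""Added illustration: IPv6 Fragment header parsing and ID-policy classification.
Not code from the mailing-list thread, thc-ipv6 or Nmap; sample packets are
constructed below so the script runs offline."""
import ipaddress
import struct
from typing import List, Optional

IPV6_HDR_LEN = 40   # fixed IPv6 header
FRAG_HDR_LEN = 8    # Fragment extension header
NH_FRAGMENT = 44    # Next Header value announcing a Fragment header
NH_ICMPV6 = 58


def build_fragment_packet(src: str, dst: str, ident: int, offset: int = 0,
                          more: int = 0, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv6 packet carrying a Fragment header (sample input only).
    offset is in 8-octet units; offset == 0 and more == 0 is an 'atomic' fragment."""
    plen = FRAG_HDR_LEN + len(payload)
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit
    hdr = struct.pack("!IHBB", 0x60000000, plen, NH_FRAGMENT, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    # Fragment header: next header, reserved, 13-bit offset | 2 reserved bits | M flag, 32-bit ID
    frag = struct.pack("!BBHI", NH_ICMPV6, 0, (offset << 3) | (more & 1), ident)
    return hdr + frag + payload


def parse_fragment_header(packet: bytes) -> Optional[dict]:
    """Return the Fragment header fields of a raw IPv6 packet, or None when the
    packet is not IPv6 or carries no Fragment header right after the fixed header.
    Assumption for brevity: a full parser would walk the whole extension-header chain."""
    if len(packet) < IPV6_HDR_LEN + FRAG_HDR_LEN or packet[0] >> 4 != 6:
        return None
    if packet[6] != NH_FRAGMENT:
        return None
    nh, _reserved, off_flags, ident = struct.unpack(
        "!BBHI", packet[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
    offset, more = off_flags >> 3, off_flags & 1
    return {"next_header": nh, "offset": offset, "more": more, "id": ident,
            "atomic": int(offset == 0 and more == 0),
            "src": str(ipaddress.IPv6Address(packet[8:24]))}


def classify_ids(ids: List[int]) -> str:
    """Heuristic over the IDs of successive datagrams from one host.
    A single vantage point can tell a counter from random IDs, but not a global
    counter from a per-destination one; that needs interleaved probes from two
    source addresses, which is why a probe usable from anywhere matters."""
    if len(ids) < 3:
        return "insufficient"
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(ids, ids[1:])]  # wraps at 2^32
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= 256 for d in deltas):  # small forward steps: counter-based
        return "incremental"
    return "random"


def assess_policy(packets: List[bytes], host: str) -> dict:
    """Collect the ID of every first fragment (offset 0) sent by host and classify it.
    Later fragments of a datagram repeat its ID, so each datagram is counted once."""
    host_norm = str(ipaddress.IPv6Address(host))
    ids, atomic = [], 0
    for pkt in packets:
        f = parse_fragment_header(pkt)
        if f is None or f["src"] != host_norm or f["offset"] != 0:
            continue
        ids.append(f["id"])
        atomic += f["atomic"]
    return {"host": host, "datagrams": len(ids), "atomic": atomic,
            "policy": classify_ids(ids)}


# Constructed sample: host A uses a plain counter (atomic fragments), host B
# uses unpredictable IDs on multi-fragment datagrams.  Addresses are documentation prefixes.
PROBE_SRC = "2001:db8::feed"
HOST_A, HOST_B = "2001:db8::a", "2001:db8::b"
SAMPLE = [build_fragment_packet(HOST_A, PROBE_SRC, i) for i in range(0x1000, 0x1004)]
SAMPLE.append(build_fragment_packet(HOST_A, PROBE_SRC, 0x1003, offset=1))  # 2nd fragment, same ID
SAMPLE += [build_fragment_packet(HOST_B, PROBE_SRC, i, more=1)
           for i in (0x9A3F1C22, 0x0B7E44D1, 0xE19C0A55, 0x4D2A8F10)]

if __name__ == "__main__":
    for h in (HOST_A, HOST_B):
        print(assess_policy(SAMPLE, h))
```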
Marc Heuse
2015-04-01 17:46:44 UTC
Hi Mathias,

just use the toobig6 tool from the thc-ipv6 package:

toobig6 eth0 TARGET-IP6 YOUR-IP6 64

then it should send all packets with an atomic fragmentation header to
you (well, most systems do that silly thing now).

Greets,
Marc
_______________________________________________
Ipv6hackers mailing list
http://lists.si6networks.com/listinfo/ipv6hackers
--
--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
Mathias Morbitzer
2015-04-01 20:25:40 UTC
Hi Marc,

I want to implement the probes in Nmap's IPv6 OS fingerprinting system. Therefore, the probes should also work in the future.

For sure, atomic fragments would currently work to get the fragmentation policy from most hosts (however, not Linux). But there is already a draft RFC which deprecates them, and they can also cause a DoS on some systems, so that's why I was wondering if somebody has an alternative.

Cheers,
Mathias
Antonios Atlasis
2015-04-01 20:42:11 UTC
Hi Mathias,

Why not use a Dest Opt Ext Hdr in the fragmentable part with several
dummy Option data (can be more than a thousand bytes) and as a layer 4
protocol whatever you like? Having a quick look at RFC 2460 will help you
figure out how Dest Opt should look.

Best

Antonios
Mathias Morbitzer
2015-04-02 11:23:28 UTC
Hi Antonios,

To my understanding, I would only be able to cause fragmentation of packets I send, not of the ones I receive.

Let's say I send a TCP SYN, using a Destination Option Extension header with enough dummy option data that my SYN will be fragmented. Still, in the responding SYN/ACK or RST, no Destination Option header will be used, and therefore also no extension header for fragmentation since the response will not be big enough.

Or am I missing something here?

Cheers,
Mathias
Marc Heuse
2015-04-02 11:33:17 UTC
Hi Mathias,
Post by Mathias Morbitzer
Hi Antonios,
To my understanding, I would be only able to cause fragmentation of
packets I send, not of the ones I receive.
I think Antonios misunderstood your question.
Post by Mathias Morbitzer
For sure, atomic fragments would currently work to get the
fragmentation policy from most hosts (however, not linux).
But there is already a draft RFC which deprecates them and they
can also cause a DoS on some systems, so that's why I was
wondering if somebody has an alternative.
the DoS would only be from that system to yours, and the same "DoS"
would happen with every fragmented packet that host would send you, even
without forcing it to set atomic fragmentation headers.

Well - either you force atomic fragments by sending a toobig to a packet
the system sends to you with a very small MTU value (see my toobig6
command) or you generate packets which force fragmented replies.
The easiest for the fragmented replies is a large ping, e.g.
ping6 -s 1600 TARGET


Greets,
Marc
--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
Enno Rey
2015-04-02 11:48:40 UTC
Hi,
Post by Marc Heuse
would happen with every fragmented packet that host would send you, even
without forcing it to set atomic fragmentation headers.
Well - either you force atomic fragments by sending a toobig to a packet
the system sends to you with a very small MTU value (see my toobig6
command) or you generate packets which forces fragmented replies.
The easiest for the fragmented replies is a large ping, e.g.
ping6 -s 1600 TARGET
that would assume/imply that your 1600 byte ping reaches the target, in order to generate a similar size pong, which I think would be a (methodology-wise) quite dangerous assumption.
To me "forced large DNS responses" seem the best/most reliable way to generate fragmented response traffic, albeit with the limitations Mathias mentioned in his initial mail. One should keep in mind that fragmentation is not foreseen in the IPv6 world anyway, so "any reasonable IPv6 stack" [note the contradictio in adiecto, for most current OS ;-)] will avoid it, until forced to employ it by an ULP.

cheers

Enno
--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
Antonios Atlasis
2015-04-02 16:45:44 UTC
Hi Mathias,

no, you do not miss anything; as Marc said, I misunderstood your question
:(

For the rest, I agree with your concerns and Enno's comments.

Best

Antonios
Mathias Morbitzer
2015-04-02 12:25:55 UTC
Hi,
Post by Enno Rey
Post by Marc Heuse
the DOS would only be from that system to yours, and the same "DOS"
would happen with every fragmented packet that host would send you, even
without forcing it to set atomic fragmentation headers.
I am not sure if we are talking about the same thing here. I was referring to, for example, Linux 2.6.32, which refuses to send any more packets after receiving a PTB message with an MTU < 1280, or Linux 3.2, which calculates the wrong upper layer checksums after receiving such a PTB message. (This has probably changed recently, since those systems don't accept PTB with an MTU < 1280 anymore.)
Post by Enno Rey
Post by Marc Heuse
Well - either you force atomic fragments by sending a toobig to a packet
the system sends to you with a very small MTU value (see my toobig6
command) or you generate packets which forces fragmented replies.
The easiest for the fragmented replies is a large ping, e.g.
ping6 -s 1600 TARGET
that would assume/imply that your 1600 byte ping reaches the target, in order to generate a similar size pong, which I think would be a (methodology-wise) quite dangerous assumption.
For this and previously mentioned reasons, I think that pings are not the way to go, especially when sending the traffic over multiple networks.
Post by Enno Rey
to me "forced large DNS responses" seem the best/most reliable way to generate fragmented response traffic, albeit with the limitations Mathias mentioned in this initial mail. one should keep in mind that fragmentation is not foreseen in the IPv6 world anyway, so "any reasonable IPv6 stack" [note the contradiction in adiecto, for most current OS ;-)] will avoid it, until forced to employ it by an ULP.
Which means I should rephrase my question to "What ULP can I use to get IPv6 fragments back"?

Cheers,
Mathias
Post by Enno Rey
cheers
Enno
Post by Marc Heuse
Greets,
Marc
Post by Mathias Morbitzer
Hi Antonios,
To my understanding, I would be only able to cause fragmentation of packets I send, not of the ones I receive.
Let's say I send a TCP SYN, using a Destination Option Extension header with enough dummy option data that my SYN will be fragmented. Still, in the responding SYN/ACK or RST, no Destination Option header will be used, and therefore also no extension header for fragmentation since the response will not be big enough.
Or am I missing something here?
Cheers,
Mathias
Post by Antonios Atlasis
Hi Matthias,
Why not using a Dest Opt Ext Hdr in the fragmentable part with several
dummy Option data (can be more than a thousand bytes) and as a layer 4
protocol whatever you like? Having a quick look at RFC 2460 will help you
figure out how Dest Opt should look like.
Best
Antonios
Post by Mathias Morbitzer
Hi Marc,
I want to implement the probes into Nmaps IPv6 OS fingerprinting system.
Therefore, the probes should also work in the future.
For sure, atomic fragments would currently work to get the fragmentation
policy from most hosts (however, not linux). But there is already a draft
RFC which deprecates them and they can also cause a DoS on some systems, so
that's why I was wondering if somebody has an alternative.
Cheers,
Mathias
Post by Marc Heuse
Hi Mathias,
toobig6 eth0 TARGET-IP6 YOUR-IP6 64
then it should send all packets with an atomic fragmentation header to
you (well, most systems do that silly thing now).
Greets,
Marc
Post by Mathias Morbitzer
Hi IPv6 hackers,
I would like to asses the fragmentation ID assignment policy
(incremental, random, per-host/local counter, ...) of a remote host. For
this, I need the host to send me multiple packets with the extension header
for fragmentation. Now, my question is how to make the remote host respond
with the extension header?
Post by Marc Heuse
Post by Mathias Morbitzer
1) The first possibility would the a ICMPv6 Echo Request with a lot of
data. However, the Windows firewall blocks those by default, and also other
firewalls tend to filter Echo Requests.
Post by Marc Heuse
Post by Mathias Morbitzer
2) Another thing I thought about were atomic fragments. However, since
those are basically deprecated and also cause issues with some hosts, I
think this is also not a good solution.
Post by Marc Heuse
Post by Mathias Morbitzer
3) The last thing I could come up with where services like DNS, which
also tend to reply with a lot of data that needs to be fragmented. However,
this would require the remote host to run such a services, and is therefore
very limiting.
Post by Marc Heuse
Post by Mathias Morbitzer
So I was wondering if somebody has another idea for a probe that I
could use to get the extension header for fragmentation in the response?
Post by Marc Heuse
Post by Mathias Morbitzer
Thanks for your help,
Mathias
_______________________________________________
Ipv6hackers mailing list
http://lists.si6networks.com/listinfo/ipv6hackers
--
--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de
Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin
Ust.-Ident.-Nr.: DE244222388
PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
Enno Rey
2015-04-02 12:36:40 UTC
Permalink
Hi,
Post by Mathias Morbitzer
Post by Enno Rey
that would assume/imply that your 1600 byte ping reaches the target, in order to generate a similar size pong, which I think would be a (methodology-wise) quite dangerous assumption.
For this and previously mentioned reasons, I think that pings are not the way to go, especially when sending the traffic over multiple networks.
Post by Enno Rey
to me "forced large DNS responses" seem the best/most reliable way to generate fragmented response traffic, albeit with the limitations Mathias mentioned in this initial mail. one should keep in mind that fragmentation is not foreseen in the IPv6 world anyway, so "any reasonable IPv6 stack" [note the contradiction in adiecto, for most current OS ;-)] will avoid it, until forced to employ it by an ULP.
Which means I should rephrase my question to "What ULP can I use to get IPv6 fragments back"?
well, yes.
which then means you could rephrase to "what are the typical arguments why [ed: crappy & useless] fragmentation should be allowed in the IPv6 world at all" (DNSSEC being the most commonly heard one). which in turn will point you to all the religious debates about this on various lists (IETF 6ops etc.).
seriously: I don't think there's a reliable way of doing this (not considering atomic fragments, for the exact reasons you mentioned). and even if you manage to identify one, there's a significant risk of response traffic being dropped somewhere in transit which would impact the reliability of your exact effort.

cheers

Enno
Post by Mathias Morbitzer
Cheers,
Mathias
Post by Enno Rey
cheers
Enno
Post by Marc Heuse
Greets,
Marc
Post by Mathias Morbitzer
Hi Antonios,
To my understanding, I would be only able to cause fragmentation of packets I send, not of the ones I receive.
Let's say I send a TCP SYN, using a Destination Option Extension header with enough dummy option data that my SYN will be fragmented. Still, in the responding SYN/ACK or RST, no Destination Option header will be used, and therefore also no extension header for fragmentation since the response will not be big enough.
Or am I missing something here?
Cheers,
Mathias
Post by Antonios Atlasis
Hi Mathias,
Why not use a Dest Opt Ext Hdr in the fragmentable part with several
dummy Option data (can be more than a thousand bytes) and as a layer 4
protocol whatever you like? Having a quick look at RFC 2460 will help you
figure out how Dest Opt should look.
Best
Antonios
Post by Mathias Morbitzer
Hi Marc,
I want to implement the probes into Nmap's IPv6 OS fingerprinting system.
Therefore, the probes should also work in the future.
For sure, atomic fragments would currently work to get the fragmentation
policy from most hosts (however, not Linux). But there is already a draft
RFC which deprecates them and they can also cause a DoS on some systems, so
that's why I was wondering if somebody has an alternative.
Cheers,
Mathias
--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
Eric Vyncke (evyncke)
2015-04-03 06:25:01 UTC
Permalink
Sending a big (obviously fragmented) UDP to the echo port? Hoping that
this port will reply to you?
Mathias Morbitzer
2015-04-03 12:55:28 UTC
Permalink
Post by Eric Vyncke (evyncke)
Sending a big (obviously fragmented) UDP to the echo port? Hoping that
this port will reply to you?
I would say in this case I have the same problem as with using a DNS service: It will probably only work on some nodes, not on the majority.

Well anyway, at least it's good to hear that I am not the only one who can't come up with a good solution. Thanks for all your input!

Cheers,
Mathias
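The classification step behind the thread's opening question (is the remote host's Fragment Identification incremental, random, or a per-destination counter?), as an added example that is not from the list or from any tool mentioned above. It pulls the Identification field out of raw IPv6 fragments, stepping over any Hop-by-Hop, Routing or Destination Options headers in front of the Fragment header, and labels the pattern; it also goes one step beyond the question by separating a global counter from a per-destination one, which needs replies elicited towards two observer addresses. The observer addresses, the sample packets and the `max_step` threshold are constructed assumptions, not data from the thread.

```python
import struct
from ipaddress import IPv6Address

IPV6_FRAGMENT = 44          # Next Header value of the Fragment extension header
CHAINABLE = {0, 43, 60}     # Hop-by-Hop, Routing, Dest Options: byte 1 = Hdr Ext Len in 8-octet units

def fragment_id(pkt):
    """Identification field of a raw IPv6 packet's Fragment header, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], 40
    while nh in CHAINABLE and off + 2 <= len(pkt):    # step over leading extension headers
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh != IPV6_FRAGMENT or off + 8 > len(pkt):
        return None
    # Fragment header layout: NextHdr(1) Reserved(1) Offset|Res|M(2) Identification(4)
    return struct.unpack("!BBHI", pkt[off:off + 8])[3]

def classify(observations, max_step=8):
    """observations: (observer_address, raw_ipv6_packet) pairs in arrival order, all from one
    remote host. Counters show small positive ID steps; random assignment does not."""
    def stepwise(ids):
        return len(ids) >= 3 and all(
            1 <= (b - a) % 2**32 <= max_step for a, b in zip(ids, ids[1:]))
    merged, per_obs = [], {}
    for observer, pkt in observations:
        fid = fragment_id(pkt)
        if fid is not None:
            merged.append(fid)
            per_obs.setdefault(observer, []).append(fid)
    if stepwise(merged):                      # one sequence shared by every observer
        return "global counter" if len(per_obs) > 1 else "counter (one vantage point)"
    if len(per_obs) > 1 and all(stepwise(ids) for ids in per_obs.values()):
        return "per-destination counter"     # each observer sees its own sequence
    if len(merged) >= 3 and len(set(merged)) == len(merged):
        return "random"
    return "inconclusive"

def make_fragment(ident, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed sample (not a capture): IPv6 + atomic Fragment header + 8-byte stub."""
    frag = struct.pack("!BBHI", 17, 0, 0, ident)                 # next=UDP, offset 0, M=0
    fixed = struct.pack("!IHBB", 6 << 28, len(frag) + 8, IPV6_FRAGMENT, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + frag + b"\0" * 8

A, B = "2001:db8::a", "2001:db8::b"   # constructed: observers A and B alternately elicit replies
GLOBAL = [(o, make_fragment(i, dst=o)) for i, o in zip(range(1000, 1006), [A, B] * 3)]
PER_DST = [(o, make_fragment(i, dst=o))
           for i, o in zip((500, 9000, 501, 9001, 502, 9002), [A, B] * 3)]
RANDOM = [(o, make_fragment(i, dst=o))
          for i, o in zip((0x8A3F11C2, 0x0192E4D7, 0xF20B6A55, 0x5D7C0E19), [A, B] * 2)]
```

On a real capture, `classify` takes the IPv6 payloads (link layer stripped) of the fragmented replies a probe elicited, each tagged with the observer address it was sent to.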