Information Disclosure Vulnerability in the IPv6 stack
Finding the live IPv6-enabled hosts on a network is a laborious process because the address space is huge. Sending an ICMPv6 echo request to each
possible address is a time- and bandwidth-consuming operation.
I have observed that by sending a single crafted ICMPv6 echo request packet, all enabled IPv6 hosts in my network have given
me responses. In the "IPv4 only" era this was called broadcast ping.
I have been able to probe the existence of this behaviour against the following operating systems:
To prevent this wrong behaviour, the IPv6 stack of the affected operating systems must be modified to respond to ICMPv6
echo request packets only if the destination IPv6 address carried in the received packet is one of the host's own unicast IPv6 addresses.
The same correction may be applied to other packet types too.
Software platform used for scanning:
To activate the IPv6 support for Microsoft Windows XP SP2 type the following in a command prompt:
ipv6 install
To activate the IPv6 support for Microsoft Windows Server 2003 type the following in a command prompt:
netsh interface ipv6 install
If the machine also has the DNS server installed, you can make it IPv6 aware by typing the following in a command prompt:
dnscmd /config /EnableIPv6 1
In Fedora Core 5 the IPv6 support was (in my case) enabled by default.
In OpenSolaris, to activate the IPv6 support type the following in a shell:
ifconfig <interfaceName> inet6 plumb up
On a Windows XP SP2 machine, install WinPcap if it is not already installed.
Download and install CHScanner (in the current version, 0.8.1.960, "install" means to unzip the archive).
Launch CHScanner from a folder where you have write permissions and execute the following actions:
This document is copyrighted (c) 2005 by Calin Radoni. Permission is granted to copy and/or distribute this document.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.