Friday, May 3 • 9:00am - 10:00am
Investigating IPv6 via UPnP

Projects like ZMap and Masscan have made scans of the entire IPv4 Internet very practical and have produced interesting insights into the state of the Internet. However, despite the growing adoption of IPv6, very little has been done in the way of IPv6 scans, because the size of the address space makes exhaustive scans infeasible.

Motivated by this, a number of projects have come up with different ideas for unmasking in-use IPv6 addresses. Shodan set up IPv6 network time protocol servers so that random clients would connect to them and reveal their IPv6 addresses, which Shodan would then scan and make accessible in its database. The IPv6.farm project has abused certain properties of DNS and DNSSEC to reveal in-use IPv6 addresses and has presented its analysis in a number of papers (https://ipv6.farm/).

In 2015 Martin Zeiser and I presented a joint talk about client-side UPnP attacks at PacSec. Martin talked about interesting UPnP scans he was exploring at the time, and I covered a memory corruption vulnerability that we had found previously. Recalling this, we had an idea to use UPnP to unmask IPv6 addresses.

By sending a specific UPnP packet, we can have the target connect back to a URL of our choosing. Supplying an IPv6 URL and sending the packet to the IPv4 address of a dual-stack host makes it connect back to us over IPv6, thus divulging its IPv6 address. Doing this over the whole IPv4 address space yields a sizable number of dual-stack UPnP hosts that reveal their IPv6 addresses to us.

Further analysis of the gathered data revealed some interesting facts. Doing this across the whole IPv4 address space results in IPv4-IPv6 address pairs, which lets us perform interesting additional scans. This revealed a number of hosts with notable firewall discrepancies between their IPv4 and IPv6 sides. Also, since UPnP is usually used for local network discovery, the dataset consists mostly of end-consumer devices and hosts, IoT devices and the like, in contrast to the types of hosts scanned in the IPv6.farm and Shodan NTP projects, giving us a glimpse into this previously unexplored category of targets.

In this presentation we will discuss the IPv6 scanning problem and previous research as motivating examples, present our methodology for the initial IPv6 address discovery and the subsequent scanning, and present our analysis and interesting findings: the unexpected filtering, discrepancies between actual and reported IPv4/IPv6 pairs, cases of missing filtering on the IPv6 side where IPv4 is properly firewalled, as well as some facts about the dynamic nature of hosts in this category (usage of Teredo, 6to4, IPv6 MAC mappings...).

Aleks Nikolic

Security Researcher, Cisco Talos
Aleks is a security researcher mostly interested in reverse engineering, code auditing and program analysis, with a focus on vulnerability discovery. As part of the Cisco Talos vulnerability research team, his tasks involve developing novel fuzzers, tools and techniques for finding software...

Friday May 3, 2019 9:00am - 10:00am
Scruffy City Hall 32 Market Square, Knoxville, TN, United States