Using Group Policy To Secure Rogue IPv6 in Small Enterprises (Why You Can’t Ignore IPv6) [T1557]

This article focuses on IPv6 man-in-the-middle attacks using DHCP to trick a client into communicating with an attacker’s system. DHCPv6 can be used by malicious actors to inject a different DNS server or WPAD configuration into the client’s settings. This article explores how to mitigate these attacks and secure IPv6 in small enterprise environments.

By the end of this article you will:

  1. Be aware of the risks of misconfigured or unconfigured IPv6.
  2. Have implemented 2 mitigations via group policy that disrupt several variants of IPv6 attacks.
  3. Have deployed a honeypot for these IPv6 attacks.
  4. Be aware of additional mitigations that can secure this attack vector.

Attack Scenario

MITRE ATT&CK technique T1557, Adversary-in-the-Middle (AiTM): this attack vector, commonly abbreviated MITM or Man-in-the-Middle, occurs when an attacker positions themselves between two communicating parties, intercepting and potentially altering the communications between them. The attacker can then eavesdrop on the communication or manipulate it in order to steal sensitive information, such as login credentials or financial data. MITM attacks can occur in various ways, such as through the use of rogue access points, DNS spoofing, DHCP injection, or session hijacking. These attacks can be particularly effective when the attacker is able to obtain a security certificate for the purpose of impersonating a legitimate website or service.

An example attack scenario is below:

Windows systems default to preferring IPv6 over IPv4. If a NIC on a Windows system has DHCPv6 enabled, it will periodically send out DHCPv6 configuration requests, even if it already has a valid IPv4 configuration. This gives attackers the ability to set up a rogue DHCPv6 server that advertises a DNS server address pointing to a system they control. Fox-IT's mitm6 is a common attack tool for this; the Windows client will accept that configuration and use it in preference to the existing IPv4 configuration.

Mitigations

Disabling IPv6 on clients is a knee-jerk reaction that may have unintended consequences, as IPv6 is an integral component of the Windows operating system. Instead, there are two alternative solutions that we recommend:

  1. Configure clients to prefer IPv4 over IPv6: This can be accomplished with a registry update. Setting the DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents to decimal 32 (0x20) will configure Windows to prefer IPv4 over IPv6 (setting it to decimal 255 will disable IPv6 entirely). The change takes effect after a reboot.
  2. Configure clients to disable IPv6 configuration requests: This can be done with a simple PowerShell script that runs at login. It must run elevated, since Set-NetIPInterface changes system-wide network settings: Get-NetIPInterface -AddressFamily IPv6 | Set-NetIPInterface -RouterDiscovery Disabled -Dhcp Disabled

Enabling either of these two configurations should render this attack useless. We lean towards setting the preference to IPv4 over IPv6, as this still allows systems to request a DHCPv6 configuration when they are off the corporate network and attached to an IPv6-only network (e.g., MiFi hotspots and some hotel wireless networks).
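The following script is an added example (not code from the original article) that applies, or with -Audit merely reports on, either of the two mitigations above; the -Mode and -Audit parameter names are this example's own, and it assumes an elevated session such as a GPO computer startup script:

```powershell
# Added example (not from the original article): apply, or with -Audit only
# report, one of the two client mitigations above. Run it elevated, e.g. as a
# GPO computer startup script. -Mode and -Audit are this example's own names.
param(
    [ValidateSet('PreferIPv4', 'NoDhcpv6')]
    [string]$Mode = 'PreferIPv4',
    [switch]$Audit     # report the current state and change nothing
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$prefer4 = 32        # 0x20: prefer IPv4 over IPv6 (255 would disable IPv6)

switch ($Mode) {
    'PreferIPv4' {
        $current = (Get-ItemProperty -Path $regPath -Name DisabledComponents `
                    -ErrorAction SilentlyContinue).DisabledComponents
        if ($current -eq $prefer4) {
            Write-Output "DisabledComponents already $prefer4; nothing to do."
        } elseif ($Audit) {
            Write-Warning "DisabledComponents is '$current'; expected $prefer4."
        } else {
            # Must be a REG_DWORD; the change takes effect after the next reboot.
            New-ItemProperty -Path $regPath -Name DisabledComponents `
                -PropertyType DWord -Value $prefer4 -Force | Out-Null
            Write-Output "DisabledComponents set to $prefer4 (reboot required)."
        }
    }
    'NoDhcpv6' {
        # Same effect as the one-liner above, but only touches interfaces that
        # still accept router advertisements or solicit DHCPv6.
        $open = Get-NetIPInterface -AddressFamily IPv6 | Where-Object {
            $_.RouterDiscovery -ne 'Disabled' -or $_.Dhcp -ne 'Disabled'
        }
        if (-not $open) { Write-Output 'No IPv6 interface still accepts RA or DHCPv6.' }
        foreach ($nic in $open) {
            $state = "$($nic.InterfaceAlias): RouterDiscovery=$($nic.RouterDiscovery) Dhcp=$($nic.Dhcp)"
            if ($Audit) { Write-Warning $state }
            else {
                $nic | Set-NetIPInterface -RouterDiscovery Disabled -Dhcp Disabled
                Write-Output "Hardened $state"
            }
        }
    }
}
```

Run it once with -Audit across a few machines before deploying, so you can confirm which interfaces are still soliciting DHCPv6 and whether any client already carries a non-default DisabledComponents value.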

Enable IPv6 in Your Environment

Enabling IPv6 in your environment is an unspoken mitigation that can be highly effective: a network with a legitimate, managed IPv6 configuration leaves far less room for a rogue one. However, enabling IPv6 requires careful planning and implementation, and is far beyond what we can describe in this article.

Honeypots!

One additional mitigation is a honeypot: a simple script running on a Raspberry Pi that issues dhclient -6 on a regular basis and sends an email alert if it ever receives a response. On a network with no legitimate DHCPv6 server, any answer is an attack, and because this is such a common attack vector, the honeypot detects attacks against your network with almost zero false positives.
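As an added example (not the article's Raspberry Pi script), here is a Windows-side variant of the same honeypot idea: instead of running dhclient -6, it relies on the built-in DHCPv6 client of a dedicated, otherwise idle Windows host and alerts when that client ever obtains a DHCPv6-assigned address or an IPv6 DNS server. The parameter names, the allow-list and the event source name are this example's own assumptions.

```powershell
# Added example (not from the original article): a Windows-side variant of the
# honeypot above. Instead of dhclient -6 on a Raspberry Pi it uses the built-in
# DHCPv6 client of a dedicated, otherwise idle Windows host (leave its IPv6
# DHCP and router discovery enabled) and alerts if that client ever obtains a
# DHCPv6-assigned address or an IPv6 DNS server. Schedule it every few minutes.
# The parameters, allow-list and event source name are this example's own.
param(
    [string[]]$AllowedV6Dns = @(),      # legitimate IPv6 DNS servers, if any
    [string]$MailTo, [string]$MailFrom, [string]$SmtpServer
)

function Get-RogueDhcpv6Evidence {
    # Addresses learned via DHCPv6 (a rogue server handing out leases)
    $addrHits = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' -or $_.SuffixOrigin -eq 'Dhcp' } |
        ForEach-Object { "DHCPv6 address $($_.IPAddress) on $($_.InterfaceAlias)" }
    # DNS servers pushed over IPv6 (the DNS-injection goal of the attack)
    $dnsHits = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv6) {
        foreach ($srv in $cfg.ServerAddresses) {
            if ($srv -and $AllowedV6Dns -notcontains $srv) {
                "IPv6 DNS server $srv on $($cfg.InterfaceAlias)"
            }
        }
    }
    @($addrHits; $dnsHits) | Where-Object { $_ }
}

$evidence = @(Get-RogueDhcpv6Evidence)
if ($evidence.Count -eq 0) { Write-Output 'No DHCPv6 response observed.'; return }

$body = "Unexpected DHCPv6 configuration on $($env:COMPUTERNAME):`n" + ($evidence -join "`n")
# Always leave a local trace, then e-mail if SMTP details were supplied.
if (-not [System.Diagnostics.EventLog]::SourceExists('IPv6Honeypot')) {
    New-EventLog -LogName Application -Source 'IPv6Honeypot'   # first run, needs admin
}
Write-EventLog -LogName Application -Source 'IPv6Honeypot' -EntryType Warning `
    -EventId 6601 -Message $body
if ($MailTo -and $SmtpServer) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "Rogue DHCPv6 detected on $env:COMPUTERNAME" -Body $body
}
```

The honeypot host must be the one machine on which you do not apply the mitigations above, otherwise it will never solicit and the script will never fire.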

Additional Mitigations

There are many other mitigations for IPv6 that can be very powerful in reducing cyber-risk. The list below contains some honorable mentions that should be implemented, but are perhaps outside the scope of this article. Many of these controls apply to IPv4 as well!

  1. Disable unnecessary IPv6 services: Administrators should disable any unnecessary IPv6 services on their network devices. This reduces the attack surface and limits the potential for exploits.
  2. Implement IPv6 firewalls: IPv6 firewalls can be used to monitor and control IPv6 traffic. This helps prevent unauthorized access and reduces the risk of exploits.
  3. Implement network segmentation: Network segmentation can be used to separate IPv6 networks from other networks. This helps to limit the potential for exploits and reduces the impact of any successful attacks.
  4. Use IPv6 address filtering: Administrators can use IPv6 address filtering to restrict the types of traffic that are allowed to enter their networks. This helps to limit the potential for exploits and reduces the risk of unauthorized access.
  5. Use IPv6 encryption: IPv6 encryption can be used to protect data in transit. This helps to prevent unauthorized access and reduces the risk of exploits.
  6. Implement IPv6 intrusion detection and prevention systems: IPv6 intrusion detection and prevention systems can be used to monitor and detect any suspicious activity on the network. This helps to prevent exploits and reduce the impact of any successful attacks.
  7. Filter out DHCP traffic on ports 67-68 from untrusted DHCP servers via port security on your switches (note that DHCPv6 itself uses UDP ports 546 and 547). Layer 2 switches may also offer DHCP snooping protections.

Conclusion

The benefits of IPv6 for small enterprises (and all enterprises) are a very controversial matter across the IT community. But the security implications that IPv6 access brings cannot and should not be ignored if you want to keep your environment secure. By following the mitigations outlined in this article, you can significantly reduce the risk of IPv6 man-in-the-middle attacks. However, it's important to remember that cyber threats are constantly evolving, and it's essential to stay up-to-date with the latest security measures. If you need assistance in implementing these controls or other security measures, don't hesitate to reach out to professionalservices@tridentstack.com.