Avast_Threat_ Research: Data exfiltration via IPv6
Quote:

Testing the capabilities of IPv6 and how malware could take advantage of it

Within the Aposemat Team, we’ve been working on testing the capabilities of IPv6 and how malware could take advantage of it. One of the topics we explored was exfiltration of data via the IPv6 protocol. In this post, we share our study into this topic.

What is exfiltration?

Exfiltration is the unauthorized exportation of sensitive data out of the network by connecting to an external destination and/or using covert channels. The latter is commonly used to exfiltrate information while remaining undetected or to avoid any measure in place to stop the migration of data. There have been numerous studies on this topic, and even to this day, data theft produced by breaches puts exfiltration in the center of attention.

To exfiltrate data, the networking and transport layers (shown in Figure 1) are commonly used, as are low-level layers that would require deep packet inspection to find occurrences or identify that the exfiltration is happening. They also provide fields and portions of data in the packet headers that are not commonly used or are zeroed out. These sections can be used to store portions of data and could go unnoticed when analyzing the packet captures.

Tools of the trade

Several tools exist to carry out exfiltration via the IPv6 network stack. We’ll describe IPv6teal and IPv6DNSExfil, and how these tools are used to exfiltrate data via IPv6.

IPv6teal

The first one is IPv6teal and consists of a receiver and a sender (exfiltrate) script. This tool makes use of the Flow Label field, which is used to label sequences of packets and has a fixed size of 20 bits (detailed in Figure 2). It makes use of this specific field because it could be variable and contain custom bits without impact on the packet reaching its destination. This detail makes it a good candidate for storing data that could reach an endpoint safely while being hidden in normal traffic.

To be able to fit more data in fewer packets, the author decided to use GZIP compression. In our tests, it took approximately two seconds and 15 packets to send a plain-text file containing the string THISISASECRET across the internet. The information is transmitted with a magic value that marks the start and end of the flow of data. These magic values also add more information about the data being transmitted.
...
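A defender-side check for the Flow Label channel the quoted post describes, added here as an example; it is not code from the Avast post or from IPv6teal. It parses raw IPv6 headers, extracts the 20-bit Flow Label, and flags address pairs whose label changes on nearly every packet, since a conforming stack keeps the label fixed for the life of a flow. The sample packets, the 2001:db8::/32 documentation addresses and the churn threshold are constructed assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

FLOW_LABEL_MASK = 0xFFFFF  # Flow Label is the low 20 bits of the first 32-bit word


def parse_ipv6_header(pkt: bytes):
    """Return (flow_label, src, dst, next_header) from a raw IPv6 packet."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _payload_len, next_header, _hop = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return first_word & FLOW_LABEL_MASK, pkt[8:24], pkt[24:40], next_header


def build_ipv6_header(flow_label: int, src: str, dst: str, next_header: int = 59) -> bytes:
    """Constructed test input only: a bare IPv6 header (59 = No Next Header)."""
    first_word = (6 << 28) | (flow_label & FLOW_LABEL_MASK)
    return (struct.pack("!IHBB", first_word, 0, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def flow_label_churn(packets, min_packets: int = 8, ratio: float = 0.5):
    """Group packets by (src, dst, next_header) and report groups where the share of
    distinct Flow Labels per packet exceeds `ratio` (assumed threshold). One fresh
    label per packet is the pattern a Flow Label covert channel produces."""
    seen = defaultdict(list)
    for pkt in packets:
        label, src, dst, nh = parse_ipv6_header(pkt)
        seen[(src, dst, nh)].append(label)
    report = {}
    for (src, dst, nh), labels in seen.items():
        if len(labels) >= min_packets and len(set(labels)) / len(labels) > ratio:
            key = (str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), nh)
            report[key] = len(set(labels))
    return report


# Constructed sample: a normal TCP flow keeping one label, and a stream of 15 packets
# (the packet count the post reports) whose label differs on every packet.
NORMAL = [build_ipv6_header(0x12345, "2001:db8::10", "2001:db8::1", 6) for _ in range(10)]
SUSPECT = [build_ipv6_header((0x0A001 + 0x3F7 * i) & FLOW_LABEL_MASK,
                             "2001:db8::20", "2001:db8:ffff::9", 58) for i in range(15)]

if __name__ == "__main__":
    print(flow_label_churn(NORMAL + SUSPECT))
```

Feeding real captures means slicing the IPv6 header out of each frame first; the heuristic keys on address pair and Next Header, so a host with many short parallel flows to one peer should be tuned with a higher ratio or a 5-tuple key.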