Header Steganography: Abusing the IPv6 Header and Prefix-Delegation for Data Exfiltration

Presented at CackalackyCon 1 (2019), June 2, 2019, 2 p.m. (60 minutes).

The most widely used network-based data exfiltration techniques typically rely on the higher layers of the OSI model in IPv4 networks. The risk with using these higher protocol layers is that IDS/IPS signatures and SIEM rules can be written to spot protocol anomalies and thwart exfiltration. Enter IPv6. Designed to address the growing number of network-connected devices, IPv6 expands the IP address space from 32 bits to 128 bits. Now, with more addresses than stars in the universe (~1×10^24), providers are issuing trillions of routable addresses to their customers. By utilizing the unused space that will inevitably exist in most IPv6 networks, paired with the expanded protocol header fields, low-data-rate exfiltration becomes possible using only Layer 3 protocol headers, with the added bonus of a low risk of detection.
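The abstract's channel lives entirely in the fixed IPv6 header and in the spread of destination addresses across a delegated prefix, so a defender's first check is on exactly those fields. The following is an added example (not material from the talk or its presenters) that decodes the 40-byte IPv6 header and flags a source that cycles through many flow labels or many interface IDs under one destination /64; the thresholds and the sample traffic are constructed assumptions for illustration.

```python
import struct
from collections import defaultdict

def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header (RFC 8200)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    return {"version": word0 >> 28, "traffic_class": (word0 >> 20) & 0xFF,
            "flow_label": word0 & 0xFFFFF, "payload_len": plen,
            "next_header": nxt, "hop_limit": hlim,
            "src": pkt[8:24], "dst": pkt[24:40]}

def build_ipv6_header(src: bytes, dst: bytes, flow_label=0, traffic_class=0,
                      hop_limit=64, next_header=59, payload_len=0) -> bytes:
    """Build constructed test headers; next_header 59 = 'No Next Header' (Layer 3 only)."""
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", word0, payload_len, next_header, hop_limit) + src + dst

def score_sources(packets, prefix_bytes=8, label_thresh=4, iid_thresh=8):
    """Per source address, flag (a) many distinct flow labels and (b) many distinct
    interface IDs under a single destination /64. Thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"labels": set(), "iids": defaultdict(set)})
    for pkt in packets:
        h = parse_ipv6_header(pkt)
        s = stats[h["src"]]
        s["labels"].add(h["flow_label"])
        s["iids"][h["dst"][:prefix_bytes]].add(h["dst"][prefix_bytes:])
    findings = {}
    for src, s in stats.items():
        reasons = []
        if len(s["labels"]) >= label_thresh:
            reasons.append("flow_label_churn")
        if any(len(v) >= iid_thresh for v in s["iids"].values()):
            reasons.append("dst_iid_spread")
        if reasons:
            findings[src] = reasons
    return findings

# Constructed traffic: one ordinary host, one host behaving like the channel described above.
BENIGN_SRC = bytes.fromhex("20010db8000000010000000000000010")
NOISY_SRC = bytes.fromhex("20010db8000000010000000000000099")
SERVER = bytes.fromhex("20010db8ffff00000000000000000001")   # one /64, one fixed IID
SAMPLE = [build_ipv6_header(BENIGN_SRC, SERVER, flow_label=0x12345) for _ in range(10)]
SAMPLE += [build_ipv6_header(NOISY_SRC, SERVER[:8] + i.to_bytes(8, "big"),
                             flow_label=(0xABC00 + i) & 0xFFFFF) for i in range(16)]

if __name__ == "__main__":
    for src, reasons in score_sources(SAMPLE).items():
        print(src.hex(), reasons)
```

In production the same counters would be kept per source over a sliding window from NetFlow/IPFIX or packet capture rather than from a static list.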
