Home page logo

dailydave logo Dailydave mailing list archives

Another Microsoft (and other) IPv6 security issue: sniffer detection
From: Marc Heuse <mh () baseline-security de>
Date: Fri, 15 Apr 2011 02:10:53 +0200

Hi Daily Davers,

another neat security issue with IPv6 which can be also exploited on
IPv4-only LANs. (and yes, this one *is* zEr0 DaY ;-) )

It is possible to identify hosts on the local LAN which are sniffing.
But before spoiling the details, a small rant. Skip it if you don't care.

I am mad at Microsoft how they ignore severe but local LAN security
issues. (see

I usually only publish an advisory if the the vendor does not fix the
bug in a timely fashion (> 6 months) or it was a deliberate backdoor.
So when I found the IPv6 Router Advertisement flooding DOS, I was
surprised that Cisco fixes the bug fast - and Microsoft doesnt.
It is their stand (as can be read in an interview they gave here
that local LAN attacks are nothing to worry about, as this is only
possible if someone is already in the trusted environment.
That "trusted environment" can mean a conference or university network,
or a public WLAN, doesnt seem to be a problem for Microsoft.

But picture my surprise when I reported Microsoft that it is possible to
detect a Windows system sniffing on the local LAN - they will fix this
security issue.

Yes, read again. Sniffing detection is a serious security issue for
Microsoft to fix, but DOSing all Windows systems on the same network is
nothing to move a finger for.

Enough ranting, lets get the details.

All you need to do is sending an ICMPv6 Echo Request packet to the
potentially sniffing host with a multicast MAC address. Multicast MAC
addresses are special MAC addresses that a system can choose to look
for; they start with 03:03:.....
The multicast MAC address you choose may of course not one the host is
listening to, 03:03:99:00:00:99 should be a safe choice.

This can be tested with the thcping tool from the thc-ipv6 package
YOUR-MAC 03:03:99:00:00:99 foo
Run a sniffer (e.g. in non-promisc mode ;-) and see if you get an echo
reply. If so, the target host is sniffing.

The target host's link local address can be created from it's MAC
address, e.g. if it is 00:30:48:53:aa:aa, then the link local address is
fe80::230:48ff:fe53:aaaa (note the bit flip on the first MAC address octet).

There is also a way to send this to all local systems at once via
ff02::1, however this involves crafting a special error generating
destination extension header.
(this might even work with IPv4 pings and multicast MACs and not even
need ICMPv6 at all, haven't tried, didn't care.)

Affected OS:
Windows 2008, 7, Vista in default config; 2003, 2000, XP when IPv6 is
Linux in default config
FreeBSD when IPv6 is activated

CVEs: CVE-2010-4562, CVE-2010-4563
Vendors informed on the 29th December 2010

This does not count as a security advisory :-)


P.S. For the historians, funnily I found a similar issue for IPv4 in
1998 which could detect sniffing Linux machines. History repeating.
Especially with IPv6.

Marc Heuse
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
  • Another Microsoft (and other) IPv6 security issue: sniffer detection Marc Heuse (Apr 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]