My talk doesn't start for eight minutes, but they gave me permission to tell you something outside my talk first, which I totally want to do, because there's something great that happened last week, and it was way too late to get it in my talk. So forget about this for eight minutes. We'll get back to that. What I want you to see is the LNK vulnerability. How many people know about the LNK shortcut vulnerability? Yeah, not even half of you. That means you guys can totally take over those guys. So on my website, samsclass.info. They had Wi-Fi on my airplane, so I got this working on the plane to another conference. I just got back from there, and we did it down there. This is awesome, and you don't need to know anything. So I wrote it up here, and I tried to get it in the Speaker's Corner, but I was too late to do it. So go to samsclass.info, and you can take over everybody around you, and everybody in the whole blasted world right now. This is one of those rare times. So what's going on is that Microsoft has a vulnerability that was found in their operating system, so that with link files, the routine that draws the picture on the screen for the icon has a bug in it, and I don't know exactly what it is. It's something like a buffer overflow, but anyway, you can put malicious binary in that file. So just viewing the file and seeing the icon means you're owned. So you can do it, and the glorious HD Moore put it in Metasploit, so all you do is load up Metasploit and issue the same old commands you always use in Metasploit. You tell it use exploit, show payloads, choose a payload like reverse TCP Meterpreter, and then your victim... you just have to trick your victim into going to a website in Internet Explorer, or going to an SMB share, because what you make is a malicious server, but if they go and view your server, IE will pop to Windows Explorer, and they will see a window with these two files.
And when this was originally found in the wild, it was traveling on USB sticks and it was taking over power stations through SCADA. But the first step of that attack, which is a three-stage attack, was this one, which is awesome. So as soon as you see this shortcut and the little picture appears, it's all over. You are owned. It has injected this DLL into memory and executed it, and if you're using Metasploit, it phones back to you saying, please control me, and you control it, and you own that box. And that's what these instructions show you how to do. Metasploit looks like this when you're running it. Then when they connect, it does all this complicated stuff back and forth, sending more and more stuff over to the victim. And eventually, when it's done with all that hogwash, you get a session open. And then you just open the session, and you have a command prompt on that machine, and you can do whatever you want to it. I, of course, just go to the desktop, make a directory called "owned", and your victim will just see directories start appearing on the desktop. It's wonderful. And there's nothing you can do about it. At least nothing easy. There is no Microsoft patch. There are some things you can do, though, and that's, of course, the serious side of this. This is an awesome demonstration for students to get their attention, and it'll be homework for all my students next semester, but it'll be old and tired by then, like all my other homework, stuff that's been patched, so you have to get an old machine that's not patched, and then you can see it. But right now, you can do it to real living machines. And if they want to be patched, they have to go off the map. And you can use... Sophos made a nice tool that will patch it. Microsoft Security Essentials apparently detects it, because we tried it in the classroom two days ago in Orlando, and a guy with Microsoft Security Essentials, it popped up and saved him. So that's cool.
So if you want to be safe, probably the most reasonable, sane thing to do is put on Microsoft Security Essentials. I imagine the other antivirus products will eventually catch it too. And maybe they already have. But anyway, there's a Microsoft workaround, but it stinks. You have to hack the registry, and you have to turn off the display of all icons. So anyway, all your icons look like dirt. So it's not much fun. Anyway, this is great for me that the previous speaker ended a bit early, because I was thinking, I can't add this to my talk. And this is exciting. So you should all take over everybody around you on Windows, and then you can laugh. Because at DEF CON, you can do this stuff. And this is, as far as I know... it's not common that you have these living zero-days with no patch, but it means that every server on the internet running Windows, and almost everybody running a Windows machine in here, like me, is probably vulnerable. As a matter of fact, I am vulnerable. I never get around to patching my own box. Which is commonly the case with attacking boxes: you never patch them. I never run the firewall, right? I'm always getting all that junk out of my way. So yeah, you could take me over actually, but you have to trick me into clicking on your link. Anyway, let me see if it's time for my official talk yet. Looks like it is. Is there an authority figure? There you are. Is it time to get started? Okay, he says it is. Alright, so let me depart from that, which is great stuff. But it's not my official talk here, which is also extremely important. I'm here on a mission from God. Okay. Which is IP version 6. Now, I've heard about IP version 6 for years and years, and it was like this total waste of time that I didn't really care about. And it seemed all complicated. And about three years ago, for some reason, I got all excited. And I tried to do it.
And I got my best student, and we spent six weeks replacing the firmware of routers with DD-WRT and putting on things that were supposed to make it route IP version 6, and we couldn't make it work. We just got fed up and gave up. One other student of mine actually got it working, because he had a Cisco router at home. But it would cost $200 a month to get IP version 6 to your house. And I said, well, you know, there's no point teaching anybody anything yet, because there's no equipment worth having yet that you can afford in your house. And I'd better wait for them to do that. But in the back of my mind, the reason why I thought it would probably be okay is because there's Class D and E just sitting there. 32 Class As is enough to last us five or eight more years. So I figured there's really no crisis coming. But then I went to Hurricane Electric in Fremont, California. I went to a talk there and they told us about IP version 6, and ARIN, the American Regional Internet... Internet Number Association, something like that, the people that really hand out the IP addresses, were there, and they said they are not going to hand out D and E for general use. So we're coming into a time of crisis, and nobody is ready. And I knew this was my mission from God: to make sure all you people know about the crisis and what you can do about it, because it's easy this time, thanks to Hurricane Electric. So I'm Sam Bowne. I teach at City College, San Francisco, and everything, my talk and everything, is all on the web. All my stuff is always available for anybody to use. So let me show you why I care. IP version 4, we've all seen these addresses, 192.168.1.10. And of course, in binary, that's a 32-bit binary number. And then we all know how to subnet that and everything, but there's only 32 binary digits. So there's only two to the 32 of them. And that's only 4 billion. And that's ridiculous, right?
There's 7 billion people, and how many devices do you have on your body right now that need an IP address? I must have four. And when I'm in my house, I have another 12. And you know, there's no way 4 billion is ever going to cut it. So that's a problem. IP version 6 is the answer. Make the addresses really long and disgusting, like this, in hexadecimal. That is an IP version 6 address; learn to love it. That is 128 bits long. And the good thing about that is there are enough of them, of course. That is 256 billion billion billion billion. So until we colonize the entire galaxy and have every atom in our body independently addressed, we're not going to run out of those addresses. So we will not have to have IP version 7 in another 10 years. At least not because we ran out of addresses. And we really are running out of IP version 4 addresses. Here's the current situation. There are 256 Class A blocks of 16 million, which is how they are commonly allocated. And we are now down to maybe 16 left. And they've already allocated something like six or eight of them this year. They're going to completely run out of them in 2011 at the current rate. It is an estimate, because they are not allocated on a regular timetable, but they're going to run out in about one year. In about one year, whoever invents the new cell phone, or iPad, or any kind of gizmo and wants to sell 50 million of them is going to go say, okay, I have 50 million more things to attach to the internet. And ARIN is going to say, tough, the internet is full, you cannot attach any more devices to it. This is not going to be fun. So there's a crisis coming. We could see it coming 10 years ago. And we're now down to less than one year left. And nobody cares. Everywhere I go, most everybody, about 90% of my audiences, have no interest in IP version 6 at all. They still think the way I did four months ago, that it was some piece of nonsense.
It's just a fake crisis like Y2K, because they can just hand out those D and E addresses; they're just sitting there. And here is the projected timetable. The main reservoir of addresses will run out in 2011. But the regional internet registries will have some left over, which they can continue to distribute, and they will begin running out in 2012. That's the prediction. And then people will really go and there won't be any more IP addresses available. That's the end of the world. The internet's full. Pack up the internet and go do something else. That's not going to be a hit. But let me tell you what's already started happening. I brought this up two years ago to my network administrator. City College, we have a whole Class B address space. We have 65,000 IP addresses. And we're only using 30 of them for public-facing web servers. So we don't need them. So I wanted to sell them a long time ago, because we're broke. We need money. And I went to my network administrator and he said, you can't sell them. We don't really own them; they're on loan or rent from some agency like IANA. But they just changed their policy about a month ago, so you can really sell your IP addresses now. Because they said there are only two possibilities in the next year. There's either going to be a black market for used IP addresses or there's going to be a white market for used IP addresses. So we might as well choose the second of these two alternatives. And now when people apply to them and try to get IP addresses, they actually investigate why you're getting them, because they want to determine if you really are going to use them or if you're just hoarding them so you can scalp them and sell them later. Speculators in IP addresses. And that's all coming. So in about a year, panic will set in, and in about two years, I think we can really get a million bucks for our Class B. That's my goal. But we'll see. Because we don't need it.
What you'll have to do instead of getting fresh IP addresses is get IP version 4 addresses from some other company that was smarter than you and already went to IPv6. And that's what we're doing. And that's what all of you should do as soon as possible. Anyway, the Department of Defense changed to IP version 6 in 2008. They had a goal and they met it. They had the whole network runnable on IP version 6 in 2008. That is what put pressure on the operating systems, like Microsoft put it in Windows XP. And they put it in very well in Vista and Windows 7. It's in Linux. It's in Unix. It's in the Apple, although Apple did a pretty bad job of it. But they will eventually be pressured to fix it. The rest of the federal government will switch in 2012 to IP version 6. And therefore, since every large manufacturer has to sell to the government, they have all been pressured into putting IP version 6 in their products, even though there was no significant amount of traffic on the backbone in IP version 6 yet and no significant consumer demand for it yet. But it's coming, and there will be a huge rush for it. And when it comes, there will be mad chaos, because we are not ready and most manufacturers and technicians are not getting ready. So the people that do know are going to be sitting pretty, and that should be you. And it's going to be my students, because whether they like it or not, they're all going to do IP version 6 homework next semester. And my prediction is they will be glad of that in a year. So here's the summary. This is the current state of the internet. And this is our fate. Those who accept soon will have a position of power in the new order. Those who resist will be crushed. So now that you have hopefully been motivated, you can now face the problem I faced, which is, what do you do? Because there are big, thick books full of long, complicated, irritating things.
And I looked at Microsoft's recommendation for an IP version 6 lab and it was 260 pages long. And I said, how can it be this hard? It doesn't have to be that hard if you're a wimp. If you want to do it the Microsoft way and get all your domain controllers and Exchange servers and everything, there's a bunch of fancy stuff you have to do. But you can get started and do the essentials easily, and it's fun and it's a game. So anyway, here's the plan. One plan, which is really popular, is to ignore it and hope it just goes away. This is not a practical plan, but it's the most popular one. The other one is to buy a gateway. And this is what's really going to happen, unfortunately, in everybody's house, because they have a bunch of legacy equipment in their house that's IP version 4 only. So they are going to buy an IP version 6 device that will convert it to IP version 6 to go on the internet. And there are currently four incompatible standards for that and four manufacturers making poorly designed devices to do that. So in the future, actually making a game connect to a game over here is going to require 16 combinations of imperfect translation on the way. And even more than that, ARIN will be giving some talk here and they may get into this. But the IETF guy at the last conference I went to is very unhappy, because there's now NAT 4-to-4, changing IP version 4 to other version 4. There's NAT 4-to-6. There's NAT 6-to-4, and now there's even NAT 6-to-6, which was never supposed to happen. The whole point of IP version 6 was going to be end-to-end addressing, but that's already broken, because the end-user machines can't handle the multi-homing. And I'll show you a little bit of that later. Anyway, so gateways are in the future and they're going to be a bloody mess, but companies are not going to use them. What you really want to have is dual stack at your company. This is the goal for the foreseeable future.
For the next 10 years we're going to have to run both IP version 4 and IP version 6 on our whole networks, because everybody's going to have a mix of devices. And right now you can run IP version 4 only, but in 360 days... and therefore all the people that plan more than a year ahead have already begun doing this, like Comcast and Verizon and Facebook and Google. They're already putting up IP version 6 properties, so soon there will be IP version 6 only websites and IP version 6 only end-user devices. I think it's Verizon cell phones that are already IP version 6 only. It might be Comcast. I get it mixed up. One of those companies has already decided to use IP version 6 only on their cell phones. Smart meters are IP version 6 only, and Japanese televisions are IP version 6 only. And they get converted at the enterprise network address translation. Anyway, in the short run the trick to get started learning is to use a tunnel. This is awesome. If you tunnel, you can take an existing IP version 4 internet connection and you can run IP version 6 over it. Now of course this does not solve the problem. You're still using an IP version 4 address. It makes all your performance in IP version 6 inferior to your IP version 4 and all that, but it means you can learn how to do it now. And then you've got everything ready when you get native IP version 6 from your internet service provider, which is coming very soon. AT&T offers it now, I've been told, on their latest U-verse, and various providers... I think Comcast just had their first rollout in California a month ago of IP version 6 directly to businesses. So it's coming. So the fast thing is to set up a tunnel, and you can all do this right now, and all my students are going to do it, and you should, because it's great. There are free tunnel brokers out there. Hurricane Electric runs one called Tunnelbroker. SixXS is one someplace in Europe. gogo6 is my favorite because it's easy.
You don't have to do anything to get a gogo6 tunnel up except use Windows. And if you can't stand that, you should try one of the others. But here's gogo6, and let me just show you, because I am on IP version 6 right now. I'm connected with a wire to this DEF CON network. I'm using Windows 7, and so here is my local area connection down here. I have an IP version 4 address of 172.168.233. Now this FE80 address is a link-local address; that's like a 169.254 address. It can only be used for local traffic, but I'm tunneling through the gogo6 server. And I should have it running in one of my other panes here. There it is, the gogo6 client. This is awesome, because once you set it up you don't have to touch it, and everywhere I carry my laptop, it connects to IP version 4 at a coffee house and within a minute the IP version 6 tunnel turns on, so I always have IP version 6 and I don't have to do anything to earn that. Because it automatically connects with a non-authenticated free account to these guys, and I can choose how I want to do it. Right now I'm using the most universal one, UDP traversal. It will go right through network address translation and right through everything; I can go anywhere. It goes right through firewalls. It sends UDP packets out, and inside the UDP packets is IP version 6 hiding inside the IP version 4. And if I want to see my address, here is my glorious IP version 6 address. A long horrible mess, but I've got it, and if I want to see the effect I can go look at the SixXS website. Let's go to this one and just go to SixXS, and the awesome bar should find it. OpenDNS. Well, here it is, SixXS. Alright, and SixXS are the people that run one of those many tunnels, but the particular thing that's cool about them is at the bottom they will tell you whether you've got it. Typically, or now it's not doing it for me. As always, I'm getting a host... Enter website. Oh okay. OK. And here we are at the bottom. It should tell me you've got IP version 6. Non-SSL IP version 6 connection.
It puts my address there. It's not as clear as it could be, but there it shows, that's my IP address. You can make your IP address look a little smaller, and let me go back to my slides, but that shows I connected over version 6 instead of version 4, and that's the point. Now I go back to here and show you... actually I'll go back and do a couple other things, but I've got my IP version 6 connection up. I can ping. You know, you're probably used to this. If I ping yahoo.com I see some replies from those boring old IP version 4 addresses, but if I ping google.com I get IP version 6 by default, because it prefers it, and that's Google's IP version 6 address. If you want to see what they've got, you do nslookup in interactive mode; you can set the query type to give me the A record, which is IP version 4, and the IP version 6 record, which is four times longer, is the AAAA record, and now I can look up google.com and I can get them both. There's the IP version 4 address for Google and the IP version 6 address for Google. Now most people... Facebook... I've got my server, I'm using an IP version 6 DNS server, but see, Facebook only has IP version 4 DNS records, but if you do, I think it's v6.facebook.com... and I guess not. They do have an IP version 6 presence, but it's not resolving for me now, and I'm not going to struggle with it, because something always has to go wrong, but anyway that's the deal there. So let me just show you the way to do this; it's fun. Hurricane Electric made a certification process and I finished it, and I can tell my students are going to suffer through it.
So here's what you do. You first prove that you're an IP version 6 client, and then you make it to a certain level. Then you prove that you run a web server that responds to IP version 6 requests. Then you set up a DNS server... or, excuse me, then you set up a mail server that takes IP version 6 email, and then you set up a DNS server that takes IP version 6 DNS resolution and hands out that quad-A record, and then you set up a DNS server that propagates an IP version 6 glue record to the root of your domain. Now, by the way, perhaps I won't feel so stupid: how many people know what a glue record is? Yeah, well, I didn't. You're smarter than me. Anyway, the glue record, you can learn about it if you do this certification, which I highly recommend, and it's fun. There are steps in it. So Google gave me a free cell phone. They gave you an Evo, which is awesome, but they didn't tell us they were going to give us an Evo at this conference, so they mailed me a Droid six weeks before the conference. So I transferred my service to the Droid. Then when I got the Evo I said, this Droid was wonderful six weeks ago, but it's junk now, it's junk, I have my Evo. So I transferred to there and gave the Droid away to the student that would get the highest certification, and they embraced this. This was a hit. So they had 30 days to get the highest level of IP version 6 certification. One of them made it all the way to the end. And if you do make it all the way to the top, where you have all those things working and you are a Sage, you get a t-shirt. And I told them that if they gave me the t-shirt I would wear it to DEF CON, and they mailed it to me right before the conference. So this is the awesome t-shirt you get for being a Sage, and there is every possible fact... thank you... you get every possible fact about IP version 6 crammed on the back, including one typo, which someone pointed out on Twitter. That should be your homework: find the typo on this shirt. You have to get it. But anyway, I highly recommend getting these
certs, and it's really fun. And let me check my time here. Right, I may not demonstrate the stages here, but you take some multiple choice tests and then you just connect. It's like a video game: you connect, it detects whether you've got it, they say, does your web server host this file? No? Get lost, come back later. So it's really a lot of fun and you ought to all do it, that's my opinion, unless you already know everything about IP version 6. So I promised to say something about hacking, since we are a security conference, and it is actually extremely important to the hackers in here to be fast, because IP version 6 is a security nightmare, because just to set it up you usually have to turn off all security devices just to get it going, and most of your security devices are not IP version 6 capable, so typically you bypass the firewall and everything on the way in. So here's just a few things about it. The IP version 6 addresses: 64 bits for routing and 64 bits for the host. The 64 bits for the host are made up by each host; they are not distributed by DHCP typically, although they can be. Your device just makes up its own address by using its MAC address. The MAC address determines the outer six octets; the inner six octets are FFFE, don't ask me why, but that's called the extended unique identifier, and it means that everything you send or receive is labeled with your real MAC address, and therefore if you were to do something naughty like download copyrighted material, they would know who you are much better than they do if all they have is an IP version 4 address. So Windows Vista and Windows 7 have privacy extensions turned on by default, so it makes up a random number instead of using the recommended EUI, which also tends to break addressing, but it does have the effect of protecting your privacy. You can turn that off if you want to, and many companies prefer to turn that off so that they can tell who's connecting and have policies to let this person do one thing and
that person do another thing. Anyway, ICMP version 6, good old ping: this is optional in IP version 4, and everyone got so tired of it they pretty much blocked it at the router, but in IP version 6 you must have it, because it replaces ARP. There are no broadcasts in IP version 6; there are nothing but multicasts, and you find your neighbors with Neighbor Discovery Protocol over ICMP version 6. There's a hacker's toolkit for IP version 6, THC; this rocks. And I went to a Google conference on IP version 6 and they had an IP version 6 network and we were connected, and so I immediately loaded a bunch of virtual machines on top of my Windows 7. It connected through IP version 6 through the virtual NIC, which I didn't think would work, and then I loaded the hacker's toolkit, which I'd never seen until I found it right there, and I did a scan and I was able to find people. Here, you could never do a normal ping sweep in IP version 6; you could not sweep 2 to the 64 addresses to go through your subnet, it would take forever, but you can use neighbor discovery, which is pretty much like just sending a broadcast ping, and they just tell you where they are, because they need to for ARP. It's like the ARP cache, and there's a list of everybody at that conference; just picked them right up with IP version 6. Anyway, I just mentioned security appliances typically don't do anything for your IP version 6 yet; they aren't ready. So you can run torrents over IP version 6; the torrent fiends know this. You can usually do that; the blocks don't block it. One other thing that's fun is the packet amplification attack. You can run a routing header 0. There's a header in front of each packet, which can lead to more headers, and you can use routing header 0 to specifically specify the path for your packets to take, and you can tell it to follow a path that's going to make a loop, so much so that RH0 has already been deprecated before IP version 6 is even hardly rolled out. They've already deprecated a few standards that cause
problems. And the other one that's really funny is the ping-pong. Every subnet in your network should be a /64; that's the rule, to avoid going mad. You could have subnets from /1 to /127, for the Cisco guys out there, and you would use a /126 to make a subnet with only two addresses for a point-to-point link, but they recommend using a /64 for everything, because you've got so many addresses you can waste them. But if you do, if I make one end of the cable end in 1 and the other end end in 2, all I have to do is send in one packet destined for 3 and coming from 4, and this packet will return an ICMP unreachable, and this packet will return an ICMP unreachable. It will flood the packet completely at line speed. One packet, that line is dead. There are devices out there that really fall for this, and if you have a long memory you may remember TFTP had a similar problem. TFTP, originally as written in the RFCs, Trivial File Transfer Protocol, said you can send data and it's acknowledged; every packet will always be acknowledged; if there is an error you will send an error acknowledgement, and that will have to be acknowledged. And you know, they didn't think of this, but TFTP works until the first error, and then it floods the wire with bang bang bang, acknowledging each other back and forth. They patched that. Anyway, those are just a few of the problems coming up, and I guess I've run out of things to tell you. This is... everything's on my website if you want it, and we're going to have the questions in room 106, and I think I might even have... oh, I'm right on time. I think I will stand at 120, I reckon. All right, so let's go to room 106 if you've got any questions.
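The nslookup demonstration in the talk sets the query type to A and then to AAAA and shows that the IPv6 record is four times longer. The following is an added example, not from the talk or from any tool the speaker used: it builds a DNS query for an A or AAAA record in wire format and parses the answer section of a reply, so that the 4-byte versus 16-byte RDATA difference is visible in the bytes rather than only on the nslookup screen. The name `www.example.com`, the addresses `192.0.2.10` and `2001:db8::10`, and the `build_response` helper that plays the role of a server are all constructed for the example (documentation ranges, not real hosts).

```python
import ipaddress
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) for one name and one record type."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def read_name(msg: bytes, off: int):
    """Decode a name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in its original position)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg: bytes):
    """Return (name, type, address) for every A and AAAA record in the answer
    section; other record types are skipped. RDATA length tells the two apart:
    4 bytes for A, 16 bytes for AAAA."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", str(ipaddress.IPv6Address(rdata))))
    return answers


def build_response(query: bytes, records) -> bytes:
    """Constructed server reply for offline use (hypothetical helper): echoes
    the question and answers with compression pointers (0xC00C) back to the
    question name, which starts at offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = b""
    for rtype, addr in records:
        rdata = ipaddress.ip_address(addr).packed
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + body


# Constructed records in documentation ranges, not real hosts.
SAMPLE_RECORDS = [(TYPE_A, "192.0.2.10"), (TYPE_AAAA, "2001:db8::10")]

if __name__ == "__main__":
    for qtype, label in ((TYPE_A, "A"), (TYPE_AAAA, "AAAA")):
        query = build_query("www.example.com", qtype)
        reply = build_response(query, [r for r in SAMPLE_RECORDS if r[0] == qtype])
        print(label, parse_answers(reply))
```

Against a live resolver, the bytes from `build_query` would be sent in a UDP datagram to port 53 and the datagram that comes back handed to `parse_answers`; the constructed `build_response` only stands in for that resolver so the example runs offline.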
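The talk's point about the host part of the address being derived from the MAC (the EUI-64 identifier) and about privacy extensions replacing it with a random number is worth seeing in code. This is an added example, not code from the talk: it builds the modified EUI-64 interface identifier as RFC 4291 defines it (the 48-bit MAC split in half, FF:FE inserted between the halves, and the universal/local bit flipped), combines it with a /64 prefix, reverses the derivation to show exactly what an observer can recover from such an address, and contrasts it with a random privacy-style identifier. The MAC `00:1a:2b:3c:4d:5e` and the prefix `2001:db8:1:2::/64` are constructed; `find_mac_leaks` is a hypothetical audit helper of the kind an administrator could run over a neighbor table to see which hosts have privacy extensions turned off.

```python
import ipaddress
import os
import re


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    split the MAC in half, insert FF:FE between the halves, and flip the
    universal/local bit (0x02 in the first octet)."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac.strip()))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """SLAAC-style address: the /64 prefix followed by the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac)))


def mac_from_address(addr: str):
    """Reverse the derivation: return the embedded MAC if the interface
    identifier carries the FF:FE marker, else None (a random privacy-extension
    identifier will normally not carry it)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


def privacy_address(prefix: str) -> str:
    """Temporary address in the spirit of RFC 4941: a random 64-bit identifier
    with the universal/local bit cleared. Simplified: no lifetimes, no
    duplicate-address detection."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD                             # clear bit 0x02: locally generated
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid)))


def find_mac_leaks(addresses):
    """Hypothetical audit helper: map each address that embeds a MAC to that MAC."""
    leaks = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is not None:
            leaks[addr] = mac
    return leaks


# Constructed sample values, not a real device or network.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8:1:2::/64"

if __name__ == "__main__":
    link_local = eui64_address("fe80::/64", SAMPLE_MAC)
    global_eui = eui64_address(SAMPLE_PREFIX, SAMPLE_MAC)
    temporary = privacy_address(SAMPLE_PREFIX)
    print("EUI-64 link-local:", link_local)
    print("EUI-64 global:    ", global_eui)
    print("privacy address:  ", temporary)
    print("MAC recoverable:  ", find_mac_leaks([link_local, global_eui, temporary]))
```

The same MAC yields the same identifier under every /64 prefix the host visits, which is why an EUI-64 address tracks a device across networks and why the audit helper flags it; the random identifier changes per network and per lifetime and gives an observer nothing to correlate.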