Whilst picking through the responses to the latest Spy Hunter challenge I stumbled over some interesting behaviour when using whois to query various kinds of IPv6 addresses, especially those related to v6-over-v4 tunnelling mechanisms. It turns out it’s rather insightful.
As a baseline, let’s start by performing a whois of a non-tunnelled IPv6 address – it’s pretty straightforward, as you would expect:
```
user@box:~$ whois 2001:200:dff:fff1:216:3eff:feb1:44d7
% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inet6num: 2001:200::/32
netname: WIDE-JP-19990813
descr: WIDE project
country: JP
remarks: upgraded from /35
admin-c: JM46-AP
tech-c: AK27-AP
tech-c: SU19-AP
status: ALLOCATED PORTABLE
notify: kato@wide.ad.jp
notify: zin@wide.ad.jp
mnt-by: APNIC-HM
mnt-lower: MAINT-JP-WIDE
changed: hm-changed@apnic.net 20030423
changed: hm-changed@apnic.net 20071109
source: APNIC

person: Jun Murai
address: Keio University
address: 5322 Endo Fujisawa 252-8520
country: JP
phone: +81 466 49 1100
fax-no: +81 466 49 1101
e-mail: junsec@wide.ad.jp
nic-hdl: JM46-AP
mnt-by: MAINT-AU-APNIC-GM85-AP
changed: kato@wide.ad.jp 19990729
source: APNIC

person: Akira Kato
address: Keio University, Graduate School of Media Design
address: 4-1-1 Hiyoshi, Kohoku, Yokoahama 223-8526
country: JP
phone: +81 45 564 2490
fax-no: +81 45 564 2503
e-mail: kato@wide.ad.jp
nic-hdl: AK27-AP
mnt-by: MAINT-JP-WIDE
changed: kato@wide.ad.jp 20090225
source: APNIC

person: Satoshi UDA
nic-hdl: SU19-AP
e-mail: zin@jaist.ac.jp
address: Japan Advanced Institute of Science and Technology
address: Center for Information Science
address: 1-1 Asahidai, Tatsunokuchi, Nomi, Ishikawa 923-1292
phone: +81 761 51 1111
fax-no: +81 761 51 1305
country: JP
notify: zin@jaist.ac.jp
changed: zin@jaist.ac.jp 20040803
changed: zin@jaist.ac.jp 20041028
mnt-by: MAINT-JP-WIDE
mnt-by: MAINT-JP-JAIST
source: APNIC
```
In this case, there is a direct link between the IPv6 address and its “owner”, provided you trust what the whois server is telling you.
With tunnelled IPv6 addresses, there isn’t such a strong correlation between an observed IPv6 address and the actual IPv4 computer sourcing that traffic. Depending on the type, the IPv6 address may be “owned” by the tunnel provider, and one might be tempted to think that a whois query of such an address would merely tell you about the provider.
It turns out that whois is a bit smarter than that. Various flavours of IPv6-over-IPv4 tunnelling embed the original IPv4 address in the IPv6 address, and whois can parse it out for you. Taking a Teredo IPv6 address as an example, look at line 03 below (the “Querying for the IPv4 endpoint” line):
```
user@box:~$ whois 2001:0:5ef5:79fb:3447:18d4:b0b5:1c05
Querying for the IPv4 endpoint 79.74.227.250 of a Teredo IPv6 address.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '79.72.0.0 - 79.79.255.255'

inetnum: 79.72.0.0 - 79.79.255.255
netname: DSL-AS9105-UK
descr: Tiscali UK Ltd
descr: Milton Keynes
descr: Dynamic DSL
descr: ==========================================================
descr: Concerning abuse and spam ... Email abuse@talktalkplc.com
descr: e-mail to other addresses will not be dealt with.
descr: ==========================================================
country: GB
admin-c: TU935-RIPE
tech-c: TU935-RIPE
status: ASSIGNED PA
mnt-by: TU935-RIPE-MNT
source: RIPE # Filtered

role: Tiscali UK
address: Tiscali UK Limited
address: 11 Evesham Street
address: London W11 4AJ
phone: +44 207 087 2000
remarks: Information: http://www.talktalk.co.uk
org: ORG-TUL3-RIPE
admin-c: MJ3048-RIPE
admin-c: RH2381-RIPE
tech-c: MJ3048-RIPE
nic-hdl: TU935-RIPE
remarks: Hostmaster Role Account
mnt-by: TU935-RIPE-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@talktalkplc.com

% Information related to '79.64.0.0/12AS9105'

route: 79.64.0.0/12
descr: Tiscali UK Limited
origin: AS9105
mnt-by: TU935-RIPE-MNT
source: RIPE # Filtered
```
Line 3 shows that whois has recognised a Teredo IPv6 address, parsed the client’s obfuscated IPv4 address out of bits 96-127, and run the whois on that instead. If we want to know the tunnel provider, we have to extract it ourselves: it is unobfuscated in bits 32-63, which in this example are 5ef579fb, i.e. 94.245.121.251. A standard whois query tells us that the person connecting with Teredo from 79.74.227.250 on Tiscali’s network is doing so via Microsoft, so they are likely using Vista or Win7:
```
user@box:~$ whois 94.245.121.251
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '94.245.64.0 - 94.245.127.255'

inetnum: 94.245.64.0 - 94.245.127.255
descr: Microsoft Limited
org: ORG-MA42-RIPE
netname: UK-MICROSOFT-20081107
country: GB
admin-c: AS9763-RIPE
tech-c: EN603-RIPE
tech-c: BR329-ARIN
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MICROSOFT-MAINT
mnt-domains: MICROSOFT-MAINT
mnt-routes: MICROSOFT-MAINT
source: RIPE # Filtered

organisation: ORG-MA42-RIPE
org-name: Microsoft Limited
org-type: LIR
address: Microsoft Darren Norman One Microsoft Way WA 98052 Redmond UNITED STATES
phone: +1 (425) 703 6647
fax-no: +1 425 936 7329
e-mail: danorm@microsoft.com
admin-c: NORM1-RIPE
admin-c: NORM1-RIPE
admin-c: NORM1-RIPE
mnt-ref: MICROSOFT-MAINT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: Allie Settlemyre
address: Microsoft Limited
address: One Microsoft Way,
address: Redmond, WA 98052
address: USA
phone: +1 (425) 705 0516
phone: +1 (425) 936 7329
e-mail: iprrms@microsoft.com
nic-hdl: AS9763-RIPE
source: RIPE # Filtered

person: Bharat Ranjan
address: Microsoft Corporation
address: Redmond, WA, 98102
address: One Microsoft Way
address: USA
phone: +1 (425) 706 3230
fax-no: +1 (425) 936 7329
nic-hdl: BR329-ARIN
source: RIPE # Filtered
e-mail: bharatr@microsoft.com

person: Edet Nkposong
address: Microsoft, One Microsoft Way,Redmond, WA 98052
address: USA
e-mail: edetn@microsoft.com
phone: +14257071045
nic-hdl: EN603-RIPE
mnt-by: MICROSOFT-MAINT
source: RIPE # Filtered
```
Pretty neat. You can pull off a similar trick for 6to4 addresses as well:
```
user@box:~$ whois 2002:4b95:26ad:0:d067:8ff6:b954:b37f
Querying for the IPv4 endpoint 75.149.38.173 of a 6to4 IPv6 address.
#
# Query terms are ambiguous. The query is assumed to be:
# "n 75.149.38.173"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=75.149.38.173?showDetails=true&showARIN=false&ext=netref2
#

Comcast Business Communications, LLC CBC-CM-5 (NET-75-144-0-0-1) 75.144.0.0 - 75.151.255.255
Comcast Business Communications, LLC CBC-SFBA-11 (NET-75-149-32-0-1) 75.149.32.0 - 75.149.63.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
```
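Both of the extractions above can be done without a whois client at all, because the IPv4 endpoint sits in a fixed bit field of the IPv6 address. The Python below is an added example, not code from the article: it decodes Teredo and 6to4 addresses using the bit positions given above (going one step further than the text by also recovering the Teredo client's obfuscated UDP port from bits 80-95; the Teredo client fields are obfuscated by XOR with all-ones bits), lists the IPv4 addresses a whois lookup should be run against, and cross-checks the hand decoding against the `teredo` and `sixtofour` properties that the standard library's `ipaddress` module already provides. The three sample addresses are the ones quoted in the article.

```python
import ipaddress

# Prefixes from RFC 4380 (Teredo) and RFC 3056 (6to4), as used in the article.
TEREDO_NET = ipaddress.IPv6Network("2001:0::/32")
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")


def _field(value: int, start: int, width: int) -> int:
    """Return the `width`-bit field beginning at bit `start`, counting bit 0 as
    the most significant bit of the 128-bit address (the article's numbering)."""
    shift = 128 - start - width
    return (value >> shift) & ((1 << width) - 1)


def decode_tunnel_address(text: str) -> dict:
    """Classify an IPv6 address and recover any IPv4 endpoint embedded in it.

    Teredo: bits 32-63 hold the Teredo server's IPv4 address in the clear,
            bits 80-95 the client's mapped UDP port XORed with 0xFFFF, and
            bits 96-127 the client's public IPv4 address XORed with 0xFFFFFFFF.
    6to4:   bits 16-47 hold the IPv4 address of the 6to4 router/host.
    Anything else is reported as native (no embedded IPv4 address).
    """
    addr = ipaddress.IPv6Address(text)
    v = int(addr)
    if addr in TEREDO_NET:
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address(_field(v, 32, 32))),
            "flags": _field(v, 64, 16),
            "client_port": _field(v, 80, 16) ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address(_field(v, 96, 32) ^ 0xFFFFFFFF)),
        }
    if addr in SIXTOFOUR_NET:
        return {"kind": "6to4", "router": str(ipaddress.IPv4Address(_field(v, 16, 32)))}
    return {"kind": "native"}


def whois_targets(text: str) -> list:
    """IPv4 addresses worth a whois lookup for this address. The whois client in
    the article only looks up the Teredo client; the server (i.e. the tunnel
    provider) must be looked up separately, so both are returned here."""
    info = decode_tunnel_address(text)
    if info["kind"] == "teredo":
        return [info["client"], info["server"]]
    if info["kind"] == "6to4":
        return [info["router"]]
    return []


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand decoding against ipaddress's own
    IPv6Address.teredo and IPv6Address.sixtofour properties."""
    addr = ipaddress.IPv6Address(text)
    info = decode_tunnel_address(text)
    if info["kind"] == "teredo":
        server, client = addr.teredo
        return (str(server), str(client)) == (info["server"], info["client"])
    if info["kind"] == "6to4":
        return str(addr.sixtofour) == info["router"]
    return addr.teredo is None and addr.sixtofour is None


if __name__ == "__main__":
    for sample in (
        "2001:0:5ef5:79fb:3447:18d4:b0b5:1c05",  # Teredo address from the article
        "2002:4b95:26ad:0:d067:8ff6:b954:b37f",  # 6to4 address from the article
        "2001:200:dff:fff1:216:3eff:feb1:44d7",  # native address from the article
    ):
        print(sample, decode_tunnel_address(sample), whois_targets(sample), matches_stdlib(sample))
```

For the article's Teredo address this yields server 94.245.121.251 and client 79.74.227.250, exactly the two addresses the text arrives at by hand, and for the 6to4 address it yields 75.149.38.173. Note that the decoded client address is only as trustworthy as the packet it came from: nothing in the address format authenticates it.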
There’s one last use case I’d like to illustrate – that of a static IPv6 tunnel via a tunnel broker. This is where you manually connect a 6in4 tunnel (using IP Protocol 41) to a tunnel broker service, such as that run by Hurricane Electric. The tunnel broker is your point of access to the IPv6 internet, and the next-hop for your ::/0 default route is the broker’s end of the tunnel.
When signing up for a tunnel like this, you might have to supply some information about yourself to the tunnel broker as required by the Terms of Service. Take care – this information may end up in the output of a whois query.
In the query below, I’ve obfuscated the actual IPv6 address and other items to protect the privacy of the individual concerned. Some interesting points:
- Line 17 tells us that the IPv6 address is owned by Hurricane Electric
- Line 74 is where we start to find the interesting stuff. This is talking about 2001:470:XXXX:XXXX::/64, the static IPv6 address block assigned to the user of the tunnel broker.
- Lines 91 and 92 tell us that we’re looking at the address of the user’s private residence
- Line 95 is the postcode you’d put into Google Streetview to start your cyberstalking.
```
user@box:~$ whois 2001:470:XXXX:XXXX::2
#
# Query terms are ambiguous. The query is assumed to be:
# "n 2001:470:XXXX:XXXX::2"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=2001:470:XXXX:XXXX::2?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 2001:470:: - 2001:470:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2001:470::/32
OriginAS:
NetName: HURRICANE-IPV6
NetHandle: NET6-2001-470-1
Parent: NET6-2001-400-0
NetType: Direct Allocation
RegDate: 2001-03-22
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET6-2001-470-1

OrgName: Hurricane Electric, Inc.
OrgId: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US
RegDate:
Updated: 2011-04-13
Ref: http://whois.arin.net/rest/org/HURC

ReferralServer: rwhois://rwhois.he.net:4321

OrgTechHandle: ZH17-ARIN
OrgTechName: Hurricane Electric
OrgTechPhone: +1-510-580-4100
OrgTechEmail: hostmaster@he.net
OrgTechRef: http://whois.arin.net/rest/poc/ZH17-ARIN

OrgAbuseHandle: ABUSE1036-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-510-580-4100
OrgAbuseEmail: abuse@he.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE1036-ARIN

RNOCHandle: ZH17-ARIN
RNOCName: Hurricane Electric
RNOCPhone: +1-510-580-4100
RNOCEmail: hostmaster@he.net
RNOCRef: http://whois.arin.net/rest/poc/ZH17-ARIN

RAbuseHandle: ABUSE1036-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-510-580-4100
RAbuseEmail: abuse@he.net
RAbuseRef: http://whois.arin.net/rest/poc/ABUSE1036-ARIN

RTechHandle: ZH17-ARIN
RTechName: Hurricane Electric
RTechPhone: +1-510-580-4100
RTechEmail: hostmaster@he.net
RTechRef: http://whois.arin.net/rest/poc/ZH17-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Found a referral to rwhois.he.net:4321.

%rwhois V-1.5:0012b7:01 ops.he.net (HE-RWHOISd v:r255,m1:r290)
network:ID;I:NET-2001:470:XXXX:XXXX::/64
network:Auth-Area:nets
network:Class-Name:network
network:Network-Name;I:NET-2001:470:XXXX:XXXX::/64
network:Parent;I:NET-2001:470::/32
network:IP-Network:2001:470:XXXX:XXXX::/64
network:Org-Contact;I:POC-TB-6NGV
network:Tech-Contact;I:POC-HE-NOC
network:Abuse-Contact;I:POC-HE-ABUSE
network:NOC-Contact;I:POC-HE-NOC
network:Created:20120217063259000
network:Updated:20120217063259000

contact:ID;I:POC-TB-6NGV
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Private Customer - Hurricane Electric
contact:Street-Address:Private Residence
contact:City:SOMECITY
contact:Province:SOMECOUNTY
contact:Postal-Code:POSTCODE-PLUG-INTO-GOOGLE-STREETVIEW
contact:Country-Code:UK
contact:Phone:+1-510-580-4100
contact:E-mail:hostmaster@he.net
contact:Created:20120217063225000
contact:Updated:20120217063225000

contact:ID;I:POC-HE-NOC
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Network Operations Center
contact:Company:Hurricane Electric
contact:Street-Address:760 Mission Ct
contact:City:Fremont
contact:Province:CA
contact:Postal-Code:94539
contact:Country-Code:US
contact:Phone:+1-510-580-4100
contact:E-Mail:noc@he.net
contact:Created:20100901200738000
contact:Updated:20100901200738000

contact:ID;I:POC-HE-ABUSE
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Abuse Department
contact:Company:Hurricane Electric
contact:Street-Address:760 Mission Ct
contact:City:Fremont
contact:Province:CA
contact:Postal-Code:94539
contact:Country-Code:US
contact:Phone:+1-510-580-4100
contact:E-Mail:abuse@he.net
contact:Created:20100901200738000
contact:Updated:20100901200738000
contact:Comment:For email abuse (spam) only
%ok
```
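The useful part of that session is the rwhois section after the referral, where the network object for the /64 points (via Org-Contact) at a contact record holding the subscriber's postal address. The following Python is an added example, not code from the article or from Hurricane Electric: it parses rwhois `class:attribute:value` lines into records, follows each network's Org-Contact reference, and lists the fields in that contact which pin down a premises or person. The embedded sample is constructed from the sanitised output above (placeholders kept) so that it runs offline; the only thing it assumes about the format is the line shape visible in that output.

```python
import re

# Constructed sample, modelled on the sanitised rwhois.he.net output in the
# article (its XXXX / SOMECITY / POSTCODE placeholders are kept; this is not
# a real customer record). Only the fields needed here are reproduced.
SAMPLE_RWHOIS = """\
%rwhois V-1.5:0012b7:01 ops.he.net (HE-RWHOISd v:r255,m1:r290)
network:ID;I:NET-2001:470:XXXX:XXXX::/64
network:Auth-Area:nets
network:Class-Name:network
network:IP-Network:2001:470:XXXX:XXXX::/64
network:Org-Contact;I:POC-TB-6NGV
network:Tech-Contact;I:POC-HE-NOC

contact:ID;I:POC-TB-6NGV
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Private Customer - Hurricane Electric
contact:Street-Address:Private Residence
contact:City:SOMECITY
contact:Province:SOMECOUNTY
contact:Postal-Code:POSTCODE-PLUG-INTO-GOOGLE-STREETVIEW
contact:Country-Code:UK
contact:Phone:+1-510-580-4100
contact:E-mail:hostmaster@he.net

contact:ID;I:POC-HE-NOC
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Network Operations Center
contact:Company:Hurricane Electric
contact:Street-Address:760 Mission Ct
contact:City:Fremont
contact:Province:CA
contact:Postal-Code:94539
contact:Country-Code:US
contact:Phone:+1-510-580-4100
contact:E-Mail:noc@he.net
%ok
"""

# class:attribute[;I]:value  (the value itself may contain colons, e.g. an IPv6 prefix)
LINE_RE = re.compile(r"^([A-Za-z-]+):([A-Za-z-]+)(?:;[A-Z])?:(.*)$")

# Attributes that locate a person or premises. Names are compared
# case-insensitively because the output mixes "E-mail" and "E-Mail".
PERSONAL_FIELDS = ("street-address", "city", "province", "postal-code", "phone", "e-mail")


def parse_rwhois(text: str) -> dict:
    """Split rwhois output into records keyed by their ID attribute.

    Records are separated by blank lines or '%' protocol lines. Each record is
    a dict of lower-cased attribute -> list of values (attributes may repeat),
    plus '_class' holding the record class taken from the line prefix."""
    records, current = {}, {}

    def flush():
        if current:
            records[current.get("id", ["<no-id>"])[0]] = dict(current)
            current.clear()

    for line in text.splitlines():
        if line.startswith("%") or not line.strip():
            flush()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: ignore rather than guess
        cls, attr, value = m.groups()
        current.setdefault("_class", cls)
        current.setdefault(attr.lower(), []).append(value)
    flush()
    return records


def audit_tunnel_contact(text: str) -> list:
    """For every network record, follow its Org-Contact reference and list the
    contact fields that reveal where (or who) the tunnel user is.
    Returns (network, contact_id, field, value) tuples in PERSONAL_FIELDS order."""
    records = parse_rwhois(text)
    findings = []
    for rec in records.values():
        if rec.get("_class") != "network":
            continue
        network = rec.get("ip-network", ["?"])[0]
        for poc in rec.get("org-contact", []):
            contact = records.get(poc)
            if contact is None:
                continue  # dangling reference: nothing published for it
            for field in PERSONAL_FIELDS:
                for value in contact.get(field, []):
                    findings.append((network, poc, field, value))
    return findings


if __name__ == "__main__":
    for network, poc, field, value in audit_tunnel_contact(SAMPLE_RWHOIS):
        print(f"{network} -> {poc}: {field} = {value}")
```

Run against the sample, the audit reports six fields for the subscriber contact POC-TB-6NGV. Note which are whose: in the article's output the Phone and E-mail values are the broker's own (hostmaster@he.net), but Street-Address, City, Province and Postal-Code are the subscriber's, which is exactly the data the text warns may end up being published. The whois client follows the ARIN referral for you; this parser only takes the rwhois portion of the session.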
The moral of the story is that you can’t hide behind a tunnelled IPv6 address: it may well tell the world much more about you than you might think!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters@dataline.co.uk