Whilst picking through the responses to the latest Spy Hunter challenge I stumbled over some interesting behaviour when using whois to query various kinds of IPv6 addresses, especially those related to v6-over-v4 tunnelling mechanisms. It turns out it’s rather insightful.
As a baseline, let’s start by performing a whois of a non-tunnelled IPv6 address – it’s pretty straightforward, as you would expect:
user@box:~$ whois 2001:200:dff:fff1:216:3eff:feb1:44d7 % [whois.apnic.net node-5] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inet6num: 2001:200::/32 netname: WIDE-JP-19990813 descr: WIDE project country: JP remarks: upgraded from /35 admin-c: JM46-AP tech-c: AK27-AP tech-c: SU19-AP status: ALLOCATED PORTABLE notify: email@example.com notify: firstname.lastname@example.org mnt-by: APNIC-HM mnt-lower: MAINT-JP-WIDE changed: email@example.com 20030423 changed: firstname.lastname@example.org 20071109 source: APNIC person: Jun Murai address: Keio University address: 5322 Endo Fujisawa 252-8520 country: JP phone: +81 466 49 1100 fax-no: +81 466 49 1101 e-mail: email@example.com nic-hdl: JM46-AP mnt-by: MAINT-AU-APNIC-GM85-AP changed: firstname.lastname@example.org 19990729 source: APNIC person: Akira Kato address: Keio University, Graduate School of Media Design address: 4-1-1 Hiyoshi, Kohoku, Yokoahama 223-8526 country: JP phone: +81 45 564 2490 fax-no: +81 45 564 2503 e-mail: email@example.com nic-hdl: AK27-AP mnt-by: MAINT-JP-WIDE changed: firstname.lastname@example.org 20090225 source: APNIC person: Satoshi UDA nic-hdl: SU19-AP e-mail: email@example.com address: Japan Advanced Institute of Science and Technology address: Center for Information Science address: 1-1 Asahidai, Tatsunokuchi, Nomi, Ishikawa 923-1292 phone: +81 761 51 1111 fax-no: +81 761 51 1305 country: JP notify: firstname.lastname@example.org changed: email@example.com 20040803 changed: firstname.lastname@example.org 20041028 mnt-by: MAINT-JP-WIDE mnt-by: MAINT-JP-JAIST source: APNIC
In this case, there is a direct link between the IPv6 address and it’s “owner”, provided you trust what the whois server is telling you.
With tunnelled IPv6 addresses, there isn’t such a strong correlation between an observed IPv6 address and the actual IPv4 computer sourcing that traffic. Depending on the type, the IPv6 address may be “owned” by the tunnel provider, and one might be tempted to think that a whois query of such an address would merely tell you about the provider.
It turns out that whois is a bit smarter than that. Various flavours of IPv6-over-IPv4 tunnelling embed the original IPv4 address into the IPv6 address, and whois can parse it out for you. Taking a Teredo IPv6 address as an example, look at line 03 below:
user@box:~$ whois 2001:0:5ef5:79fb:3447:18d4:b0b5:1c05 Querying for the IPv4 endpoint 184.108.40.206 of a Teredo IPv6 address. % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '220.127.116.11 - 18.104.22.168' inetnum: 22.214.171.124 - 126.96.36.199 netname: DSL-AS9105-UK descr: Tiscali UK Ltd descr: Milton Keynes descr: Dynamic DSL descr: ========================================================== descr: Concerning abuse and spam ... Email email@example.com descr: e-mail to other addresses will not be dealt with. descr: ========================================================== country: GB admin-c: TU935-RIPE tech-c: TU935-RIPE status: ASSIGNED PA mnt-by: TU935-RIPE-MNT source: RIPE # Filtered role: Tiscali UK address: Tiscali UK Limited address: 11 Evesham Street address: London W11 4AJ phone: +44 207 087 2000 remarks: Information: http://www.talktalk.co.uk org: ORG-TUL3-RIPE admin-c: MJ3048-RIPE admin-c: RH2381-RIPE tech-c: MJ3048-RIPE nic-hdl: TU935-RIPE remarks: Hostmaster Role Account mnt-by: TU935-RIPE-MNT source: RIPE # Filtered abuse-mailbox: firstname.lastname@example.org % Information related to '188.8.131.52/12AS9105' route: 184.108.40.206/12 descr: Tiscali UK Limited origin: AS9105 mnt-by: TU935-RIPE-MNT source: RIPE # Filtered
Line 3 shows that whois has recognised a Teredo IPv6 address, and has parsed out the client’s obfuscated IPv4 address from bits 96-127 and run the whois on that instead. If we want to know the tunnel provider, we have to extract it ourselves – it’s unobfuscated in bits 32-63. In this example, this is 5ef579fb which translates as 220.127.116.11. A standard whois query tells us that the person connecting with Teredo from 18.104.22.168 on Tiscali’s network is doing so via Microsoft – they are therefore likely using Vista or Win7:
user@box:~$ whois 22.214.171.124 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '126.96.36.199 - 188.8.131.52' inetnum: 184.108.40.206 - 220.127.116.11 descr: Microsoft Limited org: ORG-MA42-RIPE netname: UK-MICROSOFT-20081107 country: GB admin-c: AS9763-RIPE tech-c: EN603-RIPE tech-c: BR329-ARIN status: ALLOCATED PA mnt-by: RIPE-NCC-HM-MNT mnt-lower: MICROSOFT-MAINT mnt-domains: MICROSOFT-MAINT mnt-routes: MICROSOFT-MAINT source: RIPE # Filtered organisation: ORG-MA42-RIPE org-name: Microsoft Limited org-type: LIR address: Microsoft Darren Norman One Microsoft Way WA 98052 Redmond UNITED STATES phone: +1 (425) 703 6647 fax-no: +1 425 936 7329 e-mail: email@example.com admin-c: NORM1-RIPE admin-c: NORM1-RIPE admin-c: NORM1-RIPE mnt-ref: MICROSOFT-MAINT mnt-ref: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-HM-MNT source: RIPE # Filtered person: Allie Settlemyre address: Microsoft Limited address: One Microsoft Way, address: Redmond, WA 98052 address: USA phone: +1 (425) 705 0516 phone: +1 (425) 936 7329 e-mail: firstname.lastname@example.org nic-hdl: AS9763-RIPE source: RIPE # Filtered person: Bharat Ranjan address: Microsoft Corporation address: Redmond, WA, 98102 address: One Microsoft Way address: USA phone: +1 (425) 706 3230 fax-no: +1 (425) 936 7329 nic-hdl: BR329-ARIN source: RIPE # Filtered e-mail: email@example.com person: Edet Nkposong address: Microsoft, One Microsoft Way,Redmond, WA 98052 address: USA e-mail: firstname.lastname@example.org phone: +14257071045 nic-hdl: EN603-RIPE mnt-by: MICROSOFT-MAINT source: RIPE # Filtered
Pretty neat. You can pull off a similar trick for 6to4 addresses as well:
There’s one last use case I’d like to illustrate – that of a static IPv6 tunnel via a tunnel broker. This is where you manually connect a 6in4 tunnel (using IP Protocol 41) to a tunnel broker service, such as that run by Hurricane Electric. The tunnel broker is your point of access to the IPv6 internet, and the next-hop for your ::/0 default route is the broker’s end of the tunnel.
When signing up for a tunnel like this, you might have to supply some information about yourself to the tunnel broker as required by the Terms of Service. Take care – this information may end up in the output of a whois query.
In the query below, I’ve obfuscated the actual IPv6 address and other items to protect the privacy of the individual concerned. Some interesting points:
- Line 17 tells us that the IPv6 address is owned by Hurricane Electric
- Line 74 is where we start to find the interesting stuff. This is talking about 2001:470:XXXX:XXXX::/64, the static IPv6 address block assigned to the user of the tunnel broker.
- Lines 91 and 92 tell us that we’re looking at the address of the user’s private residence
- Line 95 is the postcode you’d put into Google Streetview to start your cyberstalking.
The moral of the story is that you can’t hide behind a tunnelled IPv6 address, and it may well tell the world much more about yourself than you might think!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at email@example.com