Last year, I posted the following bug report on the IPv6 hackers mailing list, but nobody ever responded. I also sent it to Microsoft, but heard no response either. Since I have had this blog for a few days now, I will post it here, too:
I am testing with the THC-IPV6 Toolkit from van Hauser and noticed that Windows 7 adds and deletes several neighbor cache entries even on interfaces which are not connected. It further adds and deletes complete network interface cards from the neighbor cache. I would like to know if this is a feature or a bug.
My test method: I use flood_solicitate6 (to flood Neighbor Solicitations) with the target IP set to the Windows 7 link-local IPv6 address. In parallel, I use parasite6 to answer all Neighbor Solicitation (NUD) messages from the Windows machine with Neighbor Advertisements. Unlike a Cisco router, which adds thousands of neighbors to its neighbor cache, Windows 7 does not mark any of these spoofed addresses as REACH, but instead deletes other IPv6 addresses from all interfaces, even though these interfaces are not touched by the attacks. The only interface that was connected to the network was “Interface 12: LAN-Verbindung”; all the other interfaces were NOT connected!
I have four listings that document this behavior (all hosted at pastebin.com):
- shows the neighbor cache right after a reboot
- after a first run of both tools; only a few interfaces and cache entries remain
- after a few more runs of the attacking tools, some interfaces are back, but with few entries
- another listing with several IPv6 multicast addresses with different MAC addresses per interface
Maybe someone has the same experience? Or maybe I am doing something wrong?
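One way to work with neighbor cache listings like the ones described above is to parse the snapshots and compare them mechanically instead of reading them by eye. The following Python script is an added example, not code from the original post or from the THC-IPv6 toolkit; it assumes the column layout of `netsh interface ipv6 show neighbors` and uses two constructed snapshots rather than the pastebin listings. It flags the two symptoms the listings describe from a monitoring standpoint: interfaces or entries that vanish between snapshots, and multicast entries whose MAC address is not the one RFC 2464 derives from the IPv6 address (33-33 followed by the low-order 32 bits), which is what a multicast address with an unexpected MAC in the cache looks like.

```python
import re
import ipaddress

# Constructed snapshots in the layout of `netsh interface ipv6 show neighbors`
# (assumed format; these are not the author's pastebin listings). The interface
# name mirrors the post's "Interface 12: LAN-Verbindung".
SNAPSHOT_BEFORE = """\
Interface 1: Loopback Pseudo-Interface 1

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::c                                                          Permanent

Interface 12: LAN-Verbindung

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::1                                       00-1a-2b-3c-4d-5e  Reachable
fe80::2                                       00-1a-2b-3c-4d-5f  Stale
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::1:ff00:1                                33-33-ff-00-00-01  Permanent
"""

# Same host a little later (constructed): an untouched interface has vanished
# from the listing, a unicast neighbor is gone, and one multicast entry carries
# a MAC that cannot be derived from its address.
SNAPSHOT_AFTER = """\
Interface 12: LAN-Verbindung

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::1                                       00-1a-2b-3c-4d-5e  Reachable
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::1:ff00:1                                33-33-00-00-00-99  Permanent
"""

_IFACE_RE = re.compile(r"^Interface (\d+): (.+?)\s*$")
_ENTRY_RE = re.compile(
    r"^(\S+)\s+(?:([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+)?(\S+)\s*$"
)


def parse_neighbors(text):
    """Return {interface label: {ipv6 address: (mac or None, state)}}."""
    table = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = f"{m.group(1)}: {m.group(2)}"
            table[current] = {}
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("Internet Address") or line.startswith("-"):
            continue  # column header / ruler line
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.IPv6Address(m.group(1)))
        except ValueError:
            continue  # not an IPv6 neighbor entry
        mac = m.group(2).lower() if m.group(2) else None
        table[current][addr] = (mac, m.group(3))
    return table


def expected_multicast_mac(addr):
    """RFC 2464 mapping: 33-33 followed by the low-order 32 bits of the address."""
    low32 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    return "33-33-" + "-".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def multicast_mac_mismatches(table):
    """Multicast entries whose MAC is not the one derived from the address."""
    bad = []
    for iface, entries in table.items():
        for addr, (mac, _state) in entries.items():
            if mac is None or not ipaddress.IPv6Address(addr).is_multicast:
                continue
            want = expected_multicast_mac(addr)
            if mac != want:
                bad.append((iface, addr, mac, want))
    return bad


def diff_snapshots(before, after):
    """Interfaces and entries present in `before` but missing from `after`."""
    lost_ifaces = sorted(set(before) - set(after))
    lost_entries = []
    for iface in sorted(set(before) & set(after)):
        for addr in sorted(set(before[iface]) - set(after[iface])):
            lost_entries.append((iface, addr))
    return {"lost_interfaces": lost_ifaces, "lost_entries": lost_entries}


if __name__ == "__main__":
    before = parse_neighbors(SNAPSHOT_BEFORE)
    after = parse_neighbors(SNAPSHOT_AFTER)
    print("multicast MAC mismatches:", multicast_mac_mismatches(after))
    print("lost since last snapshot:", diff_snapshots(before, after))
```

Feeding the script a series of real `netsh` captures taken before and after a test run turns the "interfaces disappeared" observation into a concrete list of lost interfaces and entries per snapshot, and the multicast check gives an objective criterion for a listing like the fourth one, since a correct multicast entry's MAC is fully determined by its IPv6 address.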