[ipv6hackers] Windows 7 Neighbor Cache Bug?

Johannes Weber johannes at webernetz.net
Thu Nov 22 12:05:17 CET 2012


Hello everybody,

I am testing with the THC-IPV6 Toolkit from van Hauser and noticed that
Windows 7 adds and deletes several neighbor cache entries even on interfaces
which are not connected. It further adds and deletes complete network
interface cards from the neighbor cache.
I would like to know if this is a feature or a bug.

My test method: I use flood_solicitate6 (to flood Neighbor Solicitations)
with a target-ip specified as the Windows 7 link-local IPv6 addresss. In
parallel, I use parasite6 to answer to all Neighbor Solicitation NUDs from
the Windows machine with Neighbor Advertisements.
Unlike a Cisco router, which adds thousands of neighbors to its neighbor
cache, Windows 7 does not mark any of these spoofed addresses as REACH, but
deletes some other IPv6 address from all interfaces, even though these
interfaces are not touched by the attacks.
The only interface that was connected to the network was "Interface 12:
LAN-Verbindung", all the other interfaces were NOT connected!

I have four listings that document this behavior:
1) shows the neighbor cache right after a reboot
http://pastebin.com/ncvkNwtP

2) after a first run of both tools. There are only a few interfaces and
cache entries anymore
http://pastebin.com/tq54AUkf

3) after a few more runs of the attacking tools, there are some interfaces
back, but without many entries
http://pastebin.com/P3rw4teM

4) another listing with several IPv6 multicast address with different MAC
addresses per interface
http://pastebin.com/hT0Sn3dG

Maybe someone has the same experience? Or maybe I am doing something wrong?

Regards,

Johannes





More information about the Ipv6hackers mailing list