• Stars: 321
• Language: Go
• Created over 2 years ago
• Updated over 2 years ago


Silly usage of AWS EC2 IPv6 prefixes

ipv6-ghost-ship

Twitter thread 🐦

As of July 2021, AWS EC2 instances can be assigned IPv4 and IPv6 address prefixes. The IPv6 prefixes are /80, which gives your EC2 instance 281,474,976,710,656 IP addresses to play with. You could use the feature to run 281 trillion containers with their own IPs (which I assume is what AWS intended for the feature), but I wanted to find a more fun use.

SSH doesn't support TOTP (those six digit codes that change every 30 seconds) out of the box. Neither does Telnet, plain old HTTP or any number of protocols. So I thought it would be fun to add TOTP support to every protocol by embedding the six digit code inside the IP address.

Usage

Generate a QR code and shared secret using the generate/generate command. Use that QR code with an app like Google Authenticator and keep the shared secret for usage later.

Start an EC2 instance in an IPv6-enabled subnet:

aws ec2 run-instances \
  --instance-type m6g.medium \
  --min-count 1 \
  --max-count 1 \
  --key-name $KeyName \
  --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-arm64-gp2 \
  --network-interfaces SubnetId=$SubnetId,Ipv6PrefixCount=1,DeviceIndex=0,Groups=$SecurityGroupId

On that instance run the following commands to route the whole delegated /80 to the local host (the ip commands need root; the metadata calls use IMDSv1, so fetch a token first if the instance is configured to require IMDSv2):

mac=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)   # ends in a trailing slash
prefix=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${mac}ipv6-prefix)   # e.g. 2406:da1c:176:a202:ee3f::/80
sudo ip route add local $prefix dev eth0
sudo ip addr add local $prefix dev eth0

Now you can build the ghost ship:

sudo yum install libnetfilter_queue-devel
go build
sudo setcap cap_net_admin=+ep ipv6-ghost-ship # this means it can run without sudo

Now create an ip6tables rule that hands every new incoming IPv6 connection to ipv6-ghost-ship through NFQUEUE, so only connections to destination addresses it approves are accepted:

sudo ip6tables -A INPUT -p ip -m state --state NEW -j NFQUEUE --queue-num 0

Note that NFQUEUE with no userspace program attached drops the queued packets (unless the rule is given --queue-bypass), so new IPv6 connections are refused whenever the ghost ship isn't running. Keep an IPv4 address or Session Manager as a way back in.

Start the ghost ship:

./ipv6-ghost-ship --secret AZCHNJHC42T3PCHNLQPJAEBMFLEXAMPLE

Now from your local computer, try ping6 or ssh or anything. The six-digit code becomes the last three 16-bit groups of the address, two digits each. If your EC2 instance was assigned the prefix 2406:da1c:176:a202:ee3f::/80 and your authenticator app currently says the code is 123456, then you would run:

ssh ec2-user@2406:da1c:176:a202:ee3f:12:34:56
                                   # ^ this is where the magic happens

You will connect successfully! If you try that again a minute later, no such luck. Any other suffix under that prefix is dropped too.
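To make the address scheme concrete, here is an added example (not code from this repository) that reproduces the decision the ghost ship has to make for each new connection: compute the current TOTP code from the base32 shared secret, embed it in the low 48 bits of the /80 exactly as the ssh command above does, and compare that against the packet's destination address. It assumes a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), tolerates one step of clock skew as its own design choice, and uses the RFC 6238 test-vector secret rather than the placeholder secret shown above; the NFQUEUE plumbing itself is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
	"time"
)

const step = 30 * time.Second // TOTP time step; the authenticator-app default

// TOTP computes the six-digit RFC 6238 code (HMAC-SHA1, 30 s step) for a
// base32 shared secret at time t.
func TOTP(secretB32 string, t time.Time) (string, error) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	key, err := enc.DecodeString(strings.ToUpper(strings.TrimRight(secretB32, "=")))
	if err != nil {
		return "", fmt.Errorf("bad base32 secret: %w", err)
	}
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/int64(step/time.Second)))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000), nil
}

// CodeAddress embeds a six-digit code in the low 48 bits of a /80 the way the
// README does: code 123456 becomes the final groups :12:34:56. Each pair of
// decimal digits is written as a hex group, so the match is textual, not
// numeric (the group "12" carries the value 0x12, not 12).
func CodeAddress(prefix netip.Prefix, code string) (netip.Addr, error) {
	if !prefix.Addr().Is6() || prefix.Bits() != 80 {
		return netip.Addr{}, fmt.Errorf("want an IPv6 /80, got %s", prefix)
	}
	if len(code) != 6 {
		return netip.Addr{}, fmt.Errorf("want a six-digit code, got %q", code)
	}
	b := prefix.Masked().Addr().As16()
	for i := 0; i < 3; i++ {
		group, err := strconv.ParseUint(code[2*i:2*i+2], 16, 16)
		if err != nil {
			return netip.Addr{}, err
		}
		// groups 5, 6 and 7 of the address occupy bytes 10..15
		binary.BigEndian.PutUint16(b[10+2*i:], uint16(group))
	}
	return netip.AddrFrom16(b), nil
}

// Allowed decides whether a new connection to dst should be accepted: dst must
// be the code address for the current step or, to tolerate clock skew (an
// assumption of this example), the previous one. An NFQUEUE handler would call
// this with the packet's destination and return accept or drop accordingly.
func Allowed(prefix netip.Prefix, secretB32 string, dst netip.Addr, now time.Time) bool {
	if !prefix.Contains(dst) {
		return false
	}
	for _, t := range []time.Time{now, now.Add(-step)} {
		code, err := TOTP(secretB32, t)
		if err != nil {
			return false
		}
		want, err := CodeAddress(prefix, code)
		if err != nil {
			return false
		}
		if want == dst {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test-vector secret ("12345678901234567890" in base32), not a real one
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	prefix := netip.MustParsePrefix("2406:da1c:176:a202:ee3f::/80")
	now := time.Now()
	code, err := TOTP(secret, now)
	if err != nil {
		panic(err)
	}
	addr, _ := CodeAddress(prefix, code)
	fmt.Printf("ssh ec2-user@%s   # valid until %s\n", addr,
		now.Truncate(step).Add(step).Format(time.RFC3339))
	fmt.Println("accepted now:", Allowed(prefix, secret, addr, now))
}
```

Because the six decimal digits are reused as hex groups, only 10^6 of the 2^48 suffixes are ever reachable, which is what makes the scheme equivalent to TOTP rather than to a random address: an attacker scanning the prefix still has to hit the one suffix that is valid this half-minute.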

why though

Because Massimo implied I wasn't clown-ish.
