ipv6-ghost-ship - Silly usage of AWS EC2 IPv6 prefixes

Overview


Twitter thread 🐦

As of July 2021, AWS EC2 instances can be assigned IPv4 and IPv6 address prefixes. The IPv6 prefixes are /80, which gives your EC2 instance 281,474,976,710,656 IP addresses to play with. You could use the feature to run 281 trillion containers with their own IPs (which I assume is what AWS intended for the feature), but I wanted to find a more fun use.

OpenSSH doesn't support TOTP (those six digit codes that change every 30 seconds) out of the box; you need a PAM module for that. Neither does Telnet, plain old HTTP or any number of other protocols. So I thought it would be fun to add TOTP support to every protocol at once by embedding the six digit code inside the IP address the client connects to.

Usage

Generate a QR code and shared secret using the generate/generate command. Use that QR code with an app like Google Authenticator and keep the shared secret for usage later.

Start an EC2 instance in an IPv6-enabled subnet:

aws ec2 run-instances \
  --instance-type m6g.medium \
  --min-count 1 \
  --max-count 1 \
  --key-name $KeyName \
  --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-arm64-gp2 \
  --network-interfaces SubnetId=$SubnetId,Ipv6PrefixCount=1,DeviceIndex=0,Groups=$SecurityGroupId

On that instance run the following commands to enable the whole prefix (the plain curl calls assume IMDSv1 is still allowed; on an IMDSv2-only instance fetch a token first and pass it in the X-aws-ec2-metadata-token header):

mac=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/)   # returns the MAC with a trailing slash
prefix=$(curl -s http://169.254.169.254/latest/meta-data/network/interfaces/macs/${mac}ipv6-prefix)   # e.g. 2406:da1c:176:a202:ee3f::/80
sudo ip route add local $prefix dev eth0   # treat every address in the /80 as local, not just one of them
sudo ip addr add local $prefix dev eth0

Now you can build the ghost ship:

sudo yum install libnetfilter_queue-devel
go build
sudo setcap cap_net_admin=+ep ipv6-ghost-ship # grants CAP_NET_ADMIN to the binary so it can bind the netfilter queue without sudo

Now create an ip6tables rule (as root) that hands every new inbound connection to ipv6-ghost-ship for a verdict; established connections are not matched, so they keep working regardless:

sudo ip6tables -A INPUT -p ip -m state --state NEW -j NFQUEUE --queue-num 0

Note that the kernel drops queued packets when nothing is listening on the queue, so new connections are refused whenever the ghost ship isn't running. That is the fail-closed behaviour you want here; add --queue-bypass to the rule if you would rather fail open.

Start the ghost ship:

./ipv6-ghost-ship --secret AZCHNJHC42T3PCHNLQPJAEBMFLEXAMPLE

Now from your local computer, try ping6 or ssh or anything. If your EC2 instance was assigned the prefix 2406:da1c:176:a202:ee3f::/80 and your authenticator app currently says the code is 123456, then you would run (ec2-user being the login user on the Amazon Linux 2 AMI above):

ssh ec2-user@2406:da1c:176:a202:ee3f:12:34:56
                                  # ^ this is where the magic happens

You will connect successfully! If you try that again a minute later, no such luck. Any other suffix under that prefix is dropped too.
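The walkthrough above is the whole mechanism: the client turns the current TOTP into the last three address groups, and the instance only accepts a new connection if those groups spell the code for the current window. The following Go program is an added example, not the project's own code, showing both halves with nothing but the standard library: RFC 6238 TOTP (HMAC-SHA1, 30-second step), the digit-pair-to-address encoding from the ssh example, the reverse check a verdict would run on a queued packet's destination address, and a skew parameter (my assumption, not a feature the README documents) of the kind the Time Skew issue asks for. The prefix and secret are the README's example values; the NFQUEUE plumbing is left out, so allowed() is fed an address string directly.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
	"time"
)

// examplePrefix is the /80 from the README's walkthrough (an illustration, not a real allocation).
var examplePrefix = netip.MustParsePrefix("2406:da1c:176:a202:ee3f::/80")

// totpCode returns the six-digit RFC 6238 code for secret at Unix time t,
// using the HMAC-SHA1 / 30-second-step defaults that authenticator apps use.
func totpCode(secret []byte, t int64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return code % 1_000_000
}

// decodeSecret turns the base32 string printed by the generate command into key bytes.
func decodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.ReplaceAll(s, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// ghostAddr builds the address a client must connect to: the prefix's first
// 80 bits followed by the code's digit pairs as the last three 16-bit groups,
// so code 123456 becomes <prefix>:12:34:56 and the digits are visible as-is.
func ghostAddr(prefix netip.Prefix, code uint32) netip.Addr {
	a := prefix.Masked().Addr().As16()
	digits := fmt.Sprintf("%06d", code%1_000_000)
	for i := 0; i < 3; i++ {
		// each two-digit pair is written as the group's hex spelling, e.g. "12" -> 0x0012
		v, _ := strconv.ParseUint(digits[2*i:2*i+2], 16, 16)
		a[10+2*i] = 0
		a[11+2*i] = byte(v)
	}
	return netip.AddrFrom16(a)
}

// codeFromAddr recovers the six digits from the last three groups of addr, or
// returns an error if addr isn't of the <prefix>:dd:dd:dd form.
func codeFromAddr(prefix netip.Prefix, addr netip.Addr) (uint32, error) {
	if !prefix.Masked().Contains(addr) {
		return 0, errors.New("address is outside the prefix")
	}
	a := addr.As16()
	var digits strings.Builder
	for i := 10; i < 16; i += 2 {
		pair := fmt.Sprintf("%02x", a[i+1])
		// a group such as 0x1a or 0x0112 cannot be spelt as a decimal digit pair
		if a[i] != 0 || strings.Trim(pair, "0123456789") != "" {
			return 0, errors.New("group is not a two-digit decimal pair")
		}
		digits.WriteString(pair)
	}
	n, err := strconv.ParseUint(digits.String(), 10, 32)
	return uint32(n), err
}

// allowed is the verdict the ghost ship would give a NEW connection to dst:
// accept when the embedded digits match the TOTP for the current 30-second
// window or one of the `skew` windows either side (skew=0 is strict matching).
func allowed(secret []byte, prefix netip.Prefix, dst string, now int64, skew int) bool {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return false
	}
	code, err := codeFromAddr(prefix, addr)
	if err != nil {
		return false
	}
	ok := 0
	for w := -skew; w <= skew; w++ {
		// constant-time compare with no early exit, so timing doesn't reveal which window matched
		ok |= subtle.ConstantTimeEq(int32(totpCode(secret, now+int64(30*w))), int32(code))
	}
	return ok == 1
}

func main() {
	secret, err := decodeSecret("AZCHNJHC42T3PCHNLQPJAEBMFLEXAMPLE") // the README's example secret
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	dst := ghostAddr(examplePrefix, totpCode(secret, now))
	fmt.Printf("ssh ec2-user@%s\n", dst)
	fmt.Println("accepted now:         ", allowed(secret, examplePrefix, dst.String(), now, 0))
	fmt.Println("accepted a minute on: ", allowed(secret, examplePrefix, dst.String(), now+60, 0))
	fmt.Println("accepted with skew 1: ", allowed(secret, examplePrefix, dst.String(), now+30, 1))
}
```

Running it prints the address to ssh to for the current window, then shows the same address being accepted now, refused a minute later, and accepted one window late once a skew of one is allowed. Note that the encoding keeps each pair's hex spelling, so a group like :1a: can never be a valid code and is rejected before any TOTP is computed.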

why though

Because Massimo implied I wasn't clown-ish.

Issues
  • Time Skew

    My read of the Go code has the program only matching in the 30 second TOTP window. In a lot of TOTP applications, there is an allowance for one or both clocks to have some time skew or packets to be routing on the internet until after the acceptance window. This is covered by having a larger group of accepted numbers.

    Could this be modified to allow codes from 30 seconds each side? Could the size buffer be user configurable?

    opened by michft-v
Owner
Aidan Steele