IPv6-ghost-ship: Using TOTP as part of an AWS EC2 IPv6 address

IPv6-ghost-ship: Using TOTP as part of an AWS EC2 IPv6 address

Twitter thread ๐Ÿฆ

As of July 2021, AWS EC2 instances can be assigned IPv4 and IPv6
address prefixes. The IPv6 prefixes are /80, which gives your EC2 instance
281,474,976,710,656 IP addresses to play with. You could use the feature to
run 281 trillion containers with their own IPs (which I assume is what AWS
intended for the feature), but I wanted to find a more fun use.

SSH doesn’t support TOTP (those six digit codes that change every 30
seconds) out of the box. Neither does Telnet, plain old HTTP or any number of
protocols. So I thought it would be fun to add TOTP support to every protocol
by embedding the six digit code inside the IP address.


Generate a QR code and shared secret using the generate/generate command. Use
that QR code with an app like Google Authenticator and keep the shared secret for
usage later.

Start an EC2 instance in an IPv6-enabled subnet:

aws ec2 run-instances 
  --instance-type m6g.medium
  --min-count 1 
  --max-count 1 
  --key-name $KeyName
  --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-arm64-gp2 
  --network-interfaces SubnetId=$SubnetId,Ipv6PrefixCount=1,DeviceIndex=0,Groups=$SecurityGroupId

On that instance run the following commands to enable IPv6:

ip route add local $prefix dev eth0
ip addr add local $prefix dev eth0

Now you can build the ghost ship:

sudo yum install libnetfilter_queue-devel
go build
sudo setcap cap_net_admin=+ep ipv6-ghost-ship # this means it can run without sudo

Now create an iptables rule to only allow incoming connections to IP addresses
that are permitted by ipv6-ghost-ship:

ip6tables -A INPUT -p ip -m state --state NEW -j NFQUEUE --queue-num 0

Start the ghost ship:

./ipv6-ghost-ship --secret AZCHNJHC42T3PCHNLQPJAEBMFLEXAMPLE

Now from your local computer, try ping6 or ssh or anything. If your EC2
instance was assigned the prefix 2406:da1c:176:a202:ee3f/80 and your
authenticator app currently says the code is 123456, then you would run:

ssh ec2-user@2406:da1c:176:a202:ee3f:12:34:56
                                   # ^ this is where the magic happens

You will connect successfully! If you try that again a minute later, no such
luck. If you had tried any other suffix on that IP address, your connections
will also be dropped.

why though

Because Massimo implied I wasn’t clown-ish.

Join the pack! Join 8000+ others registered users, and get chat, make groups, post updates and make friends around the world!
Read More

Leave a Reply

2 thoughts on “IPv6-ghost-ship: Using TOTP as part of an AWS EC2 IPv6 address

  1. Aditya avatar
    ยท January 6, 2022 at 5:00 am

    I love that the submitter fit the entire idea into the title. Understood it without even clicking. Brevity is the soul of wit.

    Clever idea, wouldn't have thought of it on my own.

  2. Aditya avatar


    That is a pretty bad idea in practice though, the issue(s) being: IP addresses are public (especially to anyone in the middle of your connection) and it's trivially brute-forceable.