IPv6 for Pentesters
A talk on assessing hosts that have both IPv4 and IPv6 networking capabilities. Initially given at BSides London Rookie Track 2017.

1. IPv6 for Pentesters
2. Whoami
• Owen Shearing @rebootuser
• www.notsosecure.com
Coming up…
• IPv6 addresses and terminology (minimal theory!)
• Connecting to remote IPv6 services, even if the ISP doesn’t support native IPv6
• Taking a look at non-IPv6 aware toolsets (Linux & Windows)
• Limitations (or unawareness) of common security configurations
• Putting this stuff into practice!
3. A VERY light touch on addressing & terms
FE80::/10 - Link-Local Unicast Address
• The new APIPA (Automatic Private IP Addressing, i.e. 169.254.0.0/16 in the IPv4 world)
• Not routable: valid only on the local link, so a link-local address is always used together with the interface it belongs to (ping6 -I eth0 …, or the zone-index form fe80::1%eth0)
FC00::/7 - Unique Local Unicast Address (ULA)
• Comparable to private (RFC 1918) IPv4 addresses; in practice these are allocated from FD00::/8
2000::/3 – Global Unicast Address
• Comparable to public IPv4 addresses
Useful Multicast Addresses (link-local scope, so every host on the segment hears them):
• FF02::1 – All nodes
• FF02::2 – All routers
4. Local targets
Finding live IPv6 hosts on the local network is as easy as:
• ping6 -c4 -I eth0 ff02::1 (replies come from the hosts' Link-Local addresses)
• ping6 -c4 -I 2a00:23c4:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ff02::1 (with our own global address as the source, replies come from the hosts' Global addresses)
• thc-ipv6 https://www.thc.org/thc-ipv6/
One multicast request produces one reply per host, so expect ping6 to flag all but the first answer as (DUP!).
A dirty one-liner to determine the IPv4, IPv6 Link-Local & Global addresses of a target(s), by joining the ARP table and the IPv6 neighbour table on MAC address:
atk6-alive6 eth0 -l > /dev/null; atk6-alive6 eth0 > /dev/null; arp-scan -l | head -n -2 | tail -n +3 > arp && ip -6 neigh > neigh && for line in $(cat neigh | cut -d" " -f5 | sort -u); do grep $line arp && grep $line neigh && echo -e '\n'; done; rm arp neigh
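The same join done properly, as an added example that is not part of the talk: a Python replacement for the one-liner above that parses arp-scan and ip -6 neigh output and groups every IPv4, link-local, ULA and global address seen for one hardware address. The two sample outputs embedded below are constructed for illustration; run_live() shells out to the real tools (assumed to be installed, and needing root) and is otherwise identical.

```python
"""Join `arp-scan` and `ip -6 neigh` output by MAC address (added example)."""
import ipaddress
import re
import subprocess
from collections import defaultdict

# Constructed sample of `arp-scan -l` output, header and footer lines included.
SAMPLE_ARP_SCAN = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t08:00:27:aa:bb:cc\tPCS Systemtechnik GmbH
192.168.1.50\t08:00:27:11:22:33\tPCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 1.902 seconds (134.60 hosts/sec). 2 responded
"""

# Constructed sample of `ip -6 neigh` output (one entry without a lladdr on purpose).
SAMPLE_IP6_NEIGH = """\
fe80::a00:27ff:feaa:bbcc dev eth0 lladdr 08:00:27:aa:bb:cc router STALE
2a00:23c4:1:2:a00:27ff:feaa:bbcc dev eth0 lladdr 08:00:27:aa:bb:cc STALE
fe80::a00:27ff:fe11:2233 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
2a00:23c4:1:2:1234:5678:9abc:def0 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
fd12:3456:789a::10 dev eth0 lladdr 08:00:27:11:22:33 STALE
fe80::1 dev eth0 FAILED
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)


def parse_arp_scan(text):
    """{mac: ipv4} from arp-scan output; header/footer lines have no MAC in column 2."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and MAC_RE.match(fields[1]):
            hosts[fields[1].lower()] = fields[0]
    return hosts


def parse_ip6_neigh(text):
    """{mac: [ipv6, ...]} from `ip -6 neigh`; entries without a lladdr are unresolved, skip them."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            hosts[mac].append(fields[0])
    return hosts


def correlate(arp_text, neigh_text):
    """Merge both tables into {mac: {"ipv4", "link_local", "ula", "global"}}."""
    v4 = parse_arp_scan(arp_text)
    v6 = parse_ip6_neigh(neigh_text)
    result = {}
    for mac in sorted(set(v4) | set(v6)):
        entry = {"ipv4": v4.get(mac), "link_local": [], "ula": [], "global": []}
        for addr in v6.get(mac, []):
            a = ipaddress.IPv6Address(addr)
            if a.is_link_local:
                entry["link_local"].append(addr)
            elif a.is_private:          # fc00::/7 once link-local has been ruled out
                entry["ula"].append(addr)
            else:
                entry["global"].append(addr)
        result[mac] = entry
    return result


def run_live(interface="eth0"):
    """Run the real tools (root and arp-scan required) and correlate their output."""
    arp = subprocess.run(["arp-scan", "-l", "-I", interface],
                         capture_output=True, text=True, check=True).stdout
    neigh = subprocess.run(["ip", "-6", "neigh", "show", "dev", interface],
                           capture_output=True, text=True, check=True).stdout
    return correlate(arp, neigh)
```

Populate the neighbour table first (ping6 ff02::1 or alive6, exactly as on the slide); the kernel only records neighbours it has actually exchanged packets with, and entries without a lladdr are unresolved and are skipped.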
5. Local targets
Example: Mapping out OS behaviour
pkt1=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c")/ICMPv6EchoRequest())
• Gets a valid response (an Echo Reply) from most hosts
• However, in testing, Windows systems did not reply!
6. Local targets
pkt2=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c")/IPv6ExtHdrDestOpt(len=1)/ICMPv6EchoRequest())
• Sends an invalid packet and gets an invalid response…
• …but Windows systems DO reply (hence IPv6 enabled host discovery == complete)
Why this works: len=1 declares a 16-byte Destination Options header, but Scapy still emits only 8 bytes (one PadN option), so the receiver keeps parsing options into the ICMPv6 message that follows. The first byte it reads is the Echo Request type, 128 (0x80), treated as an unrecognised option whose two high bits are 10; RFC 8200 §4.2 requires such a packet to be discarded and answered with an ICMPv6 Parameter Problem even when the destination was multicast. Every host that processes the packet therefore announces itself with an error, whether or not it answers multicast pings. Send with sendp(pkt2, iface="eth0") and collect the replies with sniff(filter="icmp6").
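The two probes above built by hand, as an added example rather than code from the talk. It produces the raw IPv6 packets for pkt1 and pkt2 without Scapy, computes the ICMPv6 checksum over the pseudo-header, shows which option byte a receiver reads once it walks past the real 8-byte Destination Options header and what RFC 8200 tells it to do with it, and classifies replies. Addresses and the replies asserted on are constructed; the Ethernet source MAC and interface in the __main__ block are assumptions, and sending needs root on Linux.

```python
"""Hand-built ff02::1 discovery probes, with and without the bogus DestOpt header (added example)."""
import ipaddress
import socket
import struct

ICMPV6, DEST_OPTS = 58, 60
ECHO_REQUEST, ECHO_REPLY, PARAM_PROBLEM = 128, 129, 4


def ipv6_checksum(src, dst, next_header, payload):
    """RFC 8200 upper-layer checksum: pseudo-header (src, dst, length, next header) + payload."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), next_header))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src, dst="ff02::1", bogus_destopt=False, ident=0x1234, seq=1):
    """IPv6 header + [8-byte DestOpt claiming 16 bytes] + 8-byte ICMPv6 Echo Request."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", ipv6_checksum(src, dst, ICMPV6, icmp)) + icmp[4:]
    if bogus_destopt:
        # nh=58, Hdr Ext Len=1 (=> 16 bytes), followed only by PadN(4): what Scapy emits for len=1.
        ext = struct.pack("!BB", ICMPV6, 1) + b"\x01\x04" + b"\x00" * 4
        payload, nh = ext + icmp, DEST_OPTS
    else:
        payload, nh = icmp, ICMPV6
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def overread_option_type(packet):
    """The option type a receiver reads after the real 8 DestOpt bytes: the ICMPv6 type byte."""
    return packet[40 + 8]


def unknown_option_action(option_type):
    """RFC 8200 §4.2: the two high bits of an unrecognised option type select the action."""
    return {0: "skip", 1: "discard",
            2: "discard + Parameter Problem (even to multicast)",
            3: "discard + Parameter Problem (unicast destination only)"}[option_type >> 6]


def classify_reply(packet):
    """Name the ICMPv6 message carried directly in a raw IPv6 packet, or 'other'."""
    if packet[6] != ICMPV6:
        return "other"
    return {ECHO_REPLY: "echo-reply", PARAM_PROBLEM: "parameter-problem"}.get(packet[40], "other")


def verify_checksum(packet):
    """True when the ICMPv6 checksum of a raw IPv6 packet without extension headers is valid."""
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return ipv6_checksum(str(src), str(dst), ICMPV6, packet[40:]) == 0


if __name__ == "__main__":
    # Assumed: interface eth0 and the MAC behind the slide's EUI-64 link-local address.
    src = "fe80::a00:27ff:fe29:2f2c"
    eth = bytes.fromhex("333300000001") + bytes.fromhex("080027292f2c") + b"\x86\xdd"
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)  # Linux only, needs CAP_NET_RAW
    s.bind(("eth0", 0))
    s.send(eth + build_probe(src, bogus_destopt=True))
```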
7. Windows gotya’s
“… the colon is an illegal character in a UNC path name. Thus, the use of IPv6 addresses is also illegal in UNC names. For this reason, Microsoft implemented a transcription algorithm to represent an IPv6 address in the form of a domain name that can be used in UNC paths, ipv6-literal.net …”*
*https://en.wikipedia.org/wiki/IPv6_address#Literal_IPv6_addresses_in_UNC_path_names
The transcription is purely mechanical: every colon becomes a hyphen (so :: becomes --), a zone index % becomes s, and .ipv6-literal.net is appended, e.g. \\2a03-b0c0-1-d0--1650-b001.ipv6-literal.net\share.
8. On a side note…
The domain ipv6-literal.net is no longer owned by Microsoft and, at the time of the talk, is up for auction!
https://gb.auctions.godaddy.com/trpItemListing.aspx?miid=137558591
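The transcription implemented both ways, as an added example and not code from the talk: it canonicalises the address with the standard library first, handles a zone index, and builds the UNC path. The share name and addresses used are made up.

```python
"""IPv6 literals in UNC paths: the ipv6-literal.net transcription and its inverse (added example)."""
import ipaddress

SUFFIX = ".ipv6-literal.net"


def to_unc_literal(address):
    """'2a03:b0c0:1:d0::1650:b001' -> '2a03-b0c0-1-d0--1650-b001.ipv6-literal.net'."""
    addr = address.strip("[]")
    addr, _, zone = addr.partition("%")           # zone index (%4 on Windows, %eth0 on Linux) is optional
    addr = str(ipaddress.IPv6Address(addr))        # rejects junk, lower-cases and compresses to one '::'
    literal = addr.replace(":", "-")
    if zone:
        literal += "s" + zone                      # '%' is not valid in a host name either
    return literal + SUFFIX


def from_unc_literal(name):
    """Inverse transformation; hex digits never contain 's', so the first 's' starts the zone."""
    if not name.lower().endswith(SUFFIX):
        raise ValueError("not an ipv6-literal.net name: %r" % name)
    body = name[: -len(SUFFIX)].lower()
    body, _, zone = body.partition("s")
    addr = str(ipaddress.IPv6Address(body.replace("-", ":")))
    return addr + ("%" + zone if zone else "")


def unc_path(address, share, *path):
    r"""Build \\<literal>\share\... for an IPv6 host."""
    return "\\\\" + to_unc_literal(address) + "\\" + "\\".join((share,) + path)
```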
9. Remote targets
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.117 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe29:2f2c prefixlen 64 scopeid 0x20<link>
Only a link-local IPv6 address here: no native IPv6 from the ISP, so a remote IPv6 service is unreachable without help.
10. Speaking the lingo: Tunnel Brokers
“…a tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers…”*
*https://tunnelbroker.net/
11. Host recon
• No cutting edge techniques needed here…
12. It’s all a matter of perspective
nmap -Pn -nvv -sV ipv6.rebootuser.com
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 46.101.42.219.
Other addresses for ipv6.rebootuser.com (not scanned): 2a03:b0c0:1:d0::1650:b001
Not shown: 999 filtered ports
Reason: 998 no-responses
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 51 nginx 1.10.0 (Ubuntu)

nmap -Pn -nvv -sV ipv6.rebootuser.com -6
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 2a03:b0c0:1:d0::1650:b001.
Other addresses for ipv6.rebootuser.com (not scanned): 46.101.42.219
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 56 nginx 1.10.0 (Ubuntu)
Same host, two attack surfaces: over IPv4 everything except 80/tcp is filtered (no response at all), over IPv6 the unused ports answer with resets and SSH is exposed. Without -6, nmap scans only the first address it picks, so a dual-stack name needs two scans.
13. Talking to the target
server {
    listen [::]:80 default_server;
    root /var/www/html/ipv6;
    ...
}
server {
    listen 80 default_server;
    root /var/www/html/ipv4;
    ...
}
Two listeners, two document roots: nginx binds [::]:80 with ipv6only=on by default, so IPv6 and IPv4 visitors are served entirely different content.
14. Talking to the target
ls -l /var/www/html/ipv6/
total 8
-rw-r--r-- 1 www-data www-data  147 May  4 16:56 index.php
drwxr-xr-x 5 www-data www-data 4096 May 24 12:03 wp
ls -l /var/www/html/ipv4/
total 4
-rw-r--r-- 1 www-data www-data  147 May  4 16:56 index.php
The WordPress install under wp/ is only reachable over IPv6; an IPv4-only assessment never sees it.
15. IPv6 unaware tools (Linux)
• IPv6 aware:
wpscan --url http://[2a03:b0c0:1:d0::1650:b001]/wp/ --enumerate u
[+] URL: http://[2a03:b0c0:1:d0::1650:b001]/wp/
[snip]
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+----------------+
| Id | Login   | Name           |
+----+---------+----------------+
| 1  | blogger | blogger – IPv6 |
+----+---------+----------------+
• IPv6 unaware:
nikto -host http://[2a03:b0c0:1:d0::1650:b001]
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Cannot resolve hostname '[2a03'
+ 0 host(s) tested
(Nikto evidently splits host:port on the first colon, so the bracketed literal is cut down to '[2a03'.)
16. IPv6 unaware tools (Linux)
• Forcing a square peg into a round hole…
socat -v tcp4-listen:80,fork tcp6:[2a03:b0c0:1:d0::1650:b001]:80
[snip]...
< 2017/05/26 17:12:03.734587 length=313 from=151 to=463
<!DOCTYPE html>
<html>
<body>
<H1>You hit my IPv6 page!</H1>Your IP: 2002:xxxx:xxxx:10:99d8:b8d5:b5e0:fef
nikto -host http://127.0.0.1
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 80
+ Start Time: 2017-05-26 17:12:03 (GMT1)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
socat listens on IPv4 port 80 (root for a port below 1024) and opens a fresh IPv6 connection per client (fork); the target sees the tunnel endpoint (here an address from the 2002::/16 6to4 prefix), not 127.0.0.1. A tool pointed at 127.0.0.1 also sends that as its Host header, so name-based virtual hosts may need the header overridden.
17-18. IPv6 unaware tools (Windows)
• Taking advantage of the netsh PortProxy interface
netsh interface portproxy add v4tov6 listenport=80 connectaddress=2a03:b0c0:1:d0::1650:b001 connectport=80 protocol=tcp
https://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx
Run from an elevated prompt. With listenaddress omitted the proxy listens on every IPv4 address of the machine, so add listenaddress=127.0.0.1 to keep the relay local; netsh interface portproxy show all lists active proxies and netsh interface portproxy delete v4tov6 listenport=80 removes this one.
19. iptables will save us. Right?
• A fairly restrictive iptables configuration – would you agree?
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.186/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.187/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.188/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.189/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.202/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.250/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 5
-A LOGGING -j DROP
Default-drop in all three chains, inbound only 80/tcp, outbound only DNS to 8.8.8.8 and HTTP(S) to a handful of hosts. It governs IPv4 only: iptables and ip6tables are separate tables, and nothing here applies to the IPv6 stack.
20. iptables will save us. Right?
[diagram: Attacker -> Victim over IPv4, blocked]
21. It’s all in the n6me!
[diagram: Attacker -> Victim over IPv6, straight through]
22. It’s all in the n6me!
• Lets fix this…
sudo ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Points worth checking before copying this:
• The IPv4 rules simply never applied to IPv6 traffic, which is why the nmap -6 scan earlier found SSH open while IPv4 showed only 80/tcp. Any host with a global IPv6 address needs its own ip6tables policy.
• ICMPv6 must stay open for Neighbour Discovery and Router Advertisements to work; the rules above allow all of it, and limiting it with --icmpv6-type to the types actually needed is tighter.
• -s fe80::/10 -j ACCEPT admits any link-local traffic, which is only as trustworthy as the local segment.
• Unlike the IPv4 set there is no outbound DNS or HTTP(S) allowance over IPv6, so this host can serve on 22 and 80 but cannot originate IPv6 connections; fine if that is the intent.
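A check for exactly this gap, as an added example and not code from the talk: it parses iptables -S and ip6tables -S dumps, flags chains whose policy is ACCEPT with no rules at all (the state of an untouched ip6tables), and lists TCP ports accepted in INPUT over IPv6 but not IPv4. The three dumps embedded below are constructed: a trimmed copy of the slide's IPv4 rules, an empty IPv6 ruleset, and a trimmed copy of the fix above. audit_live() runs the real binaries (assumed installed, root needed).

```python
"""Spot an IPv4-only firewall by comparing iptables and ip6tables rule dumps (added example)."""
import re
import subprocess

SAMPLE_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -j DROP
"""

# What `ip6tables -S` prints on a host nobody has configured.
SAMPLE_V6_DEFAULT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

SAMPLE_V6_FIXED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""


def parse_rules(dump):
    """({chain: policy}, [(chain, rule_line)]) from an `-S` (iptables-save style) dump."""
    policies, rules = {}, []
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.append((parts[1], line))
    return policies, rules


def accepted_input_ports(dump):
    """TCP destination ports explicitly ACCEPTed in INPUT (--dport or multiport --dports)."""
    _, rules = parse_rules(dump)
    ports = set()
    for chain, rule in rules:
        if chain != "INPUT" or "-j ACCEPT" not in rule or "-p tcp" not in rule:
            continue
        m = re.search(r"--dports? (\S+)", rule)
        if m:
            ports.update(int(p) for p in m.group(1).split(","))
    return ports


def open_chains(dump):
    """Chains that accept everything: policy ACCEPT and not a single rule attached."""
    policies, rules = parse_rules(dump)
    used = {chain for chain, _ in rules}
    return sorted(c for c, pol in policies.items() if pol == "ACCEPT" and c not in used)


def audit(v4_dump, v6_dump):
    """Findings as plain strings; empty list means both families are at least configured."""
    findings = []
    wide_open = open_chains(v6_dump)
    if wide_open:
        findings.append("ip6tables chains with ACCEPT policy and no rules: " + ", ".join(wide_open))
    extra = accepted_input_ports(v6_dump) - accepted_input_ports(v4_dump)
    if extra and not wide_open:
        findings.append("TCP ports reachable over IPv6 but not IPv4: "
                        + ", ".join(str(p) for p in sorted(extra)))
    return findings


def audit_live():
    """Run against the local host (root and both binaries required)."""
    v4 = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True).stdout
    v6 = subprocess.run(["ip6tables", "-S"], capture_output=True, text=True, check=True).stdout
    return audit(v4, v6)
```

On the slide's host the first run would report the three wide-open chains; after the fix it reports port 22, which is exactly what the nmap -6 scan showed and what an IPv4-only review would have missed. The port comparison is deliberately limited to explicit ACCEPTs in INPUT; interface, source and rate-limit qualifiers on those rules are not evaluated.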
23. Tools and resources worth a look
thc-ipv6
• https://github.com/vanhauser-thc/thc-ipv6
Scapy with IPv6
• http://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf
Various IPv6 tutorials
• http://www.omnisecu.com/tcpip/ipv6/
IPv6 Essentials (Silvia Hagen)
• https://www.amazon.co.uk/d/cka/IPv6-Essentials-Silvia-Hagen/1449319211/ref=sr_1_1?ie=UTF8&qid=1496609973&sr=8-1&keywords=ipv6+essentials
That’s all folks!
