IPv6 for Pentesters

Whoami
• Owen Shearing @rebootuser
• www.notsosecure.com
Coming up…
• IPv6 addresses and terminology (minimal theory!)
• Connecting to remote IPv6 services; even if the ISP doesn’t support native IPv6
• Taking a look at non-IPv6 aware toolsets (Linux & Windows)
• Limitations (or unawareness) of common security configurations
• Putting this stuff into practice!
IPv6 for Pentesters

A VERY light touch on addressing & terms
FE80::/10 - Link-Local Unicast Address
• The new APIPA (Automatic Private IP Addressing, i.e. 169.254.0.0 in the IPv4 world)
• Not routable
FC00::/7 - Unique Local Unicast Address (ULA)
• Comparable to private IPv4 addresses
2000::/3 – Global Unicast Address
• Comparable to public IPv4 addresses
Useful Multicast Addresses:
• FF02::1 – All nodes
• FF02::2 – All routers
coming up…

Local targets
Finding live IPv6 hosts on the local network is as easy as:
• ping6 -c4 -I eth0 ff02::1 (Link-Local addresses)
• ping6 -c4 -I 2a00:23c4:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ff02::1 (Global addresses)
• thc-ipv6 https://www.thc.org/thc-ipv6/
A dirty one liner to determine the IPv4, IPv6 Link-Local & Global addresses of a target(s):
atk6-alive6 eth0 -l > /dev/null; atk6-alive6 eth0 > /dev/null; arp-scan -l | head -n -
2 | tail -n +3 > arp && ip -6 neigh > neigh && for line in $(cat neigh | cut -d" " -f5
|sort -u); do grep $line arp && grep $line neigh && echo -e 'n'; done; rm arp neigh

Local targets
Example: Mapping out OS behaviour
pkt1=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c
")/ICMPv6EchoRequest())
• Get’s a valid response
• However in testing, Windows systems did not reply!

Local targets
pkt2=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c
")/IPv6ExtHdrDestOpt(len=1)/ICMPv6EchoRequest())
• Sends an invalid packet and get’s an invalid response…
• …but Windows systems DO reply (hence IPv6 enabled host discovery == complete)

Windows gotya’s
“… the colon is an illegal character in a UNC path name.
Thus, the use of IPv6 addresses is also illegal in UNC
names. For this reason, Microsoft implemented a
transcription algorithm to represent an IPv6 address in
the form of a domain name that can be used in UNC
paths, ipv6-literal.net …”*
*https://en.wikipedia.org/wiki/IPv6_address#Literal_IPv6_addresses_in_U
NC_path_names

On a side note…
The domain ipv6-literal.net is no longer owned by Microsoft and is up for auction!
https://gb.auctions.godaddy.com/trpItemListing.aspx?miid=137558591

Remote targets
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.117 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe29:2f2c prefixlen 64 scopeid 0x20<link>

“…a tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4
connections from your IPv6 enabled host or router to one of our IPv6 routers…”*
*https://tunnelbroker.net/
Speaking the lingo: Tunnel Brokers

• No cutting edge techniques needed here…
Host recon

nmap -Pn -nvv -sV ipv6.rebootuser.com
Warning: Hostname ipv6.rebootuser.com
resolves to 2 IPs. Using 46.101.42.219.
Other addresses for ipv6.rebootuser.com (not
scanned): 2a03:b0c0:1:d0::1650:b001
Not shown: 999 filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 51 nginx
1.10.0 (Ubuntu)
It’s all a matter of perspective
nmap -Pn -nvv -sV ipv6.rebootuser.com -6
Warning: Hostname ipv6.rebootuser.com resolves
to 2 IPs. Using 2a03:b0c0:1:d0::1650:b001.
Other addresses for ipv6.rebootuser.com (not
scanned): 46.101.42.219
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 56 OpenSSH
7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol
2.0)
80/tcp open http syn-ack ttl 56 nginx
1.10.0 (Ubuntu)

Talking to the target
server
{
listen [::]:80 default_server;
root /var/www/html/ipv6;
server
{
listen 80 default_server;
root /var/www/html/ipv4;

Talking to the target
ls -l /var/www/html/ipv6/
total 8
-rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php
drwxr-xr-x 5 www-data www-data 4096 May 24 12:03 wp
ls -l /var/www/html/ipv4/
total 4
-rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php

• IPv6 aware:
wpscan --url http://[2a03:b0c0:1:d0::1650:b001]/wp/ --enumerate u
[+] URL: http://[2a03:b0c0:1:d0::1650:b001]/wp/
[snip]
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+----------------+
| Id | Login | Name |
+----+---------+----------------+
| 1 | blogger | blogger – IPv6 |
+----+---------+----------------+
• IPv6 unaware:
nikto -host http://[2a03:b0c0:1:d0::1650:b001]
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Cannot resolve hostname '[2a03'
+ 0 host(s) tested
IPv6 unaware tools (Linux)

• Forcing a square peg into a round hole…
socat -v tcp4-listen:80,fork tcp6:[2a03:b0c0:1:d0::1650:b001]:80
[snip]...
< 2017/05/26 17:12:03.734587 length=313 from=151 to=463
r
7br
<!DOCTYPE html>
<html>
<body>
<H1>You hit my IPv6 page!</H1>Your IP: 2002:xxxx:xxxx:10:99d8:b8d5:b5e0:fef
nikto -host http://127.0.0.1
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 80
+ Start Time: 2017-05-26 17:12:03 (GMT1)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
IPv6 unaware tools (Linux)

• Taking advantage of the netsh PortProxy interface
netsh interface portproxy add v4tov6 listenport=80
connectaddress=2a03:b0c0:1:d0::1650:b001 connectport=80 protocol=tcp
https://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx
IPv6 unaware tools (Windows)

• A fairly restrictive iptables configuration – would you agree?
sudo iptables –S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.186/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 5
-A LOGGING -j DROP
iptables will save us. Right?

iptables will save us. Right?
AttackerVictim

It’s all in the n6me!
AttackerVictim

• Lets fix this…
sudo ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
It’s all in the n6me!

thc-ipv6
• https://github.com/vanhauser-thc/thc-ipv6
Scapy with IPv6
• http://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf
Various IPv6 tutorials
• http://www.omnisecu.com/tcpip/ipv6/
IPv6 Essentials
• https://www.amazon.co.uk/d/cka/IPv6-Essentials-Silvia-
Hagen/1449319211/ref=sr_1_1?ie=UTF8&qid=1496609973&sr=8-1&keywords=ipv6+essentials
That’s all folks!
Tools and resources worth a look

IPv6 for Pentesters

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Similar to IPv6 for Pentesters

Similar to IPv6 for Pentesters (20)

More from camsec

More from camsec (6)

Recently uploaded

Recently uploaded (20)

IPv6 for Pentesters