IPv6 for Pentesters
•
0 likes•2,541 views
IPv6 is slowly making its way into our environments and we need to be aware of how it impacts the systems we manage. This presentation takes us through a basic review of the protocol from a pentesters perspective
Recommended
More Related Content
What's hot
What's hot (20)
Similar to IPv6 for Pentesters
Similar to IPv6 for Pentesters (20)
More from NotSoSecure Global Services
More from NotSoSecure Global Services (6)
Recently uploaded
Recently uploaded (20)
IPv6 for Pentesters
- 2. Whoami • Owen Shearing @rebootuser • www.notsosecure.com Coming up… • IPv6 addresses and terminology (minimal theory!) • Connecting to remote IPv6 services; even if the ISP doesn’t support native IPv6 • Taking a look at non-IPv6 aware toolsets (Linux & Windows) • Limitations (or unawareness) of common security configurations • Putting this stuff into practice! IPv6 for Pentesters
- 3. A VERY light touch on addressing & terms FE80::/10 - Link-Local Unicast Address • The new APIPA (Automatic Private IP Addressing, i.e. 169.254.0.0 in the IPv4 world) • Not routable FC00::/7 - Unique Local Unicast Address (ULA) • Comparable to private IPv4 addresses 2000::/3 – Global Unicast Address • Comparable to public IPv4 addresses Useful Multicast Addresses: • FF02::1 – All nodes • FF02::2 – All routers coming up…
- 4. Local targets Finding live IPv6 hosts on the local network is as easy as: • ping6 -c4 -I eth0 ff02::1 (Link-Local addresses) • ping6 -c4 -I 2a00:23c4:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ff02::1 (Global addresses) • thc-ipv6 https://www.thc.org/thc-ipv6/ A dirty one liner to determine the IPv4, IPv6 Link-Local & Global addresses of a target(s): atk6-alive6 eth0 -l > /dev/null; atk6-alive6 eth0 > /dev/null; arp-scan -l | head -n - 2 | tail -n +3 > arp && ip -6 neigh > neigh && for line in $(cat neigh | cut -d" " -f5 |sort -u); do grep $line arp && grep $line neigh && echo -e 'n'; done; rm arp neigh
- 6. Local targets pkt2=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c ")/IPv6ExtHdrDestOpt(len=1)/ICMPv6EchoRequest()) • Sends an invalid packet and get’s an invalid response… • …but Windows systems DO reply (hence IPv6 enabled host discovery == complete)
- 9. Remote targets eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.117 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::a00:27ff:fe29:2f2c prefixlen 64 scopeid 0x20<link>
- 10. “…a tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers…”* *https://tunnelbroker.net/ Speaking the lingo: Tunnel Brokers
- 12. nmap -Pn -nvv -sV ipv6.rebootuser.com Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 46.101.42.219. Other addresses for ipv6.rebootuser.com (not scanned): 2a03:b0c0:1:d0::1650:b001 Not shown: 999 filtered ports Reason: 998 no-responses PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 51 nginx 1.10.0 (Ubuntu) It’s all a matter of perspective nmap -Pn -nvv -sV ipv6.rebootuser.com -6 Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 2a03:b0c0:1:d0::1650:b001. Other addresses for ipv6.rebootuser.com (not scanned): 46.101.42.219 Not shown: 998 closed ports Reason: 998 resets PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http syn-ack ttl 56 nginx 1.10.0 (Ubuntu)
- 13. Talking to the target server { listen [::]:80 default_server; root /var/www/html/ipv6; server { listen 80 default_server; root /var/www/html/ipv4;
- 14. Talking to the target ls -l /var/www/html/ipv6/ total 8 -rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php drwxr-xr-x 5 www-data www-data 4096 May 24 12:03 wp ls -l /var/www/html/ipv4/ total 4 -rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php
- 15. • IPv6 aware: wpscan --url http://[2a03:b0c0:1:d0::1650:b001]/wp/ --enumerate u [+] URL: http://[2a03:b0c0:1:d0::1650:b001]/wp/ [snip] [+] Enumerating usernames ... [+] Identified the following 1 user/s: +----+---------+----------------+ | Id | Login | Name | +----+---------+----------------+ | 1 | blogger | blogger – IPv6 | +----+---------+----------------+ • IPv6 unaware: nikto -host http://[2a03:b0c0:1:d0::1650:b001] - Nikto v2.1.6 --------------------------------------------------------------------------- + ERROR: Cannot resolve hostname '[2a03' + 0 host(s) tested IPv6 unaware tools (Linux)
- 16. • Forcing a square peg into a round hole… socat -v tcp4-listen:80,fork tcp6:[2a03:b0c0:1:d0::1650:b001]:80 [snip]... < 2017/05/26 17:12:03.734587 length=313 from=151 to=463 r 7br <!DOCTYPE html> <html> <body> <H1>You hit my IPv6 page!</H1>Your IP: 2002:xxxx:xxxx:10:99d8:b8d5:b5e0:fef nikto -host http://127.0.0.1 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 127.0.0.1 + Target Hostname: 127.0.0.1 + Target Port: 80 + Start Time: 2017-05-26 17:12:03 (GMT1) --------------------------------------------------------------------------- + Server: nginx/1.10.0 (Ubuntu) + The anti-clickjacking X-Frame-Options header is not present. IPv6 unaware tools (Linux)
- 18. • Taking advantage of the netsh PortProxy interface netsh interface portproxy add v4tov6 listenport=80 connectaddress=2a03:b0c0:1:d0::1650:b001 connectport=80 protocol=tcp https://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx IPv6 unaware tools (Windows)
- 19. • A fairly restrictive iptables configuration – would you agree? sudo iptables –S -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -N LOGGING -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.186/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.187/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.188/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.189/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.202/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 66.155.40.250/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -j LOGGING -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 5 -A LOGGING -j DROP iptables will save us. Right?
- 22. • Lets fix this… sudo ip6tables -S -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A INPUT -s fe80::/10 -j ACCEPT -A INPUT -d ff00::/8 -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -s fe80::/10 -j ACCEPT -A OUTPUT -d ff00::/8 -j ACCEPT -A OUTPUT -p ipv6-icmp -j ACCEPT -A OUTPUT -p tcp -m multiport --sports 22,80 -m conntrack --ctstate ESTABLISHED -j ACCEPT It’s all in the n6me!
- 23. thc-ipv6 • https://github.com/vanhauser-thc/thc-ipv6 Scapy with IPv6 • http://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf Various IPv6 tutorials • http://www.omnisecu.com/tcpip/ipv6/ IPv6 Essentials • https://www.amazon.co.uk/d/cka/IPv6-Essentials-Silvia- Hagen/1449319211/ref=sr_1_1?ie=UTF8&qid=1496609973&sr=8-1&keywords=ipv6+essentials Tools and resources worth a look
- 24. Questions?