IPv6 for Pentesters
Whoami
• Owen Shearing @rebootuser
• www.notsosecure.com
Coming up…
• IPv6 addresses and terminology (minimal theory!)
• Connecting to remote IPv6 services; even if the ISP doesn't support native IPv6
• Taking a look at non-IPv6 aware toolsets (Linux & Windows)
• Limitations (or unawareness) of common security configurations
• Putting this stuff into practice!
A VERY light touch on addressing & terms
FE80::/10 - Link-Local Unicast Address
• The new APIPA (Automatic Private IP Addressing, i.e. 169.254.0.0/16 in the IPv4 world)
• Not routable; every IPv6-enabled interface configures one automatically, whether or not the network has any IPv6 deployed
FC00::/7 - Unique Local Unicast Address (ULA)
• Comparable to private (RFC 1918) IPv4 addresses
2000::/3 - Global Unicast Address
• Comparable to public IPv4 addresses
Useful Multicast Addresses (link-local scope, so they only reach hosts on the same segment):
• FF02::1 - All nodes
• FF02::2 - All routers
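As an added example (not part of the original slides), the scopes above expressed with Python's ipaddress module, plus two derivations a local-network tester keeps needing: the Ethernet multicast MAC that ff02::1 maps to (33:33 followed by the low 32 bits, RFC 2464) and the modified EUI-64 link-local address a host forms from its MAC. The MAC 08:00:27:29:2f:2c is assumed; it is the one the slides' fe80::a00:27ff:fe29:2f2c would be derived from.

```python
"""Classify IPv6 addresses into the scopes above and derive the multicast MAC
for ff02::1 and the EUI-64 link-local address built from a MAC."""
import ipaddress
from typing import Optional


def classify(addr: str) -> str:
    """Map an address to the terminology used on the slides."""
    a = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id such as %eth0
    if a.is_multicast:                              # ff00::/8
        return "multicast"
    if a.is_link_local:                             # fe80::/10
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):      # ULA
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):      # global unicast
        return "global"
    return "other"


def multicast_mac(addr: str) -> str:
    """IPv6 multicast -> Ethernet: 33:33 + the low 32 bits of the address (RFC 2464)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[-4:])


def eui64_link_local(mac: str) -> str:
    """Modified EUI-64: flip the U/L bit of the first octet, insert ff:fe in the middle."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse of the above; returns None for IIDs without ff:fe (e.g. privacy addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    for a in ("fe80::a00:27ff:fe29:2f2c", "fd12:3456::1", "2a03:b0c0:1:d0::1650:b001", "ff02::1"):
        print(a, classify(a))
    print(multicast_mac("ff02::1"), eui64_link_local("08:00:27:29:2f:2c"))
```

mac_from_eui64() is the quick way to tell an EUI-64 link-local (which leaks the MAC, and therefore the vendor) from a randomised one.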
Local	targets
Finding live IPv6 hosts on the local network is as easy as:
• ping6 -c4 -I eth0 ff02::1 (every node answers from its Link-Local address)
• ping6 -c4 -I 2a00:23c4:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ff02::1 (sourcing the ping from your Global address makes nodes answer from their Global addresses)
• thc-ipv6 https://www.thc.org/thc-ipv6/
A dirty one-liner to determine the IPv4, IPv6 Link-Local & Global addresses of a target(s). The two alive6 runs populate the neighbour cache, arp-scan maps IPv4 to MAC, ip -6 neigh maps IPv6 to MAC (field 5 is the lladdr), and the loop joins the two on the MAC:
atk6-alive6 eth0 -l > /dev/null; atk6-alive6 eth0 > /dev/null; arp-scan -l | head -n -2 | tail -n +3 > arp && ip -6 neigh > neigh && for line in $(cat neigh | cut -d" " -f5 | sort -u); do grep $line arp && grep $line neigh && echo -e '\n'; done; rm arp neigh
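The join the one-liner performs, as an added example (not from the slides) that runs offline: it parses arp-scan and ip -6 neigh output and correlates on the MAC. The two tool outputs below are constructed for the example, including a FAILED neighbour entry with no lladdr, which a fixed-column cut would mis-parse.

```python
"""Join `arp-scan -l` (IPv4 <-> MAC) with `ip -6 neigh` (IPv6 <-> MAC) on the MAC."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp-scan -l`: two header lines and two footer lines, as
# the one-liner's `head -n -2 | tail -n +3` assumes, with tab-separated body lines.
ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 08:00:27:29:2f:2c, IPv4: 192.168.1.117
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t52:54:00:12:34:56\tQEMU
192.168.1.120\t08:00:27:aa:bb:cc\tPCS Systemtechnik GmbH

2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.012 seconds (127.24 hosts/sec). 2 responded
"""

# Constructed sample of `ip -6 neigh`; the last entry has no lladdr at all.
IP6_NEIGH = """\
fe80::5054:ff:fe12:3456 dev eth0 lladdr 52:54:00:12:34:56 router REACHABLE
2a00:23c4:1:1::1 dev eth0 lladdr 52:54:00:12:34:56 router STALE
fe80::a00:27ff:feaa:bbcc dev eth0 lladdr 08:00:27:aa:bb:cc STALE
2a00:23c4:1:1:a00:27ff:feaa:bbcc dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
fe80::1 dev eth0 FAILED
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_arp_scan(text: str) -> dict:
    """{mac: ipv4}; header/footer lines have no MAC in the second tab column and drop out."""
    out = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and MAC_RE.match(parts[1]):
            out[parts[1].lower()] = parts[0]
    return out


def parse_ip6_neigh(text: str) -> dict:
    """{mac: [ipv6, ...]}; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    out = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            out[parts[parts.index("lladdr") + 1].lower()].append(parts[0])
    return out


def _is_link_local(addr: str) -> bool:
    return ipaddress.IPv6Address(addr.split("%")[0]).is_link_local


def correlate(arp_text: str, neigh_text: str) -> dict:
    """Per MAC: the IPv4 address (if any) and the link-local and global IPv6 addresses."""
    v4, v6 = parse_arp_scan(arp_text), parse_ip6_neigh(neigh_text)
    hosts = {}
    for mac in sorted(set(v4) | set(v6)):
        addrs = v6.get(mac, [])
        hosts[mac] = {
            "ipv4": v4.get(mac),
            "link_local": [a for a in addrs if _is_link_local(a)],
            "global": [a for a in addrs if not _is_link_local(a)],
        }
    return hosts


if __name__ == "__main__":
    for mac, h in correlate(ARP_SCAN, IP6_NEIGH).items():
        print(mac, h["ipv4"], h["link_local"], h["global"])
```

Hosts that answered ARP but have no neighbour entry show up with empty IPv6 lists, which is itself useful: those are the ones alive6 did not elicit a reply from.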
Example: mapping out OS behaviour with Scapy
from scapy.all import Ether, IPv6, IPv6ExtHdrDestOpt, ICMPv6EchoRequest, sendp
pkt1=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c")/ICMPv6EchoRequest())
sendp(pkt1, iface="eth0")
• 33:33:00:00:00:01 is the Ethernet multicast MAC that ff02::1 maps to
• Gets a valid response
• However, in testing, Windows systems did not reply!
pkt2=(Ether(dst="33:33:00:00:00:01")/IPv6(dst="ff02::1",src="fe80::a00:27ff:fe29:2f2c")/IPv6ExtHdrDestOpt(len=1)/ICMPv6EchoRequest())
sendp(pkt2, iface="eth0")
• Sends an invalid packet (len=1 declares a 16-byte Destination Options header, but only 8 bytes are sent) and gets an invalid response…
• …but Windows systems DO reply (hence IPv6-enabled host discovery == complete)
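To make the difference between the two probes visible, here is an added example (not from the slides) that builds both frames byte by byte with only the standard library, then runs them through a strict receiver that follows the declared extension header length and verifies the ICMPv6 checksum over the RFC 8200 pseudo-header. The source MAC 08:00:27:29:2f:2c is assumed (the EUI-64 origin of the slides' link-local address); that Windows replies to the malformed probe is the slides' observation, not something this code tests.

```python
"""The two Scapy probes rebuilt byte by byte: ICMPv6 echo to ff02::1 with and
without a Destination Options header whose Hdr Ext Len overstates its size."""
import ipaddress
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_NODES_MAC = bytes.fromhex("333300000001")                # 33:33 + low 32 bits of ff02::1
SRC_IP = ipaddress.IPv6Address("fe80::a00:27ff:fe29:2f2c")  # from the slides
SRC_MAC = bytes.fromhex("080027292f2c")                      # assumed (EUI-64 origin of SRC_IP)
ETH_P_IPV6, HOP_LIMIT = 0x86DD, 64
NH_DSTOPT, NH_ICMPV6 = 60, 58
ICMPV6_ECHO_REQUEST = 128


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp: bytes) -> int:
    """Pseudo-header (src, dst, upper-layer length, 3 zero bytes, next header 58) + message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), NH_ICMPV6)
    return (~_ones_complement_sum(pseudo + icmp)) & 0xFFFF


def build_echo(bad_destopt: bool) -> bytes:
    """Ethernet/IPv6/[DestOpt]/ICMPv6 echo request to all nodes; id and seq 0 like Scapy's defaults."""
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(SRC_IP, ALL_NODES, icmp)) + icmp[4:]
    if bad_destopt:
        # nh=58, Hdr Ext Len=1: a receiver expects (1+1)*8 = 16 bytes, but only 8 are sent
        # (2 header bytes + a 6-byte PadN option), so the echo is swallowed as option data.
        ext, first_nh = struct.pack("!BB", NH_ICMPV6, 1) + bytes([1, 4, 0, 0, 0, 0]), NH_DSTOPT
    else:
        ext, first_nh = b"", NH_ICMPV6
    payload = ext + icmp
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, HOP_LIMIT) + SRC_IP.packed + ALL_NODES.packed
    return ALL_NODES_MAC + SRC_MAC + struct.pack("!H", ETH_P_IPV6) + ip6 + payload


def parse_frame(frame: bytes) -> dict:
    """Strict receiver: follow the declared extension header lengths, then verify the checksum."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return {"ok": False, "reason": "not IPv6"}
    ip6 = frame[14:54]
    plen, nh = struct.unpack("!HB", ip6[4:7])
    src, dst = ipaddress.IPv6Address(ip6[8:24]), ipaddress.IPv6Address(ip6[24:40])
    body, off = frame[54:54 + plen], 0
    while nh in (0, 43, 60):  # hop-by-hop, routing and dest-opts share the (nh, len) layout
        if off + 2 > len(body):
            return {"ok": False, "reason": "extension header truncated"}
        nh, off = body[off], off + (body[off + 1] + 1) * 8
        if off > len(body):
            return {"ok": False, "reason": "extension header overruns payload"}
    if nh != NH_ICMPV6 or len(body) - off < 8:
        return {"ok": False, "reason": "no ICMPv6 message left after extension headers"}
    icmp = body[off:]
    if icmpv6_checksum(src, dst, icmp) != 0:  # a correct stored checksum folds the sum to zero
        return {"ok": False, "reason": "bad checksum"}
    return {"ok": True, "type": icmp[0], "src": str(src), "reason": ""}


if __name__ == "__main__":
    for bad in (False, True):
        frame = build_echo(bad)
        print(len(frame), "bytes", "malformed" if bad else "well-formed", parse_frame(frame))
```

To put either frame on the wire, write the bytes to an AF_PACKET socket bound to the interface (root required); a stack that replies to the second frame is answering a packet it could not have parsed cleanly, which is exactly the fingerprint the slides exploit.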
Windows gotchas
"… the colon is an illegal character in a UNC path name. Thus, the use of IPv6 addresses is also illegal in UNC names. For this reason, Microsoft implemented a transcription algorithm to represent an IPv6 address in the form of a domain name that can be used in UNC paths, ipv6-literal.net …"*
*https://en.wikipedia.org/wiki/IPv6_address#Literal_IPv6_addresses_in_UNC_path_names
On a side note…
The domain ipv6-literal.net is no longer owned by Microsoft and is up for auction!
https://gb.auctions.godaddy.com/trpItemListing.aspx?miid=137558591
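The transcription in code, as an added example (not from the slides): colons become hyphens, a zone id after % becomes s, and the .ipv6-literal.net suffix is appended. Windows handles this suffix in its own name resolution rather than querying DNS, which is why the domain's ownership (the side note above) does not affect it. The share names in the test are made up.

```python
"""Microsoft's ipv6-literal.net transcription of IPv6 addresses for UNC paths."""
import ipaddress

SUFFIX = ".ipv6-literal.net"


def to_literal_name(addr: str) -> str:
    """2a03:b0c0:1:d0::1650:b001 -> 2a03-b0c0-1-d0--1650-b001.ipv6-literal.net"""
    ip, _, zone = addr.partition("%")
    ip = str(ipaddress.IPv6Address(ip))      # canonical lower-case, compressed form
    name = ip.replace(":", "-")
    if zone:                                  # fe80::1%12 -> fe80--1s12
        name += "s" + zone
    return name + SUFFIX


def from_literal_name(name: str) -> str:
    """Reverse transcription; 's' cannot appear in hex, so it unambiguously marks the zone id."""
    if not name.lower().endswith(SUFFIX):
        raise ValueError("not an ipv6-literal.net name")
    body, _, zone = name[: -len(SUFFIX)].partition("s")
    addr = body.replace("-", ":")
    ipaddress.IPv6Address(addr)               # validates the result
    return addr + ("%" + zone if zone else "")


def unc_path(addr: str, share: str, *rest: str) -> str:
    """\\\\<literal-name>\\share\\..., usable wherever a UNC path is accepted."""
    return "\\\\" + to_literal_name(addr) + "\\" + "\\".join((share,) + rest)


if __name__ == "__main__":
    print(unc_path("2a03:b0c0:1:d0::1650:b001", "c$", "Windows"))
    print(unc_path("fe80::a00:27ff:fe29:2f2c%12", "share"))
```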
Remote targets
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.117 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe29:2f2c prefixlen 64 scopeid 0x20<link>
• Only a Link-Local IPv6 address on the tester's box: no native IPv6 from the ISP, so the IPv6 Internet is out of reach from here
Speaking the lingo: Tunnel Brokers
"…a tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers…"*
*https://tunnelbroker.net/
• No cutting edge techniques needed here…
Host recon
nmap -Pn -nvv -sV ipv6.rebootuser.com
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 46.101.42.219.
Other addresses for ipv6.rebootuser.com (not scanned): 2a03:b0c0:1:d0::1650:b001
Not shown: 999 filtered ports
Reason: 998 no-responses
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 51 nginx 1.10.0 (Ubuntu)
It's all a matter of perspective
nmap -Pn -nvv -sV ipv6.rebootuser.com -6
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 2a03:b0c0:1:d0::1650:b001.
Other addresses for ipv6.rebootuser.com (not scanned): 46.101.42.219
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 56 nginx 1.10.0 (Ubuntu)
• Same host, two attack surfaces: over IPv4 everything but 80/tcp is filtered (no responses); over IPv6 22/tcp is open as well and the closed ports answer with RSTs, i.e. nothing is filtering the IPv6 path
• nmap scans one address family per run: without -6 the AAAA record is reported but never scanned
Talking to the target
# nginx: one server block per address family, each with its own document root.
# On Linux, listen [::]:80 accepts IPv6 only (ipv6only=on is nginx's default),
# so what you get depends entirely on how you connect.
server {
    listen [::]:80 default_server;
    root /var/www/html/ipv6;
}
server {
    listen 80 default_server;
    root /var/www/html/ipv4;
}
ls -l /var/www/html/ipv6/
total 8
-rw-r--r-- 1 www-data www-data  147 May  4 16:56 index.php
drwxr-xr-x 5 www-data www-data 4096 May 24 12:03 wp
ls -l /var/www/html/ipv4/
total 4
-rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php
• The WordPress install only exists on the IPv6 side; an IPv4-only assessment never sees it
• IPv6 aware:
wpscan --url http://[2a03:b0c0:1:d0::1650:b001]/wp/ --enumerate u
[+] URL: http://[2a03:b0c0:1:d0::1650:b001]/wp/
[snip]
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+----------------+
| Id | Login   | Name           |
+----+---------+----------------+
| 1  | blogger | blogger – IPv6 |
+----+---------+----------------+
• IPv6 unaware:
nikto -host http://[2a03:b0c0:1:d0::1650:b001]
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Cannot resolve hostname '[2a03'
+ 0 host(s) tested
• nikto evidently splits host:port on the first colon, so the bracketed literal becomes the "hostname" '[2a03'
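The failure mode side by side with the correct handling, as an added example (not from the slides and not nikto's code): the IPv4-era host:port split on the first colon produces exactly the '[2a03' that nikto reports, whereas urllib.parse treats the brackets as the host delimiter. build_url() does the reverse, re-bracketing literals for IPv6-aware tools such as wpscan. The function names are this example's own.

```python
"""Bracketed IPv6 literals in URLs: the naive split versus RFC 3986 parsing."""
import ipaddress
from urllib.parse import urlsplit

URL = "http://[2a03:b0c0:1:d0::1650:b001]/wp/"


def naive_host(url: str) -> str:
    """The IPv4-era idiom: strip the scheme, cut at '/', then split host:port on ':'."""
    netloc = url.split("://", 1)[1].split("/", 1)[0]
    return netloc.split(":")[0]              # '[2a03' for an IPv6 literal


def host_port(url: str) -> tuple:
    """Brackets delimit the host; the port is whatever follows ']:' (or the scheme default)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("no host in URL")
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default   # hostname is unbracketed and lower-cased


def connect_target(url: str) -> tuple:
    """(host, port, is_ipv6): an IPv6 literal needs AF_INET6, a hostname needs the resolver."""
    host, port = host_port(url)
    try:
        is_v6 = ipaddress.ip_address(host).version == 6
    except ValueError:
        is_v6 = False                        # a DNS name: getaddrinfo decides (A vs AAAA)
    return host, port, is_v6


def build_url(host: str, port: int, path: str = "/", scheme: str = "http") -> str:
    """Re-bracket IPv6 literals when building URLs for IPv6-aware tools."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = f"[{host}]"
    except ValueError:
        pass
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}{'' if port == default else f':{port}'}{path}"


if __name__ == "__main__":
    print("naive:", naive_host(URL))
    print("parsed:", host_port(URL), connect_target(URL))
    print(build_url("2a03:b0c0:1:d0::1650:b001", 8080, "/wp/"))
```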
IPv6 unaware tools (Linux)
• Forcing a square peg into a round hole… relay a local IPv4 port to the IPv6 target and point the tool at 127.0.0.1
socat -v tcp4-listen:80,fork tcp6:[2a03:b0c0:1:d0::1650:b001]:80
[snip]...
< 2017/05/26 17:12:03.734587 length=313 from=151 to=463
<!DOCTYPE html>
<html>
<body>
<H1>You hit my IPv6 page!</H1>Your IP: 2002:xxxx:xxxx:10:99d8:b8d5:b5e0:fef
nikto -host http://127.0.0.1
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:        127.0.0.1
+ Target Hostname:  127.0.0.1
+ Target Port:      80
+ Start Time:       2017-05-26 17:12:03 (GMT1)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
• The target sees the relay host's IPv6 address (here a 2002::/16 6to4 address), never 127.0.0.1; the relay does not rewrite the HTTP Host header either, so name-based virtual hosts on the target will not match what the tool sends (Host: 127.0.0.1)
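What the socat line does, as an added example (not the slides' code) in plain Python: listen on 127.0.0.1, and for every connection open an upstream socket with create_connection(), which resolves with AF_UNSPEC and so reaches an IPv6 literal or an AAAA-only name that the IPv4-only client never could. The self-test is constructed: it stands up a throwaway echo server on ::1 (falling back to 127.0.0.1 on hosts without IPv6 loopback) and pushes one request through the relay.

```python
"""A tiny IPv4-to-IPv6 TCP relay, the job socat does above."""
import socket
import threading


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side so it sees EOF too."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, target: tuple) -> None:
    try:
        upstream = socket.create_connection(target, timeout=10)   # AF_UNSPEC: v4 or v6
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
    t.start()
    _pipe(client, upstream)
    t.join()
    upstream.close()
    client.close()


def start_relay(target_host: str, target_port: int, listen_port: int = 0) -> int:
    """Listen on 127.0.0.1:listen_port (0 = ephemeral) in a background thread; return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_handle, args=(client, (target_host, target_port)), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def _echo_server() -> tuple:
    """Stand-in for the IPv6-only target: reads until EOF, replies with 'echo:' + the request."""
    for family, host in ((socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")):
        srv = None
        try:
            srv = socket.socket(family, socket.SOCK_STREAM)
            srv.bind((host, 0))
            srv.listen(1)
            break
        except OSError:
            if srv:
                srv.close()
    else:
        raise RuntimeError("no loopback available")

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            conn.sendall(b"echo:" + data)

    threading.Thread(target=serve_one, daemon=True).start()
    return host, srv.getsockname()[1]


def relay_selftest() -> bytes:
    """127.0.0.1 client -> relay -> (::1 or 127.0.0.1) echo server; returns the echoed reply."""
    host, port = _echo_server()
    relay_port = start_relay(host, port)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=10) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return reply


if __name__ == "__main__":
    print(relay_selftest())
```

For real use, call start_relay("2a03:b0c0:1:d0::1650:b001", 80, 80) as root and keep the process alive; as with socat, the target sees the relay host's IPv6 source address and an unmodified Host header.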
IPv6 unaware tools (Windows)
• Taking advantage of the netsh PortProxy interface (requires the IP Helper service, iphlpsvc, to be running)
netsh interface portproxy add v4tov6 listenport=80 connectaddress=2a03:b0c0:1:d0::1650:b001 connectport=80 protocol=tcp
• Then point the IPv4-only tool at 127.0.0.1:80, exactly as with socat; add listenaddress=127.0.0.1 unless you want the relay reachable from the rest of the network
https://technet.microsoft.com/en-us/library/cc731068(v=ws.10).aspx
iptables will save us. Right?
• A fairly restrictive iptables configuration - would you agree?
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.186/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.187/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.188/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.189/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.202/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 66.155.40.250/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 5
-A LOGGING -j DROP
It's all in the n6me!
[Diagram: Attacker -> Victim over IPv6. The ruleset above only governs IPv4; ip6tables is a separate ruleset and nothing had been loaded into it, so over IPv6 the victim's 22/tcp and 80/tcp are reachable, exactly as the nmap -6 scan showed]
• A hostname with both A and AAAA records hands the attacker the choice of path, and the IPv6 path is the one this policy never looks at
• Let's fix this…
sudo ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
• Points to keep in mind: ipv6-icmp has to stay open or Neighbour Discovery (and with it all IPv6 connectivity) breaks; the fe80::/10 and ff00::/8 rules accept any port from on-link hosts; and this ruleset still exposes 22/tcp over IPv6 where the IPv4 policy only exposes 80/tcp. Review the two rulesets against each other, not in isolation
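The check a reviewer wants for the gap shown on the previous slides and the fix above, as an added example (not from the slides): parse `iptables -S` and `ip6tables -S` output and compare inbound TCP exposure per address family. The rulesets embedded below are abridged copies of the ones on the slides, plus the stock, unconfigured ip6tables (all policies ACCEPT) that a freshly installed host has; the function names are this example's own.

```python
"""Compare inbound TCP exposure between an iptables and an ip6tables ruleset."""

# Abridged from the slides' iptables -S (INPUT-relevant lines kept).
IPTABLES_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -j DROP
"""

# What ip6tables -S prints when nobody has configured it (constructed, stock defaults).
IP6TABLES_DEFAULT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Abridged from the slides' ip6tables -S after the fix.
IP6TABLES_FIXED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/8 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""

ALL = "ALL"


def _arg(tokens, flag):
    """Value following a flag in an iptables-save style rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def inbound_tcp(ruleset: str) -> dict:
    """INPUT policy, TCP ports accepted for NEW connections, and ACCEPT rules that are
    not port-specific (ignoring loopback, non-TCP protocols and established-only rules)."""
    policy, ports, broad = None, set(), []
    for line in ruleset.splitlines():
        t = line.split()
        if t[:2] == ["-P", "INPUT"]:
            policy = t[2]
            continue
        if t[:2] != ["-A", "INPUT"] or t[-2:] != ["-j", "ACCEPT"]:
            continue
        if _arg(t, "-i") == "lo":
            continue
        if "NEW" not in (_arg(t, "--ctstate") or "NEW").split(","):
            continue                                  # only keeps existing flows alive
        proto, dports = _arg(t, "-p"), _arg(t, "--dport") or _arg(t, "--dports")
        if proto == "tcp" and dports:
            ports.update(int(p) for p in dports.split(","))
        elif proto in (None, "tcp"):
            broad.append(line)                        # e.g. -s fe80::/10 -j ACCEPT: every port
    return {"policy": policy, "ports": ports, "broad": broad}


def ipv6_only_exposure(v4_rules: str, v6_rules: str) -> dict:
    """TCP ports a new connection reaches over IPv6 but not IPv4, plus the broad IPv6 accepts."""
    v4, v6 = inbound_tcp(v4_rules), inbound_tcp(v6_rules)
    if v6["policy"] != "DROP":
        ports = ALL                                   # no IPv6 filtering at all
    elif v4["policy"] != "DROP":
        ports = set()
    else:
        ports = v6["ports"] - v4["ports"]
    return {"ports": ports, "broad_rules": v6["broad"]}


if __name__ == "__main__":
    print("unconfigured ip6tables:", ipv6_only_exposure(IPTABLES_V4, IP6TABLES_DEFAULT))
    print("after the fix:", ipv6_only_exposure(IPTABLES_V4, IP6TABLES_FIXED))
```

Run it against live output with subprocess (iptables -S and ip6tables -S, as root) and treat ALL, any port in the difference, or any broad rule as a finding; the fixed ruleset above still reports 22/tcp and the two link-local and multicast accepts.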
Tools and resources worth a look
thc-ipv6
• https://github.com/vanhauser-thc/thc-ipv6
Scapy with IPv6
• http://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf
Various IPv6 tutorials
• http://www.omnisecu.com/tcpip/ipv6/
IPv6 Essentials (Silvia Hagen)
• https://www.amazon.co.uk/d/cka/IPv6-Essentials-Silvia-Hagen/1449319211/ref=sr_1_1?ie=UTF8&qid=1496609973&sr=8-1&keywords=ipv6+essentials
That's all folks!