An Information Security Community
If you are into network security, now is the time to acquaint yourself with IPv6.
If you're planning to buy or perform a penetration test on your site, make sure that IPv6 is incorporated in the test.
If the pentest firm that you hired does not incorporate it or reacts kind of hesitant or surprised, get another vendor!
Why? Because IPv6 is and has been enabled in all kinds of operating systems and networking devices for some time per default. The fact that you don't use it and are not aware of it does not mean that it's not there and could not be exploited or leveraged by an attacker to wreak havoc on your network.
I won't go too deep into technical details in this issue of what hopefully will become a series of short articles on the topic of IPv6 and IPv6 security.
If IPv6 is enabled on a host - which is the default for most operating systems, the host will have at least one IPv6 address assigned to it - which will be the link local address.
Link Local IPv6 addresses have the prefix fe80::/10. They are automatically configured by the system. If the system has also a routable IPv6 network assigned to it (maybe via a router that sends out ICMPv6 type 134 messages called router advertisements) the system would actually have two IPv6 addresses on that interface: the link local address and a routable IPv6 address.
For now let's assume the host only has a link local address assigned to it. Why would you want to test that?
Well maybe your IDS is watching for IPv4 only or your log analyzing software has no rules for IPv6 related log entries because you or the vendor didn't think it's worthwhile looking at these. That way if I already own one box on your network or if I have physical access to a LAN port maybe I can scan and hack without any alarms going off.
And boy I have already seen some "hardened" servers where the "hardening" and "locking down" only applied to IPv4 and all IPv6-enabled network services were exposed on the IPv6 interface.
Until now, I've only checked out some of the security tools out there on link local addresses. I have only just begun testing with real live routable IPv6 addresses. I am hoping to write about my first experiences with requesting and configuring an IPv6 tunnel and subnet with SixXS in one of the next issues of this series.
If you have only scanned and tested IPv4 networks so far, you'll not have had any problems determining the index of the scope where the scope would be "your dmz" for instance and the index would be a list of actual IP addresses or subnets that reside on that network. Or in simple words - you most probably knew which IP adresses should be tested or scanned.
But how do you know which hosts have IPv6 enabled and how do you know which IPv6 addresses these hosts have?
One way to find out those active IPv6 link local addresses is to start off with what you already know about the IPv4 network you're looking at. If you have a list of IPv4 addresses or subnets, you can find out which hosts are active on the network using ARP, e.g. do an ARP-scan with Nmap. You get back a list of active hosts and - tadaaa! - their MAC addresses. Because this is how ARP works. It matches physical interface adresses to IPv4 addresses.
So now what next? We don't have ARP in IPv6. But we have of course something similar, which is called NDP - neighbor discovery protocol that is incorporated in ICMPv6. Neighbor discovery protocol allows an IPv6 node on the network to discover the link local and autoconfigured addresses of all active IPv6 nodes on the local network. Since auto-configured link local IPv6 addresses are derived from a NICs MAC address using a standardized deterministic method, I can also determine the IPv6 link local addresses of all active MAC addresses on the local network using that exact same method.
You can read that up and how to leverage it using metasploit and much more in a great article by HD Moore.
Check out the tools and methods described there. You'll be astonished about what you'll find out about your network.
Another fact only few people know and actually take advantage of is that the current versions of Nessus (at least I tested that for the professional feed) have very good support for IPv6. I've been able to find most vulnerabilities that I've found via IPv4 also by running Nessus against the link local IPv6 addresses of the same hosts.
Recommended reading and watching
For starters I would recommend reading the Wikipedia articles on IPv6, ICMPv6 and NDP.
Another talk I can highly recommend is Recent Advances In IPv6 Insecurity by Marc "Van Hauser" Heuse, which was held at the 27th Chaos Communication Congress (27C3) in Berlin 2010. Also check out his tools at http://www.thc.org/
That's it for now. As always, I'll really appreciate your comments, corrections and feedback, so don't hesitate.
I can only learn from your feedback on where I am wrong, what I've misunderstood or how I can write better articles. Thanks for reading and commmenting. :)