2. Whoami
• Owen Shearing @rebootuser
• www.notsosecure.com
Coming up…
• IPv6 addresses and terminology (minimal theory!)
• Connecting to remote IPv6 services; even if the ISP doesn’t support native IPv6
• Taking a look at non-IPv6 aware toolsets (Linux & Windows)
• Limitations (or unawareness) of common security configurations
• Putting this stuff into practice!
IPv6 for Pentesters
3. A VERY light touch on addressing & terms
FE80::/10 - Link-Local Unicast Address
• The new APIPA (Automatic Private IP Addressing, i.e. 169.254.0.0 in the IPv4 world)
• Not routable
FC00::/7 - Unique Local Unicast Address (ULA)
• Comparable to private IPv4 addresses
2000::/3 - Global Unicast Address
• Comparable to public IPv4 addresses
Useful Multicast Addresses:
• FF02::1 – All nodes
• FF02::2 – All routers
4. Local targets
Finding live IPv6 hosts on the local network is as easy as:
• ping6 -c4 -I eth0 ff02::1 (Link-Local addresses)
• ping6 -c4 -I 2a00:23c4:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ff02::1 (Global addresses)
• thc-ipv6 https://www.thc.org/thc-ipv6/
A dirty one-liner to determine the IPv4, IPv6 Link-Local & Global addresses of a target (or targets), keyed on the MAC address that both arp-scan and the IPv6 neighbour cache report (the `echo -e '\n'` just prints a blank line between hosts):
atk6-alive6 eth0 -l > /dev/null; atk6-alive6 eth0 > /dev/null; arp-scan -l | head -n -2 | tail -n +3 > arp && ip -6 neigh > neigh && for line in $(cat neigh | cut -d" " -f5 | sort -u); do grep $line arp && grep $line neigh && echo -e '\n'; done; rm arp neigh
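The same correlation as the one-liner above, written out in Python so the parsing is explicit: arp-scan gives MAC to IPv4, `ip -6 neigh` gives MAC to IPv6, and joining on the MAC shows which hosts an IPv4-only inventory would miss. It also classifies every IPv6 address against the prefixes from the addressing slide (fe80::/10, fc00::/7, 2000::/3, ff00::/8). This is an added example, not part of the talk; the arp-scan and `ip -6 neigh` outputs embedded below are constructed samples, and neighbour-cache entries without an lladdr (state FAILED) are skipped rather than mis-read as a MAC, which is what the `cut -f5` in the one-liner would do.

```python
"""Correlate arp-scan (IPv4) and `ip -6 neigh` (IPv6) by MAC address and
classify each IPv6 address by scope. Added example; sample data constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp-scan -l` output, banner and summary lines included.
ARP_SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.20
Starting arp-scan 1.9 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t00:11:22:33:44:55\tRouter Vendor
192.168.1.30\t00:50:56:de:ad:01\tVMware, Inc.
192.168.1.31\t00:50:56:de:ad:02\tVMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 1.9 seconds
"""

# Constructed sample of `ip -6 neigh` output. The last entry has no lladdr.
IP6_NEIGH_OUTPUT = """\
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2a00:23c4:1234:1::1 dev eth0 lladdr 00:11:22:33:44:55 router STALE
fe80::250:56ff:fede:ad01 dev eth0 lladdr 00:50:56:de:ad:01 STALE
2a00:23c4:1234:1:250:56ff:fede:ad01 dev eth0 lladdr 00:50:56:de:ad:01 STALE
fd12:3456:789a::42 dev eth0 lladdr 00:50:56:de:ad:99 STALE
fe80::1 dev eth0 FAILED
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)")


def parse_arp_scan(text):
    """Return {mac: ipv4}. Only tab-separated 'ip<TAB>mac<TAB>vendor' rows count,
    which drops the banner and summary lines without head/tail arithmetic."""
    result = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[1]):
            result[parts[1].lower()] = parts[0]
    return result


def parse_ip6_neigh(text):
    """Return {mac: [ipv6, ...]}. Entries without 'lladdr' carry no MAC."""
    result = defaultdict(list)
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            result[m.group(3).lower()].append(m.group(1))
    return dict(result)


def scope(addr):
    """Classify an IPv6 address with the prefixes from the addressing slide."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:                               # fe80::/10
        return "link-local (fe80::/10)"
    if a.is_multicast:                                # ff00::/8
        return "multicast (ff00::/8)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ULA (fc00::/7)"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global (2000::/3)"
    return "other"


def correlate(arp_text, neigh_text):
    """Merge both views into {mac: {"ipv4": str|None, "ipv6": [(addr, scope)]}}."""
    v4 = parse_arp_scan(arp_text)
    v6 = parse_ip6_neigh(neigh_text)
    hosts = {}
    for mac in sorted(set(v4) | set(v6)):
        hosts[mac] = {
            "ipv4": v4.get(mac),
            "ipv6": [(a, scope(a)) for a in v6.get(mac, [])],
        }
    return hosts


def ipv6_only_hosts(hosts):
    """MACs that answer on IPv6 but have no IPv4 ARP entry: the inventory gap."""
    return [mac for mac, h in hosts.items() if h["ipv4"] is None and h["ipv6"]]


if __name__ == "__main__":
    hosts = correlate(ARP_SCAN_OUTPUT, IP6_NEIGH_OUTPUT)
    for mac, h in hosts.items():
        print(mac, h["ipv4"] or "-")
        for addr, sc in h["ipv6"]:
            print("   ", addr, sc)
    print("IPv6-only hosts:", ipv6_only_hosts(hosts))
```

Run it as-is to see the merged table; swap the two constants for real `arp-scan -l` and `ip -6 neigh` output to use it on a segment you administer.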
10. “…a tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4
connections from your IPv6 enabled host or router to one of our IPv6 routers…”*
*https://tunnelbroker.net/
Speaking the lingo: Tunnel Brokers
12. nmap -Pn -nvv -sV ipv6.rebootuser.com
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 46.101.42.219.
Other addresses for ipv6.rebootuser.com (not scanned): 2a03:b0c0:1:d0::1650:b001
Not shown: 999 filtered ports
Reason: 998 no-responses
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 51 nginx 1.10.0 (Ubuntu)
It’s all a matter of perspective
nmap -Pn -nvv -sV ipv6.rebootuser.com -6
Warning: Hostname ipv6.rebootuser.com resolves to 2 IPs. Using 2a03:b0c0:1:d0::1650:b001.
Other addresses for ipv6.rebootuser.com (not scanned): 46.101.42.219
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 56 nginx 1.10.0 (Ubuntu)
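The two scans above differ in two ways worth checking mechanically: port 22 is filtered over IPv4 but open over IPv6, and the unlisted ports are "filtered" (silently dropped) on IPv4 but "closed" (RST returned) on IPv6, i.e. nothing is filtering the IPv6 side at all. The following added example, not from the talk, parses nmap normal output for the same host scanned over both families and reports every port whose state differs, plus the default state of the unlisted ports; a non-empty report is the signal that the IPv4 rule set was never mirrored to IPv6. The two scan outputs are constructed to match the slide.

```python
"""Firewall parity check: diff nmap results for one host over IPv4 and IPv6.
Added example; the two nmap outputs below are constructed from the slide."""
import re

NMAP_V4 = """\
Nmap scan report for ipv6.rebootuser.com (46.101.42.219)
Not shown: 999 filtered ports
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 51 nginx 1.10.0 (Ubuntu)
"""

NMAP_V6 = """\
Nmap scan report for ipv6.rebootuser.com (2a03:b0c0:1:d0::1650:b001)
Not shown: 998 closed ports
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 56 nginx 1.10.0 (Ubuntu)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")


def parse_nmap(text):
    """Return ({(port, proto): state}, default_state) from nmap normal output.
    default_state is what the 'Not shown' line says about every unlisted port."""
    ports, default = {}, "unknown"
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN.match(line)
        if m:
            default = m.group(2)
    return ports, default


def unlisted_states(v4_text, v6_text):
    """(ipv4_default, ipv6_default): 'filtered' means packets were dropped,
    'closed' means the host answered with RST, so no filter is in the path."""
    return parse_nmap(v4_text)[1], parse_nmap(v6_text)[1]


def parity_report(v4_text, v6_text):
    """Ports whose state differs between address families, as a list of dicts.
    A port absent from one scan takes that scan's default ('Not shown') state."""
    v4, v4_default = parse_nmap(v4_text)
    v6, v6_default = parse_nmap(v6_text)
    diffs = []
    for key in sorted(set(v4) | set(v6)):
        s4 = v4.get(key, v4_default)
        s6 = v6.get(key, v6_default)
        if s4 != s6:
            diffs.append({"port": key[0], "proto": key[1], "ipv4": s4, "ipv6": s6})
    return diffs


if __name__ == "__main__":
    print("unlisted ports (v4, v6):", unlisted_states(NMAP_V4, NMAP_V6))
    for d in parity_report(NMAP_V4, NMAP_V6):
        print("%d/%s: ipv4=%s ipv6=%s" % (d["port"], d["proto"], d["ipv4"], d["ipv6"]))
```

Feed it the saved output of `nmap ... host` and `nmap ... host -6` (same options, same host) to get the same comparison on a real system.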
14. Talking to the target
ls -l /var/www/html/ipv6/
total 8
-rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php
drwxr-xr-x 5 www-data www-data 4096 May 24 12:03 wp
ls -l /var/www/html/ipv4/
total 4
-rw-r--r-- 1 www-data www-data 147 May 4 16:56 index.php
15. • IPv6 aware:
wpscan --url http://[2a03:b0c0:1:d0::1650:b001]/wp/ --enumerate u
[+] URL: http://[2a03:b0c0:1:d0::1650:b001]/wp/
[snip]
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+---------+----------------+
| Id | Login   | Name           |
+----+---------+----------------+
| 1  | blogger | blogger – IPv6 |
+----+---------+----------------+
• IPv6 unaware:
nikto -host http://[2a03:b0c0:1:d0::1650:b001]
- Nikto v2.1.6
---------------------------------------------------------------------------
+ ERROR: Cannot resolve hostname '[2a03'
+ 0 host(s) tested
IPv6 unaware tools (Linux)
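Nikto's "Cannot resolve hostname '[2a03'" is the classic symptom of host:port parsing that splits on the first colon, which is exactly why RFC 3986 wraps IPv6 literals in square brackets. The following added example (not from the talk or from Nikto) reproduces that naive split beside a bracket-aware parse using Python's urllib.parse, and shows the inverse problem: a tool that builds a URL from a raw address must add the brackets itself. The sample URLs use the address from the slide.

```python
"""Bracketed IPv6 literals in URLs: the naive split that breaks, and the fix.
Added example; urllib.parse is the standard library, nothing here is Nikto code."""
import ipaddress
from urllib.parse import urlsplit


def naive_host_port(url, default_port=80):
    """The failure mode: take the authority and split it on the first ':'.
    For http://[2a03:...]/ this yields '[2a03' as the hostname."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    host, _, port = authority.partition(":")
    return host, int(port) if port.isdigit() else default_port


def bracket_aware_host_port(url, default_port=80):
    """Correct parse: an IPv6 literal sits inside [] in the authority and any
    port follows the closing bracket. urlsplit().hostname strips the brackets,
    .port parses the port (None when absent)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("no host in %r" % url)
    return parts.hostname, parts.port or default_port


def host_for_url(address):
    """Inverse direction: when building a URL from a raw address, an IPv6
    literal must be bracketed or its first ':' is read as the port separator.
    Hostnames are returned unchanged."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return address
    return "[%s]" % ip if ip.version == 6 else address


if __name__ == "__main__":
    url = "http://[2a03:b0c0:1:d0::1650:b001]/wp/"
    print("naive:        ", naive_host_port(url))
    print("bracket-aware:", bracket_aware_host_port(url))
    print("build URL:    ", "http://%s/" % host_for_url("2a03:b0c0:1:d0::1650:b001"))
```

When reviewing a tool for IPv6 support, the bracket handling in both directions (parsing a URL and constructing one) is the first thing to test; the socat forwarder on the next slide is the workaround for tools that fail it.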
16. • Forcing a square peg into a round hole…
socat -v tcp4-listen:80,fork tcp6:[2a03:b0c0:1:d0::1650:b001]:80
[snip]...
< 2017/05/26 17:12:03.734587 length=313 from=151 to=463
<!DOCTYPE html>
<html>
<body>
<H1>You hit my IPv6 page!</H1>Your IP: 2002:xxxx:xxxx:10:99d8:b8d5:b5e0:fef
nikto -host http://127.0.0.1
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: 127.0.0.1
+ Target Port: 80
+ Start Time: 2017-05-26 17:12:03 (GMT1)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
IPv6 unaware tools (Linux)