
Hi guys, thank you. Right, no further ado, let's just have a little look over what we're going to be talking about today. Now, we're not going to be focusing on any IPv6-specific attacks, or known weaknesses with the protocol, but rather how we go about assessing an IPv6 host in our daily lives as pentesters or security consultants, or even if you're an admin in the system and so on. So the idea with this is just to give us a bit of... unfortunately you have to have a bit of theory about the addressing scheme, but then talk you through some reality and some situations we may come across.

So first things first: addressing. We have to cover this because it's going to be appearing a lot throughout these slides. The link-local address, so the fe80 addresses: whenever you have an IPv6-enabled interface you'll get one of these addresses, OK? It's equivalent to your 169.254s in the IPv4 world. Not routable, but they're important in regards to what we're about to do. I'm not going to talk too much about the ULAs, but they're equivalent to your private IPv4 addressing. And the other important address type, from my perspective for this talk, is the global, so the global addressing scheme on the 2003. This is comparable to your public IPv4 addresses, OK?

A couple of interesting addresses as well are these multicast values. So we've got ff02::1, which denotes that anything you send to this address will go to all nodes in the network, and ff02::2 to all routers on the network, OK? Now this becomes quite useful in regards to host discovery. So the first thing we've got here is a quick and easy one using ping6: how do we discover link-local addresses, or link-local hosts, on our local network? So these are IPv6-enabled hosts on our local network. Easy enough, we can use ping6 and target this ff02::1, so all nodes will respond, and there are your targets. Now with a slight tweak of this command we can essentially perform the same thing but find all the global addresses on our local network. Now a global address might not be assigned to every device, so we might not get as many respond, but they are very useful things to know. The way we do this is exactly the same principle as the link-local, except we use our global address. So we have to have a global address for our device; we use our global address as the source and we'll get a list of global addresses on the local network.

These sort of ping commands are very rudimentary; we'll go across some of the limitations in a moment. The Hacker's Choice IPv6 tools: there are various tools in this toolset that allow us to do this, one of which is alive6. Now it's worth noting that in Kali rolling release a lot of THC has been renamed to atk6, just to confuse, but they're the same tools, OK? And we use that in this second example. So this dirty one-liner, and I know this is dirty, I know it can be optimised, but it works, OK? This one-liner will essentially get us all the IPv4 addresses and IPv6 link-local and global addresses from the hosts on our network, so we can see exactly what interfaces have what address assigned. Now this is useful because we might have different services running on IPv4 or IPv6, which we'll look at throughout the rest of this talk. This is our first stage of host discovery.

Taking this a step further: I said there were some limitations to that ping6 command. This is just using Scapy to create a very raw packet. There's probably a lot, well, there is a lot missing here, but it does the job. We are targeting ff02::1, so all nodes, and we get a response back from the nodes on our local network as expected. Now during testing I did notice that Windows hosts don't respond to this; they're there, but they don't respond. So what we can do is basically craft an invalid packet and send this. Now there's a lot wrong with this, it doesn't matter what, but in this case we're supplying a new extension header option and we're saying the length's one, which is invalid, and in this scenario only Windows hosts reply. Now they reply with a parameter problem in this case, but we know they exist and we know their IPv6 address because they reply with this issue. So although it shouldn't work, it does work, because Microsoft have looked at the RFCs and obviously implemented things slightly differently to everyone else. So there's one way to sort of get Windows hosts on the local network. It's also worth mentioning, I mentioned alive6 earlier, that tool does this sort of manipulation, slightly different packets but the same theory, OK?

Now when you do get access to a Windows host and you're using a Windows attacking box, there are a few gotchas in regards to SMB or UNC shares. If I've got an IPv6 target and I want to connect to an SMB share, I can't just do a backslash-backslash like the normal addressing scheme, because colons are not valid characters in a UNC path. So Microsoft in their wisdom have said OK, we'll substitute the colons for hyphens, and then at the end we have to have this .ipv6-literal.net. So that's how we connect to an SMB share. It's worth noting, on a side note, I did find out this ipv6-literal.net is not actually owned by Microsoft these days; it's up for auction at the moment, so if you've got enough pennies you can bid for this. It's got about 80 days left I think; when I took this it was only a day or two ago. It'd be interesting to see if any traffic goes out, that's all I'm saying.

But back onto the topic. So that's local; local is fairly easy in the world of IPv6. What about remote? So in this case the address in red is a link-local address; we don't have routing capabilities but we're trying to connect to a global address. This is a server sitting in DigitalOcean; we're on our local LAN, we're trying to connect out, we don't get there. Now if our ISP doesn't supply us with native IPv6 connections, which some still don't in the UK, or if you're tethering, you may not get a native IPv6 address. You can use something like a tunnel broker or a 6to4 address, which, in regards to the tunnel broker, is a proxy, for want of a better phrase: your IPv6-enabled host talks to another IPv6-enabled host over the IPv4 network, OK? It's worth noting if you do use this you are passing traffic through an unknown party, so just be aware of that. Now in my case I do have, I'm with BT, they do kindly present me with a global IPv6 address, so I didn't have to worry too much about that and I can go straight into my recon.

Now a very cut-down example of host recon, we've only got a few minutes to go through this: we're looking at the pings here, so we've got ping for IPv4 and ping for IPv6. You can see straight away we're targeting the same host; we obviously get responses in regards to the IP address, but we also see that IPv4 is giving no response where IPv6 responds. There's obviously some difference in the configuration on the firewall, which we'll touch on throughout this. Similarly in DNS, it's just another example of how you can essentially find an IPv4 and IPv6 address and so on. There are a few other, well, a lot of other things we're not touching on here.

So now we know our target. In this case it's going to be IPv6 reboot user.com; please don't try and hack it, it's not secure, it's for this demo. On the left-hand side we have the IPv4, just a default nmap scan, so 1,000 ports, we have the IPv4 scan of it; on the right-hand side we have an IPv6 scan of it. On IPv4 you can see we get 999 filtered ports and one open port, so it's behind the firewall. On the right-hand side with IPv6 we get 998 closed ports and we get two ports exposed, so it's not behind a firewall and we get an extra service. So this is where, from a pentesting point of view, we always say we try and use the IPv4 and IPv6 address, for this reason, because one may have been forgotten, and IPv6 is often forgotten. And again we'll see some more as we go through.

So this is the configuration, a white-box approach. Now this is the configuration of the host; it's running nginx, and we get two different... or content served depending on what you hit. So for IPv6 it's served from /ipv6 and you get this: you hit my IPv6 page and it tells you your IPv6 address. IPv4, same principle, but it's served from /ipv4, OK? Now if we go a little bit further, we're actually serving from the IPv6-only web root this wp directory, which is a WordPress installation, whereas on IPv4 we're not. So we're highlighting again: if you go to the IPv6 address you'll get more content than if you see the IPv4 address. So stressing that point, we need to tackle both.

So with that in mind, we found a target, OK? Well, how do we run our normal tools? Some tools, in fact a lot of tools, seem to be IPv6-aware these days, which is great. In fact, when I was creating this presentation I was struggling to find a commonly used tool that didn't have some sort of IPv6 awareness. But we've got an example here: we're using WPScan, it's IPv6-aware, does exactly what it says on the tin, OK? So we're scanning our WordPress installation. Nikto is not IPv6-aware and we get some weird and wonderful errors. So what we can do is use socat and basically say: socat, listen on my own box, listen on port 80, anything you hear on port 80 forward to this IPv6 address I'm telling you about. So then Nikto, we just go yep, just scan the local box; the local box goes OK, I'm going to scan myself, oh, and socat's telling me to go and hit IPv6 reboot user.com, and it works as normal, OK? So a couple of really useful techniques to get around these limitations.

Similarly on Windows, I don't know how many of you guys use Windows for an attacking platform, but it's possible, it's just a bit more messy. Now just to touch on a fact, I don't use ZAP, so I'm not picking on ZAP; the reason I've got ZAP here is because it gives a nice error where it says failed to attack the URL, IPv6 reference. So we can assume it's not an IPv6-compatible application: we put an address in there and it fails. So what we can do is use netsh and this portproxy interface. Now the portproxy interface is fantastic; you can use it for many things in the pentesting world. In this case we're using it as a v4-to-v6, so same principle as socat: listen on my local box, anything you hear on port 80 forward to this IPv6 address, OK? And then we point ZAP to our localhost and it runs as normal. That's the theory, right?

So this is going to be the practical demo of all this sort of knowledge together, OK? So these are some iptables rules; these are for the IPv6 reboot user.com, this is what's in place. I'm going to talk you through these briefly; there's probably more than there should be due to WordPress. Essentially anything that's not there is dropped, OK? So this is in or out, ingress or egress. The stuff in green is basically allowing our users to connect to our web app, OK? So that's allowed, port 80. Next one down, which is a sort of orange, sorry, burgundy colour, is our DNS; we need to allow our host to resolve. Now this lot in purple are WordPress-specific IP addresses. I have to explain this just because when you use WordPress, or you try to add a plugin, WordPress tries to connect out to WordPress servers; if you've ever used it you might see it suggest these plugins etc. These are the IPs I've found that you need to actually whitelist for that to happen. So that's the only reason they're in there. Anything that doesn't appear in here is dropped, in or out, and it's logged, OK? So that's the important point: we log this.

So, basic attack: we've got a WordPress installation. Somehow, unrelated to this attack, we don't care, the admin creds for WordPress have been leaked, whether it's from a phishing attack or whatever, I don't really mind. So we've got the creds for the WordPress installation and we're going to use a basic module within Metasploit to basically upload a PHP file and get some reverse shell access. Again, it doesn't matter what this is, it's unrelated, we're using it for the actual principle of the connection. So we set our configuration up, we put our credentials in, we put our reverse Meterpreter shell, coming back to our IPv4 address of our attacking box, and you can see on the victim it is blocked. It's highlighted in red multiple times: we see this IP address with this port is blocked, OK? That's what our iptables rules are there for; it's blocking it. So we succeed with authentication but we don't get our shell back.

But what about IPv6? Because people often forget this, and this is where we have ip6tables. Now it is a separate entity, so if you don't configure it, it's wide open by default. So basically all we have to do from the attacking point of view is go OK, we assume they've put some rules in here, let's use our reverse shell, let's connect it back to our IPv6 address. Bob's your uncle, straight through, we've got shell access and carry on the attack. And that's why we really need to pay more attention to IPv6 as well, OK? We find this on pentests: if something's locked down, we might find, specifically with Linux boxes and iptables, that only IPv4 rules have been applied, not IPv6. Just on a side note, there are tools like ufw for Ubuntu that actually configure both IPv4 and IPv6 in one, so there are these sort of things out there; it's a one-hit wonder. And this is an example of an ip6tables rule that you can actually use to essentially configure, or give your system a bit more protection, should we say. So that's a bit of a fix, depending on what you want to allow in and out.

So just to finish things off, because I know there's a lot to pack into 15 minutes, there's a few resources I've used. One thing I will say: if you're interested in learning IPv6, now I know the basics to do my pentesting, I'm not a Cisco man, I don't know everything about the protocol, but the IPv6 Essentials book, there's an Amazon link there, I don't get any sort of credits or anything, but that is a fantastic read. It gives you a lot of info, the stuff you need to actually tackle this kind of thing. And that's it really; if you've got any questions please let me know. [Applause]
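The UNC gotcha from the talk (colons are not allowed in a UNC path, so Windows expects the address rewritten with hyphens and the `.ipv6-literal.net` suffix), as an added example that is not part of the talk. It goes one step beyond what the speaker covers by also handling a link-local zone ID (the `%` is written as `s`, per Microsoft's literal-address convention) and by providing the inverse mapping; the function names and the sample addresses are mine, and the addresses come from the documentation range rather than any real host.

```python
"""Added example: encode and decode the Windows "ipv6-literal.net" hostname form
used to put an IPv6 address into a UNC path. Not code from the talk."""
import ipaddress

LITERAL_SUFFIX = '.ipv6-literal.net'


def to_unc_literal(addr):
    """Turn '2001:db8::1' into '2001-db8--1.ipv6-literal.net'.

    A link-local zone ID such as 'fe80::1%12' becomes 'fe80--1s12...' (the '%'
    is spelled 's'). The address is validated and compressed with ipaddress
    first, so an invalid input raises ValueError instead of producing a bogus
    hostname."""
    ip_text, _, zone = addr.partition('%')
    ip = ipaddress.IPv6Address(ip_text).compressed   # validates and lower-cases
    host = ip.replace(':', '-')
    if zone:
        host += 's' + zone
    return host + LITERAL_SUFFIX


def from_unc_literal(host):
    """Inverse of to_unc_literal: '2001-db8--1.ipv6-literal.net' -> '2001:db8::1'."""
    if not host.lower().endswith(LITERAL_SUFFIX):
        raise ValueError(f'not an ipv6-literal.net hostname: {host!r}')
    body = host[:-len(LITERAL_SUFFIX)]
    # Hex digits never contain 's', so the first 's' (if any) starts the zone ID.
    ip_part, _, zone = body.partition('s')
    ip = ipaddress.IPv6Address(ip_part.replace('-', ':')).compressed
    return f'{ip}%{zone}' if zone else ip


def unc_path(addr, share):
    """Build the UNC path a Windows client would use for a share on an IPv6 host."""
    return '\\\\' + to_unc_literal(addr) + '\\' + share


if __name__ == '__main__':
    # Constructed sample addresses (documentation prefix and a link-local with zone 12).
    for sample in ('2001:db8::1', 'fe80::1%12'):
        literal = to_unc_literal(sample)
        print(sample, '->', literal, '->', from_unc_literal(literal))
    print(unc_path('2001:db8::1', 'share'))
```

The round trip is worth keeping in a helper like this rather than doing the substitution by hand: a mistyped address still gets rejected by the `ipaddress` validation, and the decoder lets you recover the real address from a literal hostname you find in logs or configuration.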
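The closing point of the talk, that ip6tables is a separate entity and stays wide open when only iptables has been configured, is the kind of thing a defender wants to check automatically rather than discover during a pentest. The following is an added example, not code from the talk: it parses the text of `iptables-save` and `ip6tables-save`, reports every chain policy and every rule that exists for IPv4 but not for IPv6, and emits the `ip6tables` commands that would mirror the IPv4 ruleset. The two rule dumps are constructed for the example (they echo the talk's ruleset: port 80 in, DNS out, a WordPress-style address whitelist, everything else dropped and logged), and the function names are mine.

```python
"""Added example: check ip6tables parity with iptables and emit the commands that
close the gaps. Not code from the talk; sample rule dumps are constructed."""
import re

POLICY_RE = re.compile(r'^:([\w-]+)\s+(\S+)')
RULE_RE = re.compile(r'^-A\s+([\w-]+)(.*?)\s+-j\s+(\S.*)$')
IPV4_LITERAL = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')


def parse_save(dump):
    """Parse the *filter table of an iptables-save style dump.

    Returns ({chain: policy}, [(chain, match_options, target), ...]) with rules
    in their original order and whitespace-normalised match options."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith('*'):
            in_filter = line == '*filter'
            continue
        if not in_filter or not line or line.startswith('#') or line == 'COMMIT':
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            chain, opts, target = m.groups()
            rules.append((chain, ' '.join(opts.split()), target.strip()))
    return policies, rules


def _rule_text(chain, opts, target):
    return ' '.join(p for p in ('-A', chain, opts, '-j', target) if p)


def compare(v4_dump, v6_dump):
    """Findings where the IPv6 filter is more permissive than the IPv4 one."""
    v4_pol, v4_rules = parse_save(v4_dump)
    v6_pol, v6_rules = parse_save(v6_dump)
    v6_set, findings = set(v6_rules), []
    for chain, pol in v4_pol.items():
        v6 = v6_pol.get(chain, 'ACCEPT')      # an unconfigured chain accepts everything
        if pol in ('DROP', 'REJECT') and v6 == 'ACCEPT':
            findings.append(f'policy {chain}: IPv4 {pol} but IPv6 {v6}')
    for chain, opts, target in v4_rules:
        if (chain, opts, target) in v6_set:
            continue
        rule = _rule_text(chain, opts, target)
        if IPV4_LITERAL.search(opts):
            findings.append(f'{rule}: uses an IPv4 literal, needs a hand-written IPv6 equivalent')
        else:
            findings.append(f'{rule}: missing from ip6tables')
    return findings


def ip6tables_commands(v4_dump, v6_dump):
    """Commands that mirror the IPv4 ruleset into ip6tables: permit rules first,
    then the DROP policies, so the host is never locked out part-way through."""
    v4_pol, v4_rules = parse_save(v4_dump)
    v6_pol, v6_rules = parse_save(v6_dump)
    v6_set, cmds = set(v6_rules), []
    tightening = any(p in ('DROP', 'REJECT') for p in v4_pol.values())
    has_icmp6 = any('ipv6-icmp' in o or 'icmpv6' in o for _, o, _ in v6_rules)
    if tightening and not has_icmp6:
        # Neighbour Discovery runs over ICMPv6; a blanket DROP without this
        # permit leaves the host unable to resolve its gateway's link address.
        cmds += ['ip6tables -A INPUT -p ipv6-icmp -j ACCEPT',
                 'ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT']
    for chain, opts, target in v4_rules:
        if (chain, opts, target) in v6_set or IPV4_LITERAL.search(opts):
            continue                       # present already, or not translatable 1:1
        cmds.append('ip6tables ' + _rule_text(chain, opts, target))
    for chain, pol in v4_pol.items():
        if pol in ('DROP', 'REJECT') and v6_pol.get(chain, 'ACCEPT') == 'ACCEPT':
            cmds.append(f'ip6tables -P {chain} {pol}')
    return cmds


# Constructed sample: an iptables-save dump in the spirit of the talk's ruleset.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT-DROP-IN "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 198.51.100.7/32 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPT-DROP-OUT "
COMMIT
"""

# Constructed sample: an ip6tables that nobody has touched, i.e. the wide-open default.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == '__main__':
    for finding in compare(IPTABLES_SAVE, IP6TABLES_SAVE):
        print('FINDING:', finding)
    print('\n'.join(ip6tables_commands(IPTABLES_SAVE, IP6TABLES_SAVE)))
```

Run it on a real host with `iptables-save` and `ip6tables-save` output fed into `compare()`; an empty findings list is the state the talk is asking for. Rules keyed on IPv4 literals (the WordPress whitelist in the talk) are reported but deliberately not translated, since the matching IPv6 destinations have to be looked up and chosen by hand, and the generated commands are printed rather than executed so they can be reviewed before being applied.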