A key component in improving the security and resiliency of an IPv6 implementation or site is the availability of security assessment and troubleshooting tools. Without them, an IPv6 implementer or network engineer can neither assess nor stress their implementations and networks in the way an attacker would.
Below is an illustrated introduction to the SI6 Networks' IPv6 Toolkit, a free, open source security assessment and troubleshooting toolkit that is available on most major open source operating systems. The tools the toolkit comprises are introduced via real-world examples to help readers grasp the techniques currently being employed by vendors and pen testers, as well as improve the security and resiliency of their own IPv6 implementations and sites.
Creating the IPv6 Toolkit
For many years, THC's IPv6 attack suite (THC-IPv6) was the only free IPv6 toolkit available for assessing IPv6 implementations and networks. THC-IPv6 emphasized specific attack vectors and made exploitation straightforward; a user only needed to set some key options (e.g., the IPv6 address of the target) and its tools would set the rest of the parameters automatically. However, this also limited the flexibility of many of THC-IPv6's features.
Upon its release in 2011, SI6 Networks' IPv6 toolkit filled a gap in IPv6 security assessment and troubleshooting tools: enabling the assessment of IPv6 implementations and deployments, even with respect to issues not envisioned by the creators or maintainers of the toolkit.
The SI6 IPv6 Toolkit originated as part of a security effort to help both IPv6 vendors improve the security and resiliency of their products, and network and security engineers assess and troubleshoot their IPv6 deployments.
This objective implicitly set four goals for the development of the toolkit. First, it had to be flexible enough to exploit as many attack vectors as possible -- even those not envisioned by the toolkit creator. Second, the toolkit had to be released as free software, so a broad community could benefit from it. Third, it had to have clear, effective documentation. Fourth, the toolkit had to support as many platforms as possible. This last goal not only was motivated by the goal of supporting a broader community, but also was considered to be helpful in improving the overall quality and portability of the code.
The toolkit currently supports most major BSD-based operating systems, most major GNU/Linux distributions, Mac OS and OpenSolaris. It is integrated into the package system of most of these operating systems and can be installed like any other packaged application. For example, Ubuntu users can install the toolkit via the command:
sudo apt-get install ipv6toolkit
For operating system types and versions for which there is no application package -- or when or if the corresponding application package predates the latest official release -- manual installation can be employed. The toolkit's source code is available online, and the official releases always include a PGP-signed tarball.
IPv6 toolkit contents
All the tools in the SI6 IPv6 Toolkit are accompanied by comprehensive documentation, which can be accessed via the manual page for each tool (e.g., man scan6), with ipv6toolkit(7) providing an overview of the available tools. Succinct documentation for each tool can also be accessed via the --help option of each tool (e.g., scan6 --help).
Most of the tools currently included in the toolkit focus on each of the different protocol messages the IPv6 protocol suite comprises. For example, five different tools (ns6, na6, rs6, ra6 and rd6) allow users to send arbitrary messages (ranging from neighbor solicitations to redirects) corresponding to IPv6 neighbor discovery.
Other tools focus on specific IPv6 mechanisms that can be the subject of specific assessments. For example, frag6 is entirely devoted to assessing IPv6 fragmentation and reassembly functions, from flooding a target with IPv6 fragments to assessing the fragment reassembly policy of a given node.
Finally, other tools resemble more complex applications; scan6 is the most comprehensive IPv6 address scanner out there, while blackhole6 helps with troubleshooting packet drops resulting from the use of IPv6 extension headers.
Using specific tools
Stateless address autoconfiguration (SLAAC) attacks have been known for years. One of the most common involves an attacker impersonating the local router and advertising a "router lifetime" of 0 (or some other small value). Hosts that receive such a router advertisement (RA) remove the impersonated router from their default router list, which results in a denial of service (DoS). To maintain the DoS, the attacker periodically resends the forged RA so that new, legitimate RAs are effectively overridden. In figure 3, the ra6 tool is instructed to resend the malicious RA message every second.
The traceroute tool is widely employed for network reconnaissance and troubleshooting purposes. However, the common open source implementations do not support sending probes that carry IPv6 extension headers. The path6 tool of the SI6 IPv6 Toolkit fills this gap by implementing IPv6 traceroute-like functionality with full support for IPv6 extension headers and arbitrary probe packets.
Figure 4 illustrates how to trace the route to the SI6 Networks site with ICMPv6 echo request messages (the default probe messages) that employ a destination options header of 72 bytes.
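The two packets described above, the forged RA with router lifetime 0 that ra6 sends and the echo request carrying a 72-byte Destination Options header that path6 uses as a probe, are simple enough to build by hand. The following Python is an added example written for this article, not code from the SI6 toolkit. The addresses (fe80::1, ff02::1, 2001:db8::/32) and the MAC address 00:00:5e:00:53:01 are constructed documentation values, and the ICMPv6 checksum is computed over the IPv6 pseudo-header as RFC 4443 specifies. parse_ra is the check a monitor would run on received RAs to flag router withdrawals.

```python
"""Craft a lifetime-0 Router Advertisement and an echo probe with a 72-byte
Destination Options header. Added example, not SI6 toolkit code; all
addresses used with it are constructed documentation/link-local values."""
import ipaddress
import struct

ICMPV6 = 58          # Next Header value for ICMPv6
DEST_OPTS = 60       # Next Header value for Destination Options
ND_ROUTER_ADVERT = 134
ECHO_REQUEST = 128


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 s.2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header) and the message.
    Returns 0 when run over a message whose checksum field is already set."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(src: str, dst: str, msg: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of an ICMPv6 message."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_ra(src: str, dst: str, router_lifetime: int, router_mac: str,
             cur_hop_limit: int = 64) -> bytes:
    """RFC 4861 s.4.2 Router Advertisement plus a Source Link-Layer Address
    option. A router lifetime of 0 tells receivers the sender is not a default
    router, so they remove it from their default router list: that is the DoS
    the ra6 example above relies on."""
    flags = 0  # M and O bits clear
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, cur_hop_limit, flags,
                       router_lifetime, 0, 0)   # reachable time, retrans timer
    slla = struct.pack("!BB", 1, 1) + bytes.fromhex(router_mac.replace(":", ""))
    return _with_checksum(src, dst, body + slla)


def parse_ra(msg: bytes) -> dict:
    """Decode the fixed RA fields; the check a monitor runs on received RAs."""
    typ, _code, _csum, chl, flags, lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", msg[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    return {"cur_hop_limit": chl, "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40), "router_lifetime": lifetime,
            "reachable_time": reachable, "retrans_timer": retrans,
            "withdraws_router": lifetime == 0}


def build_dest_opts(total_len: int, next_header: int = ICMPV6) -> bytes:
    """RFC 8200 s.4.6 Destination Options header filled with one PadN option.
    total_len must be a multiple of 8; Hdr Ext Len is in 8-octet units, not
    counting the first 8 octets (so a 72-byte header carries the value 8)."""
    if total_len < 8 or total_len % 8:
        raise ValueError("extension header length must be a positive multiple of 8")
    pad_data = total_len - 4              # 2 header bytes + 2 PadN option bytes
    padn = struct.pack("!BB", 1, pad_data) + b"\x00" * pad_data
    return struct.pack("!BB", next_header, total_len // 8 - 1) + padn


def build_echo_probe(src: str, dst: str, hop_limit: int, ext_len: int = 72,
                     ident: int = 0x1234, seq: int = 1) -> bytes:
    """IPv6 header + Destination Options + Echo Request: a path6-style probe
    whose hop limit is raised one hop at a time. The ICMPv6 checksum covers
    only the ICMPv6 message, so the extension header does not enter it."""
    echo = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + b"\x00" * 8
    echo = _with_checksum(src, dst, echo)
    doh = build_dest_opts(ext_len, ICMPV6)
    ip6 = struct.pack("!IHBB", 6 << 28, len(doh) + len(echo), DEST_OPTS, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + doh + echo


if __name__ == "__main__":
    ra = build_ra("fe80::1", "ff02::1", 0, "00:00:5e:00:53:01")
    print(parse_ra(ra))
    print(len(build_echo_probe("2001:db8::1", "2001:db8::2", hop_limit=3)), "bytes")
```

Sending these frames requires a raw socket and the interface's link-layer address, which the toolkit handles for you; the value of building them by hand is seeing that a router withdrawal is a single 24-byte message and that the 72-byte header sits between the IPv6 header and the ICMPv6 message, which is exactly what a filtering middlebox inspects when it decides to drop the probe.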
Whether as part of a security assessment or a troubleshooting operation, it may be handy or necessary to isolate where network packets with IPv6 extension headers are being dropped. The blackhole6 tool does exactly that: It infers where in the network packets with IPv6 extension headers are being dropped and provides useful information, such as the IPv6 address and Autonomous System Number of the dropping node.
Transport protocols have their own set of dedicated tools. For example, the tcp6 tool is entirely devoted to TCP-based attacks and measurements; tcp6 can be employed to assess the resistance of a Web server to IPv6-based TCP SYN flood attacks. Figure 6 illustrates how tcp6 can be employed to perform such an attack against port 80 of the server 2001:db8::1, forging the IPv6 source addresses from the prefix fc00:1::/64.
When performing a penetration test of a site, it is not unusual for a pen tester to work off of a list of domain names that the target site comprises. The script6 tool within the SI6 IPv6 Toolkit can easily obtain DNS records for a list of domain names stored in a file. For example, figure 7 shows the contents of the "sites.txt" file, how the toolkit can be employed to obtain the IPv6 addresses of the corresponding Web servers, and the corresponding mail servers. The output includes comments that clearly show the domain name to which each IPv6 address corresponds.
Reduced experience with IPv6 operation can make it tricky for a security administrator to identify the type of address at hand. For example, it may be difficult to tell the difference between global and Unique Local Unicast addresses, or between traditional SLAAC addresses and randomized addresses. The SI6 IPv6 Toolkit contains a specific tool, addr6, to remedy this. By default, when an IPv6 address is specified via the -a option, addr6 decodes the address and prints its type, scope and interface-identifier pattern.
A different problem posed by IPv6 addresses is that the same address can be written in multiple ways. For example, 2001:db8::1, 2001:db8:0::1 and 2001:db8::0001 are all equivalent, with 2001:db8::1 being the canonical representation defined by RFC 5952 (lowercase hexadecimal, leading zeros dropped, and the longest run of zero groups compressed to "::"). While this is not an issue for an experienced admin, it is a problem when addresses are compared by scripts or other tools that process IPv6 addresses as plain text strings. When in doubt, the --print-canonical option of addr6 prints the canonical representation of the address specified via the -a option.
One of the most interesting tools included in the SI6 IPv6 Toolkit is scan6, the most comprehensive IPv6 address-scanning tool available. This tool benefits from recent research in IPv6 address scanning and incorporates a number of heuristics to reduce the search space. The most useful feature of scan6 is that it can automatically assess the address pattern(s) of a site and target only those patterns in the resulting address scan. For example, as seen in figure 9, when scanning the site scanme.nmap.org, scan6 classifies the address 2600:3c01::f03c:91ff:fe93:cd19; if it treats the identifier as random, it falls back by default to low-byte addresses (the addresses commonly employed at server sites), thus reducing the search space. Note that this particular interface identifier contains the ff:fe marker of a modified EUI-64 (SLAAC) address, so it is worth checking scan6's classification with addr6 before relying on the inferred pattern.
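The three address problems above (decoding an address's type, canonicalizing its text form, and inferring a site's address pattern to narrow a scan) can be shown in a few dozen lines. The following Python is an added example written for this article, not addr6 or scan6 code: the interface-identifier classification is a deliberate approximation of the categories those tools report, not their exact rules, and the candidate generator implements only the low-byte and IEEE-OUI heuristics. The sample addresses are constructed documentation values (2001:db8::/32, fc00:1::/64, fe80::/10) plus the scanme.nmap.org address quoted above, which the heuristic classifies as ieee-derived because of its ff:fe marker.

```python
"""Decode IPv6 addresses and derive a scan list from a seed address.
Added example, not addr6/scan6 code; the interface-identifier heuristics
approximate what those tools report and are an assumption of this example."""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope(addr: ipaddress.IPv6Address) -> str:
    """Address type/scope, tested from most to least specific."""
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr.is_site_local:
        return "site-local (deprecated)"
    if addr in ULA:
        return "unique-local"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "reserved"


def iid_kind(addr: ipaddress.IPv6Address) -> str:
    """Heuristic classification of the low 64 bits (an approximation of the
    categories addr6 prints, not its exact rules)."""
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid == bytes(8):
        return "subnet-router-anycast"
    if iid[3:5] == b"\xff\xfe":          # modified EUI-64: OUI | ff:fe | NIC
        return "ieee-derived"
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"
    if iid[:6] == bytes(6):              # only the last 16 bits are non-zero
        return "low-byte"
    if iid[:4] == bytes(4):              # 32-bit value, e.g. 2001:db8::c000:201
        return "embedded-ipv4"
    return "randomized"


def decode(text: str) -> str:
    """addr6-style one-line summary (format approximated), e.g.
    'unicast=global=ieee-derived'."""
    addr = ipaddress.IPv6Address(text)
    kind = "multicast" if addr.is_multicast else "unicast"
    return "=".join((kind, scope(addr), iid_kind(addr)))


def canonical(text: str) -> str:
    """RFC 5952 text form: lowercase, leading zeros dropped, the longest run
    of zero groups (only runs of two or more; first one on a tie) as '::'."""
    return ipaddress.IPv6Address(text).compressed


def same_address(a: str, b: str) -> bool:
    """Compare as addresses, not strings: '2001:db8:0::1' equals '2001:DB8::0001'."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def candidates(prefix: str, seed: str, limit: int = 256) -> list:
    """scan6-style search-space reduction. Low-byte (and, by default,
    randomized) seeds yield ::1, ::2, ... in the /64; an IEEE-derived seed
    keeps its 24-bit OUI and ff:fe and walks the NIC-specific bits, since
    hosts bought in one batch tend to share the OUI."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 subnet")
    base = int(net.network_address)
    kind = iid_kind(ipaddress.IPv6Address(seed))
    if kind == "ieee-derived":
        seed_iid = int(ipaddress.IPv6Address(seed)) & ((1 << 64) - 1)
        oui_part = seed_iid & ~((1 << 24) - 1)   # keep OUI | ff:fe, zero NIC bits
        return [ipaddress.IPv6Address(base | oui_part | n) for n in range(limit)]
    # low-byte seed, or a randomized seed with nothing to exploit
    return [ipaddress.IPv6Address(base | n) for n in range(1, limit + 1)]


if __name__ == "__main__":
    for a in ("2001:db8::1", "2600:3c01::f03c:91ff:fe93:cd19", "fc00:1::1",
              "2001:DB8:0::0001", "fe80::a1b2:c3d4:e5f6:0708"):
        print(canonical(a).ljust(30), decode(a))
    print(candidates("2600:3c01::/64", "2600:3c01::f03c:91ff:fe93:cd19", 4))
```

Two points worth noting. same_address is what a script should use wherever it currently does a string comparison, since "2001:db8::1" != "2001:db8:0::1" is true as text. And the OUI walk in candidates is a 2^24 space per OUI, far smaller than 2^64 but still large, which is why scan6 lets you bound the range; the low-byte fallback for a randomized seed is a guess about server naming conventions, not knowledge about the host that produced the seed.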
Most of the tools included in the SI6 Networks' IPv6 Toolkit admittedly require deep knowledge of the protocols involved and may be challenging for newcomers to IPv6. However, other tools such as scan6 resemble more familiar applications and can be useful to less experienced users.
Given the comprehensive documentation provided with the toolkit -- and given that the relevant manual pages also provide concrete examples on how to employ the tools -- it's simply a matter of investing time and dedication in order to master the SI6 IPv6 Toolkit.
About the author:
Fernando Gont works for SI6 Networks as an Internet security and engineering consultant. He is an active participant in the Internet Engineering Task Force, where he contributes to several working groups and has authored a number of RFCs (Requests for Comments) and Internet drafts. Gont regularly speaks at a number of conferences, trade shows and technical meetings about information security, operating systems and Internet engineering. More information is available at his website.