One of the first steps of performing a network security audit is to find out which networks and systems belong to the target site, as well as the services provided by such systems. While these tasks are rather well known for the IPv4 world, they are not widely understood in the case of IPv6.
This article covers a number of techniques that can be employed to gain information about a target site when performing an IPv6 network security audit. Most of the techniques either have no counterpart in the IPv4 world or have specific nuances in the IPv6 world that deserve special mention. This article focuses on two IPv6 toolkits: the SI6 Networks' IPv6 toolkit (SI6-IPv6) and THC's IPv6 attack suite (THC-IPv6). SI6-IPv6 currently supports most major BSD-based operating systems, most major GNU/Linux operating systems, Mac OS and OpenSolaris. THC-IPv6, on the other hand, currently only supports most major GNU/Linux systems. While this article covers a number of tools comprised in each of these toolkits, note that both toolkits contain many other tools, some of which can also be employed for IPv6 network reconnaissance.
DNS-based network reconnaissance
When gathering information about a site, you want to obtain a list of domain names employed by that site (which will typically use a set of different systems). The most comprehensive list of such names can be obtained with what is referred to as a "DNS zone transfer" -- that is, by downloading the entire contents of the target DNS zone. This can be done with the following command, replacing "example.com" with the target domain:
host -l example.com
For security reasons, however, most sites block DNS zone transfers; it is therefore not trivial to obtain the entire contents of the corresponding DNS zone. But not everything is lost; sites tend to use common names for systems providing common services. For example, the Web server for the site "example.com" will likely use the name "www.example.com", while the SMTP server for the same site will likely employ the name "smtp.example.com" or "mail.example.com". Thus, it is possible to obtain a list of domain names for a site by creating a "dictionary" of common DNS names.
The dnsdict6 tool of THC-IPv6 implements this functionality using the following command:
As a result, dnsdict6 will employ its internal dictionary in hopes of finding common domain names in the zone "example.com". For each domain name found, the corresponding IPv6 address(es) will be printed.
If we ran dnsdict6 for the domain name "ripe.net", for example, we would obtain the following output:
DNS can also be employed to find IPv6 addresses within a target prefix. Namely, DNS reverse mappings can be useful for finding the IPv6 addresses of nodes in a given IPv6 prefix. While the specific details of this technique are out of the scope of this article, it essentially consists of finding (by brute force) PTR records for each of the IPv6 addresses in an IPv6 prefix. Thanks to a technique discovered rather recently, the search space can be greatly reduced, such that exploring a whole prefix becomes feasible.
The dnsrevenum6 tool of THC-IPv6 can be used for this purpose as follows:
dnsrevenum6 8.8.8.8 2001:db8::/32
Where "8.8.8.8" is the Google public DNS server employed for name resolution and 2001:db8::/32 is the target prefix (which should be replaced with the specific target IPv6 prefix).
Note that depending on a number of factors -- DNS server software used at the target site, whether DNS reverse mappings have been configured -- this technique might or might not work as expected, but when it does, it can produce impressive results.
Finally, it is not unusual to start from a file containing a list of domain names and to need the IPv6 addresses of those domains, along with the IPv6 addresses of the corresponding mail servers (MX records) and name servers (NS records). The script6 tool of SI6-IPv6 can help.
For example, for a file named "sites.txt", script6 can obtain the IPv6 addresses of the corresponding domains and of the corresponding mail servers as follows:
Nameservers can also be obtained by piping the contents of the file "sites.txt" to the command "script6 get-ns".
IPv6 address scanning: Remote networks
The increased IPv6 address space has straightforward implications on IPv6 address scanning. While brute-force address scanning attacks are "good enough" in the IPv4 world because of its reduced address space, scanning a whole /64 IPv6 prefix would be unfeasible.
However, recent research indicates many sites employ specific patterns for their nodes; hence, it is possible to greatly reduce the search space by scanning for addresses that follow such patterns. The scan6 tool of SI6-IPv6 is the most comprehensive IPv6 address scanning tool and can target a variety of specific address patterns. Probably the coolest feature of scan6 is that it can automatically infer the address pattern of a site and reduce the search space accordingly.
For example, one could perform an IPv6 address scan of a site as follows:
scan6 -v www.example.com/64
In this example, scan6 would obtain the IPv6 address(es) corresponding to the domain name "www.example.com" and would try to infer the address pattern employed by such address(es). It would subsequently perform an IPv6 address scan targeting only the inferred address pattern.
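To see how much an address pattern shrinks the search space, and to check how predictable your own addressing plan is, the following added example (not part of scan6 or the original article) classifies the interface identifier (the low 64 bits) of each address with simplified heuristics. The pattern names, the bit estimates and the sample addresses are assumptions constructed for illustration; scan6's own inference logic is not reproduced here.

```python
import ipaddress
from collections import Counter

IID_MASK = (1 << 64) - 1

def classify_iid(addr):
    """Return (pattern, unknown_bits) for the interface identifier of addr.

    unknown_bits is a rough upper bound on the bits left to guess within
    one /64 if every node in the site followed the same pattern.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    groups = [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    # Modified EUI-64: "ff:fe" sits in the middle of the IID. With the
    # vendor OUI known, only the 24-bit NIC-specific part is unknown.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "ieee-eui64", 24
    # Low-byte: everything zero except the last 16-bit group (::1, ::25).
    if iid >> 16 == 0:
        return "low-byte", 16
    # IPv4 address embedded in the low 32 bits (::c000:20a = 192.0.2.10).
    if iid >> 32 == 0:
        return "embedded-ipv4-32bit", 32
    # IPv4 address written one octet per group (::192:0:2:10).
    if all(format(g, "x").isdigit() and int(format(g, "x")) <= 255
           for g in groups):
        return "embedded-ipv4-64bit", 32
    return "no-obvious-pattern", 64

def dominant_pattern(addresses):
    """Most common pattern in a list and the candidate count per /64."""
    counts = Counter(classify_iid(a) for a in addresses)
    (pattern, bits), _ = counts.most_common(1)[0]
    return pattern, 2 ** bits

# Constructed sample: addresses an auditor might have collected via DNS.
SAMPLE = [
    "2001:db8::1",
    "2001:db8::25",
    "2001:db8:0:1::80",
    "2001:db8::21b:21ff:fe3a:4f10",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, *classify_iid(a))
    print("dominant:", dominant_pattern(SAMPLE))
```

A site whose addresses mostly classify as "low-byte" exposes about 65,536 candidates per /64 instead of 2^64, which is why randomized interface identifiers are the safer choice for hosts that do not need stable, memorable addresses.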
IPv6 address scanning: Local networks
In scenarios where the security professional has local access to the target network, a different technique can be leveraged for IPv6 address scanning: IPv6 multicast addresses. Rather than sending probe packets to multiple addresses, a single probe packet is sent to a multicast address (e.g., the all-nodes link-local multicast address, ff02::1) that elicits a response from all local nodes. While multicast addresses could be leveraged with a simple tool such as ping6, some IPv6 implementations (notably Windows) do not respond to the multicasted ICMPv6 echo requests employed by ping6.
Fortunately, the scan6 tool of SI6-IPv6 not only employs the traditional ICMPv6 echo requests as the probe packets, but also alternative probe packets that can elicit responses from all nodes -- including Windows. Thus, scan6 can be used to perform a local address scan by leveraging IPv6 multicast addresses with the following command:
scan6 -e -i eth0 -L
Here, "eth0" should be replaced by the network interface being used for the address scan.
scan6 will print all the addresses present in the local network, along with the underlying MAC addresses. Since in the IPv6 world each network interface is typically assigned multiple IPv6 addresses, the MAC addresses can be leveraged to tell which addresses correspond to the same network interface.
Tracing the route to a target system
Two widely employed tools for tracing the route to a target IPv6 node are traceroute and traceroute6. However, the current versions of these tools fail to implement support for IPv6 extension headers. The path6 tool of SI6-IPv6 fills this gap by implementing IPv6 traceroute-like functionality with full support for IPv6 extension headers and arbitrary probe packets. For example, we could trace the route to the site www.si6networks.com with ICMPv6 echo request messages (the default probe messages) that employ a Destination Options header of 72 bytes as follows:
It should be noted that while the use of IPv6 extension headers can be used to circumvent some security controls, packets with IPv6 extension headers are widely filtered in the public Internet and therefore their use might be counterproductive.
Filtering IPv6 addresses
As a result of executing the commands discussed, organizations will typically end up with a long list of IPv6 addresses that might contain duplicate addresses or addresses that are of little to no use when performing a security audit. For example, when auditing a remote site, IPv6 link-local addresses will be of virtually no use. Additionally, one might want to restrict the security audit to addresses belonging to a specific IPv6 prefix. Thus, the need to filter IPv6 addresses based on different criteria (address type, IPv6 prefixes and so on) should be evident.
The addr6 tool of SI6-IPv6 is a powerful and flexible tool for processing IPv6 addresses. Among other things, it can process a list of IPv6 addresses, remove duplicate addresses from the list, and filter IPv6 addresses based on a number of possible criteria.
Assuming the file "addresses.txt" contains a list of IPv6 addresses (one per line), duplicate addresses can be filtered out using the following command:
cat addresses.txt | addr6 -i -q > addresses-unique.txt
As a result, a new file ("addresses-unique.txt") will be created, containing only nonduplicated addresses. The addr6 manual page should be consulted for further information and examples about its filtering capabilities.
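The filtering criteria described above (duplicates, address type, prefix) are illustrated by the following added example, which is not addr6 and not code from the original article. It uses Python's standard ipaddress module; the function name, its parameters and the sample list are assumptions constructed for illustration.

```python
import ipaddress

def filter_addresses(lines, prefix=None, drop_link_local=True):
    """Canonicalise, de-duplicate and filter IPv6 address strings.

    Returns (kept, rejected): kept holds compressed-form addresses in
    first-seen order, rejected holds lines that are not IPv6 addresses.
    """
    net = ipaddress.IPv6Network(prefix) if prefix else None
    seen, kept, rejected = set(), [], []
    for line in lines:
        text = line.strip()
        if not text:
            continue
        try:
            # Drop any zone index ("%eth0") before parsing.
            addr = ipaddress.IPv6Address(text.split("%", 1)[0])
        except ValueError:
            rejected.append(text)
            continue
        # Compare parsed values, not strings: one address has many
        # textual forms, so a plain "sort -u" would keep all of them.
        if addr in seen:
            continue
        seen.add(addr)
        if drop_link_local and addr.is_link_local:
            continue  # fe80::/10 is of no use when auditing a remote site
        if net is not None and addr not in net:
            continue  # outside the prefix the audit is restricted to
        kept.append(addr.compressed)
    return kept, rejected

# Constructed sample, as it might look after merging several tool outputs.
SAMPLE = [
    "2001:db8::1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",  # same address, expanded
    "2001:DB8:0:0::1",                          # same address, upper case
    "fe80::1%eth0",
    "2001:db8:1::25",
    "2001:db8:ffff::1",
    "not-an-address",
]

if __name__ == "__main__":
    kept, rejected = filter_addresses(SAMPLE, prefix="2001:db8::/47")
    print("\n".join(kept))
    print("rejected:", rejected)
```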
Port scanning in IPv6
Once a filtered list of IPv6 addresses is produced, it is important to find out which services are being offered by each address; performing a port-scan of the aforementioned IPv6 addresses is warranted. Simple IPv6-based port-scanning has been implemented in traditional tools (such as Nmap) for a long time now. However, some IPv6-specific features -- such as the ability to employ IPv6 extension headers with port-scanning packets -- have not been widely implemented. The scan6 tool of SI6-IPv6 implements all known TCP and UDP port scanning techniques (e.g., SYN scans, ACK scans, among others), and also includes support for IPv6 extension headers.
In order to scan TCP ports 1-65535 of scanme.nmap.org, for example, one could execute scan6 as follows:
scan6 can be instructed to perform the same port-scan employing a Destination Options IPv6 extension header of 8 bytes as follows:
In this case, the results are exactly the same. However, as with the path6 tool, it should be noted that while using IPv6 extension headers can circumvent some security controls, packets with IPv6 extension headers are widely filtered in the public Internet.
IPv6 toolkits for network reconnaissance
There are a number of techniques to perform network reconnaissance in IPv6 networks. The two most popular IPv6 toolkits (SI6-IPv6 and THC-IPv6) can be employed to leverage the aforementioned techniques.
The increasing IPv6 address space has concrete implications on IPv6 network reconnaissance, and recent security research and tool development have already produced techniques and tools that make IPv6 network reconnaissance possible.
Bottom line: Audit your site before the bad guys do.
About the author:
Fernando Gont currently works for SI6 Networks as an Internet security and engineering consultant. He is an active participant at the IETF (Internet Engineering Task Force), where he contributes to several working groups, and has authored a number of RFCs (Request for Comments) and Internet-Drafts. Gont is a regular speaker at a number of conferences, trade shows, and technical meetings, about information security, operating systems, and Internet engineering. More information is available at his website.