IPv6-Scanning - IT-SECX › wp-content › uploads › 2017 › ... · IPv4 vs. IPv6 § Anzahl...

Kathrin Hufnagl | 10.11.2017 | IT-SECX 2017 1

IPv6-Scanning350 Billiarden Mal zum Mars und wieder zurück: Der unwahrscheinlich große IPv6-Adressbereich und wie man Hosts für externe und interne Sicherheitsüberprüfungen findet

Kathrin Hufnagl


[email protected]

@cahira_

BSc in IT Security

Master Information Security

DOCH WARUM IPV6?


IPv6 verbreitet sich ...

Kathrin Hufnagl | 10.11.2017 | IT-SECX 2017 4https://www.google.de/ipv6/statistics.html

T-Mobile USA


http://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/T-MobileUSA.png

Deutsche Telekom AG


http://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/DeutscheTelekomAG.png

IPv4 vs. IPv6

§ Anzahl aller Adressen:§ IPv4: 4.294.967.296 Adressen (232 )

§ IPv6: 3.402823669 x 1038 Adressen (2128)

§ DNS § A

§ AAAA

§ Konfiguration


Muster

Low-Byte Adressen

§ 2001:db8::17

§ 2001:db8::1:17

IPv4-Based Adressen

§ 2001:db8::192.168.0.1

§ 2001:db8::192:168:0:1

§ 2001:db8::C0A8:1

§ 2001:db8::C0:A8:0:1


Service-Port Adressen

§ 2001:db8::80 für http

§ 2001:db8::53 für dns

Wordy Adressen

§ 2001:db8::dead:beef

§ 2001:db8::cafe:babe:bad

RFC 7707


Gont, F., "IPv6 Network Reconnaissance: Theory & Practice", LACSEC Conference, Medellin, Colombia, May 2013

Ford, M., "IPv6 Address Analysis - Privacy In, Transition Out", May 2013

Tools

• Scan6

• Chiron

• Nessus

• Alive6


§ Masscan

§ Metasploit

§ Nmap

§ ZMap

§ ZMapv6

Übersichtsmatrix


Local Host Discovery


Nmap - ICMP-Echo-Requests

§ targets-ipv6-multicast-echo:


/nmap-7.40$ sudo ./nmap -6 --script=targets-ipv6-multicast-echo.nse -sL --script-args=newtargetsStarting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 19:03 CESTPre-scan script results:| targets-ipv6-multicast-echo: | IP: 2606:2800:220:caff:192:168::1 MAC: 00:0c:29:32:d2:c3 IFACE: ens38| IP: 2606:2800:220:caff::1 MAC: 00:0c:29:32:d2:c3 IFACE: ens38| IP: 2606:2800:220:cafe::256 MAC: 00:0c:29:32:d2:c3 IFACE: ens38| IP: fe80::42b:9d6b:b33:5185 MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: 2606:2800:220:caff::80 MAC: 00:0c:29:32:d2:c3 IFACE: ens38| IP: 2606:2800:220:caff::dead MAC: 00:0c:29:32:d2:c3 IFACE: ens38| IP: fe80::20c:29ff:fe32:d2b9 MAC: 00:0c:29:32:d2:b9 IFACE: ens38| IP: fe80::20c:29ff:fead:b328 MAC: 00:0c:29:ad:b3:28 IFACE: ens38| IP: fe80::20c:29ff:fe32:d2c3 MAC: 00:0c:29:32:d2:c3 IFACE: ens38...Nmap done: 15 IP addresses (0 hosts up) scanned in 2.81 seconds



§ targets-ipv6-multicast-echo im Wireshark:


/nmap-7.40$ sudo ./nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args 'newtargets,interface=ens38' –sPStarting Nmap 7.40 ( https://nmap.org ) at 2017-10-20 16:00 CESTPre-scan script results:| targets-ipv6-multicast-invalid-dst: | IP: fe80::c91:b5e:58dc:fa31 MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: fe80::20c:29ff:fefe:b5ab MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: fe80::20c:29ff:fe76:ed5e MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: fe80::20c:29ff:fe79:d8c1 MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: fe80::20c:29ff:fead:b328 MAC: f4:5c:89:ac:e2:15 IFACE: ens38| IP: fe80::20c:29ff:fe07:f11c MAC: f4:5c:89:ac:e2:15 IFACE: ens38|_IP: fe80::20c:29ff:fe07:f112 MAC: f4:5c:89:ac:e2:15 IFACE: ens38...Nmap done: 7 IP addresses (7 hosts up) scanned in 2.74 seconds


§ targets-ipv6-multicast-invalid-dst:



§ targets-ipv6-multicast-invalid-dst im Wireshark:

Remote Host Discovery


Nmap - IPv6-Subnetze

§ 65.536 durchsuchte Hosts ~ 20 Minuten


nmap-7.40$ sudo ./nmap -6 -sn 2606:2800:0220:caff::/112Starting Nmap 7.40 (https://nmap.org) at 2017-04-12 14:35 CESTNmap scan report for 2606:2800:220:caff::1Host is up (0.0030s latency).Nmap scan report for 2606:2800:220:caff::80Host is up (0.00055s latency).Nmap scan report for 2606:2800:220:caff::256Host is up (0.00018s latency).Nmap scan report for 2606:2800:220:caff::deadHost is up (0.00094s latency).

Nmap done: 65536 IP addresses (4 hosts up) scanned in 1118.96 seconds

Scan6- IPv6-Subnetze

§ 65.536 durchsuchte Hosts ~ 3 Minuten


sudo scan6 -d 2606:2800:0220:caff::/112 –vvvTarget address ranges (1)2606:2800:220:caff:0:0:0:0-ffff

Alive nodes:2606:2800:220:caff::12606:2800:220:caff::802606:2800:220:caff::2562606:2800:220:caff::dead

Alive6 - IPv4-Based Adressen


$ sudo alive6 -4 192.168.0.0/24 ens38 2606:2800:0220:caff::/64Alive: 2606:2800:220:cafe::256 [ICMP echo-reply]Alive: 2606:2800:220:caff:: [ICMP parameter problem]Alive: 2606:2800:220:caff::1 [ICMP echo-reply]Alive: 2606:2800:220:caff:192:168:0:1 [ICMP echo-reply]Alive: 2606:2800:220:caff::80 [ICMP echo-reply]Scanned 1271 addresses and found 5 systems alive

Scan6 - Service-Port Adressen

§ 23 der bekanntesten Ports


$ sudo scan6 –d 2606:2800:0220:caff::/64 –g2606:2800:220:caff::80

Nmap - Wordy-Adressen

§ ~ 8 Minuten


nmap-7.40$ sudo ./nmap -6 --script targets-ipv6-wordlist --script-args newtargets,targets-ipv6-subnet={2606:2800:0220:caff::/64}Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 15:02 CESTPre-scan script results:| targets-ipv6-wordlist: |_ node count: 2645

Nmap scan report for 2606:2800:220:caff::deadHost is up (0.0053s latency).Not shown: 999 closed portsPORT STATE SERVICE22/tcp open ssh

Nmap done: 2117 IP addresses (1 host up) scanned in 448.02 seconds

Portscan


Nmap - Portscan (SYN)


nmap-7.40$ sudo ./nmap -6 -sS -iL ../targets.txtStarting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 15:22 CESTNmap scan report for 2606:2800:220:caff::1Host is up (0.00099s latency).Not shown: 997 closed portsPORT STATE SERVICE21/tcp open ftp22/tcp open ssh80/tcp open http

Nmap scan report for 2606:2800:220:caff::80Host is up (0.0010s latency).Not shown: 999 closed portsPORT STATE SERVICE22/tcp open ssh

Nmap done: 2 IP addresses (2 hosts up) scanned in 99.83 seconds

Nmap - Version Disclosure


nmap-7.40$ sudo ./nmap -6 -sV 2606:2800:0220:caff::1Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-08 20:06 CESTNmap scan report for 2606:2800:220:caff::1Host is up (0.0011s latency).Not shown: 997 closed portsPORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.322/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelServicedetection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 9.54 seconds

Zusammenfassend:

§ große Erleichterung

§ Jedoch weiterhin Problem

§ Scannen von gesamten IPv6-Adressbereich

§ Keine große Subnetze


IPv6-Scanning - IT-SECX › wp-content › uploads › 2017 › ... · IPv4 vs. IPv6 § Anzahl...

Documents

Transcript of IPv6-Scanning - IT-SECX › wp-content › uploads › 2017 › ... · IPv4 vs. IPv6 § Anzahl...