IPv6-Scanning - IT-SECX

Post on 30-Jun-2020

Kathrin Hufnagl | 10.11.2017 | IT-SECX 2017 1

IPv6 Scanning

350 quadrillion times to Mars and back: the improbably large IPv6 address space and how to find hosts for external and internal security assessments

Kathrin Hufnagl

kathrinhufnagl@cahira.at

@cahira_

BSc in IT Security

Master Information Security

BUT WHY IPV6?

IPv6 is spreading ...

https://www.google.de/ipv6/statistics.html

T-Mobile USA

http://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/T-MobileUSA.png

Deutsche Telekom AG

http://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/DeutscheTelekomAG.png

IPv4 vs. IPv6

• Total number of addresses:
  • IPv4: 4,294,967,296 addresses (2^32)
  • IPv6: 3.402823669 × 10^38 addresses (2^128)
• DNS
  • A
  • AAAA
• Configuration

Patterns

Low-byte addresses

• 2001:db8::17
• 2001:db8::1:17

IPv4-based addresses

• 2001:db8::192.168.0.1
• 2001:db8::192:168:0:1
• 2001:db8::C0A8:1
• 2001:db8::C0:A8:0:1

Service-port addresses

• 2001:db8::80 for HTTP
• 2001:db8::53 for DNS

Wordy addresses

• 2001:db8::dead:beef
• 2001:db8::cafe:babe:bad
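
As an added example (not part of the original slides), the following Python code labels IPv6 addresses with the four patterns listed above, so that an address inventory can be checked for guessable interface identifiers. The port set, the word list, the 0xFF bound used for "low-byte" and all function names are assumptions made for this example.

```python
import ipaddress

# Assumed sample sets (constructed for this example, not taken from the slides).
SERVICE_PORTS = {21, 22, 25, 53, 80, 443}
HEX_WORDS = {"dead", "beef", "cafe", "babe", "bad", "face", "f00d"}

def iid_groups(addr):
    """Return the four 16-bit groups of the interface identifier (low 64 bits)."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    return [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]

def as_decimal(group):
    """Read a group's hex digits as a decimal number (0x192 -> 192), else None."""
    text = format(group, "x")
    return int(text) if text.isdigit() else None

def embedded_ipv4(g, nets):
    """Return an IPv4 address from `nets` embedded in one of the four encodings."""
    candidates = []
    if g[0] == 0 and g[1] == 0:                       # ::192.168.0.1, ::c0a8:1
        candidates.append(((g[2] << 16) | g[3]).to_bytes(4, "big"))
    if all(x <= 0xFF for x in g):                     # ::c0:a8:0:1
        candidates.append(bytes(g))
    dec = [as_decimal(x) for x in g]
    if all(d is not None and d <= 255 for d in dec):  # ::192:168:0:1
        candidates.append(bytes(dec))
    for raw in candidates:
        ip = ipaddress.IPv4Address(raw)
        if any(ip in net for net in nets):
            return ip
    return None

def classify(addr, ipv4_nets=()):
    """Label an address with the first matching pattern, most specific first."""
    g = iid_groups(addr)
    nets = [ipaddress.ip_network(n) for n in ipv4_nets]
    if embedded_ipv4(g, nets) is not None:
        return "ipv4-based"
    if any(format(x, "x") in HEX_WORDS for x in g):
        return "wordy"
    if g[:3] == [0, 0, 0] and as_decimal(g[3]) in SERVICE_PORTS:
        return "service-port"
    if g[0] == 0 and g[1] == 0 and g[2] <= 0xFF and g[3] <= 0xFF:
        return "low-byte"
    return "other"

def audit(addresses, ipv4_nets=()):
    """Map each address to its pattern so guessable ones stand out."""
    return {a: classify(a, ipv4_nets) for a in addresses}
```

Passing the IPv4 ranges actually in use (here 192.168.0.0/24) is what lets the check tell an embedded IPv4 address apart from an arbitrary 32-bit value.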

RFC 7707

Gont, F., "IPv6 Network Reconnaissance: Theory & Practice", LACSEC Conference, Medellin, Colombia, May 2013

Ford, M., "IPv6 Address Analysis - Privacy In, Transition Out", May 2013

Tools

• Scan6
• Chiron
• Nessus
• Alive6
• Masscan
• Metasploit
• Nmap
• ZMap
• ZMapv6

Overview matrix

Local Host Discovery

Nmap - ICMP-Echo-Requests

• targets-ipv6-multicast-echo:

    /nmap-7.40$ sudo ./nmap -6 --script=targets-ipv6-multicast-echo.nse -sL --script-args=newtargets
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 19:03 CEST
    Pre-scan script results:
    | targets-ipv6-multicast-echo:
    |   IP: 2606:2800:220:caff:192:168::1  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    |   IP: 2606:2800:220:caff::1  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    |   IP: 2606:2800:220:cafe::256  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    |   IP: fe80::42b:9d6b:b33:5185  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: 2606:2800:220:caff::80  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    |   IP: 2606:2800:220:caff::dead  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    |   IP: fe80::20c:29ff:fe32:d2b9  MAC: 00:0c:29:32:d2:b9  IFACE: ens38
    |   IP: fe80::20c:29ff:fead:b328  MAC: 00:0c:29:ad:b3:28  IFACE: ens38
    |   IP: fe80::20c:29ff:fe32:d2c3  MAC: 00:0c:29:32:d2:c3  IFACE: ens38
    ...
    Nmap done: 15 IP addresses (0 hosts up) scanned in 2.81 seconds

Nmap - ICMP-Echo-Requests

• targets-ipv6-multicast-echo in Wireshark:

Nmap - ICMP-Echo-Requests

• targets-ipv6-multicast-invalid-dst:

    /nmap-7.40$ sudo ./nmap -6 --script=targets-ipv6-multicast-invalid-dst.nse --script-args 'newtargets,interface=ens38' -sP
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-20 16:00 CEST
    Pre-scan script results:
    | targets-ipv6-multicast-invalid-dst:
    |   IP: fe80::c91:b5e:58dc:fa31  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: fe80::20c:29ff:fefe:b5ab  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: fe80::20c:29ff:fe76:ed5e  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: fe80::20c:29ff:fe79:d8c1  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: fe80::20c:29ff:fead:b328  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |   IP: fe80::20c:29ff:fe07:f11c  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    |_  IP: fe80::20c:29ff:fe07:f112  MAC: f4:5c:89:ac:e2:15  IFACE: ens38
    ...
    Nmap done: 7 IP addresses (7 hosts up) scanned in 2.74 seconds

Nmap - ICMP-Echo-Requests

• targets-ipv6-multicast-invalid-dst in Wireshark:

Remote Host Discovery

Nmap - IPv6 subnets

• 65,536 hosts scanned ~ 20 minutes

    nmap-7.40$ sudo ./nmap -6 -sn 2606:2800:0220:caff::/112
    Starting Nmap 7.40 (https://nmap.org) at 2017-04-12 14:35 CEST
    Nmap scan report for 2606:2800:220:caff::1
    Host is up (0.0030s latency).
    Nmap scan report for 2606:2800:220:caff::80
    Host is up (0.00055s latency).
    Nmap scan report for 2606:2800:220:caff::256
    Host is up (0.00018s latency).
    Nmap scan report for 2606:2800:220:caff::dead
    Host is up (0.00094s latency).

    Nmap done: 65536 IP addresses (4 hosts up) scanned in 1118.96 seconds

Scan6 - IPv6 subnets

• 65,536 hosts scanned ~ 3 minutes

    sudo scan6 -d 2606:2800:0220:caff::/112 -vvv
    Target address ranges (1)
    2606:2800:220:caff:0:0:0:0-ffff

    Alive nodes:
    2606:2800:220:caff::1
    2606:2800:220:caff::80
    2606:2800:220:caff::256
    2606:2800:220:caff::dead

Alive6 - IPv4-based addresses

    $ sudo alive6 -4 192.168.0.0/24 ens38 2606:2800:0220:caff::/64
    Alive: 2606:2800:220:cafe::256 [ICMP echo-reply]
    Alive: 2606:2800:220:caff:: [ICMP parameter problem]
    Alive: 2606:2800:220:caff::1 [ICMP echo-reply]
    Alive: 2606:2800:220:caff:192:168:0:1 [ICMP echo-reply]
    Alive: 2606:2800:220:caff::80 [ICMP echo-reply]
    Scanned 1271 addresses and found 5 systems alive

Scan6 - Service-port addresses

• 23 of the best-known ports

    $ sudo scan6 -d 2606:2800:0220:caff::/64 -g
    2606:2800:220:caff::80

Nmap - Wordy addresses

• ~ 8 minutes

    nmap-7.40$ sudo ./nmap -6 --script targets-ipv6-wordlist --script-args newtargets,targets-ipv6-subnet={2606:2800:0220:caff::/64}
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 15:02 CEST
    Pre-scan script results:
    | targets-ipv6-wordlist:
    |_  node count: 2645

    Nmap scan report for 2606:2800:220:caff::dead
    Host is up (0.0053s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap done: 2117 IP addresses (1 host up) scanned in 448.02 seconds

Portscan

Nmap - Portscan (SYN)

    nmap-7.40$ sudo ./nmap -6 -sS -iL ../targets.txt
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-12 15:22 CEST
    Nmap scan report for 2606:2800:220:caff::1
    Host is up (0.00099s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    22/tcp open  ssh
    80/tcp open  http

    Nmap scan report for 2606:2800:220:caff::80
    Host is up (0.0010s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap done: 2 IP addresses (2 hosts up) scanned in 99.83 seconds

Nmap - Version Disclosure

    nmap-7.40$ sudo ./nmap -6 -sV 2606:2800:0220:caff::1
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-08 20:06 CEST
    Nmap scan report for 2606:2800:220:caff::1
    Host is up (0.0011s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 9.54 seconds

In summary:

• Major simplification
• However, still a problem
• Scanning the entire IPv6 address space
• No large subnets