Fernando Gont, who is specializing in the field of communications protocols security, gave a talk during this year’s Troopers IPv6 summit. He spoke about network reconnaissance techniques in IPv6 area and presented a brand new set of tools for this purpose.
Comparing with methods for IPv4, reconnaissance techniques for IPv6 should be different. It offers much larger address space, so such attacks as brute force address scanning are not feasible anymore, because it would take too much time to send one packet to each and every possible address. Fernando has also noted that in general network reconnaissance support in security tools has traditionally been poor. Together these facts prompt that it’s time for something new, and recently a new IETF RFC 7707 was published.
In the beginning of the talk a research on patterns in IPv6 addresses was presented. The results were the following:
- For web-sites: mostly used Low-byte addresses and Embed-IPv4 addresses (the latter makes it easier for the owners to remember, but also easier for an attacker to find it out)
- For mail-servers: Low-byte addresses
- For DNS: Low-byte addresses
- For client addresses: mostly random (~75%), but as Fernando emphasized, that does not mean that they are not predictable.
So, the summarized result of this study is the fact that server addresses do follow patterns. The impact of having predictable addresses can be high: if an attacker wants to target other systems in your network, he can find them easier even if they are not on DNS.
The statistical patterns found during this research are used in the new tool set. The tool scan6 allows for generating addresses automatically based on the patterns; it can figure out the pattern by itself, employs multiple probe types and has a database to follow even a specific vendor. It incorporates all known TCP/UDP techniques for port-scanning, and supports DNS reverse mappings.
There is also a filtering functionality: for example, if you are interested in a specific prefix, or if you want to filter out duplicates, loopbacks, multicast, etc. For generating statistics addr6 can be used. Also, the tools take care of the canonic IPv6 addresses, when they may look different in text but be equivalent in fact.
Another thing you may face is the problem with extension headers. When a packet has many extension headers, it can get dropped on its way on the network.
- path6 tool will tell you how far do your IPv6 packets get
- blackhole6 tool find where on the network they get dropped. It first does traceroute on the packet without extension headers, then with them, and finds the last node on the network that responded.
If you want to see the demonstration of these tools and find more additional details, check the recording as we already published the talks videos on the Troopers channel!