
An Update of PenTesting Tools that (do not) Support IPv6

As you may remember, back in 2014 we published a whitepaper (compiled by Antonis Atlasis) on the support of IPv6 in different pentesting tools. That is almost three years ago, so we thought it was time for an update. In short: not much has changed. Most of the tools that didn't support IPv6 still don't, or haven't received any update since then.
This post covers the tools where we could identify some progress in supporting IPv6.

Nmap

Starting with nmap, which already supported IPv6 back in 2014: since then some new OS fingerprints and several new NSE scripts have been added. OS fingerprinting over IPv6 is a little better than when we last tested it, but still not as good as over IPv4. Another feature that wasn't available before is that nmap now accepts a list of IPv6 addresses on the command line; there is still no support for the octet-range notation known from IPv4 (CIDR prefixes are accepted, but a /64 is far too large to sweep), so we still need to generate a list of IPv6 addresses to scan. A somewhat easier way is the new NSE script "targets-ipv6-wordlist", which takes a wordlist of hexadecimal "words" and combines them with the given subnet to create candidate addresses. It comes with a default list, or we can supply our own.

#nmap -6 -p 80 --script targets-ipv6-wordlist --script-args newtargets,targets-ipv6-subnet={2001:db8::/64}
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-03 17:07 CEST
Pre-scan script results:
| targets-ipv6-wordlist:
|_ node count: 2645

In addition to the above there is another NSE script called "targets-ipv6-map4to6", which maps IPv4 addresses or IPv4 subnets onto an IPv6 subnet (the IPv4 address ends up in the low 32 bits) and adds the results to the scan queue.

#nmap -6 --script targets-ipv6-map4to6 --script-args newtargets,targets-ipv6-map4to6.IPv4Hosts={192.168.1.1},targets-ipv6-subnet={2001:db8::/64}

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-13 17:05 CEST
Pre-scan script results:
| targets-ipv6-map4to6:
|   node count: 1.0
|   addresses:
|_    2001:db8:0:0:0:0:c0a8:101
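The two scripts above generate targets inside nmap, but the same candidate list is useful for tools that cannot sweep IPv6 ranges at all. The following Python script is an added example (not from the original post and not nmap's code) that builds such a list offline, the way targets-ipv6-wordlist and targets-ipv6-map4to6 do, so it can be fed to nmap via -iL or to any other scanner. The wordlist and the IPv4 hosts in it are constructed sample input; nmap's own default wordlist is much larger.

```python
#!/usr/bin/env python3
"""Build an IPv6 target list offline, for nmap -6 -iL or tools without IPv6 ranges.

Added example: not code from the original post or from the nmap project. It
mimics what targets-ipv6-wordlist and targets-ipv6-map4to6 do inside nmap.
"""
import ipaddress
from typing import Iterable, List

HEX = set("0123456789abcdef")

# Constructed sample wordlist; nmap's own default list is much larger.
SAMPLE_WORDS = ["1", "2", "dead:beef", "cafe", "c0ff:ee", "bad:cafe", "1:1"]

# Constructed sample IPv4 hosts/subnets to embed into the low 32 bits.
SAMPLE_V4 = ["192.168.1.1", "10.0.0.0/30"]


def _prefix64(subnet: str) -> List[str]:
    """Return the four 16-bit groups of the /64 prefix of the given subnet."""
    net = ipaddress.IPv6Network(subnet, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{subnet}: expected a /64 or shorter prefix")
    return net.network_address.exploded.split(":")[:4]


def wordlist_targets(subnet: str, words: Iterable[str]) -> List[str]:
    """Combine each hex 'word' with the /64 prefix, like targets-ipv6-wordlist.

    A word is one to four colon-separated hex groups; it is right-aligned in
    the 64-bit interface identifier, so "dead:beef" becomes prefix::dead:beef.
    """
    prefix = _prefix64(subnet)
    targets = []
    for word in words:
        groups = word.lower().split(":")
        if len(groups) > 4 or any(not 1 <= len(g) <= 4 or not set(g) <= HEX for g in groups):
            raise ValueError(f"{word!r}: not 1-4 hexadecimal groups")
        iid = ["0"] * (4 - len(groups)) + groups
        targets.append(ipaddress.IPv6Address(":".join(prefix + iid)).compressed)
    return targets


def map4to6_targets(subnet: str, ipv4_hosts: Iterable[str]) -> List[str]:
    """Embed IPv4 addresses in the low 32 bits of the /64, like targets-ipv6-map4to6.

    Each entry may be a single host or a CIDR subnet; 192.168.1.1 in
    2001:db8::/64 becomes 2001:db8::c0a8:101, as in the nmap output above.
    """
    base = int(ipaddress.IPv6Address(":".join(_prefix64(subnet) + ["0"] * 4)))
    targets = []
    for entry in ipv4_hosts:
        for v4 in ipaddress.IPv4Network(entry, strict=False):
            targets.append(ipaddress.IPv6Address(base | int(v4)).compressed)
    return targets


def build_target_list(subnet: str, words: Iterable[str], ipv4_hosts: Iterable[str]) -> List[str]:
    """Merge both generators, drop duplicates, keep a stable order for -iL."""
    merged = wordlist_targets(subnet, words) + map4to6_targets(subnet, ipv4_hosts)
    return list(dict.fromkeys(merged))


if __name__ == "__main__":
    # Redirect to a file and run: nmap -6 -iL targets.txt
    for target in build_target_list("2001:db8::/64", SAMPLE_WORDS, SAMPLE_V4):
        print(target)
```

Words that are not valid hex groups are rejected rather than silently dropped, so a damaged wordlist does not shrink the scan without anyone noticing.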

The last new NSE script is "ipv6-multicast-mld-list". It uses MLD (Multicast Listener Discovery) to find the multicast groups that IPv6 listeners on the local link have joined: it sends an MLD general query to the all-nodes address and collects the listener reports (more on MLD here or here, or in Jayson's thesis on MLD security).

#nmap --script=ipv6-multicast-mld-list
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-13 07:11 CEST
Pre-scan script results:
| ipv6-multicast-mld-list:
|   fe80::21e6:4529:cea:d560:
|     device: vboxnet0
|     mac: 08:00:27:f2:a4:37
|     multicast_ips:
|       ff02::1:ffea:d560 (NDP Solicited-node)
|       ff02::1:3 (Link-local Multicast Name Resolution)
|       ff02::c (SSDP)
|       ff02::1:3 (Link-local Multicast Name Resolution)
|       ff02::1:ffea:d560 (NDP Solicited-node)
|       ff02::c (SSDP)
|   fe80::a00:27ff:fea1:b6e6:
|     device: vboxnet0
|     mac: 08:00:27:a1:b6:e6
|     multicast_ips:
|       ff02::1:ff00:2 (Solicited-Node Address)
|       ff02::1:ffa1:b6e6 (NDP Solicited-node)
|       ff02::1:ff00:2 (Solicited-Node Address)
|_      ff02::1:ffa1:b6e6 (NDP Solicited-node)
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.98 seconds
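The MLD report is more than an inventory of multicast groups. Every IPv6 node joins the solicited-node group ff02::1:ffXX:XXXX for each of its unicast addresses (RFC 4291, section 2.7.1), so the groups leak the low 24 bits of every address a host owns, including global ones that a link-local scan never shows; in the output above, the second host's ff02::1:ff00:2 points at an address ending in ::2. The following Python is an added example (not nmap's code and not from the original post) that turns such a report into scan candidates for a known prefix. The report it works on is a constructed subset of the nmap output above, and the expansion of a 24-bit suffix into a full address is a heuristic that assumes the rest of the interface identifier is zero, as it is for manually assigned addresses.

```python
#!/usr/bin/env python3
"""Derive candidate unicast addresses from an MLD listener report.

Added example, not nmap's code or the original post's. Solicited-node groups
(ff02::1:ffXX:XXXX) carry the low 24 bits of each unicast address a host has.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
IID_MASK = (1 << 64) - 1

# Constructed sample: link-local address -> groups, taken from the report above.
SAMPLE_REPORT: Dict[str, List[str]] = {
    "fe80::21e6:4529:cea:d560": ["ff02::1:ffea:d560", "ff02::1:3", "ff02::c"],
    "fe80::a00:27ff:fea1:b6e6": ["ff02::1:ff00:2", "ff02::1:ffa1:b6e6"],
}


def solicited_node(addr: str) -> str:
    """Solicited-node multicast address for a unicast address (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24).compressed


def leaked_suffixes(groups: Iterable[str]) -> Set[int]:
    """Low 24 bits of every unicast address implied by solicited-node groups."""
    suffixes = set()
    for group in groups:
        value = int(ipaddress.IPv6Address(group))
        if (value >> 24) == (SOLICITED_NODE_PREFIX >> 24):
            suffixes.add(value & 0xFFFFFF)
    return suffixes


def candidate_addresses(report: Dict[str, List[str]], prefix: str) -> Dict[str, List[str]]:
    """Map each listener to candidate unicast addresses inside the given /64.

    Two guesses per leaked suffix, both labelled as such:
    - a suffix equal to the link-local address' low 24 bits suggests SLAAC, so
      the whole link-local interface identifier is reused under the prefix;
    - any other suffix is expanded with the upper 40 bits of the interface
      identifier set to zero (heuristic for manually assigned addresses).
    """
    base = int(ipaddress.IPv6Network(prefix, strict=False).network_address)
    result: Dict[str, List[str]] = {}
    for link_local, groups in report.items():
        ll = int(ipaddress.IPv6Address(link_local))
        own = ll & 0xFFFFFF
        candidates = set()
        for suffix in leaked_suffixes(groups):
            if suffix == own:
                candidates.add(base | (ll & IID_MASK))  # SLAAC-style guess
            else:
                candidates.add(base | suffix)  # assumption: upper IID bits are zero
        result[link_local] = [ipaddress.IPv6Address(v).compressed for v in sorted(candidates)]
    return result


if __name__ == "__main__":
    for listener, cands in candidate_addresses(SAMPLE_REPORT, "2001:db8::/64").items():
        print(listener, "->", ", ".join(cands))
```

Groups that are not solicited-node addresses (LLMNR, SSDP) are ignored; they say something about running services, not about addresses. The candidates are exactly that, candidates, and still need to be confirmed with a scan.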

Ncrack
With the ncrack 0.5 release, a test showed that ncrack can now address IPv6 targets as long as they are given by hostname. When we used an IPv6 address instead, it showed the error message "invalid port number", presumably because the colons of the address literal are taken for the host:port separator. A workaround for this problem is to use the hosts file and create an entry with a hostname for the target.
#cat /etc/hosts
[...]
2001:db8::2 ipv6-tool-test

Then provide ncrack the hostname and it is working.
#ncrack -6 -v --user root --pass test ipv6-tool-test:22
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-09-04 10:27 EDT
ssh://2001:db8::2:22 finished.
Ncrack done: 1 service scanned in 3.00 seconds.
Probes sent: 1 | timed-out: 0 | prematurely-closed: 0
Ncrack finished.

Ettercap
Ettercap added some new IPv6 features in version 0.8.1 (quoting the changelog):

  • New ipv6 hidden scan mode
  • New nd-poisoning!
  • Increased IPv6 probe delay from 2 seconds to 3
  • make etter{log,filter} ipv6 compatible
  • etterfilter now is IPv6 ready!

But to use IPv6 in ettercap, it has to be built with IPv6 support enabled (the cmake option ENABLE_IPV6). We tried the ND poisoning to perform a MitM attack between two targets: we opened ettercap, enabled "IPv6 Host scan" and started a host scan to find our targets. Unfortunately only one of our targets was discovered, even though we could see in Wireshark that at least one other target had responded. We added each target to the target list manually and started the NDP poisoning. Target "A" then opened a web page on target "B", and our attacker host could sniff the communication.

So we can use ettercap at least for NDP MitM attacks. The downside is that there is no extension header support yet; perhaps this and some more IPv6 MitM attacks will come in the future.

ZAP

The last tool where some progress has happened regarding IPv6 support is ZAP (Zed Attack Proxy) from OWASP. We tried the latest version, 2.6.0, and found that it supports IPv6, but (again) only with a hostname instead of an IPv6 address; there is no support for targeting an IPv6 address directly. For example, connecting to ipv6.google.com works over IPv6, because that target is only reachable over IPv6. But when we tried to connect to ernw.de it used the IPv4 address instead of the IPv6 one (as that target is dual-stacked). This also happens if the system running ZAP is in an IPv6-only network, which means that ZAP cannot connect to ernw.de over IPv6 at all, even though the DNS has an AAAA record besides the A record. (ZAP is a Java application, and the JVM by default hands out IPv4 addresses first for dual-stacked names; the java.net.preferIPv6Addresses property is false unless set otherwise.) A workaround is a static hosts entry that contains only the IPv6 address; then ZAP, in our example, connects to ernw.de over IPv6 as well.

In addition we tested some useful tools which were not listed in the initial paper.

Masscan
Unfortunately masscan does not support IPv6.

Testssl.sh
Testssl.sh supports IPv6 if the openssl binary it uses has IPv6 support enabled. The easiest way to avoid problems with the system openssl is to use the git version of testssl.sh, which ships a precompiled openssl binary with all needed features enabled (the "Using ..." line in the output shows which binary is picked). The -6 switch enables IPv6, and to target an IPv6 address directly there is the --ip option, which takes the address to connect to instead of resolving the hostname.

$testssl.sh -6 ipv6.google.com
###########################################################
testssl.sh 2.9dev from https://testssl.sh/dev/
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on pentest:/home/pentest/tools/testssl.sh-github/bin/openssl.Linux.x86_64
(built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")
Start 2017-09-04 12:30:12 -->> [2a00:1450:4001:81f::200e]:443 (ipv6.google.com) <<--

$testssl.sh -6 --ip=2001:db8::2 ipv6-tool-test:8443
###########################################################
testssl.sh 2.9dev from https://testssl.sh/dev/
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on pentest:/home/pentest/tools/testssl.sh-github/bin/openssl.Linux.x86_64
(built: "Jun 22 19:32:29 2016", platform: "linux-x86_64")
Start 2017-09-04 12:34:04 -->> [2001:db8::2]:8443 (ipv6-tool-test) <<--

sslyze
The tested version of sslyze (1.1.4) also supports IPv6 without any additional flag, and it works with an IPv6 literal instead of a hostname as well, written in bracket notation when a port is given.

$sslyze --regular ipv6.google.com
CHECKING HOST(S) AVAILABILITY
-----------------------------
ipv6.google.com:443 => 2a00:1450:4001:81f::200e:443
[...]


$sslyze --regular "[2001:db8::2]:8443"
CHECKING HOST(S) AVAILABILITY
-----------------------------
2001:db8::2:8443 => 2001:db8::2
[...]
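Ncrack's "invalid port number" for an IPv6 literal and the bracket form sslyze accepts above are two sides of the same problem: a colon separates host from port, and IPv6 literals are full of colons. The following Python is an added example (not code from ncrack, sslyze or the original post) of a target parser that resolves this the way RFC 3986 does, next to the naive split that reproduces the ncrack behaviour; the target strings used are constructed.

```python
#!/usr/bin/env python3
"""Parse and format host:port targets that may contain IPv6 literals.

Added example: not code from ncrack, sslyze or the original post. The target
strings used here are constructed.
"""
import ipaddress
from typing import Optional, Tuple


def _port(text: str) -> int:
    """Parse a TCP/UDP port number, rejecting anything that is not 1-65535."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port number: {text!r}")
    return int(text)


def naive_parse(spec: str) -> Optional[Tuple[str, int]]:
    """The IPv4-era split on the first ':' that many tools still use.

    Works for "host:22" but turns "2001:db8::2:22" into host "2001" and port
    "db8::2:22", which is the "invalid port number" ncrack reports. Splitting
    on the last ':' instead fails the other way round (a bare literal such as
    2001:db8::2 becomes host "2001:db8:" and port 2). Returns None on failure.
    """
    host, _, port = spec.partition(":")
    try:
        return host, _port(port)
    except ValueError:
        return None


def parse_target(spec: str, default_port: int) -> Tuple[str, int]:
    """RFC 3986 style: an IPv6 literal followed by a port must be bracketed.

    Accepted forms: host, host:port, v6literal, [v6literal], [v6literal]:port.
    """
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(host)  # raises on anything that is not a v6 literal
        if not rest:
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"garbage after IPv6 literal: {spec!r}")
        return host, _port(rest[1:])
    # Unbracketed: a complete IPv6 literal is a host without a port. Note that
    # "2001:db8::2:22" is itself a valid address, so a trailing :22 cannot be
    # read as a port here; that ambiguity is exactly why the brackets exist.
    try:
        ipaddress.IPv6Address(spec)
        return spec, default_port
    except ValueError:
        pass
    if spec.count(":") > 1:
        raise ValueError(f"IPv6 literal with port must be written [addr]:port: {spec!r}")
    host, sep, port = spec.partition(":")
    return host, _port(port) if sep else default_port


def format_target(host: str, port: int) -> str:
    """Inverse of parse_target: bracket IPv6 literals, as sslyze accepts them."""
    try:
        ipaddress.IPv6Address(host)
        return f"[{host}]:{port}"
    except ValueError:
        return f"{host}:{port}"
```

The hosts-file workaround used for ncrack and ZAP above sidesteps the parser entirely, since a hostname contains no colons; format_target is what a tool should emit in its own output and logs so that a copied target round-trips.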

To summarize: most of the tools which didn't support IPv6 back then and haven't received any update in the last years will probably not get IPv6 support in the near future, or ever. On the other hand, some actively developed tools are working on more IPv6 capabilities, or have IPv6 support on their feature request list for the future, like nikto (sullo: "Some day, perhaps. Some day."). 😀
For the tools without IPv6 support, socat could be your friend, or the Chiron proxy might even be the better choice. 😉

Cheers,  Rafael
