How to Pwn things over IPv6
IPv6 is the demon that many testers dare not touch very often as it is still not the norm or widely adopted. Don't get me wrong, it is available(it has been for a while now). And, many big and small companies are using it but it isn't what a lot of people are used to & for this reason, there's not often much written down about how to hack at it, find flaws and exploit them.
For this reason, this post will dive into what IPv6 is, some information about different schemas within the protocol & how to attack IPv6 addresses. Someone said to me recently to be able to hack something you must first understand the technology or app you're hacking. By this methodology, it is somewhat correct however I find myself and others winging it from time to time on obscure technologies!
A little bit of Background on IPv6
So for those of you who don't know, IPv6 is at some point going to be a reality for the content we all access on the internet. It created after one bright spark pointed out that the current Internet addressing system, IPv4, only has room for about 4 billion addresses.
Now that is a big number, but it doesn't account for nearly as many people on the planet, and thus connected devices. So IPv6 fixes this issue by bringing 340,000,000,000,000,000,000,000,000,000,000,000,000 unique addresses to the table which dwarfs the 4 billion by quite a few.
Interacting with IPv6
Much like IPv4 addresses, interacting with IPv6 can be done in a multitude of ways and there are special addresses similar to IPv4 that do different things. Firstly when it comes to browsing to a web application over IPv4, it is as simple as chucking the address into the URL bar, and your browser will take you to the respective site/application on that IP.
However, when it comes to IPv6, you need to add a set of brackets around an address for your browser to recognise it. So, for example, browsing to
https://[2a00:1450:401b:803::2003] will give you an error on google however if you try to browse to it without
] your browser will not understand it.
IPv6 Special Addresses
Like IPv4, IPv6 has a few special addresses and ways of doing things that should be noted. IPv6 reserves certain headers for different types of addresses. Probably the best-known example of this is that link local unicast addresses always begin with FE80. Similarly, multicast addresses always begin with FF0x, where the x is a placeholder representing a number from 1 to 8. The following list shows a select amount of these special address types.
A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10. All interfaces of IPv6 hosts require a link-local address. It is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to.
Simply put, a link-local address is created from the MAC address of an interface and the prefix fe80::/10. So anytime you see an address with fe80 as the prefix you can assume this is likely a link-local address however with all things it is always worth double checking.
The process involves filling the address space with prefix bits from the leftmost bit of the most significant bit and filling the MAC address in EUI-64 format into the least-significant bits. If any bits remain to be filled between the two parts, those are set to zero.
Luckily there are tools for creating link-local addresses, so you don't need to worry about them, address6 will take a mac address which it is supplied and convert this to a link-local address, an example run of this command would look similar to:
ro[email protected]:~# address6 74:d4:35:4e:39:c8 fe80::76d4:35ff:fe4e:39c8
The tool essentially takes the mac address and straight converts it as can be seen above. Additionally, address6 can be used to convert a local-link address back from IPv6 to a mac address like so:
ro[email protected]:~# address6 fe80::76d4:35ff:fe4e:39c8 74:d4:35:4e:39:c8
This tool is part of THC-IPv6 which is discussed more further down this post.
In IPv4, a designated address known as a loopback address points to the local machine. The loopback address for any IPv4-enabled device is 127.0.0.1/8 this is also referred to as localhost. Similarly, with IPv6 there is also a designated loopback address for IPv6:
Once all of the zeros have been suppressed, however, the IPv6 loopback address doesn't even look like a valid address. The loopback address is usually shown as
::1. So if you see
::1 you can safely assume this is for the local machine and won't be routable over the internet.
A unique local address(ULA) is the IPv6 equivalent to IPv4 private addresses; the current IPv4 private address ranges are those shown in the list below. These are intended for use in a single organisation's internal network. As part of RFC 4193, the address block fc00::/7 is reserved for use in private IPv6 networks.
IPv4 Private Addresses
- 10.0.0.0/8 IP addresses: 10.0.0.0 -- 10.255.255.255.
- 172.16.0.0/12 IP addresses: 172.16.0.0 -- 172.31.255.255.
- 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255.
It is important to know the local addresses as you may come across them on an external test and find yourself unable to reach them.
Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:
- They are not allocated by an address registry and may be used in networks by anyone without outside involvement.
- They are not guaranteed to be globally unique.
- Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.
As fd00::/8 ULAs are not meant to be routed outside their administrative domain (site or organization), administrators of interconnecting networks normally do not need to worry about the uniqueness of ULA prefixes.
Windows still doesn't fully support IPv6...
It is a little bit ironic however as hard as Microsoft has been pushing IPv6 adoption, Windows does not fully support IPv6 in all the ways you might expect. As an example, in Windows, it is possible to include an IP address within a Universal Naming Convention (\127.0.0.1\ADMIN$, for example). However, you can't do this with IPv6 addresses because when Windows sees a colon, it assumes you're referencing a drive letter.
To work around this issue, Microsoft has established a special domain for IPv6 address translation. If you want to include an IPv6 address within a Universal Naming Convention, you must replace the colons with dashes and append .ipv6.literal.net to the end of the address — for example, FE80-AB00—200D-617B.ipv6.literal.net.
Now that we've learned a little bit about IPv6 addresses, here comes the fun bit... Attacking them. There are a few toolkits for testing and hacking away at IPv6, however, there is a lot of room for development and creation of tooling to deal with IPv6 still.
One of the main things any pentester will use at some point will be Linux and more specifically the norm would be to use Kali Linux or a Debian Variant. Luckily for us, Kali Rolling(2016-Present) comes preinstalled with an IPv6 toolkit for a lot of different attack scenarios.
The main tooling used for infrastructure assessments have IPv6 modules built into them to allow us as the tester to do more! The conventional nmap & Metasploit type tools will work with IPv6, they just need some tuning and have some special options specifically for IPv6.
The Hacker Choice's IPv6 Attack Toolkit, is a collection of tools designed for probing and testing IPv6. I'm not going to re-write the descriptions for each in this blog post, check out the page for detailed info on each. However, the list below is a few I'd recommend for day-to-day IPv6 testing/hacking/pwning.
- alive6 - Shows alive addresses in a given segment, useful for quickly identifying potential targets in range.
- dnsrevenum6 - Performs reverse DNS lookups for IPv6 addresses, useful for if you've got an IP and you want to find the domain associated with it.
- exploit6 - Performs various CVE exploits, however, BE CAREFUL some of the exploits are unstable and could crash the host...
- firewall6 - Runs a lot of access control list(ACL) bypass attempts to check different implementations of firewalling & restrictions.
- passive_discovery6 - Passively sniffs the network and dump all client’s IPv6 addresses, very useful for internal infrastructure assessments for identifying potential IPv6 targets.
- trace6 - An implementation of traceroute for IPv6 which runs a bit quicker than traceroute6.
The above tools are a select few that I've found pretty useful in the limited IPv6 testing I've done. If you have more suggestions, please tweet them at me.
Traditionally when it comes to port scanning there is one tool which is king; nmap! Rest assured nmap works for IPv6, all of the flags you know and love for IPv4 will mostly work on IPv6. To be able to scan IPv6, you'll need to add
-6 before your targets regardless if it's an individual address or a file containing a list of addresses. Typically using something like:
sudo nmap -6 -sSV -p- -iL targets.txt -oA example_IPv6 --version-all --max-retries 3 -T4 -Pn -n --reason –vvv
Will work no problem, the breakdown of this command is as follows:
- nmap: the command to run the program
- -6: tells nmap that the targets are IPv6 hosts
- -sSV: instructs nmap to carry out a syn half-open scan & a version scan
- -p-: notes to scan all 65535 ports
- -iL: This flag tells nmap to load targets from a file path, loads from the current folder.
- -oA: notes the output to be in all three formats that nmap supports; XML, nmap & greppable nmap output.
- --version-all: Sends additional version probes to attempt to discover the version of software running on each open port.
- --max-retries: Notes the maximum amount of retries nmap will do per port
- -T4: Adds additional timing options to nmap tuning the parallel processes and other timeout settings
- -Pn: Instructs nmap to assume the host is up and not to send ICMP packets to the target.
- -n: Tells nmap not to carry out DNS resolution of targets.
- --reason: Tells nmap to show the reason why a port is determined as open or closed based upon response.
- -vvv: This increases the verbosity of scan output.
On top of nmap, there are other great port scanning tools such as zmap, which has been modified to enable support for IPv6 scanning, the modified version can be found here. The GitHub page for the modified version lists that it supports:
- ICMPv6 Echo Request
- IPv6 TCP SYN (any port)
- IPV6 UDP (any port and payload)
As well as port scanning, tooling such as Metasploit Framework support attacks for IPv6. Currently, Metasploit features a handful of scanner modules for IPv6 discovery, and IPv6 enabled versions of its traditional payloads. A quick and easy way to locate the IPv6 modules is to run the command
search ipv6 from within the Metasploit Console:
The majority of modules at the time of writing are related to payloads specifically for communicating back to the attacker's machine. However, the nature of Metasploit is that this will likely change in the future.
Not only can IPv6 be a good target from a scanning perspective there are also many tools out there that can leverage IPv6 addresses for reconnaissance & open source intelligence gathering. Shodan is a great tool I often use to discover information about an organisation. There is a simple search term that can be appended to a shodan search:
has_ipv6:1 to find live IPv6 hosts tied to a search term.
The security stack of an IPv6 system is relatively less mature than that of an IPv4 counterpart. Meaning that there are some potential issues that will have been overlooked. What I've found previously is that sometimes a company will have locked down their servers' IPv4 address & interface but completely forgotten about IPv6. Meaning that the usual ports: 3389,3306,445 etc are rightfully not exposed to the internet on their IPv4 interface but are wide open on IPv6!
This is where port scanning and the rest comes into play allowing you to poke and prod at systems(that you have permission to look at) to find holes and bugs. Once you've found an app or anything else it's as simple as
http://[ipv6 address]:port/path and away you go!
So hopefully you've learned something from this post, sorry it has taken so long to put together but overall I've learned quite a bit from writing it so hope you have too!