Here we are, half-way through this list of the top 10 IPv6 security myths! Welcome to myth #6. Since IPv6 is just now being deployed at any real scale on true production networks, some may think that the attackers have yet to catch up. As we learned in Myth #2, IPv6 was actually designed starting 15-20 years ago. While it didn’t see widespread commercial adoption until the last several years, there has been plenty of time to develop at least a couple suites of test/attack tools.
Myth: IPv6 is too New to be Attacked
Reality: Tools are Already Available
The first toolkit I learned about is THC-IPv6 (THC stands for The Hackers Choice). Originally released in 2005, the current version 2.5 was published just this past summer (2014-06-02). THC-IPv6 is, according to it’s own website, “A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library.” This publicly available toolkit includes:
– parasite6: icmp neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
– alive6: an effective alive scanng, which will detect all systems listening to this address
– dnsdict6: parallized dns ipv6 dictionary bruteforcer
– fake_router6: announce yourself as a router on the network, with the highest priority
– redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
– toobig6: mtu decreaser with the same intelligence as redir6
– detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
– dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
– trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
– flood_router6: flood a target with random router advertisements
– flood_advertise6: flood a target with random neighbor advertisements
– exploit6: known ipv6 vulnerabilities to test against a target
– denial6: a collection of denial-of-service tests againsts a target
– fuzz_ip6: fuzzer for ipv6
– implementation6: performs various implementation checks on ipv6
– implementation6d: listen daemon for implementation6 to check behind a fw
– fake_mld6: announce yourself in a multicast group of your choice on the net
– fake_mld26: same but for MLDv2
– fake_mldrouter6: fake MLD router messages
– fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
– fake_advertiser6: announce yourself on the network
– smurf6: local smurfer
– rsmurf6: remote smurfer, known to work only against linux at the moment
– sendpees6: a tool by willdamn(ad)gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.
– thcping6: sends a hand crafted ping6 packet[and about 30 more tools for you to discover!]
That’s fairly comprehensive from what I can tell!
The other IPv6 toolkit I am currently aware of is from SI6 Networks: “The SI6 Networks’ IPv6 toolkit is a set of IPv6 security assessment and trouble-shooting tools. It can be leveraged to perform security assessments of IPv6 networks, assess the resiliency of IPv6 devices by performing real-world attacks against them, and to trouble-shoot IPv6 networking problems. The tools comprising the toolkit range from packet-crafting tools to send arbitrary Neighbor Discovery packets to the most comprehensive IPv6 network scanning tool out there (our scan6 tool).” This toolkit includes:
addr6: An IPv6 address analysis and manipulation tool.
flow6: A tool to perform a security asseessment of the IPv6 Flow Label.
frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.
icmp6: A tool to perform attacks based on ICMPv6 error messages.
jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.
na6: A tool to send arbitrary Neighbor Advertisement messages.
ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.
ns6: A tool to send arbitrary Neighbor Solicitation messages.
ra6: A tool to send arbitrary Router Advertisement messages.
rd6: A tool to send arbitrary ICMPv6 Redirect messages.
rs6: A tool to send arbitrary Router Solicitation messages.
scan6: An IPv6 address scanning tool.
tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.
What should be clear now is that IPv6 is not safe from attack based on a lack of tools. The understanding and “equipment” necessary is readily available to any potentially nefarious folks. Luckily these tools are also available to you and your security team, to test and harden your own network before the attackers show up!
Another aspect of a device, technology, or protocol being too new to attack is knowledge of bugs and vulnerabilities. Having tools to probe for deployment weaknesses is great but if you can jump right to a software bug all the better, right?
Myth: IPv6 is too New to be Attacked
Reality: Bugs and Vulnerabilities are Published
The fact is that folks are paying attention to IPv6, now more than ever. This means that you can’t rely on any type of security through obscurity. Hardware and software bugs and other vulnerabilities are well known and widely published.
One of my favorite sites to keep track of such bugs and vulnerabilities is securityfocus.com. An easy way to pull a list of IPv6 specific vulnerabilities is to search for: “securityfocus.com inurl:bid ipv6”
The bottom line is that while IPv6 may be new to you or your organization, it’s not new to those who may want to attack your network. They have the tools and knowledge they need, so be sure that you do as well. I sincerely hope that this series of posts on IPv6 security is your first step in acquiring that knowledge – be sure to check out all the posts so far, and stay tuned for the next 4 installments!
This post also appeared on the Deploy360 blog.