[ipv6hackers] The state of IPv6 (pen)testing and the future

Merike Kaeo merike at doubleshotsecurity.com
Wed Jan 23 20:03:55 CET 2013 

Comments embedded...

On Jan 23, 2013, at 1:23 AM, Marc Heuse wrote:

> Hi guys,
> 
> it has become pretty quiet on the list. As the depletion of IPv6 in
> north america will take until beginning of next year [1] and a lot of
> common topics have been already discussed here, I think thats
> understandable.
> 
> So, I would like to ask some things on the status of people actively
> doing IPv6 security.
> 
> Is anyone presenting on new IPv6 security issues in 2013?
> I will do one presentation at the german IPv6 congress in June with some
> new stuff, but so far that is it. In 2012 it was all Fernando, me plus
> one talk by Antonios Atlasis at Blackhat about extension headers and
> fragments [2].
> (or did I miss a talk with new content?)

While I have not created a talk on this a thought I've had is to think thru scenarios where someone can
play with A vs AAAA records and send traffic via split paths and create malware that goes undetected.

Monitoring any v6 traffic for malicious behavior is ....ok....I'll be positive....getting better.  But I'd be willing to bet this
could be the year we see more v6 malware (hoping to be wrong).

> Is anyone providing public IPv6 pentesting trainings in 2013?
> For securing there are a few (few!), but for full hands-on pentesting, I
> am not aware of anyone else besides me (and my plan so far is only at
> CanSecWest, HITB Amsterdam, Sysscan and 44con so far) - so if you do,
> please send this to the list. We need more IPv6 security/pentest
> training to educate people!

++1

> 
> Coming to tools. I am only aware of two IPv6 pentesting tools emerging
> in 2012: the Topera IPv6 Port Scanner [3] and the SinFP3 Fingerprinting
> Tool [4]. This is ... disappointing. On the plus side, the IPv6 support
> (especially scripts) with nmap got a lot better. Did I miss tools here?
> Of course there were updates to Fernando's tools and mine.
> But the lack of IPv6 pentesting/security tools is an issue.

Back in 2006 I wrote a paper where the appendix had a lot of tools listed that existed at the time.  You'll
note yours is there as well :)  I haven't checked updates to them in years but there were a few interesting ones that
it would be cool to know if any enhancements made.  The paper is here:

http://www.ipv6forum.com/dl/white/NAv6TF_Security_Report.pdf

Keep in mind this was 2006 so while some aspects still relevant some thinking changed for me for more current deployments on how
to secure v6 networks.

> Which brings me to my last topic - the thc-ipv6 toolkit currently
> contains ~50 attack and assessment tools. The last update (v2.2) came
> out on the 27th of December 2012. And at the moment I only have a few
> ideas left what to add, so:
> please send me your wishes, ideas, critizism what I could add/enhance to
> thc-ipv6 package! :-)

If I go to CanSec West I will look you up.   And I will publicly state that THC was the most useful tool in early days.....I had been happy 
that *someone* was actively dealing with v6 security testing tools  since I was actively helping with some deployments :)  I should look at the latest rev....haven't yet had the need.

FWIW I am going to RSA just to play with the products on show floor and will see how many devices I can play with that do have real v6 in them.   Even last year I got a lot of folks saying that they don't have enough customer demand but I usually try and find the folks who will understand that they can have a marketing advantage.  Duh.

One thing I've always been wary of is to not overly panic folks when pointing out lack of v6 security features......we need people to deploy and it's too early yet for any real attacks to exist but they will be coming.   Let's hope the tools to mitigate them effectively will exist by then :)

- merike

More information about the Ipv6hackers mailing list