[ipv6hackers] Attacking Microsoft DirectAccess and Transition Technologies (6to4/Teredo)

Thu Aug 29 15:09:48 CEST 2013

Hi Reno,

I used to work at MSFT and I can tell you that DA is quite popular in the
enterprise segment.

The typical scenario is a company where the employees are allowed to take
their laptop home. Laptops run Windows and are joined to the enterprise
Active Directory domain. In this scenario, the user experience is quite
good. Once you get home with your laptop, you switch it on and voila, you
are connected to your company's intranet. When the user logs into the
computer, the tunnel is already in place, so the experience is 99.9% the
same you have when connected to the intranet directly from the office. If
configured properly, no extra user/password dialog boxes, no OTP, no
smartcard, nothing.

One of the big pros of DA is the price. The basic version was always
included with Windows Server 2008 R2, but for fancy stuff (easy
compatibility with IPv4, for example) you needed UAG. With 2012, thats no
longer the case, so with a single Windows Server 2012 license you can
deploy DA in the entire enterprise. Of course you may want to deploy more
than one box for redundancy, but what I'm saying is that this is something
affordable even for startups.

Of course, there are other vendors like Cisco that provide much better VPN
solutions with proper hardware and all. I'm just saying that DA is actually
deployed in the field.

Just my two cents.

Regards,

L

On Thu, Aug 29, 2013 at 7:00 AM, Enno Rey <erey at ernw.de> wrote:

> Hi,
>
> sorry, Jim, no direct answer to your question (btw: pity, you couldn't be
> in Berlin at IETF 87), but I'd like to somewhat rephrase the question: is
> there any use of MS DirectAccess in organizations at all?
> In dead earnest: I've yet to see any enterprise environment (or any at
> all) using it. I'm still considering MS DA as a kind-of chimera. Can
> anybody share any practical experience, war stories, anecdotes, whatever of
> practical use of MS DA out there? [yes, I'm aware of the presentation at
> the Heise Kongress 2010/2011].
>
> thanks
>
> Enno
>
> On Thu, Aug 29, 2013 at 03:25:53AM +0000, Jim Small wrote:
> > Wondering if anyone has done penetration testing on an older Windows
> 2008 R2 Server setup for DirectAccess with all the transition technologies
> on (6to4/Teredo/ISATAP) with no hardening.  My thought is you might be able
> to gain some internal access/reconnaissance via a Teredo/Miredo client or
> leveraging 6to4/Teredo weaknesses.  I think DA by itself is pretty solid
> (open to hear otherwise though), but the transition technologies have
> issues if not locked down.  I think some people setting up DA don't
> understand IPv6 or the transition technologies and are blindly following a
> point and click guide.  ISATAP may also be deployed internally if NAT64
> wasn't setup -or- UAG may also be present acting as a NAT64 gateway
> potentially even providing internal IPv4 access.  I'm not sure how strict
> the default policy firewall policy is.  Thus these types of setups could be
> interesting to a penetration tester.
> >
> > Any comments welcome,
> >   --Jim
> >
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
>
> --
> Enno Rey
>
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
>
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
>
> Troopers 2013 Videos online:
> http://www.youtube.com/user/TROOPERScon?feature=watch
>
> =======================================================
> Blog: www.insinuator.net || Conference: www.troopers.de
> =======================================================
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>