[ipv6hackers] Attacking Microsoft DirectAccess and Transition Technologies (6to4/Teredo)

Jim Small jim.small at cdw.com
Thu Aug 29 17:35:29 CEST 2013


Hi Enno,

Hoping to work out Troopers for next year...  As for DA use, I can confirm what Luis said - I know of dozens of deployments firsthand (in the US) and from asking around it is fairly popular.  I think DA is a good solution if configured right.  I think where there may be weaknesses is especially in older deployments (2008 R2) where the person set up all the transition technologies without understanding what they were doing or locking them down.  However, I'm not sure about this - that's why I was curious if anyone has probed a DA server (pen tested it).  So really what I'm asking is not if DA has issues, but, if you have a Windows 2008 R2 server that's a Teredo server/relay, a 6to4 gateway, perhaps an ISATAP router, and perhaps a NAT64 gateway, whether any of those could be exploited.

--Jim

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Enno Rey
> Sent: Thursday, August 29, 2013 1:00 AM
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] Attacking Microsoft DirectAccess and Transition
> Technologies (6to4/Teredo)
> 
> Hi,
> 
> sorry, Jim, no direct answer to your question (btw: pity, you couldn't be in
> Berlin at IETF 87), but I'd like to somewhat rephrase the question: is there
> any use of MS DirectAccess in organizations at all?
> In dead earnest: I've yet to see any enterprise environment (or any at all)
> using it. I'm still considering MS DA as a kind-of chimera. Can anybody share
> any practical experience, war stories, anecdotes, whatever of practical use of
> MS DA out there? [yes, I'm aware of the presentation at the Heise Kongress
> 2010/2011].
> 
> thanks
> 
> Enno
> 
> On Thu, Aug 29, 2013 at 03:25:53AM +0000, Jim Small wrote:
> > Wondering if anyone has done penetration testing on an older Windows
> > 2008 R2 Server set up for DirectAccess with all the transition technologies on
> > (6to4/Teredo/ISATAP) with no hardening.  My thought is you might be able
> > to gain some internal access/reconnaissance via a Teredo/Miredo client or
> > leveraging 6to4/Teredo weaknesses.  I think DA by itself is pretty solid (open
> > to hear otherwise though), but the transition technologies have issues if not
> > locked down.  I think some people setting up DA don't understand IPv6 or
> > the transition technologies and are blindly following a point and click guide.
> > ISATAP may also be deployed internally if NAT64 wasn't set up -or- UAG may
> > also be present acting as a NAT64 gateway potentially even providing internal
> > IPv4 access.  I'm not sure how strict the default firewall policy is.  Thus
> > these types of setups could be interesting to a penetration tester.
> >
> > Any comments welcome,
> >   --Jim
> >
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
> 
> --
> Enno Rey
> 
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
> 
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
> 
> Troopers 2013 Videos online:
> http://www.youtube.com/user/TROOPERScon?feature=watch
> 
> =======================================================
> Blog: www.insinuator.net || Conference: www.troopers.de
> =======================================================


