
Penetration Testing IPV6 Networks

The rumors of IPV4’s demise and the impending move to IPV6 have been going around for the last fifteen
years. IPV4 defines an address in numerical format such as 209.85.143.104. With the growth in the number
of systems, the folks allocating addresses (ARIN) realized that we were going to run out of address space. Thus
we got a new standard called IPV6. IPV6 uses a longer address, written in hexadecimal notation, to provide a
nearly inexhaustible supply of addresses.

Waiting for widescale arrival of IPV6 has been like waiting for the next ice age. However, given that we really
are running out of IPV4 addresses it is inevitable that we will be seeing more and more IPV6 networks in the
future. And IPV6 brings additional benefits including support for IPSEC.

So how does the IPV6 move impact penetration testing? Many vendors tout their security tools’ support for
IPV6; however, simply having a toolkit that supports the new protocol is just a start. More attention needs to
be paid to the fundamental challenges inherent in testing IPV6, primarily due to the massive scale involved.
External penetration testing is gaining some new challenges as we move to IPV6.

History:

In many ways the folks at ARIN getting stingy with the address space have made life easy for us security folks.
As the unallocated space dried up you could only get the addresses you absolutely needed. As a result most
firms have fairly small externally facing address ranges chock full of servers. Finding five live IPs in a block of
eight is like shooting fish in a barrel.

A good reconnaissance phase for a pentest will find all the systems/services that are up and profile them for
detailed analysis by the security pro doing the testing. While our clients will often indicate how many or which
hosts are up, testing the whole range frequently identifies additional systems and areas of risk. When was the
last time that forgotten dev box sitting next to the credit card processing server was patched? Was the secure
hardening process applied to the system the IT guy spun up to host his 4×4 adventure blog next to the ACH
processing system? Finding these forgotten systems is key to a good assessment.

A solid reconnaissance phase typically looks something like this:

1. Ping sweep and fast scan of the network (this checks the most common ports on hosts that respond to
a ping). We get some initial results within a couple of hours. This gives our team something to get
started reviewing. If we think we are being blocked later in the engagement we can always compare to this
initial quick pass to see if an IPS is monkeying with our traffic.

WEB PHONE EMAIL

WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM


2. Full port scan (all 65,535 ports) on each host that was found to be up in stage 1.

3. Full port scan (all 65,535 ports) on each host that didn’t respond to a ping in stage 1. We occasionally find the
odd backdoor, or custom insecure application, hiding on some high random port on a host that didn’t respond
to ping.

Then comes the real work (and fun) of digging into each service probing for security flaws that can be
leveraged to gain access.

The new Era:

With the shift to IPV6 the network address space to be tested is much, much larger. Consider a modest sized
organization’s external footprint with IPV4. They may have only a /24 or 255 internet facing addresses and 12
hosts that are live.

With IPV6 the standard allocation (what you get by default when you ask for a block of IPV6 addresses) is a /48.
A /48 is 65,000 LANs. Each LAN has 18,446,744,073,709,551,616 addresses. For a total of
1,208,925,819,614,630,000,000,000 possible addresses. Suddenly finding the 12 live IPs to do the security
testing is a lot more difficult.

How does this affect assessment time? Assume an IPV4 /24 (255 hosts) that can be scanned for a live service
on every IP/port in 24 hours. Now with the same approach, these addresses are hidden in an IPV6 /48.
Scanning each host/port would take 13,800,523,054,961,500,000 years. There are a number of ways around
this including massively scalable cloud solutions (we’ll talk more about those in the future).
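A staged recon planner, added here as an example (it is not Redspin’s tooling or the author’s code), that ties the three reconnaissance stages listed earlier to the scale problem in this section: it parses a constructed nmap grepable (-oG) ping-sweep result, builds the stage-2 list (responders) and the stage-3 list (everything that stayed quiet), and scales the article’s 24-hours-per-/24 figure to whatever range is under test. The MAX_EXPANDABLE cut-off, the documentation-range addresses and the sample sweep output are assumptions of this example.

```python
"""Staged recon planner for an external address range.

Added example, not Redspin's tooling. It mirrors the article's three stages:
a ping sweep plus fast scan, a full-port scan of responders, and a full-port
scan of everything that stayed quiet. The last stage needs the whole range
enumerated, which is the step that stops scaling under IPv6.
"""
import ipaddress
import re

# Constructed sample of nmap "grepable" (-oG) output from a stage-1 ping sweep.
# Documentation-range addresses; not real scan results.
STAGE1_OUTPUT = """\
# Nmap ping sweep (constructed sample, not a real run)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.25 ()\tStatus: Up
Host: 203.0.113.80 ()\tStatus: Up
Host: 2001:db8:1::10 ()\tStatus: Up
# Nmap done
"""

HOST_UP = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\s*$")

# The article's reference rate: a /24 (256 addresses) scanned on every port
# in 24 hours. The scale-up below assumes that rate holds for any range.
REFERENCE_ADDRESSES = 256
REFERENCE_HOURS = 24

# Assumption for this example: refuse to expand a range holding more than a
# /16 worth of addresses into an explicit stage-3 target list.
MAX_EXPANDABLE = 2 ** 16


def parse_up_hosts(grepable_text):
    """Return the set of addresses a stage-1 sweep reported as Up."""
    up = set()
    for line in grepable_text.splitlines():
        match = HOST_UP.match(line)
        if match:
            up.add(ipaddress.ip_address(match.group(1)))
    return up


def exhaustive_scan_days(network):
    """Days to scan every address/port in `network` at the reference rate."""
    net = ipaddress.ip_network(network, strict=False)
    hours = net.num_addresses * REFERENCE_HOURS // REFERENCE_ADDRESSES
    return hours / 24


def plan_stages(target_range, stage1_output):
    """Turn stage-1 results into stage-2 and stage-3 target lists."""
    net = ipaddress.ip_network(target_range, strict=False)
    # Keep only responders that belong to the range under test.
    up = {a for a in parse_up_hosts(stage1_output) if a in net}
    days = exhaustive_scan_days(net)
    plan = {
        "stage2_full_scan": [str(a) for a in sorted(up)],
        "exhaustive_days": days,
        "exhaustive_years": days / 365,
    }
    if net.num_addresses <= MAX_EXPANDABLE:
        # Stage 3: every address in the range that did not answer the sweep.
        plan["stage3_full_scan"] = [str(a) for a in net if a not in up]
        plan["stage3_feasible"] = True
    else:
        # The range cannot be walked; stage 3 has to start from an explicit
        # inventory (DNS records, the client's host list), not the prefix.
        plan["stage3_full_scan"] = []
        plan["stage3_feasible"] = False
    return plan


if __name__ == "__main__":
    for rng in ("203.0.113.0/24", "2001:db8:1::/48"):
        p = plan_stages(rng, STAGE1_OUTPUT)
        print(rng, "stage2:", p["stage2_full_scan"],
              "stage3 targets:", len(p["stage3_full_scan"]),
              "exhaustive years:", f"{p['exhaustive_years']:.3g}")
```

For the IPv4 /24 the planner emits a 3-host stage-2 list and a 253-address stage-3 list, and the estimate comes out at one day. For the /48 the same responder shows up in stage 2, but stage 3 is marked infeasible and the estimate lands in the 10^19-year range, which is the point the article makes: under IPv6 the "scan what didn’t answer" step has to be fed from an inventory rather than from the prefix.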

Given the challenges in assessing an address space of this magnitude I can hear the call that “IPV6 makes me
more secure than my old IPV4 network”. With such a large space the hackers should have a harder time
finding exploitable services. Does this security through obscurity enhance your security posture?

Are you looking at rolling out IPV6? Will the transition to IPV6 make you feel more or less safe?

Written by Redspin VP of Engineering, Matt Marshall

