Author Archive:

Mapping IPv6 hosts using inaddr.arpa

Tuesday, April 3rd, 2012

There’s been an interesting thread on the ipv6hackers mailing list lately discussing how to use inaddr.arpa to map an IPv6 subnet. The code, available on github, will query a nameserver to find live hosts on a given subnet. Support for the ip6.arpa mapping technique has already been added to the thc-ipv6 suite!

Finding live hosts on an IPv6 network

Monday, March 26th, 2012

Today I was re-watching Marc Heuse’s 2012 CCC presentation on recent insecurities in IPv6 (if you know anything about IPv6, skip the first 30 slides). In case you don’t already know, blanket port scanning for host identification in IPv6 is essentially useless: given the size of the address space, it is infeasible to find a host that is trying to hide. That is the key, though: the massive, unconventional hex-based IPv6 addressing scheme is in some senses more of a hassle than a help when you consider the numerous layer X technologies it is replacing (ARP, IPv4, NAT). Because of this unconventional (and hard to remember) address scheme, network administrators seem to have taken a simplification approach to the problem. Heuse outlines how to scan for hosts if you are looking for IPv6 addresses; the strategies are:

1) Check ::1-X, where X is a large number {1000,…}

To make networks more organized network admins have been caught numbering their hosts sequentially. While these numbers are essentially worthless without reverse DNS they make administration easy, and scanning easier!

2) Check ::X:p, ::p, where X is a large number {1,2,3,..}, and p is a common port {80,443,22,23,445,3389, etc}

Again, same reasoning as above. Network admins want to make IPv6 maintainable, and using a simple addressing scheme makes network and firewall management more convenient. One major IPv6 deployment is guilty of using this strategy.

3) Check ::X:Y, where X and Y are in the set of English and leet-speak words that can be spelled in hexadecimal.

Dead beef, b00b, babe, all abound in this namespace.
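The three patterns above are just as useful from the administrator's side: if your own allocations match them, they are guessable. The following added example (not code from the post or from thc-ipv6) audits a list of addresses against the three heuristics; the threshold of 1000, the 255 cap on X, the port list as spelled in the address text, and the word list are assumptions chosen for the example.

```python
import ipaddress
import re

# Thresholds and word list are assumptions for this example, not from the post.
SEQUENTIAL_MAX = 1000                                     # pattern 1: ::1 .. ::X
COMMON_PORTS = {"80", "443", "22", "23", "445", "3389"}   # pattern 2, as spelled in the address
HEX_WORDS = {"dead", "beef", "b00b", "babe", "cafe", "face", "feed", "c0de", "f00d"}


def interface_id(addr):
    """Return the low 64 bits of addr as an int and as four lowercase hextets."""
    ip = ipaddress.IPv6Address(addr)
    low = int(ip) & ((1 << 64) - 1)
    hextets = [format((low >> shift) & 0xFFFF, "x") for shift in (48, 32, 16, 0)]
    return low, hextets


def classify(addr):
    """Return the list of guessable patterns (from the post) that addr matches."""
    low, h = interface_id(addr)
    hits = []
    # 1) ::1-X: the whole interface identifier is one small sequential number.
    if 1 <= low <= SEQUENTIAL_MAX:
        hits.append("sequential")
    # 2) ::X:p or ::p: a small X in the third hextet and a service port in the last.
    if h[0] == "0" and h[1] == "0" and int(h[2], 16) <= 255 and h[3] in COMMON_PORTS:
        hits.append("port")
    # 3) ::X:Y spelled with hex words (known words, or any all-letter hextet as a
    #    coarse proxy for words such as dead/beef/cafe).
    if any(x in HEX_WORDS or re.fullmatch(r"[a-f]{4}", x) for x in h):
        hits.append("hex-word")
    return hits


def audit(addrs):
    """Map each address to its matched patterns, keeping only the guessable ones."""
    return {a: classify(a) for a in addrs if classify(a)}


if __name__ == "__main__":
    # Constructed sample allocation from the documentation prefix 2001:db8::/32.
    sample = [
        "2001:db8::1", "2001:db8::2a", "2001:db8::443", "2001:db8::2:80",
        "2001:db8::dead:beef", "2001:db8::1a2b:3c4d:5e6f:7a8b",
    ]
    for a, patterns in audit(sample).items():
        print(f"{a:32} {', '.join(patterns)}")
```

An address can match more than one pattern (::80 is both a low sequential number and a port), which is why `classify` returns a list rather than a single label.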