IPv6 Security: Audit Security: Difference between revisions

Revision as of 00:56, 11 July 2013

Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither Nessus nor any commercial security scanner is as far as I know able to scan IPv6 addresses.

19.3.1. Legal issues

ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you. CHECK destination IPv6 addresses TWICE before starting a scan.

19.3.2. Security auditing using IPv6-enabled netcat

With the IPv6-enabled netcat (see IPv6+Linux-status-apps/security-auditing for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example:

# nc6 ::1 daytime
13 JUL 2002 11:22:22 CEST

19.3.3. Security auditing using IPv6-enabled nmap

NMap, one of the best portscaner around the world, supports IPv6 since version 3.10ALPHA1. Usage example:

# nmap -6 -sT ::1

Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-11 07:54 WIT
Nmap scan report for ip6-localhost (::1)
Host is up (0.00049s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp
873/tcp open  rsync

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

19.3.4. Security auditing using IPv6-enabled strobe

Strobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see IPv6+Linux-status-apps/security-auditing for more). Usage example:

# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>.
::1 2401 unassigned unknown
::1 22 ssh Secure Shell - RSA encrypted rsh 
::1 515 printer spooler (lpd)
::1 6010 unassigned unknown 
::1 53 domain Domain Name Server

Note: strobe isn't really developed further on, the shown version number isn't the right one.

19.3.5. Audit results

If the result of an audit mismatch your IPv6 security policy, use IPv6 firewalling to close the holes, e.g. using netfilter6 (see Firewalling/Netfilter6 for more).

Info: More detailed information concerning IPv6 Security can be found here:

   IETF drafts - IPv6 Operations (v6ops)

   RFC 3964 / Security Considerations for 6to4

IPv6 Security: Audit Security: Difference between revisions

Revision as of 00:56, 11 July 2013

Contents

19.3.1. Legal issues

19.3.2. Security auditing using IPv6-enabled netcat

19.3.3. Security auditing using IPv6-enabled nmap

19.3.4. Security auditing using IPv6-enabled strobe

19.3.5. Audit results

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools

@@ Line 1: / Line 1: @@
-.3. IPv6 security auditing
+Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither Nessus nor any commercial security scanner is as far as I know able to scan IPv6 addresses.
-Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither Nessus nor any commercial security scanner is as far as I know able to scan IPv6 addresses.
+==19.3.1. Legal issues==
-.3.1. Legal issues
 ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you. CHECK destination IPv6 addresses TWICE before starting a scan.
-.3.2. Security auditing using IPv6-enabled netcat
+==19.3.2. Security auditing using IPv6-enabled netcat==
 With the IPv6-enabled netcat (see IPv6+Linux-status-apps/security-auditing for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example:
-# nc6 ::1 daytime
+ # nc6 ::1 daytime
 JUL 2002 11:22:22 CEST
-.3.3. Security auditing using IPv6-enabled nmap
+==19.3.3. Security auditing using IPv6-enabled nmap==
 NMap, one of the best portscaner around the world, supports IPv6 since version 3.10ALPHA1. Usage example:
-# nmap -6 -sT ::1
+ # nmap -6 -sT ::1
-Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
-Interesting ports on localhost6 (::1):
+ Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-11 07:54 WIT
-(The 1600 ports scanned but not shown below are in state: closed)
+ Nmap scan report for ip6-localhost (::1)
-Port       State       Service
+ Host is up (0.00049s latency).
-/tcp     open        ssh
+ Not shown: 993 closed ports
-/tcp     open        domain
+ PORT    STATE SERVICE
-/tcp    open        printer
+/tcp  open  ssh
-/tcp   open        cvspserver
+/tcp  open  smtp
-Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds
+/tcp  open  http
+/tcp open  netbios-ssn
+/tcp open  microsoft-ds
+/tcp open  ipp
+/tcp open  rsync
+ Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
-.3.4. Security auditing using IPv6-enabled strobe
+==19.3.4. Security auditing using IPv6-enabled strobe==
 Strobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see IPv6+Linux-status-apps/security-auditing for more). Usage example:
-# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>.
+ # ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>.
-::1 2401 unassigned unknown
+ ::1 2401 unassigned unknown
-::1 22 ssh Secure Shell - RSA encrypted rsh
+ ::1 22 ssh Secure Shell - RSA encrypted rsh
-::1 515 printer spooler (lpd)
+ ::1 515 printer spooler (lpd)
-::1 6010 unassigned unknown
+ ::1 6010 unassigned unknown
-::1 53 domain Domain Name Server
+ ::1 53 domain Domain Name Server
 Note: strobe isn't really developed further on, the shown version number isn't the right one.
-.3.5. Audit results
+==19.3.5. Audit results==
 If the result of an audit mismatch your IPv6 security policy, use IPv6 firewalling to close the holes, e.g. using netfilter6 (see Firewalling/Netfilter6 for more).