IPv6 Security: Audit Security: Difference between revisions
From OnnoCenterWiki
Jump to navigationJump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 28: | Line 28: | ||
==Security auditing menggunakan nmap IPv6-enabled== | ==Security auditing menggunakan nmap IPv6-enabled== | ||
NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1. | NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1. Instalasi dapat menggunakan perintah | ||
# nmap | # apt-get install nmap | ||
Starting Nmap 6. | Contoh penggunaan: | ||
Nmap scan report for | |||
Host is up (0. | # nmap -6 -sS -v -Pn 2001:470:36:ab6:6847:8077:6bc1:4b2b | ||
Not shown: | |||
PORT STATE SERVICE | Hasilnya kira-kira: | ||
22/tcp open ssh | |||
Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-04 14:14 WIB | |||
80/tcp open http | Initiating ND Ping Scan at 14:14 | ||
139/tcp open netbios-ssn | Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1 port] | ||
445/tcp open microsoft-ds | Completed ND Ping Scan at 14:14, 0.21s elapsed (1 total hosts) | ||
Initiating System DNS resolution of 1 host. at 14:14 | |||
Completed System DNS resolution of 1 host. at 14:15, 2.43s elapsed | |||
Initiating SYN Stealth Scan at 14:15 | |||
Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1000 ports] | |||
Discovered open port 80/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Discovered open port 139/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Discovered open port 445/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Discovered open port 22/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Discovered open port 873/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Completed SYN Stealth Scan at 14:15, 2.88s elapsed (1000 total ports) | |||
Nmap scan report for 2001:470:36:ab6:6847:8077:6bc1:4b2b | |||
Host is up (0.0027s latency). | |||
Not shown: 995 closed ports | |||
PORT STATE SERVICE | |||
22/tcp open ssh | |||
80/tcp open http | |||
139/tcp open netbios-ssn | |||
445/tcp open microsoft-ds | |||
873/tcp open rsync | |||
MAC Address: 60:A4:4C:75:A6:A0 (Asustek Computer) | |||
Nmap done: 1 IP address (1 host up) scanned in | Read data files from: /usr/bin/../share/nmap | ||
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds | |||
Raw packets sent: 1209 (77.384KB) | Rcvd: 1017 (61.076KB) | |||
==Security auditing menggunakan strobe IPv6-enabled== | ==Security auditing menggunakan strobe IPv6-enabled== | ||
Revision as of 00:44, 23 September 2018
Fasilitas / tool untuk melakukan security audit pada jaringan IPv6 masih terus di kembangkan. Tool yang ada memang belum sebaik yang tersedia di IPv4.
Masalah Hukum / Legal
PERHATIAN: berhati-hati saat melakukan scan ke sistem yang kita gunakan, jika tidak mungkin kita akan terkena masalah hukum. CEK tujuan IPv6 address DUA KALI sebelum melakukan scan.
Audit Security Menggunakan netcat yang IPv6
Dengan menggunakan netcat IPv6-enabled kita dapat menjalankan portscan dengan membungkusnya dengan script dan melakukannya pada range port tertentu, untuk menangkap banner dll.
Contoh penggunaan:
# apt-get install netcat6
Jika anda mempunyai server daytime di localhost, dapat melakukan scan:
# nc6 ::1 daytime 13 JUL 2002 11:22:22 CEST
Contoh lain jika kita mempunyai server, misalnya SMTP (port 25), maka
# nc6 ::1 25 220 axioo ESMTP Postfix (Ubuntu)
Security auditing menggunakan nmap IPv6-enabled
NMap, salah satu portscaner terbaik di dunia, mendukung IPv6 sejak versi 3.10ALPHA1. Instalasi dapat menggunakan perintah
# apt-get install nmap
Contoh penggunaan:
# nmap -6 -sS -v -Pn 2001:470:36:ab6:6847:8077:6bc1:4b2b
Hasilnya kira-kira:
Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-04 14:14 WIB Initiating ND Ping Scan at 14:14 Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1 port] Completed ND Ping Scan at 14:14, 0.21s elapsed (1 total hosts) Initiating System DNS resolution of 1 host. at 14:14 Completed System DNS resolution of 1 host. at 14:15, 2.43s elapsed Initiating SYN Stealth Scan at 14:15 Scanning 2001:470:36:ab6:6847:8077:6bc1:4b2b [1000 ports] Discovered open port 80/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b Discovered open port 139/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b Discovered open port 445/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b Discovered open port 22/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b Discovered open port 873/tcp on 2001:470:36:ab6:6847:8077:6bc1:4b2b Completed SYN Stealth Scan at 14:15, 2.88s elapsed (1000 total ports) Nmap scan report for 2001:470:36:ab6:6847:8077:6bc1:4b2b Host is up (0.0027s latency). Not shown: 995 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 873/tcp open rsync MAC Address: 60:A4:4C:75:A6:A0 (Asustek Computer) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds Raw packets sent: 1209 (77.384KB) | Rcvd: 1017 (61.076KB)
Security auditing menggunakan strobe IPv6-enabled
Strobe (dibandingkan dengan NMap) merupakan portscanner low budger, tetapi ada patch untuk mengaktifkan IPv6. Contoh penggunaan:
# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange <proff@iq.org>. ::1 2401 unassigned unknown ::1 22 ssh Secure Shell - RSA encrypted rsh ::1 515 printer spooler (lpd) ::1 6010 unassigned unknown ::1 53 domain Domain Name Server
Catatan: tampaknya strobe tidak di kembangkan lebih lanjut.
Hasil Audit
Jika hasil audit ternyata tidak cocok dengan kebijakan keamanan IPv6, gunakan firewall IPv6 untuk menutup lubang yang ada, misalnya, menggunakan netfilter6.
Informasi tambahan: Lebih detail tentang IPv6 Security dapat di peroleh disini:
- IETF drafts - IPv6 Operations (v6ops)
- RFC 3964 / Security Considerations for 6to4
