The rumors of IPV4’s demise and the impending move to IPV6 have been going around for the last fifteen years. IPV4 defines an address in numerical format such as 126.96.36.199. With the growth in the number of systems the folks allocating addresses (ARIN) realized that we were going to run out of address space. Thus we got a new standard called IPV6. IPV6 is a longer address and uses alphanumeric characters to provide a nearly inexhaustible supply of addresses.
Waiting for widescale arrival of IPV6 has been like waiting for the next ice age. However, given that we really are running out of IPV4 addresses it is inevitable that we will be seeing more and more IPV6 networks in the future. And IPV6 brings additional benefits including support for IPSEC.
So how does the IPV6 move impact penetration testing? Many vendors tout their security tools support for IPV6, however, simply having a toolkit that supports the new protocol is just a start. More attention needs to be paid to the fundamental challenges inherent in testing IPV6 primarily due to the massive scale involved. External penetration testing is gaining some new challenges as we move to IPV6.
In many ways the folks at Arin getting stingy with the address space have made life easy for us security folks. As the unallocated space dried up you could only get the addresses you absolutely needed. As a result most firms have fairly small externally facing address ranges chock full of servers. Finding five live IP’s in a block of eight is like shooting fish in a barrel.
A good reconnaissance phase for a pentest will find all the systems/service that are up and profile them for detailed analysis by the security pro doing the testing. While our clients will often indicate how many/or what hosts are up, testing the whole range frequently identifies additional systems and areas of risk. When was the last time that forgotten dev box sitting next to the credit card processing server was patched. Was the secure hardening process applied to the system the IT guy spun up to host his 4×4 adventure blog next to the ACH processing system? Finding these forgotten systems is key to a good assessment.
A solid reconnaissance phase typically looks something like this:
1. Ping sweep and fast scan of the network (this checks the most common ports on hosts that respond to a ping). We get some initial results within a couple of hours. This gives our team something to get started reviewing. If we think we get blocked later in the engagement we can always compare to this initial quick pass to see if an IPS is monkeying with our traffic.
2. Full port scan (65,535) ports on each host that was found to be up in stage 1.
3. Full port scan (65,535) ports on each host that didn’t respond to a ping in stage 1. We occasionally find the odd backdoor, or custom insecure application hiding on some high random port on a host that didn’t respond to ping.
Then comes the real work (and fun) of digging into each service probing for security flaws that can be leveraged to gain access.
The new Era:
With the shift to IPV6 the network address space to be tested is much, much larger. Consider a modest sized organization’s external footprint with IPV4. They may have only a /24 or 255 internet facing addresses and 12 hosts that are live.
With IPV6 the standard allocation (what you get by default when you as for a block of IPV6 addresses) is a /48. A /48 is 65,000 LANs. Each LAN has 18,446,744,073,709,551,616 addresses. For a total of 1,208,925,819,614,630,000,000,000 possible addresses. Suddenly finding the 12 live IPs to do the security testing is a lot more difficult.
How does this affect assessment time? Assume an IPV4 /24 (255 hosts) that can be scanned for a live service on every IP/port in 24 hours. Now with the same approach, these addresses are hidden in an IPV6 /48. Scanning each host/port would take 13,800,523,054,961,500,000 years. There are a number of ways around this including massively scalable cloud solutions (we’ll talk more about those in the future).
Given the challenges in assessing an address space of this magnitude I can hear the call that “IPV6 makes me more secure than my old IPV4 network”. With such a large space the hackers should have a harder time finding exploitable services. Does this security through obscurity enhance your security posture?
Are you looking at rolling out IPV6? Will the transition to IPV6 make you feel more or less safe?