IPv6 Capable Security Assessment / Penetration Testing Tools
Gene Cronk, ISSAP, CISSP, NSA-IAM
North American IPv6 Forum
Systems Admin, The Robin Shepherd Group
Why should I know about this?
Understanding the weaknesses of your own network.
Realizing there is a major lack of IPv6-capable tools.
What you can do about that lack of tools.
Making IPv4-only tools relatively functional against IPv6-only hosts.
Your attackers already know how to do this.
How This Presentation is Arranged
The Good -- tools that fully support IPv6 out of the box.
The Bad -- tools that do not support IPv6 natively.
The Ugly -- tools that either do not fully support IPv6 natively, or do not support IPv6 at all but can be made to do so via a transition mechanism or a proxy.
Most tools are from the top 75 listed at www.insecure.org.
The Good: Argus (The All Seeing)
Argus is a system/network monitoring application. It will monitor nearly anything you ask it to monitor, including TCP/UDP applications, IP connectivity, SNMP and databases.
Presents a clean, easy-to-view web interface that keeps both the managers and the techs happy. Can send alerts in numerous ways (such as via pager).
Current Version -- 3.3
www.tcp4me.com/code/argus-archive/argus-3.3.tgz
License -- Perl Artistic License
The Good: LSOF (LiSt Open Files)
This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. It can also list the communication sockets held by each process.
Current Version -- 4.73
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
License -- F/OSS
The Good: Snoop (Network Sniffer for Solaris)
Similar to TCPDump, Snoop listens for all traffic on a specific interface. Available in Solaris since version 8.
www.sun.com/software/solaris
License -- Solaris Software License
The Good: DIG (DNS Query Tool)
A handy DNS query tool that comes free with BIND. Available in BIND since version 8.3.
www.isc.org
License -- F/OSS
The Good: EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color coded.
Current Version -- 0.9.1
http://etherape.sourceforge.net
License -- GPL
The Good: Ethereal
Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.
Current Version -- 0.10.7
http://ethereal.com
License -- GPL
The Good: Fping
Parallel ICMP scanner. Can ping multiple hosts from the command line or from a text file. Great for scripting.
Current Version -- 2.4 Beta 2
http://www.fping.com
License -- F/OSS
The Good: LibNet
High-level network API. Allows an application programmer to construct and inject network packets.
Current Version -- 1.1.2-rc06
http://www.packetfactory.net/libnet
License -- F/OSS
The Good: Ntop
Web-based traffic probe. Users access a web page on an Ntop server to get graphical visualizations of network use and abuse.
Current Version -- 3.0
http://www.ntop.org
License -- GPL
The Good: PF
Packet filter originally included with OpenBSD, later ported to FreeBSD. Comes with FreeBSD 5.x and OpenBSD 3.x. Full IPv6 support, much like everything else in BSD.
http://www.freebsd.org/
http://www.openbsd.org
License -- BSD
The Good: SendIP
Command line tool for sending arbitrary IP packets. Command line options specify the content of every header of an NTP, BGP, RIP, RIPng, TCP, UDP, ICMP or raw IPv4 or IPv6 packet.
Current Version -- 2.5
www.earth.li/projectpurple/progs/sendip.html
License -- GPL
The Good: TCPDump/WinDump
Classic tool for network monitoring and data acquisition.
Current Versions -- 3.8.3 (TCPDump) or 3.8.3 Beta (WinDump)
www.tcpdump.org (*nix)
win6.jp/windump/index.html (Win32)
License -- BSD
The Good: IP6Sic
IPv6 stack integrity checker.
Current Version -- 0.1
http://cvs.sourceforge.net/viewcvs.py/ip6sic/ip6sic/
License -- BSD
The Bad: Cheops-NG
Graphical network monitoring and mapping suite.
Current Version -- 0.1.12
http://cheops-ng.sourceforge.net
License -- GPL
Status -- AF_INET (IPv4-only) socket calls are used throughout most of the source code. Last release 05/2003.
The Bad: Ettercap-NG
Suite for man-in-the-middle attacks on a LAN.
Current Version -- 0.7.1
http://ettercap.sourceforge.net
License -- GPL
Status -- Relies on ARP cache poisoning, which does not exist in IPv6. IPv6 support is planned long term according to the CVS notes.
The Bad: Firewalk
Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Current Version -- 5.0
http://www.packetfactory.net/projects/firewalk
License -- BSD
Status -- All libraries are currently IPv6 aware. Last update was 07/2003.
The Bad: DSniff
Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Current Version -- 2.4 Beta1
http://www.monkey.org/~dugsong/dsniff/
License -- BSD
Status -- All libraries are currently IPv6 aware. Last update was 05/2002.
The Bad: TCPReplay
A tool to send network traffic stored in pcap format back onto the network.
Current Version -- 2.3.1
http://tcpreplay.sourceforge.net
License -- BSD
Status -- All libraries are currently IPv6 aware. Docs indicate IPv6 support is planned. Last release 09/2004.
The Bad: FPort
Foundstone's enhanced netstat.
Current Version -- 2.0
http://www.foundstone.com
License -- Freeware (no source code)
Status -- Not updated since 05/2001.
The Bad: FragRoute
Intercepts and rewrites egress traffic, implementing many intrusion detection evasion attacks.
Current Version -- 1.2
http://www.monkey.org/~dugsong/fragroute
License -- BSD
Status -- Full library support. Last release 04/2002.
The Bad: GFI LANguard
Scans networks and reports information such as service pack level, missing security patches, open shares, open ports, registry entries, weak passwords, users and groups, etc.
Current Version -- 5.0
http://www.gfi.com
License -- Commercial
Status -- Scans Win32 protocols (e.g. NetBIOS over TCP), which are currently only available over IPv4.
The Bad: Hunt
An advanced packet sniffing and connection intrusion tool for Linux.
Current Version -- 1.5
http://lin.fsid.cvut.cz/~kra
License -- GPL
Status -- Last update 05/2000. Developed on a Linux 2.2.x kernel.
The Bad: IPTraf
IP network monitoring software based on ncurses.
Current Version -- 2.7.0
http://cebu.mozcom.com/riker/iptraf/
License -- GPL
Status -- Last update 05/2002. No support for IPv6; only raw sockets and IPv4.
The Bad: ISS Internet Scanner
Application-level vulnerability assessment scanner.
Current Version -- 7.0 SP1
http://www.iss.net/products
License -- Commercial
Status -- No IPv6 capabilities.
The Bad: NBTScan
NetBIOS network name information scanner.
Current Version -- 1.5.1
http://www.inetcat.org/software/nbtscan.html
License -- GPL
Status -- NetBIOS over TCP/IPv6 is currently not supported in Microsoft OSes. Last updated 06/2003.
The Bad: NGrep
Network grep strives to provide most of GNU grep's features at the network layer.
Current Version -- 1.4.2
http://ngrep.sourceforge.net/
License -- F/OSS
Status -- IPv6 support planned in future versions (from CVS notes).
The Bad: Nessus
The premier open source vulnerability assessment tool.
Current Version -- 2.2
http://www.nessus.org
License -- GPL
Status -- The developer had mentioned the possibility of limited IPv6 support in the 2.2 release. The latest CVS as of 11/07/04 does not support IPv6.
The Bad: Paketto Keiretsu
A tool for stretching TCP/IP networks and protocols beyond what they were intended for.
Current Version -- 2.00pre3
http://www.doxpara.com
License -- GPL
Status -- Because of the packet manipulation at a raw level and the header differences between v4 and v6, porting to IPv6 would take almost an entire rewrite.
The Bad: Retina
A flexible vulnerability scanner, similar to Nessus and ISS Internet Scanner.
Current Version -- 5.0.17
http://www.eeye.com
License -- Commercial
Status -- No IPv6 support from the provider (eEye).
The Bad: SAINT (Security Auditor's Integrated Network Tool)
A tool much like Nessus or eEye Retina, designed exclusively for UNIX.
Current Version -- 5.6.2
http://www.saintcorporation.com
License -- Commercial
Status -- No IPv6 support from the provider.
The Bad: SARA (Security Auditor's Research Assistant)
A security assessment tool derived from the infamous SATAN scanner.
Current Version -- 5.6.2
http://www-arc.com
License -- F/OSS
Status -- No IPv6 support from the provider.
The Bad: Shadow Security Scanner
A commercial vulnerability assessment tool.
Current Version -- 7.0.7
http://www.safety-lab.com/en/download.htm
License -- Commercial
Status -- No IPv6 support from the provider.
The Bad: SolarWinds Toolsets
A plethora of network discovery, monitoring and attack tools: dozens of special-purpose tools targeted at systems administrators.
Current Version -- multiple programs
http://www.solarwinds.net
License -- Commercial
Status -- No IPv6 support from the provider.
The Bad: SuperScan
A Windows-based TCP port scanner, pinger and hostname resolver. It can handle ping and port scans using specified ranges and connect to ports using specified helper apps.
Current Version -- 4.0
http://www.foundstone.com
License -- Freeware
Status -- No IPv6 support from the provider.
The Bad: TCPTraceRoute
A traceroute implementation using TCP packets.
Current Version -- 1.5 Beta 4
http://michael.toren.net/code/tcptraceroute/
License -- GPL
Status -- No IPv6 support from the provider, although the libraries it uses do support IPv6.
The Bad: THC Amap
Application fingerprinting tool written by The Hacker's Choice.
Current Version -- 4.7
http://www.thc.org
License -- GPL
Status -- No IPv6 support from the provider.
The Bad: Visual Route
Application that obtains traceroute and whois data and plots it on a world map.
Current Version -- 8.0f
http://www.visualware.com
License -- Commercial
Status -- No IPv6 support from the provider.
The Bad: Winfingerprint
Winfingerprint is a Win32 host/network enumeration scanner, capable of performing SMB, TCP, UDP, ICMP, RPC and SNMP scans.
Current Version -- 0.5.13
http://winfingerprint.sourceforge.net
License -- GPL
Status -- No IPv6 SMB support currently in any Microsoft OS.
The Bad: Xprobe 2
A tool for determining the OS of a remote host. It uses the same techniques as NMAP, as well as a few others, and emphasizes ICMP as the fingerprinting approach.
Current Version -- 0.2
http://www.sys-security.com/html/projects/x.html
License -- GPL
Status -- Will not recognize an IPv6 address.
The Bad: ZoneAlarm
Personal firewall software for Windows.
Current Version -- 5.1.033
http://www.zonelabs.com
License -- Freeware/Commercial
Status -- Asks to block an IPv6 query, then doesn't.
The Ugly: NMAP
Network MAPper is an open source utility for network exploration or security auditing. It uses raw IP packets in novel ways to determine what hosts are available on a given network.
Current Version -- 3.75
http://www.insecure.org
License -- GPL
Status -- The -6 option enables IPv6 support, but only for ping scan, TCP scan and TCP connect scan. An alternative (but older) patched version does other scan types; it requires NMAP 2.54Beta36 and the patches from http://nmap6.sourceforge.net. Does not do network (subnet) scanning, for obvious reasons: the IPv6 address space is far too large to sweep.
The Ugly: PuTTY
An excellent Windows-based SSH client. Can also be compiled for other platforms.
Current Version -- 0.56
http://www.chiark.greenend.org.uk/~sgtatham/putty/
License -- MIT
Status -- IPv6 is not enabled in the default compile. An IPv6-capable build is available from http://win6.jp/putty/index.html; win6.jp also has many other F/OSS Windows-based tools recompiled with IPv6 support.
The Ugly: Achilles
A Windows-based web attack proxy. Acts as a proxy/MITM during an HTTP session, intercepting requests before they go out to the HTTP server.
Current Version -- 0.27
http://www.mavensecurity.com/achilles
License -- Freeware
Status -- Achilles by itself does not support IPv6. Ways to reach IPv6 hosts: an SSH tunnel with port forwarding, an IPv6-enabled Squid proxy, or an IPv6-enabled Apache proxy.
The Ugly: Brutus
A brute force authentication cracker for Windows only. Uses dictionary and brute force attacks to break into systems. Supports FTP, SMB, Telnet, IMAP, NTP and others.
Current Version -- unknown; has not been updated since 2000
http://www.hoobie.net (currently down)
License -- Freeware
Status -- Brutus by itself does not support IPv6. Ways to reach IPv6 hosts: an SSH tunnel with port forwarding, an IPv6-enabled Squid proxy (with much configuration for non-HTTP protocols), or an IPv6-enabled Apache proxy (with much configuration for non-HTTP protocols).
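The Achilles and Brutus slides above (and the later "could be proxied or SSH tunnelled" notes) all rely on the same trick: the IPv4-only tool talks to a local IPv4 port, and something dual-stack carries the connection on to the IPv6 host. The following is an added illustration, not code from the presentation or from any of the tools it lists: a minimal Python TCP relay that does the job of `ssh -L` or a Squid forward, plus a loopback demonstration against a constructed IPv6-only echo service on [::1]. The bracketed `[addr]:port` target syntax, the example address `2001:db8::1` and the echo service are assumptions for the demo.

```python
import socket
import threading
from contextlib import suppress

def parse_target(target):
    """Split "host:port"; IPv6 literals are bracketed, e.g. "[2001:db8::1]:80"."""
    if target.startswith("["):
        host, _, port = target[1:].partition("]:")
        return host, int(port)
    host, _, port = target.rpartition(":")
    return host, int(port)

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the EOF on to the other side

def start_relay(target):
    """Listen on IPv4 loopback; relay each connection to the IPv6 target.
    Returns (listener, port): point the IPv4-only tool at 127.0.0.1:port."""
    thost, tport = parse_target(target)
    # AF_INET6 restricts resolution to IPv6 literals and AAAA records.
    addr = socket.getaddrinfo(thost, tport, socket.AF_INET6, socket.SOCK_STREAM)[0][4]
    lsock = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while lsock.fileno() >= 0:  # runs until the listener is closed
            with suppress(OSError):
                client, _ = lsock.accept()
                upstream = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
                upstream.connect(addr)
                for a, b in ((client, upstream), (upstream, client)):
                    threading.Thread(target=_pump, args=(a, b), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]

def relay_roundtrip(payload):
    """Demo (constructed): an IPv6-only echo service on [::1] reached by an
    IPv4-only client through the relay. Returns the echoed bytes, or None
    when this host has no IPv6 loopback."""
    try:
        echo = socket.create_server(("::1", 0), family=socket.AF_INET6)
    except OSError:
        return None
    def serve_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(4096))
    threading.Thread(target=serve_once, daemon=True).start()
    lsock, port = start_relay("[::1]:%d" % echo.getsockname()[1])
    with socket.create_connection(("127.0.0.1", port), timeout=5) as legacy:
        legacy.sendall(payload)
        legacy.shutdown(socket.SHUT_WR)
        got = b"".join(iter(lambda: legacy.recv(4096), b""))
    lsock.close(); echo.close()
    return got
```

Only the address family of the outbound leg changes; the legacy tool never sees an IPv6 address, which is exactly why host-based access controls and logs on the IPv6 side show the relay host rather than the tool.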
The Ugly: Cain & Abel
A free password recovery tool for Windows. Allows easy recovery of passwords by network sniffing, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Current Version -- 2.5 Beta 62
http://www.oxid.it
License -- Freeware
Status -- Local password cracking works fine. No IPv6 support otherwise.
The Ugly: GPG
A GNU tool for encrypting and decrypting files and communications, based on Phil Zimmermann's PGP standard.
Current Version -- 1.2.6
http://www.gnupg.org
License -- GPL
Status -- Patches are available for IPv6.
The Ugly: HoneyD
A small daemon that creates virtual hosts on a network, running arbitrary services. Its TCP signatures can appear to be running different OSes and services.
Current Version -- 0.8b
http://www.honeyd.org/
License -- GPL
Status -- While HoneyD supports IPv6, no NIDS for *nix currently supports decoding IPv6 packets.
The Ugly: Hping2 (and Hping3)
Assembles and sends custom ICMP/UDP/TCP packets and displays any replies.
http://www.hping.org/
License -- GPL
Status -- Hping 2 and 3 do not support IPv6. Patches are available for a beta version of Hping 2.
The Ugly: Kismet
An 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. Kismet works with any wireless card that supports raw monitoring mode, and can sniff 802.11a/b/g traffic.
Current Version -- 2004-10-R1
http://www.kismetwireless.net
License -- GPL
Status -- While Kismet works mostly at layer 2, it also detects IP addresses, but not IPv6 ones.
The Ugly: NetCat
A simple utility that reads/writes data across network connections using TCP or UDP. AKA the hacker's Swiss Army knife.
Current Version -- 0.7.1
http://netcat.sourceforge.net/
License -- GPL
Status -- NetCat6 is available from http://www.deepspace6.net/projects/netcat6.html
The Ugly: NetFilter
The current Linux packet filter/firewall. The iptables userspace command is used for configuration. Supports packet filtering and NAT.
Current Version -- 1.2.11
http://www.netfilter.org
License -- GPL
Status -- ip6tables only supports stateless firewalling.
The Ugly: NetStumbler
A tool for Windows that allows you to detect wireless local area networks (WLANs) using 802.11a/b/g.
Current Version -- 0.4.0
http://www.netstumbler.com
License -- Freeware
Status -- Like Kismet, it works mainly at layer 2, but only detects IPv4 addresses.
The Ugly: Nikto
A web scanner that looks for 2000 potentially dangerous files/CGIs and problems on over 200 server types. Uses LibWhisker but is updated more often.
Current Version -- 1.3.4
http://www.cirt.net/code/nikto.shtml
License -- GPL
Status -- Also a web attack tool. Can easily be proxied or SSH tunnelled.
The Ugly: N-Stealth
A commercial web server scanner, generally updated more frequently than its free counterparts.
Current Version -- 1.3.4
http://www.nstalker.com/eng/
License -- Commercial
Status -- Also a web attack tool. Can easily be proxied or SSH tunnelled.
The Ugly: Sam Spade
GUI for many handy network tasks including nslookup, dig, whois, ping, traceroute, raw HTTP, DNS zone transfer, website searching and SMTP relay checks.
Current Version -- 1.14
http://www.samspade.org
License -- Freeware
Status -- Some of its tools are TCP based and could be tunnelled via SSH.
The Ugly: Snort
De facto standard F/OSS NIDS. Many commercial products are based on Snort.
Current Version -- 2.2.0
http://www.snort.org
License -- GPL
Status -- Does not have IPv6 capabilities in the default install. Mods were written for 2.0.1 but never merged into the main distribution (www.webservertalk.com/archive252-2004-4-205516.html). Offers were made by Ken Renard of Sun. Patches are available for older versions of Snort.
The Ugly: Spike Proxy
A web attack proxy. Acts as a proxy/MITM during an HTTP session, intercepting requests before they go out to the HTTP server.
Current Version -- 1.48
http://www.immunitysec.com/resources-freesoftware.shtml
License -- GPL
Status -- Another app that could be proxied or SSH tunnelled.
The Ugly: Stunnel
A general-purpose SSL cryptographic wrapper. Can be used to add crypto to commonly used daemons such as POP3 and IMAP.
Current Version -- 4.05
http://www.stunnel.org
License -- GPL
Status -- IPv6 support is coming soon from the developers; the Debian maintainer has coded a private IPv6 port. Could be proxied or SSH tunnelled.
The Ugly: TCP Wrappers
A classic IP-based access control and logging mechanism.
Current Version -- 7.6
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/
License -- F/OSS
Status -- Most default installs do not include IPv6 support.
The Ugly: THC-Hydra
Parallelized network authentication cracker for FTP, POP3, IMAP, NBT, Telnet, HTTP, LDAP, NTP, VNC, ICQ, SOCKS and more. Includes SSL support.
Current Version -- 4.4
http://www.thc.org/thc-hydra
License -- GPL
Status -- IPv6 enabled on Windows; all other builds could be SSH tunnelled.
The Ugly: Whisker/LibWhisker
CGI vulnerability scanner and library. Allows testing of HTTP servers for many known security holes. LibWhisker is a Perl library that allows custom scanner creation.
Current Version -- 2.1
http://www.wiretrip.net/rfp/lw.asp
License -- GPL
Status -- SSH tunnel or proxy capable.
Houston, we have a problem... So what does this mean?
If your organization is deploying IPv6 now, it is not going to be an easy task to assess your own network for security issues.
Black hats are ahead of the game in this arena, and DNS and ARIN records will help them find you.
There is hope.
Houston, we have a problem... What can be done?
It depends on the talents of your organization. Coding your own tools is a possibility.
For COTS without IPv6 support, lean on your vendors.
For F/OSS, either ask the project lead for IPv6 support or... donate to the project.
Wrapup -- Thank yous...
Google.com
The Debian Linux IPv6 Project
Fyodor and Insecure.org
Joe Klein of Honeywell
Valkyrie
NAv6TF and IPv6 Forum
The audience... :-)
The authors of any tools in the "Good" section