(1)

IPv6 Capable Security Assessment / Penetration Testing Tools

Gene Cronk – ISSAP, CISSP, NSA-IAM

North American IPv6 Forum

Systems Admin – The Robin Shepherd Group

(2)

Why should I know about this?

Understanding the weaknesses of your own network.

Realize there is a major lack of these tools.

What you can do about that lack of tools.

Making IPv4 only tools relatively functional with IPv6 only hosts.

Your attackers already do.

(3)

How This Presentation is Arranged

The Good – Tools that fully support IPv6 out of the box.

The Bad – Tools that do not support IPv6 natively.

The Ugly – Tools that either do not fully support IPv6 natively, or do not support IPv6 at all but can be made to do so via transition or proxy.

Most tools are from the top 75 listed at www.insecure.org

(4)

The Good

Argus – The All Seeing

Argus is a system/network monitoring application.

Current Version -- 3.3

Available from: www.tcp4me.com/code/argus-archive/argus-3.3.tgz

It will monitor nearly anything you ask it to monitor, including TCP/UDP applications, IP connectivity, SNMP, and databases.

(5)

The Good

Argus – The All Seeing

Presents a nice clean, easy to view web interface that will keep both the managers and techs happy.

Can send alerts numerous ways (such as via pager).

License – Perl Artistic License

Platforms --

(6)

The Good

LSOF – LiSt Open Files

This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system.

Current Version – 4.73

Available from: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Can also list comms sockets by each process.

License – F/OSS

Platforms --

(7)

The Good

Snoop – Network Sniffer for Solaris

Similar to TCPDump, Snoop listens for all traffic on a specific interface.

Available in Solaris since 8.

Available from: www.sun.com/software/solaris

License – Solaris Software License

Platforms --

(8)

The Good

DIG – DNS Query Tool

A handy DNS query tool that comes free with BIND.

Available in BIND DNS since 8.3

Available from: www.isc.org

License – F/OSS

Platforms --

(9)

The Good

Etherape

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.

Current Version -- 0.9.1

Available from: http://etherape.sourceforge.net

License – GPL

Platforms --

(10)

The Good

Etherape

(11)

The Good

Ethereal

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

Current Version -- 0.10.7

Available from: http://ethereal.com

License – GPL

Platforms --

(12)

The Good

Ethereal

(13)

The Good

Fping

Parallel ICMP scanner.

Current version -- 2.4 Beta 2

Available from: http://www.fping.com

Can ping multiple hosts from command line or text file.

Great for scripting.

License – F/OSS

Platforms --

(14)

The Good

LibNet

High level network API.

Current Version -- 1.1.2-rc06

Available from: http://www.packetfactory.net/libnet

Allows an application programmer to construct and inject network packets.

License – F/OSS

Platforms --

(15)

The Good

Ntop

Web based traffic probe.

Current Version -- 3.0

Available from: http://www.ntop.org

Users access a web page of an NTOP server to get graphical visualizations of network use and abuse.

License – GPL

Platforms --

(16)

The Good

NTop

(17)

The Good

PF

Packet filter originally included with OpenBSD, ported to FreeBSD.

Comes with FreeBSD 5.xx and OpenBSD 3.xx

Available from: http://www.freebsd.org / http://www.openbsd.org

Full IPv6 support, much like everything else BSD.

License – BSD

Platforms --

(18)

The Good

SendIP

Command line tool for sending arbitrary IP packets.

Current Version -- 2.5

Available from: www.earth.li/projectpurple/progs/sendip.html

Command line options to specify the content of every header of a NTP, BGP, RIP, RIPng, TCP, UDP, ICMP or raw IPv4 and IPv6 packets.

License – GPL

Platforms --

(19)

The Good

TCPDump/WinDump

Classic tool for network monitoring and data acquisition.

Current Versions – 3.8.3 (TCP) or 3.8.3 Beta (Win)

Available from: www.tcpdump.org (*Nix), win6.jp/WinDump/index.html (Win32)

License – BSD

Platforms --

(20)

The Good

IP6Sic

IPv6 Stack integrity checker.

Current Version -- 0.1

Available from: http://cvs.sourceforge.net/viewcvs.py/ip6sic/ip6sic/

License – BSD

Platforms --

(21)

The Bad

Cheops-NG

Graphical Network Monitoring and Mapping Suite.

Current Version -- 0.1.12

Available from: http://cheops-ng.sourceforge.net

License – GPL

Platforms --

Status – AF_INET (IPv4 only calls) used in most of the source code. Last release 05/2003.

(22)

The Bad

Ettercap-NG

Suite for man in the middle attacks on a LAN.

Current Version -- 0.7.1

Available from: http://ettercap.sourceforge.net

License – GPL

Platforms --

Status – Relies on ARP cache poisoning. IPv6 support planned “long term” in CVS notes.

(23)

The Bad

Firewalk

Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Current Version -- 5.0

Available from: http://www.packetfactory.net/projects/firewalk

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Last update was 07/2003.

(24)

The Bad

DSniff

Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Current Version – 2.4 Beta1

Available from: http://www.monkey.org/~dugsong/dsniff/

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Last update was 05/2002.

(25)

The Bad

TCPReplay

A tool to send network traffic stored in pcap format back onto the network.

Current Version – 2.3.1

Available from: http://tcpreplay.sourceforge.net

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Docs indicate IPv6 support planned. Last release 09/2004.

(26)

The Bad

FPort

Foundstone's enhanced netstat.

Current Version – 2.0

Available from: http://www.foundstone.com

License – Freeware (no source code)

Platforms --

Status – Not updated since 05/2001.

(27)

The Bad

FragRoute

Intercepts and rewrites egress traffic, implementing many intrusion detection evasion attacks.

Current Version – 1.2

Available from: http://www.monkey.org/~dugsong/fragroute

License – BSD

Platforms --

Status – Full library support. Last release 04/2002.

(28)

The Bad

GFI LANguard

Scans networks and reports information such as service pack level, missing security patches, open shares, open ports, registry entries, weak passwords, users and groups, etc.

Current Version – 5.0

Available from: http://www.gfi.com

License – Commercial

Platforms --

Status – Scans Win32 protocols (e.g. NetBIOS over TCP) only available on IPv4 currently.

(29)

The Bad

Hunt

An advanced packet sniffing and connection intrusion tool for Linux.

Current Version – 1.5

Available from: http://lin.fsid.cvut.cz/~kra

License – GPL

Platforms --

Status – Last update 05/2000. Developed on a Linux 2.2.x Kernel.

(30)

The Bad

IPTraf

IP network monitoring software based on NCurses.

Current Version – 2.7.0

Available from: http://cebu.mozcom.com/riker/iptraf/

License – GPL

Platforms --

Status – Last update 05/2002. No support for IPv6, only for raw sockets and IPv4.

(31)

The Bad

ISS Internet Scanner

Application level vulnerability assessment scanner.

Current Version – 7.0 SP1

Available from: http://www.iss.net/products

License – Commercial

Platforms --

Status – No IPv6 capabilities.

(32)

The Bad

NBTScan

NetBIOS network name information scanner.

Current Version – 1.5.1

Available from: http://www.inetcat.org/software/nbtscan.html

License – GPL

Platforms --

Status – NetBIOS over TCPv6 currently not supported in Microsoft OSes. Last updated 06/2003.

(33)

The Bad

NGrep

Network Grep strives to provide most of GNU grep's features over the network layer.

Current Version – 1.4.2

Available from: http://ngrep.sourceforge.net/

License – F/OSS

Platforms --

IPv6 support planned in future versions (from CVS notes).

(34)

The Bad

Nessus

The premier Open Source vulnerability assessment tool.

Current Version – 2.2

Available from: http://www.nessus.org

License – GPL

Platforms --

Status – Developer had mentioned a possibility of limited IPv6 support in the 2.2 release. Latest CVS as of 11/07/04 does not support IPv6.

(35)

The Bad

Paketto Keiretsu

A tool for stretching TCP/IP networks and protocols beyond what they were intended for.

Current Version – 2.00pre3

Available from: http://www.doxpara.com

License – GPL

Platforms --

Status – Because of the packet manipulation at a raw level and the header differences of v4 and v6, would take almost an entire rewrite to port to IPv6.

(36)

The Bad

Retina

A flexible vulnerability scanner, similar to Nessus and ISS Internet Scanner.

Current Version – 5.0.17

Available from: http://www.eeye.com

License – Commercial

Platforms --

Status – No IPv6 support from provider (eEye).

(37)

The Bad

SAINT

Security Auditor's Integrated Network Tool. A tool much like Nessus or eEye Retina designed exclusively for UNIX.

Current Version – 5.6.2

Available from: http://www.saintcorporation.com

License – Commercial

Platforms --

Status – No IPv6 support from provider.

(38)

The Bad

SARA

Security Auditor's Research Assistant. A security assessment tool derived from the infamous SATAN scanner.

Current Version – 5.6.2

Available from: http://www-arc.com

License – F/OSS

Platforms --

Status – No IPv6 support from provider.

(39)

The Bad

Shadow Security Scanner

A commercial vulnerability assessment tool.

Current Version – 7.0.7

Available from: http://www.safety-lab.com/en/download.htm

License – Commercial

Platforms --

Status – No IPv6 support from provider.

(40)

The Bad

Solar Winds Toolsets

A plethora of network discovery, monitoring and attack tools. Dozens of special purpose tools targeted at systems administrators.

Current Version – Multiple Programs

Available from: http://www.solarwinds.net

License – Commercial

Platforms --

Status – No IPv6 support from provider.

(41)

The Bad

SuperScan

A Windows based TCP port scanner, pinger and hostname resolver. It can handle ping and port scans using specified ranges and connect to ports using specified helper apps.

Current Version – 4.0

Available from: http://www.foundstone.com

License – Freeware

Platforms --

Status – No IPv6 support from provider.

(42)

The Bad

TCPTraceRoute

A traceroute implementation using TCP packets.

Current Version – 1.5 Beta 4

Available from: http://michael.toren.net/code/tcptraceroute/

License – GPL

Platforms --

Status – No IPv6 support from provider. Libraries do support IPv6.

(43)

The Bad

THC Amap

Application written by The Hacker's Choice for application fingerprinting.

Current Version – 4.7

Available from: http://www.thc.org

License – GPL

Platforms --

Status – No IPv6 support from provider.

(44)

The Bad

Visual Route

Application to obtain traceroute and whois data to be plotted on a world map.

Current Version – 8.0f

Available from: http://www.visualware.com

License – Commercial

Platforms --

Status – No IPv6 support from provider.

(45)

The Bad

Win FingerPrint

Winfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.

Current Version – 0.5.13

Available from: http://winfingerprint.sourceforge.net

License – GPL

Platforms --

Status – No IPv6 SMB support currently in any Microsoft OS.

(46)

The Bad

Xprobe 2

A tool for determining the OS of a remote host. It uses the same techniques of NMAP as well as a few others. Emphasizes ICMP as the fingerprinting approach.

Current Version – 0.2

Available from: http://www.sys-security.com/html/projects/X.html

License – GPL

Platforms --

Status – Will not recognize an IPv6 address.

(47)

The Bad

Zone Alarm

Personal firewall software for Windows.

Current Version – 5.1.033

Available from: http://www.zonelabs.com

License – Freeware/Commercial

Platforms --

Status – Asks to block an IPv6 query, then doesn't.

(48)

The Ugly

NMAP

Network MAPper is an open source utility for network exploration or security auditing. It uses raw IP packets in novel ways to determine what hosts are available on a given network.

Current Version – 3.75

Available from: http://www.insecure.org

License – GPL

Platforms --

(49)

The Ugly

NMAP

Status -- “-6” option enables IPv6 support. Only supports ping scan, TCP scan and TCP connect scan.

An alternative (but older) patched version does other scan types. It requires NMAP 2.54Beta36 and patches from http://nmap6.sourceforge.net

Does not do network scanning (for obvious reasons).

(50)

The Ugly

PuTTY

An excellent Windows based SSH client. Can also be compiled for other platforms.

Current Version – 0.56

Available from: http://www.chiark.greenend.org.uk/~sgtatham/putty/

License – MIT

Platforms --

(51)

The Ugly

PuTTY

IPv6 not enabled in default compile.

IPv6 capable version available from: http://win6.jp/PuTTY/index.html

win6.jp also has many other F/OSS Windows based tools recompiled with IPv6 support.

(52)

The Ugly

Achilles

A web attack proxy based on Windows. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.

Current Version – 0.27

Available from: http://www.mavensecurity.com/achilles

License – Freeware

Platforms --

(53)

The Ugly

Achilles

Achilles by itself does not support IPv6.

SSH Tunnel with port forwarding.

IPv6 enabled Squid proxy.

IPv6 enabled Apache proxy.

(54)

The Ugly

Brutus

A brute force authentication cracker for Windows only. Uses dictionary and brute force attacks to break into systems. Supports FTP, SMB, Telnet, IMAP, NTP and others.

Current Version – ???

Available from: http://www.hoobie.net (currently down)

Has not been updated since 2000.

License – Freeware

Platforms --

(55)

The Ugly

Brutus

Brutus by itself does not support IPv6.

SSH Tunnel with port forwarding.

IPv6 enabled Squid proxy (with much configuration for non HTTP protocols).

IPv6 enabled Apache proxy (with much configuration for non HTTP protocols).

(56)

The Ugly

Cain & Abel

A free password recovery tool for Windows. Allows easy recovery of passwords by network sniffing, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Current Version – 2.5 Beta 62

Available from: http://www.oxid.it

License – Freeware

Platforms --

Local password cracking works fine. No IPv6 support otherwise.

(57)

The Ugly

GPG

A GNU tool for encrypting and decrypting files and communications, based on Phil Zimmermann's PGP standard.

Current Version – 1.2.6

Available from: http://www.gnupg.org

License – GPL

Platforms --

Patches available for IPv6.

(58)

The Ugly

HoneyD

A small daemon that creates virtual hosts on a network, running arbitrary services. TCP signatures can appear to be running different OSes and services.

Current Version – 0.8b

Available from: http://www.honeyd.org/

License – GPL

Platforms --

While HoneyD supports IPv6, no NIDS for *Nix currently supports decoding IPv6 packets.

(59)

The Ugly

HPing2(3)

Assembles and sends custom ICMP/UDP/TCP packets and displays any replies.

Current Version –

Available from: http://www.hping.org/

License – GPL

Platforms --

Hping 2 and 3 do not support IPv6. There are patches available for a beta version of Hping 2.

(60)

The Ugly

Kismet

An 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11 a/b/g traffic.

Current Version – 2004-10-R1

Available from: http://www.kismetwireless.net

License – GPL

Platforms --

While Kismet works on mostly layer 2, it also detects (non IPv6) IP addresses.

(61)

The Ugly

NetCat

A simple utility which reads/writes data across network connections using TCP or UDP. AKA “The Hacker's Swiss Army Knife”.

Current Version – 0.7.1

Available from: http://netcat.sourceforge.net/

License – GPL

Platforms --

NetCat6 available from: http://www.deepspace6.net/projects/netcat6.html

(62)

The Ugly

NetFilter

The current Linux packet filter/firewall. Iptables userspace command is used for configuration. Supports packet filtering and NAT.

Current Version – 1.2.11

Available from: http://www.netfilter.org

License – GPL

Platforms --

Ip6tables only supports stateless firewalling.

(63)

The Ugly

NetStumbler

A tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11a/b/g.

Current Version – 0.4.0

Available from: http://www.netstumbler.com

License – Freeware

Platforms --

Like Kismet, is mainly layer 2, but only detects IPv4 addresses.

(64)

The Ugly

Nikto

A web scanner that looks for 2000 potentially dangerous files/CGIs and problems on over 200 servers. Uses LibWhisker but is updated more.

Current Version – 1.3.4
Available from: http://www.cirt.net/code/nikto.shtml
License – GPL
Platforms --

Also a web attack tool. Can easily be proxied or SSH tunnelled.

(65)

The Ugly

N-Stealth

A commercial web server scanner generally more frequently updated than its free counterparts.

Current Version – 1.3.4
Available from: http://www.nstalker.com/eng/
License – Commercial
Platforms --

Also a web attack tool. Can easily be proxied or SSH tunnelled.

(66)

The Ugly

Sam Spade

GUI for many handy network tasks including nslookup, dig, whois, ping, traceroute, raw HTTP, DNS zone transfer, website searching and SMTP relay checks.

Current Version – 1.14
Available from: http://www.samspade.org
License – Freeware
Platforms --

Some tools are TCP based and could be tunnelled via SSH.

(67)

The Ugly

Snort

De facto standard F/OSS NIDS. Many commercial products are based on Snort.

Current Version – 2.2.0
Available from: http://www.snort.org
License – GPL
Platforms --

(68)

The Ugly

Snort

Does not have IPv6 capabilities in default install.

Mods were written into 2.0.1 but never merged into the main distribution.

www.webservertalk.com/archive252-2004-4-205516.html

Offers were made from Ken Renard of Sun.

Patches are available for older versions of Snort.

(69)

The Ugly

Spike Proxy

A web attack proxy. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.

Current Version – 1.48
Available from: http://www.immunitysec.com/resources-freesoftware.shtml
License – GPL
Platforms --

Another app that could be proxied or SSH tunnelled.

(70)

The Ugly

STunnel

A general purpose SSL cryptographic wrapper. Can be used to add crypto functionality to commonly used daemons like POP3 and IMAP.

Current Version – 4.05
Available from: http://www.stunnel.org
License – GPL
Platforms --

(71)

The Ugly

Stunnel

“IPv6 Support coming soon” from developers.

Debian maintainer has coded a private IPv6 port.

Could be proxied or SSH tunnelled.

(72)

The Ugly

TCP Wrappers

A classic IP based access control and logging mechanism.

Current Version – 7.6
Available from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/
License – F/OSS
Platforms --

Most default installs do not include IPv6 support.

(73)

The Ugly

THC-Hydra

Parallelized network authentication cracker for FTP, POP3, IMAP, NBT, Telnet, HTTP, LDAP, NTP, VNC, ICQ, SOCKS and more. Includes SSL support.

Current Version – 4.4
Available from: http://www.thc.org/thc-hydra
License – GPL
Platforms --

IPv6 enabled on Windows, all others could be SSH tunnelled.

(74)

The Ugly

Whisker/LibWhisker

CGI vulnerability scanner and library. Allows testing of HTTP servers for many known security holes. Libwhisker is a Perl library allowing custom scanner creation.

Current Version – 2.1
Available from: http://www.wiretrip.net/rfp/lw.asp
License – GPL
Platforms --

SSH Tunnel or proxy capable.

(75)

Houston, we have a problem...

So what does this mean?

If your organization is deploying IPv6 currently, it's not going to be an easy task to assess your own network for security issues.

Black hats are ahead of the game in this arena.

DNS and ARIN records will help them find you.

There is hope.

(76)

Houston, we have a problem...

What can be done?

It depends on the talents of your organization.

Coding your own tools is a possibility.

For COTS without IPv6 support, lean on your vendors.

For F/OSS either ask the project lead for IPv6 support or....

Donate to the project.

(77)

Wrapup

Thank yous...

Google.com

The Debian Linux IPv6 Project

Fyodor and Insecure.org

Joe Klein of Honeywell

Valkyrie

NAv6TF and IPv6 Forum

The audience....:-)

The authors of any tools in the "Good" section

(78)

Wrapup

References
