IPv6 Capable Security Assessment / Penetration Testing Tools
Gene Cronk – ISSAP, CISSP, NSA-IAM
North American IPv6 Forum
Systems Admin – The Robin Shepherd Group
Why should I know about this?
Understanding the weaknesses of your own network.
Realize there is a major lack of these tools.
What you can do about that lack of tools.
Making IPv4 only tools relatively functional with IPv6 only hosts.
Your attackers already do.
How This Presentation is Arranged
The Good – Tools that fully support IPv6 out of the box.
The Bad – Tools that do not support IPv6 natively.
The Ugly – Tools that either do not fully support IPv6 natively, or do not support IPv6 at all but can be made to do so via transition or proxy.
Most tools are from the top 75 listed at www.insecure.org
The Good
Argus – The All Seeing
Argus is a system/network monitoring application.
Current Version -- 3.3
Available from: www.tcp4me.com/code/argus-archive/argus-3.3.tgz
It will monitor nearly anything you ask it to monitor, including TCP/UDP applications, IP connectivity, SNMP, and databases.
The Good
Argus – The All Seeing
Presents a nice clean, easy to view web interface that will keep both the managers and techs happy.
Can send alerts numerous ways (such as via pager).
License – Perl Artistic License
Platforms --
The Good
LSOF – LiSt Open Files
This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system.
Current Version – 4.73
Available from: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
Can also list comms sockets by each process.
License – F/OSS
Platforms --
The Good
Snoop – Network Sniffer for Solaris
Similar to TCPDump, Snoop listens for all traffic on a specific interface.
Available in Solaris since 8.
Available from: www.sun.com/software/solaris
License – Solaris Software License
Platforms --
The Good
DIG – DNS Query Tool
A handy DNS query tool that comes free with BIND.
Available in BIND DNS since 8.3
Available from: www.isc.org
License – F/OSS
Platforms --
The Good
Etherape
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
Current Version -- 0.9.1
Available from: http://etherape.sourceforge.net
License – GPL
Platforms --
The Good
Ethereal
Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.
Current Version -- 0.10.7
Available from: http://ethereal.com
License – GPL
Platforms --
The Good
Fping
Parallel ICMP scanner.
Current version -- 2.4 Beta 2
Available from: http://www.fping.com
Can ping multiple hosts from command line or text file.
Great for scripting.
License – F/OSS
Platforms --
The Good
LibNet
High level network API.
Current Version -- 1.1.2-rc06
Available from: http://www.packetfactory.net/libnet
Allows an application programmer to construct and inject network packets.
License – F/OSS
Platforms --
The Good
Ntop
Web based traffic probe.
Current Version -- 3.0
Available from: http://www.ntop.org
Users access a web page of an NTOP server to get graphical visualizations of network use and abuse.
License – GPL
Platforms --
The Good
PF
Packet filter originally included with OpenBSD, ported to FreeBSD.
Comes with FreeBSD 5.xx and OpenBSD 3.xx
Available from: http://www.freebsd.org / http://www.openbsd.org
Full IPv6 support, much like everything else BSD.
License – BSD
Platforms --
The Good
SendIP
Command line tool for sending arbitrary IP packets.
Current Version -- 2.5
Available from: www.earth.li/projectpurple/progs/sendip.html
Command line options to specify the content of every header of NTP, BGP, RIP, RIPng, TCP, UDP, ICMP or raw IPv4 and IPv6 packets.
License – GPL
Platforms --
The Good
TCPDump/WinDump
Classic tool for network monitoring and data acquisition.
Current Versions – 3.8.3 (TCP) or 3.8.3 Beta (Win)
Available from: www.tcpdump.org (*Nix), win6.jp/WinDump/index.html (Win32)
License – BSD
Platforms --
The Good
IP6Sic
IPv6 Stack integrity checker.
Current Version -- 0.1
Available from: http://cvs.sourceforge.net/viewcvs.py/ip6sic/ip6sic/
License – BSD
Platforms --
The Bad
Cheops-NG
Graphical Network Monitoring and Mapping Suite.
Current Version -- 0.1.12
Available from: http://cheops-ng.sourceforge.net
License – GPL
Platforms --
Status – AF_INET (IPv4 only calls) used in most of the source code. Last release 05/2003.
The Bad
Ettercap-NG
Suite for man in the middle attacks on a LAN.
Current Version -- 0.7.1
Available from: http://ettercap.sourceforge.net
License – GPL
Platforms --
Status – Relies on ARP cache poisoning. IPv6 support planned “long term” in CVS notes.
The Bad
Firewalk
Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Current Version -- 5.0
Available from: http://www.packetfactory.net/projects/firewalk
License – BSD
Platforms --
Status – All libraries are currently IPv6 aware. Last update was 07/2003.
The Bad
DSniff
Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Current Version – 2.4 Beta1
Available from: http://www.monkey.org/~dugsong/dsniff/
License – BSD
Platforms --
Status – All libraries are currently IPv6 aware. Last update was 05/2002.
The Bad
TCPReplay
A tool to send network traffic stored in pcap format back onto the network.
Current Version – 2.3.1
Available from: http://tcpreplay.sourceforge.net
License – BSD
Platforms --
Status – All libraries are currently IPv6 aware. Docs indicate IPv6 support planned. Last release 09/2004.
The Bad
FPort
Foundstone's enhanced netstat.
Current Version – 2.0
Available from: http://www.foundstone.com
License – Freeware (no source code)
Platforms --
Status – Not updated since 05/2001.
The Bad
FragRoute
Intercepts and rewrites egress traffic, implementing many intrusion detection evasion attacks.
Current Version – 1.2
Available from: http://www.monkey.org/~dugsong/fragroute
License – BSD
Platforms --
Status – Full library support. Last release 04/2002.
The Bad
GFI LANguard
Scans networks and reports information such as service pack level, missing security patches, open shares, open ports, registry entries, weak passwords, users and groups, etc.
Current Version – 5.0
Available from: http://www.gfi.com
License – Commercial
Platforms --
Status – Scans Win32 protocols (e.g. NetBIOS over TCP) only available on IPv4 currently.
The Bad
Hunt
An advanced packet sniffing and connection intrusion tool for Linux.
Current Version – 1.5
Available from: http://lin.fsid.cvut.cz/~kra
License – GPL
Platforms --
Status – Last update 05/2000. Developed on a Linux 2.2.x Kernel.
The Bad
IPTraf
IP network monitoring software based on NCurses.
Current Version – 2.7.0
Available from: http://cebu.mozcom.com/riker/iptraf/
License – GPL
Platforms --
Status – Last update 05/2002. No support for IPv6, only for raw sockets and IPv4.
The Bad
ISS Internet Scanner
Application level vulnerability assessment scanner.
Current Version – 7.0 SP1
Available from: http://www.iss.net/products
License – Commercial
Platforms --
Status – No IPv6 capabilities.
The Bad
NBTScan
NetBIOS network name information scanner.
Current Version – 1.5.1
Available from: http://www.inetcat.org/software/nbtscan.html
License – GPL
Platforms --
Status – NetBIOS over TCPv6 currently not supported in Microsoft OSes. Last updated 06/2003.
The Bad
NGrep
Network Grep strives to provide most of GNU Grep's features over the network layer.
Current Version – 1.4.2
Available from: http://ngrep.sourceforge.net/
License – F/OSS
Platforms --
IPv6 support planned in future versions (from CVS notes).
The Bad
Nessus
The premier Open Source vulnerability assessment tool.
Current Version – 2.2
Available from: http://www.nessus.org
License – GPL
Platforms --
Status – Developer had mentioned a possibility of limited IPv6 support in the 2.2 release. Latest CVS as of 11/07/04 does not support IPv6.
The Bad
Paketto Keiretsu
A tool for stretching TCP/IP networks and protocols beyond what they were intended for.
Current Version – 2.00pre3
Available from: http://www.doxpara.com
License – GPL
Platforms --
Status – Because of the packet manipulation at a raw level and the header differences of v4 and v6, would take almost an entire rewrite to port to IPv6.
The Bad
Retina
A flexible vulnerability scanner, similar to Nessus and ISS Internet Scanner.
Current Version – 5.0.17
Available from: http://www.eeye.com
License – Commercial
Platforms --
Status – No IPv6 support from provider (eEye).
The Bad
SAINT
Security Auditor's Integrated Network Tool. A tool much like Nessus or eEye Retina designed exclusively for UNIX.
Current Version – 5.6.2
Available from: http://www.saintcorporation.com
License – Commercial
Platforms --
Status – No IPv6 support from provider.
The Bad
SARA
Security Auditor's Research Assistant. A security assessment tool derived from the infamous SATAN scanner.
Current Version – 5.6.2
Available from: http://www-arc.com
License – F/OSS
Platforms --
Status – No IPv6 support from provider.
The Bad
Shadow Security Scanner
A commercial vulnerability assessment tool.
Current Version – 7.0.7
Available from: http://www.safety-lab.com/en/download.htm
License – Commercial
Platforms --
Status – No IPv6 support from provider.
The Bad
Solar Winds Toolsets
A plethora of network discovery, monitoring and attack tools. Dozens of special purpose tools targeted at systems administrators.
Current Version – Multiple Programs
Available from: http://www.solarwinds.net
License – Commercial
Platforms --
Status – No IPv6 support from provider.
The Bad
SuperScan
A Windows based TCP port scanner, pinger and hostname resolver. It can handle ping and port scans using specified ranges and connect to ports using specified helper apps.
Current Version – 4.0
Available from: http://www.foundstone.com
License – Freeware
Platforms --
Status – No IPv6 support from provider.
The Bad
TCPTraceRoute
A traceroute implementation using TCP packets.
Current Version – 1.5 Beta 4
Available from: http://michael.toren.net/code/tcptraceroute/
License – GPL
Platforms --
Status – No IPv6 support from provider. Libraries do support IPv6.
The Bad
THC Amap
Application written by The Hacker's Choice for application fingerprinting.
Current Version – 4.7
Available from: http://www.thc.org
License – GPL
Platforms --
Status – No IPv6 support from provider.
The Bad
Visual Route
Application to obtain traceroute and whois data to be plotted on a world map.
Current Version – 8.0f
Available from: http://www.visualware.com
License – Commercial
Platforms --
Status – No IPv6 support from provider.
The Bad
Win FingerPrint
Winfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.
Current Version – 0.5.13
Available from: http://winfingerprint.sourceforge.net
License – GPL
Platforms --
Status – No IPv6 SMB support currently in any Microsoft OS.
The Bad
Xprobe 2
A tool for determining the OS of a remote host. It uses the same techniques of NMAP as well as a few others. Emphasizes ICMP as the fingerprinting approach.
Current Version – 0.2
Available from: http://www.sys-security.com/html/projects/X.html
License – GPL
Platforms --
Status – Will not recognize an IPv6 address.
The Bad
Zone Alarm
Personal firewall software for Windows.
Current Version – 5.1.033
Available from: http://www.zonelabs.com
License – Freeware/Commercial
Platforms --
Status – Asks to block an IPv6 query, then doesn't.
The Ugly
NMAP
Network MAPper is an open source utility for network exploration or security auditing. It uses raw IP packets in novel ways to determine what hosts are available on a given network.
Current Version – 3.75
Available from: http://www.insecure.org
License – GPL
Platforms --
The Ugly
NMAP
Status -- “-6” option enables IPv6 support. Only supports ping scan, TCP scan and TCP connect scan.
An alternative (but older) patched version does other scan types. It requires NMAP 2.54Beta36 and patches from http://nmap6.sourceforge.net
Does not do network scanning (for obvious reasons).
The Ugly
PuTTY
An excellent Windows based SSH client. Can also be compiled for other platforms.
Current Version – 0.56
Available from: http://www.chiark.greenend.org.uk/~sgtatham/putty/
License – MIT
Platforms --
The Ugly
PuTTY
IPv6 not enabled in default compile.
IPv6 capable version available from: http://win6.jp/PuTTY/index.html
win6.jp also has many other F/OSS Windows based tools recompiled with IPv6 support.
The Ugly
Achilles
A web attack proxy based on Windows. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.
Current Version – 0.27
Available from: http://www.mavensecurity.com/achilles
License – Freeware
Platforms --
The Ugly
Achilles
Achilles by itself does not support IPv6.
SSH Tunnel with port forwarding.
IPv6 enabled Squid proxy.
IPv6 enabled Apache proxy.
The Ugly
Brutus
A brute force authentication cracker for Windows only. Uses dictionary and brute force attacks to break into systems. Supports FTP, SMB, Telnet, IMAP, NTP and others.
Current Version – ???
Available from: http://www.hoobie.net (currently down)
Has not been updated since 2000.
License – Freeware
Platforms --
The Ugly
Brutus
Brutus by itself does not support IPv6.
SSH Tunnel with port forwarding.
IPv6 enabled Squid proxy (with much configuration for non HTTP protocols).
IPv6 enabled Apache proxy (with much configuration for non HTTP protocols).
The Ugly
Cain & Abel
A free password recovery tool for Windows. Allows easy recovery of passwords by network sniffing, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Current Version – 2.5 Beta 62
Available from: http://www.oxid.it
License – Freeware
Platforms --
Local password cracking works fine. No IPv6 support otherwise.
The Ugly
GPG
A GNU tool for encrypting and decrypting files and communications, based on Phil Zimmermann's PGP standard.
Current Version – 1.2.6
Available from: http://www.gnupg.org
License – GPL
Platforms --
Patches available for IPv6.
The Ugly
HoneyD
A small daemon that creates virtual hosts on a network, running arbitrary services. TCP signatures can appear to be running different OSes and services.
Current Version – 0.8b
Available from: http://www.honeyd.org/
License – GPL
Platforms --
While HoneyD supports IPv6, no NIDS for *Nix currently supports decoding IPv6 packets.
The Ugly
HPing2(3)
Assembles and sends custom ICMP/UDP/TCP packets and displays any replies.
Current Version –
Available from: http://www.hping.org/
License – GPL
Platforms --
Hping 2 and 3 do not support IPv6. There are patches available for a beta version of Hping 2.
The Ugly
Kismet
An 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11 a/b/g traffic.
Current Version – 2004-10-R1
Available from: http://www.kismetwireless.net
License – GPL
Platforms --
While Kismet works on mostly layer 2, it also detects (non IPv6) IP addresses.
The Ugly
NetCat
A simple utility which reads/writes data across network connections using TCP or UDP. AKA “The Hacker's Swiss Army Knife”.
Current Version – 0.7.1
Available from: http://netcat.sourceforge.net/
License – GPL
Platforms --
NetCat6 available from: http://www.deepspace6.net/projects/netcat6.html
The Ugly
NetFilter
The current Linux packet filter/firewall. Iptables userspace command is used for configuration. Supports packet filtering and NAT.
Current Version – 1.2.11
Available from: http://www.netfilter.org
License – GPL
Platforms --
Ip6tables only supports stateless firewalling.
The Ugly
NetStumbler
A tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11a/b/g.
Current Version – 0.4.0
Available from: http://www.netstumbler.com
License – Freeware
Platforms --
Like Kismet, is mainly layer 2, but only detects IPv4 addresses.
The Ugly
Nikto
A web scanner that looks for 2000 potentially dangerous files/CGIs and problems on over 200 servers. Uses LibWhisker but is updated more.
Current Version – 1.3.4
Available from: http://www.cirt.net/code/nikto.shtml
License – GPL
Platforms --
Also a web attack tool. Can easily be proxied or SSH tunnelled.
The Ugly
N-Stealth
A commercial web server scanner generally more frequently updated than its free counterparts.
Current Version – 1.3.4
Available from: http://www.nstalker.com/eng/
License – Commercial
Platforms --
Also a web attack tool. Can easily be proxied or SSH tunnelled.
The Ugly
Sam Spade
GUI for many handy network tasks including nslookup, dig, whois, ping, traceroute, raw HTTP, DNS zone transfer, website searching and SMTP relay checks.
Current Version – 1.14
Available from: http://www.samspade.org
License – Freeware
Platforms --
Some tools are TCP based and could be tunnelled via SSH.
The Ugly
Snort
De facto standard F/OSS NIDS. Many commercial products are based on Snort.
Current Version – 2.2.0
Available from: http://www.snort.org
License – GPL
Platforms --
The Ugly
Snort
Does not have IPv6 capabilities in default install.
Mods were written into 2.0.1 but never merged into the main distribution.
www.webservertalk.com/archive252-2004-4-205516.html
Offers were made from Ken Renard of Sun.
Patches are available for older versions of Snort.
The Ugly
Spike Proxy
A web attack proxy. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.
Current Version – 1.48
Available from: http://www.immunitysec.com/resources-freesoftware.shtml
License – GPL
Platforms --
Another app that could be proxied or SSH tunnelled.
The Ugly
STunnel
A general purpose SSL cryptographic wrapper. Can be used to add crypto functionality to commonly used daemons like POP3 and IMAP.
Current Version – 4.05
Available from: http://www.stunnel.org
License – GPL
Platforms --
The Ugly
Stunnel
“IPv6 Support coming soon” from developers.
Debian maintainer has coded a private IPv6 port.
Could be proxied or SSH tunnelled.
The Ugly
TCP Wrappers
A classic IP based access control and logging mechanism.
Current Version – 7.6
Available from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/
License – F/OSS
Platforms --
Most default installs do not include IPv6 support.
The Ugly
THC-Hydra
Parallelized network authentication cracker for FTP, POP3, IMAP, NBT, Telnet, HTTP, LDAP, NTP, VNC, ICQ, SOCKS and more. Includes SSL support.
Current Version – 4.4
Available from: http://www.thc.org/thc-hydra
License – GPL
Platforms --
IPv6 enabled on Windows, all others could be SSH tunnelled.
The Ugly
Whisker/LibWhisker
CGI vulnerability scanner and library. Allows testing of HTTP servers for many known security holes. Libwhisker is a Perl library allowing custom scanner creation.
Current Version – 2.1
Available from: http://www.wiretrip.net/rfp/lw.asp
License – GPL
Platforms --
SSH Tunnel or proxy capable.
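The "can be proxied" workaround noted on the slides above, shown as an added example that is not part of the original presentation: a loopback relay that accepts connections from an IPv4-only tool and forwards them over IPv6 to a host on your own network. The function names, the 10-second connect timeout and the `family` parameter are assumptions made for this illustration.

```python
# Added example: IPv4-loopback to IPv6 TCP relay for assessing your own hosts.
import contextlib
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    with contextlib.suppress(OSError):
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, host, port, family):
    """Open the outbound leg in `family` and splice the two sockets together."""
    with client, contextlib.suppress(OSError):  # bad target: just drop the client
        # Forcing AF_INET6 is the point: the tool speaks IPv4 to the relay,
        # the relay speaks IPv6 to the host being assessed.
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        with socket.socket(family, socket.SOCK_STREAM) as upstream:
            upstream.settimeout(10)
            upstream.connect(addr)
            upstream.settimeout(None)
            back = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
            back.start()
            _pump(upstream, client)
            back.join()

def start_relay(host, port, listen_port=0, family=socket.AF_INET6):
    """Listen on IPv4 loopback only; return (listener, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))  # never expose the relay off-box
    srv.listen(16)
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=_handle, args=(client, host, port, family),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]
```

Call `start_relay("<IPv6 address of your host>", 80, listen_port=8080)` and point the IPv4-only tool at 127.0.0.1:8080; the host being assessed will log the relay's IPv6 source address, not the tool's.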
Houston, we have a problem...
So what does this mean?
If your organization is deploying IPv6 currently, it's not going to be an easy task to assess your own network for security issues.
Black hats are ahead of the game in this arena.
DNS and ARIN records will help them find you.
There is hope.
Houston, we have a problem...
What can be done?
It depends on the talents of your organization.
Coding your own tools is a possibility.
For COTS without IPv6 support, lean on your vendors.
For F/OSS either ask the project lead for IPv6 support or....
Donate to the project.
Wrapup
Thank yous...
Google.com
The Debian Linux IPv6 Project
Fyodor and Insecure.org
Joe Klein of Honeywell
Valkyrie
NAv6TF and IPv6 Forum
The audience....:-)
The authors of any tools in the "Good" section
Wrapup