
IPv6 Capable Security Assessment / Penetration Testing Tools

Gene Cronk, ISSAP, CISSP, NSA-IAM. North American IPv6 Forum. Systems Admin, The Robin Shepherd Group.

Why should I know about this?


Understanding the weaknesses of your own network.
Realizing there is a major lack of these tools.
What you can do about that lack of tools.
Making IPv4-only tools relatively functional against IPv6-only hosts.
Your attackers already do.

How This Presentation is Arranged


The Good: tools that fully support IPv6 out of the box.
The Bad: tools that do not support IPv6 natively.
The Ugly: tools that either do not fully support IPv6 natively, or do not support IPv6 at all but can be made to do so via a transition mechanism or a proxy.
Most tools are from the top 75 listed at www.insecure.org.

The Good
Argus (The All Seeing)
Argus is a system/network monitoring application. It will monitor nearly anything you ask it to monitor, including TCP/UDP applications, IP connectivity, SNMP, and databases. Presents a clean, easy-to-view web interface that will keep both the managers and the techs happy. Can send alerts numerous ways (such as via pager).
Current Version: 3.3
Available from: www.tcp4me.com/code/argus-archive/argus-3.3.tgz
License: Perl Artistic License

LSOF (LiSt Open Files)
This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. Can also list the communication sockets held by each process.
Current Version: 4.73
Available from: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
License: F/OSS

Snoop (Network Sniffer for Solaris)
Similar to tcpdump, snoop listens for all traffic on a specific interface. IPv6 capable since Solaris 8.
Available from: www.sun.com/software/solaris
License: Solaris Software License

DIG (DNS Query Tool)
A handy DNS query tool that comes free with BIND. Available in BIND since 8.3.
Available from: www.isc.org
License: F/OSS

EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are colour coded.
Current Version: 0.9.1
Available from: http://etherape.sourceforge.net
License: GPL

Ethereal
Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.
Current Version: 0.10.7
Available from: http://ethereal.com
License: GPL

Fping
Parallel ICMP scanner. Can ping multiple hosts given on the command line or in a text file. Great for scripting.
Current Version: 2.4 Beta 2
Available from: http://www.fping.com
License: F/OSS

LibNet
High-level network API. Allows an application programmer to construct and inject network packets.
Current Version: 1.1.2-rc06
Available from: http://www.packetfactory.net/libnet
License: F/OSS

Ntop
Web-based traffic probe. Users access a web page served by the ntop host to get graphical visualizations of network use and abuse.
Current Version: 3.0
Available from: http://www.ntop.org
License: GPL

PF
Packet filter originally included with OpenBSD, later ported to FreeBSD. Comes with FreeBSD 5.x and OpenBSD 3.x. Full IPv6 support, like everything else in BSD.
Available from: http://www.freebsd.org and http://www.openbsd.org
License: BSD

SendIP
Command line tool for sending arbitrary IP packets. Command line options specify the content of every header of NTP, BGP, RIP, RIPng, TCP, UDP, ICMP or raw IPv4 and IPv6 packets.
Current Version: 2.5
Available from: www.earth.li/projectpurple/progs/sendip.html
License: GPL
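As an added worked example (not code from this presentation, nor from SendIP or libnet), the following Python builds an IPv6 packet by hand. It exists to show the one detail that every IPv4-era packet crafter gets wrong when ported: the ICMPv6 checksum covers an IPv6 pseudo-header (source, destination, upper-layer length, next header), so code that carries its ICMPv4 checksum routine over produces packets the target stack silently drops. The addresses are constructed from the 2001:db8::/32 documentation prefix; nothing is injected, since that needs a raw socket and root, which is the part SendIP and libnet do for you.

```python
import socket
import struct

IPPROTO_ICMPV6 = 58            # IPv6 next-header value for ICMPv6
ICMPV6_ECHO_REQUEST = 128


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd length with one zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, upper_layer: bytes) -> int:
    """ICMPv6 checksum. Unlike ICMPv4 it also covers an IPv6 pseudo-header
    (RFC 2460 section 8.1): src, dst, upper-layer length, three zero bytes,
    next header. Returns 0 when run over a packet whose checksum field is
    already filled in and correct, which is how a receiver verifies it."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", len(upper_layer))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    return 0xFFFF ^ ones_complement_sum(pseudo + upper_layer)


def build_echo_request(src: str, dst: str, ident: int = 0, seq: int = 0,
                       data: bytes = b"", hop_limit: int = 64) -> bytes:
    """Return a complete IPv6 header + ICMPv6 echo request as raw bytes."""
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + data
    csum = icmpv6_checksum(src, dst, icmp)     # computed with the field zeroed
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    # Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0,
    # payload length, next header, hop limit, then source and destination.
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ip6 += socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
    return ip6 + icmp


def parse_ipv6(packet: bytes):
    """Decode the fixed header and verify the ICMPv6 checksum.
    Returns (src, dst, next_header, payload, checksum_ok)."""
    ver_tc_fl, plen, nh, _hop = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = socket.inet_ntop(socket.AF_INET6, packet[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, packet[24:40])
    payload = packet[40:40 + plen]
    ok = nh == IPPROTO_ICMPV6 and icmpv6_checksum(src, dst, payload) == 0
    return src, dst, nh, payload, ok


def checksum_field(packet: bytes) -> int:
    """The checksum as it appears on the wire (bytes 2-3 of the ICMPv6 header)."""
    return struct.unpack("!H", packet[42:44])[0]


if __name__ == "__main__":
    # Constructed sample input using documentation-prefix addresses.
    pkt = build_echo_request("2001:db8::1", "2001:db8::2",
                             ident=0x1234, seq=1, data=b"ip6sic")
    print(len(pkt), "bytes, checksum 0x%04x, verifies:" % checksum_field(pkt),
          parse_ipv6(pkt)[4])
```

Because the pseudo-header is part of the sum, the same ICMPv6 body gets a different checksum when either address changes, and parse_ipv6 reports a mismatch if any byte of the packet is altered in flight; that is the check a stack, or Ethereal, performs on receipt.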

TCPDump/WinDump
Classic tool for network monitoring and data acquisition.
Current Versions: 3.8.3 (tcpdump) and 3.8.3 Beta (WinDump)
Available from: www.tcpdump.org (*nix) and win6.jp/WinDump/index.html (Win32)
License: BSD

IP6Sic
IPv6 stack integrity checker.
Current Version: 0.1
Available from: http://cvs.sourceforge.net/viewcvs.py/ip6sic/ip6sic/
License: BSD

The Bad
Cheops-NG
Graphical network monitoring and mapping suite.
Current Version: 0.1.12
Available from: http://cheops-ng.sourceforge.net
License: GPL
Status: AF_INET (IPv4-only) socket calls are used throughout most of the source code. Last release 05/2003.

Ettercap-NG
Suite for man-in-the-middle attacks on a LAN.
Current Version: 0.7.1
Available from: http://ettercap.sourceforge.net
License: GPL
Status: Relies on ARP cache poisoning, which is IPv4 only (IPv6 resolves neighbours with Neighbor Discovery instead). IPv6 support planned long term per the CVS notes.

Firewalk
Active reconnaissance tool that attempts to determine which layer 4 protocols a given IP forwarding device will pass.
Current Version: 5.0
Available from: http://www.packetfactory.net/projects/firewalk
License: BSD
Status: The libraries it is built on are IPv6 aware; the tool itself is not. Last update 07/2003.

DSniff
A collection of tools for network auditing and penetration testing: dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy passively monitor a network for interesting data (passwords, e-mail, files), while arpspoof, dnsspoof and macof intercept traffic normally unavailable to an attacker.
Current Version: 2.4 Beta1
Available from: http://www.monkey.org/~dugsong/dsniff/
License: BSD
Status: The libraries it is built on are IPv6 aware; the tools themselves are not. Last update 05/2002.

TCPReplay
A tool to send network traffic stored in pcap format back onto the network.
Current Version: 2.3.1
Available from: http://tcpreplay.sourceforge.net
License: BSD
Status: The libraries it is built on are IPv6 aware. Docs indicate IPv6 support is planned. Last release 09/2004.

FPort
Foundstone's enhanced netstat.
Current Version: 2.0
Available from: http://www.foundstone.com
License: Freeware (no source code)
Status: Not updated since 05/2001.

FragRoute
Intercepts and rewrites egress traffic, implementing many intrusion detection evasion attacks.
Current Version: 1.2
Available from: http://www.monkey.org/~dugsong/fragroute
License: BSD
Status: Full library support for IPv6; the tool itself has none. Last release 04/2002.

The Bad
GFI LANguard
Scans networks and reports information such as service pack level, missing security patches, open shares, open ports, registry entries, weak passwords, users and groups, etc.
Current Version: 5.0
Available from: http://www.gfi.com
License: Commercial
Status: Scans Win32 protocols (e.g. NetBIOS over TCP) that are currently only available over IPv4.

Hunt
An advanced packet sniffing and connection intrusion tool for Linux.
Current Version: 1.5
Available from: http://lin.fsid.cvut.cz/~kra
License: GPL
Status: Last update 05/2000. Developed on a Linux 2.2.x kernel.

IPTraf
IP network monitoring software based on ncurses.
Current Version: 2.7.0
Available from: http://cebu.mozcom.com/riker/iptraf/
License: GPL
Status: Last update 05/2002. No support for IPv6; raw sockets and IPv4 only.

ISS Internet Scanner
Application-level vulnerability assessment scanner.
Current Version: 7.0 SP1
Available from: http://www.iss.net/products
License: Commercial
Status: No IPv6 capabilities.

NBTScan
NetBIOS network name information scanner.
Current Version: 1.5.1
Available from: http://www.inetcat.org/software/nbtscan.html
License: GPL
Status: NetBIOS over TCP/IPv6 is currently not supported in Microsoft OSes, so there is nothing to scan. Last updated 06/2003.

NGrep
Network grep strives to provide most of GNU grep's features at the network layer.
Current Version: 1.4.2
Available from: http://ngrep.sourceforge.net/
License: F/OSS
Status: IPv6 support planned in future versions (from the CVS notes).

Nessus
The premier open source vulnerability assessment tool.
Current Version: 2.2
Available from: http://www.nessus.org
License: GPL
Status: The developer had mentioned a possibility of limited IPv6 support in the 2.2 release. Latest CVS as of 11/07/04 does not support IPv6.

Paketto Keiretsu
A tool for stretching TCP/IP networks and protocols beyond what they were intended for.
Current Version: 2.00pre3
Available from: http://www.doxpara.com
License: GPL
Status: Because it manipulates packets at a raw level, and the v4 and v6 headers differ, porting to IPv6 would take almost an entire rewrite.

Retina
A flexible vulnerability scanner, similar to Nessus and ISS Internet Scanner.
Current Version: 5.0.17
Available from: http://www.eeye.com
License: Commercial
Status: No IPv6 support from the provider (eEye).

SAINT (Security Auditor's Integrated Network Tool)
A tool much like Nessus or eEye Retina, designed exclusively for UNIX.
Current Version: 5.6.2
Available from: http://www.saintcorporation.com
License: Commercial
Status: No IPv6 support from the provider.

SARA (Security Auditor's Research Assistant)
A security assessment tool derived from the infamous SATAN scanner.
Current Version: 5.6.2
Available from: http://www-arc.com
License: F/OSS
Status: No IPv6 support from the provider.

Shadow Security Scanner
A commercial vulnerability assessment tool.
Current Version: 7.0.7
Available from: http://www.safety-lab.com/en/download.htm
License: Commercial
Status: No IPv6 support from the provider.

SolarWinds Toolsets
A plethora of network discovery, monitoring and attack tools: dozens of special-purpose tools targeted at systems administrators.
Current Version: multiple programs
Available from: http://www.solarwinds.net
License: Commercial
Status: No IPv6 support from the provider.

SuperScan
A Windows-based TCP port scanner, pinger and hostname resolver. It can handle ping and port scans over specified ranges and connect to ports using specified helper apps.
Current Version: 4.0
Available from: http://www.foundstone.com
License: Freeware
Status: No IPv6 support from the provider.

TCPTraceroute
A traceroute implementation using TCP packets.
Current Version: 1.5 Beta 4
Available from: http://michael.toren.net/code/tcptraceroute/
License: GPL
Status: No IPv6 support from the provider, although the libraries it uses do support IPv6.

THC Amap
Application fingerprinting tool written by The Hacker's Choice.
Current Version: 4.7
Available from: http://www.thc.org
License: GPL
Status: No IPv6 support from the provider.

Visual Route
Application that obtains traceroute and whois data and plots it on a world map.
Current Version: 8.0f
Available from: http://www.visualware.com
License: Commercial
Status: No IPv6 support from the provider.

Winfingerprint
A Win32 host/network enumeration scanner, capable of performing SMB, TCP, UDP, ICMP, RPC and SNMP scans.
Current Version: 0.5.13
Available from: http://winfingerprint.sourceforge.net
License: GPL
Status: No SMB over IPv6 in any Microsoft OS currently, so the SMB scans have nothing to talk to.

Xprobe 2
A tool for determining the OS of a remote host. It uses the same techniques as NMAP as well as a few others, with an emphasis on ICMP as the fingerprinting approach.
Current Version: 0.2
Available from: http://www.sys-security.com/html/projects/X.html
License: GPL
Status: Will not accept an IPv6 address as a target.

ZoneAlarm
Personal firewall software for Windows.
Current Version: 5.1.033
Available from: http://www.zonelabs.com
License: Freeware/Commercial
Status: Prompts to block an IPv6 connection, then lets it through anyway.

The Ugly
NMAP
Network MAPper is an open source utility for network exploration and security auditing. It uses raw IP packets in novel ways to determine what hosts are available on a given network.
Current Version: 3.75
Available from: http://www.insecure.org
License: GPL
Status: The -6 option enables IPv6 support, but only for ping scan and TCP connect scan; the raw-packet scan types are IPv4 only. An alternative (but older) patched version does other scan types: it requires NMAP 2.54Beta36 plus the patches from http://nmap6.sourceforge.net. Does not do network (range) scanning over IPv6, for the obvious reason that sweeping a 2^64-address subnet is impractical.

The Ugly
PuTTY
An excellent Windows-based SSH client. Can also be compiled for other platforms.
Current Version: 0.56
Available from: http://www.chiark.greenend.org.uk/~sgtatham/putty/
License: MIT
Status: IPv6 is not enabled in the default compile. An IPv6-capable build is available from http://win6.jp/PuTTY/index.html; win6.jp also has many other F/OSS Windows-based tools recompiled with IPv6 support.

The Ugly
Achilles
A Windows-based web attack proxy. Acts as a proxy/MITM during an HTTP session, intercepting requests before they go out to the HTTP server.
Current Version: 0.27
Available from: http://www.mavensecurity.com/achilles
License: Freeware
Status: Achilles by itself does not support IPv6. Workarounds:
SSH tunnel with port forwarding.
IPv6-enabled Squid proxy.
IPv6-enabled Apache proxy.

The Ugly
Brutus
A brute force authentication cracker for Windows only. Uses dictionary and brute force attacks to break into systems. Supports FTP, SMB, Telnet, IMAP, NTP and others. Has not been updated since 2000.
Current Version: ???
Available from: http://www.hoobie.net (currently down)
License: Freeware
Status: Brutus by itself does not support IPv6. Workarounds:
SSH tunnel with port forwarding.
IPv6-enabled Squid proxy (with much configuration for non-HTTP protocols).
IPv6-enabled Apache proxy (with much configuration for non-HTTP protocols).

The Ugly
Cain & Abel
A free password recovery tool for Windows. Allows easy recovery of passwords by network sniffing, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Current Version: 2.5 Beta 62
Available from: http://www.oxid.it
License: Freeware
Status: Local password cracking works fine. No IPv6 support otherwise.

The Ugly
GPG
A GNU tool for encrypting and decrypting files and communications, based on Phil Zimmermann's PGP standard.
Current Version: 1.2.6
Available from: http://www.gnupg.org
License: GPL
Status: Patches available for IPv6 support.

The Ugly
HoneyD
A small daemon that creates virtual hosts on a network, running arbitrary services. Its TCP signatures can make the virtual hosts appear to be running different OSes and services.
Current Version: 0.8b
Available from: http://www.honeyd.org/
License: GPL
Status: While HoneyD supports IPv6, no NIDS for *nix currently supports decoding IPv6 packets, so the attacks it attracts over IPv6 go unanalyzed.

The Ugly
Hping2 (and Hping3)
Assembles and sends custom ICMP/UDP/TCP packets and displays any replies.
Available from: http://www.hping.org/
License: GPL
Status: Hping 2 and 3 do not support IPv6. There are patches available for a beta version of Hping 2.

The Ugly
Kismet
An 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. Kismet will work with any wireless card that supports raw monitoring mode, and can sniff 802.11a/b/g traffic.
Current Version: 2004-10-R1
Available from: http://www.kismetwireless.net
License: GPL
Status: While Kismet works mostly at layer 2, the IP addresses it detects are IPv4 only.

The Ugly
NetCat
A simple utility that reads and writes data across network connections using TCP or UDP. AKA the hacker's Swiss Army knife.
Current Version: 0.7.1
Available from: http://netcat.sourceforge.net/
License: GPL
Status: An IPv6-capable rewrite, NetCat6, is available from http://www.deepspace6.net/projects/netcat6.html

The Ugly
NetFilter
The current Linux packet filter/firewall. The iptables userspace command is used for configuration. Supports packet filtering and NAT.
Current Version: 1.2.11
Available from: http://www.netfilter.org
License: GPL
Status: ip6tables only supports stateless firewalling (no connection tracking for IPv6).

The Ugly
NetStumbler
A tool for Windows that detects wireless local area networks (WLANs) using 802.11a/b/g.
Current Version: 0.4.0
Available from: http://www.netstumbler.com
License: Freeware
Status: Like Kismet, it is mainly layer 2, but it only detects IPv4 addresses.

The Ugly
Nikto
A web scanner that looks for 2000 potentially dangerous files/CGIs and problems on over 200 server types. Uses LibWhisker but is updated more often.
Current Version: 1.3.4
Available from: http://www.cirt.net/code/nikto.shtml
License: GPL
Status: Also a web attack tool. Can easily be proxied or SSH tunnelled.

The Ugly
N-Stealth
A commercial web server scanner, generally more frequently updated than its free counterparts.
Current Version: 1.3.4
Available from: http://www.nstalker.com/eng/
License: Commercial
Status: Also a web attack tool. Can easily be proxied or SSH tunnelled.

The Ugly
Sam Spade
GUI for many handy network tasks including nslookup, dig, whois, ping, traceroute, raw HTTP, DNS zone transfer, website searching and SMTP relay checks.
Current Version: 1.14
Available from: http://www.samspade.org
License: Freeware
Status: Some of its tools are TCP based and could be tunnelled via SSH.

The Ugly
Snort
De facto standard F/OSS NIDS. Many commercial products are based on Snort.
Current Version: 2.2.0
Available from: http://www.snort.org
License: GPL
Status: No IPv6 capabilities in the default install. IPv6 modifications were written against 2.0.1 but never merged into the main distribution (www.webservertalk.com/archive252-2004-4-205516.html). Ken Renard of Sun has offered IPv6 patches. Patches are available for older versions of Snort.

The Ugly
Spike Proxy
A web attack proxy. Acts as a proxy/MITM during an HTTP session, intercepting requests before they go out to the HTTP server.
Current Version: 1.48
Available from: http://www.immunitysec.com/resources-freesoftware.shtml
License: GPL
Status: Another app that could be proxied or SSH tunnelled.

The Ugly
Stunnel
A general-purpose SSL cryptographic wrapper. Can be used to add crypto to commonly used daemons such as POP3 and IMAP.
Current Version: 4.05
Available from: http://www.stunnel.org
License: GPL
Status: IPv6 support coming soon from the developers. The Debian maintainer has coded a private IPv6 port. Could be proxied or SSH tunnelled.

The Ugly
TCP Wrappers
A classic IP-based access control and logging mechanism.
Current Version: 7.6
Available from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/
License: F/OSS
Status: Most default installs do not include IPv6 support.

The Ugly
THC-Hydra
Parallelized network authentication cracker for FTP, POP3, IMAP, NBT, Telnet, HTTP, LDAP, NTP, VNC, ICQ, SOCKS and more. Includes SSL support.
Current Version: 4.4
Available from: http://www.thc.org/thc-hydra
License: GPL
Status: IPv6 enabled on Windows; on all other platforms it could be SSH tunnelled.

The Ugly
Whisker/LibWhisker
CGI vulnerability scanner and library. Allows testing of HTTP servers for many known security holes. LibWhisker is a Perl library for building custom scanners.
Current Version: 2.1
Available from: http://www.wiretrip.net/rfp/lw.asp
License: GPL
Status: SSH tunnel or proxy capable.
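The SSH-tunnel/proxy workaround that recurs through this section (Achilles, Brutus, Nikto, N-Stealth, Sam Spade, Spike Proxy, Stunnel, THC-Hydra, Whisker) comes down to one thing: a listener on an IPv4 loopback port whose far end is an IPv6 connection. What follows is an added example of that relay in Python, not code from this presentation or from any of the tools listed, written out so the mechanics are visible: the only IPv6-specific decision is letting getaddrinfo choose the address family, which is exactly what the AF_INET-only programs in the Bad section lack. It runs an echo service on ::1 as a constructed stand-in for the IPv6-only target (falling back to 127.0.0.1 on a host without IPv6, which leaves the relay code untouched) and drives it with a plain IPv4 client standing in for the IPv4-only tool. In practice ssh -L or an IPv6-enabled Squid listener does the same job.

```python
import contextlib
import socket
import threading


def resolve(host: str, port: int):
    """Let getaddrinfo pick the family: an IPv6 literal or AAAA-only name
    yields AF_INET6. Nothing here hard-codes AF_INET."""
    family, _type, _proto, _name, addr = socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM)[0]
    return family, addr


def listen(host: str, port: int = 0) -> socket.socket:
    """Bind a listening socket on host:port (port 0 = kernel-assigned)."""
    family, addr = resolve(host, port)
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(addr)
    sock.listen(5)
    return sock


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the half-close along."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


def serve_relay(front: socket.socket, target) -> None:
    """Accept clients on the IPv4 front socket and splice each onto a fresh
    connection to target=(host, port), in whatever family target resolves to."""
    while True:
        try:
            client, _ = front.accept()
        except OSError:
            return                       # front socket closed: shut down
        family, addr = resolve(*target)
        upstream = socket.socket(family, socket.SOCK_STREAM)
        upstream.connect(addr)
        threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()


def serve_echo(lsock: socket.socket) -> None:
    """Constructed stand-in for the IPv6-only service: echoes until EOF."""
    def handle(conn):
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)
    while True:
        try:
            conn, _ = lsock.accept()
        except OSError:
            return
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


def pick_loopback() -> str:
    """Prefer ::1 so the target really is IPv6-only; fall back to 127.0.0.1
    on hosts without IPv6 so the demo still runs unchanged."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as probe:
            probe.bind(("::1", 0))
        return "::1"
    except OSError:
        return "127.0.0.1"


def relay_roundtrip(payload: bytes):
    """Send payload from a plain IPv4 client through the relay to the target.
    Returns (bytes echoed back, address family used on the upstream side)."""
    target = listen(pick_loopback())
    threading.Thread(target=serve_echo, args=(target,), daemon=True).start()
    thost, tport = target.getsockname()[:2]      # 4-tuple for IPv6, 2-tuple for IPv4

    front = listen("127.0.0.1")                  # what the IPv4-only tool connects to
    threading.Thread(target=serve_relay, args=(front, (thost, tport)), daemon=True).start()

    with socket.create_connection(front.getsockname()) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)          # the tool is done sending its request
        received = b"".join(iter(lambda: client.recv(4096), b""))
    front.close()
    target.close()
    return received, target.family


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\nHost: target\r\n\r\n"   # constructed sample request
    data, fam = relay_roundtrip(request)
    print("upstream family:", fam.name, "echoed intact:", data == request)
```

Two caveats carry over to the real tunnels: the tool only ever sees 127.0.0.1, so anything it records or reports (hostnames, "target" fields, Host headers) has to be set by hand, and protocols that embed addresses in the payload or open secondary connections (FTP data channels, SMB, anything needing raw packets) will not survive a plain TCP relay, which is why the Brutus and Hydra slides warn about non-HTTP protocols.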

Houston, we have a problem...

So what does this mean? If your organization is deploying IPv6 now, assessing your own network for security issues is not going to be easy. Black hats are ahead of the game in this arena, and DNS and ARIN records will help them find you. There is hope.

What can be done? It depends on the talents of your organization. Coding your own tools is a possibility. For COTS without IPv6 support, lean on your vendors. For F/OSS, either ask the project lead for IPv6 support or donate to the project.

Wrapup

Thank yous... Google.com The Debian Linux IPv6 Project Fyodor and Insecure.org Joe Klein of Honeywell Valkyrie NAv6TF and IPv6 Forum The audience....:-) The authors of any tools in the "Good" section
