IPv6 servers can be blown away more easily than IPv4 servers, for several reasons. There is an odd belief that IPv6 brute force does not exist. Existing IPv6 security tools and tutorials are limited in number. Worse, unlike IPv4, the rush to push IPv6 produced hundreds of ways to deploy it, and those can reopen challenges that were already solved for IPv4. Previously we supplied some example tools and commands for testing brute force vulnerability over IPv4. Here are some basic nmap and thc-ipv6 commands for planning IPv6 brute force prevention. We assume that the readers are not yet used to security-related terminology.
IPv6 Brute Force Prevention : Physically Separate the IPv4 and IPv6 Servers
It is probably better to use an IPv4-only physical system for the main server, or to fully close all open IPv6 for the main server at the router level. Then use another server as a reverse proxy to make the site reachable over IPv6, in the way we described in our earlier guide. So, in our case, the commands below are run on the second server, the one working as the reverse proxy.
Oddly, from the point of view of the IPv4-only server, the IPv6 reverse proxy is always “illegal”. If the IPv4 server is compromised, certificates and keys can be stolen and reused easily. The same reverse proxy setup can be pointed at any non-HTTPS website to serve its content under our own domain; all that is needed is one AAAA record in DNS. That is one basic way victims get caught: in effect our own setup looks like “phishing” of a website listed in HTTPS Everywhere with HSTS. That is the basic reason why we use Dyn DNS and additional DNS security such as DNSSEC and DANE. Someone planning to trap us in that way would need to use Dyn DNS and then compromise security at every level. The conclusion is clear: any good website should have a matching IPv6 path and use DNSSEC, DANE and the like.
---
If you are thinking of finding the careless HTTP-only websites with no DANE, no DNSSEC and free DNS: such services actually exist on the deep web to make money from them. You cannot use Google AdSense to inject adverts that way; Google has bots that detect such traffic as “bad traffic”.
Sucuri’s founder does not understand many of these things:
https://blog.sucuri.net/2016/09/ssh-brute-force-compromises-leading-to-ddos.html
By now it should be clear to the reader what goes on behind the scenes of “cloud based DDoS services”.
IPv6 deployments are still few. The huge number of IPv6 addresses introduces several changes to the threat scenario. With IPv4 it is entirely feasible for an attacker to scan the default port of some vulnerable service across all routable IPv4 addresses. Such untargeted attacks are not feasible with IPv6; attacks will have to be more targeted. What real black hats are planning we cannot guess. Banning individual IPv6 addresses might be sufficient to reduce noise in logs, but that is not a given. It is not unlikely that an attacker will use a new IP address from the range available to them for every connection. Password brute force attempts in particular are likely to use a large number of client IPv6 addresses. To be effective against attackers switching IPv6 address on each request, and to keep memory usage down, one has to block ranges, and since the prefix lengths are not known in advance, one has to adjust the prefix lengths dynamically.
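The range blocking with dynamically widening prefix lengths described above, as an added Python example (this is not code from the original post or from any named tool). It starts with per-address blocks after repeated failures and widens to the covering /64, then the covering /48, once several blocked entries share that wider prefix, discarding the narrower entries so memory stays bounded. The thresholds, the prefix steps 128/64/48 and the sample addresses (from the 2001:db8::/32 documentation prefix) are all constructed for the demonstration; a real deployment would feed this from the authentication log, expire blocks after some time, and use a radix tree instead of the linear scan in is_blocked.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: failed logins, each source address used three times, spread
# over three /64s of the same /48 (documentation prefix 2001:db8::/32).
SAMPLE_FAILURES = (
    ["2001:db8:1:2::10"] * 3 + ["2001:db8:1:2::11"] * 3 + ["2001:db8:1:2::12"] * 3
    + ["2001:db8:1:3::10"] * 3 + ["2001:db8:1:3::11"] * 3 + ["2001:db8:1:3::12"] * 3
    + ["2001:db8:1:4::10"] * 3 + ["2001:db8:1:4::11"] * 3 + ["2001:db8:1:4::12"] * 3
)


class IPv6PrefixBlocker:
    """Block IPv6 sources after repeated failures, widening the blocked prefix
    (/128 -> /64 -> /48) when several blocked entries share the wider prefix."""

    def __init__(self, max_failures=5, collapse_threshold=3, prefix_steps=(128, 64, 48)):
        self.max_failures = max_failures              # failures before a /128 block
        self.collapse_threshold = collapse_threshold  # blocked children needed to widen
        self.prefix_steps = prefix_steps              # assumed steps; widest prefix last
        self.failures = defaultdict(int)              # per-address failure counters
        self.blocked = set()                          # IPv6Network objects currently blocked

    def is_blocked(self, addr):
        ip = ipaddress.IPv6Address(addr)
        return any(ip in net for net in self.blocked)

    def record_failure(self, addr):
        """Count one failed attempt; return True if the source is (now) blocked."""
        ip = ipaddress.IPv6Address(addr)
        if self.is_blocked(addr):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            del self.failures[ip]
            self._block(ipaddress.IPv6Network((ip, 128)))
            return True
        return False

    def _block(self, net):
        # A wider block replaces every narrower block and counter it covers; this is
        # what keeps memory bounded against an attacker hopping through a whole range.
        self.blocked = {b for b in self.blocked if not b.subnet_of(net)}
        self.blocked.add(net)
        for ip in [i for i in self.failures if i in net]:
            del self.failures[ip]
        self._maybe_widen(net)

    def _maybe_widen(self, net):
        wider = [p for p in self.prefix_steps if p < net.prefixlen]
        if not wider:
            return  # already at the widest prefix we allow (/48 here)
        parent = net.supernet(new_prefix=max(wider))
        children = [b for b in self.blocked if b.subnet_of(parent)]
        if len(children) >= self.collapse_threshold:
            self._block(parent)  # recurses: a new /64 block may in turn widen to /48


def run_sample():
    """Feed the constructed failures through the blocker and return it for inspection."""
    blocker = IPv6PrefixBlocker(max_failures=3, collapse_threshold=3)
    for addr in SAMPLE_FAILURES:
        blocker.record_failure(addr)
    return blocker


if __name__ == "__main__":
    b = run_sample()
    print(sorted(str(n) for n in b.blocked))  # ['2001:db8:1::/48']
```

With the sample input, nine /128 blocks collapse into three /64 blocks and then into a single /48, so a later attempt from any other address in 2001:db8:1::/48 is rejected immediately while 2001:db8:2::/48 is untouched. The collapse threshold is the knob that trades collateral blocking of a shared /48 against resistance to address hopping; tune it to the prefix sizes your upstream actually hands to customers.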
IPv6 Brute Force Prevention : Basic nmap, thc-ipv6 Commands
As usual, the commands use our own domain and servers and are not intended to be copy-pasted and run against us. Readers must use their own domains and servers.
nmap
SSH to the reverse proxy server. Install nmap if it is not already installed:
yum install nmap
apt install nmap
The -6 option enables IPv6 scanning. The syntax is:
nmap -6 IPv6::Address::
# example host thecustomizewindows.com
nmap -6 thecustomizewindows.com
nmap -6 2a00:6d40:40:506e::1
nmap -v -A -6 2a00:6d40:40:506e::1
Example output:
nmap -6 thecustomizewindows.com
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-20 05:02 EST
Nmap scan report for thecustomizewindows.com (2a00:6d40:40:506e::1)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
It is quite obvious that you can run the other commands shown in our example tools & commands for testing brute force vulnerability for IPv4 by adding the -6 flag.
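Scanning your own reverse proxy is only useful if the result is compared against what the proxy is supposed to expose. The following is an added Python example (not code from the original post) that parses the plain text output of nmap -6 shown above and flags any open port that is not on the expected list; the sample input is the output block from this page's example, minus the command line, and the expected set {80/tcp, 443/tcp} is our assumption for a pure HTTP(S) reverse proxy. For scheduled runs, nmap's own machine-readable formats (-oG or -oX) are easier to parse than the normal output, but the normal output is what the page shows.

```python
import re

# Sample input: the "nmap -6 thecustomizewindows.com" output block from this page,
# without the command line itself.
SAMPLE_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-20 05:02 EST
Nmap scan report for thecustomizewindows.com (2a00:6d40:40:506e::1)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
"""

# Services a pure reverse proxy is expected to expose over IPv6 (our assumption).
EXPECTED_IPV6_SERVICES = {(80, "tcp"), (443, "tcp")}

# "Nmap scan report for <name> (<addr>)"; the parenthesised address is absent when
# nmap was given a literal address rather than a hostname.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?$")
# "<port>/<proto> <state> <service>" lines of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text):
    """Return {address: {"name": host, "open": {(port, proto): service}}} per scanned host."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            name, addr = m.group(1), m.group(2) or m.group(1)
            current = hosts.setdefault(addr, {"name": name, "open": {}})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if state == "open":
                current["open"][(int(port), proto)] = service
    return hosts


def unexpected_services(hosts, expected=EXPECTED_IPV6_SERVICES):
    """Map each address to the open ports that are not in the expected set."""
    findings = {}
    for addr, info in hosts.items():
        extra = {p: s for p, s in info["open"].items() if p not in expected}
        if extra:
            findings[addr] = extra
    return findings


if __name__ == "__main__":
    report = unexpected_services(parse_nmap_output(SAMPLE_OUTPUT))
    for addr, extra in report.items():
        for (port, proto), service in sorted(extra.items()):
            print(f"{addr}: {port}/{proto} ({service}) is open over IPv6 but not expected")
```

On the page's own output this reports 22/tcp (ssh) on 2a00:6d40:40:506e::1: SSH reachable over IPv6 on the proxy is exactly the surface the brute force discussion above is about, so either restrict it at the router or firewall to management sources, or add it to the expected set deliberately.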
thc-ipv6
THC stands for The Hacker’s Choice. THC-IPv6, according to their website, is a complete tool set to attack the inherent protocol weaknesses of IPv6 and ICMP6, and includes an easy-to-use packet factory library. There are other tools as well. It is a set of tools, not one tool. It is very powerful; do not run commands of the tools you have no idea about.
Install it:
apt install thc-ipv6
yum install thc-ipv6
The basic commands are documented here:
http://tools.kali.org/information-gathering/thc-ipv6
Example:
dnsdict6 thecustomizewindows.com
Output:
Starting DNS enumeration work on thecustomizewindows.com. ...
Starting enumerating thecustomizewindows.com. - creating 8 threads for 1419 words...
Estimated time to completion: 1 to 2 minutes
www.thecustomizewindows.com. => 2a00:6d40:40:506e::1
Found 1 domain name and 1 unique ipv6 address for thecustomizewindows.com.