IPv6 Network Reconnaissance

Table of Contents

Threats -1
Notices

Threats -1

Publicly Available Information
• Not very different from IPv4
• Web, Mail, DNS server IP addresses in DNS
• DNS Zone Transfers
• Server client access logs

Mitigation:
• Default deny rules for unauthorized traffic
• Consider privacy addressing
• Proper use of Site-Local/Unique-Local Addressing (it’s not NAT, but...)
• Split DNS and protection of private hostname/IPs

DEMO – IPv6 Network Recon

So now we start to get to some more fun. This is where it gets good. This is where we can have some fun.

So when we get to the first threats, we can look at publicly available information. In IPv4, what is it? It's phone numbers. It's network blocks. It's name server queries. It's no different from IPv4, what we're going to see in IPv6. Web, Mail, DNS servers. Right? Those are always going to be our targets. Right?

But DNS is going to be more of a target now, because of all those funky long names. And having such a big range to scan, if you're a bad guy, you can drastically decrease that, if you can get in there and actually see some of your IPs, and your hostnames.

Server client access logs become really important to protect. You might not care, from a web server perspective, who's accessing your website.
But now all of a sudden I can tell that Chris May, because he's got a unique MAC address that follows him wherever he goes-- whether he's in China, or whether he's in South America, or he's home in Cranberry-- what's going to happen is his MAC address, if he's using his EUI-64 address on his computer, is now registered in all those pornography websites, in their web logs; and whatever the case might be. Right? So now I have a way to say, "I know who this individual is because their MAC address was used." Right?

Now obviously as security professionals, we can argue whether or not that can be spoofed, or it's really me, or whatever the case might be. But that's a big problem right now with privacy, that people are concerned with, is that there's going to be law enforcement, or whoever it is, and people are going to know my surfing habits, my computer use habits, based off of this unique identifier that's tied to my machine.

Hence privacy extensions come into play. Hence more difficult to track anything that's going on, or set access controls, if you use privacy extensions. So we got some issues there.

Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
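
The EUI-64 exposure described in the transcript above (a MAC-derived interface identifier that stays the same across networks and ends up in server access logs) can be audited in your own logs. This is an added example, not part of the original course material; the log layout (client address as the first field), the function names, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample access-log lines (documentation prefixes only).
SAMPLE_LOG = """\
2001:db8:a:1:0211:22ff:fe33:4455 - - [01/Jan/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512
2001:db8:b:7:0211:22ff:fe33:4455 - - [02/Jan/2013:11:00:00 +0000] "GET /x HTTP/1.1" 200 128
2001:db8:a:1:5c1f:9a0e:77d2:41b6 - - [02/Jan/2013:12:00:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [02/Jan/2013:12:05:00 +0000] "GET / HTTP/1.1" 200 512
"""

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # not an IP address at all
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                  # low 64 bits = interface identifier
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    # A random (privacy) IID matches by chance only about 1 time in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def stable_ids(log_text):
    """Map each recovered MAC to the set of /64 prefixes it was logged from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]   # assumed: client address is field 1
        mac = eui64_mac(client)
        if mac:
            net = ipaddress.ip_network(client + "/64", strict=False)
            seen[mac].add(str(net))
    return dict(seen)

if __name__ == "__main__":
    # One MAC appearing under several prefixes is the trackable-device case;
    # the third sample client uses a randomized IID and is not reported.
    for mac, prefixes in stable_ids(SAMPLE_LOG).items():
        print(mac, "seen in", sorted(prefixes))
```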