Friday, June 8, 2012

IPv6 Security: Back to square one?

After playing with an IPv6 "Hello World!" and browsing over IPv6 a bit during the World IPv6 Launch, I noticed something while reading some of the IPv6 configuration guides available for Unix. Let me see... interface definition, tunnel creation, tunnel end-point address, DNS, etc. Everything seems in order, but something is missing: the firewall!
In the rush to bring up a new IPv6 connection, and after all those years behind a NAT, we did not pay attention to that essential element, and some machines end up plugged in wide open. NAT was never a firewall, but it did hide every listening service behind a single address; with IPv6 each host gets a globally routable address, so without a packet filter every open port is reachable from the whole Internet.
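Here is the piece those how-tos leave out, as an added example rather than anything from the original post: a default-deny ip6tables host policy that still lets IPv6 work. It assumes Linux with ip6tables-restore and the conntrack, hl and limit matches; the exposed port list (SSH only by default) and the DHCPv6 rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny ip6tables host
# policy for a freshly enabled IPv6 address. Assumes Linux with
# ip6tables-restore and the conntrack, hl and limit matches; the exposed
# port list and the DHCPv6 rule are assumptions for illustration.
set -eu

# gen_ip6_rules "PORTS": print a ruleset in ip6tables-restore format.
# ICMPv6 cannot simply be blocked the way ICMP often is on IPv4: Neighbour
# Discovery replaces ARP, and Packet Too Big carries path-MTU discovery.
gen_ip6_rules() {
    allowed_tcp="$1"    # space-separated TCP ports to expose, e.g. "22 443"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT' \
        '-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT' \
        '-A INPUT -p udp --dport 546 -s fe80::/10 -j ACCEPT'
    # Only the services you really mean to expose get a NEW-connection rule.
    for p in $allowed_tcp; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf '%s\n' 'COMMIT'
}

# Print the ruleset; apply it only when explicitly asked for and running as root.
if [ "${APPLY_IP6_RULES:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    gen_ip6_rules "${ALLOWED_TCP:-22}" | ip6tables-restore
else
    gen_ip6_rules "${ALLOWED_TCP:-22}"
fi
```

Router and Neighbour Discovery messages are only accepted with hop limit 255, which RFC 4861 requires and which a packet that crossed a router cannot have; the UDP 546 rule is only needed if the host gets its address via DHCPv6. After applying, check from outside with the same `nmap -6` used further down: only the ports you listed should show as open, everything else should show as filtered.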
Is it just a couple of poorly configured systems or an epidemic? Let's scan the network "old style". Sweeping the address space sequentially is not viable (2^128 addresses), so I took an IP list from this IPv6 database. From there I got 16839 unique IPv6 addresses. A good sample to test.
With nc, the IP list and a shell loop we have a low-cost port scanner:

# usage: sh scan.sh <port>; reads one IPv6 address per line from "list"
while read -r ip; do
    nc -6zv -w 1 "$ip" "$1"
done < "list"

Scan result, from 16839 scanned IPs:
6660 machines with TCP port 22 (SSH) open
53 machines with TCP port 5900 (VNC) open
181 machines with TCP port 3389 (Windows Remote Desktop) open
and the list goes on...
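The loop above probes one port at a time, and with a 1 s timeout over 16839 addresses that is hours per port. Here is an added example, not the post's own script, that runs the same nc probe over several ports in parallel and produces a per-port tally like the one above. It assumes a netcat that understands -6 -z -w (OpenBSD nc or ncat) and an xargs with -P (GNU or BSD); the file name "list" and the port set are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script: the same nc-based probe run
# over several ports in parallel, plus a tally of open hosts per port.
# Assumes nc with -6 -z -w and xargs with -P; "list" and the ports are assumptions.
set -u

# scan_list LISTFILE PORT...: emit "ip port open" for every successful TCP
# connect, probing 64 targets at a time. Only nc's exit status is used; its
# chatter differs between netcat flavours and is discarded.
scan_list() {
    list="$1"; shift
    for port in "$@"; do
        while read -r ip; do
            [ -n "$ip" ] && printf '%s %s\n' "$ip" "$port"
        done < "$list"
    done | xargs -P 64 -n 2 sh -c \
        'nc -6 -z -w 1 "$1" "$2" >/dev/null 2>&1 </dev/null && printf "%s %s open\n" "$1" "$2"' _
}

# tally_open RESULTS: count hosts per port from "ip port open" lines,
# printed as "port<TAB>count", ascending by port number.
tally_open() {
    awk '$3 == "open" { n[$2]++ }
         END { for (p in n) printf "%s\t%d\n", p, n[p] }' "$1" | sort -n
}

# usage: sh ipv6scan.sh list 22 3389 5900   (raw results kept in scan.out)
if [ $# -ge 2 ]; then
    scan_list "$@" > scan.out
    tally_open scan.out
fi
```

Keeping the raw "ip port open" lines means the per-host view (which addresses have several services exposed, the ones worth a full nmap run) is still available after the tally.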

I know, some of those machines have those ports open on purpose. But when you see nmap results like the ones below, you realise that these are computers with no IP filtering at all in front of them. And this is not good.

# nmap -6 2001:**:**:**::**
Starting Nmap 6.00 ( ) at 2012-06-08 00:48 CEST
Nmap scan report for ****.******.cr (2001:**:**:**::**)
Host is up (0.22s latency).
Not shown: 972 closed ports
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
88/tcp   open     kerberos-sec
143/tcp  open     imap
311/tcp  open     asip-webadmin
389/tcp  open     ldap
443/tcp  open     https
445/tcp  open     microsoft-ds
464/tcp  open     kpasswd5
548/tcp  open     afp
587/tcp  open     submission
625/tcp  open     apple-xsrvr-admin
636/tcp  open     ldapssl
749/tcp  open     kerberos-adm
993/tcp  open     imaps
2000/tcp open     cisco-sccp
5222/tcp open     xmpp-client
5269/tcp open     xmpp-server
5900/tcp open     vnc
8088/tcp open     radan-http
9999/tcp filtered abyss
Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds

# nmap -6 2607:**:**:**::**
Starting Nmap 6.00 ( ) at 2012-06-08 09:04 CEST
Nmap scan report for ****.******.com (2607:**:**:**::**)
Host is up (0.24s latency).
Not shown: 973 closed ports
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    open     smtp
26/tcp    open     rsftp
53/tcp    open     domain
79/tcp    open     finger
80/tcp    open     http
88/tcp    open     kerberos-sec
110/tcp   open     pop3
143/tcp   open     imap
389/tcp   open     ldap
443/tcp   open     https
515/tcp   open     printer
548/tcp   open     afp
631/tcp   open     ipp
636/tcp   open     ldapssl
993/tcp   open     imaps
995/tcp   open     pop3s
1025/tcp  open     NFS-or-IIS
5900/tcp  open     vnc
10001/tcp open     scp-config
Nmap done: 1 IP address (1 host up) scanned in 45.27 seconds

# nmap -6 2a02:**:**:**::**
Starting Nmap 6.00 ( ) at 2012-06-08 08:59 CEST
Nmap scan report for 2a02:**:**:**::**
Host is up (0.11s latency).
Not shown: 981 closed ports
80/tcp    open     http
135/tcp   open     msrpc
445/tcp   open     microsoft-ds
554/tcp   open     rtsp
1433/tcp  open     ms-sql-s
3389/tcp  open     ms-wbt-server
49152/tcp open     unknown
49153/tcp open     unknown
49154/tcp open     unknown
49155/tcp open     unknown
49156/tcp open     unknown
49157/tcp open     unknown
49158/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds