BackTrack4 Uses IPv6 to Cover Tracks

Security assessment toolkit uses Miredo as back-channel

This past week I was working on performing a security assessment and I was using the latest version of BackTrack 4. I noticed that it has Miredo support to help auditors establish a secret IPv6 back-channel to their exploited systems. This shows that the security community is recognizing how IPv6 can be used as a backdoor to owned systems.

Let's face it: IPv6 deployments haven't been as numerous as many of us would have hoped. Several years ago we were expecting that by the end of 2009 migration to IPv6 would be in full motion. However, the fact that IPv6 is still fairly obscure to most security administrators means that it can fly under the radar of most organizations. At the same time, IPv6 is starting to gain the attention of hackers as a means of creating a covert channel to compromised systems.

It is a fact that many organizations have a default outbound policy on their firewalls that allows virtually all outgoing connections. This means that the dynamic tunneling technique Teredo, which places IPv6 packets inside UDP packets to port 3544, would be allowed outbound by most companies. If a similar technique were to use TCP port 80 to create encapsulated IPv6 tunnels outbound, those would also be permitted to leave an organization. The organization's stateful firewalls would then allow the return traffic back to that internal host, and thus any protocol could be carried through the encapsulated IPv6 packets.

Let's imagine a malicious piece of software that finds vulnerable systems using IPv4. Unlike IPv6's sparse population of nodes, the dense population of IPv4 hosts makes them easy to find. Once those systems are exploited, the malicious code would leverage the fact that the host operating system was already running IPv6. Mac, Windows, Linux, BSD, Solaris, HP-UX, AIX, and many other operating systems have IPv6 enabled by default. Even though that organization hadn't enabled IPv6 on its access routers, the host would still be able to create an IPv6-within-IPv4 tunnel to somewhere on the Internet. That infected host could create a 6in4 tunnel to a command and control server on the Internet. This traffic wouldn't be picked up by most IPSs because most of them lack the ability to peer deeper into the packet contents, and fewer still know how to correctly decode an IPv6 header.
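Both encapsulations described above, Teredo (IPv6 inside UDP to port 3544) and 6in4 (IPv6 carried directly as IPv4 protocol 41), can be recognized by a sensor that looks past the outer IPv4 header instead of stopping at it. The following is an added example, not code from the article and not part of BackTrack or Miredo: a small Python decoder that unwraps both tunnel types from raw IPv4 packet bytes and reports the inner IPv6 endpoints, which is the check a defender would want an IPS or packet-capture script to perform. All packet bytes and addresses are constructed for the example (RFC 5737 / RFC 3849 documentation ranges); the optional Teredo authentication indication is not handled.

```python
"""Added example (not from the original article): detect IPv6 tunnelled
inside IPv4 as Teredo (UDP/3544) or 6in4 (IP protocol 41)."""
import ipaddress
import struct

TEREDO_PORT = 3544                                  # UDP port used by Teredo (RFC 4380)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # prefix of Teredo client addresses
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41                                   # 6in4: IPv6 carried directly in IPv4


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (pkt[9], ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:])


def parse_ipv6_header(data):
    """Return (src, dst, next_header) if data starts with a plausible IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    payload_len = struct.unpack("!H", data[4:6])[0]
    if payload_len > len(data) - 40:        # header claims more bytes than are present
        return None
    return (ipaddress.IPv6Address(data[8:24]),
            ipaddress.IPv6Address(data[24:40]), data[6])


def strip_teredo_indications(data):
    """Skip the optional 8-byte Teredo origin indication (starts with 0x0000).
    Authentication indications (0x0001) are variable length and not handled here."""
    if len(data) >= 8 and data[:2] == b"\x00\x00":
        return data[8:]
    return data


def classify(pkt):
    """Return a dict describing an IPv6-in-IPv4 tunnel found in pkt, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    result = {"outer": f"{src}->{dst}"}
    if proto == IPPROTO_IPV6:                       # 6in4: inner IPv6 follows immediately
        inner = parse_ipv6_header(payload)
        if inner is None:
            return None
        result["tunnel"] = "6in4"
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        inner = parse_ipv6_header(strip_teredo_indications(payload[8:]))
        if inner is None:                           # UDP/3544 but not carrying IPv6
            return None
        result["tunnel"] = "teredo"
        # A client address under 2001::/32 raises confidence that this really is Teredo.
        result["teredo_prefix"] = any(a in TEREDO_PREFIX for a in inner[:2])
    else:
        return None
    result["inner"] = f"{inner[0]}->{inner[1]}"
    result["inner_proto"] = inner[2]
    return result


# --- constructed sample packets (documentation addresses, dummy TCP header) ---
def build_ipv6(src, dst, next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


TCP_STUB = b"\x00" * 20       # placeholder TCP header, constructed
# Teredo client 10.1.2.3 via server 192.0.2.10; inner source is its Teredo address.
TEREDO_PKT = build_ipv4(IPPROTO_UDP, "10.1.2.3", "192.0.2.10",
                        build_udp(51234, TEREDO_PORT,
                                  build_ipv6("2001:0:c000:20a:0:37dd:f5fe:fdfc",
                                             "2001:db8::1", IPPROTO_TCP, TCP_STUB)))
SIXIN4_PKT = build_ipv4(IPPROTO_IPV6, "10.1.2.3", "198.51.100.7",
                        build_ipv6("2001:db8:1::1", "2001:db8:2::1", IPPROTO_TCP, TCP_STUB))
PLAIN_TCP_PKT = build_ipv4(IPPROTO_TCP, "10.1.2.3", "198.51.100.80", TCP_STUB)
JUNK_3544_PKT = build_ipv4(IPPROTO_UDP, "10.1.2.3", "192.0.2.10",
                           build_udp(51234, TEREDO_PORT, b"hello"))

if __name__ == "__main__":
    for name, pkt in [("teredo", TEREDO_PKT), ("6in4", SIXIN4_PKT),
                      ("plain tcp", PLAIN_TCP_PKT), ("junk on 3544", JUNK_3544_PKT)]:
        print(f"{name:12s} -> {classify(pkt)}")
```

The decoder accepts the raw IPv4 bytes a capture library would hand it, so it drops in behind any packet source; the length check in `parse_ipv6_header` is what keeps ordinary UDP traffic that merely happens to use port 3544 from being reported as a tunnel.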

BackTrack is a Linux Live CD operating system that has many pre-compiled/pre-installed utilities for performing security assessments. The most current version, BackTrack 4, was recently released to help penetration testers get up and going quickly. BackTrack4 now contains Miredo client/server software to maintain access to a system that was successfully compromised by other tools in the BackTrack toolkit. Miredo is an open-source implementation of the Microsoft Teredo IPv6 tunneling system. Following is a screen shot of BackTrack4 and the Miredo client.

[Screenshot: BackTrack4 running the Miredo client]

IPv6 will continue to grow in popularity and it will increasingly be used as a method to obscure connections until there are a greater number of tools to observe encapsulated packets. Hopefully the security defenders will start to take notice of IPv6 and the risks associated with having a default outbound policy.

Scott

Copyright © 2009 IDG Communications, Inc.
