IPv6 Capable Security Assessment / Penetration Testing Tools

Gene Cronk – ISSAP, CISSP, NSA-IAM

North American IPv6 Forum

Systems Admin – The Robin Shepherd Group

IPv6 Attack Tools


Why should I know about this?

Understanding the weaknesses of your own network.

Realize there is a major lack of these tools.

What you can do about that lack of tools.

Making IPv4 only tools relatively functional with IPv6 only hosts.

Your attackers already do.

How This Presentation is Arranged

The Good – Tools that fully support IPv6 out of the box.

The Bad – Tools that do not support IPv6 natively.

The Ugly – Tools that either do not fully support IPv6 natively, or do not support IPv6 at all but can be made to do so via transition or proxy.

Most tools are from the top 75 listed at www.insecure.org.

The Good

Argus – The All Seeing

Argus is a system/network monitoring application.

Current Version -- 3.3

Available from: www.tcp4me.com/code/argus-archive/argus-3.3.tgz

It will monitor nearly anything you ask it to monitor, including TCP/UDP applications, IP connectivity, SNMP, and databases.

The Good

Argus – The All Seeing

Presents a nice clean, easy to view web interface that will keep both the managers and techs happy.

Can send alerts numerous ways (such as via pager).

License – Perl Artistic License

Platforms --

The Good

LSOF – LiSt Open Files

This Unix-specific diagnostic and forensics tool lists information about any files that are open by processes currently running on the system.

Current Version – 4.73

Available from: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof

Can also list comms sockets by each process.

License – F/OSS

Platforms --

The Good

Snoop – Network Sniffer for Solaris

Similar to TCPDump, Snoop listens for all traffic on a specific interface.

Available in Solaris since 8.

Available from: www.sun.com/software/solaris

License – Solaris Software License

Platforms --

The Good

DIG – DNS Query Tool

A handy DNS query tool that comes free with BIND.

Available in BIND DNS since 8.3

Available from: www.isc.org

License – F/OSS

Platforms --

The Good

Etherape

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.

Current Version -- 0.9.1

Available from: http://etherape.sourceforge.net

License – GPL

Platforms --

The Good

Ethereal

Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

Current Version -- 0.10.7

Available from: http://ethereal.com

License – GPL

Platforms --

The Good

Fping

Parallel ICMP scanner.

Current version -- 2.4 Beta 2

Available from: http://www.fping.com

Can ping multiple hosts from command line or text file.

Great for scripting.

License – F/OSS

Platforms --

The Good

LibNet

High level network API.

Current Version -- 1.1.2-rc06

Available from: http://www.packetfactory.net/libnet

Allows an application programmer to construct and inject network packets.

License – F/OSS

Platforms --

The Good

Ntop

Web based traffic probe.

Current Version -- 3.0

Available from: http://www.ntop.org

Users access a web page of an NTOP server to get graphical visualizations of network use and abuse.

License – GPL

Platforms --

The Good

PF

Packet filter originally included with OpenBSD, ported to FreeBSD.

Comes with FreeBSD 5.xx and OpenBSD 3.xx

Available from: http://www.freebsd.org / http://www.openbsd.org

Full IPv6 support, much like everything else BSD.

License – BSD

Platforms --

The Good

SendIP

Command line tool for sending arbitrary IP packets.

Current Version -- 2.5

Available from: www.earth.li/projectpurple/progs/sendip.html

Command line options to specify the content of every header of NTP, BGP, RIP, RIPng, TCP, UDP, ICMP or raw IPv4 and IPv6 packets.

License – GPL

Platforms --

The Good

TCPDump/WinDump

Classic tool for network monitoring and data acquisition.

Current Versions – 3.8.3 (TCP) or 3.8.3 Beta (Win)

Available from: www.tcpdump.org (*Nix), win6.jp/WinDump/index.html (Win32)

License – BSD

Platforms --

The Good

IP6Sic

IPv6 Stack integrity checker.

Current Version -- 0.1

Available from: http://cvs.sourceforge.net/viewcvs.py/ip6sic/ip6sic/

License – BSD

Platforms --

The Bad

Cheops-NG

Graphical Network Monitoring and Mapping Suite.

Current Version -- 0.1.12

Available from: http://cheops-ng.sourceforge.net

License – GPL

Platforms --

Status – AF_INET (IPv4 only calls) used in most of the source code. Last release 05/2003.

The Bad

Ettercap-NG

Suite for man in the middle attacks on a LAN.

Current Version -- 0.7.1

Available from: http://ettercap.sourceforge.net

License – GPL

Platforms --

Status – Relies on ARP cache poisoning. IPv6 support planned “long term” in CVS notes.

The Bad

Firewalk

Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Current Version -- 5.0

Available from: http://www.packetfactory.net/projects/firewalk

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Last update was 07/2003.

The Bad

DSniff

Active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Current Version – 2.4 Beta1

Available from: http://www.monkey.org/~dugsong/dsniff/

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Last update was 05/2002.

The Bad

TCPReplay

A tool to send network traffic stored in pcap format back onto the network.

Current Version – 2.3.1

Available from: http://tcpreplay.sourceforge.net

License – BSD

Platforms --

Status – All libraries are currently IPv6 aware. Docs indicate IPv6 support planned. Last release 09/2004.

The Bad

FPort

Foundstone's enhanced netstat.

Current Version – 2.0

Available from: http://www.foundstone.com

License – Freeware (no source code)

Platforms --

Status – Not updated since 05/2001.

The Bad

FragRoute

Intercepts and rewrites egress traffic, implementing many intrusion detection evasion attacks.

Current Version – 1.2

Available from: http://www.monkey.org/~dugsong/fragroute

License – BSD

Platforms --

Status – Full library support. Last release 04/2002.

The Bad

GFI LANguard

Scans networks and reports information such as service pack level, missing security patches, open shares, open ports, registry entries, weak passwords, users and groups, etc.

Current Version – 5.0

Available from: http://www.gfi.com

License – Commercial

Platforms --

Status – Scans Win32 protocols (e.g. NetBIOS over TCP) only available on IPv4 currently.

The Bad

Hunt

An advanced packet sniffing and connection intrusion tool for Linux.

Current Version – 1.5

Available from: http://lin.fsid.cvut.cz/~kra

License – GPL

Platforms --

Status – Last update 05/2000. Developed on a Linux 2.2.x Kernel.

The Bad

IPTraf

IP network monitoring software based on NCurses.

Current Version – 2.7.0

Available from: http://cebu.mozcom.com/riker/iptraf/

License – GPL

Platforms --

Status – Last update 05/2002. No support for IPv6, only for raw sockets and IPv4.

The Bad

ISS Internet Scanner

Application level vulnerability assessment scanner.

Current Version – 7.0 SP1

Available from: http://www.iss.net/products

License – Commercial

Platforms --

Status – No IPv6 capabilities.

The Bad

NBTScan

NetBIOS network name information scanner.

Current Version – 1.5.1

Available from: http://www.inetcat.org/software/nbtscan.html

License – GPL

Platforms --

Status – NetBIOS over TCPv6 currently not supported in Microsoft OSes. Last updated 06/2003.

The Bad

NGrep

Network Grep strives to provide most of GNU Grep's features over the network layer.

Current Version – 1.4.2

Available from: http://ngrep.sourceforge.net/

License – F/OSS

Platforms --

IPv6 support planned in future versions (from CVS notes).

The Bad

Nessus

The premier Open Source vulnerability assessment tool.

Current Version – 2.2

Available from: http://www.nessus.org

License – GPL

Platforms --

Status – Developer had mentioned a possibility of limited IPv6 support in the 2.2 release. Latest CVS as of 11/07/04 does not support IPv6.

The Bad

Paketto Keiretsu

A tool for stretching TCP/IP networks and protocols beyond what they were intended for.

Current Version – 2.00pre3

Available from: http://www.doxpara.com

License – GPL

Platforms --

Status – Because of the packet manipulation at a raw level and the header differences of v4 and v6, would take almost an entire rewrite to port to IPv6.

The Bad

Retina

A flexible vulnerability scanner, similar to Nessus and ISS Internet Scanner.

Current Version – 5.0.17

Available from: http://www.eeye.com

License – Commercial

Platforms --

Status – No IPv6 support from provider (eEye).

The Bad

SAINT

Security Auditor's Integrated Network Tool. A tool much like Nessus or eEye Retina designed exclusively for UNIX.

Current Version – 5.6.2

Available from: http://www.saintcorporation.com

License – Commercial

Platforms --

Status – No IPv6 support from provider.

The Bad

SARA

Security Auditor's Research Assistant. A security assessment tool derived from the infamous SATAN scanner.

Current Version – 5.6.2

Available from: http://www-arc.com

License – F/OSS

Platforms --

Status – No IPv6 support from provider.

The Bad

Shadow Security Scanner

A commercial vulnerability assessment tool.

Current Version – 7.0.7

Available from: http://www.safety-lab.com/en/download.htm

License – Commercial

Platforms --

Status – No IPv6 support from provider.

The Bad

Solar Winds Toolsets

A plethora of network discovery, monitoring and attack tools. Dozens of special purpose tools targeted at systems administrators.

Current Version – Multiple Programs

Available from: http://www.solarwinds.net

License – Commercial

Platforms --

Status – No IPv6 support from provider.

The Bad

SuperScan

A Windows based TCP port scanner, pinger and hostname resolver. It can handle ping and port scans using specified ranges and connect to ports using specified helper apps.

Current Version – 4.0

Available from: http://www.foundstone.com

License – Freeware

Platforms --

Status – No IPv6 support from provider.

The Bad

TCPTraceRoute

A traceroute implementation using TCP packets.

Current Version – 1.5 Beta 4

Available from: http://michael.toren.net/code/tcptraceroute/

License – GPL

Platforms --

Status – No IPv6 support from provider. Libraries do support IPv6.

The Bad

THC Amap

Application written by The Hacker's Choice for application fingerprinting.

Current Version – 4.7

Available from: http://www.thc.org

License – GPL

Platforms --

Status – No IPv6 support from provider.

The Bad

Visual Route

Application to obtain traceroute and whois data to be plotted on a world map.

Current Version – 8.0f

Available from: http://www.visualware.com

License – Commercial

Platforms --

Status – No IPv6 support from provider.

The Bad

Win FingerPrint

Winfingerprint is a Win32 Host/Network Enumeration Scanner. Winfingerprint is capable of performing SMB, TCP, UDP, ICMP, RPC, and SNMP scans.

Current Version – 0.5.13

Available from: http://winfingerprint.sourceforge.net

License – GPL

Platforms --

Status – No IPv6 SMB support currently in any Microsoft OS.

The Bad

Xprobe 2

A tool for determining the OS of a remote host. It uses the same techniques of NMAP as well as a few others. Emphasizes ICMP as the fingerprinting approach.

Current Version – 0.2

Available from: http://www.sys-security.com/html/projects/X.html

License – GPL

Platforms --

Status – Will not recognize an IPv6 address.

The Bad

Zone Alarm

Personal firewall software for Windows.

Current Version – 5.1.033

Available from: http://www.zonelabs.com

License – Freeware/Commercial

Platforms --

Status – Asks to block an IPv6 query, then doesn't.

The Ugly

NMAP

Network MAPper is an open source utility for network exploration or security auditing. It uses raw IP packets in novel ways to determine what hosts are available on a given network.

Current Version – 3.75

Available from: http://www.insecure.org

License – GPL

Platforms --

The Ugly

NMAP

Status -- “-6” option enables IPv6 support. Only supports ping scan, TCP scan and TCP connect scan.

An alternative (but older) patched version does other scan types. It requires NMAP 2.54Beta36 and patches from http://nmap6.sourceforge.net

Does not do network scanning (for obvious reasons).

The Ugly

PuTTY

An excellent Windows based SSH client. Can also be compiled for other platforms.

Current Version – 0.56

Available from: http://www.chiark.greenend.org.uk/~sgtatham/putty/

License – MIT

Platforms --

The Ugly

PuTTY

IPv6 not enabled in default compile.

IPv6 capable version available from: http://win6.jp/PuTTY/index.html

win6.jp also has many other F/OSS Windows based tools recompiled with IPv6 support.

The Ugly

Achilles

A web attack proxy based on Windows. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.

Current Version – 0.27

Available from: http://www.mavensecurity.com/achilles

License – Freeware

Platforms --

The Ugly

Achilles

Achilles by itself does not support IPv6.

SSH Tunnel with port forwarding.

IPv6 enabled Squid proxy.

IPv6 enabled Apache proxy.

The Ugly

Brutus

A brute force authentication cracker for Windows only. Uses dictionary and brute force attacks to break into systems. Supports FTP, SMB, Telnet, IMAP, NTP and others.

Current Version – ???

Available from: http://www.hoobie.net (currently down)

Has not been updated since 2000.

License – Freeware

Platforms --

The Ugly

Brutus

Brutus by itself does not support IPv6.

SSH Tunnel with port forwarding.

IPv6 enabled Squid proxy (with much configuration for non HTTP protocols).

IPv6 enabled Apache proxy (with much configuration for non HTTP protocols).

The Ugly

Cain & Abel

A free password recovery tool for Windows. Allows easy recovery of passwords by network sniffing, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Current Version – 2.5 Beta 62

Available from: http://www.oxid.it

License – Freeware

Platforms --

Local password cracking works fine. No IPv6 support otherwise.

The Ugly

GPG

A GNU tool for encrypting and decrypting files and communications, based on Phil Zimmermann's PGP standard.

Current Version – 1.2.6

Available from: http://www.gnupg.org

License – GPL

Platforms --

Patches available for IPv6.

The Ugly

HoneyD

A small daemon that creates virtual hosts on a network, running arbitrary services. TCP signatures can appear to be running different OSes and services.

Current Version – 0.8b

Available from: http://www.honeyd.org/

License – GPL

Platforms --

While HoneyD supports IPv6, no NIDS for *Nix currently supports decoding IPv6 packets.

The Ugly

HPing2(3)

Assembles and sends custom ICMP/UDP/TCP packets and displays any replies.

Current Version –

Available from: http://www.hping.org/

License – GPL

Platforms --

Hping 2 and 3 do not support IPv6. There are patches available for a beta version of Hping 2.

The Ugly

Kismet

An 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11 a/b/g traffic.

Current Version – 2004-10-R1

Available from: http://www.kismetwireless.net

License – GPL

Platforms --

While Kismet works mostly on layer 2, it also detects (non-IPv6) IP addresses.

Page 61: Ipv6 Attack Tools

The Ugly

NetCat

A simple utility which reads/writes data across network connections using TCP or UDP. AKA “The Hacker's Swiss Army Knife”.

Current Version – 0.7.1

Available from: http://netcat.sourceforge.net/

License – GPL

Platforms --

NetCat6 available from: http://www.deepspace6.net/projects/netcat6.html

Page 62: Ipv6 Attack Tools

The Ugly

NetFilter

The current Linux packet filter/firewall. Iptables userspace command is used for configuration. Supports packet filtering and NAT.

Current Version – 1.2.11

Available from: http://www.netfilter.org

License – GPL

Platforms --

Ip6tables only supports stateless firewalling.

Page 63: Ipv6 Attack Tools

The Ugly

NetStumbler

A tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11a/b/g.

Current Version – 0.4.0

Available from: http://www.netstumbler.com

License – Freeware

Platforms --

Like Kismet, is mainly layer 2, but only detects IPv4 addresses.

Page 64: Ipv6 Attack Tools

The Ugly

Nikto

A web scanner that looks for 2000 potentially dangerous files/CGIs and problems on over 200 servers. Uses LibWhisker but is updated more.

Current Version – 1.3.4

Available from: http://www.cirt.net/code/nikto.shtml

License – GPL

Platforms --

Also a web attack tool. Can easily be proxied or SSH tunnelled.

Page 65: Ipv6 Attack Tools

The Ugly

N-Stealth

A commercial web server scanner generally more frequently updated than its free counterparts.

Current Version – 1.3.4

Available from: http://www.nstalker.com/eng/

License – Commercial

Platforms --

Also a web attack tool. Can easily be proxied or SSH tunnelled.

Page 66: Ipv6 Attack Tools

The Ugly

Sam Spade

GUI for many handy network tasks including nslookup, dig, whois, ping, traceroute, raw HTTP, DNS zone transfer, website searching and SMTP relay checks.

Current Version – 1.14

Available from: http://www.samspade.org

License – Freeware

Platforms --

Some tools are TCP based and could be tunnelled via SSH.

Page 67: Ipv6 Attack Tools

The Ugly

Snort

De facto standard F/OSS NIDS. Many commercial products are based on Snort.

Current Version – 2.2.0

Available from: http://www.snort.org

License – GPL

Platforms --

Page 68: Ipv6 Attack Tools

The Ugly

Snort

Does not have IPv6 capabilities in default install.

Mods were written into 2.0.1 but never merged into the main distribution.

www.webservertalk.com/archive252-2004-4-205516.html

Offers were made from Ken Renard of Sun.

Patches are available for older versions of Snort.

Page 69: Ipv6 Attack Tools

The Ugly

Spike Proxy

A web attack proxy. Acts as a Proxy/MITM during an HTTP session, intercepting packets before they go out to an HTTP server.

Current Version – 1.48

Available from: http://www.immunitysec.com/resources-freesoftware.shtml

License – GPL

Platforms --

Another app that could be proxied or SSH tunnelled.

Page 70: Ipv6 Attack Tools

The Ugly

STunnel

A general purpose SSL cryptographic wrapper. Can be used to add crypto functionality to commonly used daemons like POP3 and IMAP.

Current Version – 4.05

Available from: http://www.stunnel.org

License – GPL

Platforms --

Page 71: Ipv6 Attack Tools

The Ugly

Stunnel

“IPv6 Support coming soon” from developers.

Debian maintainer has coded a private IPv6 port.

Could be proxied or SSH tunnelled.

Page 72: Ipv6 Attack Tools

The Ugly

TCP Wrappers

A classic IP based access control and logging mechanism.

Current Version – 7.6

Available from: ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/

License – F/OSS

Platforms --

Most default installs do not include IPv6 support.

Page 73: Ipv6 Attack Tools

The Ugly

THC-Hydra

Parallelized network authentication cracker for FTP, POP3, IMAP, NBT, Telnet, HTTP, LDAP, NTP, VNC, ICQ, SOCKS and more. Includes SSL support.

Current Version – 4.4

Available from: http://www.thc.org/thc-hydra

License – GPL

Platforms --

IPv6 enabled on Windows, all others could be SSH tunnelled.

Page 74: Ipv6 Attack Tools

The Ugly

Whisker/LibWhisker

CGI vulnerability scanner and library. Allows testing of HTTP servers for many known security holes. Libwhisker is a Perl library allowing custom scanner creation.

Current Version – 2.1

Available from: http://www.wiretrip.net/rfp/lw.asp

License – GPL

Platforms --

SSH Tunnel or proxy capable.

Page 75: Ipv6 Attack Tools

Houston, we have a problem...

So what does this mean?

If your organization is deploying IPv6 currently, it's not going to be an easy task to assess your own network for security issues.

Black hats are ahead of the game in this arena.

DNS and ARIN records will help them find you.

There is hope.

Page 76: Ipv6 Attack Tools

Houston, we have a problem...

What can be done?

It depends on the talents of your organization.

Coding your own tools is a possibility.

For COTS without IPv6 support, lean on your vendors.

For F/OSS either ask the project lead for IPv6 support or....

Donate to the project.

Page 77: Ipv6 Attack Tools

Wrapup

Thank yous...

Google.com

The Debian Linux IPv6 Project

Fyodor and Insecure.org

Joe Klein of Honeywell

Valkyrie

NAv6TF and IPv6 Forum

The audience....:-)

The authors of any tools in the "Good" section

Page 78: Ipv6 Attack Tools

Wrapup