<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML ><HEAD ><TITLE >IPv6 security auditing</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Linux IPv6 HOWTO (en)" HREF="index.html"><LINK REL="UP" TITLE="Security" HREF="chapter-security.html"><LINK REL="PREVIOUS" TITLE="Access limitations" HREF="x2317.html"><LINK REL="NEXT" TITLE="Encryption and Authentication" HREF="chapter-encryption-authentication.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Linux IPv6 HOWTO (en)</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="x2317.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 18. Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="chapter-encryption-authentication.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="IPV6-SECURITY-AUDITING" ></A >18.3. IPv6 security auditing</H1 ><P >Currently there are no convenient tools available that can check a system over the network for IPv6 security issues. Neither <A HREF="http://www.nessus.org/" TARGET="_top" >Nessus</A > nor, as far as I know, any commercial security scanner is able to scan IPv6 addresses.</P ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2326" ></A >18.3.1. Legal issues</H2 ><P >ATTENTION: always make sure that you only scan your own systems, or systems for which you have received a written order; otherwise you may face legal issues. CHECK destination IPv6 addresses TWICE before starting a scan.</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2329" ></A >18.3.2. 
Security auditing using IPv6-enabled netcat</H2 ><P >With the IPv6-enabled netcat (see <A HREF="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing" TARGET="_top" >IPv6+Linux-status-apps/security-auditing</A > for more) you can run a port scan by wrapping a script around it that runs through a port range, grabs banners and so on. Usage example:</P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># nc6 ::1 daytime
13 JUL 2002 11:22:22 CEST</PRE ></FONT ></TD ></TR ></TABLE ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2334" ></A >18.3.3. Security auditing using IPv6-enabled nmap</H2 ><P ><A HREF="http://www.insecure.org/nmap/" TARGET="_top" >NMap</A >, one of the best port scanners in the world, supports IPv6 since version 3.10ALPHA1. Usage example:</P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># nmap -6 -sT ::1

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Interesting ports on localhost6 (::1):
(The 1600 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
515/tcp    open        printer
2401/tcp   open        cvspserver

Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds</PRE ></FONT ></TD ></TR ></TABLE ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2339" ></A >18.3.4. Security auditing using IPv6-enabled strobe</H2 ><P >Strobe is (compared to NMap) more of a low-budget port scanner, but there is an IPv6-enabling patch available (see <A HREF="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing" TARGET="_top" >IPv6+Linux-status-apps/security-auditing</A > for more). Usage example:</P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" ># ./strobe ::1
strobe 1.05 (c) 1995-1999 Julian Assange &lt;proff@iq.org&gt;.
::1     2401 unassigned unknown
::1       22 ssh          Secure Shell - RSA encrypted rsh
::1      515 printer      spooler (lpd)
::1     6010 unassigned unknown
::1       53 domain       Domain Name Server</PRE ></FONT ></TD ></TR ></TABLE ><P >Note: strobe is not really being developed any further; the shown version number is not the right one.</P ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AEN2345" ></A >18.3.5. Audit results</H2 ><P >If the result of an audit does not match your IPv6 security policy, use IPv6 firewalling to close the holes, e.g. using netfilter6 (see <A HREF="firewalling-netfilter6..html" >Firewalling/Netfilter6</A > for more).</P ><P >Info: More detailed information concerning IPv6 security can be found here: </P ><UL ><LI ><P ><A HREF="http://www.ietf.org/ids.by.wg/v6ops.html" TARGET="_top" >IETF drafts - IPv6 Operations (v6ops)</A ></P ></LI ><LI ><P ><A HREF="http://www.faqs.org/rfcs/rfc3964.html" TARGET="_top" >RFC 3964 / Security Considerations for 6to4</A ></P ></LI ></UL ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="x2317.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="chapter-encryption-authentication.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Access limitations</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="chapter-security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Encryption and Authentication</TD ></TR ></TABLE ></DIV ></BODY ></HTML >