|
Penetration Testing has been around for decades, but has become more important in recent times, where an IPv4 host is attacked within five (5) minutes of coming online on the internet. At the end of the day, the goal of Penetration Testing (or pen testing), is to keep the Bad Guys out. That said many pen testing tools can be used for good and bad. We will focus on the good use of these tools.
Penetration Testing is the nice word for hacking. But there is good hacking and bad hacking. Although pen testing tools can be used for evil, they can also be used for good, such as discovering holes in your network before the bad guys do.
With the advent of the Internet, all computers are connected to every other computer on the internet. This is very convenient for downloading newer OpenWrt software for your router, or buying peanut butter cookies on Amazon. But it isn't good if random person can get to your computer, and start running attacks on it.
Many feel that IPv4 is secure because it incorporates NAT (Network Address Translation) and there is a state machine that watches outbound packets, and allows return packets (with the same destination/source addresses) to enter your network. However NAT is not security. Every home router with NAT also has a Firewall, which is where the real security lies.
Network Firewalls operate much the same as a real firewall, preventing the firestorm from getting past the wall. Network Firewalls (hence just referred to as firewalls) do this by inspecting different fields in the IP (Internet Protocol) header. Modern firewalls can inspect even further in the chain of headers (aka the stack) to include TCP/UDP (layer 4), and even HTTP (Layer 7).
In IPv4, because of the lack of anything to anything connectivity, one must use tricks, such as reverse port forwarding to allow external traffic into your LAN. This is quite common in commercial home router software.
Because IPv6 does not use NAT, and each device has its own Global Unique Address (GUA), the firewall functionally is more straight forward, only allowing external access based on GUA source/destination. The home router software vendors are slow to implement a granular IPv6 firewall. Typically it is ON or OFF (Off is a bad idea).
OpenWrt has a very reasonable default set of rules for the IPv6 firewall, which will keep the bad guys at bay.
When designing networks (or writing software), it is best to build security in from the beginning (the same applies to IPv6). Sure you can add it later, but there is a good chance that something will be missed, and a gaping hole is left for the bad guys to exploit.
This is why I recommend that everyone who has a home network have a guest network, in addition to their own home network. A guest network is setup to prevent traffic from the guest network getting into your home network, but allowing access to the internet. Not only is a guest network where you can put your guests, but also all of your IoT (Internet of Things) devices.
There's a security joke, "S stands for security in IoT." And that is because IoT pretty much does not have any security. It isn't part of vendor's business model. After all, what do they care if someone else changes the colour of your light bulbs, but you might. Or you may care if your furnace no longer turns on (because the thermostat was IoT connected and now someone else is controlling it.
The reason to put IoT on the guest network, is that once your IoT device is hacked, at least it won't be hacking your computers on your home network.
We have discussed nmap
in the past, but it is an excellent go-to tool for network reconnaissance. nmap
can do port sweeps looking for open ports (usually TCP, but it can also search for UDP ports). Any open ports nmap
may find are considered the threat surface. Basic network security starts with reducing the threat surface. Don't turn on service which aren't used or needed.
[nmap](https://nmap.org/book/toc.html)
has many options, but we only need a few for this lab.
$ nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
...
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
...
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Use nmap
to do network reconnaissance on the lab target (address/hostname posted locally)
Use nmap -v -A <target>
command to:
Attempt/Answer the following:
nmap
discover the open ports?
Naturally nmap
works well if you can give it a single (or list of) targets. However what if you don't know the address of the target? The obvious answer, is DNS (Domain Name Service). If the host has a DNS entry, then you can probably find it. For example, you probably don't know what the IP address Google's servers are. But you can easily get to them via the name www.google.ca
Adding a DNS name increases your threat surface, since your device is now easier to find. Note: make sure your devices with DNS entries are secure.
IP Address Scanners are a tool which can detect potential targets (for nmap
). [zmap](https://github.com/zmap/zmap)
claims:
"ZMap is capable scanning the entire public IPv4 address space on a single port in under 45 minutes."
Of course, what it is really saying is that it can scan 2^32 addresses in 45 minutes. Clearly this application is limited to IPv4. Since a single IPv6 subnet is /64, which is equal to 2^64 addresses. IF zmap
could scan IPv6 (which it doesn't), it would only take 193,273,528,320 minutes or 22,063,188 years to scan a single IPv6 subnet (aka prefix). As you can see scanning IPv6 addresses with traditional scanners is not very practical.
nmap
can also scan networks with a command such as nmap -F -n 192.168.1.0/24
However, this is still oriented to a brute force scan, and is not practical for IPv6 networks.
[v6disc.sh](https://github.com/cvmiller/v6disc)
is a tool developed to find hosts (aka targets) on an IPv6 network. Rather than brute force (aka iterating through each possible IP address), the tool exploits IPv6 Neighbour Discover Protocol (NDP) to discover the targets.
Download v6disc.sh to run this lab. Note: this will only work on a *nix system.
# ./v6disc.sh -h
./v6disc.sh - auto discover IPv6 hosts
e.g. ./v6disc.sh -D -p
-p Ping discovered hosts
-i use this interface
-L show link-local only
-D Dual Stack, show IPv4 addresses
-N Scan with nmap -6 -sT
-n disable neighbour table detection
-q quiet, just print discovered hosts
By Craig Miller - Version: 2.3.4
It can also run nmap
to port sweep hosts which are discovered.
Use v6disc.sh
to do network enumeration on the lab target(s) (address/hostname posted locally). After discovering the targets, use the nmap
option to scan the ports on the target(s)
Attempt/Answer the following:
v6disc.sh
discover IPv4 hosts?v6disc.sh
discover hosts?
All this pen testing is good, but how do you test you own home router? Do you have ports open that didn't know about?
The easiest solution is to do Pen Testing from an outside machine. But what if you don't have an outside machine?
Fortunately, there are a couple of outside machines which you can use for free. Unfortunately neither of the following have IPv6 connections to the internet.
In this lab, we have only scratched the surface of Penetration Testing. We have focused primarily on finding targets and discovering/mapping the threat surface. We haven't dug into true vulnerability testing (such as using the Metasploit tool).
The important first step is to start thinking about security.
Notes:
17 February 2024