Skip to main content

Advertisement

SpringerLink
Log in
Menu
Find a journal Publish with us
Search
Cart
Book cover

Meeting of the European Network of Universities and Companies in Information and Communication Engineering

EUNICE 2012: Information and Communication Technologies pp 88–99Cite as

  1. Home
  2. Information and Communication Technologies
  3. Conference paper
The Impact of IPv6 on Penetration Testing

The Impact of IPv6 on Penetration Testing

  • Christiaan Ottow17,
  • Frank van Vliet18,
  • Pieter-Tjerk de Boer17 &
  • …
  • Aiko Pras17 
  • Conference paper
  • 1594 Accesses

  • 3 Citations

Part of the Lecture Notes in Computer Science book series (LNISA,volume 7479)

Abstract

In this paper we discuss the impact the use of IPv6 has on remote penetration testing of servers and web applications. Several modifications to the penetration testing process are proposed to accommodate IPv6. Among these modifications are ways of performing fragmentation attacks, host discovery and brute-force protection. We also propose new checks for IPv6-specific vulnerabilities, such as bypassing firewalls using extension headers and reaching internal hosts through available transition mechanisms.

The changes to the penetration testing process proposed in this paper can be used by security companies to make their penetration testing process applicable to IPv6 targets.

Keywords

  • IPv6
  • security
  • penetration testing
  • host discovery
  • transition mechanisms

Download conference paper PDF

References

  1. Abley, J., Savola, P., Neville-Neil, G.: Deprecation of type 0 routing headers in IPv6 (December 2007), http://tools.ietf.org/html/rfc5095

  2. APNIC: APNIC IPv4 address pool reaches final /8 (April 2011), http://www.apnic.net/publications/news/2011/final-8

  3. Atlasis, A.: Attacking ipv6 implementation using fragmentation (March 2012), http://media.blackhat.com/bh-eu-12/Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-WP.pdf

  4. Bernstein, D.: Breaking dnssec (August 2009), http://cr.yp.to/talks/2009.08.10/slides.pdf

  5. Biondi, P., Ebalard, A.: IPv6 routing header security (April 2007), http://cansecwest.com/csw07/csw07-ebalard-biondi.pdf

  6. Certified Secure: Certified Secure Checklists, https://www.certifiedsecure.com/checklists/

  7. Chown, T.: RFC 5157: IPv6 implications for network scanning (March 2008), http://www.rfc-editor.org/rfc/rfc5157.txt

  8. Davies, E., Krishnan, S., Savola, P.: IPv6 transition/coexistence security considerations (September 2007), http://tools.ietf.org/html/rfc4942

  9. van Dijk, P.: Finding v6 hosts by efficiently mapping ip6.arpa. (March 2012), http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa

  10. Gont, F.: Results of a security assessment of the internet protocol version 6 (September 2011), http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf

  11. Gont, F.: Security implications of ipv6 on ipv4 networks (April 2012), http://www.ietf.org/id/draft-gont-opsec-ipv6-implications-on-ipv4-nets-00.txt

  12. Gont, F., Manral, V.: Security and interoperability implications of oversized ipv6 header chains (April 2012), http://tools.ietf.org/html/gont-6man-oversized-header-chain-01

  13. Herzog, P.: The Open Source Security Testing Methodology Manual. In: ISECOM (2010)

    Google Scholar 

  14. Heuse, M.: Recent advances in IPv6 insecurities (December 2010), http://events.ccc.de/congress/2010/Fahrplan/events/3957.en.html

  15. Heuse, M.: Vulnerabilities, failures - and a future? (November 2011), http://www.mh-sec.de/downloads/mh-ipv6_vulnerabilities.pdf

  16. Hinden, R., Deering, S.: RFC 4291: IP version 6 addressing architecture (February 2006), http://tools.ietf.org/html/rfc4291

  17. Huston, G.: Active BGP entries (FIB), http://bgp.potaroo.net/v6/as2.0/index.html

  18. Kaps, R.: Ipv6: Privacy extensions einschalten (March 2011), http://www.heise.de/netze/artikel/IPv6-Privacy-Extensions-einschalten-1204783.html

  19. Krishnan, S.: RFC 5722 - Handling of overlapping IPv6 fragments (December 2009), http://tools.ietf.org/html/rfc5722

  20. Laurie, B., Sisson, G., Arends, R., Blacka, D.: RFC 5155: DNS security (DNSSEC) hashed authenticated denial of existence (March 2008), http://tools.ietf.org/html/rfc5155

  21. Malone, D.: Observations of IPv6 Addresses. In: Claypool, M., Uhlig, S. (eds.) PAM 2008. LNCS, vol. 4979, pp. 21–30. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  22. Manral, V.: Tiny fragments in ipv6. (February 2012), http://tools.ietf.org/html/draft-manral-6man-tiny-fragments-issues-00

  23. Narten, T., Draves, R., Krishnan, S.: RFC 4941: Privacy extensions for stateless address autoconfiguration in IPv6 (September 2007), http://tools.ietf.org/html/rfc4941

  24. Narten, T., Huston, G., Roberts, L.: RFC 6177 - IPv6 address assignments to end sites (March 2011), http://tools.ietf.org/html/rfc6177

  25. NCC, R.: IPv4 exhaustion (2012), http://www.ripe.net/internet-coordination/ipv4-exhaustion

  26. OWASP: OWASP top ten (2010), https://www.owasp.org/index.php/Top_10_2010

  27. PTES: The Penetration Testing Execution Standard (2012), http://www.pentest-standard.org/

  28. Saindane, M.S.: Penetration testing – a systematic approach. Tech. rep., infosecwriters.com (2006)

    Google Scholar 

  29. Scarfone, K., Souppaya, M., Cody, A., Orebaugh, A.: Technical guide to information security testing and assessment. Tech. rep., NIST (2008)

    Google Scholar 

  30. SURFnet: IPv6 numberplan (February 2011), http://www.surfnet.nl/nl/nieuws/Pages/HandleidingIPv6-nummerplanverschenen.aspx

  31. Vyncke, E.: IPv6 Security. Cisco Press (2009)

    Google Scholar 

  32. Wai, C.T.: Conducting a penetration test on an organization (2002), http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67

  33. Ytti, S.: IPv6 ACL bypass (August 2011), http://blog.ip.fi/2011/08/ipv6-acl-bypass.html

  34. Ziemba, G., Reed, D., Traina, P.: RFC 1858 - security considerations for IP fragment filtering (October 1995), http://tools.ietf.org/html/rfc1858

Download references

Author information

Authors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Christiaan Ottow, Pieter-Tjerk de Boer & Aiko Pras

  2. Pine Digital Security, The Hague, The Netherlands

    Frank van Vliet

Authors
  1. Christiaan Ottow
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Frank van Vliet
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Pieter-Tjerk de Boer
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Aiko Pras
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Telecommunications and Media Informatics, Budapest University of Technology and Economics, Magyar Tudósok krt.2, 1117, Budapest, Hungary

    Róbert Szabó & Attila Vidács & 

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Ottow, C., van Vliet, F., de Boer, PT., Pras, A. (2012). The Impact of IPv6 on Penetration Testing. In: Szabó, R., Vidács, A. (eds) Information and Communication Technologies. EUNICE 2012. Lecture Notes in Computer Science, vol 7479. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32808-4_9

Download citation

  • .RIS
  • .ENW
  • .BIB
  • DOI: https://doi.org/10.1007/978-3-642-32808-4_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32807-7

  • Online ISBN: 978-3-642-32808-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Search

Navigation

  • Find a journal
  • Publish with us

Discover content

  • Journals A-Z
  • Books A-Z

Publish with us

  • Publish your research
  • Open access publishing

Products and services

  • Our products
  • Librarians
  • Societies
  • Partners and advertisers

Our imprints

  • Springer
  • Nature Portfolio
  • BMC
  • Palgrave Macmillan
  • Apress
  • Your US state privacy rights
  • Accessibility statement
  • Terms and conditions
  • Privacy policy
  • Help and support

167.114.118.210

Not affiliated

Springer Nature

© 2023 Springer Nature