For those of you that weren't at SANSFIRE 2 weeks ago, this was the title of the talk I gave there. At the time, I said I wanted to start a dialog with our readers, so this evening, I'd like to start that. At the IPv6 summit just before SANSFIRE, I heard IPv6 referred to as Y2K without the hard deadline and, in some ways, I have to say I agree with that. I've spent the last few months looking at my automated malware analysis environment and the honeypots/honeynets that I am responsible for at the day job and working on updating them to handle IPv6 traffic. In some cases, I will need some hardware upgrades before I can continue too far down that road (old boxes that happily run XP SP2 with 256 MB of memory aren't nearly as happy when you try to throw Win7 on them). In the meantime, I started looking at the tools that I use and whether or not they can handle IPv6. I have broken the tools down into a couple of categories (that seem useful to me). Then I looked at the tools that I am currently using, or have used in the (recent) past, to accomplish these tasks and examined them to see how they fared with regard to IPv6. I wasn't sure when I began this process what I would find. I guess I was, mostly, pleasantly surprised that most of the tools could handle IPv6 to some degree, at least if I updated to the current version. I knew that most of the tools/scripts that I had written didn't handle IPv6 and in several cases, I have done a first cut at adding IPv6 support (the links to the updated tools are at the bottom of this diary). They still need more work, especially with respect to handling optional extension headers (hop-by-hop, routing, destination, etc.). I expect to finish the clean up of those in the next few weeks. There are too many tools that I looked at to cover in one diary, but let me look at a few of them now and I'll continue with the rest of them during my next shift.
RHEL4 - yes, I know this isn't the current version of RedHat, but it was the corporate standard when the malware environment was first set up, so that is what I was using. Unfortunately, it has some significant shortcomings w.r.t. IPv6, mostly around ip6tables, which I'll get to below, so I rate this one a FAIL
XP SP2 - yes, again, not the current version, but it worked well with the old hardware. I know it is possible to do IPv6 with XP, but I haven't bothered to look at what it actually takes; we decided that this was a good excuse to upgrade, too, especially since many enterprises are moving to Win7 as the desktop of choice (skipping over Vista). FAIL?
Ubuntu 10.10 - This is the OS I use for a lot of my throwaway VMs and was the Linux distro I used to get my feet wet with IPv6, so this one goes down as a WIN
Win7 - handles IPv6 quite nicely out of the box, so we'll be updating the honeypots and client machines to it in the near future, WIN
tcpdump - works just fine (though keep in mind that the 'ip' and 'ip6' BPF filters test the layer 2 frame's type field to decide what the layer 3 protocol is, so 'ip' does not match IPv6 traffic: ip != ip6), WIN
wireshark/tshark - also handle IPv6 just fine, WIN
ipaudit - this is an old tool that I had been using to generate a 'flow' summary from the pcap; it has not been actively maintained for a number of years and does not handle IPv6, FAIL
argus - given the failure of ipaudit, I looked at some of the other tools I was already using to see if they could fill the gap, and argus works great as long as you are using at least version 3.0, WIN
ngrep - unfortunately, though I love this tool, it doesn't handle IPv6 at all. It doesn't look like it is being actively supported anymore, though I will send in a bug report to the sourceforge group. If I get the time, I may look at providing the patch myself. FAIL
pngrep.pl - I had already written a 'sort of ngrep workalike' in Perl because I needed to be able to print out something other than dots for the non-ASCII bytes in the packets. This is one of the ones that I've updated to be able to do some IPv6, but it still needs some more work. WIN
dnsdump.pl - Another of my scripts, which pulls out just the DNS traffic and gives it to me in a PSV file. This is another that I updated, but it still needs some work. WIN
httpry - this is a nice tool that finds HTTP traffic on any port and can summarize it. I was disappointed to discover that it doesn't handle IPv6. I've sent an e-mail to the author, but haven't heard back yet on whether he plans to support it in the future. If he doesn't, I'll need to find (or write) another tool that does this useful task. FAIL?
fauxdns.pl/fauxsmtp.pl/smtp-sink - In my paper from 2009, I mentioned that I was using Joe Stewart's faux*.pl scripts for my emulated internet. That is still largely true. Joe doesn't have any intention of supporting these scripts and I frankly haven't put much effort into them yet, but I am using the smtp-sink program from postfix to absorb outbound spam and that handles IPv6 quite nicely, so I guess I rate this as FAIL/FAIL/WIN (but the FAILs are on me)
netflow tools - this is an area that I haven't really looked into much. I know that netflow v9 can do IPv6, so any tools that can handle v9 netflow can probably handle IPv6 flows. Some of my old standbys, though, were written in the mid-90s (Mark Verber's flow-tools stuff) and that definitely does not, so ????
ip6tables - one of the big issues with RHEL4 was that the kernel was simply too old. Even though there is IPv6 support there, ip6tables was not stateful in older 2.6.x kernels. Rather than try to figure out which RHEL/Fedora/CentOS version would work, I ditched those and used what I knew worked from my trials at home. I went with 10.10 because that was the current Ubuntu version when I started this; I'm sure 11.04 would work just as well (as would 10.04, since it is an LTS release). The one remaining issue with ip6tables is that the 'nat' table has been removed. I don't want to get into any arguments about NAT; I know it isn't supposed to be necessary in IPv6. My problem is that since I'm emulating the entire internet, I was NAT-ing just about everything to my server transparently. I still see a need for that. Fortunately, I've found an ip6tables extension that works via the QUEUE mechanism in user space to put NAT back into ip6tables, so this works for me. WIN-ish
Checkpoint - It has been a number of years since I was a Checkpoint firewall admin, but I know folks who continue to use Checkpoint in environments where they are turning up IPv6, so I assume the support is really there (not just marketing hype), but I'll call this one ????
Cisco ASA - As above, I haven't administered a Cisco firewall in a number of years, so I'll defer to you folks on this one, ????
hping2/hping3 - probably my favorite tool for quick and dirty packet crafting has long been hping, because I could set everything on the command line. Alas, I see postings on mailing lists going back to at least 2003 asking when hping3 would get IPv6 support, and it still isn't there. I'll check one more time with hping.org, but I suspect I'll be using another tool when I want to craft IPv6 traffic. FAIL?
sendip - the other command line tool that I sometimes used was sendip and, fortunately, this one does seem to handle IPv6, though I'm not sure I can stack the optional headers, but for the quick and dirty it seems to work. WIN
scapy - the mother of all packet crafting tools handles IPv6 quite well; perhaps I'll have to give up on my quick and dirty command line stuff and just use scapy for all my packet crafting going forward. WIN
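Two of the points above are the ones that bite when you retrofit a v4-only script: the dispatch has to key off the Ethernet type (exactly what tcpdump's 'ip' and 'ip6' primitives do), and once you are inside an IPv6 packet the transport header is not at a fixed offset, because any number of extension headers (hop-by-hop, routing, fragment, destination options) can sit in front of it. The following is an added, stdlib-only Python example written for this page; it is not pngrep.pl, dnsdump.pl or any other tool from the diary. It classifies a frame the way the BPF primitives do, walks the Next Header chain of an IPv6 packet, and stops cleanly on a non-first fragment. The sample frames (a DNS query over IPv6 behind two extension headers, a fragment continuation, and the same query over IPv4) are constructed in the script, not captured traffic; the addresses and ports in them are arbitrary documentation values.

```python
"""IPv6-aware frame dissector: added example, stdlib only (not the diary's scripts)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
# Extension headers (RFC 2460, RFC 4302) that can sit between the fixed IPv6
# header and the transport header; each begins with a Next Header byte.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "destination"}
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6", 59: "no-next-header"}


def classify_frame(frame):
    """What tcpdump's 'ip' and 'ip6' primitives test: the Ethernet type field."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {ETHERTYPE_IPV4: "ip", ETHERTYPE_IPV6: "ip6"}.get(ethertype, "other")


def walk_ipv6(packet):
    """Parse the fixed IPv6 header, then follow the Next Header chain through
    any extension headers to the transport header (or stop at a non-first
    fragment, which carries no transport header at all)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    info = {"src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
            "hop_limit": hop_limit, "ext_chain": [], "proto": None,
            "sport": None, "dport": None}
    offset = 40
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        info["ext_chain"].append(EXT_HEADERS[next_hdr])
        if next_hdr == 44:              # fragment: fixed 8 bytes, byte 1 is reserved
            hdr_len = 8
            frag_off = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_off:                # not the first fragment: no transport header here
                info["proto"] = "fragment-continuation"
                return info
        elif next_hdr == 51:            # AH: length in 4-byte units, minus 2
            hdr_len = (ext_len + 2) * 4
        else:                           # hop-by-hop/routing/destination: (len+1)*8
            hdr_len = (ext_len + 1) * 8
        offset += hdr_len
        next_hdr = nh
    info["proto"] = UPPER_LAYER.get(next_hdr, "proto-%d" % next_hdr)
    if next_hdr in (6, 17) and offset + 4 <= len(packet):
        info["sport"], info["dport"] = struct.unpack("!HH", packet[offset:offset + 4])
    return info


def summarize_frame(frame):
    """Dispatch on the Ethernet type, the step a v4-only script never takes."""
    kind = classify_frame(frame)
    if kind != "ip6":
        return {"bpf": kind}            # IPv4 parsing is left to the existing v4 code path
    result = {"bpf": "ip6"}
    result.update(walk_ipv6(frame[14:]))
    return result


# ---- constructed sample frames (built here, not captured traffic) ----------
def _eth(ethertype, payload):
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + payload)

def _ipv6(next_hdr, payload, src="2001:db8::1", dst="2001:db8::53"):
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)

def _options_ext(next_hdr):
    # 8-byte hop-by-hop/destination header: Next Header, Hdr Ext Len=0, one PadN option
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data   # checksum left 0

DNS_QUERY = bytes.fromhex("beef01000001000000000000") + b"\x03isc\x04sans\x03edu\x00\x00\x01\x00\x01"
# IPv6, hop-by-hop -> destination options -> UDP/53: a BPF 'ip' filter would not match this
SAMPLE_V6_DNS = _eth(ETHERTYPE_IPV6,
                     _ipv6(0, _options_ext(60) + _options_ext(17) + _udp(40000, 53, DNS_QUERY)))
# Second fragment of a larger datagram: fragment header, offset 100, no transport header
SAMPLE_V6_FRAG = _eth(ETHERTYPE_IPV6,
                      _ipv6(44, struct.pack("!BBHI", 17, 0, (100 << 3) | 1, 0xDEADBEEF) + bytes(16)))
# Same query over IPv4 (header zeroed; only the ethertype matters to this example)
SAMPLE_V4_DNS = _eth(ETHERTYPE_IPV4, bytes(20) + _udp(40000, 53, DNS_QUERY))

if __name__ == "__main__":
    for name, frame in (("v6-dns", SAMPLE_V6_DNS), ("v6-frag", SAMPLE_V6_FRAG), ("v4-dns", SAMPLE_V4_DNS)):
        print(name, summarize_frame(frame))
```

Run it as-is and the IPv6 DNS frame comes back with ext_chain ['hop-by-hop', 'destination'] and dport 53, the fragment stops with proto 'fragment-continuation', and the IPv4 frame is classified 'ip' and handed off. The same loop is what a script like dnsdump.pl needs before it can look for port 53 in IPv6 traffic: assuming the transport header starts 40 bytes in is only right when the chain is empty.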
So there you have some of what I was looking at. How about you? In the next installment, I'll look at
Miscellaneous other tools
My updated tools (and there will be several more beyond the 2 listed above, to be added over the next couple of weeks) will (I believe) eventually be available via our tools page, but for the moment can be found on my handlers page at http://handlers.sans.edu/jclausing/ipv6/
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
SANS FOR558-Network Forensics coming to central OH in Sep, see http://www.sans.org/mentor/details.php?nid=25749
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.