BackTrack4 Uses IPv6 to Cover Tracks

This past week I was working on performing a security assessment and I was using the latest version of BackTrack 4. I noticed that it has Miredo support to help auditors establish a secret IPv6 back-channel to their exploited systems. This shows that the security community is recognizing how IPv6 can be used as a backdoor to owned systems.

Let’s face it: IPv6 deployments haven’t been as numerous as many of us would have hoped. Several years ago we were expecting that at the end of 2009 migration to IPv6 would be in full motion. However, the fact that IPv6 is still fairly obscure to most security administrators means that it can fly under the radar of most organizations. At the same time, IPv6 is starting to gain the attention of hackers as a means of creating a covert channel to compromised systems.

It is a fact that many organizations have a default outbound policy on their firewalls that allows virtually all outgoing connections. This means that the dynamic tunneling technique Teredo, which places IPv6 packets inside UDP packets on port 3544, would be allowed outbound by most companies. If a similar technique were to use TCP port 80 to create encapsulated IPv6 tunnels outbound, those would also be permitted to leave an organization. The organization’s stateful firewalls would then allow the return traffic back to that internal host, and thus any protocol could be carried through the encapsulated IPv6 packets.
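As an added example (not from the original post), a defender can spot this kind of tunnel by checking outbound UDP payloads for an embedded IPv6 header rather than trusting the port number. The function names and the sample packet are constructed for illustration; the header and address layout assumed here is the one defined for Teredo in RFC 4380.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")

def decode_teredo_address(addr):
    """Return the IPv4 details embedded in a Teredo address, or None."""
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed
    # Client port and client IPv4 are stored with every bit inverted.
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client = bytes(b ^ 0xFF for b in raw[12:16])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "client": str(ipaddress.IPv4Address(client)),
        "client_port": port,
    }

def find_tunneled_ipv6(payload):
    """Inspect one UDP payload; return tunnel details or None."""
    # Skip the optional Teredo authentication (00 01) and origin (00 00) headers.
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:
        payload = payload[4 + payload[2] + payload[3] + 9:]
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]
    # What remains must be a plausible IPv6 packet: version 6, consistent length.
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    if struct.unpack("!H", payload[4:6])[0] != len(payload) - 40:
        return None
    src = ipaddress.IPv6Address(payload[8:24])
    dst = ipaddress.IPv6Address(payload[24:40])
    return {"src": str(src), "dst": str(dst), "next_header": payload[6],
            "teredo": decode_teredo_address(src) or decode_teredo_address(dst)}

def build_sample():
    """Constructed sample: IPv6 packet with a Teredo source address."""
    src = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    body = b"\x80\x00\x00\x00\x00\x01\x00\x01"  # ICMPv6 echo, checksum left zero
    header = struct.pack("!IHBB", 6 << 28, len(body), 58, 64)
    return header + src + dst + body
```

Feeding it the UDP payloads of outbound flows flags any that carry a well-formed IPv6 packet, and the decoded server and client addresses show which internal host and which external Teredo server are involved.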
