We’ve heard a bit of noise about how IPv6 may impact network penetration testing and how networks may or may not be more secure because of IPv6. Lets be clear, anyone telling you that IPv6 makes penetration testing harder doesn’t understand the first thing about real penetration testing.
Whats the point of IPv6?
IPv6 was designed by the Internet Engineering Task Force (IETF) to address the issue of IPv4 address space exhaustion. IPv6 uses a 128-bit address space while IPv4 is only 32 bits. This means that there are 2128 possible addresses with IPv6, which is far more than the 232 addresses available with IPv4. This means that there are going to be many more potential targets for a penetration tester to focus on when IPv6 becomes the norm.
What about increased security with IPv6?
The IPv6 specification mandates support for the Internet Protocol Security (IPSec) protocol suite, which is designed to secure IP communications by authenticating and encrypting each IP Packet. IPSec operates at the Internet Layer of the Internet Protocol suite and so differs from other security systems like the Secure Socket Layer, which operates at the application layer. This is the only significant security enhancement that IPv6 brings to the table and even this has little to no impact on penetration testing.
What some penetration testers are saying about IPv6.
Some penetration testers argue that IPv6 will make the job of a penetration testing more difficult because of the massive increase in potential targets. They claim that the massive increase in potential targets will make the process of discovering live targets impossibly time consuming. They argue that scanning each port/host in an entire IPv6 range could take as long as 13,800,523,054,961,500,000 years. But why the hell would anyone waste their time testing potential targets when they could be testing actual live targets?
The very first step in any penetration test is effective and efficient reconnaissance. Reconnaissance is the military term for the passive gathering of intelligence about an enemy prior to attacking an enemy. There are countless ways to perform reconnaissance, all of which must be adapted to the particular engagement. Failure to adapt will result bad intelligence as no two targets are exactly identical.
A small component of reconnaissance is target identification. Target identification may or may not be done with scanning depending on the nature of the penetration test. Specifically, it is impossible to deliver a true stealth / covert penetration test with automated scanners. Likewise it is very difficult to use a scanner to accuratley identify targets in a network that is protected by reactive security systems (like a well configured IPS that supports black-listing). So in some/many cases doing discovery by scanning an entire block of addresses is ineffective.
A few common methods for target identification include Social Engineering, DNS enumeration, or maybe something as simple as asking the client to provide you with a list of targets. Not so common methods involve more aggressive social reconnaissance, continued reconnaissance after initial penetration, etc. Either way, it will not take 13,800,523,054,961,500,000 years to identify all of the live and accessible targets in an IPv6 network if you know what you are doing.
Additionally, penetration testing against 12 targets in an IPv6 network will take the same amount of time as testing 12 targets in an IPv4 network. The number of real targets is what is important and not the number of potential targets. It would be a ridiculous waste of time to test 2128 IPv6 Addresses when only 12 IP addresses are live. Not to mention that increase in time would likely translate to an increase in project cost.
So in reality, for those who are interested, hacking an IPv6 network won’t be any more or less difficult than hacking an IPv4 network. Anyone that argues otherwise either doesn’t know what they are doing or they are looking to charge you more money for roughly the same amount of work.
